
Error OOM #654

Closed famasoon closed 1 year ago

famasoon commented 1 year ago
#include <stddef.h>
#include <stdint.h>

#include <jansson.h>

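int parseJson(const char *buffer, size_t buflen) {
  /*
   * Parse a JSON document from a bounded buffer and read a few fields out of
   * it, to exercise the jansson accessors under the fuzzer.
   *
   * buffer/buflen: raw input; it need not be NUL-terminated because
   *                json_loadb takes an explicit length.
   * Returns 0 in every case; the harness only cares that parsing ran.
   *
   * json_loadb hands back a new reference to the root value. The original
   * version never released it, so every successful parse leaked the whole
   * tree. With -detect_leaks=0 such a leak is not reported as a leak; in a
   * long fuzz run it shows up as RSS growing until libFuzzer's rss limit
   * trips, which is consistent with the reported OOM trace (all live
   * allocations sit under json_loadb -> parseJson).
   */
  json_error_t error;
  json_t *root = json_loadb(buffer, buflen, 0, &error);
  if (root == NULL) {
    return 0;
  }

  const char *str = NULL;  /* borrowed from root; invalid after json_decref */
  double dValue = 0.0;
  json_int_t iValue = 0;   /* json_integer_value returns json_int_t, not int */
  json_t *obj;

  obj = json_object_get(root, "dateTime");
  if (json_is_string(obj)) {
    str = json_string_value(obj);
  }

  obj = json_object_get(root, "eventType");
  if (json_is_string(obj)) {
    str = json_string_value(obj);
  }

  obj = json_object_get(root, "DependOnSequentialEvent");
  if (json_is_object(obj)) {
    json_t *obj2 = json_object_get(obj, "valPercent");
    if (json_is_real(obj2)) {
      dValue = json_real_value(obj2);
    } else if (json_is_integer(obj2)) {
      iValue = json_integer_value(obj2);
    }

    obj2 = json_object_get(obj, "alive");
    if (json_is_string(obj2)) {
      str = json_string_value(obj2);
    }

    obj2 = json_object_get(obj, "isScript");
    (void)obj2;
  }

  /* The extracted values are intentionally unused; silence the warnings. */
  (void)str;
  (void)dValue;
  (void)iValue;

  /* Release the tree. str points into it and must not be used past here. */
  json_decref(root);
  return 0;
}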

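extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  /*
   * libFuzzer entry point: pass the raw input straight to parseJson.
   *
   * size is size_t, so the former `size < 0` guard could never be true and
   * its `return -1` branch was dead code. libFuzzer expects 0 from this
   * callback, so it returns 0 unconditionally. An empty input (size == 0)
   * is a legitimate case and is passed through: json_loadb takes an explicit
   * length and is expected to reject it cleanly.
   */
  parseJson((const char *)data, size);
  return 0;
}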

I wrote a parseJson program, but it crashed on this null data.

I investigated with libFuzzer; this code may be running out of memory.

./fuzz input_json -- -dict=json.dict -detect_leaks=0                     
INFO: libFuzzer ignores flags that start with '--'
Dictionary: 57 entries
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3030517605
INFO: Loaded 1 modules   (1054 inline 8-bit counters): 1054 [0x557bc07c9820, 0x557bc07c9c3e), 
INFO: Loaded 1 PC tables (1054 PCs): 1054 [0x557bc07c9c40,0x557bc07cde20), 
INFO:      742 files found in input_json
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: seed corpus: files: 742 min: 1b max: 3646b total: 151477b rss: 31Mb
#743    INITED cov: 90 ft: 120 corp: 3/6b exec/s: 0 rss: 42Mb
#1048576        pulse  cov: 90 ft: 120 corp: 3/6b lim: 4096 exec/s: 349525 rss: 357Mb
#2097152        pulse  cov: 90 ft: 120 corp: 3/6b lim: 4096 exec/s: 349525 rss: 569Mb
#4194304        pulse  cov: 90 ft: 120 corp: 3/6b lim: 4096 exec/s: 322638 rss: 633Mb
#8388608        pulse  cov: 90 ft: 120 corp: 3/6b lim: 4096 exec/s: 322638 rss: 759Mb
#16777216       pulse  cov: 90 ft: 120 corp: 3/6b lim: 4096 exec/s: 316551 rss: 1014Mb
^[      ``````#33554432 pulse  cov: 90 ft: 120 corp: 3/6b lim: 4096 exec/s: 307838 rss: 1181Mb
==33608== ERROR: libFuzzer: out-of-memory (used: 2051Mb; limit: 2048Mb)
   To change the out-of-memory limit use -rss_limit_mb=<N>

Live Heap Allocations: 1167797174 bytes in 21991387 chunks; quarantined: 23650313 bytes in 690183 chunks; 3169120 other chunks; total chunks: 25850690; showing top 95% (at most 8 unique contexts)
703690944 byte(s) (60%) in 10995171 allocation(s)
    #0 0x557bc072aa3e in malloc (/home/user/fuzzing/jasson2/jansson/bin/lib/fuzz+0xe3a3e) (BuildId: 1d94d2ea86819dd9cbc0168128e68cf65aba040b)
    #1 0x557bc076f6a5 in jsonp_malloc /home/user/fuzzing/jasson/jansson/src/memory.c:27:12
    #2 0x557bc0775be0 in json_array /home/user/fuzzing/jasson/jansson/src/value.c:440:20
    #3 0x557bc076efdb in parse_array /home/user/fuzzing/jasson/jansson/src/load.c:740:21
    #4 0x557bc076a1f4 in parse_value /home/user/fuzzing/jasson/jansson/src/load.c:831:20
    #5 0x557bc07671a9 in parse_json /home/user/fuzzing/jasson/jansson/src/load.c:863:14
    #6 0x557bc07677fc in json_loadb /home/user/fuzzing/jasson/jansson/src/load.c:962:14
    #7 0x557bc0765936 in parseJson(char const*, unsigned long) /home/user/fuzzing/jasson2/jansson/bin/lib/jassonfuzz.cc:19:10
    #8 0x557bc0765fbe in LLVMFuzzerTestOneInput /home/user/fuzzing/jasson2/jansson/bin/lib/jassonfuzz.cc:70:3
    #9 0x557bc068e3c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/user/fuzzing/jasson2/jansson/bin/lib/fuzz+0x473c3) (BuildId: 1d94d2ea86819dd9cbc0168128e68cf65aba040b)
    #10 0x557bc068db19 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/user/fuzzing/jasson2/jansson/bin/lib/fuzz+0x46b19) (BuildId: 1d94d2ea86819dd9cbc0168128e68cf65aba040b)
    #11 0x557bc068f309 in fuzzer::Fuzzer::MutateAndTestOne() (/home/user/fuzzing/jasson2/jansson/bin/lib/fuzz+0x48309) (BuildId: 1d94d2ea86819dd9cbc0168128e68cf65aba040b)
    #12 0x557bc068fe85 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile> >&) (/home/user/fuzzing/jasson2/jansson/bin/lib/fuzz+0x48e85) (BuildId: 1d94d2ea86819dd9cbc0168128e68cf65aba040b)
    #13 0x557bc067dfc2 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/user/fuzzing/jasson2/jansson/bin/lib/fuzz+0x36fc2) (BuildId: 1d94d2ea86819dd9cbc0168128e68cf65aba040b)
    #14 0x557bc06a7cb2 in main (/home/user/fuzzing/jasson2/jansson/bin/lib/fuzz+0x60cb2) (BuildId: 1d94d2ea86819dd9cbc0168128e68cf65aba040b)
    #15 0x7ffa05429d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

439806840 byte(s) (37%) in 10995171 allocation(s)
    #0 0x557bc072aa3e in malloc (/home/user/fuzzing/jasson2/jansson/bin/lib/fuzz+0xe3a3e) (BuildId: 1d94d2ea86819dd9cbc0168128e68cf65aba040b)
    #1 0x557bc076f6a5 in jsonp_malloc /home/user/fuzzing/jasson/jansson/src/memory.c:27:12
    #2 0x557bc0775b09 in json_array /home/user/fuzzing/jasson/jansson/src/value.c:432:27
    #3 0x557bc076efdb in parse_array /home/user/fuzzing/jasson/jansson/src/load.c:740:21
    #4 0x557bc076a1f4 in parse_value /home/user/fuzzing/jasson/jansson/src/load.c:831:20
    #5 0x557bc07671a9 in parse_json /home/user/fuzzing/jasson/jansson/src/load.c:863:14
    #6 0x557bc07677fc in json_loadb /home/user/fuzzing/jasson/jansson/src/load.c:962:14
    #7 0x557bc0765936 in parseJson(char const*, unsigned long) /home/user/fuzzing/jasson2/jansson/bin/lib/jassonfuzz.cc:19:10
    #8 0x557bc0765fbe in LLVMFuzzerTestOneInput /home/user/fuzzing/jasson2/jansson/bin/lib/jassonfuzz.cc:70:3
    #9 0x557bc068e3c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/user/fuzzing/jasson2/jansson/bin/lib/fuzz+0x473c3) (BuildId: 1d94d2ea86819dd9cbc0168128e68cf65aba040b)
    #10 0x557bc068db19 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/user/fuzzing/jasson2/jansson/bin/lib/fuzz+0x46b19) (BuildId: 1d94d2ea86819dd9cbc0168128e68cf65aba040b)
    #11 0x557bc068f309 in fuzzer::Fuzzer::MutateAndTestOne() (/home/user/fuzzing/jasson2/jansson/bin/lib/fuzz+0x48309) (BuildId: 1d94d2ea86819dd9cbc0168128e68cf65aba040b)
    #12 0x557bc068fe85 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile> >&) (/home/user/fuzzing/jasson2/jansson/bin/lib/fuzz+0x48e85) (BuildId: 1d94d2ea86819dd9cbc0168128e68cf65aba040b)
    #13 0x557bc067dfc2 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/user/fuzzing/jasson2/jansson/bin/lib/fuzz+0x36fc2) (BuildId: 1d94d2ea86819dd9cbc0168128e68cf65aba040b)
    #14 0x557bc06a7cb2 in main (/home/user/fuzzing/jasson2/jansson/bin/lib/fuzz+0x60cb2) (BuildId: 1d94d2ea86819dd9cbc0168128e68cf65aba040b)
    #15 0x7ffa05429d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

MS: 5 ChangeByte-CrossOver-ShuffleBytes-EraseBytes-ShuffleBytes-; base unit: dd79c8cfb8beeacd0460429944b4ecbe95a31561

artifact_prefix='./'; Test unit written to ./oom-da39a3ee5e6b4b0d3255bfef95601890afd80709
Base64: 
SUMMARY: libFuzzer: out-of-memory

Fuzzing code.

#include <stddef.h>
#include <stdint.h>

#include "jansson.h"

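int parseJson(const char *buffer, size_t buflen) {
  /*
   * Parse a JSON document from a bounded buffer and read a few fields out of
   * it, to exercise the jansson accessors under the fuzzer.
   *
   * buffer/buflen: raw input; it need not be NUL-terminated because
   *                json_loadb takes an explicit length.
   * Returns 0 in every case; the harness only cares that parsing ran.
   *
   * json_loadb hands back a new reference to the root value. The original
   * version never released it, so every successful parse leaked the whole
   * tree. With -detect_leaks=0 such a leak is not reported as a leak; in a
   * long fuzz run it shows up as RSS growing until libFuzzer's rss limit
   * trips, which is consistent with the reported OOM trace (all live
   * allocations sit under json_loadb -> parseJson).
   */
  json_error_t error;
  json_t *root = json_loadb(buffer, buflen, 0, &error);
  if (root == NULL) {
    return 0;
  }

  const char *str = NULL;  /* borrowed from root; invalid after json_decref */
  double dValue = 0.0;
  json_int_t iValue = 0;   /* json_integer_value returns json_int_t, not int */
  json_t *obj;

  obj = json_object_get(root, "dateTime");
  if (json_is_string(obj)) {
    str = json_string_value(obj);
  }

  obj = json_object_get(root, "eventType");
  if (json_is_string(obj)) {
    str = json_string_value(obj);
  }

  obj = json_object_get(root, "DependOnSequentialEvent");
  if (json_is_object(obj)) {
    json_t *obj2 = json_object_get(obj, "valPercent");
    if (json_is_real(obj2)) {
      dValue = json_real_value(obj2);
    } else if (json_is_integer(obj2)) {
      iValue = json_integer_value(obj2);
    }

    obj2 = json_object_get(obj, "alive");
    if (json_is_string(obj2)) {
      str = json_string_value(obj2);
    }

    obj2 = json_object_get(obj, "isScript");
    (void)obj2;
  }

  /* The extracted values are intentionally unused; silence the warnings. */
  (void)str;
  (void)dValue;
  (void)iValue;

  /* Release the tree. str points into it and must not be used past here. */
  json_decref(root);
  return 0;
}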

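extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  /*
   * libFuzzer entry point: pass the raw input straight to parseJson.
   *
   * As posted, the call had a stray `"` after the cast (`(const char *)data"`)
   * and would not compile; this is the intended call. size is size_t, so the
   * former `size < 0` guard could never be true and its `return -1` branch
   * was dead code. libFuzzer expects 0 from this callback, so it returns 0
   * unconditionally. An empty input (size == 0) is a legitimate case and is
   * passed through: json_loadb takes an explicit length and is expected to
   * reject it cleanly.
   */
  parseJson((const char *)data, size);
  return 0;
}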
famasoon commented 1 year ago

This data is NULL (empty):

cat oom-da39a3ee5e6b4b0d3255bfef95601890afd80709 

I will triage this and do a root-cause analysis (RCA).

famasoon commented 1 year ago

Sorry, this could not be reproduced... I am closing this issue.