search

kbranigan / cJSON

I did not write this code, but I like it.
https://github.com/DaveGamble/cJSON
MIT License
394 stars 238 forks source link

Crashes found with afl #30

Open netsurf916 opened 8 years ago

netsurf916 commented 8 years ago

Please contact me for 246 crash cases found by fuzzing with afl. It's likely there aren't 246 actual errors, just 246 ways to get to the same few. These issues should be treated as critical since JSON parsing is often exposed on the attack surface.

kbranigan commented 8 years ago

There was a change made recently, how many of these crash cases still exist?

FSMaxB commented 8 years ago

Probably most of them. cJSON is in quite bad shape in this regard. Many crashes can probably eliminated by fixing cJSONs unicode handling.

netsurf916 commented 8 years ago

246 of 246 still exist on tips of master as of a few minutes ago.

netsurf916 commented 8 years ago

(gdb) run < ../../output/cJSON_git/raw/crashes/id\:000000\,sig\:06\,src\:000000\,op\:arith8\,pos\:528\,val\:-15 Starting program: /home/netsurf/ramdisk/fuzz/targets/cJSON_git/fuzz < ../../output/cJSON_git/raw/crashes/id\:000000\,sig\:06\,src\:000000\,op\:arith8\,pos\:528\,val\:-15 *** Error in/home/netsurf/ramdisk/fuzz/targets/cJSON_git/fuzz': free(): invalid next size (fast): 0x000000000062e920 ***

Program received signal SIGABRT, Aborted. 0x00007ffff7765067 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory. (gdb) bt

0 0x00007ffff7765067 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56

1 0x00007ffff7766448 in __GI_abort () at abort.c:89

2 0x00007ffff77a31b4 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7ffff7898820 "* Error in `%s': %s: 0x%s *\n")

at ../sysdeps/posix/libc_fatal.c:175

3 0x00007ffff77a898e in malloc_printerr (action=1, str=0x7ffff78989e0 "free(): invalid next size (fast)", ptr=) at malloc.c:4996

4 0x00007ffff77a9696 in _int_free (av=, p=, have_lock=0) at malloc.c:3840

5 0x0000000000416c9e in cJSON_Delete (c=) at cJSON.c:88

6 cJSON_Delete (c=0x62e2d0) at cJSON.c:87

7 cJSON_Delete (c=0x62e260) at cJSON.c:87

8 cJSON_Delete (c=0x62e160) at cJSON.c:87

9 cJSON_Delete (c=0x62e060) at cJSON.c:87

10 cJSON_Delete (c=0x62e010) at cJSON.c:87

11 0x0000000000419c34 in cJSON_ParseWithOpts (return_parse_end=0x0, require_null_terminated=0, value=, value@entry=0x7ffffffee580 "")

at cJSON.c:333

12 cJSON_Parse (

value=value@entry=0x7ffffffee5a0 "{\n    \"glossary\": {\n        \"title\": \"example glossary\",\n\t\t\"GlossDiv\": {\n", ' ' <repeats 12 times>, "\"title\": \"S\",\n\t\t\t\"GlossList\": {\n", ' ' <repeats 16 times>, "\"GlossEntry\": {\n", ' ' <repeats 20 times>, "\"ID\": \"SGML\",\n\t\t\t\t\t\"SortAs\": \"S"...) at cJSON.c:341

13 0x000000000042b241 in doit (

text=0x7ffffffee5a0 "{\n    \"glossary\": {\n        \"title\": \"example glossary\",\n\t\t\"GlossDiv\": {\n", ' ' <repeats 12 times>, "\"title\": \"S\",\n\t\t\t\"GlossList\": {\n", ' ' <repeats 16 times>, "\"GlossEntry\": {\n", ' ' <repeats 20 times>, "\"ID\": \"SGML\",\n\t\t\t\t\t\"SortAs\": \"S"...)
at fuzz.c:33

14 dostdin () at fuzz.c:50

15 0x0000000000400c13 in main (argc=, argv=) at fuzz.c:54

`

DaveGamble commented 7 years ago

Just FYI, the official repo at https://github.com/daveGamble/cJSON has all these fixed.

netsurf916 commented 7 years ago

Thanks for the tip Dave.

FSMaxB commented 7 years ago

Wow, I've been running Afl for one night and didn't find any crashes anymore. Nice Job @DaveGamble, I'm really impressed.

I've been trying to fix some of these by myself, but every time I fixed one problem, it reappeared somewhere else.

Afl found one hang, but I still have to find out if it is legitimate. I'll be doing this in the evening I guess (GMT+7).

FSMaxB commented 7 years ago

The hang is a false positive 👍