
BasicJsonParser can fail with a timeout or stackoverflow with malformed map JSON #31869

Closed
philwebb opened this issue Jul 26, 2022 · 2 comments
Labels
type: bug A general bug

@philwebb
Member

[Environment] ASAN_OPTIONS=check_malloc_usable_size=0:detect_stack_use_after_return=1:fast_unwind_on_fatal=0:handle_sigfpe=2:print_scariness=1:print_summary=1
	+----------------------------------------Release Build Stacktrace----------------------------------------+
	Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c -n /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_spring-boot_71ef79aa9a370f830c27d84b0234a0a79e9c6a03/revisions/BasicJsonParserFuzzer -rss_limit_mb=2560 -timeout=60 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/timeout-4154e426ab90e9d738789e3074a020dd471ab3b6
	Time ran: 64.91553115844727
	
	OpenJDK 64-Bit Server VM warning: Option CriticalJNINatives was deprecated in version 16.0 and will likely be removed in a future release.
	OpenJDK 64-Bit Server VM warning: Sharing is only supported for boot loader classes because bootstrap classpath has been appended
	INFO: Loaded 118 hooks from com.code_intelligence.jazzer.runtime.TraceCmpHooks
	INFO: Loaded 4 hooks from com.code_intelligence.jazzer.runtime.TraceDivHooks
	INFO: Loaded 2 hooks from com.code_intelligence.jazzer.runtime.TraceIndirHooks
	INFO: Loaded 4 hooks from com.code_intelligence.jazzer.runtime.NativeLibHooks
	INFO: Loaded 8 hooks from com.code_intelligence.jazzer.sanitizers.Deserialization
	INFO: Loaded 3 hooks from com.code_intelligence.jazzer.sanitizers.ExpressionLanguageInjection
	INFO: Loaded 70 hooks from com.code_intelligence.jazzer.sanitizers.LdapInjection
	INFO: Loaded 46 hooks from com.code_intelligence.jazzer.sanitizers.NamingContextLookup
	INFO: Loaded 1 hooks from com.code_intelligence.jazzer.sanitizers.OsCommandInjection
	INFO: Loaded 68 hooks from com.code_intelligence.jazzer.sanitizers.ReflectiveCall
	INFO: Loaded 8 hooks from com.code_intelligence.jazzer.sanitizers.RegexInjection
	INFO: Loaded 16 hooks from com.code_intelligence.jazzer.sanitizers.RegexRoadblocks
	INFO: Loaded 19 hooks from com.code_intelligence.jazzer.sanitizers.SqlInjection
	INFO: Instrumented java.util.regex.Pattern$BnM with custom hooks only (took 18 ms, size +20%)
	INFO: Instrumented java.util.regex.Pattern$BackRef with custom hooks only (took 5 ms, size +34%)
	INFO: Instrumented java.util.regex.Pattern$Branch with custom hooks only (took 10 ms, size +27%)
	INFO: Instrumented java.util.regex.Pattern$BranchConn with custom hooks only (took 2 ms, size +56%)
	INFO: Instrumented java.util.regex.Pattern$BmpCharPropertyGreedy with custom hooks only (took 2 ms, size +31%)
	INFO: Instrumented java.util.regex.Pattern$GroupCurly with custom hooks only (took 8 ms, size +34%)
	INFO: Instrumented java.util.regex.Pattern$Ques with custom hooks only (took 4 ms, size +78%)
	INFO: Instrumented java.util.regex.Pattern$Curly with custom hooks only (took 6 ms, size +50%)
	INFO: Instrumented java.util.regex.Matcher with custom hooks only (took 33 ms, size +4%)
	INFO: Instrumented java.util.regex.Pattern$StartS with custom hooks only (took 2 ms, size +35%)
	INFO: Instrumented java.util.regex.Pattern$Start with custom hooks only (took 2 ms, size +35%)
	INFO: Instrumented java.util.regex.Pattern$First with custom hooks only (took 2 ms, size +52%)
	INFO: Instrumented java.util.regex.Pattern$Slice with custom hooks only (took 1 ms, size +44%)
	INFO: Instrumented java.util.regex.Pattern$CharPropertyGreedy with custom hooks only (took 2 ms, size +22%)
	INFO: Instrumented java.util.regex.Pattern$BmpCharProperty with custom hooks only (took 2 ms, size +35%)
	INFO: Instrumented java.util.regex.Pattern$CharProperty with custom hooks only (took 3 ms, size +33%)
	INFO: Instrumented java.util.regex.Pattern$GroupHead with custom hooks only (took 1 ms, size +49%)
	INFO: Instrumented java.util.regex.Pattern with custom hooks only (took 58 ms, size +2%)
	INFO: Instrumented BasicJsonParserFuzzer (took 15 ms, size +14%)
	INFO: Instrumented org.springframework.boot.json.JsonParseException (took 2 ms, size +16%)
	INFO: libFuzzer ignores flags that start with '--'
	INFO: Running with entropic power schedule (0xFF, 100).
	INFO: Seed: 1965438993
	INFO: Loaded 1 modules   (512 inline 8-bit counters): 512 [0x7f339bcfb010, 0x7f339bcfb210),
	INFO: Loaded 1 PC tables (512 PCs): 512 [0x1d67190,0x1d69190),
	/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_spring-boot_71ef79aa9a370f830c27d84b0234a0a79e9c6a03/revisions/jazzer_driver: Running 1 inputs 100 time(s) each.
	Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/timeout-4154e426ab90e9d738789e3074a020dd471ab3b6
	INFO: Instrumented org.springframework.boot.json.BasicJsonParser (took 16 ms, size +25%)
	INFO: Instrumented org.springframework.boot.json.AbstractJsonParser (took 5 ms, size +19%)
	INFO: Instrumented org.springframework.boot.json.JsonParser (took 0 ms, size +0%)
	ALARM: working on the last Unit for 61 seconds
	       and the timeout value is 60 (use -timeout=N to change)
	==10088== ERROR: libFuzzer: timeout after 61 seconds
	
	Stack traces of all JVM threads:
	
	Thread[Finalizer,8,system]
	 at java.base@17.0.3/java.lang.Object.wait(Native Method)
	 at java.base@17.0.3/java.lang.ref.ReferenceQueue.remove(ReferenceQueue.java:155)
	 at java.base@17.0.3/java.lang.ref.ReferenceQueue.remove(ReferenceQueue.java:176)
	 at java.base@17.0.3/java.lang.ref.Finalizer$FinalizerThread.run(Finalizer.java:172)
	
	Thread[Notification Thread,9,system]
	
	Thread[Signal Dispatcher,9,system]
	
	Thread[Reference Handler,10,system]
	 at java.base@17.0.3/java.lang.ref.Reference.waitForReferencePendingList(Native Method)
	 at java.base@17.0.3/java.lang.ref.Reference.processPendingReferences(Reference.java:253)
	 at java.base@17.0.3/java.lang.ref.Reference$ReferenceHandler.run(Reference.java:215)
	
	Thread[main,5,main]
	 at com.code_intelligence.jazzer.runtime.TraceDataFlowNativeCallbacks.traceCmpInt(Native Method)
	 at com.code_intelligence.jazzer.runtime.TraceDataFlowNativeCallbacks.traceCmpInt(TraceDataFlowNativeCallbacks.java:47)
	 at app//org.springframework.boot.json.BasicJsonParser.tokenize(BasicJsonParser.java:118)
	 at app//org.springframework.boot.json.BasicJsonParser.parseListInternal(BasicJsonParser.java:53)
	 at app//org.springframework.boot.json.BasicJsonParser.parseInternal(BasicJsonParser.java:61)
	 at app//org.springframework.boot.json.BasicJsonParser.parseListInternal(BasicJsonParser.java:54)
	 at app//org.springframework.boot.json.BasicJsonParser.parseInternal(BasicJsonParser.java:61)
	 at app//org.springframework.boot.json.BasicJsonParser.parseListInternal(BasicJsonParser.java:54)
	 at app//org.springframework.boot.json.BasicJsonParser.parseInternal(BasicJsonParser.java:61)
	 at app//org.springframework.boot.json.BasicJsonParser.parseListInternal(BasicJsonParser.java:54)
	(...)
	 at app//org.springframework.boot.json.BasicJsonParser.parseInternal(BasicJsonParser.java:61)
	 at app//org.springframework.boot.json.BasicJsonParser.parseListInternal(BasicJsonParser.java:54)
	 at app//org.springframework.boot.json.BasicJsonParser.parseInternal(BasicJsonParser.java:61)
	 at app//org.springframework.boot.json.BasicJsonParser.parseListInternal(BasicJsonParser.java:54)
	 at app//org.springframework.boot.json.BasicJsonParser$$Lambda$59/0x0000000800c84228.apply(Unknown Source)
	 at app//org.springframework.boot.json.AbstractJsonParser.trimParse(AbstractJsonParser.java:46)
	 at app//org.springframework.boot.json.AbstractJsonParser.parseList(AbstractJsonParser.java:40)
	 at app//org.springframework.boot.json.BasicJsonParser.lambda$parseList$1(BasicJsonParser.java:47)
	 at app//org.springframework.boot.json.BasicJsonParser$$Lambda$58/0x0000000800c84000.call(Unknown Source)
	 at app//org.springframework.boot.json.AbstractJsonParser.tryParse(AbstractJsonParser.java:53)
	 at app//org.springframework.boot.json.BasicJsonParser.parseList(BasicJsonParser.java:47)
	 at app//BasicJsonParserFuzzer.fuzzerTestOneInput(BasicJsonParserFuzzer.java:11)
	
	Thread[Common-Cleaner,8,InnocuousThreadGroup]
	 at java.base@17.0.3/java.lang.Object.wait(Native Method)
	 at java.base@17.0.3/java.lang.ref.ReferenceQueue.remove(ReferenceQueue.java:155)
	 at java.base@17.0.3/jdk.internal.ref.CleanerImpl.run(CleanerImpl.java:140)
	 at java.base@17.0.3/java.lang.Thread.run(Thread.java:833)
	 at java.base@17.0.3/jdk.internal.misc.InnocuousThread.run(InnocuousThread.java:162)
	
	Garbage collector stats:
	
	PS MarkSweep: 6 collections took 473ms
	PS Scavenge: 18 collections took 626ms
	
	SUMMARY: libFuzzer: timeout
@philwebb
Member Author

repeated-open-array.txt

@philwebb philwebb added this to the 2.6.x milestone Jul 26, 2022
@philwebb
Member Author

Thanks to Patrice Salathe for finding this issue

@philwebb philwebb changed the title BasicJsonParser can fail with a timeout BasicJsonParser can fail with a timeout or stackoverflow with malformed map JSON Jul 26, 2022
@snicoll snicoll modified the milestones: 2.6.x, 2.6.11 Jul 26, 2022
@snicoll snicoll added the type: bug A general bug label Jul 26, 2022