[ https://issues.apache.org/jira/browse/FELIX-6592?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Henry Lin updated FELIX-6592:
-----------------------------
    Description: 
Dear Apache Felix Dev developers,

Fuzzing has found a stack overflow in OSS-Fuzz with JVM Fuzzer Jazzer in Apache 
Felix Dev. We have reviewed the finding and consider it security-related due to 
the potential of a denial of service.

Part of the crash stack trace:

== Java Exception: com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow: Stack overflow (use '-Xss921k' to reproduce)
    at org.apache.felix.utils.json.JSONParser.parseValue(JSONParser.java:124)
Caused by: java.lang.StackOverflowError
    at java.base/java.lang.String.trim(String.java:2681)
    at org.apache.felix.utils.json.JSONParser.parseKeyValueListRaw(JSONParser.java:215)
    at org.apache.felix.utils.json.JSONParser.parseListValuesRaw(JSONParser.java:278)
    at org.apache.felix.utils.json.JSONParser.parseValue(JSONParser.java:123)
    at org.apache.felix.utils.json.JSONParser.parseValue(JSONParser.java:124)
    at org.apache.felix.utils.json.JSONParser.parseValue(JSONParser.java:124)
    ...

We have included a reproducer zip which contains a README file that describes 
how to reproduce the issue.

We would appreciate it if you could take a look at the findings. Do you see a 
risk that this might be exploited by untrusted input?

OSS-Fuzz Issue: [https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51725]

Hint: The provided OSS-Fuzz Issue links are only accessible if the issue gets 
fixed or if you are the maintainer of the OSS-Fuzz project.

Fuzz target: 
[https://github.com/google/oss-fuzz/blob/master/projects/apache-felix-dev/JSONParserFuzzer.java]
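The trace above is the classic recursive-descent pattern: parseValue calls parseListValuesRaw or parseKeyValueListRaw, which call parseValue again, so an attacker-chosen nesting depth decides how deep the thread stack grows. The following is an added illustration, written for this page and not code from the Felix JSONParser or the OSS-Fuzz target: a small JSON parser with the same mutual recursion, run once without a nesting limit (reproducing the crash class, with Python's RecursionError standing in for java.lang.StackOverflowError) and once with a depth cap that rejects the input cleanly before recursing. The limit of 64, the class names and the sample documents are all constructed for the example.

```python
# Added illustration (not the Felix JSONParser): a depth-bounded
# recursive-descent JSON parser with the same value -> container -> value
# recursion shown in the stack trace, plus an unbounded mode for contrast.
import re

MAX_DEPTH = 64  # assumed limit; size it to the deepest legitimate document
_NUMBER = re.compile(r"-?\d+(\.\d+)?([eE][-+]?\d+)?")
_LITERALS = {"true": True, "false": False, "null": None}


class NestingTooDeep(ValueError):
    """Input nests deeper than the configured limit; rejected before recursing."""


class TinyJSONParser:
    def __init__(self, text, max_depth=None):
        self.text, self.pos = text, 0
        self.max_depth = max_depth  # None = bounded only by the thread stack

    def parse(self):
        value = self._parse_value(0)
        self._skip_ws()
        if self.pos != len(self.text):
            raise ValueError(f"trailing data at offset {self.pos}")
        return value

    def _skip_ws(self):
        while self.pos < len(self.text) and self.text[self.pos] in " \t\r\n":
            self.pos += 1

    def _peek(self):
        return self.text[self.pos] if self.pos < len(self.text) else ""

    def _next(self):
        c = self._peek()
        self.pos += 1
        return c

    def _parse_value(self, depth):
        # The mitigation: refuse to recurse past the limit instead of letting
        # attacker-chosen nesting decide how deep the call stack grows.
        if self.max_depth is not None and depth > self.max_depth:
            raise NestingTooDeep(f"nesting exceeds {self.max_depth} levels")
        self._skip_ws()
        c = self._peek()
        if c == "":
            raise ValueError("unexpected end of input")
        if c == "[":
            return self._parse_array(depth)
        if c == "{":
            return self._parse_object(depth)
        if c == '"':
            return self._parse_string()
        return self._parse_scalar()

    def _parse_array(self, depth):
        self.pos += 1  # consume '['
        items = []
        self._skip_ws()
        if self._peek() == "]":
            self.pos += 1
            return items
        while True:
            items.append(self._parse_value(depth + 1))  # one level deeper
            self._skip_ws()
            c = self._next()
            if c == "]":
                return items
            if c != ",":
                raise ValueError(f"expected ',' or ']' at offset {self.pos - 1}")

    def _parse_object(self, depth):
        self.pos += 1  # consume '{'
        obj = {}
        self._skip_ws()
        if self._peek() == "}":
            self.pos += 1
            return obj
        while True:
            self._skip_ws()
            if self._peek() != '"':
                raise ValueError(f"expected string key at offset {self.pos}")
            key = self._parse_string()
            self._skip_ws()
            if self._next() != ":":
                raise ValueError(f"expected ':' at offset {self.pos - 1}")
            obj[key] = self._parse_value(depth + 1)  # one level deeper
            self._skip_ws()
            c = self._next()
            if c == "}":
                return obj
            if c != ",":
                raise ValueError(f"expected ',' or '}}' at offset {self.pos - 1}")

    def _parse_string(self):
        self.pos += 1  # consume opening quote; escapes are kept raw here
        start = self.pos
        while True:
            c = self._next()
            if c == "":
                raise ValueError("unterminated string")
            if c == "\\":
                self.pos += 1  # skip the escaped character
            elif c == '"':
                return self.text[start:self.pos - 1]

    def _parse_scalar(self):
        start = self.pos
        while self.pos < len(self.text) and self.text[self.pos] not in ",]} \t\r\n":
            self.pos += 1
        token = self.text[start:self.pos]
        if token in _LITERALS:
            return _LITERALS[token]
        if not _NUMBER.fullmatch(token):
            raise ValueError(f"invalid token {token!r} at offset {start}")
        return float(token) if any(ch in token for ch in ".eE") else int(token)


def classify(text, max_depth=MAX_DEPTH):
    """'ok', 'too_deep' (clean rejection) or 'stack_exhausted' (RecursionError,
    Python's counterpart of java.lang.StackOverflowError)."""
    try:
        TinyJSONParser(text, max_depth).parse()
        return "ok"
    except NestingTooDeep:
        return "too_deep"
    except RecursionError:
        return "stack_exhausted"


# Constructed inputs: a realistic document, and a minimised crasher with the
# object -> list -> object shape seen in the trace, 4000 levels deep, which
# far exceeds CPython's default recursion limit of 1000 frames.
NORMAL_DOC = '{"bundles": [{"id": 1, "state": "ACTIVE"}, {"id": 2, "state": "RESOLVED"}]}'
DEEP_DOC = '{"k":[' * 2000 + ']}' * 2000
```

`classify(DEEP_DOC)` returns `"too_deep"` because the bounded parser stops at level 65 without ever touching the deep part of the input, while `classify(DEEP_DOC, None)` returns `"stack_exhausted"` after the unbounded parser exhausts the interpreter stack, which is the behaviour the fuzzer flagged. The same fix applies to the Java code: thread a depth counter through parseValue and its two helpers and throw a checked parse error once it passes a configured bound, so a hostile document costs the caller one exception rather than a thread.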

> Stack overflow finding found by OSS-Fuzz
> ----------------------------------------
>
>                 Key: FELIX-6592
>                 URL: https://issues.apache.org/jira/browse/FELIX-6592
>             Project: Felix
>          Issue Type: Bug
>            Reporter: Henry Lin
>            Priority: Major
>         Attachments: 51725-apache-felix-dev-JSONParserFuzzer.zip

--
This message was sent by Atlassian Jira
(v8.20.10#820010)