[
https://issues.apache.org/jira/browse/LOG4J2-3535?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Pascal Koeiman updated LOG4J2-3535:
-----------------------------------
Description:
I believe this is a similar issue to what's listed here, although there it is
deemed fixed in 2.17.0: https://issues.apache.org/jira/browse/LOG4J2-3230
Using Code Intelligence's fuzz testing tool
([Jazzer|https://github.com/CodeIntelligenceTesting/jazzer]), the exception was
found by having the tool pass in generated strings to the *replace* method of
the *StrSubstitutor* class. See also the message below:
{{== Java Exception: java.lang.IllegalStateException: Infinite loop in property
interpolation of $\{k:{-}$}ߤ{$\{$k:{-}${$k}߀��$}����:$����$}����-: $k
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.checkCyclicSubstitution(StrSubstitutor.java:1087)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:1034)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:1047)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:912)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.replace(StrSubstitutor.java:467)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.replace(StrSubstitutor.java:451)
    at Log4jFuzzer.fuzzerTestOneInput(Log4jFuzzer.java:16)}}
In the attachments I included some files that can be used to try and reproduce
the issue. The lowercase crash file contains the input that the fuzzing tool
passed into the method.
was:
I believe this is a similar issue to what's listed here, although there it is
deemed fixed in 2.17.0: https://issues.apache.org/jira/browse/LOG4J2-3230
Using Code Intelligence's fuzz testing tool
([Jazzer|https://github.com/CodeIntelligenceTesting/jazzer]), the exception was
found by having the tool pass in generated strings to the *replace* method of
the *StrSubstitutor* class. See also the message below:
{{== Java Exception: java.lang.IllegalStateException: Infinite loop in property
interpolation of ${k:-$}ߤ\{${$k:-${$k}߀��$}����:$����$}����-: $k
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.checkCyclicSubstitution(StrSubstitutor.java:1087)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:1034)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:1047)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:912)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.replace(StrSubstitutor.java:467)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.replace(StrSubstitutor.java:451)
    at Log4jFuzzer.fuzzerTestOneInput(Log4jFuzzer.java:16)}}
> Certain strings passed into StrSubstitutor can cause "infinite loop in
> property interpolation"
> ----------------------------------------------------------------------------------------------
>
> Key: LOG4J2-3535
> URL: https://issues.apache.org/jira/browse/LOG4J2-3535
> Project: Log4j 2
> Issue Type: Bug
> Components: Core
> Affects Versions: 2.17.2
> Reporter: Pascal Koeiman
> Priority: Minor
> Attachments: Crash_e4372c5ba2ed2cdbd5d87cfd541a5bcae60fb274.java,
> crash-e4372c5ba2ed2cdbd5d87cfd541a5bcae60fb274, hhsJazzer.jar
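A harness of the kind the report describes, written here as an added example and not the reporter's attached Log4jFuzzer.java: it feeds fuzzer bytes to `StrSubstitutor.replace` and classifies the cyclic-substitution guard separately from any other exception, so a saved crash file can be replayed against different log4j-core versions. The class name, the map contents, the UTF-8 decoding and the `reportGuard` switch are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Map;
import org.apache.logging.log4j.core.lookup.StrSubstitutor;

// Added example; names and sample values are hypothetical, not from the issue.
public class StrSubstitutorReplay {
    enum Outcome { OK, CYCLE_GUARD }

    // -DreportGuard=true rethrows the guard exception so the fuzzer records it.
    static final boolean REPORT_GUARD = Boolean.getBoolean("reportGuard");

    static Outcome classify(String input) {
        Map<String, String> values = new HashMap<>();
        values.put("app", "demo"); // constructed lookup data
        StrSubstitutor substitutor = new StrSubstitutor(values);
        try {
            substitutor.replace(input);
            return Outcome.OK;
        } catch (IllegalStateException e) {
            String msg = e.getMessage();
            // Message prefix taken from the stack trace quoted in the issue.
            if (msg != null && msg.startsWith("Infinite loop in property interpolation")) {
                if (REPORT_GUARD) throw e;
                return Outcome.CYCLE_GUARD;
            }
            throw e; // any other IllegalStateException is a separate finding
        }
    }

    // Jazzer entry point (raw byte[] form); decoding as UTF-8 is an assumption.
    public static void fuzzerTestOneInput(byte[] data) {
        classify(new String(data, StandardCharsets.UTF_8));
    }

    // Replays saved inputs (for example a fuzzer crash file) outside the fuzzer.
    public static void main(String[] args) throws Exception {
        for (String path : args) {
            byte[] data = Files.readAllBytes(Paths.get(path));
            System.out.println(path + ": " + classify(new String(data, StandardCharsets.UTF_8)));
        }
    }
}
```

Run `main` with the crash file path and log4j-core on the classpath; other exceptions and hangs still surface, since only the guard message is caught.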