CVE-2022-24795 #239

anticomputer · 2022-04-06T18:32:06Z

Hello, I am a member of the GitHub Security team and am seeking a maintainer contact for this project with regards to GHSA-jj47-x69x-mxrm

We were unable to establish contact with a maintainer for this project during the coordinated disclosure process for CVE-2022-24795. If this project is still actively maintained, we'd like to offer our assistance in getting this issue resolved in your library. If it is no longer actively maintained, we recommend archiving this repository.

robohack · 2022-04-06T19:55:28Z

I'm actively maintaining a derived version at https://github.com/robohack/yajl/ (on the default branch "bsdmake").

I'm not sure what this could mean for lloyd/yajl, except to say that I would not be opposed to archiving it.

(as lloyd/yajl, and thus so far my own variant, do not directly do their own memory allocation error checking, I think the simple quick hack is to add a basic assert(), and a safer fix would be a direct call to abort(); though also allowing greater than 2^31 byte buffers on 32-bit platforms through use of a non-exponential size increment might be appropriate)

anticomputer · 2022-04-06T20:02:30Z

👋 @robohack you can find our patches for the 1.x branch included with yajl-ruby here

robohack · 2022-04-06T20:22:13Z

Actually I take that suggestion for calling abort() back. (The assert() is still useful of course, but can't be expected to be enabled in all circumstances.)

The best general solution is to recommend that a user-supplied realloc call do whatever error handling it would do for a realloc() failure whenever an allocation of zero bytes is requested.

There was an integer overflow in yajl_buf_ensure_available() leading to allocating less memory than requested. Then data were written past the allocated heap buffer in yajl_buf_append(), the only caller of yajl_buf_ensure_available(). Another result of the overflow was an infinite loop without a return from yajl_buf_ensure_available(). yajl-ruby project, which bundles yajl, fixed it <brianmario/yajl-ruby#211> by checking for the integer overflow, fortifying buffer allocations, and report the failures to a caller. But then the caller yajl_buf_append() skips a memory write if yajl_buf_ensure_available() failed leading to a data corruption. A yajl fork mainter recommended calling memory allocation callbacks with the large memory request and let them to handle it. But that has the problem that it's not possible pass the overely large size to the callbacks. This patch catches the integer overflow and terminates the process with abort(). lloyd#239 GHSA-jj47-x69x-mxrm

There was an integer overflow in yajl_buf_ensure_available() leading to allocating less memory than requested. Then data were written past the allocated heap buffer in yajl_buf_append(), the only caller of yajl_buf_ensure_available(). Another result of the overflow was an infinite loop without a return from yajl_buf_ensure_available(). yajl-ruby project, which bundles yajl, fixed it <brianmario/yajl-ruby#211> by checking for the integer overflow, fortifying buffer allocations, and report the failures to a caller. But then the caller yajl_buf_append() skips a memory write if yajl_buf_ensure_available() failed leading to a data corruption. A yajl fork mainter recommended calling memory allocation callbacks with the large memory request and let them to handle it. But that has the problem that it's not possible pass the overely large size to the callbacks. This patch catches the integer overflow and terminates the process with abort(). lloyd#239 GHSA-jj47-x69x-mxrm (cherry picked from commit 23cea2d in https://github.com/ppisar/yajl)

There was an integer overflow in yajl_buf_ensure_available() leading to allocating less memory than requested. Then data were written past the allocated heap buffer in yajl_buf_append(), the only caller of yajl_buf_ensure_available(). Another result of the overflow was an infinite loop without a return from yajl_buf_ensure_available(). yajl-ruby project, which bundles yajl, fixed it <brianmario/yajl-ruby#211> by checking for the integer overflow, fortifying buffer allocations, and report the failures to a caller. But then the caller yajl_buf_append() skips a memory write if yajl_buf_ensure_available() failed leading to a data corruption. A yajl fork mainter recommended calling memory allocation callbacks with the large memory request and let them to handle it. But that has the problem that it's not possible pass the overely large size to the callbacks. This patch catches the integer overflow and terminates the process with abort(). GHSA-jj47-x69x-mxrm Origin: ppisar/yajl@23cea2d Bug: lloyd/yajl#239 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036

An integer overflow will lead to heap memory corruption with large (~2GB) inputs. Origin: ppisar@23cea2d Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036 Bug: lloyd#239

Neustradamus · 2024-12-12T21:04:43Z

A long time ago, I have done a ticket:

New version? Vulns? #219

An integer overflow will lead to heap memory corruption with large (~2GB) inputs. Origin: ppisar@23cea2d Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036 Bug: lloyd#239

ppisar mentioned this issue Apr 7, 2022

Fix CVE-2022-24795 #240

Open

QuLogic mentioned this issue Apr 9, 2022

CVE-2022-24795: heap-based buffer overflow when handling large inputs due to an integer overflow jeroen/jsonlite#388

Open

ayin1551 mentioned this issue Jun 6, 2022

CVE-2022-24795 openEuler-BaseService/yajl#7

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2022-24795 #239

CVE-2022-24795 #239

anticomputer commented Apr 6, 2022

robohack commented Apr 6, 2022

anticomputer commented Apr 6, 2022

robohack commented Apr 6, 2022

Neustradamus commented Dec 12, 2024

CVE-2022-24795 #239

CVE-2022-24795 #239

Comments

anticomputer commented Apr 6, 2022

robohack commented Apr 6, 2022

anticomputer commented Apr 6, 2022

robohack commented Apr 6, 2022

Neustradamus commented Dec 12, 2024