Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix buffer overflows (CVE-2021-45958) #519

Merged
merged 11 commits into from Apr 5, 2022
Merged

Fix buffer overflows (CVE-2021-45958) #519

merged 11 commits into from Apr 5, 2022

Conversation

JustAnotherArchivist
Copy link
Collaborator

Fixes #334
Fixes #501
Fixes #502
Fixes #503

This is a replacement of #504 and should properly fix the buffer overflows. In addition to @bwoodsend's changes in that PR, this is a rewrite of the buffer reservation calls from scratch and fixes a bug in the debug buffer check (RESERVE_STRING includes the double quotes around a string, so the check for adding one character would fail in certain conditions when addition was actually safe because it would check for 8 bytes instead of 6). I also widened the test cases from #501 and #503 so they wouldn't become obsolete on possible future default output format changes. Rebased onto main due to the black/Click incompatibility failing tests as well.

bwoodsend and others added 7 commits April 5, 2022 02:43
@bwoodsend @JustAnotherArchivist
Fix unchecked buffer overflows (CVE-2021-45958).
60929c2 
Add a few extra memory reserve calls to account for the extra space that
indentation needs.

These kinds of memory issues are hard to spot because the buffer is resized in
powers of 2 meaning that a miscalculation would only show any symptoms if the
required buffer size is estimated to be just below a 2 power but is actually
just above. Add a debug mode which replaces the 2 power scheme with reserving
only the memory explicitly requested and adds some overflow checks.
@bwoodsend @JustAnotherArchivist
Add a fuzzing test to search for segfaults in encoding.
62e4853
@bwoodsend @JustAnotherArchivist
Remove the hidden JSON_NO_EXTRA_WHITESPACE compile knob.
22ca5dc 
Unsetting it can lead to seg-faults. I don't think it's worth having to fix and
then test this undocumented permutation.
@bwoodsend @JustAnotherArchivist
Fix some more seg-faults on encoding.
3151be2
@bwoodsend @JustAnotherArchivist
Add fuzz test to CI/CD.
fdfb9f4
@JustAnotherArchivist
Refactor buffer reservations to ensure sufficient space on all additions
7039d60 
* Removed the reservations in Buffer_EscapeStringUnvalidated and Buffer_EscapeStringValidated as those are not needed and may hide other bugs.
* Debug check in Buffer_EscapeStringValidated was triggering incorrectly.
* The reservation on JT_RAW was much larger than necessary; the value is copied directly, so the factor six is not needed, and this may hide other bugs.
* Explicit accurate reservations everywhere else.
@JustAnotherArchivist
Widen tests to cover more possible buffer overflows
36ffcc8 
If the default output format changes in the future (e.g. `separators` as in the standard library), these tests would otherwise become irrelevant.
@codecov-commenter
Copy link

codecov-commenter commented Apr 5, 2022
edited

Codecov Report

Merging #519 (36ffcc8) into main (881ee93) will increase coverage by 0.22%.
The diff coverage is 97.05%.

@@            Coverage Diff             @@
##             main     #519      +/-   ##
==========================================
+ Coverage   90.41%   90.63%   +0.22%     
==========================================
  Files           6        6              
  Lines        1752     1783      +31     
==========================================
+ Hits         1584     1616      +32     
+ Misses        168      167       -1
Impacted Files Coverage Δ
lib/ultrajsonenc.c 84.97% <93.33%> (+0.74%) ⬆️
tests/test_ujson.py 99.58% <100.00%> (+0.01%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 881ee93...36ffcc8. Read the comment docs.

@JustAnotherArchivist JustAnotherArchivist mentioned this pull request Apr 5, 2022
Closed
hugovk
hugovk reviewed Apr 5, 2022
View reviewed changes
Copy link
Member

@hugovk hugovk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Few suggestions on the CI.

.github/workflows/fuzz.yml Outdated Show resolved Hide resolved
.github/workflows/fuzz.yml

- name: Install
run: |
python -m pip install -U pip
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting there's a Python available without actions/setup-python, looks like it has Python 3.8.

In any case, shall we include an explicit actions/setup-python so we don't get any surprises when the version changes? Can we use 3.10?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ubuntu ships a Python with it - that's the one that's there by default. It'll get upgraded whenever a new ubuntu image is added to GitHub Actions and ubuntu-latest shifts. It's a complete Python3+pip environment and this test shouldn't be Python version dependent so I'd be happy to use it as is.

.github/workflows/test.yml Outdated Show resolved Hide resolved
.github/workflows/test.yml Outdated Show resolved Hide resolved
tests/fuzz.py Outdated Show resolved Hide resolved
JustAnotherArchivist and others added 4 commits April 5, 2022 17:41
@JustAnotherArchivist @hugovk
actions/checkout@v3
968fb16 
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
@JustAnotherArchivist @hugovk
Clearer pytest command
3944dae 
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
@JustAnotherArchivist @hugovk
python -m pytest
9b50121 
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
@JustAnotherArchivist @hugovk
Remove shebang
7dd7429 
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
@hugovk hugovk added the changelog: Fixed For any bug fixes label Apr 5, 2022
@bwoodsend bwoodsend merged commit f6860f1 into ultrajson:main Apr 5, 2022
@bwoodsend
Copy link
Collaborator

Nice one @JustAnotherArchivist. @hugovk How long (if at all) do we need to twiddle our thumbs before pushing the release?

@bwoodsend bwoodsend mentioned this pull request Apr 5, 2022
Open
@hugovk
Copy link
Member

hugovk commented Apr 5, 2022

Release early, release often!

We can do one right now if you're ready, it's just three clicks away!

(https://github.com/ultrajson/ultrajson/blob/main/RELEASING.md)

Would you like to do the honours?

@bwoodsend
Copy link
Collaborator

Button is pressed. That's scarily streamlined.

@hugovk
Copy link
Member

hugovk commented Apr 6, 2022

This is now released as 5.2.0:

Thank you very much @bwoodsend and @JustAnotherArchivist for the PR and also to @gsnedders for your help with reviews!

adrianeboyd added a commit to adrianeboyd/srsly that referenced this pull request Apr 8, 2022
@adrianeboyd
Port ultrajson/ultrajson#519 (Fix buffer overflows)
a69dbb3 
Port fixes and unit tests from ultrajson/ultrajson#519 to fix buffer
overflows (CVE-2021-45958)
adrianeboyd added a commit to adrianeboyd/srsly that referenced this pull request Apr 8, 2022
@adrianeboyd
Port ultrajson/ultrajson#519 (Fix buffer overflows)
6479497 
Port fixes and unit tests from ultrajson/ultrajson#519 to fix buffer
overflows (CVE-2021-45958)
@adrianeboyd adrianeboyd mentioned this pull request Apr 8, 2022
Merged
adrianeboyd added a commit to explosion/srsly that referenced this pull request Apr 12, 2022
@adrianeboyd
Merge pull request #62 from adrianeboyd/backport/ultrajson-519
63a8a1c 
Port ultrajson/ultrajson#519 (Fix buffer overflows)
@asherf asherf mentioned this pull request Apr 14, 2022
Closed
@JustAnotherArchivist JustAnotherArchivist mentioned this pull request May 18, 2022
Closed
@JustAnotherArchivist JustAnotherArchivist mentioned this pull request Jul 2, 2022
Closed
@sync-by-unito sync-by-unito bot mentioned this pull request Jul 11, 2022
Closed
adrianeboyd added a commit to adrianeboyd/srsly that referenced this pull request Jul 18, 2023
@adrianeboyd
Port ultrajson/ultrajson#519 (Fix buffer overflows)
de709a4 
Port fixes and unit tests from ultrajson/ultrajson#519 to fix buffer
overflows (CVE-2021-45958)
adrianeboyd added a commit to adrianeboyd/srsly that referenced this pull request Jul 18, 2023
@adrianeboyd
Port ultrajson/ultrajson#519 (Fix buffer overflows)
74a13f2 
Port fixes and unit tests from ultrajson/ultrajson#519 to fix buffer
overflows (CVE-2021-45958)
adrianeboyd added a commit to adrianeboyd/srsly that referenced this pull request Jul 18, 2023
@adrianeboyd
Port ultrajson/ultrajson#519 (Fix buffer overflows)
dc85aa0 
Port fixes and unit tests from ultrajson/ultrajson#519 to fix buffer
overflows (CVE-2021-45958)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hugovk hugovk hugovk approved these changes

@bwoodsend bwoodsend bwoodsend approved these changes

Assignees
No one assigned
Labels
changelog: Fixed For any bug fixes
Projects
None yet
Milestone
No milestone
4 participants
@JustAnotherArchivist @codecov-commenter @bwoodsend @hugovk