Stackoverflow CVE-2022-40151 #314

Closed
henryrneh opened this issue Oct 24, 2022 · 6 comments

@henryrneh

Dear xstream maintainers and users,

the following zip contains crashing input, stacktrace, the fuzz target and all the information needed to reproduce CVE-2022-40151.

Please have a look and contact us if you need more information, thanks.

47367.zip

@0roman

0roman commented Oct 24, 2022

There seems to be some recursion possible in

public Object convertAnother(final Object parent, Class<?> type, Converter converter) {

Snippet of the stacktrace of using the crashing input:

== Java Exception: com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow: Stack overflow (use '-Xss921k' to reproduce)
    at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readCompleteItem(AbstractCollectionConverter.java:152)
    at com.thoughtworks.xstream.converters.collections.ArrayConverter.unmarshal(ArrayConverter.java:57)
    at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:74)
    at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:76)
    at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:68)
    at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:52)
    at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readBareItem(AbstractCollectionConverter.java:137)
    at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readItem(AbstractCollectionConverter.java:122)
Caused by: java.lang.StackOverflowError
    at io.github.xstream.mxparser.MXParser.more(MXParser.java:3088)
    at io.github.xstream.mxparser.MXParser.parseStartTag(MXParser.java:1742)
    at io.github.xstream.mxparser.MXParser.nextImpl(MXParser.java:1138)
    at io.github.xstream.mxparser.MXParser.next(MXParser.java:1104)
    at com.thoughtworks.xstream.io.xml.XppReader.pullNextEvent(XppReader.java:113)
    at com.thoughtworks.xstream.io.xml.AbstractPullReader.readRealEvent(AbstractPullReader.java:156)
    at com.thoughtworks.xstream.io.xml.AbstractPullReader.readEvent(AbstractPullReader.java:143)
    at com.thoughtworks.xstream.io.xml.AbstractPullReader.hasMoreChildren(AbstractPullReader.java:88)
    at com.thoughtworks.xstream.io.ReaderWrapper.hasMoreChildren(ReaderWrapper.java:34)
    at com.thoughtworks.xstream.converters.collections.ArrayConverter.unmarshal(ArrayConverter.java:56)
    at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:74)
    at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:76)
    at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:68)
    at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:52)
    at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readBareItem(AbstractCollectionConverter.java:137)
    at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readItem(AbstractCollectionConverter.java:122)
    at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readCompleteItem(AbstractCollectionConverter.java:152)
    at com.thoughtworks.xstream.converters.collections.ArrayConverter.unmarshal(ArrayConverter.java:57)
    at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:74)
    at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:76)
    at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:68)
    at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:52)
    at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readBareItem(AbstractCollectionConverter.java:137)
    at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readItem(AbstractCollectionConverter.java:122)
    at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readCompleteItem(AbstractCollectionConverter.java:152)
    at com.thoughtworks.xstream.converters.collections.ArrayConverter.unmarshal(ArrayConverter.java:57)
    at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:74)
    at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:76)
    at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:68)
    at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:52)
    ...

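The recursion 0roman points at above (ArrayConverter.unmarshal → convertAnother → ArrayConverter.unmarshal again, one set of frames per nesting level) is easiest to keep out of production by refusing over-deep documents before XStream's tree unmarshaller ever touches them. What follows is an added example, not code from the xstream project or from anyone in this thread: it builds a nested <object-array> payload of the shape the stacktrace shows (the real fuzzer input is in the attached zip), measures element depth with the JDK's StAX pull parser, which loops rather than recurses, and only then calls XStream. The class and method names, the limit of 64 and the test depth of 100,000 are assumptions made for the illustration; XStream.fromXML and XStream.allowTypes are the library's own 1.4.x API.

```java
import java.io.StringReader;

import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

import com.thoughtworks.xstream.XStream;

/**
 * Added example (not XStream project code): bound element nesting before the
 * recursive unmarshaller sees the document. Names here are illustrative.
 */
public class NestingGuard {

    /** Assumed limit; pick it from the deepest object graph the application legitimately accepts. */
    static final int MAX_DEPTH = 64;

    /** Constructed input: `depth` nested <object-array> elements, the shape the stacktrace recurses on. */
    static String nestedArrays(int depth) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < depth; i++) {
            sb.append("<object-array>");
        }
        for (int i = 0; i < depth; i++) {
            sb.append("</object-array>");
        }
        return sb.toString();
    }

    /**
     * Streams over the document with StAX (iterative, constant stack) and returns the
     * maximum element depth, throwing IllegalArgumentException as soon as maxDepth is exceeded.
     */
    static int maxElementDepth(String xml, int maxDepth) throws XMLStreamException {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        // The guard must not open its own attack surface: no DTDs, no external entities.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        int depth = 0;
        int max = 0;
        try {
            while (reader.hasNext()) {
                int event = reader.next();
                if (event == XMLStreamConstants.START_ELEMENT) {
                    depth++;
                    if (depth > maxDepth) {
                        throw new IllegalArgumentException("element nesting exceeds " + maxDepth);
                    }
                    max = Math.max(max, depth);
                } else if (event == XMLStreamConstants.END_ELEMENT) {
                    depth--;
                }
            }
        } finally {
            reader.close();
        }
        return max;
    }

    /** Guarded entry point: over-deep input is rejected before XStream allocates a single frame for it. */
    static Object guardedFromXML(XStream xstream, String xml) throws XMLStreamException {
        maxElementDepth(xml, MAX_DEPTH);
        return xstream.fromXML(xml);
    }

    public static void main(String[] args) throws Exception {
        XStream xstream = new XStream();
        // With the default allow list active, Object[] must be permitted for <object-array> to unmarshal at all.
        xstream.allowTypes(new Class[] { Object[].class });

        Object[] ok = (Object[]) guardedFromXML(xstream, nestedArrays(10));
        System.out.println("depth 10 accepted, outer array length " + ok.length);

        String deep = nestedArrays(100_000);
        try {
            guardedFromXML(xstream, deep);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected before unmarshalling: " + e.getMessage());
        }

        // The same input handed straight to XStream: on an affected version this is the reported crash.
        try {
            xstream.fromXML(deep);
        } catch (StackOverflowError e) {
            System.out.println("unguarded fromXML overflowed the stack");
        }
    }
}
```

The guard costs a second pass over the bytes but never grows the stack with the input, so the limit can be set from what the application actually needs rather than from whatever depth a given -Xss happens to survive. Catching StackOverflowError, as the last block does, is only there to show the contrast; it is not a substitute for the check, because the JVM's state after an overflow inside a library is not something to build on.
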
@joehni
Member

joehni commented Nov 15, 2022

@henryrneh: Thanks for providing the test case here, you did not attach it sending the private mail to me.

joehni self-assigned this Nov 15, 2022
joehni added the bug label Nov 15, 2022
joehni added this to the 1.4.x milestone Nov 15, 2022
@tedyyu

tedyyu commented Nov 29, 2022

another vulnerability also reported: https://nvd.nist.gov/vuln/detail/CVE-2022-40152
Guess most of us need a new release to fix both...

@joehni
Member

joehni commented Nov 29, 2022

This report is simply rubbish! #304

@cesarhernandezgt

@tedyyu

another vulnerability also reported: https://nvd.nist.gov/vuln/detail/CVE-2022-40152 Guess most of us need a new release to fix both...

CVE-2022-40152 is not directly related to XStream: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40152.
My recommendation is to check more than one CVE database and catch up with the conversations in the threads, github issues, and mailing list, as pointed out in #304.

@tedyyu

tedyyu commented Dec 2, 2022

Thanks for the link, now I get the full picture. @joehni @cesarhernandezgt
