Red Hat Bugzilla – Bug 1276036
Crash on QMP input exceeding limits
Last modified: 2016-11-03 16:06:54 EDT
+++ This bug was initially created as a clone of Bug #1276032 +++ Description of problem: The QMP parser attempts to limit nesting depth and input size to defend against input triggering excessive heap or stack memory use. However, it crashes when the nesting depth limit is exceeded. I suspect it also crashes when the input size is exceeded, but haven't actually tested. This is a regression since RHEL-6. How reproducible: Always Steps to Reproduce: 1. Run with a QMP monitor, e.g. $ qemu-kvm -nodefaults -S -display none -qmp stdio 2. Input at least 1025 left braces Actual results: ERROR:/home/armbru/work/qemu-kvm-rhev7/qobject/json-parser.c:295:parser_context_peek_token: assertion failed: (ctxt->tokens.pos < ctxt->tokens.count) Aborted (core dumped) Expected results: Same behavior as in RHEL-6, i.e. {"error": {"class": "JSONParsing", "desc": "Invalid JSON syntax", "data": {}}} Additional info: It's really the 1025-th left brace. 1024 left braces followed by 1024 right braces doesn't crash. Broken upstream in commit 65c0f1e "json-parser: don't replicate tokens at each level of recursion", v1.2.0.
Proposed upstream fix: http://lists.gnu.org/archive/html/qemu-devel/2015-11/msg04518.html Related bug: the parser is a ridiculous memory hog. If we get that fixed upstream together with this bug, I'll widen this bug's scope to cover it. If not, I'll file a new one.
Both the crash and the excessive memory use have been fixed upstream: df64983 qjson: Limit number of tokens in addition to total size 9bada89 qjson: surprise, allocating 6 QObjects per token is expensive 95385fe qjson: store tokens in a GQueue d538b25 qjson: Convert to parser to recursive descent d2ca7c0 qjson: replace QString in JSONLexer with GString 6b9606f qjson: Inline token_is_escape() and simplify 50e2a46 qjson: Inline token_is_keyword() and simplify c546166 qjson: Give each of the six structural chars its own token type b8d3b1d qjson: Spell out some silent assumptions f0ae030 check-qjson: Add test for JSON nesting depth limit 0753113 qjson: Don't crash when input exceeds nesting limit 4f2d31f qjson: Apply nesting limit more sanely
Fix included in qemu-kvm-1.5.3-121.el7
Reproduce this bug on: qemu-kvm-1.5.3-105.el7.x86_64 Steps: 1. Run qemu with a qmp monitor. # /usr/libexec/qemu-kvm -nodefaults -S -display none -qmp stdio {"QMP": {"version": {"qemu": {"micro": 3, "minor": 5, "major": 1}, "package": " (qemu-kvm-1.5.3-105.el7)"}, "capabilities": []}} 2. Input 1025 left braces. {{{{{{{{{{{{{... Results: Qemu aborted with following error. ** ERROR:qobject/json-parser.c:295:parser_context_peek_token: assertion failed: (ctxt->tokens.pos < ctxt->tokens.count) Aborted Verify this bug on: qemu-kvm-1.5.3-121.el7.x86_64 Steps: 1. Run qemu with a qmp monitor. # /usr/libexec/qemu-kvm -nodefaults -S -display none -qmp stdio {"QMP": {"version": {"qemu": {"micro": 3, "minor": 5, "major": 1}, "package": " (qemu-kvm-1.5.3-121.el7)"}, "capabilities": []}} 2. Input 1025 left braces. {{{{{{{{{{{{{... Results: 1. qemu not aborted and there is error in qmp. {"error": {"class": "GenericError", "desc": "Invalid JSON syntax"}} 2. qemu not crash with 1025 left braces and 1024 right braces, got same error as above. Please be free to correct if there is any problem. Thanks.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-2585.html