Bug 2072912 (CVE-2022-24795) - CVE-2022-24795 yajl: heap-based buffer overflow when handling large inputs due to an integer overflow
Keywords:
Status: NEW
Alias: CVE-2022-24795
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2072915 2072916 2072913 2072914 2074180 2074181 2074182 2074183
Blocks: 2072918
Reported: 2022-04-07 09:24 UTC by Vipul Nair
Modified: 2022-11-15 10:44 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the YAJL library in the way it reallocates a memory buffer to store more data. A very large input causes the value used to calculate the buffer size to overflow, resulting in a heap-based buffer overflow.
Clone Of:
Environment:
Last Closed:

Links
System                   | ID             | Private | Priority | Status | Summary        | Last Updated
Github lloyd yajl issues | 239            | 0       | None     | open   | CVE-2022-24795 | 2022-04-07 10:14:35 UTC
Red Hat Product Errata   | RHSA-2022:7524 | 0       | None     | None   | None           | 2022-11-08 09:26:38 UTC
Red Hat Product Errata   | RHSA-2022:8252 | 0       | None     | None   | None           | 2022-11-15 10:44:43 UTC

Description Vipul Nair 2022-04-07 09:24:00 UTC
yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32-bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf->alloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64-bit platforms; however, this does not preclude this issue triggering on 32-bit builds on which `size_t` is a 32-bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL.

References:
https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm
https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64
https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6
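The size computation the description refers to, recreated here as an added example (not yajl's or yajl-ruby's own code): a doubling loop on a 32-bit counter wraps to 0 once `need` reaches 0x80000000, beside a checked form that refuses the growth instead of handing a bogus size to realloc. The function names and the `len`/`used`/`want` parameters are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical re-creation of a doubling buffer-growth calculation with the
 * size tracked in a 32-bit unsigned integer (as on a 32-bit build).
 * len = current allocation, used = bytes already stored, want = bytes about
 * to be appended. Precondition: used <= len, len > 0.
 * Weak form: when need reaches 0x80000000 the shift wraps it to 0; the loop
 * condition then turns false because (need - used) wraps to a huge value,
 * so the caller would realloc to a tiny chunk and still copy `want` bytes
 * at offset `used`. Returns the size realloc would be asked for. */
uint32_t grow_unchecked(uint32_t len, uint32_t used, uint32_t want)
{
    uint32_t need = len;
    while (want >= need - used) {
        need <<= 1;
        if (need == 0)   /* wrapped: report the bogus size instead of spinning */
            break;
    }
    return need;
}

/* Hardened form: refuse to grow when either the total (used + want) or the
 * next doubling cannot be represented in 32 bits. Returns false on overflow
 * and writes the new size to *out on success. */
bool grow_checked(uint32_t len, uint32_t used, uint32_t want, uint32_t *out)
{
    uint32_t need = len;
    if (want > UINT32_MAX - used)       /* used + want itself would wrap */
        return false;
    while (want >= need - used) {
        if (need > UINT32_MAX / 2)      /* need << 1 would wrap */
            return false;
        need <<= 1;
    }
    *out = need;
    return true;
}

int main(void)
{
    uint32_t out = 0;
    /* constructed input: a 2 GB buffer that is nearly full, 2 more bytes wanted */
    printf("unchecked size: 0x%08x\n", grow_unchecked(0x80000000u, 0x7fffffffu, 2u));
    printf("checked:        %s\n",
           grow_checked(0x80000000u, 0x7fffffffu, 2u, &out) ? "grown" : "refused");
    return 0;
}
```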

Comment 1 Vipul Nair 2022-04-07 09:26:22 UTC
Created R-jsonlite tracking bugs for this issue:

Affects: fedora-all [bug 2072915]


Created libbson tracking bugs for this issue:

Affects: epel-7 [bug 2072913]
Affects: epel-all [bug 2072914]


Created yajl tracking bugs for this issue:

Affects: fedora-all [bug 2072916]

Comment 3 errata-xmlrpc 2022-11-08 09:26:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7524 https://access.redhat.com/errata/RHSA-2022:7524

Comment 4 errata-xmlrpc 2022-11-15 10:44:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8252 https://access.redhat.com/errata/RHSA-2022:8252
