Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Stackoverflow CVE-2022-40151 #314

Closed
henryrneh opened this issue Oct 24, 2022 · 6 comments
Closed

Stackoverflow CVE-2022-40151 #314

henryrneh opened this issue Oct 24, 2022 · 6 comments
Assignees
@joehni
Labels
bug
Milestone
1.4.20

Comments

@henryrneh
Copy link

Dear xstream maintainers and users,

the following zip contains crashing input, stacktrace, the fuzz target and all the information needed to reproduce CVE-2022-40151.

Please have a look and contact us if you need more information, thanks.

47367.zip
@henryrneh henryrneh mentioned this issue Oct 24, 2022
Closed
@0roman
Copy link

0roman commented Oct 24, 2022
edited
Loading

There seems to be some recursion possible in

xstream/xstream/src/java/com/thoughtworks/xstream/core/TreeUnmarshaller.java

Line 56 in cf61d54

public Object convertAnother(final Object parent, Class<?> type, Converter converter) {

Snippet of the stacktrace of using the crashing input:


== Java Exception: com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow: Stack overflow (use '-Xss921k' to reproduce)
--
  | at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readCompleteItem(AbstractCollectionConverter.java:152)
  | at com.thoughtworks.xstream.converters.collections.ArrayConverter.unmarshal(ArrayConverter.java:57)
  | at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:74)
  | at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:76)
  | at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:68)
  | at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:52)
  | at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readBareItem(AbstractCollectionConverter.java:137)
  | at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readItem(AbstractCollectionConverter.java:122)
  | Caused by: java.lang.StackOverflowError
  | at io.github.xstream.mxparser.MXParser.more(MXParser.java:3088)
  | at io.github.xstream.mxparser.MXParser.parseStartTag(MXParser.java:1742)
  | at io.github.xstream.mxparser.MXParser.nextImpl(MXParser.java:1138)
  | at io.github.xstream.mxparser.MXParser.next(MXParser.java:1104)
  | at com.thoughtworks.xstream.io.xml.XppReader.pullNextEvent(XppReader.java:113)
  | at com.thoughtworks.xstream.io.xml.AbstractPullReader.readRealEvent(AbstractPullReader.java:156)
  | at com.thoughtworks.xstream.io.xml.AbstractPullReader.readEvent(AbstractPullReader.java:143)
  | at com.thoughtworks.xstream.io.xml.AbstractPullReader.hasMoreChildren(AbstractPullReader.java:88)
  | at com.thoughtworks.xstream.io.ReaderWrapper.hasMoreChildren(ReaderWrapper.java:34)
  | at com.thoughtworks.xstream.converters.collections.ArrayConverter.unmarshal(ArrayConverter.java:56)
  | at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:74)
  | at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:76)
  | at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:68)
  | at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:52)
  | at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readBareItem(AbstractCollectionConverter.java:137)
  | at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readItem(AbstractCollectionConverter.java:122)
  | at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readCompleteItem(AbstractCollectionConverter.java:152)
  | at com.thoughtworks.xstream.converters.collections.ArrayConverter.unmarshal(ArrayConverter.java:57)
  | at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:74)
  | at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:76)
  | at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:68)
  | at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:52)
  | at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readBareItem(AbstractCollectionConverter.java:137)
  | at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readItem(AbstractCollectionConverter.java:122)
  | at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readCompleteItem(AbstractCollectionConverter.java:152)
  | at com.thoughtworks.xstream.converters.collections.ArrayConverter.unmarshal(ArrayConverter.java:57)
  | at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:74)
  | at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:76)
  | at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:68)
  | at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:52)
...

@basil basil mentioned this issue Nov 4, 2022
Closed
@joehni
Copy link
Member

joehni commented Nov 15, 2022

@henryrneh: Thanks for providing the test case here, you did not attach it sending the private mail to me.

@joehni joehni self-assigned this Nov 15, 2022
@joehni joehni added the bug label Nov 15, 2022
@joehni joehni added this to the 1.4.x milestone Nov 15, 2022
@tedyyu
Copy link

tedyyu commented Nov 29, 2022

another vulnerability also reported: https://nvd.nist.gov/vuln/detail/CVE-2022-40152
Guess most of us need a new release to fix both...

@joehni
Copy link
Member

joehni commented Nov 29, 2022

This report is simply rubbish! #304

@cesarhernandezgt
Copy link

@tedyyu

another vulnerability also reported: https://nvd.nist.gov/vuln/detail/CVE-2022-40152 Guess most of us need a new release to fix both...

CVE-2022-40152 is not directly related to stream: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40152.
My recommendation is to check more than one CVE database and catch up with the conversations in the threads, github issues, and mailing list, as pointed out in #304.

@tedyyu
Copy link

tedyyu commented Dec 2, 2022

Thanks for the link, now I get the full picture. @joehni @cesarhernandezgt

@dockter34 dockter34 mentioned this issue Dec 7, 2022
Closed
@joehni joehni closed this as completed Dec 23, 2022
@joehni joehni modified the milestones: 1.4.x, 1.4.20 Dec 23, 2022
joehni added a commit that referenced this issue Dec 23, 2022
@joehni
Document CVE-2022-40151 and add a test case. Closes #314.
fe215b3
joehni added a commit that referenced this issue Dec 29, 2022
@joehni
Document CVE-2022-40151 and add a test case. Closes #314.
5eba8cf
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@joehni joehni

Labels
bug
Projects
None yet
Milestone
1.4.20
Development

Successfully merging a pull request may close this issue.

[CVE-2022-40151] Fix StackOverflowError basil/xstream
5 participants
@joehni @cesarhernandezgt @tedyyu @henryrneh @0roman