Posted to dev@felix.apache.org by "Henry Lin (Jira)" <ji...@apache.org> on 2023/02/08 17:32:00 UTC
[jira] [Created] (FELIX-6592) Stack overflow finding found by OSS-Fuzz
Henry Lin created FELIX-6592:
--------------------------------
Summary: Stack overflow finding found by OSS-Fuzz
Key: FELIX-6592
URL: https://issues.apache.org/jira/browse/FELIX-6592
Project: Felix
Issue Type: Bug
Reporter: Henry Lin
Attachments: 51725-apache-felix-dev-JSONParserFuzzer.zip
Dear Apache Felix Dev developers,
Fuzzing has found a stack overflow in OSS-Fuzz with JVM Fuzzer Jazzer in Apache Felix Dev. We have reviewed the finding and consider it security-related due to the potential of a denial of service.
Part of the crash stack trace:
== Java Exception: com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow: Stack overflow (use '-Xss921k' to reproduce)
at org.apache.felix.utils.json.JSONParser.parseValue(JSONParser.java:124)
Caused by: java.lang.StackOverflowError
at java.base/java.lang.String.trim(String.java:2681)
at org.apache.felix.utils.json.JSONParser.parseKeyValueListRaw(JSONParser.java:215)
at org.apache.felix.utils.json.JSONParser.parseListValuesRaw(JSONParser.java:278)
at org.apache.felix.utils.json.JSONParser.parseValue(JSONParser.java:123)
at org.apache.felix.utils.json.JSONParser.parseValue(JSONParser.java:124)
at org.apache.felix.utils.json.JSONParser.parseValue(JSONParser.java:124)
...
We have included a reproducer zip which contains a README file that describes how to reproduce the issue.
We would appreciate it if you could take a look at the findings. Do you see a risk that this might be exploited by untrusted input?
OSS-Fuzz Issue: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51725
Hint: The provided OSS-Fuzz Issue links are only accessible if the issue gets fixed or if you are the maintainer of the OSS-Fuzz project.
Fuzz target: https://github.com/google/oss-fuzz/blob/master/projects/apache-felix-dev/JSONParserFuzzer.java
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
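The trace above shows the bug class behind the report: a recursive-descent parser in which every nested array or object costs one stack frame, so sufficiently deep nesting in untrusted input ends in a StackOverflowError rather than a parse error. What follows is an added example, not code from Apache Felix, from the reporter, or from the OSS-Fuzz fuzz target, and it is written in Python rather than the Java of the affected class. It is a minimal JSON parser with an explicit nesting-depth limit next to a demonstration of what happens without one; the `max_depth` parameter, the `DepthExceeded` exception, the helper names and the constructed inputs are all assumptions of this example. CPython's interpreter recursion limit stands in for the JVM thread stack: it raises a catchable RecursionError where the JVM would throw StackOverflowError after actually exhausting the thread stack.

```python
"""Added example (not Apache Felix code): depth-limited recursive-descent JSON
parsing, showing why unbounded recursion on attacker-controlled input is a
denial-of-service risk."""


class DepthExceeded(ValueError):
    """Raised when the input nests deeper than the configured limit."""


class Parser:
    # max_depth is the maximum container nesting accepted; 64 is an arbitrary
    # demonstration default, not a value taken from any project. None means
    # "no application-level limit", i.e. the behaviour in the bug report.
    def __init__(self, text, max_depth=64):
        self.text = text
        self.pos = 0
        self.max_depth = max_depth

    def parse(self):
        value = self.parse_value(0)
        self.skip_ws()
        if self.pos != len(self.text):
            raise ValueError("trailing data at offset %d" % self.pos)
        return value

    def skip_ws(self):
        while self.pos < len(self.text) and self.text[self.pos] in " \t\r\n":
            self.pos += 1

    def _enter(self, depth):
        # The check an unbounded parser lacks: refuse before recursing, so the
        # failure is a clean exception at a known depth instead of a stack
        # overflow at whatever depth the thread stack happens to allow.
        if self.max_depth is not None and depth > self.max_depth:
            raise DepthExceeded("nesting deeper than %d at offset %d"
                                % (self.max_depth, self.pos))

    def parse_value(self, depth):
        self.skip_ws()
        if self.pos >= len(self.text):
            raise ValueError("unexpected end of input")
        c = self.text[self.pos]
        if c == "[":
            return self.parse_array(depth + 1)
        if c == "{":
            return self.parse_object(depth + 1)
        if c == '"':
            return self.parse_string()
        for literal, val in (("true", True), ("false", False), ("null", None)):
            if self.text.startswith(literal, self.pos):
                self.pos += len(literal)
                return val
        return self.parse_number()

    def parse_array(self, depth):
        self._enter(depth)
        self.pos += 1  # consume '['
        items = []
        self.skip_ws()
        if self.text.startswith("]", self.pos):
            self.pos += 1
            return items
        while True:
            items.append(self.parse_value(depth))  # recursion happens here
            self.skip_ws()
            if self.text.startswith(",", self.pos):
                self.pos += 1
                continue
            if self.text.startswith("]", self.pos):
                self.pos += 1
                return items
            raise ValueError("expected ',' or ']' at offset %d" % self.pos)

    def parse_object(self, depth):
        self._enter(depth)
        self.pos += 1  # consume '{'
        obj = {}
        self.skip_ws()
        if self.text.startswith("}", self.pos):
            self.pos += 1
            return obj
        while True:
            self.skip_ws()
            key = self.parse_string()
            self.skip_ws()
            if not self.text.startswith(":", self.pos):
                raise ValueError("expected ':' at offset %d" % self.pos)
            self.pos += 1
            obj[key] = self.parse_value(depth)  # recursion happens here
            self.skip_ws()
            if self.text.startswith(",", self.pos):
                self.pos += 1
                continue
            if self.text.startswith("}", self.pos):
                self.pos += 1
                return obj
            raise ValueError("expected ',' or '}' at offset %d" % self.pos)

    def parse_string(self):
        # Simplified: handles \n \t \r \b \f and "take next char literally";
        # \u escapes are not decoded, which is enough for the depth demo.
        if not self.text.startswith('"', self.pos):
            raise ValueError("expected string at offset %d" % self.pos)
        self.pos += 1
        out = []
        while self.pos < len(self.text):
            c = self.text[self.pos]
            self.pos += 1
            if c == '"':
                return "".join(out)
            if c == "\\":
                if self.pos >= len(self.text):
                    raise ValueError("unterminated escape")
                e = self.text[self.pos]
                self.pos += 1
                out.append({"n": "\n", "t": "\t", "r": "\r",
                            "b": "\b", "f": "\f"}.get(e, e))
            else:
                out.append(c)
        raise ValueError("unterminated string")

    def parse_number(self):
        start = self.pos
        while self.pos < len(self.text) and self.text[self.pos] in "+-0123456789.eE":
            self.pos += 1
        tok = self.text[start:self.pos]
        if not tok:
            raise ValueError("unexpected character at offset %d" % start)
        return float(tok) if any(ch in tok for ch in ".eE") else int(tok)


def parse_json(text, max_depth=64):
    return Parser(text, max_depth).parse()


def nested_arrays(n):
    """Constructed attacker input: n nested empty arrays, e.g. '[[[]]]'."""
    return "[" * n + "]" * n


def classify(text, max_depth):
    """Report how parsing `text` ends: 'ok', 'depth-limit' (the hardened
    behaviour) or 'stack-exhausted' (CPython's RecursionError, the analogue
    of the JVM's StackOverflowError in the report)."""
    try:
        parse_json(text, max_depth)
        return "ok"
    except DepthExceeded:
        return "depth-limit"
    except RecursionError:
        return "stack-exhausted"


if __name__ == "__main__":
    print("unbounded parser on 100000 nested arrays:",
          classify(nested_arrays(100000), None))          # stack-exhausted
    print("depth-limited parser on the same input:",
          classify(nested_arrays(100000), 64))            # depth-limit
    print(parse_json('[1, 2, [3, {"a": true, "b": "x\\"y"}], null, -4.5]'))
```

The limit belongs in the parser's recursion step, not at the call site: a caller cannot know in advance how deeply a byte string nests without parsing it, and the point of the check is to fail at a cost proportional to the limit rather than to the attacker's input. Whatever value is chosen for the limit, it should be far below the nesting the thread stack can actually sustain, which is why the fuzzer's `-Xss921k` hint matters: the stack size is a deployment setting, not something the parser controls.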