
I encountered a segmentation fault when processing XML file data with version 1.3.2 of Cereal. Could this be a security vulnerability #805

Open
JohenanLi opened this issue Oct 11, 2023 · 0 comments

This is my tested C++ code:
#include <cereal/archives/xml.hpp>
#include <iostream>   // the posted #include line lost its header name; iostream, sstream and string are what this program uses
#include <sstream>
#include <string>

struct MyData
{
    bool b;
    double d;

    template <class Archive>
    void serialize( Archive & ar )
    {
        ar( b, d );
    }
};

int main()
{
    int i1, i2, i3, i4;
    MyData md;
    std::string xmlData;
    std::string line;
    while (std::getline(std::cin, line)) {
        xmlData += line + "\n"; // append each line to xmlData
    }
    std::cout << xmlData << std::endl;
    std::stringstream ss(xmlData);
    cereal::XMLInputArchive ar(ss);
    // std::ifstream is("data.xml");
    // cereal::XMLInputArchive ar(is);

    // NVP doesn't match expected value, perform a search
    ar( cereal::make_nvp("myData", md) );

    ar( i4 );                           // cereal continues from node it found using search
    ar( cereal::make_nvp("var1", i1) ); // new search re-positions at node var1
    ar( i2, i3 );                       // continue from location of last search
                                        // next value read would be 'myData'

    return 0;
}

After enabling ASAN, I received the following error. I'm not sure if it's a security vulnerability.

AddressSanitizer:DEADLYSIGNAL

==62609==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x55b157fbfc04 bp 0x7ffd68d98060 sp 0x7ffd68d97ea0 T0)
==62609==The signal is caused by a READ memory access.
==62609==Hint: address points to the zero page.
    #0 0x55b157fbfc04 in cereal::XMLInputArchive::NodeInfo::NodeInfo(cereal::rapidxml::xml_node<char>*) /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/../include/cereal/archives/xml.hpp
    #1 0x55b157fbfc04 in void __gnu_cxx::new_allocator<cereal::XMLInputArchive::NodeInfo>::construct<cereal::XMLInputArchive::NodeInfo, cereal::rapidxml::xml_node<char>*&>(cereal::XMLInputArchive::NodeInfo*, cereal::rapidxml::xml_node<char>*&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/ext/new_allocator.h:162:23
    #2 0x55b157fbfc04 in void std::allocator_traits<std::allocator<cereal::XMLInputArchive::NodeInfo> >::construct<cereal::XMLInputArchive::NodeInfo, cereal::rapidxml::xml_node<char>*&>(std::allocator<cereal::XMLInputArchive::NodeInfo>&, cereal::XMLInputArchive::NodeInfo*, cereal::rapidxml::xml_node<char>*&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/alloc_traits.h:516:8
    #3 0x55b157fbfc04 in void std::deque<cereal::XMLInputArchive::NodeInfo, std::allocator<cereal::XMLInputArchive::NodeInfo> >::emplace_back<cereal::rapidxml::xml_node<char>*&>(cereal::rapidxml::xml_node<char>*&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/deque.tcc:170:6
    #4 0x55b157fbfc04 in void std::stack<cereal::XMLInputArchive::NodeInfo, std::deque<cereal::XMLInputArchive::NodeInfo, std::allocator<cereal::XMLInputArchive::NodeInfo> > >::emplace<cereal::rapidxml::xml_node<char>*&>(cereal::rapidxml::xml_node<char>*&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/stl_stack.h:256:6
    #5 0x55b157fbfc04 in cereal::XMLInputArchive::startNode() /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/../include/cereal/archives/xml.hpp:504:18
    #6 0x55b157fc0f6e in void cereal::prologue<double, (cereal::traits::detail::sfinae)0>(cereal::XMLInputArchive&, double const&) /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/../include/cereal/archives/xml.hpp:862:8
    #7 0x55b157fc0f6e in void cereal::InputArchive<cereal::XMLInputArchive, 0u>::process<double&>(double&) /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/../include/cereal/cereal.hpp:852:9
    #8 0x55b157fc0f6e in void cereal::InputArchive<cereal::XMLInputArchive, 0u>::process<bool&, double&>(bool&, double&) /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/../include/cereal/cereal.hpp:862:9
    #9 0x55b157fbf311 in cereal::XMLInputArchive& cereal::InputArchive<cereal::XMLInputArchive, 0u>::operator()<bool&, double&>(bool&, double&) /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/../include/cereal/cereal.hpp:730:9
    #10 0x55b157fbf311 in void MyData::serialize<cereal::XMLInputArchive>(cereal::XMLInputArchive&) /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/xml_fuzz.cc:12:5
    #11 0x55b157fbf311 in decltype(fp0.serialize(fp)) cereal::access::member_serialize<cereal::XMLInputArchive, MyData>(cereal::XMLInputArchive&, MyData&) /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/../include/cereal/access.hpp:246:18
    #12 0x55b157fbf311 in cereal::XMLInputArchive& cereal::InputArchive<cereal::XMLInputArchive, 0u>::processImpl<MyData, (cereal::traits::detail::sfinae)0>(MyData&) /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/../include/cereal/cereal.hpp:917:9
    #13 0x55b157fbf311 in void cereal::InputArchive<cereal::XMLInputArchive, 0u>::process<MyData&>(MyData&) /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/../include/cereal/cereal.hpp:853:15
    #14 0x55b157fbf311 in cereal::XMLInputArchive& cereal::InputArchive<cereal::XMLInputArchive, 0u>::operator()<MyData&>(MyData&) /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/../include/cereal/cereal.hpp:730:9
    #15 0x55b157fbf311 in void cereal::load<MyData&>(cereal::XMLInputArchive&, cereal::NameValuePair<MyData&>&) /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/../include/cereal/archives/xml.hpp:902:5
    #16 0x55b157fb16af in cereal::XMLInputArchive& cereal::InputArchive<cereal::XMLInputArchive, 0u>::processImpl<cereal::NameValuePair<MyData&>, (cereal::traits::detail::sfinae)0>(cereal::NameValuePair<MyData&>&) /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/../include/cereal/cereal.hpp:941:9
    #17 0x55b157fb16af in void cereal::InputArchive<cereal::XMLInputArchive, 0u>::process<cereal::NameValuePair<MyData&> >(cereal::NameValuePair<MyData&>&&) /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/../include/cereal/cereal.hpp:853:15
    #18 0x55b157fb16af in cereal::XMLInputArchive& cereal::InputArchive<cereal::XMLInputArchive, 0u>::operator()<cereal::NameValuePair<MyData&> >(cereal::NameValuePair<MyData&>&&) /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/../include/cereal/cereal.hpp:730:9
    #19 0x55b157fb16af in main /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/xml_fuzz.cc:32:5
    #20 0x7fe8a85cdd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #21 0x7fe8a85cde3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #22 0x55b157ef08c4 in _start (/home/liyuweiheng/fuzz_target/linux_program/cereal/poc/xml-fuzz+0x218c4) (BuildId: 28b568b61fb8dd21a422583f1ad458817291bf74)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/../include/cereal/archives/xml.hpp in cereal::XMLInputArchive::NodeInfo::NodeInfo(cereal::rapidxml::xml_node<char>*)
==62609==ABORTING
The content of the "data.xml" file is as follows:

4 32 64 t���������������������������.24 128

All files are attached.
data.zip
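What the trace shows, and an added example that is not part of the report above and not cereal's own code. Frame #0 faults inside NodeInfo's constructor on a read from address 0x30, a small offset from a null pointer, reached through startNode() while prologue<double> begins the read of the second member of MyData. Read together with the posted serialize() (two positional reads, b then d, with no NVP names), this is consistent with the archive running out of child nodes under myData and constructing a NodeInfo from a null node; that is an inference from the trace, not something the report states. For a deserializer fed attacker-controlled XML, a null read of this kind is a reliable crash, i.e. denial of service; nothing in the trace indicates a write or an attacker-controlled address. The model below reproduces the cursor logic with a hypothetical Node type standing in for rapidxml::xml_node<char> and a constructed two-element document, and shows the check that turns a document shorter than serialize() expects into a catchable exception instead of a null dereference:

```cpp
// Added example, not cereal's code: a minimal model of an XML input archive's
// node cursor. It shows where a null child pointer would be dereferenced when the
// document has fewer children than serialize() asks for, and the check that
// reports that condition instead of crashing.
#include <iostream>
#include <stdexcept>
#include <stack>
#include <string>
#include <vector>

// Hypothetical stand-in for rapidxml::xml_node<char>: name, text value,
// first-child and next-sibling links.
struct Node {
    std::string name;
    std::string value;
    Node* firstChild = nullptr;
    Node* nextSibling = nullptr;
};

// Per-level bookkeeping in the spirit of the archive's NodeInfo: the node we
// are inside and the child that the next positional read will consume.
// In the issue's trace, frame #0 is a constructor of this shape being handed a
// null node and reading through it. Here the caller guarantees n is non-null.
struct NodeInfo {
    Node* node;
    Node* child;
    explicit NodeInfo(Node* n) : node(n), child(n->firstChild) {}
};

class ModelArchive {
public:
    explicit ModelArchive(Node* root) { nodes_.emplace(root); }

    // Hardened startNode(): when the current level has no child left, throw
    // instead of pushing NodeInfo(nullptr). With an NVP name the archive can
    // search for the expected node; a positional read has nothing to search
    // for, so this check is all that stands between short input and a crash.
    void startNode() {
        Node* next = nodes_.top().child;
        if (next == nullptr)
            throw std::runtime_error("XML input ended early: no child left under <" +
                                     nodes_.top().node->name + ">");
        nodes_.emplace(next);
    }

    // Leave the node just read and advance the parent's cursor to its sibling.
    void finishNode() {
        Node* done = nodes_.top().node;
        nodes_.pop();
        nodes_.top().child = done->nextSibling;
    }

    // One positional read of a leaf value, as prologue/load/epilogue would do.
    std::string loadValue() {
        startNode();
        std::string v = nodes_.top().node->value;
        finishNode();
        return v;
    }

private:
    std::stack<NodeInfo> nodes_;
};

// Equivalent of MyData::serialize reading b and d positionally.
std::vector<std::string> loadTwoValues(Node* myData) {
    ModelArchive ar(myData);
    std::vector<std::string> out;
    out.push_back(ar.loadValue());
    out.push_back(ar.loadValue());
    return out;
}

// Constructed input (not the attached data.xml):
//   complete: <myData><value0>true</value0><value1>3.5</value1></myData>
//   short:    <myData><value0>true</value0></myData>
struct MyDataDoc {
    Node value0{"value0", "true"};
    Node value1{"value1", "3.5"};
    Node myData{"myData", ""};
    explicit MyDataDoc(bool complete) {
        myData.firstChild = &value0;
        if (complete) value0.nextSibling = &value1;
    }
};

std::vector<std::string> loadCompleteInput() {
    MyDataDoc doc(true);
    return loadTwoValues(&doc.myData);
}

// True when the short document is rejected with an exception rather than read past its end.
bool shortInputIsRejected() {
    MyDataDoc doc(false);
    try {
        loadTwoValues(&doc.myData);
    } catch (const std::runtime_error&) {
        return true;
    }
    return false;
}

int main() {
    for (const std::string& v : loadCompleteInput())
        std::cout << "read: " << v << "\n";
    std::cout << "short input rejected: " << (shortInputIsRejected() ? "yes" : "no") << "\n";
    return 0;
}
```

Build with `g++ -std=c++14 -fsanitize=address -g model.cpp` to keep ASAN in the loop; the point of the model is that the short document produces a std::runtime_error the caller can catch, which is the behaviour a deserializer handling untrusted XML needs, whereas the trace above shows the same condition ending in a signal.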
