
Out of memory found by OSS-Fuzz (Issue 56774) #863

Closed
henryrneh opened this issue Sep 8, 2023 · 2 comments
henryrneh commented Sep 8, 2023

Dear jline3 maintainers,

Fuzzing has found an out-of-memory issue in OSS-Fuzz with the JVM fuzzer Jazzer in jline3. We have reviewed the finding and regarded it as security-related due to the potential for a denial of service.

The out-of-memory error is triggered at this line while running in a loop.
We would appreciate it if you could take a look at the finding. Do you see a risk that this might be exploited by untrusted input?

Part of the stack trace:
== Java Exception: com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow: Out of memory (use '-Xmx1710m' to reproduce)
Caused by: java.lang.OutOfMemoryError: Java heap space
 at java.base/java.lang.Object.clone(Native Method)
 at org.jline.reader.impl.BufferImpl.<init>(BufferImpl.java:42)
 at org.jline.reader.impl.BufferImpl.copy(BufferImpl.java:48)
 at org.jline.reader.impl.BufferImpl.copy(BufferImpl.java:22)
 at org.jline.reader.impl.LineReaderImpl.readLine(LineReaderImpl.java:699)
 at org.jline.reader.impl.LineReaderImpl.readLine(LineReaderImpl.java:518)
 at org.jline.reader.impl.LineReaderImpl.readLine(LineReaderImpl.java:489)
 at LineReaderFuzzer.fuzzerTestOneInput(LineReaderFuzzer.java:66)
 at java.base/java.lang.invoke.LambdaForm$DMH/0x0000000800b94c40.invokeStatic(LambdaForm$DMH)
 at java.base/java.lang.invoke.LambdaForm$MH/0x0000000800bf6840.invoke(LambdaForm$MH)
 at java.base/java.lang.invoke.LambdaForm$MH/0x0000000800bf7040.invoke_MT(LambdaForm$MH)
...

We have added a reproducer zip which contains a README that describes how to reproduce the issue.
Reproducer zip: https://drive.google.com/file/d/1Yfb5zH7i8-xgPg1W8Sz-3hmuPA2DA2be/view?usp=sharing

Fuzz target: https://github.com/google/oss-fuzz/blob/master/projects/jline3/LineReaderFuzzer.java

OSS-Fuzz issue: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56774
Hint: The provided OSS-Fuzz Issue link is only accessible if the issue is fixed or you are the maintainer of the OSS-Fuzz project.

Best regards,
Henry

gnodet (Member) commented Oct 17, 2023

Do you have a macOS arm64 (or amd64) binary for the jazzer executable?

henryrneh (Author) commented Oct 20, 2023

@gnodet Yes, we have; I created a new macOS version of the reproducer.

Or you can also download it from our GitHub.

Feel free to let me know if there are any more questions.
