CVE-2022-24795 - Integer Overflow in yajl-ruby Leads to Heap Memory Corruption in Large Inputs
Yajl-ruby is a popular C binding to the YAJL JSON parsing and generation library. An integer overflow has been found in the yajl code bundled with it (the 1.x and 2.x branches of yajl are both affected), which can lead to heap memory corruption when handling large inputs (around 2GB in size). The impact is mainly to process availability; the maintainers consider arbitrary code execution unlikely. A patch is in the works and is expected to ship in yajl-ruby version 1.4.2. Until then, not passing large inputs to YAJL is the workaround.
The vulnerable growth logic is at yajl_buf.c#L64, where the buffer is doubled until it can hold the pending append. In outline, the size check around that reallocation looks like this (paraphrased, not the verbatim yajl source):
    if (need > ctx->bufSize) {
        /* need is a 32-bit unsigned integer in the 1.x code */
        size_t sz = ctx->bufUsed + need;
        if (sz < ctx->bufUsed) return yajl_buf_ins_error;   /* wrapped sum detected */
        yajl_buf_ensure_available(ctx, sz);
    }
That check only catches a wrapped sum; the value of need itself comes from repeatedly doubling the current allocation, and that doubling has no overflow guard.
When need reaches approximately 0x80000000 (i.e. ~2GB of data), the next doubling overflows the 32-bit integer and it wraps around to 0, so the buffer is reallocated through buf->alloc into a small heap chunk.
These integers are declared as size_t in the 2.x branch of yajl, which practically prevents the issue from triggering on 64-bit platforms. It does not, however, preclude the issue on 32-bit builds, where size_t is a 32-bit integer.
The subsequent copy into this under-allocated heap chunk uses the original append length, so it runs past the end of the chunk and corrupts the heap.
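To make the wraparound concrete without allocating 2GB, here is an added example (not code from yajl or yajl-ruby) that models the 1.x doubling loop with explicit 32-bit arithmetic, so it behaves the same on a 64-bit host. It puts the vulnerable growth rule beside a 64-bit variant (what size_t gives a 64-bit build) and a checked variant that refuses instead of wrapping, and reports whether the copy that follows would overrun the reallocated chunk. Function names and the sample buffer sizes are my own assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not yajl code: a model of the yajl 1.x buffer-growth step.
 * Sizes are forced to uint32_t so the 32-bit wraparound reproduces anywhere.
 * The sample sizes in main() are constructed for illustration.
 */

/* 1.x growth rule: double `need` until want < need - used (the >= keeps one
 * byte for the NUL terminator). With 32-bit sizes, need <<= 1 silently wraps
 * to 0 once need == 0x80000000. Note: if used were 0 when that happens,
 * need - used would be 0 and this loop would spin forever. */
static uint32_t grow_vulnerable(uint32_t len, uint32_t used, uint32_t want)
{
    uint32_t need = len;
    while (want >= (need - used))
        need <<= 1;                       /* no overflow guard */
    return need;
}

/* Same rule with 64-bit sizes: the same inputs simply grow past 4GB. */
static uint64_t grow_64bit(uint64_t len, uint64_t used, uint64_t want)
{
    uint64_t need = len;
    while (want >= (need - used))
        need <<= 1;
    return need;
}

/* Hardened growth: fail the append instead of wrapping.
 * Returns false when doubling would exceed 32 bits. */
static bool grow_checked(uint32_t len, uint32_t used, uint32_t want, uint32_t *out)
{
    uint32_t need = len;
    while (want >= (need - used)) {
        if (need > UINT32_MAX / 2)        /* need <<= 1 would overflow */
            return false;
        need <<= 1;
    }
    *out = need;
    return true;
}

/* True when the chunk the vulnerable path would realloc() to cannot hold
 * the copy that follows (used + want bytes plus the NUL terminator). */
static bool append_would_overflow_chunk(uint32_t len, uint32_t used, uint32_t want)
{
    uint32_t need = grow_vulnerable(len, used, want);
    return (uint64_t)used + want >= need;
}

int main(void)
{
    /* Constructed sample: a 1GiB buffer that is almost full, with a
     * 1.25GiB append pending, i.e. the ~2GB input the advisory describes. */
    const uint32_t len = 0x40000000u, used = 0x3FFFFFF0u, want = 0x50000000u;
    uint32_t safe = 0;

    printf("32-bit need after growth:   0x%08x\n", grow_vulnerable(len, used, want));
    printf("copy would overrun chunk:   %s\n",
           append_would_overflow_chunk(len, used, want) ? "yes" : "no");
    printf("64-bit need after growth:   0x%llx\n",
           (unsigned long long)grow_64bit(len, used, want));
    printf("checked growth accepted:    %s\n",
           grow_checked(len, used, want, &safe) ? "yes" : "no");
    return 0;
}
```

With the sample sizes, the 32-bit rule returns 0 (two doublings: 0x40000000, 0x80000000, then wrap), so the allocator would hand back a minimal chunk and the following copy of 0x50000000 bytes would run far past it; the 64-bit rule returns 0x100000000 and the checked rule refuses the append. The same arithmetic applies to any 32-bit build, which is why the size_t declarations in the 2.x branch only help on 64-bit platforms.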
Original references and exploit details
The maintainers of yajl-ruby provided a detailed description of the issue in their GitHub repository. To receive the latest updates and information about the patch, follow this link:
yajl-ruby GitHub repository - Issue description
The maintainers believe arbitrary code execution is unlikely given the nature of the bug, but they still recommend not passing large inputs to YAJL until the patch is available in version 1.4.2.
Conclusion
Integer overflows in widely used libraries like yajl-ruby typically lead to availability problems and, in some cases, to arbitrary code execution. Keeping up with patches and security advisories for your project's dependencies is essential to their security and reliability. For CVE-2022-24795, follow the original references and update yajl-ruby to version 1.4.2 as soon as it is released.
Timeline
Published on: 04/05/2022 16:15:00 UTC
Last modified on: 04/18/2022 10:05:00 UTC