jsmn patch: memory access before allocated block

[chlunde]

jsmn with the strict allocation patch may create memory access out of bounds. A small input example is

cur.log

,""

fluent-bit.conf

[SERVICE]
   Daemon             off
   Parsers_File       conf/parsers.conf

[INPUT]
   Name                tail
   Tag                 kube.*
   Path                cur.log
   Parser              docker

[OUTPUT]
   Name                stdout
   Match               *

Check with valgrind

(cd build; git clean -f -d -x . ; cmake -DCMAKE_BUILD_TYPE=Debug ..) && make -C build
valgrind ./build/bin/fluent-bit -c ./fluent-bit.conf

...
==26233== Invalid read of size 4
==26233==    at 0x62533C: jsmn_string_next_tok (jsmn.c:24)
==26233==    by 0x625C65: jsmn_parse (jsmn.c:348)
==26233==    by 0x440990: json_tokenise (flb_pack.c:43)
==26233==    by 0x440E41: flb_pack_json (flb_pack.c:191)
==26233==    by 0x43B0AE: flb_parser_json_do (flb_parser_json.c:56)
==26233==    by 0x43994A: flb_parser_do (flb_parser.c:554)
==26233==    by 0x449C04: process_content (tail_file.c:217)
==26233==    by 0x44ACE1: flb_tail_file_chunk (tail_file.c:651)
==26233==    by 0x4486D8: in_tail_collect_static (tail.c:129)
==26233==    by 0x42C956: flb_input_collector_fd (flb_input.c:995)
==26233==    by 0x433147: flb_engine_handle_event (flb_engine.c:296)
==26233==    by 0x433147: flb_engine_start (flb_engine.c:515)
==26233==    by 0x41FC79: main (fluent-bit.c:824)
==26233==  Address 0x7bad9bc is 20 bytes before a block of size 5,120 alloc'd
==26233==    at 0x4C2B975: calloc (vg_replace_malloc.c:711)
==26233==    by 0x43FF8C: flb_calloc (flb_mem.h:69)
==26233==    by 0x440F4B: flb_pack_state_init (flb_pack.c:234)
==26233==    by 0x440E17: flb_pack_json (flb_pack.c:187)
==26233==    by 0x43B0AE: flb_parser_json_do (flb_parser_json.c:56)
==26233==    by 0x43994A: flb_parser_do (flb_parser.c:554)
==26233==    by 0x449C04: process_content (tail_file.c:217)
==26233==    by 0x44ACE1: flb_tail_file_chunk (tail_file.c:651)
==26233==    by 0x4486D8: in_tail_collect_static (tail.c:129)
==26233==    by 0x42C956: flb_input_collector_fd (flb_input.c:995)
==26233==    by 0x433147: flb_engine_handle_event (flb_engine.c:296)
==26233==    by 0x433147: flb_engine_start (flb_engine.c:515)
==26233==    by 0x41FC79: main (fluent-bit.c:824)
==26233==

Tested on RHEL 7.5.

Patch

With the following patch, valgrind no longer complains, but I have not studied the source code of jsmn so it might require more to fix this issue, like setting toktype.

diff --git a/lib/jsmn/jsmn.c b/lib/jsmn/jsmn.c
index aaba6a10..61997207 100644
--- a/lib/jsmn/jsmn.c
+++ b/lib/jsmn/jsmn.c
@@ -343,7 +343,7 @@ int jsmn_parse(jsmn_parser *parser, const char *js, size_t len,
                                if (parser->toksuper != -1 && tokens != NULL)
                                        tokens[parser->toksuper].size++;
 #ifdef JSMN_STRICT
-                               if (tokens != NULL) {
+                               if (parser->toksuper != -1 && tokens != NULL) {
                                        parser->toktype = jsmn_string_next_tok
                                                (&tokens[parser->toksuper], parser->toktype);
                                }

[edsiper]

thanks for troubleshooting this issue.

Definitely that's the right fix!, I've tested your case and also I've found that it also solves the main issue reported to jsmn here:

zserge/jsmn#131

since JSMN team is not being responsive I will merge this fix directly in our repo and I would like to ask you if you can submit a PR to them too please.

[edsiper]

I've merged the fix into the repo (with your name as author), I will backport this to 0.13 too.

thanks!