janet-lang janet
- <= 1.41.0
A signed integer overflow vulnerability has been identified in the Janet programming language, affecting versions up to and including 1.41.0. The issue lies in the 'unmarshal_one_fiber' function in 'src/core/marsh.c', where attacker-controlled serialized (marshalled) data can drive an allocation-size computation into signed integer overflow. The vulnerability is exploitable locally and results in allocation-size corruption. It has been publicly disclosed, and a patch is available.
Exploitation of this vulnerability triggers a signed integer overflow whose impact depends on the target architecture. On 64-bit systems, the overflowed value becomes an allocation request of approximately 18 exabytes, which fails and causes a denial-of-service condition. On 32-bit systems, the overflow produces an undersized allocation, resulting in a heap buffer overflow that can be exploited to execute arbitrary code.
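The following is an added illustration of the bug class described above, written for this page; it is a constructed model, not Janet's own unmarshal code, and the element size, function names and the width parameter are assumptions. It shows how a 32-bit signed product derived from untrusted serialized data turns into a huge request on 64-bit targets and a truncated one on 32-bit targets, next to a checked version that rejects the input.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Constructed model of an allocation size derived from an untrusted element
 * count in serialized data (hypothetical; not Janet's own marsh.c code). */
#define ELEM_SIZE 16u

/* Unchecked computation: the count is read as int32_t and multiplied in 32-bit
 * arithmetic, then the (possibly negative) result is converted to size_t.
 * ptr_bits (32 or 64) emulates the size_t width of the target. The wrap is done
 * with unsigned arithmetic so this model itself has defined behaviour; the
 * uint32_t -> int32_t conversion assumes two's complement. */
uint64_t alloc_size_unchecked(int32_t count, unsigned ptr_bits) {
    int32_t bytes = (int32_t)((uint32_t)count * ELEM_SIZE);   /* wraps */
    uint64_t as_size = (uint64_t)(int64_t)bytes;              /* like (size_t)int */
    return ptr_bits == 64 ? as_size : (as_size & 0xFFFFFFFFu);
}

/* The number of bytes the same count actually requires (no overflow). */
uint64_t alloc_size_expected(int32_t count) {
    return count < 0 ? 0 : (uint64_t)count * ELEM_SIZE;
}

/* Checked computation: reject negative counts, multiply with overflow detection
 * in size_t (GCC/Clang builtin), and cap the result at a policy limit. */
bool alloc_size_checked(int32_t count, size_t max_bytes, size_t *out) {
    if (count < 0) return false;
    size_t bytes;
    if (__builtin_mul_overflow((size_t)count, (size_t)ELEM_SIZE, &bytes)) return false;
    if (bytes > max_bytes) return false;
    *out = bytes;
    return true;
}

/* Convenience wrapper: the checked size, or UINT64_MAX when input is rejected. */
uint64_t checked_or_reject(int32_t count, size_t max_bytes) {
    size_t out;
    return alloc_size_checked(count, max_bytes, &out) ? (uint64_t)out : UINT64_MAX;
}
```

With a count of 134217728 (0x08000000) the unchecked product is 0x80000000, which is INT32_MIN as a signed 32-bit value; converted to size_t it becomes 0xFFFFFFFF80000000 (about 18.4 exabytes) on a 64-bit target, while the checked version simply rejects the count.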
The vulnerability can be reproduced by having the Janet interpreter unmarshal a crafted binary file that triggers the integer overflow. Build Janet with the address and undefined behavior sanitizers enabled, then run the 'janet' command so that it calls the 'unmarshal' function on the contents of the crafted file, passing the file's path as an argument; the sanitizers report the overflow and the resulting bad allocation.
Users should update to the patched version of Janet, which is available on the official GitHub repository.