jqlang jq
cpe:2.3:a:jqlang:jq:*:*:*:*:*:*:*
- <= 1.8.1
An integer overflow vulnerability has been identified in jq, a command-line JSON processor, affecting all versions through 1.8.1. The issue is in the string functions jvp_string_append() and jvp_string_copy_replace_bad(): when strings are concatenated and their combined length reaches 2^31 bytes, the 32-bit unsigned arithmetic that computes the size of the new heap buffer wraps around (jvp_string_append() sizes the new buffer to twice the combined length, so 2^31 doubled wraps to a tiny value). The wrapped size causes the heap buffer to be drastically under-allocated, and the memory copy operations that follow write the full string data into that undersized buffer, producing a heap buffer overflow. The weakness is classified as CWE-190 (Integer Overflow or Wraparound) leading to CWE-122 (Heap-based Buffer Overflow). It can be triggered by a crafted jq query that produces extremely large strings, causing a process crash or, through heap corruption, potentially further exploitation.
Exploitation of this vulnerability causes a heap-based buffer overflow, which can lead to memory corruption and potentially allow for arbitrary code execution, depending on the environment and memory allocator.
The vulnerability can be reproduced by using jq to concatenate strings whose total length reaches or exceeds 2^31 bytes, for example by repeating a string until it is just under that limit (such as 2147483646 bytes) and then appending a few more characters; the append triggers the wraparound in the buffer-size calculation. Reproducing it requires well over 2 GB of memory, since the strings themselves must be built before the undersized allocation is reached.
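The buffer-size arithmetic described in the two paragraphs above, modelled as an added C example (this is not jq's source code): unchecked_alloc_size() reproduces the wrapping computation (the combined length, doubled, in uint32_t arithmetic with a small minimum), checked_alloc_size() shows the overflow guard a fix needs, and heap_overrun_bytes() computes how far the subsequent copy would run past the allocation. The helper names, the 32-byte minimum and the sample lengths are illustrative assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example modelling the buffer-size arithmetic described in the
 * advisory. Helper names and the MIN_ALLOC floor are illustrative
 * assumptions, not jq's source. */

#define MIN_ALLOC 32u

/* Vulnerable pattern: size the new buffer to twice the combined length,
 * computed in 32-bit unsigned arithmetic. Once currlen + len reaches 2^31
 * the doubling wraps modulo 2^32 and the result is tiny. */
uint32_t unchecked_alloc_size(uint32_t currlen, uint32_t len) {
    uint32_t allocsz = (currlen + len) * 2;   /* silent wraparound */
    if (allocsz < MIN_ALLOC)
        allocsz = MIN_ALLOC;
    return allocsz;
}

/* Hardened pattern: reject any lengths whose sum, or whose doubled sum,
 * does not fit in uint32_t. Returns 0 on rejection, which is never a
 * valid size because every accepted result is at least MIN_ALLOC. */
uint32_t checked_alloc_size(uint32_t currlen, uint32_t len) {
    if (len > UINT32_MAX - currlen)
        return 0;                        /* currlen + len itself would wrap */
    uint32_t combined = currlen + len;
    if (combined > UINT32_MAX / 2)
        return 0;                        /* combined * 2 would wrap */
    uint32_t allocsz = combined * 2;
    if (allocsz < MIN_ALLOC)
        allocsz = MIN_ALLOC;
    return allocsz;
}

/* Number of bytes a memcpy of currlen + len bytes would write past the end
 * of a buffer sized by unchecked_alloc_size(); 0 when the data fits. The
 * true data size is computed in 64 bits so it cannot wrap. */
uint64_t heap_overrun_bytes(uint32_t currlen, uint32_t len) {
    uint64_t needed = (uint64_t)currlen + (uint64_t)len;
    uint64_t allocated = unchecked_alloc_size(currlen, len);
    return needed > allocated ? needed - allocated : 0;
}

int main(void) {
    /* Constructed lengths matching the advisory's reproduction: a string
     * just under 2^31 bytes plus a short appended suffix. */
    uint32_t currlen = 2147483646u;
    uint32_t len = 10u;

    printf("unchecked size: %u bytes for %llu bytes of data\n",
           unchecked_alloc_size(currlen, len),
           (unsigned long long)currlen + len);
    printf("overrun: %llu bytes past the allocation\n",
           (unsigned long long)heap_overrun_bytes(currlen, len));
    printf("checked size: %u (0 = rejected)\n",
           checked_alloc_size(currlen, len));
    return 0;
}
```

For the advisory's lengths the unchecked computation yields a 32-byte buffer for roughly 2 GB of data, which is the under-allocation the copy then overruns. checked_alloc_size() returns 0 rather than a size so the caller can fail the operation; in a real fix that rejection would surface as an error instead of a silent truncation.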
Users should update to a jq release later than 1.8.1 that includes the fix; the affected range listed above includes 1.8.1 itself.