jq
cpe:2.3:a:jq_project:jq:*:*:*:*:*:*:*
- 1.8.1-dev commit 69785bf
A vulnerability in the jq command-line JSON processor has been identified, specifically in the _strindices builtin. This issue arises in versions after commit 69785bf77f86e2ea1b4a20ca86775916889e91c9. The vulnerability exists because the _strindices builtin directly passes its arguments to the jv_string_indexes() function without verifying that they are strings. The jv_string_indexes() function relies on assert() checks, which are removed in release builds compiled with -DNDEBUG. As a result, an attacker can easily crash jq by using input like _strindices(0). Furthermore, by crafting a numeric value that manipulates the IEEE-754 bit pattern to point to a specific memory address, an attacker can achieve a controlled pointer dereference and a limited memory read or probe capability. This vulnerability affects any deployment that processes untrusted jq filters with a release build.
Exploitation of this vulnerability allows for a crash of the jq process and a controlled pointer dereference, leading to limited memory disclosure. The exit status can be used as a probe to infer mapped or unmapped memory regions.
The vulnerability can be reproduced by calling the _strindices function with a numeric argument, such as 0. This input will cause jq to crash. For the controlled pointer dereference, a crafted double value that corresponds to a desired memory address can be used, exploiting the way jq handles numeric inputs.
Users should update to the patched version of jq, which includes the necessary runtime type checks to prevent this vulnerability. The patched version can be found in the official jq repository.
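As an added illustration, not jq's own code: a hypothetical tagged value type and a simplified _strindices-style lookup that show why an assert()-only type check disappears under -DNDEBUG and what the explicit runtime check in the fix has to look like. The value_t type, find_indexes and the function names are assumptions for this example, not jq's real jv API.

```c
#include <assert.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical tagged value standing in for jq's jv: the number and the
 * string pointer share storage, as in a typical tagged union (not jq's API). */
typedef enum { KIND_NUMBER, KIND_STRING } kind_t;
typedef struct {
    kind_t kind;
    union { double num; const char *str; } u;
} value_t;

static value_t make_num(double d) { value_t v; v.kind = KIND_NUMBER; v.u.num = d; return v; }
static value_t make_str(const char *s) { value_t v; v.kind = KIND_STRING; v.u.str = s; return v; }

/* Byte offsets of every (possibly overlapping) occurrence of needle in hay.
 * Returns the total count; writes at most cap offsets to out. Callers must
 * already have verified that both arguments are strings. */
static size_t find_indexes(const char *hay, const char *needle, size_t *out, size_t cap) {
    size_t hlen = strlen(hay), nlen = strlen(needle), n = 0;
    if (nlen == 0 || nlen > hlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) { if (n < cap) out[n] = i; n++; }
    return n;
}

/* Vulnerable pattern: the only type check is assert(). With -DNDEBUG it is
 * compiled away, and u.str then holds the number's IEEE-754 bit pattern,
 * which would be dereferenced as a char pointer. Kept only for comparison;
 * it is never called here with a non-string value. */
static size_t strindices_assert_only(value_t hay, value_t needle, size_t *out, size_t cap) {
    assert(hay.kind == KIND_STRING && needle.kind == KIND_STRING);
    return find_indexes(hay.u.str, needle.u.str, out, cap);
}

/* Hardened form: an explicit runtime check that survives release builds.
 * Returns -1 on a type mismatch instead of touching the payload. */
static long strindices_checked(value_t hay, value_t needle, size_t *out, size_t cap) {
    if (hay.kind != KIND_STRING || needle.kind != KIND_STRING) return -1;
    return (long)find_indexes(hay.u.str, needle.u.str, out, cap);
}

/* Convenience: n-th match offset via the checked path, or -1 if absent or on type error. */
static long strindices_nth(value_t hay, value_t needle, size_t n) {
    size_t out[64];
    long cnt = strindices_checked(hay, needle, out, 64);
    return (cnt > 0 && n < (size_t)cnt) ? (long)out[n] : -1;
}
```

With the same inputs, jq's own `"a,b, cd, efg, hijk, ab" | indices(", ")` yields [3,7,12,18]; the checked path returns those offsets, while a numeric argument is rejected with -1 rather than reaching the pointer.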