jq Stack Overflow Vulnerability in jv_contains Function Allows Denial-of-Service

Vulnerability

A stack overflow vulnerability has been identified in jq, a command-line JSON processor, in versions through 1.8.1. The issue arises in the jv_contains function, which recursively processes nested arrays and objects without a depth limit. This unbounded recursion can exhaust the C stack, causing a denial-of-service condition. Because the JSON parser restricts depth to 10,000 levels, the deeply nested input structure needed to exploit the vulnerability is created programmatically using the reduce function.

Impact

Exploitation of this vulnerability causes a stack overflow, leading to a segmentation fault and a denial-of-service condition. On systems without stack guard pages, the overflow can corrupt heap memory or another thread's stack. In cases where libjq is embedded in larger applications, such an overflow can disrupt heap metadata or affect the stacks of other threads.

Reproduction

The vulnerability can be reproduced by using jq to process a JSON structure that exceeds the maximum depth limit. This can be done by creating a JSON array that contains itself recursively, effectively bypassing the depth restriction imposed by the JSON parser. AddressSanitizer will report a stack overflow error, indicating that the recursion has exceeded the limits of the call stack.
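The depth guard that the unbounded recursion described above lacks, shown as an added C example; this is not jq's code or the project's fix. The node type, the function names and the MAX_DEPTH value (chosen to mirror the parser limit quoted above) are assumptions made for illustration, and the nested inputs are constructed in the program itself.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical minimal value type (not jq's jv): a number leaf or an array. */
typedef struct node {
    int is_array, num;
    size_t len;
    struct node **items;
} node;

#define MAX_DEPTH 10000 /* assumed cap, mirroring the parser limit quoted above */
enum { CONTAINS_TOO_DEEP = -1, CONTAINS_NO = 0, CONTAINS_YES = 1 };

/* Recursive containment with an explicit depth budget: the recursion can
 * never use more than MAX_DEPTH + 2 frames, whatever the input shape. */
int contains_at(const node *a, const node *b, int depth) {
    if (depth > MAX_DEPTH) return CONTAINS_TOO_DEEP; /* fail closed */
    if (a->is_array != b->is_array) return CONTAINS_NO;
    if (!a->is_array) return a->num == b->num;
    for (size_t i = 0; i < b->len; i++) {
        int found = CONTAINS_NO;
        for (size_t j = 0; j < a->len && found == CONTAINS_NO; j++)
            found = contains_at(a->items[j], b->items[i], depth + 1);
        if (found != CONTAINS_YES) return found; /* NO or TOO_DEEP propagates */
    }
    return CONTAINS_YES;
}

int bounded_contains(const node *a, const node *b) { return contains_at(a, b, 0); }

/* Constructed input: the leaf 0 wrapped in `depth` single-element arrays,
 * built iteratively so construction itself uses no recursion. Never freed. */
node *nest(int depth) {
    node *cur = calloc(1, sizeof *cur);
    if (!cur) abort();
    for (int i = 0; i < depth; i++) {
        node *outer = calloc(1, sizeof *outer);
        if (!outer || !(outer->items = malloc(sizeof *outer->items))) abort();
        outer->is_array = 1;
        outer->len = 1;
        outer->items[0] = cur;
        cur = outer;
    }
    return cur;
}
int main(void) {
    printf("depth 100: %d\n", bounded_contains(nest(100), nest(100)));
    printf("depth 200000: %d\n", bounded_contains(nest(200000), nest(200000)));
}
```

A caller that embeds such a check should treat the too-deep result as an error distinct from "not contained", so that oversized input is rejected rather than silently answered.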

Added: May 11, 2026, 6:40 PM
Updated: May 11, 2026, 6:40 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 7.5
exploitability: 5.5
remediation: 0.0
relevance: 8.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.