jq
cpe:2.3:a:jq_project:jq:*:*:*:*:*:*:*
- <= 1.8.1
A signed integer overflow has been identified in the jq command-line JSON processor, affecting versions through 1.8.1. The bytecode virtual machine's data stack tracks its allocation size in a signed integer. When deeply nested generator forks push the stack past roughly 1 GiB, the arithmetic that computes the next stack size overflows and wraps (a 32-bit int holds at most 2^31 - 1, so a further growth step from a stack of that size can exceed it). The wrapped value is then passed to realloc and used as a length in a memmove whose offsets are attacker-influenced.
Exploitation yields a denial of service: the wrapped size makes the allocation fail and jq aborts in a controlled way on its out-of-memory path. More severe outcomes, such as heap corruption, are possible if the wrapped length reaches memmove under specific conditions, although the observed result is the controlled abort.
To reproduce, have jq evaluate a deeply nested generator that grows the VM stack beyond 1 GiB: define a recursive function that calls itself, then consume it through a limiting construct so that evaluation keeps forking new generator frames without ever unwinding the stack. Note that the process must actually be allowed to allocate well over 1 GiB; under a lower address-space or memory limit (for example, a small `ulimit -v`) the allocation fails earlier and the run ends as an ordinary out-of-memory abort before the overflow is reached.
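The following is an added illustration of the bug class described above, not jq's source code: a constructed model of a VM data stack whose allocated size is tracked in a signed int, beside a hardened version that does the arithmetic in size_t with an explicit overflow check and a cap. The doubling growth policy, the 1 GiB cap and every name here are assumptions; the signed multiply is emulated with unsigned arithmetic so the wraparound is deterministic.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the advisory's bug class: a VM data stack whose
 * allocated size lives in a signed int and is grown by doubling. This is
 * illustration code, not jq's source; the doubling policy, the 1 GiB cap
 * and all names are assumptions. */

#define STACK_CAP_BYTES ((size_t)1 << 30)   /* assumed hard limit: 1 GiB */

/* Vulnerable growth arithmetic. Doubling an int past INT_MAX is undefined
 * behaviour in C; it is emulated here with an unsigned multiply and a
 * truncating cast so the wrap is deterministic, which matches what
 * two's-complement toolchains produce in practice. */
int next_size_vulnerable(int old_size) {
    return (int)((unsigned int)old_size * 2u);
}

/* The wrapped (negative) int converted to size_t, i.e. the byte count a
 * realloc() or memmove() call would actually receive. */
size_t realloc_request_vulnerable(int old_size) {
    return (size_t)next_size_vulnerable(old_size);
}

/* Hardened arithmetic: size_t throughout, a pre-multiplication overflow
 * check and a hard cap. Returns the new size, or 0 if growth must be
 * refused (the caller treats 0 as out of memory). */
size_t next_size_checked(size_t old_size) {
    if (old_size > SIZE_MAX / 2)
        return 0;                       /* doubling would overflow size_t */
    size_t n = old_size * 2;
    if (n > STACK_CAP_BYTES)
        return 0;                       /* exceeds the policy limit */
    return n;
}

typedef struct {
    char  *mem;
    size_t size;                        /* bytes currently allocated */
} vm_stack;

/* Grows the stack with the checked arithmetic; -1 means out of memory. */
int stack_grow_checked(vm_stack *s) {
    size_t n = next_size_checked(s->size);
    if (n == 0)
        return -1;
    char *p = realloc(s->mem, n);
    if (p == NULL)
        return -1;                      /* old buffer is still valid */
    s->mem  = p;
    s->size = n;
    return 0;
}

/* Driver: allocate a stack of `initial` bytes, grow it once and return the
 * resulting size (0 if growth was refused or allocation failed). */
size_t stack_grow_demo(size_t initial) {
    vm_stack s = { malloc(initial), initial };
    if (s.mem == NULL)
        return 0;
    size_t result = (stack_grow_checked(&s) == 0) ? s.size : 0;
    free(s.mem);
    return result;
}

int main(void) {
    int one_gib = 1 << 30;              /* the advisory's trigger point */
    printf("vulnerable: %d bytes -> %d (realloc/memmove would see %zu bytes)\n",
           one_gib, next_size_vulnerable(one_gib),
           realloc_request_vulnerable(one_gib));
    printf("checked:    growth from 1 GiB refused = %s\n",
           next_size_checked((size_t)one_gib) == 0 ? "yes" : "no");
    printf("checked:    16-byte stack grows to %zu bytes\n", stack_grow_demo(16));
    return 0;
}
```

The point of the two paths is the type of the size, not the cap: once a negative int is converted to size_t it becomes a value near SIZE_MAX, so the realloc either fails (the controlled abort the advisory describes) or, where the wrapped value is used only as a memmove length, reads and writes far outside the buffer. Doing the arithmetic in size_t and checking before the multiply makes the failure an explicit refusal instead.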