Stackoverflow CVE-2022-40151

[henryrneh]

Dear xstream maintainers and users,

the following zip contains crashing input, stacktrace, the fuzz target and all the information needed to reproduce CVE-2022-40151.

Please have a look and contact us if you need more information, thanks.

47367.zip

[0roman]

There seems to be some recursion possible in

xstream/xstream/src/java/com/thoughtworks/xstream/core/TreeUnmarshaller.java

Line 56 in cf61d54

public Object convertAnother(final Object parent, Class<?> type, Converter converter) {

Snippet of the stacktrace of using the crashing input:

== Java Exception: com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow: Stack overflow (use '-Xss921k' to reproduce)
--
  | at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readCompleteItem(AbstractCollectionConverter.java:152)
  | at com.thoughtworks.xstream.converters.collections.ArrayConverter.unmarshal(ArrayConverter.java:57)
  | at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:74)
  | at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:76)
  | at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:68)
  | at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:52)
  | at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readBareItem(AbstractCollectionConverter.java:137)
  | at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readItem(AbstractCollectionConverter.java:122)
  | Caused by: java.lang.StackOverflowError
  | at io.github.xstream.mxparser.MXParser.more(MXParser.java:3088)
  | at io.github.xstream.mxparser.MXParser.parseStartTag(MXParser.java:1742)
  | at io.github.xstream.mxparser.MXParser.nextImpl(MXParser.java:1138)
  | at io.github.xstream.mxparser.MXParser.next(MXParser.java:1104)
  | at com.thoughtworks.xstream.io.xml.XppReader.pullNextEvent(XppReader.java:113)
  | at com.thoughtworks.xstream.io.xml.AbstractPullReader.readRealEvent(AbstractPullReader.java:156)
  | at com.thoughtworks.xstream.io.xml.AbstractPullReader.readEvent(AbstractPullReader.java:143)
  | at com.thoughtworks.xstream.io.xml.AbstractPullReader.hasMoreChildren(AbstractPullReader.java:88)
  | at com.thoughtworks.xstream.io.ReaderWrapper.hasMoreChildren(ReaderWrapper.java:34)
  | at com.thoughtworks.xstream.converters.collections.ArrayConverter.unmarshal(ArrayConverter.java:56)
  | at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:74)
  | at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:76)
  | at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:68)
  | at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:52)
  | at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readBareItem(AbstractCollectionConverter.java:137)
  | at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readItem(AbstractCollectionConverter.java:122)
  | at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readCompleteItem(AbstractCollectionConverter.java:152)
  | at com.thoughtworks.xstream.converters.collections.ArrayConverter.unmarshal(ArrayConverter.java:57)
  | at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:74)
  | at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:76)
  | at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:68)
  | at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:52)
  | at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readBareItem(AbstractCollectionConverter.java:137)
  | at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readItem(AbstractCollectionConverter.java:122)
  | at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readCompleteItem(AbstractCollectionConverter.java:152)
  | at com.thoughtworks.xstream.converters.collections.ArrayConverter.unmarshal(ArrayConverter.java:57)
  | at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:74)
  | at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:76)
  | at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:68)
  | at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:52)
...

[joehni]

@henryrneh: Thanks for providing the test case here, you did not attach it sending the private mail to me.

[tedyyu]

another vulnerability also reported: https://nvd.nist.gov/vuln/detail/CVE-2022-40152
Guess most of us need a new release to fix both...

[joehni]

This report is simply rubbish! #304

[cesarhernandezgt]

@tedyyu

another vulnerability also reported: https://nvd.nist.gov/vuln/detail/CVE-2022-40152 Guess most of us need a new release to fix both...

CVE-2022-40152 is not directly related to stream: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40152.
My recommendation is to check more than one CVE database and catch up with the conversations in the threads, github issues, and mailing list, as pointed out in #304.

[tedyyu]

Thanks for the link, now I get the full picture. @joehni @cesarhernandezgt