Heap buffer overflow in cuJSONLinesIterator::gotoArrayIndex #5

@TarekIbnZiad

Environment

  • cuJSON commit: 2ac7d3dcd7ad1ff64ebdb14022bf94c59b3b4953 (branch master)
  • OS: Ubuntu 22.04.5 LTS
  • GPU: NVIDIA A40 (Ampere, sm_86)
  • NVIDIA driver: 590.48.01
  • CUDA toolkit: 13.1 (nvcc V13.1.115)

Component

cuJSON — JSON Lines iterator, cuJSONLinesIterator::gotoArrayIndex (paper_reproduced/src/query/query_iterator.cpp:269-315)

Severity

High (CWE-122, Heap-based Buffer Overflow).

Description

cuJSONLinesIterator::gotoArrayIndex mirrors the standard iterator traversal logic and can advance nextNode beyond the valid parsed structure when an operation sequence requests an invalid array element, producing a host-side heap-buffer-overflow.

Root cause

The JSON Lines iterator shares the standard iterator's traversal logic and likewise lacks bounds checks around nextNode, node, pair_pos, and structural-array accesses. An out-of-range array index drives the iterator past the parsed structure and reads past the heap buffer.

Call path:

harness LLVMFuzzerTestOneInput
  -> cuJSONLinesIterator
  -> cuJSONLinesIterator::gotoArrayIndex   (heap-buffer-overflow)

Impact

Malformed JSON Lines input plus iterator operations can crash the host process and risk adjacent heap access in services that expose iterator navigation.

Reproduction

CUDA_HOME=${CUDA_HOME:-/usr/local/cuda}
nvcc -std=c++17 -arch=native -O2 \
  -I<cujson-src> -I${CUDA_HOME}/include \
  -Xcompiler -fsanitize=address,-fno-omit-frame-pointer \
  llm_harness_cuJSONLinesIterator.cu harness_afl_main.cpp \
  --compiler-bindir g++-13 -L${CUDA_HOME}/lib64 -lcudart \
  -Xlinker -fsanitize=address \
  -o /tmp/cujson_cuJSONLinesIterator_asan.bin

ASAN_OPTIONS=protect_shadow_gap=0:detect_leaks=0 \
  /tmp/cujson_cuJSONLinesIterator_asan.bin trigger.bin

Sanitizer evidence

==3418215==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7b9d4b70457f
SUMMARY: AddressSanitizer: heap-buffer-overflow in cuJSONLinesIterator::gotoArrayIndex(int)

Suggested fix

Add explicit bounds checks around nextNode, node, pair_pos, and structural-array accesses. Reject out-of-range array indices before traversal mutates iterator state.
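As an added illustration of the suggested fix (not code from cuJSON; the node-table layout, the count-prefix encoding and the field names are assumptions for the example), a simplified stand-in for the JSON Lines iterator whose gotoArrayIndex validates every index into the parsed structure before it mutates iterator state:

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical stand-in for cuJSON's parsed structural array (not the project's
// real layout): an array node stores its element count followed by one node
// index per element. A malformed document or a wrong count can make these
// entries point outside the table, which is what the checks below catch.
struct ParsedStructure {
    std::vector<int32_t> nodes;   // flat node table produced by the parser
};

struct LinesIterator {
    const ParsedStructure* ps;
    size_t node;      // index of the current node in ps->nodes
    size_t nextNode;  // node that the next operation will read
};

// Hardened form of the pattern described in the issue: check the requested
// element against the array's element count, check every slot read from the
// node table, and only assign nextNode after all checks pass, so a rejected
// index leaves the iterator exactly where it was.
bool gotoArrayIndexChecked(LinesIterator& it, int index) {
    const std::vector<int32_t>& n = it.ps->nodes;
    if (index < 0) return false;
    if (it.node >= n.size()) return false;                // header slot must exist
    int32_t count = n[it.node];
    if (count < 0 || index >= count) return false;         // out-of-range element
    size_t slot = it.node + 1 + static_cast<size_t>(index);
    if (slot >= n.size()) return false;                    // slot must be inside the table
    int32_t target = n[slot];
    if (target < 0 || static_cast<size_t>(target) >= n.size()) return false; // child index valid
    it.nextNode = static_cast<size_t>(target);             // mutate only after validation
    return true;
}

// Constructed sample: an array node at slot 0 with 2 elements whose child nodes
// live at slots 3 and 4.
ParsedStructure sampleStructure() {
    return ParsedStructure{{2, 3, 4, 10, 20}};
}
```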

Attachments

The following files from this finding are attached:

  • llm_harness_cuJSONLinesIterator.cu
  • harness_afl_main.cpp
  • trigger.bin
  • asan.log

Archive.zip
