提出 #633170: JQ JQ version 1.6 and the newest master. Assertion Failure情報

タイトルJQ JQ version 1.6 and the newest master. Assertion Failure
説明## Summary During fuzzing of the jq JSON processor, an assertion failure vulnerability was discovered in the test suite's JSON parsing consistency validation mechanism. The vulnerability occurs when processing malformed JSON input containing invalid Unicode escape sequences, leading to inconsistencies between expected and reparsed JSON values during test execution. This vulnerability affects the reliability of jq's internal test framework and indicates potential parsing inconsistencies in JSON serialization and deserialization logic. ## Technical Details - **Vulnerability Type**: Assertion Failure - **Affected Function**: `run_jq_tests` - **Source File**: `jq_test.c` - **Line Number**: 204 - **Signal**: SIGABRT (6) - **Assertion**: `jv_equal(jv_copy(expected), jv_copy(reparsed))` ## Mechanism and Root Cause This assertion failure vulnerability is caused by inconsistencies in JSON parsing and serialization when processing malformed Unicode escape sequences. The root cause lies in the test suite's validation logic where expected and reparsed JSON values do not match after processing invalid input containing Unicode characters. The vulnerability manifests through the following sequence: 1. **Input Processing Phase**: Malformed JSON input containing invalid Unicode sequences is processed by the jq parser 2. **Syntax Error Detection**: JQ parser detects syntax error with `unexpected INVALID_CHARACTER` at column 6 in the input string 3. **Test Suite Execution**: The `run_jq_tests` function in `jq_test.c:40` is invoked to validate parsing consistency 4. **Parsing Validation**: The test framework attempts to validate that expected and reparsed JSON values are equal using `jv_equal(jv_copy(expected), jv_copy(reparsed))` 5. **Assertion Failure**: The comparison fails due to parsing inconsistencies, triggering the assertion at line 204 6. **Program Termination**: The assertion failure causes SIGABRT signal and program termination The call chain demonstrates the vulnerability path: ``` main() → jq_testsuite() → run_jq_tests() → assertion failure at jv_equal() ``` ## Report ``` jq: error: syntax error, unexpected INVALID_CHARACTER, expecting end of file at <top-level>, line 1, column 6. jq: 1 compile error jq: src/jq_test.c:204: void run_jq_tests(jv, int, FILE *, int, int): Assertion `jv_equal(jv_copy(expected), jv_copy(reparsed))' failed. Aborted === GDB BACKTRACE === #0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737349768256) at ./nptl/pthread_kill.c:44 #1 __pthread_kill_internal (signo=6, threadid=140737349768256) at ./nptl/pthread_kill.c:78 #2 __GI___pthread_kill (threadid=140737349768256, signo=signo@entry=6) at ./nptl/pthread_kill.c:89 #3 0x00007ffff7c18476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #4 0x00007ffff7bfe7f3 in __GI_abort () at ./stdlib/abort.c:79 #5 0x00007ffff7bfe71b in __assert_fail_base (fmt=0x7ffff7db3130 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x5555557a4960 <str> "jv_equal(jv_copy(expected), jv_copy(reparsed))", file=0x5555557a4420 <str> "src/jq_test.c", line=204, function=<optimized out>) at ./assert/assert.c:94 #6 0x00007ffff7c0fe96 in __GI___assert_fail (assertion=0x5555557a4960 <str> "jv_equal(jv_copy(expected), jv_copy(reparsed))", file=0x5555557a4420 <str> "src/jq_test.c", line=line@entry=204, function=0x5555557a4440 <__PRETTY_FUNCTION__.run_jq_tests> "void run_jq_tests(jv, int, FILE *, int, int)") at ./assert/assert.c:103 #7 0x000055555568d5de in run_jq_tests (lib_dirs=..., verbose=1, testdata=0x615000000580, skip=-1, take=-1) at src/jq_test.c:204 #8 jq_testsuite (libdirs=..., verbose=<optimized out>, argc=<optimized out>, argv=<optimized out>) at src/jq_test.c:40 #9 0x0000555555666793 in main (argc=9, argv=0x7fffffffe3b8) at src/main.c:523 ``` ## Proof of Concept The vulnerability can be triggered by processing the malformed JSON file provided as `POC_jq_assertion_failure_test_suite_parsing`. This file contains specific Unicode escape sequences that cause parsing inconsistencies in the test framework validation logic. **POC Download**: [Google Drive Link - POC_jq_assertion_failure_test_suite_parsing](https://drive.google.com/file/d/1r8m9PhU_rk-QPj6OMcs415FcvWPD-zJY/view?usp=sharing) ## Reproduction Steps 1. Compile jq with debugging symbols enabled 2. Execute: `jq -c --compact-output --library-path %s%d%x --debug-trace=all --run-tests . POC_jq_assertion_failure_test_suite_parsing` 3. The program will crash with an assertion failure in the test suite validation logic ## Affected Versions JQ version 1.6 and the newest master. **Credit** - Xudong Cao (UCAS) - Yuqing Zhang (UCAS, Zhongguancun Laboratory)
ソース⚠️ https://github.com/jqlang/jq/issues/3393
ユーザー
 xdcao (UID 88377)
送信2025年08月12日 20:46 (11 月 ago)
モデレーション2025年08月24日 17:01 (12 days later)
ステータス承諾済み
VulDBエントリ321239 [jqlang jq 迄 1.6 JSON Parser jq_test.c run_jq_tests サービス拒否]
ポイント20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!