제출 #633170: JQ JQ version 1.6 and the newest master. Assertion Failure정보

제목JQ JQ version 1.6 and the newest master. Assertion Failure
설명## Summary During fuzzing of the jq JSON processor, an assertion failure vulnerability was discovered in the test suite's JSON parsing consistency validation mechanism. The vulnerability occurs when processing malformed JSON input containing invalid Unicode escape sequences, leading to inconsistencies between expected and reparsed JSON values during test execution. This vulnerability affects the reliability of jq's internal test framework and indicates potential parsing inconsistencies in JSON serialization and deserialization logic. ## Technical Details - **Vulnerability Type**: Assertion Failure - **Affected Function**: `run_jq_tests` - **Source File**: `jq_test.c` - **Line Number**: 204 - **Signal**: SIGABRT (6) - **Assertion**: `jv_equal(jv_copy(expected), jv_copy(reparsed))` ## Mechanism and Root Cause This assertion failure vulnerability is caused by inconsistencies in JSON parsing and serialization when processing malformed Unicode escape sequences. The root cause lies in the test suite's validation logic where expected and reparsed JSON values do not match after processing invalid input containing Unicode characters. The vulnerability manifests through the following sequence: 1. **Input Processing Phase**: Malformed JSON input containing invalid Unicode sequences is processed by the jq parser 2. **Syntax Error Detection**: JQ parser detects syntax error with `unexpected INVALID_CHARACTER` at column 6 in the input string 3. **Test Suite Execution**: The `run_jq_tests` function in `jq_test.c:40` is invoked to validate parsing consistency 4. **Parsing Validation**: The test framework attempts to validate that expected and reparsed JSON values are equal using `jv_equal(jv_copy(expected), jv_copy(reparsed))` 5. **Assertion Failure**: The comparison fails due to parsing inconsistencies, triggering the assertion at line 204 6. **Program Termination**: The assertion failure causes SIGABRT signal and program termination The call chain demonstrates the vulnerability path: ``` main() → jq_testsuite() → run_jq_tests() → assertion failure at jv_equal() ``` ## Report ``` jq: error: syntax error, unexpected INVALID_CHARACTER, expecting end of file at <top-level>, line 1, column 6. jq: 1 compile error jq: src/jq_test.c:204: void run_jq_tests(jv, int, FILE *, int, int): Assertion `jv_equal(jv_copy(expected), jv_copy(reparsed))' failed. Aborted === GDB BACKTRACE === #0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737349768256) at ./nptl/pthread_kill.c:44 #1 __pthread_kill_internal (signo=6, threadid=140737349768256) at ./nptl/pthread_kill.c:78 #2 __GI___pthread_kill (threadid=140737349768256, signo=signo@entry=6) at ./nptl/pthread_kill.c:89 #3 0x00007ffff7c18476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #4 0x00007ffff7bfe7f3 in __GI_abort () at ./stdlib/abort.c:79 #5 0x00007ffff7bfe71b in __assert_fail_base (fmt=0x7ffff7db3130 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x5555557a4960 <str> "jv_equal(jv_copy(expected), jv_copy(reparsed))", file=0x5555557a4420 <str> "src/jq_test.c", line=204, function=<optimized out>) at ./assert/assert.c:94 #6 0x00007ffff7c0fe96 in __GI___assert_fail (assertion=0x5555557a4960 <str> "jv_equal(jv_copy(expected), jv_copy(reparsed))", file=0x5555557a4420 <str> "src/jq_test.c", line=line@entry=204, function=0x5555557a4440 <__PRETTY_FUNCTION__.run_jq_tests> "void run_jq_tests(jv, int, FILE *, int, int)") at ./assert/assert.c:103 #7 0x000055555568d5de in run_jq_tests (lib_dirs=..., verbose=1, testdata=0x615000000580, skip=-1, take=-1) at src/jq_test.c:204 #8 jq_testsuite (libdirs=..., verbose=<optimized out>, argc=<optimized out>, argv=<optimized out>) at src/jq_test.c:40 #9 0x0000555555666793 in main (argc=9, argv=0x7fffffffe3b8) at src/main.c:523 ``` ## Proof of Concept The vulnerability can be triggered by processing the malformed JSON file provided as `POC_jq_assertion_failure_test_suite_parsing`. This file contains specific Unicode escape sequences that cause parsing inconsistencies in the test framework validation logic. **POC Download**: [Google Drive Link - POC_jq_assertion_failure_test_suite_parsing](https://drive.google.com/file/d/1r8m9PhU_rk-QPj6OMcs415FcvWPD-zJY/view?usp=sharing) ## Reproduction Steps 1. Compile jq with debugging symbols enabled 2. Execute: `jq -c --compact-output --library-path %s%d%x --debug-trace=all --run-tests . POC_jq_assertion_failure_test_suite_parsing` 3. The program will crash with an assertion failure in the test suite validation logic ## Affected Versions JQ version 1.6 and the newest master. **Credit** - Xudong Cao (UCAS) - Yuqing Zhang (UCAS, Zhongguancun Laboratory)
원천⚠️ https://github.com/jqlang/jq/issues/3393
사용자
 xdcao (UID 88377)
제출2025. 08. 12. PM 08:46 (11 개월 ago)
모더레이션2025. 08. 24. PM 05:01 (12 days later)
상태수락
VulDB 항목321239 [jqlang jq 까지 1.6 JSON Parser jq_test.c run_jq_tests 서비스 거부]
포인트들20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!