[Bug 1039069] New: VUL-0: libxml2: heap-based buffer overflow (xmlDictAddString func)
http://bugzilla.suse.com/show_bug.cgi?id=1039069

            Bug ID: 1039069
           Summary: VUL-0: libxml2: heap-based buffer overflow
                    (xmlDictAddString func)
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 42.2
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: mikhail.kasimov@gmail.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

Ref: http://seclists.org/oss-sec/2017/q2/258
============================================

+++++++++++++++++++++++++++++++++++++++++++++++
+ HEAP-BASED BUFFER OVERFLOW IN xmlDictAddString
+ https://bugzilla.gnome.org/show_bug.cgi?id=781361
+++++++++++++++++++++++++++++++++++++++++++++++

Again, we understand that a similar bug report was filed before:
https://bugzilla.gnome.org/show_bug.cgi?id=758605 (CVE-2016-1839)
and fixed about a year ago in git revision a820dbe:
https://git.gnome.org/browse/libxml2/commit/?id=a820dbeac29d330bae4be05d9ecd...
However, this patch was apparently incomplete, as well.
LIBXML version:

$ ./xmllint --version
/src/libxml2/.libs/lt-xmllint: using libxml version 20904-GITv2.9.4-16-g0741801
   compiled with: Threads Tree Output Push Reader Patterns Writer SAXv1 FTP HTTP DTDValid HTML Legacy C14N Catalog XPath XPointer XInclude Iconv ISO8859X Unicode Regexps Automata Expr Schemas Schematron Modules Debug

How to reproduce:

$ ./xmllint --oldxml10 bug4.xml

ASAN says:

=================================================================
==44604==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000030 at pc 0x0000004c1685 bp 0x7ffc15d12290 sp 0x7ffc15d11a40
READ of size 109 at 0x603000000030 thread T0
    #0 0x4c1684 in __asan_memcpy /src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:455
    #1 0x7fa6e0af4b91 in xmlDictAddString /src/libxml2/dict.c:285:5
    #2 0x7fa6e0af4b91 in xmlDictLookup__internal_alias /src/libxml2/dict.c:926
    #3 0x7fa6e0522740 in xmlParseNameComplex /src/libxml2/parser.c
    #4 0x7fa6e0522740 in xmlParseName__internal_alias /src/libxml2/parser.c:3487
    #5 0x7fa6e056afe6 in xmlParseElementDecl__internal_alias /src/libxml2/parser.c:6718:16
    #6 0x7fa6e056d4f0 in xmlParseMarkupDecl__internal_alias /src/libxml2/parser.c:6997:4
    #7 0x7fa6e05abe66 in xmlParseInternalSubset /src/libxml2/parser.c:8482:6
    #8 0x7fa6e05a9ec4 in xmlParseDocument__internal_alias /src/libxml2/parser.c:10930:6
    #9 0x7fa6e05d7bd8 in xmlDoRead /src/libxml2/parser.c:15445:5
    #10 0x7fa6e05d7bd8 in xmlReadFile__internal_alias /src/libxml2/parser.c:15507
    #11 0x521ac8 in parseAndPrintFile /src/libxml2/xmllint.c:2408:9
    #12 0x51872d in main /src/libxml2/xmllint.c:3775:7
    #13 0x7fa6df52a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x41d2b8 in _start (/src/libxml2/.libs/lt-xmllint+0x41d2b8)

0x603000000030 is located 0 bytes to the right of 32-byte region [0x603000000010,0x603000000030)
allocated by thread T0 here:
    #0 0x4d8018 in malloc /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
    #1 0x7fa6e0af4c73 in xmlDictLookup__internal_alias /src/libxml2/dict.c:932:10
    #2 0x7fa6e05793b8 in xmlDetectSAX2 /src/libxml2/parser.c:1078:24
    #3 0x7fa6e05a8a44 in xmlParseDocument__internal_alias /src/libxml2/parser.c:10844:5
    #4 0x7fa6e05d7bd8 in xmlDoRead /src/libxml2/parser.c:15445:5
    #5 0x7fa6e05d7bd8 in xmlReadFile__internal_alias /src/libxml2/parser.c:15507
    #6 0x521ac8 in parseAndPrintFile /src/libxml2/xmllint.c:2408:9
    #7 0x51872d in main /src/libxml2/xmllint.c:3775:7
    #8 0x7fa6df52a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

For the version of libxml that comes pre-installed on Ubuntu 16.04:

$ xmllint --version
xmllint: using libxml version 20903
   compiled with: Threads Tree Output Push Reader Patterns Writer SAXv1 FTP HTTP DTDValid HTML Legacy C14N Catalog XPath XPointer XInclude Iconv ISO8859X Unicode Regexps Automata Expr Schemas Schematron Modules Debug Zlib Lzma

VALGRIND says:

==146420== ERROR SUMMARY: 216 errors from 2 contexts (suppressed: 0 from 0)
==146420==
==146420== 54 errors in context 1 of 2:
==146420== Invalid read of size 1
==146420==    at 0x4C32758: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==146420==    by 0x4F74FBD: ??? (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420==    by 0x4F75C3C: xmlDictLookup (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420==    by 0x4E7C523: xmlParseName (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420==    by 0x4E83B1F: xmlParseElementDecl (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420==    by 0x4E889F4: xmlParseMarkupDecl (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420==    by 0x4E89214: ??? (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420==    by 0x4E8DB4E: xmlParseDocument (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420==    by 0x4E944FF: xmlReadFile (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420==    by 0x111EA3: ??? (in /usr/bin/xmllint)
==146420==    by 0x10EDFE: ??? (in /usr/bin/xmllint)
==146420==    by 0x521582F: (below main) (libc-start.c:291)
==146420==  Address 0x830d378 is 0 bytes after a block of size 104 alloc'd
==146420==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==146420==    by 0x4E735E1: xmlNewInputStream (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420==    by 0x4E75FA3: ??? (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420==    by 0x4E8871F: ??? (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420==    by 0x4E88954: xmlParseMarkupDecl (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420==    by 0x4E89214: ??? (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420==    by 0x4E8DB4E: xmlParseDocument (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420==    by 0x4E944FF: xmlReadFile (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420==    by 0x111EA3: ??? (in /usr/bin/xmllint)
==146420==    by 0x10EDFE: ??? (in /usr/bin/xmllint)
==146420==    by 0x521582F: (below main) (libc-start.c:291)
==146420==
==146420==
==146420== 162 errors in context 2 of 2:
==146420== Invalid read of size 1
==146420==    at 0x4C32766: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==146420==    by 0x4F74FBD: ??? (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420==    by 0x4F75C3C: xmlDictLookup (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420==    by 0x4E7C523: xmlParseName (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420==    by 0x4E83B1F: xmlParseElementDecl (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420==    by 0x4E889F4: xmlParseMarkupDecl (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420==    by 0x4E89214: ??? (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420==    by 0x4E8DB4E: xmlParseDocument (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420==    by 0x4E944FF: xmlReadFile (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420==    by 0x111EA3: ??? (in /usr/bin/xmllint)
==146420==    by 0x10EDFE: ??? (in /usr/bin/xmllint)
==146420==    by 0x521582F: (below main) (libc-start.c:291)
==146420==  Address 0x830d379 is 1 bytes after a block of size 104 alloc'd
==146420==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==146420==    by 0x4E735E1: xmlNewInputStream (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420==    by 0x4E75FA3: ??? (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420==    by 0x4E8871F: ??? (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420==    by 0x4E88954: xmlParseMarkupDecl (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420==    by 0x4E89214: ??? (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420==    by 0x4E8DB4E: xmlParseDocument (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420==    by 0x4E944FF: xmlReadFile (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420==    by 0x111EA3: ??? (in /usr/bin/xmllint)
==146420==    by 0x10EDFE: ??? (in /usr/bin/xmllint)
==146420==    by 0x521582F: (below main) (libc-start.c:291)
==146420==
==146420== ERROR SUMMARY: 216 errors from 2 contexts (suppressed: 0 from 0)
============================================

============================================
PATCHED BY:

--- a/parser.c +++ a/parser.c @@ -3312,6 +3312,7 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { int len = 0, l; int c; int count = 0; + size_t startPosition = 0; #ifdef DEBUG nbParseNameComplex++; @@ -3323,6 +3324,7 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { GROW; if (ctxt->instate == XML_PARSER_EOF) return(NULL); + startPosition = CUR_PTR - BASE_PTR; c = CUR_CHAR(l); if ((ctxt->options & XML_PARSE_OLD10) == 0) { /*
@@ -3420,9 +3422,11 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); return(NULL); } - if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r')) - return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len)); - return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); + + if (BASE_PTR + startPosition + len > ctxt->input->end) + return(NULL); + + return(xmlDictLookup(ctxt->dict, BASE_PTR + startPosition, len)); } /**
============================================

(open-)SUSE: https://software.opensuse.org/package/libxml2
2.9.4 (TW, 42.2, official repo)
2.9.1 (42.1, official repo)

Upstream report -- https://bugzilla.gnome.org/show_bug.cgi?id=781361 -- has 'private' status.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
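Review bot: in the second hunk, `startPosition = CUR_PTR - BASE_PTR;` is taken right after GROW, so the offset stays valid when GROW reallocates the input buffer, but it says nothing about what happens if the input's base is advanced or `ctxt->input` changes before the lookup in the third hunk; the valgrind report above, where the over-read lands just past a block allocated in xmlNewInputStream, is exactly the symptom of the name's start and end being measured against different inputs. Add a comment at this line stating that the name must begin and end in the same input, or carry the `ctxt->input` pointer alongside the offset and compare it at the lookup site, so the assumption the fix rests on is visible and checkable.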
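Review bot: the new bounds check in the third hunk, `if (BASE_PTR + startPosition + len > ctxt->input->end) return(NULL);`, returns without reporting anything, whereas the XML_ERR_NAME_TOO_LONG branch directly above it calls xmlFatalErr first; a caller thus gets a NULL name with no diagnostic and the document not marked ill-formed. Raise an error (XML_ERR_INTERNAL_ERROR at least) before the return. The comparison also forms a pointer beyond the allocation before comparing it; `startPosition + len > (size_t)(ctxt->input->end - BASE_PTR)` avoids that and reads as the offset check it is. Finally, dropping the removed `'\r'`/`'\n'` special case is only justified because the name is now taken from its recorded start rather than computed backwards from `cur`; that rationale belongs in the commit message.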