Mailinglist Archive: opensuse-bugs (4295 mails)

[Bug 1039064] New: VUL-0: libxml2: stack overflow vulnerability strcat two more characters without checking whether the current strlen(buf) + 2 < size (xmlSnprintfElementContent func in valid.c)
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Mon, 15 May 2017 11:32:31 +0000
  • Message-id: <bug-1039064-21960@http.bugzilla.suse.com/>
http://bugzilla.suse.com/show_bug.cgi?id=1039064


Bug ID: 1039064
Summary: VUL-0: libxml2: stack overflow vulnerability strcat two more characters without checking whether the current strlen(buf) + 2 < size (xmlSnprintfElementContent func in valid.c)
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@xxxxxxx
Reporter: mikhail.kasimov@xxxxxxxxx
QA Contact: qa-bugs@xxxxxxx
Found By: ---
Blocker: ---

Ref: http://seclists.org/oss-sec/2017/q2/258
============================================
+++++++++++++++++++++++++++++++++++++++++++++++
+ BUG 781701 - ANOTHER STACK OVERFLOW in VALID.C
+ https://bugzilla.gnome.org/show_bug.cgi?id=781701
+++++++++++++++++++++++++++++++++++++++++++++++

Here is a quick analysis:
The bug is related to but different from Bug https://bugzilla.gnome.org/show_bug.cgi?id=781333. Function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 < size.

$ ./xmllint --version
/src/libxml2/.libs/lt-xmllint: using libxml version 20904-GITv2.9.4-16-g0741801
compiled with: Threads Tree Output Push Reader Patterns Writer SAXv1 FTP HTTP
DTDValid HTML Legacy C14N Catalog XPath
XPointer XInclude Iconv ISO8859X Unicode Regexps Automata Expr Schemas
Schematron Modules Debug

How to reproduce:
$ ./xmllint --valid bug2.xml
==112703==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffeff6f3428 at pc 0x7fd88f824d3c bp 0x7ffeff6f1fb0 sp 0x7ffeff6f1fa8
WRITE of size 2 at 0x7ffeff6f3428 thread T0
#0 0x7fd88f824d3b in xmlSnprintfElementContent__internal_alias
/src/libxml2/valid.c
#1 0x7fd88f859b8d in xmlValidateElementContent /src/libxml2/valid.c:5447:6
#2 0x7fd88f859b8d in xmlValidateOneElement__internal_alias
/src/libxml2/valid.c:6154
#3 0x7fd89031cd6c in xmlSAX2EndElementNs__internal_alias
/src/libxml2/SAX2.c:2467:24
#4 0x7fd88f63b242 in xmlParseEndTag2 /src/libxml2/parser.c:9930:2
#5 0x7fd88f5fec12 in xmlParseElement__internal_alias
/src/libxml2/parser.c:10292:2
#6 0x7fd88f654709 in xmlParseDocument__internal_alias
/src/libxml2/parser.c:10966:2
#7 0x7fd88f6d3647 in xmlDoRead /src/libxml2/parser.c:15449:5
#8 0x7fd88f6d3647 in xmlCtxtReadFile__internal_alias
/src/libxml2/parser.c:15694
#9 0x559158 in parseAndPrintFile /src/libxml2/xmllint.c:2391:9
#10 0x54b0e4 in main /src/libxml2/xmllint.c:3772:7
#11 0x7fd88e40b82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#12 0x41d0b8 in _start (/src/libxml2/.libs/lt-xmllint+0x41d0b8)

Address 0x7ffeff6f3428 is located in stack of thread T0 at offset 5128 in frame
#0 0x7fd88f852c6f in xmlValidateOneElement__internal_alias
/src/libxml2/valid.c:5945

This frame has 5 object(s):
[32, 82) 'fn.i' (line 5290)
[128, 5128) 'expr.i' (line 5443) <== Memory access at offset 5128
overflows this variable
[5392, 10392) 'list.i' (line 5444)
[10656, 10660) 'extsubset' (line 5952)
[10672, 10722) 'fn' (line 6065)
HINT: this may be a false positive if your program uses some custom
stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /src/libxml2/valid.c
in xmlSnprintfElementContent__internal_alias


============================================
PATCHED BY:
--- a/valid.c
+++ a/valid.c
@@ -1320,6 +1320,7 @@ xmlSnprintfElementContent(char *buf, int size,
xmlElementContentPtr content, int
xmlSnprintfElementContent(buf, size, content->c2, 0);
break;
}
+ if (size - strlen(buf) <= 2) return;
if (englob)
strcat(buf, ")");
switch (content->ocur) {
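Review bot: the added guard `+ if (size - strlen(buf) <= 2) return;` subtracts the `size_t` result of `strlen` from the `int` parameter `size` shown in the hunk header, so the arithmetic is done unsigned; should `buf` ever already be longer than `size`, the difference wraps to a huge value and the guard does not fire. Writing it as `if (strlen(buf) + 2 >= (size_t) size) return;` keeps the same meaning for sane lengths and cannot wrap. The early return also leaves the caller with silently truncated output (still NUL-terminated, since the `strcat` calls are skipped); that is acceptable for a diagnostic string but deserves a one-line comment at the return. Minor: the `+++ a/valid.c` header should read `+++ b/valid.c`.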

============================================

(open-)SUSE: https://software.opensuse.org/package/libxml2

2.9.4 (TW, 42.2, official repo)
2.9.1 (42.1, official repo)

Upstream report -- https://bugzilla.gnome.org/show_bug.cgi?id=781701 -- has
'private' status.

--
You are receiving this mail because:
You are on the CC list for the bug.
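The defect described above is an unchecked strcat() of two trailing characters into a fixed-size stack buffer at the end of a recursive dumper. The following is an added example, not libxml2 code and not from the report: a toy element-content model shaped like libxml2's, a hypothetical bounded_strcat() helper that refuses any append that would not fit together with its terminator, and a dump routine in which every write, including the two trailing bytes, goes through that helper, so a too-small buffer yields truncated but in-bounds output instead of a stack overflow. The sample model, the buffer sizes and the canary harness are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Bounds-checked append (hypothetical helper, not libxml2's): copy `s` and
 * its NUL onto the string in `buf` (capacity `size` bytes). Returns 1 on
 * success, 0 with `buf` unchanged when the result would not fit. */
static int bounded_strcat(char *buf, size_t size, const char *s)
{
    size_t used = strlen(buf), need = strlen(s);
    /* `used >= size` catches an already-overfull buffer; the second test is
     * the libxml2 guard's idea, but carried out in size_t throughout. */
    if (used >= size || size - used <= need)
        return 0;
    memcpy(buf + used, s, need + 1);
    return 1;
}

/* Toy element-content model, shaped like libxml2's but not its types. */
typedef enum { CT_PCDATA, CT_ELEMENT, CT_SEQ, CT_OR } ctype_t;
typedef struct content {
    ctype_t type;
    const char *name;          /* CT_ELEMENT only */
    char ocur;                 /* '\0', '?', '*' or '+' */
    struct content *c1, *c2;   /* CT_SEQ / CT_OR children */
} content_t;

/* Recursively render `c` into `buf`, parenthesised when `englob` is set.
 * Every write, including the two trailing characters the report is about,
 * goes through bounded_strcat(). Returns 1 if the whole model was written,
 * 0 if it was truncated; `buf` stays NUL-terminated either way. */
static int dump_content(char *buf, size_t size, const content_t *c, int englob)
{
    if (englob && !bounded_strcat(buf, size, "(")) return 0;
    switch (c->type) {
    case CT_PCDATA:  if (!bounded_strcat(buf, size, "#PCDATA")) return 0; break;
    case CT_ELEMENT: if (!bounded_strcat(buf, size, c->name)) return 0; break;
    case CT_SEQ:
    case CT_OR: {
        const char *sep = (c->type == CT_SEQ) ? " , " : " | ";
        /* Simplified rule: parenthesise any child that is itself a group. */
        int wrap1 = c->c1->type == CT_SEQ || c->c1->type == CT_OR;
        int wrap2 = c->c2->type == CT_SEQ || c->c2->type == CT_OR;
        if (!dump_content(buf, size, c->c1, wrap1)) return 0;
        if (!bounded_strcat(buf, size, sep)) return 0;
        if (!dump_content(buf, size, c->c2, wrap2)) return 0;
        break;
    }
    }
    /* Tail of the routine: ")" and the occurrence indicator. In unpatched
     * libxml2 these were strcat()'ed here without checking the remaining room. */
    if (englob && !bounded_strcat(buf, size, ")")) return 0;
    if (c->ocur) {
        char oc[2] = { c->ocur, '\0' };
        if (!bounded_strcat(buf, size, oc)) return 0;
    }
    return 1;
}

/* Constructed sample, equivalent to the DTD content model ((a | b)* , c)+,
 * rendered into `buf` (capacity `size`). Returns dump_content's result. */
static int dump_sample(char *buf, size_t size)
{
    content_t a   = { CT_ELEMENT, "a", '\0', NULL, NULL };
    content_t b   = { CT_ELEMENT, "b", '\0', NULL, NULL };
    content_t ab  = { CT_OR,      NULL, '*', &a, &b };
    content_t c   = { CT_ELEMENT, "c", '\0', NULL, NULL };
    content_t seq = { CT_SEQ,     NULL, '+', &ab, &c };
    buf[0] = '\0';
    return dump_content(buf, size, &seq, 1);
}

/* Check harness: render into the first `size` bytes of a larger buffer whose
 * remainder holds a canary, so any overrun past `size` becomes visible. */
static char last_output[64];

static int sample_fits(size_t size)
{
    if (size > sizeof last_output) size = sizeof last_output;
    memset(last_output, 0xAA, sizeof last_output);
    return dump_sample(last_output, size);
}

static int canary_intact(size_t size)
{
    for (size_t i = size; i < sizeof last_output; i++)
        if ((unsigned char)last_output[i] != 0xAA) return 0;
    return 1;
}

int main(void)
{
    size_t sizes[] = { 64, 16, 15, 4 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("size %2zu: %s \"%s\"\n", sizes[i],
               sample_fits(sizes[i]) ? "complete " : "truncated", last_output);
    return 0;
}
```

With 64 or 16 bytes the full model `((a | b)* , c)+` is written; with 15 bytes the last `+` is dropped and with 4 bytes only `((a` survives, and in every case the bytes beyond `size` are untouched. The point of doing the check inside the helper rather than at one call site, as the libxml2 patch does, is that the same mistake cannot recur at the next strcat() added to the routine.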