Mailinglist Archive: opensuse-bugs (4295 mails)

[Bug 1039069] New: VUL-0: libxml2: heap-based buffer overflow (xmlDictAddString func)
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Mon, 15 May 2017 11:43:15 +0000
  • Message-id: <bug-1039069-21960@http.bugzilla.suse.com/>
http://bugzilla.suse.com/show_bug.cgi?id=1039069


Bug ID: 1039069
Summary: VUL-0: libxml2: heap-based buffer overflow (xmlDictAddString func)
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@xxxxxxx
Reporter: mikhail.kasimov@xxxxxxxxx
QA Contact: qa-bugs@xxxxxxx
Found By: ---
Blocker: ---

Ref: http://seclists.org/oss-sec/2017/q2/258
============================================
+++++++++++++++++++++++++++++++++++++++++++++++
+ HEAP-BASED BUFFER OVERFLOW IN xmlDictAddString
+ https://bugzilla.gnome.org/show_bug.cgi?id=781361
+++++++++++++++++++++++++++++++++++++++++++++++

Again, we understand that a similar bug report was filed before:
https://bugzilla.gnome.org/show_bug.cgi?id=758605 (CVE-2016-1839)
and fixed about a year ago in git revision a820dbe:
https://git.gnome.org/browse/libxml2/commit/?id=a820dbeac29d330bae4be05d9ecd939ad6b4aa33

However, this patch was apparently incomplete, as well.

LIBXML version:
$ ./xmllint --version
/src/libxml2/.libs/lt-xmllint: using libxml version 20904-GITv2.9.4-16-g0741801
compiled with: Threads Tree Output Push Reader Patterns Writer SAXv1 FTP HTTP
DTDValid HTML Legacy C14N Catalog XPath
XPointer XInclude Iconv ISO8859X Unicode Regexps Automata Expr Schemas
Schematron Modules Debug

How to reproduce:
$ ./xmllint --oldxml10 bug4.xml

ASAN says:
=================================================================
==44604==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000030 at pc 0x0000004c1685 bp 0x7ffc15d12290 sp 0x7ffc15d11a40
READ of size 109 at 0x603000000030 thread T0
#0 0x4c1684 in __asan_memcpy /src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:455
#1 0x7fa6e0af4b91 in xmlDictAddString /src/libxml2/dict.c:285:5
#2 0x7fa6e0af4b91 in xmlDictLookup__internal_alias /src/libxml2/dict.c:926
#3 0x7fa6e0522740 in xmlParseNameComplex /src/libxml2/parser.c
#4 0x7fa6e0522740 in xmlParseName__internal_alias /src/libxml2/parser.c:3487
#5 0x7fa6e056afe6 in xmlParseElementDecl__internal_alias /src/libxml2/parser.c:6718:16
#6 0x7fa6e056d4f0 in xmlParseMarkupDecl__internal_alias /src/libxml2/parser.c:6997:4
#7 0x7fa6e05abe66 in xmlParseInternalSubset /src/libxml2/parser.c:8482:6
#8 0x7fa6e05a9ec4 in xmlParseDocument__internal_alias /src/libxml2/parser.c:10930:6
#9 0x7fa6e05d7bd8 in xmlDoRead /src/libxml2/parser.c:15445:5
#10 0x7fa6e05d7bd8 in xmlReadFile__internal_alias /src/libxml2/parser.c:15507
#11 0x521ac8 in parseAndPrintFile /src/libxml2/xmllint.c:2408:9
#12 0x51872d in main /src/libxml2/xmllint.c:3775:7
#13 0x7fa6df52a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#14 0x41d2b8 in _start (/src/libxml2/.libs/lt-xmllint+0x41d2b8)

0x603000000030 is located 0 bytes to the right of 32-byte region [0x603000000010,0x603000000030)
allocated by thread T0 here:
#0 0x4d8018 in malloc /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
#1 0x7fa6e0af4c73 in xmlDictLookup__internal_alias /src/libxml2/dict.c:932:10
#2 0x7fa6e05793b8 in xmlDetectSAX2 /src/libxml2/parser.c:1078:24
#3 0x7fa6e05a8a44 in xmlParseDocument__internal_alias /src/libxml2/parser.c:10844:5
#4 0x7fa6e05d7bd8 in xmlDoRead /src/libxml2/parser.c:15445:5
#5 0x7fa6e05d7bd8 in xmlReadFile__internal_alias /src/libxml2/parser.c:15507
#6 0x521ac8 in parseAndPrintFile /src/libxml2/xmllint.c:2408:9
#7 0x51872d in main /src/libxml2/xmllint.c:3775:7
#8 0x7fa6df52a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)


For the version of libxml that comes pre-installed on Ubuntu 16.04:
$ xmllint --version
xmllint: using libxml version 20903
compiled with: Threads Tree Output Push Reader Patterns Writer SAXv1 FTP HTTP
DTDValid HTML Legacy C14N Catalog XPath
XPointer XInclude Iconv ISO8859X Unicode Regexps Automata Expr Schemas
Schematron Modules Debug Zlib Lzma

VALGRIND says:
==146420== ERROR SUMMARY: 216 errors from 2 contexts (suppressed: 0 from 0)
==146420==
==146420== 54 errors in context 1 of 2:
==146420== Invalid read of size 1
==146420== at 0x4C32758: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==146420== by 0x4F74FBD: ??? (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420== by 0x4F75C3C: xmlDictLookup (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420== by 0x4E7C523: xmlParseName (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420== by 0x4E83B1F: xmlParseElementDecl (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420== by 0x4E889F4: xmlParseMarkupDecl (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420== by 0x4E89214: ??? (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420== by 0x4E8DB4E: xmlParseDocument (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420== by 0x4E944FF: xmlReadFile (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420== by 0x111EA3: ??? (in /usr/bin/xmllint)
==146420== by 0x10EDFE: ??? (in /usr/bin/xmllint)
==146420== by 0x521582F: (below main) (libc-start.c:291)
==146420== Address 0x830d378 is 0 bytes after a block of size 104 alloc'd
==146420== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==146420== by 0x4E735E1: xmlNewInputStream (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420== by 0x4E75FA3: ??? (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420== by 0x4E8871F: ??? (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420== by 0x4E88954: xmlParseMarkupDecl (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420== by 0x4E89214: ??? (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420== by 0x4E8DB4E: xmlParseDocument (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420== by 0x4E944FF: xmlReadFile (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420== by 0x111EA3: ??? (in /usr/bin/xmllint)
==146420== by 0x10EDFE: ??? (in /usr/bin/xmllint)
==146420== by 0x521582F: (below main) (libc-start.c:291)
==146420==
==146420==
==146420== 162 errors in context 2 of 2:
==146420== Invalid read of size 1
==146420== at 0x4C32766: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==146420== by 0x4F74FBD: ??? (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420== by 0x4F75C3C: xmlDictLookup (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420== by 0x4E7C523: xmlParseName (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420== by 0x4E83B1F: xmlParseElementDecl (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420== by 0x4E889F4: xmlParseMarkupDecl (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420== by 0x4E89214: ??? (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420== by 0x4E8DB4E: xmlParseDocument (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420== by 0x4E944FF: xmlReadFile (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420== by 0x111EA3: ??? (in /usr/bin/xmllint)
==146420== by 0x10EDFE: ??? (in /usr/bin/xmllint)
==146420== by 0x521582F: (below main) (libc-start.c:291)
==146420== Address 0x830d379 is 1 bytes after a block of size 104 alloc'd
==146420== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==146420== by 0x4E735E1: xmlNewInputStream (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420== by 0x4E75FA3: ??? (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420== by 0x4E8871F: ??? (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420== by 0x4E88954: xmlParseMarkupDecl (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420== by 0x4E89214: ??? (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420== by 0x4E8DB4E: xmlParseDocument (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420== by 0x4E944FF: xmlReadFile (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==146420== by 0x111EA3: ??? (in /usr/bin/xmllint)
==146420== by 0x10EDFE: ??? (in /usr/bin/xmllint)
==146420== by 0x521582F: (below main) (libc-start.c:291)
==146420==
==146420== ERROR SUMMARY: 216 errors from 2 contexts (suppressed: 0 from 0)
============================================


============================================

PATCHED BY:
--- a/parser.c
+++ a/parser.c
@@ -3312,6 +3312,7 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
int len = 0, l;
int c;
int count = 0;
+ size_t startPosition = 0;

#ifdef DEBUG
nbParseNameComplex++;
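Review bot: `startPosition` is declared `size_t` while `len`, two lines above it, is `int`, so the later comparison `BASE_PTR + startPosition + len > ctxt->input->end` adds a signed int to an unsigned offset; `len` is bounded by the XML_ERR_NAME_TOO_LONG check before it is used, so this is safe in practice, but casting `len` at the point of use (or keeping the offset in the same type as the rest of the cursor arithmetic) would make that intent visible. The `= 0` initializer is dead as well, since every path that reaches the final lookup assigns the offset first; harmless, but worth knowing it is not what protects anything.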
@@ -3323,6 +3324,7 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
GROW;
if (ctxt->instate == XML_PARSER_EOF)
return(NULL);
+ startPosition = CUR_PTR - BASE_PTR;
c = CUR_CHAR(l);
if ((ctxt->options & XML_PARSE_OLD10) == 0) {
/*
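Review bot: the offset is taken after `GROW` and the EOF check and before `c = CUR_CHAR(l)`, which is the right spot, but nothing in the hunk says why a BASE_PTR-relative offset replaces the `ctxt->input->cur - len` arithmetic the function used until now. The reason the reviewer has to reconstruct is that an offset stays meaningful if `GROW` reallocates the buffer inside the loop, whereas back-computing from `cur` assumes every byte between the name start and `cur` is still there and was counted in `len`; it also only holds as long as nothing discards bytes before the name start. Suggest a one-line comment above the assignment stating that assumption so the next person touching the loop knows what not to break.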
@@ -3420,9 +3422,11 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
return(NULL);
}
- if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
- return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
- return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
+
+ if (BASE_PTR + startPosition + len > ctxt->input->end)
+ return(NULL);
+
+ return(xmlDictLookup(ctxt->dict, BASE_PTR + startPosition, len));
}

/**
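Review bot: the new range check returns NULL silently, unlike the XML_ERR_NAME_TOO_LONG path three lines above it that calls `xmlFatalErr` first; a caller getting NULL here has no diagnostic, so an error report (for instance `xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Name")`, or whichever code the maintainers prefer) should precede `return(NULL)`. The check also forms `BASE_PTR + startPosition + len` before comparing it, which can point past the end of the buffer; comparing offsets instead, `startPosition + len > (size_t)(ctxt->input->end - BASE_PTR)`, avoids ever building that pointer. Finally, removing the `'\r'`/`'\n'` special case is only correct because the start now comes from the recorded offset rather than from `cur - len`; that reasoning belongs in a commit message, and the patch as posted has none.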

============================================
(open-)SUSE: https://software.opensuse.org/package/libxml2

2.9.4 (TW, 42.2, official repo)
2.9.1 (42.1, official repo)

Upstream report -- https://bugzilla.gnome.org/show_bug.cgi?id=781361 -- has
'private' status.

--
You are receiving this mail because:
You are on the CC list for the bug.
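Added example, not libxml2 code and not part of the bug report above: a small C model of the two patterns the patch contrasts, `ctxt->input->cur - len` versus a recorded `startPosition` plus a bounds check before the copy that `xmlDictAddString` performs. The input struct, the `shrink_consumed` step (a hypothetical mid-name buffer change that moves `cur` back toward `base` while the accumulated `len` does not change) and the DTD fragment are all constructed here; the real trigger in bug4.xml is not shown on this page. The point it demonstrates is the one the ASAN report makes: once `len` no longer matches the bytes between the name start and `cur`, `cur - len` leaves the buffer, and the patched check turns that over-read into a rejected name rather than a read of a neighbouring heap object.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a libxml2-style parser input (not libxml2 code):
 * [base, end) is one heap buffer, cur the read position; they stand in for
 * BASE_PTR, ctxt->input->end and CUR_PTR in the patch above. */
typedef struct {
    unsigned char *base;
    unsigned char *cur;
    unsigned char *end;
} input_t;

/* Constructed input: a DTD fragment whose name starts at byte offset 10. */
static const char SAMPLE[] = "<!ELEMENT abcdefghijklmnopqrstuvwxyz0123 ";

/* Assumed buffer change mid-name: drop the consumed prefix and move the rest
 * to the front, so cur moves back toward base while the accumulated len does not. */
static void shrink_consumed(input_t *in) {
    size_t remaining = (size_t)(in->end - in->cur);
    memmove(in->base, in->cur, remaining);
    in->cur = in->base;
    in->end = in->base + remaining;
}

/* Scan ASCII name bytes, recording the BASE-relative start as the patch does
 * (startPosition = CUR_PTR - BASE_PTR). The buffer is shrunk once len reaches
 * shrink_after (0 = never). Returns len. */
static int scan_name(input_t *in, int shrink_after, size_t *start_out) {
    int len = 0;
    *start_out = (size_t)(in->cur - in->base);
    while (in->cur < in->end && isalnum(*in->cur)) {
        in->cur++;
        len++;
        if (len == shrink_after)
            shrink_consumed(in);
    }
    return len;
}

/* Old pattern: name start = cur - len. Returns 1 when that would lie before
 * base, i.e. the interning memcpy would read a neighbouring heap object, as
 * ASAN reported. Only offsets are compared; forming the bad pointer is UB. */
static int old_start_underflows(const input_t *in, int len) {
    return (ptrdiff_t)(in->cur - in->base) < (ptrdiff_t)len;
}

/* Patched pattern: check start + len against end before the copy, on offsets
 * so no pointer past end is ever formed. Returns a malloc'd copy, or NULL if
 * the name no longer fits the buffer: the over-read becomes a rejected name,
 * nothing is "recovered". */
static char *lookup_checked(const input_t *in, size_t start, int len) {
    size_t avail = (size_t)(in->end - in->base);
    if (len < 0 || start > avail || (size_t)len > avail - start)
        return NULL;
    char *s = malloc((size_t)len + 1);
    if (s == NULL) return NULL;
    memcpy(s, in->base + start, (size_t)len);
    s[len] = '\0';
    return s;
}

/* One scenario: *underflow gets the old computation's verdict, the return
 * value is the checked lookup's result (caller frees). */
static char *run_scenario(int shrink_after, int *underflow) {
    size_t n = strlen(SAMPLE);
    unsigned char *buf = malloc(n);
    if (buf == NULL) { *underflow = 0; return NULL; }
    memcpy(buf, SAMPLE, n);
    input_t in = { buf, buf + 10, buf + n };    /* cur at the name start */
    size_t start;
    int len = scan_name(&in, shrink_after, &start);
    *underflow = old_start_underflows(&in, len);
    char *name = lookup_checked(&in, start, len);
    free(buf);
    return name;
}

static int old_pattern_underflows(int shrink_after) {
    int u;
    free(run_scenario(shrink_after, &u));
    return u;
}

/* expected == NULL means "the checked lookup must reject the name". */
static int checked_lookup_matches(int shrink_after, const char *expected) {
    int u;
    char *name = run_scenario(shrink_after, &u);
    int ok = expected ? (name != NULL && strcmp(name, expected) == 0)
                      : (name == NULL);
    free(name);
    return ok;
}

int main(void) {
    printf("no shrink:      old underflows=%d checked ok=%d\n",
           old_pattern_underflows(0),
           checked_lookup_matches(0, "abcdefghijklmnopqrstuvwxyz0123"));
    printf("shrink after 5: old underflows=%d checked rejects=%d\n",
           old_pattern_underflows(5), checked_lookup_matches(5, NULL));
    return 0;
}
```

Without the shrink both patterns agree and the 30-byte name is interned; with the shrink after five bytes, `cur - len` would start 5 bytes before the buffer (the shape of the 32-byte-region over-read in the ASAN output), while the offset-based check sees `start + len` exceed the 26 bytes left and refuses. Note that the check rejects rather than repairs: after the buffer change the recorded offset no longer denotes the original name bytes either, which is why the reviewer notes above ask for an error report at that `return(NULL)`.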