Bug 759020 - (CVE-2016-1835) Heap use-after-free in xmlSAX2AttributeNs
Status: RESOLVED FIXED
Product: libxml2
Classification: Platform
Component: general
Version: git master
Platform: Other All
Importance: Normal major
Target Milestone: ---
Assigned To: Daniel Veillard
QA Contact: libxml QA maintainers
Depends on:
Blocks:
Reported: 2015-12-04 11:31 UTC by Wei Lei
Modified: 2016-08-22 20:22 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Minimized crasher by afl-tmin (4.09 KB, text/xml)
2015-12-04 11:31 UTC, Wei Lei
Original crasher (35.90 KB, image/svg+xml)
2015-12-04 11:32 UTC, Wei Lei
Proposed Patch v1 (10.40 KB, patch)
2016-03-16 23:39 UTC, David Kilzer

Description Wei Lei 2015-12-04 11:31:32 UTC
Created attachment 316764
Minimized crasher by afl-tmin

Hi,

The following heap use-after-free was observed on an ASAN build of the latest Libxml2 version 2.9.3:

$ ./xmllint c02_id0.raw

==8253== ERROR: AddressSanitizer: heap-use-after-free on address 0xb4c00137 at pc 0x8832928 bp 0xbfda6128 sp 0xbfda611c
READ of size 1 at 0xb4c00137 thread T0
    #0 0x8832927 in xmlSAX2AttributeNs libxml2-2.9.3/SAX2.c:2035
    #1 0x8844b09 in xmlSAX2StartElementNs libxml2-2.9.3/SAX2.c:2409
    #2 0x812819e in xmlParseStartTag2 libxml2-2.9.3/parser.c:9756
    #3 0x8171cb2 in xmlParseElement libxml2-2.9.3/parser.c:10129
    #4 0x817bfe9 in xmlParseDocument libxml2-2.9.3/parser.c:10912
    #5 0x81b5589 in xmlDoRead libxml2-2.9.3/parser.c:15390
    #6 0x81b5589 in xmlReadFile libxml2-2.9.3/parser.c:15452
    #7 0x805d5a9 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2401
    #8 0x8051352 in main libxml2-2.9.3/xmllint.c:3759
    #9 0xb5fada82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #10 0x80555c0 in _start (libxml2-2.9.3/bin/xmllint+0x80555c0)
0xb4c00137 is located 55 bytes inside of 8194-byte region [0xb4c00100,0xb4c02102)
freed by thread T0 here:
    #0 0xb619f9b4 in __interceptor_realloc (/usr/lib/i386-linux-gnu/libasan.so.0+0x169b4)
    #1 0x85150b2 in xmlBufGrowInternal libxml2-2.9.3/buf.c:486
    #2 0x85150b2 in xmlBufGrow libxml2-2.9.3/buf.c:515
previously allocated by thread T0 here:
    #0 0xb619f854 in malloc (/usr/lib/i386-linux-gnu/libasan.so.0+0x16854)
    #1 0x8511a90 in xmlBufCreateSize libxml2-2.9.3/buf.c:172
SUMMARY: AddressSanitizer: heap-use-after-free libxml2-2.9.3/SAX2.c:2035 ??
==8253== ABORTING
Aborted

Found with american fuzzy lop by lcamtuf. A minimized crasher that works for Libxml2-2.9.3 ASAN build is attached as c02_id0_min.xml:

$ xxd -g 1 c02_id0_min.xml | head -10
0000000: 3c 3f 6c 20 30 30 30 30 30 30 30 30 30 30 30 30  <?l 000000000000
0000010: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  0000000000000000
0000020: 30 3f 3e 0d 0a 3c 73 30 30 20 77 30 30 30 30 3d  0?>..<s00 w0000=
0000030: 22 30 30 30 22 20 68 30 30 30 30 30 3d 22 30 30  "000" h00000="00
0000040: 30 22 0d 0a 20 78 6d 6c 6e 73 20 3d 20 27 30 30  0".. xmlns = '00
0000050: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  0000000000000000
0000060: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  0000000000000000
0000070: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  0000000000000000
0000080: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  0000000000000000
0000090: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  0000000000000000
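Added here as an illustration of the bug class behind the trace above (this is not libxml2 code; all names are hypothetical): a growable input buffer, like the xmlBuf seen in the "freed by" frames, is reallocated while the caller still holds raw pointers into it, so the pointers later handed to the attribute callback refer to freed memory. The defensive pattern shown is to keep offsets instead of pointers and to check whether the buffer base moved before any earlier pointer is reused.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { char *base; size_t use; size_t size; } inbuf_t;   /* like xmlBuf */
typedef struct { size_t off; size_t len; } attr_ref;               /* offset, not pointer */

/* Grow like xmlBufGrow.  A fresh block is always used so the old base is
 * really freed (realloc may or may not move; this makes the move certain).
 * Returns 1 if the base moved: the "base changed" condition a parser must
 * check before reusing any pointer taken into the buffer earlier. */
static int inbuf_append(inbuf_t *b, const char *s, size_t n) {
    uintptr_t old = (uintptr_t)b->base;
    if (b->use + n + 1 > b->size) {
        size_t nsize = (b->use + n + 1) * 2;
        char *nb = malloc(nsize);
        memcpy(nb, b->base, b->use);
        free(b->base);                 /* every pointer into the old block is now dangling */
        b->base = nb;
        b->size = nsize;
    }
    memcpy(b->base + b->use, s, n);
    b->use += n;
    b->base[b->use] = '\0';
    return (uintptr_t)b->base != old;
}

/* Safe access: re-derive the pointer from the offset instead of caching it. */
static const char *attr_value(const inbuf_t *b, attr_ref a) { return b->base + a.off; }

static char demo_out[8];   /* receives the first attribute's value */

/* Models the start-tag parse in this report: a first attribute is recorded,
 * then a long xmlns value arrives and grows the buffer.  Returns 1 if the
 * base moved; demo_out holds the value read safely after the growth. */
int start_tag_demo(void) {
    inbuf_t b = { calloc(1, 16), 0, 16 };
    inbuf_append(&b, "<s w=\"abc\"", 10);
    attr_ref w = { 6, 3 };             /* "abc" starts at offset 6 */
    /* vulnerable pattern: const char *val = b.base + w.off;  kept across the growth below */
    char xmlns[4096];
    memset(xmlns, '0', sizeof xmlns);  /* constructed, mirrors the long xmlns value in the crasher */
    int moved = inbuf_append(&b, " xmlns='", 8);
    moved |= inbuf_append(&b, xmlns, sizeof xmlns);   /* forces reallocation */
    memcpy(demo_out, attr_value(&b, w), w.len);       /* hardened: rebase after the check */
    demo_out[w.len] = '\0';
    free(b.base);
    return moved;
}

int main(void) { printf("base moved: %d, value: %s\n", start_tag_demo(), demo_out); return 0; }
```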
Comment 1 Wei Lei 2015-12-04 11:32:40 UTC
Created attachment 316765 [details]
Original crasher
Comment 2 David Kilzer 2016-03-09 11:18:27 UTC
The fix for this bug appears to be similar to:

Bug 756525: heap-buffer-overflow in xmlParseMisc
<https://bugzilla.gnome.org/show_bug.cgi?id=756525>

Which was fixed in f1063fdbe7fa66332bbb76874101c2a7b51b519f:

<https://git.gnome.org/browse/libxml2/commit/?id=f1063fdbe7fa66332bbb76874101c2a7b51b519f>
Comment 3 David Kilzer 2016-03-16 23:39:06 UTC
Created attachment 324148
Proposed Patch v1
Comment 5 Olav Vitters 2016-08-22 20:22:48 UTC
Removing security group as commit is public.