Bug 757970 - Global-buffer-overflow read of size 8 running libxslt/tests/exslt/date/seconds.1 test
Status: RESOLVED FIXED
Product: libxslt
Classification: Platform
Component: general
Version: 1.1.x
Hardware: Other
OS: All
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: Daniel Veillard
QA Contact: libxml QA maintainers
Depends on:
Blocks:
 
 
Reported: 2015-11-12 00:04 UTC by David Kilzer
Modified: 2016-02-25 13:40 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Simplest fix (552 bytes, patch)
2015-11-12 00:20 UTC, David Kilzer
Alternative fix (1.27 KB, patch)
2015-12-13 20:40 UTC, Nick Wellnhofer

Description David Kilzer 2015-11-12 00:04:11 UTC
Compiling libxslt with clang Address Sanitizer enabled, then running built-in tests found this issue.  This likely affects all platforms, but I originally found this on Mac OS X 10.10 with libxslt v1.1.28.

This is not likely to be exploitable, hence the public report.

* ADDRESS SANITIZER INFO

================================================================
==10368==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0001077ae0f8 at pc 0x0001077a8b1f bp 0x7fff59263a40 sp 0x7fff59263a38
READ of size 8 at 0x0001077ae0f8 thread T0
    #0 0x1077a8b1e in _exsltDateCastYMToDays date.c:1325
    #1 0x1077a837e in _exsltDateDifference date.c:1674
    #2 0x1077a8ca9 in exsltDateSeconds date.c:2943
    #3 0x10779f5a7 in exsltDateSecondsFunction date.c:3554
    #4 0x7fff8632b41c in xmlXPathCompOpEval (/usr/lib/libxml2.2.dylib+0xc941c)
    #5 0x7fff8632adc1 in xmlXPathCompOpEval (/usr/lib/libxml2.2.dylib+0xc8dc1)
    #6 0x7fff863298c9 in xmlXPathRunEval (/usr/lib/libxml2.2.dylib+0xc78c9)
    #7 0x7fff863295df in xmlXPathCompiledEvalInternal (/usr/lib/libxml2.2.dylib+0xc75df)
    #8 0x7fff86329440 in xmlXPathCompiledEval (/usr/lib/libxml2.2.dylib+0xc7440)
    #9 0x10773f7cc in xsltValueOf transform.c:4524
    #10 0x107736a87 in xsltApplySequenceConstructor transform.c:2647
    #11 0x107734a1e in xsltApplyXSLTTemplate transform.c:3108
    #12 0x107731c21 in xsltProcessOneNode transform.c:2097
    #13 0x107732256 in xsltProcessOneNode transform.c:1927
    #14 0x107732256 in xsltProcessOneNode transform.c:1927
    #15 0x1077458b2 in xsltApplyStylesheetInternal transform.c:6159
    #16 0x10699ef30 in xsltProcess xsltproc.c:411
    #17 0x10699dd5d in main xsltproc.c:888
    #18 0x7fff89ff15c8 in start (/usr/lib/system/libdyld.dylib+0x35c8)
    #19 0x2  (<unknown module>)
 
0x0001077ae0f8 is located 8 bytes to the left of global variable 'dayInYearByMonth' defined in 'date.c:181:28' (0x1077ae100) of size 96
0x0001077ae0f8 is located 24 bytes to the right of global variable 'dayInLeapYearByMonth' defined in 'date.c:183:28' (0x1077ae080) of size 96
SUMMARY: AddressSanitizer: global-buffer-overflow date.c:1325 _exsltDateCastYMToDays
Shadow bytes around the buggy address:
  0x100020ef5bc0: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x100020ef5bd0: 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9
  0x100020ef5be0: f9 f9 f9 f9 00 00 00 00 00 00 00 f9 f9 f9 f9 f9
  0x100020ef5bf0: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x100020ef5c00: 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
=>0x100020ef5c10: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9[f9]
  0x100020ef5c20: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x100020ef5c30: 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9
  0x100020ef5c40: 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 00 00 00 00
  0x100020ef5c50: 00 00 00 00 00 00 00 00 00 00 00 00 02 f9 f9 f9
  0x100020ef5c60: f9 f9 f9 f9 00 00 00 00 00 00 00 00 03 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
 
abort() called

* OUTPUT OF TEST RUN

$ make test
make[1]: Nothing to be done for `tests'.
## Running REC1 tests
## Running REC2 tests
## Running REC tests
## Running REC tests without dictionaries
## Running general tests
## Running general tests without dictionaries
## Running namespaces tests
## Running keys tests
## Running numbers tests
## Running extensions tests
## Running reports tests
## Running xmlspec tests
## Running multiple tests
## Running XInclude test
## Running XSLTMark tests
## Running docbook tests
/Applications/Xcode.app/Contents/Developer/usr/bin/make single
-n gdp-handbook.xml : html 
-n fo 
-n xhtml 

/Applications/Xcode.app/Contents/Developer/usr/bin/make xtchunk
html-chunking
## Running exslt common tests
## Running exslt function tests
## Running exslt math tests
## Running exslt sets tests
## Running exslt string tests
## Running exslt sets tests
## Running exslt date tests
#
# Inspect the following for correctness
#
Current Date : 2015-11-05T14:05:19-08:00
     year                 : 2015
     leap-year            : false
     month-in-year        : 11
     month-name           : November
     month-abbreviation   : Nov
     week-in-year         : 45
     day-in-year          : 309
     day-in-month         : 5
     day-of-week-in-month : 1
     day-in-week          : 5
     day-name             : Thursday
     day-abbreviation     : Thu
     time                 : 14:05:19-08:00
     hour-in-day          : 14
     minute-in-hour       : 5
     second-in-minute     : 19
## Running exslt common tests
seconds.1 result
Fatal error, no seconds.1.res
## Running plugin tests

xsltproc crashed when running the seconds.1 test.

Comment 1 David Kilzer 2015-11-12 00:20:48 UTC
Created attachment 315304 [details] [review]
Simplest fix

The bug appears to be that values from exsltDateValPtr objects that represent durations are being passed into the DAY_IN_YEAR() macro, the 'month' field is zero, and then DAY_IN_YEAR() is trying to access dayInLeapYearByMonth[-1] or dayInYearByMonth[-1], reading off the beginning of the static array.

The simplest fix is to lower-bounds-check 'month', and use '0' if month is less than 1, which is what this patch does.

Obviously, this code could be even more defensive by upper-bounds-checking 'month', but that assumes that the code currently generates invalid exsltDateValPtr objects.  (I did not audit the code for any such possibilities.)

Another approach may be to check whether the exsltDateValPtr is a duration, and not to use DAY_IN_YEAR() on durations, or to make DAY_IN_YEAR() work properly with durations.
Comment 2 Nick Wellnhofer 2015-12-13 20:40:06 UTC
Created attachment 317311 [details] [review]
Alternative fix

It seems that the root cause of the problem is that month and days are set to zero when parsing xs:gYears or xs:gYearMonths or when truncating dates. This patch makes sure that this never happens and should also prevent OOB access to the daysInMonth array.

Nevertheless, it's a good idea to always perform a range check when accessing any of the arrays indexed by month.
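As an added example (not libxslt's code, nor either of the attached patches), the snippet below reconstructs the indexing pattern comment 1 describes and sets it beside the two remedies discussed in comments 1 and 2: a full range check on 'month' before touching a month-indexed table, and normalising a parsed xs:gYear / xs:gYearMonth value so its month and day are never zero. The date_val struct, the function names and the IS_LEAP / DAY_IN_YEAR_UNCHECKED macros are assumptions made for the example; the two tables hold the standard cumulative day counts preceding each month (12 longs each, the same 96 bytes ASan reported for dayInYearByMonth and dayInLeapYearByMonth).

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed leap-year rule (Gregorian). */
#define IS_LEAP(y) ((((y) % 4) == 0 && ((y) % 100) != 0) || ((y) % 400) == 0)

/* Days preceding each month; 12 entries of long = 96 bytes, as in the ASan report. */
static const long dayInYearByMonth[12] =
    { 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334 };
static const long dayInLeapYearByMonth[12] =
    { 0, 31, 60, 91, 121, 152, 182, 213, 244, 274, 305, 335 };

/* Hypothetical stand-in for the exsltDateVal fields that matter here. */
typedef struct {
    long year;
    int  mon;          /* 1..12; 0 = absent, e.g. right after parsing xs:gYear */
    int  day;          /* 1..31; 0 = absent */
    bool is_duration;  /* durations carry no calendar position at all */
} date_val;

/* The unchecked pattern from the report, kept only for contrast and never
 * invoked: with month == 0 it indexes element -1 of a global array, which is
 * the 8-byte global-buffer-overflow read ASan flagged in _exsltDateCastYMToDays. */
#define DAY_IN_YEAR_UNCHECKED(day, month, year) \
    ((IS_LEAP(year) ? dayInLeapYearByMonth[(month) - 1] \
                    : dayInYearByMonth[(month) - 1]) + (day))

/* Checked replacement: reject any month outside 1..12 (both bounds, as comment 2
 * recommends) and return -1, a value a real day-of-year can never take, instead
 * of reading outside the table. */
static long day_in_year_checked(long day, int month, long year)
{
    if (month < 1 || month > 12)
        return -1;
    const long *table = IS_LEAP(year) ? dayInLeapYearByMonth : dayInYearByMonth;
    return table[month - 1] + day;
}

/* Normalisation in the spirit of the alternative fix: a value parsed from
 * xs:gYear or xs:gYearMonth (or truncated to one) gets month/day 1 rather
 * than 0, so later date arithmetic never sees a zero month. */
static void normalize_date_val(date_val *v)
{
    if (v->mon == 0)
        v->mon = 1;
    if (v->day == 0)
        v->day = 1;
}

/* Day-of-year for a date value. Durations are refused up front (comment 1's
 * third suggestion); everything else goes through the range-checked lookup.
 * Returns -1 on any rejection. */
static long date_val_day_in_year(const date_val *v)
{
    if (v->is_duration)
        return -1;
    return day_in_year_checked(v->day, v->mon, v->year);
}

int main(void)
{
    date_val d = { 2015, 11, 5, false };   /* 2015-11-05, the date in the test log */
    printf("2015-11-05 day-in-year: %ld\n", date_val_day_in_year(&d));

    date_val gy = { 2015, 0, 0, false };   /* as if freshly parsed from xs:gYear "2015" */
    printf("gYear before normalisation: %ld\n", date_val_day_in_year(&gy));
    normalize_date_val(&gy);
    printf("gYear after normalisation:  %ld\n", date_val_day_in_year(&gy));

    date_val dur = { 0, 0, 0, true };      /* a duration: no calendar position */
    printf("duration: %ld\n", date_val_day_in_year(&dur));
    return 0;
}
```

The 309 produced for 2015-11-05 matches the "day-in-year : 309" line in the reporter's own test output above, which is a convenient sanity check that the table values are right; the normalisation step is what keeps a gYear value from ever reaching the lookup with month 0, and the range check is the backstop in case some other path still does.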
Comment 3 David Kilzer 2015-12-15 18:16:31 UTC
Thanks Nick!

(In reply to Nick Wellnhofer from comment #2)
> Created attachment 317311 [details] [review]
> Alternative fix
> 
> It seems that the root cause of the problem is that month and days are set
> to zero when parsing xs:gYears or xs:gYearMonths or when truncating dates.
> This patch makes sure that this never happens and should also prevent OOB
> access to the daysInMonth array. 
> 
> Nevertheless, it's a good idea to always perform a range check when
> accessing any of the arrays indexed by month.

No crashes with clang address sanitizer enabled (on 15f148ee plus your patch), and the results match what happens without the patch.  This is with libxml2-2.9.2 on El Capitan Mac OS X 10.11.2.

Here's how I ran configure prior to running the tests:

CC="/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/cc -fsanitize=address" ./configure --prefix=/usr --without-python --disable-static

Test results:

[...]
  CCLD     xsltproc
## Running REC1 tests
## Running REC2 tests
## Running REC tests
## Running REC tests without dictionaries
## Running general tests
bug-110 result
0a1
> ./../docs/bug-110.xml:1: element elem: validity error : ID id0 already defined
## Running general tests without dictionaries
bug-110 result
0a1
> ./../docs/bug-110.xml:1: element elem: validity error : ID id0 already defined
## Running namespaces tests
## Running keys tests
## Running numbers tests
## Running extensions tests
## Running reports tests
## Running xmlspec tests
## Running multiple tests
## Running XInclude test
## Running XSLTMark tests
perl ./dbgen.pl 100 > db100.xml
perl ./dbgen.pl 10000 > db10000.xml
perl ./dbgen.pl 1000 > db1000.xml
## Running docbook tests
/Applications/Xcode.app/Contents/Developer/usr/bin/make single
-n gdp-handbook.xml : html 
element a: validity error : ID intro already defined
element a: validity error : ID gdp already defined
element a: validity error : ID goals already defined
element a: validity error : ID joining already defined
element a: validity error : ID collaborating already defined
element a: validity error : ID notation already defined
element a: validity error : ID idp106373368229088 already defined
element a: validity error : ID about already defined
element a: validity error : ID gettingstarted already defined
element a: validity error : ID selecting already defined
element a: validity error : ID know already defined
element a: validity error : ID doctable already defined
element a: validity error : ID docbook already defined
element a: validity error : ID installingdocbook already defined
element a: validity error : ID gdpstylesheets already defined
element a: validity error : ID gdpdtd already defined
element a: validity error : ID editors already defined
element a: validity error : ID make-output already defined
element a: validity error : ID jadeimages already defined
element a: validity error : ID moredocbookinfo already defined
element a: validity error : ID gdptemplates already defined
element a: validity error : ID screenshots already defined
element a: validity error : ID screenshotappearance already defined
element a: validity error : ID screenshottools already defined
element a: validity error : ID screenshotfiles already defined
element a: validity error : ID applicationbugs already defined
element a: validity error : ID cvs already defined
element a: validity error : ID anonymouscvs already defined
element a: validity error : ID logincvs already defined
element a: validity error : ID cvsetiquette already defined
element a: validity error : ID gnomedocsystem already defined
element a: validity error : ID gnomehelpbrowser already defined
element a: validity error : ID gnomehelpbrowser2 already defined
element a: validity error : ID gnomehelponthefly already defined
element a: validity error : ID gnomehelpcomponents already defined
element a: validity error : ID applicationmanualsintro already defined
element a: validity error : ID applicationhelpintro already defined
element a: validity error : ID contextsensitivehelpintro already defined
element a: validity error : ID userguide already defined
element a: validity error : ID userdocs already defined
element a: validity error : ID developerdocs already defined
element a: validity error : ID projectdocs already defined
element a: validity error : ID docbookbasics already defined
element a: validity error : ID introtodocbook already defined
element a: validity error : ID xml already defined
element a: validity error : ID structure already defined
element a: validity error : ID section already defined
element a: validity error : ID notes already defined
element a: validity error : ID figures already defined
element a: validity error : ID listing already defined
element a: validity error : ID lists already defined
element a: validity error : ID inline already defined
element a: validity error : ID gui already defined
element a: validity error : ID links already defined
element a: validity error : ID filenames already defined
element a: validity error : ID keys already defined
element a: validity error : ID email already defined
element a: validity error : ID specsymb already defined
element a: validity error : ID conventions already defined
element a: validity error : ID conventionsalldocs already defined
element a: validity error : ID xmlcomp already defined
element a: validity error : ID authorsnames already defined
element a: validity error : ID conventionsappdocs already defined
element a: validity error : ID applicationversionid already defined
element a: validity error : ID license already defined
element a: validity error : ID license2 already defined
element a: validity error : ID bugtraq already defined
element a: validity error : ID writingapplicationmanuals already defined
element a: validity error : ID listingdocsinhelpmenu already defined
element a: validity error : ID applicationhelpbuttons already defined
element a: validity error : ID packagingappletdocs already defined
element a: validity error : ID appletfiles already defined
element a: validity error : ID appletmenu already defined
element a: validity error : ID writingcontextsensitivehelp already defined
element a: validity error : ID referring already defined
element a: validity error : ID basics already defined
element a: validity error : ID styleplanning already defined
element a: validity error : ID balance already defined
element a: validity error : ID stylestructure already defined
element a: validity error : ID stylegrammar already defined
element a: validity error : ID teamwork already defined
element a: validity error : ID teamworkgdp already defined
element a: validity error : ID teamworkdevelopers already defined
element a: validity error : ID finishing already defined
element a: validity error : ID editting already defined
element a: validity error : ID submitting already defined
element a: validity error : ID resources already defined
element a: validity error : ID resourcesweb already defined
element a: validity error : ID resourcesbooks already defined
element a: validity error : ID mailinglists already defined
element a: validity error : ID irc already defined
element a: validity error : ID template1 already defined
element a: validity error : ID template2-1x already defined
element a: validity error : ID template2-2x already defined
-n fo 
-n xhtml 

/Applications/Xcode.app/Contents/Developer/usr/bin/make xtchunk
html-chunking
result
1a2,23
> element a: validity error : ID gettingstarted already defined
> element a: validity error : ID selecting already defined
> element a: validity error : ID know already defined
> element a: validity error : ID doctable already defined
> element a: validity error : ID docbook already defined
> element a: validity error : ID installingdocbook already defined
> element a: validity error : ID gdpstylesheets already defined
> element a: validity error : ID gdpdtd already defined
> element a: validity error : ID editors already defined
> element a: validity error : ID make-output already defined
> element a: validity error : ID jadeimages already defined
> element a: validity error : ID moredocbookinfo already defined
> element a: validity error : ID gdptemplates already defined
> element a: validity error : ID screenshots already defined
> element a: validity error : ID screenshotappearance already defined
> element a: validity error : ID screenshottools already defined
> element a: validity error : ID screenshotfiles already defined
> element a: validity error : ID applicationbugs already defined
> element a: validity error : ID cvs already defined
> element a: validity error : ID anonymouscvs already defined
> element a: validity error : ID logincvs already defined
> element a: validity error : ID cvsetiquette already defined
2a25,36
> element a: validity error : ID gnomedocsystem already defined
> element a: validity error : ID gnomehelpbrowser already defined
> element a: validity error : ID gnomehelpbrowser2 already defined
> element a: validity error : ID gnomehelponthefly already defined
> element a: validity error : ID gnomehelpcomponents already defined
> element a: validity error : ID applicationmanualsintro already defined
> element a: validity error : ID applicationhelpintro already defined
> element a: validity error : ID contextsensitivehelpintro already defined
> element a: validity error : ID userguide already defined
> element a: validity error : ID userdocs already defined
> element a: validity error : ID developerdocs already defined
> element a: validity error : ID projectdocs already defined
3a38,53
> element a: validity error : ID docbookbasics already defined
> element a: validity error : ID introtodocbook already defined
> element a: validity error : ID xml already defined
> element a: validity error : ID structure already defined
> element a: validity error : ID section already defined
> element a: validity error : ID notes already defined
> element a: validity error : ID figures already defined
> element a: validity error : ID listing already defined
> element a: validity error : ID lists already defined
> element a: validity error : ID inline already defined
> element a: validity error : ID gui already defined
> element a: validity error : ID links already defined
> element a: validity error : ID filenames already defined
> element a: validity error : ID keys already defined
> element a: validity error : ID email already defined
> element a: validity error : ID specsymb already defined
4a55,63
> element a: validity error : ID conventions already defined
> element a: validity error : ID conventionsalldocs already defined
> element a: validity error : ID xmlcomp already defined
> element a: validity error : ID authorsnames already defined
> element a: validity error : ID conventionsappdocs already defined
> element a: validity error : ID applicationversionid already defined
> element a: validity error : ID license already defined
> element a: validity error : ID license2 already defined
> element a: validity error : ID bugtraq already defined
5a65
> element a: validity error : ID writingapplicationmanuals already defined
6a67
> element a: validity error : ID listingdocsinhelpmenu already defined
7a69
> element a: validity error : ID applicationhelpbuttons already defined
8a71,73
> element a: validity error : ID packagingappletdocs already defined
> element a: validity error : ID appletfiles already defined
> element a: validity error : ID appletmenu already defined
9a75
> element a: validity error : ID writingcontextsensitivehelp already defined
10a77
> element a: validity error : ID referring already defined
11a79,83
> element a: validity error : ID basics already defined
> element a: validity error : ID styleplanning already defined
> element a: validity error : ID balance already defined
> element a: validity error : ID stylestructure already defined
> element a: validity error : ID stylegrammar already defined
12a85,87
> element a: validity error : ID teamwork already defined
> element a: validity error : ID teamworkgdp already defined
> element a: validity error : ID teamworkdevelopers already defined
13a89,91
> element a: validity error : ID finishing already defined
> element a: validity error : ID editting already defined
> element a: validity error : ID submitting already defined
14a93,97
> element a: validity error : ID resources already defined
> element a: validity error : ID resourcesweb already defined
> element a: validity error : ID resourcesbooks already defined
> element a: validity error : ID mailinglists already defined
> element a: validity error : ID irc already defined
15a99
> element a: validity error : ID template2-1x already defined
16a101
> element a: validity error : ID template2-2x already defined
17a103
> element a: validity error : ID template1 already defined
18a105,112
> element a: validity error : ID intro already defined
> element a: validity error : ID gdp already defined
> element a: validity error : ID goals already defined
> element a: validity error : ID joining already defined
> element a: validity error : ID collaborating already defined
> element a: validity error : ID notation already defined
> element a: validity error : ID idp106373418172960 already defined
> element a: validity error : ID about already defined

## Running exslt common tests
## Running exslt function tests
## Running exslt math tests
## Running exslt sets tests
## Running exslt string tests
## Running exslt sets tests
## Running exslt date tests
#
# Inspect the following for correctness
#
Current Date : 2015-12-15T10:00:50-08:00
     year                 : 2015
     leap-year            : false
     month-in-year        : 12
     month-name           : December
     month-abbreviation   : Dec
     week-in-year         : 51
     day-in-year          : 349
     day-in-month         : 15
     day-of-week-in-month : 3
     day-in-week          : 3
     day-name             : Tuesday
     day-abbreviation     : Tue
     time                 : 10:00:50-08:00
     hour-in-day          : 10
     minute-in-hour       : 0
     second-in-minute     : 50
## Running exslt common tests
## Running plugin tests
  CC       xmlsoft_org_xslt_testplugin_la-testplugin.lo
  CCLD     xmlsoft_org_xslt_testplugin.la