GNOME Bugzilla – Bug 763686
multiple heap overflow vulnerabilities in html parse functions
Last modified: 2017-02-08 20:52:41 UTC
Created attachment 323981 [details]
over 3000 crash samples

READ of size 1 at 0x62100001b8ff thread T0
    #0 0x7f24da23b444 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x88444)
    #1 0x7f24d9ecb18d in xmlDictAddString /home/root/libxml2-master/dict.c:285
    #2 0x7f24d9ecf80e in xmlDictLookup__internal_alias /home/root/libxml2-master/dict.c:926
    #3 0x7f24d9b94438 in htmlParseNameComplex /home/root/libxml2-master/HTMLparser.c:2517
    #4 0x7f24d9b94438 in htmlParseName /home/root/libxml2-master/HTMLparser.c:2483
    #5 0x7f24d9b94612 in htmlParseEntityRef__internal_alias /home/root/libxml2-master/HTMLparser.c:2682
    #6 0x7f24d9ba6649 in htmlParseEntityRef__internal_alias /home/root/libxml2-master/HTMLparser.c:2680
    #7 0x7f24d9ba6649 in htmlParseReference /home/root/libxml2-master/HTMLparser.c:4044
    #8 0x7f24d9ba9c27 in htmlParseContentInternal /home/root/libxml2-master/HTMLparser.c:4619
    #9 0x7f24d9badbe7 in htmlParseDocument__internal_alias /home/root/libxml2-master/HTMLparser.c:4769
    #10 0x7f24d9bbf8f8 in htmlDoRead /home/root/libxml2-master/HTMLparser.c:6741
    #11 0x7f24d9bbf8f8 in htmlReadFile__internal_alias /home/root/libxml2-master/HTMLparser.c:6799
    #12 0x410957 in parseAndPrintFile /home/root/libxml2-master/xmllint.c:2248
    #13 0x40c911 in main /home/root/libxml2-master/xmllint.c:3759
    #14 0x7f24d963486f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2086f)
    #15 0x40cb38 in _start (/home/root/libxml2-master/xmllint_afl+0x40cb38)
0x62100001b8ff is located 1 bytes to the left of 4096-byte region [0x62100001b900,0x62100001c900)
allocated by thread T0 here:
    #0 0x7f24da246e9a in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x93e9a)
    #1 0x7f24d9ceb245 in xmlBufCreate /home/root/libxml2-master/buf.c:137
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
==15858==ABORTING
PoC/id_000012,sig_06,src_000000,op_havoc,rep_128

==15972==ABORTING
PoC/id_000020,sig_06,src_000000+000272,op_splice,rep_64

program output:
=================================================================
==15989==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001b8fd at pc 0x7fa6eceb2445 bp 0x7ffca01bcbe0 sp 0x7ffca01bc390
READ of size 3 at 0x62100001b8fd thread T0
    #0 0x7fa6eceb2444 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x88444)
    #1 0x7fa6ecb4218d in xmlDictAddString /home/root/libxml2-master/dict.c:285
    #2 0x7fa6ecb4680e in xmlDictLookup__internal_alias /home/root/libxml2-master/dict.c:926
    #3 0x7fa6ec80b438 in htmlParseNameComplex /home/root/libxml2-master/HTMLparser.c:2517
    #4 0x7fa6ec80b438 in htmlParseName /home/root/libxml2-master/HTMLparser.c:2483
    #5 0x7fa6ec65d743 in htmlParseDocTypeDecl /home/root/libxml2-master/HTMLparser.c:3424
    #6 0x7fa6ec82520b in htmlParseDocument__internal_alias /home/root/libxml2-master/HTMLparser.c:4751
    #7 0x7fa6ec8368f8 in htmlDoRead /home/root/libxml2-master/HTMLparser.c:6741
    #8 0x7fa6ec8368f8 in htmlReadFile__internal_alias /home/root/libxml2-master/HTMLparser.c:6799
    #9 0x410957 in parseAndPrintFile /home/root/libxml2-master/xmllint.c:2248
    #10 0x40c911 in main /home/root/libxml2-master/xmllint.c:3759
    #11 0x7fa6ec2ab86f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2086f)
    #12 0x40cb38 in _start (/home/root/libxml2-master/xmllint_afl+0x40cb38)
0x62100001b8fd is located 3 bytes to the left of 4096-byte region [0x62100001b900,0x62100001c900)
allocated by thread T0 here:
    #0 0x7fa6ecebde9a in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x93e9a)
    #1 0x7fa6ec962245 in xmlBufCreate /home/root/libxml2-master/buf.c:137
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
==15989==ABORTING
PoC/id_000024,sig_06,src_000001,op_havoc,rep_2

=================================================================
==16079==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001b8fd at pc 0x7fa866cd6445 bp 0x7ffc9ea98890 sp 0x7ffc9ea98040
READ of size 26 at 0x62100001b8fd thread T0
    #0 0x7fa866cd6444 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x88444)
    #1 0x7fa86696618d in xmlDictAddString /home/root/libxml2-master/dict.c:285
    #2 0x7fa86696a80e in xmlDictLookup__internal_alias /home/root/libxml2-master/dict.c:926
    #3 0x7fa86662f438 in htmlParseNameComplex /home/root/libxml2-master/HTMLparser.c:2517
    #4 0x7fa86662f438 in htmlParseName /home/root/libxml2-master/HTMLparser.c:2483
    #5 0x7fa86662f612 in htmlParseEntityRef__internal_alias /home/root/libxml2-master/HTMLparser.c:2682
    #6 0x7fa866641649 in htmlParseEntityRef__internal_alias /home/root/libxml2-master/HTMLparser.c:2680
    #7 0x7fa866641649 in htmlParseReference /home/root/libxml2-master/HTMLparser.c:4044
    #8 0x7fa866644c27 in htmlParseContentInternal /home/root/libxml2-master/HTMLparser.c:4619
    #9 0x7fa866648be7 in htmlParseDocument__internal_alias /home/root/libxml2-master/HTMLparser.c:4769
    #10 0x7fa86665a8f8 in htmlDoRead /home/root/libxml2-master/HTMLparser.c:6741
    #11 0x7fa86665a8f8 in htmlReadFile__internal_alias /home/root/libxml2-master/HTMLparser.c:6799
    #12 0x410957 in parseAndPrintFile /home/root/libxml2-master/xmllint.c:2248
    #13 0x40c911 in main /home/root/libxml2-master/xmllint.c:3759
    #14 0x7fa8660cf86f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2086f)
    #15 0x40cb38 in _start (/home/root/libxml2-master/xmllint_afl+0x40cb38)
0x62100001b8fd is located 3 bytes to the left of 4096-byte region [0x62100001b900,0x62100001c900)
allocated by thread T0 here:
    #0 0x7fa866ce1e9a in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x93e9a)
    #1 0x7fa866786245 in xmlBufCreate /home/root/libxml2-master/buf.c:137
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
==16079==ABORTING
PoC/id_000055,sig_06,src_000001,op_havoc,rep_64__2__

I found a vulnerability too, in xmlDictAddString (/home/root/libxml2-master/dict.c:254):

    pool = dict->strings;
    while (pool != NULL) {
        if (pool->end - pool->free > namelen)
            goto found_pool;                      /* !!! */
        if (pool->size > size) size = pool->size;
        limit += pool->size;
        pool = pool->next;
    }

but PoC lost :-)
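As an added illustration, not libxml2's code and not the fix from Bug 764615, here is a simplified C model of the pool check quoted in the comment above: it keeps the `end - free > namelen` test with the memcpy plus NUL terminator, and adds an assumed extra check that the source span lies inside the input buffer, which is the condition the ASan reports show violated (the read starts 1 to 3 bytes before the xmlBufCreate region). Names such as pool_t, pool_has_room and dict_add_checked are this example's own.

```c
#include <stddef.h>
#include <string.h>

typedef struct {     /* model of a dict string pool: a bump allocator */
    char *free;      /* next unused byte */
    char *end;       /* one past the last byte of the pool */
    char  array[64];
} pool_t;

void pool_init(pool_t *pool) {
    pool->free = pool->array;
    pool->end = pool->array + sizeof pool->array;
}

/* Mirrors "pool->end - pool->free > namelen": strictly greater, so namelen
 * bytes plus the NUL terminator written below always fit in the pool. */
int pool_has_room(const pool_t *pool, size_t namelen) {
    return (size_t)(pool->end - pool->free) > namelen;
}

/* Copies name into the pool (memcpy + NUL, as in the quoted routine).
 * Assumed extra check: [name, name + namelen) must lie inside the caller's
 * input buffer [buf_base, buf_end). The ASan reports above show the source
 * pointer 1 to 3 bytes before the start of the xmlBufCreate region, i.e. a
 * span this check rejects. Returns the pooled string or NULL. */
const char *dict_add_checked(pool_t *pool, const char *name, size_t namelen,
                             const char *buf_base, const char *buf_end) {
    if (name < buf_base || name > buf_end || (size_t)(buf_end - name) < namelen)
        return NULL;                      /* source span outside the buffer */
    if (!pool_has_room(pool, namelen))
        return NULL;                      /* would overflow the pool */
    char *ret = pool->free;
    memcpy(pool->free, name, namelen);
    pool->free += namelen;
    *(pool->free++) = '\0';
    return ret;
}

/* Constructed scenario: the input buffer starts at storage + 4, so a name
 * pointer one byte before it is readable memory yet outside the buffer. */
int demo(void) {
    pool_t pool;
    char storage[32] = "xxxxamp;rest";
    const char *base = storage + 4, *end = storage + sizeof storage;
    pool_init(&pool);
    const char *ok  = dict_add_checked(&pool, base, 3, base, end);
    const char *bad = dict_add_checked(&pool, base - 1, 3, base, end);
    return ok != NULL && strcmp(ok, "amp") == 0 && bad == NULL
        && pool_has_room(&pool, 59) && !pool_has_room(&pool, 60);
}
int main(void) { return demo() ? 0 : 1; }
```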
Hi guys. Any update?
This is fixed by the patch attached to Bug 764615. I'm going to mark this as a forward duplicate even though it is the older bug since Bug 764615 has a fix. *** This bug has been marked as a duplicate of bug 764615 ***