Bug 765271 - Double free in sha1()
Status: RESOLVED FIXED
Product: libxslt
Classification: Platform
Component: general
Version: git master
Hardware/OS: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: Daniel Veillard
QA Contact: libxml QA maintainers
Depends on:
Blocks:
Reported: 2016-04-19 20:03 UTC by Nicolas Gregoire
Modified: 2016-04-20 12:39 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
PoC XSLT (213 bytes, application/xml)
2016-04-19 20:03 UTC, Nicolas Gregoire

Description Nicolas Gregoire 2016-04-19 20:03:07 UTC
Created attachment 326353 [details]
PoC XSLT

As shown under ASan, libxslt will attempt to free a pointer twice when the argument to sha1() is an empty string:
- once in exsltCryptoPopString() line 479
- once in exsltCryptoSha1Function() line 570 

These two calls to xmlFree() are very close, so this issue may not be exploitable.

PoC:

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:c="http://exslt.org/crypto">
 <xsl:template match="/">
  <xsl:value-of select="c:sha1('')"/>
 </xsl:template>
</xsl:stylesheet>

Repro:

==34428== ERROR: AddressSanitizer: attempting double-free on 0x60040000c350:
    #0 0x7f630a66d33a (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1533a)
    #1 0x7f630a19f276 in exsltCryptoSha1Function /home/azureuser/libxslt/libexslt/crypto.c:570
    #2 0x7f6309ec10a0 (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x910a0)
0x60040000c350 is located 0 bytes inside of 1-byte region [0x60040000c350,0x60040000c351)
freed by thread T0 here:
    #0 0x7f630a66d33a (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1533a)
    #1 0x7f630a19e0c7 in exsltCryptoPopString /home/azureuser/libxslt/libexslt/crypto.c:479
    #2 0x7f630a19f248 in exsltCryptoSha1Function /home/azureuser/libxslt/libexslt/crypto.c:567
    #3 0x7f6309ec10a0 (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x910a0)
previously allocated by thread T0 here:
    #0 0x7f630a66d41a (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1541a)
    #1 0x7f6309edcb88 (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0xacb88)
SUMMARY: AddressSanitizer: double-free ??:0 ??
==34428== ABORTING
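The ownership mistake the report describes, modelled as an added example that is not libxslt's code: a pop-string helper that frees its output on empty input while the caller frees the same pointer again, placed beside a single-owner version. The tracking allocator, the function names and the control flow are assumptions reconstructed from the stack trace above.

```c
#include <stdlib.h>
#include <string.h>
/* Stand-in for ASan's allocator checks: a repeated free is counted instead of
 * crashing, so the buggy and the fixed shape can both run in one process. */
#define MAX_TRACKED 16
static void *freed[MAX_TRACKED];
static int n_freed, double_frees;
static char *tracked_dup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p == NULL) abort();
    memcpy(p, s, n);
    return p;
}
static void tracked_free(void *p) {
    if (p == NULL) return;                    /* free(NULL) is always safe */
    for (int i = 0; i < n_freed; i++)
        if (freed[i] == p) { double_frees++; return; }  /* a real free() here is UB */
    if (n_freed < MAX_TRACKED) freed[n_freed++] = p;
    free(p);
}

/* Buggy shape (a reconstruction, not libxslt's code): on empty input the helper
 * frees the popped string but leaves the caller's pointer dangling. */
static int pop_string_buggy(const char *arg, char **str) {
    *str = tracked_dup(arg);
    if (**str == '\0') { tracked_free(*str); return 0; }
    return (int)strlen(*str);
}
/* Fixed shape: one owner. The helper only reports the length; the caller,
 * which already handles the empty case itself, frees exactly once. */
static int pop_string_fixed(const char *arg, char **str) {
    *str = tracked_dup(arg);
    return (int)strlen(*str);
}
/* Caller modelled on the sha1() extension function's control flow. */
static int sha1_function(const char *arg, int (*pop)(const char *, char **)) {
    char *str = NULL;
    int len = pop(arg, &str);
    if (len == 0) { tracked_free(str); return 0; } /* second free with the buggy pop */
    tracked_free(str);                              /* hashing omitted */
    return len;
}
/* Runs one scenario from a clean tracker and returns the double frees seen. */
static int run_scenario(const char *arg, int (*pop)(const char *, char **)) {
    n_freed = double_frees = 0;
    sha1_function(arg, pop);
    return double_frees;
}
```

Only the empty-string input through the buggy helper trips the tracker, matching the report's observation that non-empty arguments never reach the second xmlFree().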
Comment 1 Nick Wellnhofer 2016-04-20 12:39:33 UTC
Fixed with the following commit:

https://git.gnome.org/browse/libxslt/commit/?id=d8862309f08054218b28e2c8f5fb3cb2f650cac7

Thanks for the report.