Bug 767154 - OOB read in test suite (test_xmlCreatePushParserCtxt)
Status: RESOLVED FIXED
Product: libxml2
Classification: Platform
Component: general
Version: git master
Hardware/OS: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: David Kilzer
QA Contact: libxml QA maintainers
Duplicates: 774590 (view as bug list)
Depends on:
Blocks: 780159
Reported: 2016-06-02 10:57 UTC by Huzaifa Sidhpurwala (Red Hat Security Response)
Modified: 2017-06-01 16:45 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments: Patch v1 (71.80 KB, patch), 2017-05-27 16:43 UTC, David Kilzer

Description Huzaifa Sidhpurwala (Red Hat Security Response) 2016-06-02 10:57:49 UTC
This does not seem to be a duplicate of https://bugzilla.gnome.org/show_bug.cgi?id=752191, but I am reporting this anyway.

Test:
./configure CFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address"
make
make check

I am using git head for testing here.

## Parsing non-recursive test cases
## Parsing non-recursive huge case
.........
Total 9 tests, no errors
Testing HTMLparser : 32 of 38 functions ...
=================================================================
==20225==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000047b184 at pc 0x7f86c69e6228 bp 0x7ffc2cf09890 sp 0x7ffc2cf09038
READ of size 122 at 0x00000047b184 thread T0
    #0 0x7f86c69e6227 in __asan_memmove (/lib64/libasan.so.2+0x8d227)
    #1 0x7f86c651358b in xmlBufAdd /NotBackedUp/libxml2-2.9.4/buf.c:908
    #2 0x7f86c640015f in xmlParserInputBufferCreateMem__internal_alias /NotBackedUp/libxml2-2.9.4/xmlIO.c:3038
    #3 0x7f86c64545bf in htmlCreateMemoryParserCtxt__internal_alias /NotBackedUp/libxml2-2.9.4/HTMLparser.c:5022
    #4 0x41d18f in test_htmlCreateMemoryParserCtxt /NotBackedUp/libxml2-2.9.4/testapi.c:1484
    #5 0x41fbb0 in test_HTMLparser /NotBackedUp/libxml2-2.9.4/testapi.c:2784
    #6 0x41ca6f in testlibxml2 /NotBackedUp/libxml2-2.9.4/testapi.c:1249
    #7 0x41b10d in main /NotBackedUp/libxml2-2.9.4/testapi.c:154
    #8 0x7f86c57bc6ff in __libc_start_main (/lib64/libc.so.6+0x206ff)
    #9 0x41a888 in _start (/NotBackedUp/libxml2-2.9.4/.libs/lt-testapi+0x41a888)

0x00000047b184 is located 0 bytes to the right of global variable '*.LC12' defined in 'testapi.c' (0x47b180) of size 4
  '*.LC12' is ascii string 'foo'
0x00000047b184 is located 60 bytes to the left of global variable '*.LC13' defined in 'testapi.c' (0x47b1c0) of size 7
  '*.LC13' is ascii string '<foo/>'
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 __asan_memmove
==20225==ABORTING
Makefile:1776: recipe for target 'runtests' failed
make: *** [runtests] Error 1

I have narrowed it down to an issue in test_xmlCreatePushParserCtxt().
Comment 1 Nick Wellnhofer 2016-11-23 12:47:19 UTC
*** Bug 774590 has been marked as a duplicate of this bug. ***
Comment 2 David Kilzer 2017-03-16 16:31:00 UTC
I fixed this once in Bug 758572, but I didn't realize testapi.c was generated, so when it was regenerated for commit 8effcb578e0590cc01bbcab0f9dccefc6bdbcdbd, this issue reappeared:

https://git.gnome.org/browse/libxml2/commit/?id=8effcb578e0590cc01bbcab0f9dccefc6bdbcdbd

I guess the best way to fix this is to teach gentest.py when it needs to use the strlen() of the output of gen_const_char_ptr() for an API test rather than using gen_int().
Comment 3 David Kilzer 2017-03-16 16:32:42 UTC
The original fix was here (in case anyone wants to apply it locally until this bug is fixed):

https://git.gnome.org/browse/libxml2/commit/?id=e6b97476a0bcc023f6fc05bddcbc140001f9832f
Comment 4 David Kilzer 2017-03-17 20:44:03 UTC
I have a fix for this that updates gentest.py, but I'm waiting for approval to upload it.
Comment 5 David Kilzer 2017-05-27 16:43:36 UTC
Created attachment 352694
Patch v1

This fixes all of the spurious ASan issues in testapi.c by fixing the generator, then running it to update testapi.c.
Comment 6 David Kilzer 2017-06-01 15:17:20 UTC
Nick just fixed this a different way by skipping an API call if the size parameter (various names) was larger than the buffer passed in:

https://git.gnome.org/browse/libxml2/commit/?id=ff34ba3e88cdd2e83e1c95e0356bbf4bef47ae2e
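The pattern behind this report, as an added C example that is not libxml2's own testapi.c or gentest.py: a generator hands out int sizes with no relation to the string they are paired with (Comment 2), and a guard of the kind Nick's commit adds refuses such pairs (Comment 6). gen_const_char_ptr, gen_int, oob_bytes, size_fits_buffer, size_from_buffer and run_guarded_matrix are constructed stand-ins, as are the value tables.

```c
/* Added example, not libxml2 code: models the generated-test defect in this
 * bug and the two fixes discussed. All names below are constructed stand-ins. */
#include <stddef.h>
#include <string.h>

/* Constructed value tables in the style of testapi.c's generators. The key
 * property: gen_int() knows nothing about the buffer it is paired with, so
 * 122 can be handed in as the "size" of the 4-byte global "foo". */
static const char *const kStrings[] = { "foo", "<foo/>", "<!DOCTYPE html>" };
static const int kInts[] = { 0, 1, 122, -1 };
enum { NSTRINGS = 3, NINTS = 4 };

static const char *gen_const_char_ptr(int no) {
    return (no >= 0 && no < NSTRINGS) ? kStrings[no] : NULL;
}
static int gen_int(int no) {
    return (no >= 0 && no < NINTS) ? kInts[no] : 0;
}

/* Bytes a memmove(dst, buffer, size), as done inside xmlBufAdd, would read
 * past the end of the NUL-terminated object `buffer` (0 when in bounds).
 * For ("foo", 122): object of size 4, READ of size 122, so 118 bytes OOB. */
static size_t oob_bytes(const char *buffer, int size) {
    if (buffer == NULL || size < 0) return 0;
    size_t object = strlen(buffer) + 1;          /* string plus its NUL */
    return (size_t)size > object ? (size_t)size - object : 0;
}

/* Guard in the spirit of Nick's fix: skip the API call when the size
 * parameter claims more bytes than the buffer actually holds. */
static int size_fits_buffer(const char *buffer, int size) {
    return buffer != NULL && size >= 0 && (size_t)size <= strlen(buffer);
}

/* Alternative in the spirit of David's gentest.py change: derive the size
 * from the string itself instead of from an unrelated gen_int() value. */
static int size_from_buffer(const char *buffer) {
    return buffer == NULL ? 0 : (int)strlen(buffer);
}

/* Walks the (buffer, size) matrix a generator would emit and returns how
 * many calls the guard refuses; every accepted pair has oob_bytes() == 0. */
static int run_guarded_matrix(void) {
    int skipped = 0;
    for (int i = 0; i < NSTRINGS; i++)
        for (int j = 0; j < NINTS; j++) {
            const char *buf = gen_const_char_ptr(i);
            int size = gen_int(j);
            if (!size_fits_buffer(buf, size)) { skipped++; continue; }
            /* a real harness would call e.g. htmlCreateMemoryParserCtxt here */
        }
    return skipped;
}
```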