Bug 769658 - Stack overflow in xmlParseConditionalSections in recover mode (With PoC)
Status: RESOLVED FIXED
Product: libxml2
Classification: Platform
Component: general
Version: git master
Hardware/OS: Other / All
Importance: Normal minor
Target Milestone: ---
Assigned To: Daniel Veillard
QA Contact: libxml QA maintainers
Depends on:
Blocks:

Reported: 2016-08-09 02:48 UTC by f7bm4
Modified: 2019-11-02 20:24 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
Proof of concept (106 bytes, text/xml), 2016-08-09 02:48 UTC, f7bm4

Description f7bm4 2016-08-09 02:48:37 UTC
Created attachment 332981
Proof of concept

Bug found with afl-fuzz on git master. Proof of concept attached. Looks like a recursive call to xmlParseConditionalSections from parser.c gets stuck and causes an overflow. Unsure of exploitability of this condition.

POC:
xmllint --recover crash.xml

Valgrind:
==24792== Memcheck, a memory error detector
==24792== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==24792== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==24792== Command: xmllint --recover crash.xml
==24792== 
crash.xml:1: parser error : xmlParseDocTypeDecl : no DOCTYPE name !
<?m?><!DOCTYPE[<!ELEMENT<!ENTITY%xx'<![INCLUDE[&#37;zz;'><!ENTITY%zz'<![INCLUDE[
              ^
crash.xml:1: parser error : Space required after 'ELEMENT'
<?m?><!DOCTYPE[<!ELEMENT<!ENTITY%xx'<![INCLUDE[&#37;zz;'><!ENTITY%zz'<![INCLUDE[
                        ^
crash.xml:1: parser error : Space required after '<!ENTITY'
<?m?><!DOCTYPE[<!ELEMENT<!ENTITY%xx'<![INCLUDE[&#37;zz;'><!ENTITY%zz'<![INCLUDE[
                                ^
crash.xml:1: parser error : Space required after '%'
<?m?><!DOCTYPE[<!ELEMENT<!ENTITY%xx'<![INCLUDE[&#37;zz;'><!ENTITY%zz'<![INCLUDE[
                                 ^
crash.xml:1: parser error : Space required after the entity name
<?m?><!DOCTYPE[<!ELEMENT<!ENTITY%xx'<![INCLUDE[&#37;zz;'><!ENTITY%zz'<![INCLUDE[
                                   ^
crash.xml:1: parser error : Space required after '<!ENTITY'
<?m?><!DOCTYPE[<!ELEMENT<!ENTITY%xx'<![INCLUDE[&#37;zz;'><!ENTITY%zz'<![INCLUDE[
                                                                 ^
crash.xml:1: parser error : Space required after '%'
<?m?><!DOCTYPE[<!ELEMENT<!ENTITY%xx'<![INCLUDE[&#37;zz;'><!ENTITY%zz'<![INCLUDE[
                                                                  ^
crash.xml:1: parser error : Space required after the entity name
<?m?><!DOCTYPE[<!ELEMENT<!ENTITY%xx'<![INCLUDE[&#37;zz;'><!ENTITY%zz'<![INCLUDE[
                                                                    ^
crash.xml:1: parser error : Space required after '<!ENTITY'
LEMENT<!ENTITY%xx'<![INCLUDE[&#37;zz;'><!ENTITY%zz'<![INCLUDE[&#37;zz;'><!ENTITY
                                                                               ^
crash.xml:1: parser error : Space required after the entity name
EMENT<!ENTITY%xx'<![INCLUDE[&#37;zz;'><!ENTITY%zz'<![INCLUDE[&#37;zz;'><!ENTITYz
                                                                               ^
==24792== Stack overflow in thread #1: can't grow stack to 0xffe801000
==24792== 
==24792== Process terminating with default action of signal 11 (SIGSEGV)
==24792==  Access not within mapped region at address 0xFFE801FE0
==24792== Stack overflow in thread #1: can't grow stack to 0xffe801000
==24792==    at 0x4E7BC90: xmlParseName (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3)
==24792==  If you believe this happened as a result of a stack
==24792==  overflow in your program's main thread (unlikely but
==24792==  possible), you can try to increase the size of the
==24792==  main thread stack using the --main-stacksize= flag.
==24792==  The main thread stack size used in this run was 8388608.
==24792== Stack overflow in thread #1: can't grow stack to 0xffe801000
==24792== 
==24792== Process terminating with default action of signal 11 (SIGSEGV)
==24792==  Access not within mapped region at address 0xFFE801FD8
==24792== Stack overflow in thread #1: can't grow stack to 0xffe801000
==24792==    at 0x4A28680: _vgnU_freeres (in /usr/lib/valgrind/vgpreload_core-amd64-linux.so)
==24792==  If you believe this happened as a result of a stack
==24792==  overflow in your program's main thread (unlikely but
==24792==  possible), you can try to increase the size of the
==24792==  main thread stack using the --main-stacksize= flag.
==24792==  The main thread stack size used in this run was 8388608.
==24792== 
==24792== HEAP SUMMARY:
==24792==     in use at exit: 147,482 bytes in 72 blocks
==24792==   total heap usage: 174,594 allocs, 174,522 frees, 18,297,027 bytes allocated
==24792== 
==24792== LEAK SUMMARY:
==24792==    definitely lost: 0 bytes in 0 blocks
==24792==    indirectly lost: 0 bytes in 0 blocks
==24792==      possibly lost: 0 bytes in 0 blocks
==24792==    still reachable: 147,482 bytes in 72 blocks
==24792==         suppressed: 0 bytes in 0 blocks
==24792== Rerun with --leak-check=full to see details of leaked memory
==24792== 
==24792== For counts of detected and suppressed errors, rerun with: -v
==24792== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Segmentation fault
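The recursion the report describes, as an added example that is neither libxml2's code nor the reporter's PoC: a toy C parser for nested <![INCLUDE[ ... ]]> conditional sections with in-place parameter-entity expansion. The entity layout is reconstructed from the error trace above (%zz's value opens a new section and references %zz again); the struct ctx, parse_cond, parse_body, parse_doc and run_poc names, the max_depth bound and the "expanding" flag are this example's own devices, not a description of libxml2's internals or of the fix linked in the comment below. It shows the two things a practitioner wants to see here: loop detection alone does not stop the recursion once recover mode keeps parsing after the error, and a hard depth bound does.

```c
#include <string.h>

/* Added example, not libxml2 code: a toy model of parameter-entity (PE)
 * expansion inside <![INCLUDE[ ... ]]> conditional sections, showing why a
 * recursive section parser needs a hard depth bound and why PE loop detection
 * alone does not help once the parser keeps going in recover mode. */

enum { OK = 0, ERR_DEPTH = 1, ERR_LOOP = 2, ERR_SYNTAX = 3 };

struct pe { const char *name; const char *text; int expanding; };

struct ctx {
    struct pe ents[8]; int nents;
    int recover;     /* 1: record errors and keep parsing, like xmllint --recover */
    int max_depth;   /* hard bound on nested sections: the guard demonstrated here */
    int depth_seen;  /* deepest section nesting reached */
    int loops;       /* PE self-references detected (fatal unless recover) */
    int err;         /* first fatal error, OK if none */
};

static struct pe *lookup(struct ctx *c, const char *name, size_t n)
{
    for (int i = 0; i < c->nents; i++)
        if (strlen(c->ents[i].name) == n && memcmp(c->ents[i].name, name, n) == 0)
            return &c->ents[i];
    return NULL;
}

static int parse_body(struct ctx *c, const char **pp, int depth);

/* Entered just after "<![INCLUDE[". Every nested section adds a stack frame;
 * without the max_depth check a self-referencing PE recurses until the stack
 * is exhausted, which is the SIGSEGV in the report. */
static int parse_cond(struct ctx *c, const char **pp, int depth)
{
    if (depth > c->depth_seen) c->depth_seen = depth;
    if (depth > c->max_depth) { c->err = ERR_DEPTH; return -1; }
    if (parse_body(c, pp, depth) < 0) return -1;
    if (strncmp(*pp, "]]>", 3) == 0) { *pp += 3; return 0; }
    if (!c->recover) { c->err = ERR_SYNTAX; return -1; }  /* unterminated section */
    return 0;                                            /* recover: tolerate it */
}

/* Parse until "]]>" or end of the current text: "<![INCLUDE[" opens a nested
 * section, "%name;" splices in a PE's replacement text, other bytes are skipped. */
static int parse_body(struct ctx *c, const char **pp, int depth)
{
    const char *p = *pp;
    while (*p && strncmp(p, "]]>", 3) != 0) {
        if (strncmp(p, "<![INCLUDE[", 11) == 0) {
            p += 11;
            if (parse_cond(c, &p, depth + 1) < 0) { *pp = p; return -1; }
        } else if (*p == '%') {
            const char *semi = strchr(p + 1, ';');
            if (semi == NULL) { c->err = ERR_SYNTAX; *pp = p; return -1; }
            struct pe *e = lookup(c, p + 1, (size_t)(semi - p - 1));
            p = semi + 1;
            if (e == NULL) continue;                  /* undefined PE: skipped */
            if (e->expanding) {
                c->loops++;                           /* PE references itself */
                if (!c->recover) { c->err = ERR_LOOP; *pp = p; return -1; }
            }
            e->expanding = 1;
            const char *q = e->text;
            int r = parse_body(c, &q, depth);         /* expand in place */
            e->expanding = 0;
            if (r < 0) { *pp = p; return -1; }
        } else p++;
    }
    *pp = p;
    return 0;
}

static void define_pe(struct ctx *c, const char *name, const char *text)
{
    if (c->nents < 8) c->ents[c->nents++] = (struct pe){ name, text, 0 };
}

/* Parse one internal-subset-like string with the context's PEs and settings. */
static int parse_doc(struct ctx *c, const char *doc)
{
    const char *p = doc;
    c->err = OK; c->depth_seen = 0; c->loops = 0;
    for (int i = 0; i < c->nents; i++) c->ents[i].expanding = 0;
    parse_body(c, &p, 0);
    return c->err;
}

/* The PoC's shape as reconstructed from the trace above: %zz's replacement
 * text opens a section that references %zz again ("&#37;" is a literal '%'). */
static int run_poc(int recover, int max_depth, struct ctx *out)
{
    struct ctx c = {0};
    c.recover = recover; c.max_depth = max_depth;
    define_pe(&c, "xx", "<![INCLUDE[%zz;");
    define_pe(&c, "zz", "<![INCLUDE[%zz;");
    int err = parse_doc(&c, "%xx;");
    if (out) *out = c;
    return err;
}
```

With recover set to 0, run_poc stops at the first self-reference (ERR_LOOP at nesting depth 2). With recover set to 1 the loop is detected at every level and reported, yet parsing continues, exactly the "report the error and carry on" pattern visible in the trace; what finally stops it is the depth bound, after 63 detected loops and 65 nested sections. Remove the max_depth check, or set max_depth to a value larger than the stack can hold, and the recover run has no termination condition at all.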
Comment 1 Nick Wellnhofer 2019-11-02 20:24:26 UTC
Should be fixed here: https://gitlab.gnome.org/GNOME/libxml2/commit/c51e38cb3a808e315248e03c9e52bce08943c22b