GNOME / libxml2 / Issues / #178 (Closed)
Issue created Aug 04, 2020 by Suhwan@SuhwanSong

xmllint: global-buffer-overflow in xmlEncodeEntitiesInternal

Hi, we found a global-buffer-overflow in xmlEncodeEntitiesInternal at libxml2/entities.c:583

version: commit 8e7c20a1 (20910-GITv2.9.10-103-g8e7c20a1)

How to reproduce:

  1. build libxml2 with ASAN.
  2. run the following command: xmllint --htmlout $PoC

poc

Here's the ASAN log.

==19600==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5608cd40a230 at pc 0x7f6705c1cdb4 bp 0x7ffced505890 sp 0x7ffced505880
READ of size 1 at 0x5608cd40a230 thread T0
    #0 0x7f6705c1cdb3 in xmlEncodeEntitiesInternal /mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/xxx/libxml2/entities.c:583
    #1 0x5608cd1ea3f5 in xmlHTMLEncodeSend /mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/xxx/libxml2/xmllint.c:531
    #2 0x5608cd1ea3f5 in xmlHTMLError /mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/xxx/libxml2/xmllint.c:642
    #3 0x7f6705c7fac9 in __xmlRaiseError /mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/xxx/libxml2/error.c:638
    #4 0x7f6705da51ec in xmlFatalErrMsgStrIntStr /mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/xxx/libxml2/parser.c:720
    #5 0x7f6705da51ec in xmlParseElementStart /mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/xxx/libxml2/parser.c:10027
    #6 0x7f6705dfea47 in xmlParseContent__internal_alias /mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/xxx/libxml2/parser.c:9865
    #7 0x7f6705e16d8f in xmlParseElement__internal_alias /mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/xxx/libxml2/parser.c:9915
    #8 0x7f6705e16d8f in xmlParseDocument__internal_alias /mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/xxx/libxml2/parser.c:10751
    #9 0x7f6705e6a5ab in xmlDoRead /mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/xxx/libxml2/parser.c:15101
    #10 0x7f6705e6a5ab in xmlCtxtReadFile__internal_alias /mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/xxx/libxml2/parser.c:15346
    #11 0x5608cd1daee8 in parseAndPrintFile /mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/xxx/libxml2/xmllint.c:2332
    #12 0x5608cd1c0741 in main /mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/xxx/libxml2/xmllint.c:3732
    #13 0x7f67057adb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #14 0x5608cd1ca1b9 in _start (/mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/xxx/libxml2/.libs/xmllint+0x1f1b9)

0x5608cd40a230 is located 48 bytes to the left of global variable 'end' defined in 'xmllint.c:420:30' (0x5608cd40a260) of size 16
0x5608cd40a230 is located 0 bytes to the right of global variable 'buffer' defined in 'xmllint.c:525:13' (0x5608cd3fdee0) of size 50000
SUMMARY: AddressSanitizer: global-buffer-overflow /mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/xxx/libxml2/entities.c:583 in xmlEncodeEntitiesInternal
==19600==ABORTING

This was found by the Agency for Defense Development (ADD).
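The log above shows a one-byte read exactly at the end of xmllint's 50000-byte `buffer`. As an added illustration (not libxml2's entities.c or xmllint.c code), the block below shows one way such a read arises when a message buffer is cut mid UTF-8 sequence: an encoder that advances by the length implied by the lead byte, without checking each continuation byte, steps past the NUL terminator, while the checked variant verifies each byte before moving. The message string and all function names here are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed input: an error message cut off mid UTF-8 sequence
 * (U+20AC is E2 82 AC; the final AC byte is missing).  NUL is at index 12. */
static const char truncated_msg[] = "bad <tag> \xE2\x82";

/* Sequence length implied by the lead byte alone (1 for ASCII/stray bytes). */
static size_t lead_len(unsigned char lead) {
    if (lead < 0xC0) return 1;
    if (lead < 0xE0) return 2;
    if (lead < 0xF0) return 3;
    return lead < 0xF8 ? 4 : 1;
}

/* Unchecked loop: trusts the lead byte, so a truncated tail moves the cursor past the NUL. */
size_t naive_next_index(const char *s, size_t i) {
    return i + lead_len((unsigned char)s[i]);
}

/* Checked: verify each continuation byte before moving; 0 = truncated/malformed. */
size_t checked_seq_len(const char *s, size_t i) {
    size_t len = lead_len((unsigned char)s[i]);
    if (len == 1) return (unsigned char)s[i] < 0x80 ? 1 : 0;
    for (size_t k = 1; k < len; k++) {
        unsigned char c = (unsigned char)s[i + k];
        if (c == 0 || (c & 0xC0) != 0x80) return 0;   /* stop before reading on */
    }
    return len;
}

/* Escape '<', '>', '&', copy valid UTF-8 through, and stop at the first
 * truncated or malformed sequence instead of stepping past the NUL.
 * out is always NUL-terminated; returns the number of bytes written. */
size_t encode_entities_checked(const char *s, char *out, size_t cap) {
    size_t i = 0, o = 0;
    while (s[i] != '\0') {
        const char *rep = NULL;
        size_t len, adv = 1;
        if (s[i] == '<') rep = "&lt;";
        else if (s[i] == '>') rep = "&gt;";
        else if (s[i] == '&') rep = "&amp;";
        if (rep) len = strlen(rep);
        else { len = adv = checked_seq_len(s, i); if (len == 0) break; rep = s + i; }
        if (o + len >= cap) break;
        memcpy(out + o, rep, len);
        o += len; i += adv;
    }
    out[o] = '\0';
    return o;
}
```

On the constructed message, the unchecked cursor lands at index 13 while the terminator is at index 12; the checked encoder escapes the markup and stops at the truncated sequence.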
