libxml2 issue #230 (Closed)
Issue created Apr 21, 2021 by zodf0055980@zodf0055980

heap-use-after-free in entities.c:621

Hi, I found a vulnerability in current master fb08d9fe. There is a heap-use-after-free in entities.c:621 in xmlEncodeEntitiesInternal.

build

CFLAGS="-ggdb -fsanitize=address" ./configure

POC

poc1

reproduce:

xmllint --nocompact  --html --push ./poc1

Asan report

➜  Yuan /home/yuan/libxml2/xmllint --nocompact  --html --push ./poc1
./poc1:1: HTML parser error : htmlParseTryOrFinish: invalid element name
<<a
^
./poc1:4: HTML parser error : Couldn't find end of Start Tag a

^
=================================================================
==19156==ERROR: AddressSanitizer: heap-use-after-free on address 0x6190000000a8 at pc 0x7ffff67ebba8 bp 0x7fffffffbb20 sp 0x7fffffffbb10
READ of size 1 at 0x6190000000a8 thread T0
    #0 0x7ffff67ebba7 in xmlEncodeEntitiesInternal /home/yuan/libxml2/entities.c:621
    #1 0x7ffff67ebd1b in xmlEncodeEntitiesReentrant__internal_alias /home/yuan/libxml2/entities.c:815
    #2 0x7ffff69178a3 in htmlNodeDumpFormatOutput__internal_alias /home/yuan/libxml2/HTMLtree.c:850
    #3 0x7ffff6918308 in htmlDocContentDumpOutput__internal_alias /home/yuan/libxml2/HTMLtree.c:995
    #4 0x7ffff6918406 in htmlDocDump__internal_alias /home/yuan/libxml2/HTMLtree.c:1049
    #5 0x55555556aeef in parseAndPrintFile /home/yuan/libxml2/xmllint.c:2555
    #6 0x555555572a4e in main /home/yuan/libxml2/xmllint.c:3753
    #7 0x7ffff638abf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #8 0x555555562899 in _start (/home/yuan/libxml2/.libs/xmllint+0xe899)

0x6190000000a8 is located 40 bytes inside of 1048-byte region [0x619000000080,0x619000000498)
freed by thread T0 here:
    #0 0x7ffff6ef67a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x7ffff6ae2ed0 in xmlDictFree__internal_alias /home/yuan/libxml2/dict.c:848
    #2 0x7ffff68090b8 in xmlFreeParserCtxt__internal_alias /home/yuan/libxml2/parserInternals.c:1802
    #3 0x7ffff690a548 in htmlFreeParserCtxt__internal_alias /home/yuan/libxml2/HTMLparser.c:5130
    #4 0x555555569ad0 in parseAndPrintFile /home/yuan/libxml2/xmllint.c:2222
    #5 0x555555572a4e in main /home/yuan/libxml2/xmllint.c:3753
    #6 0x7ffff638abf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)

previously allocated by thread T0 here:
    #0 0x7ffff6ef6b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x7ffff6ae0515 in xmlDictAddString /home/yuan/libxml2/dict.c:271
    #2 0x7ffff6ae394d in xmlDictLookup__internal_alias /home/yuan/libxml2/dict.c:962
    #3 0x7ffff6af019a in xmlSAX2TextNode /home/yuan/libxml2/SAX2.c:1862
    #4 0x7ffff6af4635 in xmlSAX2Text /home/yuan/libxml2/SAX2.c:2540
    #5 0x7ffff6af52ee in xmlSAX2Characters__internal_alias /home/yuan/libxml2/SAX2.c:2641
    #6 0x7ffff690f93a in htmlParseTryOrFinish /home/yuan/libxml2/HTMLparser.c:6017
    #7 0x7ffff6910e9e in htmlParseChunk__internal_alias /home/yuan/libxml2/HTMLparser.c:6270
    #8 0x555555569a34 in parseAndPrintFile /home/yuan/libxml2/xmllint.c:2218
    #9 0x555555572a4e in main /home/yuan/libxml2/xmllint.c:3753
    #10 0x7ffff638abf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)

SUMMARY: AddressSanitizer: heap-use-after-free /home/yuan/libxml2/entities.c:621 in xmlEncodeEntitiesInternal
Shadow bytes around the buggy address:
  0x0c327fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c327fff8010: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==19156==ABORTING
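The stack traces above show the shape of this bug class: the text node's content was interned in the parser context's dictionary (xmlDictLookup from xmlSAX2TextNode), the dictionary was released when the parser context was freed (xmlDictFree from xmlFreeParserCtxt), and the serializer then read the node's text after the memory was gone. The following C program is an added illustration, not libxml2 code and not from the reporter: a constructed, self-contained model of that ownership relationship with hypothetical names (Dict, Doc, ParserCtxt, parse, free_ctxt), showing why a document must hold its own reference on the dictionary its nodes borrow strings from, so that the serializer never runs against freed memory. The unsafe path is modelled without actually touching freed memory; it only reports that the backing storage was gone at dump time.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy model (not libxml2's API): a string-interning
 * dictionary owned by a parser context, tree nodes whose text points
 * into that dictionary, and a document that must keep the dictionary
 * alive for as long as its nodes do. */

#define DICT_CAP 8

typedef struct {
    int   refs;               /* number of owners (ctxt, doc, ...) */
    char *strings[DICT_CAP];  /* interned, heap-allocated strings  */
    int   count;
} Dict;

typedef struct { const char *text; } Node;     /* text borrowed from dict */
typedef struct { Dict *dict; Node node; } Doc;
typedef struct { Dict *dict; } ParserCtxt;

static int g_dicts_freed;   /* instrumentation: how many dicts were freed */

static Dict *dict_new(void) {
    Dict *d = calloc(1, sizeof *d);
    d->refs = 1;
    return d;
}

/* Intern a string; the pointer is valid only while the dict is alive. */
static const char *dict_lookup(Dict *d, const char *s) {
    for (int i = 0; i < d->count; i++)
        if (strcmp(d->strings[i], s) == 0) return d->strings[i];
    if (d->count == DICT_CAP) return NULL;
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    memcpy(copy, s, n);
    d->strings[d->count] = copy;
    return d->strings[d->count++];
}

static void dict_ref(Dict *d) { d->refs++; }

/* Drop one owner; the backing memory goes away only with the last one. */
static void dict_unref(Dict *d) {
    if (--d->refs > 0) return;
    for (int i = 0; i < d->count; i++) free(d->strings[i]);
    free(d);
    g_dicts_freed++;
}

/* The "parser" creates a text node whose content is interned in ctxt->dict.
 * own_ref = 0: the document merely borrows the dictionary (broken pattern:
 * freeing the context frees the text behind the node).
 * own_ref = 1: the document takes its own reference (safe pattern). */
static Doc *parse(ParserCtxt *ctxt, const char *text, int own_ref) {
    Doc *doc = calloc(1, sizeof *doc);
    doc->node.text = dict_lookup(ctxt->dict, text);
    doc->dict = ctxt->dict;
    if (own_ref) dict_ref(doc->dict);
    return doc;
}

static void free_ctxt(ParserCtxt *ctxt) { dict_unref(ctxt->dict); free(ctxt); }
static void free_doc(Doc *doc)          { dict_unref(doc->dict);  free(doc);  }

/* Mirrors the order of operations in the report: parse, free the parser
 * context, then serialize the document. Returns 1 if the node's text is
 * still backed by a live dictionary at dump time, 0 if it would dangle. */
static int parse_free_ctxt_then_dump(int own_ref) {
    ParserCtxt *ctxt = calloc(1, sizeof *ctxt);
    ctxt->dict = dict_new();
    Doc *doc = parse(ctxt, "hello", own_ref);
    int freed_before = g_dicts_freed;
    free_ctxt(ctxt);
    int alive = (g_dicts_freed == freed_before);  /* did the dict survive? */
    if (alive) {
        printf("dump: %s\n", doc->node.text);     /* safe: memory still owned */
        free_doc(doc);                            /* last owner: dict freed here */
    } else {
        /* doc->node.text now dangles; reading it is the UAF ASan reported. */
        free(doc);
    }
    return alive;
}

int main(void) {
    printf("doc holds its own reference: %s\n",
           parse_free_ctxt_then_dump(1) ? "text alive at dump" : "dangling");
    printf("doc only borrows the dict:   %s\n",
           parse_free_ctxt_then_dump(0) ? "text alive at dump" : "dangling");
    return 0;
}
```

The point of the model is the ownership rule, not the data structure: any object that keeps pointers into an interning table must count as an owner of that table, and the code that tears down the parser context must not be the only thing deciding when the table dies.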