GNOME / libxml2 / Issues / #235
Closed
Issue created Apr 22, 2021 by zodf0055980@zodf0055980

heap-buffer-overflow in entities.c:621

Hi, I found a vulnerability in current master 1358d157. There is a heap-buffer-overflow read in entities.c:621 in xmlEncodeEntitiesInternal.

build

CFLAGS="-ggdb -fsanitize=address" ./configure

POC

poc2

reproduce:

xmllint --recover --postvalid  ./poc2

ASan report

=================================================================
==94070==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000236 at pc 0x7f2cd187cffb bp 0x7ffd1ad80120 sp 0x7ffd1ad80110
READ of size 1 at 0x602000000236 thread T0
    #0 0x7f2cd187cffa in xmlEncodeEntitiesInternal /home/sqlab/libxml2/entities.c:621
    #1 0x7f2cd187d150 in xmlEncodeAttributeEntities /home/sqlab/libxml2/entities.c:798
    #2 0x7f2cd1913ad0 in xmlNodeListGetString__internal_alias /home/sqlab/libxml2/tree.c:1718
    #3 0x7f2cd1978a62 in xmlValidateElement__internal_alias /home/sqlab/libxml2/valid.c:6482
    #4 0x7f2cd1978ce3 in xmlValidateElement__internal_alias /home/sqlab/libxml2/valid.c:6501
    #5 0x7f2cd197b07c in xmlValidateDocument__internal_alias /home/sqlab/libxml2/valid.c:6941
    #6 0x564b9c1f68b0 in parseAndPrintFile /home/sqlab/libxml2/xmllint.c:2814
    #7 0x564b9c1fcf56 in main /home/sqlab/libxml2/xmllint.c:3753
    #8 0x7f2cd16200b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #9 0x564b9c1ecb2d in _start (/home/sqlab/libxml2/.libs/xmllint+0xfb2d)

0x602000000236 is located 0 bytes to the right of 6-byte region [0x602000000230,0x602000000236)
allocated by thread T0 here:
    #0 0x7f2cd1db3bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x7f2cd1a5788d in xmlBufResize /home/sqlab/libxml2/buf.c:827
    #2 0x7f2cd1a57fb3 in xmlBufAdd /home/sqlab/libxml2/buf.c:902
    #3 0x7f2cd1912955 in xmlStringLenGetNodeList__internal_alias /home/sqlab/libxml2/tree.c:1465
    #4 0x7f2cd1b842e2 in xmlSAX2AttributeNs /home/sqlab/libxml2/SAX2.c:2027
    #5 0x7f2cd1b86acc in xmlSAX2StartElementNs__internal_alias /home/sqlab/libxml2/SAX2.c:2397
    #6 0x7f2cd18e378d in xmlParseStartTag2 /home/sqlab/libxml2/parser.c:9612
    #7 0x7f2cd18e7c38 in xmlParseElementStart /home/sqlab/libxml2/parser.c:9982
    #8 0x7f2cd18e70d3 in xmlParseContent__internal_alias /home/sqlab/libxml2/parser.c:9882
    #9 0x7f2cd18e7528 in xmlParseElement__internal_alias /home/sqlab/libxml2/parser.c:9932
    #10 0x7f2cd18f06f1 in xmlParseDocument__internal_alias /home/sqlab/libxml2/parser.c:10768
    #11 0x7f2cd190b48e in xmlDoRead /home/sqlab/libxml2/parser.c:15122
    #12 0x7f2cd190b6a2 in xmlReadFile__internal_alias /home/sqlab/libxml2/parser.c:15184
    #13 0x564b9c1f4cae in parseAndPrintFile /home/sqlab/libxml2/xmllint.c:2403
    #14 0x564b9c1fcf56 in main /home/sqlab/libxml2/xmllint.c:3753
    #15 0x7f2cd16200b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/sqlab/libxml2/entities.c:621 in xmlEncodeEntitiesInternal
Shadow bytes around the buggy address:
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa 06 fa fa fa 00 01 fa fa 00 01 fa fa 07 fa
  0x0c047fff8010: fa fa 00 03 fa fa 06 fa fa fa 00 01 fa fa 05 fa
  0x0c047fff8020: fa fa fd fd fa fa fd fd fa fa fd fa fa fa 04 fa
  0x0c047fff8030: fa fa 00 03 fa fa fd fa fa fa fd fa fa fa fd fd
=>0x0c047fff8040: fa fa 04 fa fa fa[06]fa fa fa fd fd fa fa fd fa
  0x0c047fff8050: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c047fff8060: fa fa 07 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==94070==ABORTING
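An added triage helper, not part of this report or of libxml2: it parses an ASan report of the shape shown above into a build-path independent crash signature of the kind used to bucket fuzzer findings (bug class, access kind and size, distance from the allocated region, first source-level frame of the crash stack and of the allocation stack). The regexes assume the standard ASan text format; the sample input is the head of the report in this issue, cut to the lines the parser needs.

```python
import os
import re

# Sample input, taken from the report in this issue and cut to the lines the parser needs.
SAMPLE_REPORT = """\
==94070==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000236 at pc 0x7f2cd187cffb bp 0x7ffd1ad80120 sp 0x7ffd1ad80110
READ of size 1 at 0x602000000236 thread T0
    #0 0x7f2cd187cffa in xmlEncodeEntitiesInternal /home/sqlab/libxml2/entities.c:621
    #1 0x7f2cd187d150 in xmlEncodeAttributeEntities /home/sqlab/libxml2/entities.c:798
0x602000000236 is located 0 bytes to the right of 6-byte region [0x602000000230,0x602000000236)
allocated by thread T0 here:
    #0 0x7f2cd1db3bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x7f2cd1a5788d in xmlBufResize /home/sqlab/libxml2/buf.c:827
"""

# Line patterns as emitted by ASan; frames without "file:line" (malloc, libc) carry no source info.
HEADER_RE = re.compile(r"AddressSanitizer: ([\w-]+) on address 0x[0-9a-f]+")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+")
REGION_RE = re.compile(r"is located (\d+) bytes (to the right of|to the left of|inside of) (\d+)-byte region")
ALLOC_RE = re.compile(r"^(allocated|freed) by thread")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+?)(?::(\d+))?$")

def parse_asan(report: str) -> dict:
    """Bug class, access kind/size, distance from the region, first source-level crash and alloc frames."""
    info = {"bug": None, "access": None, "size": None, "offset": None,
            "where": None, "region": None, "crash": None, "alloc": None}
    stack = "crash"  # frames seen before "allocated by" belong to the crash stack
    for line in report.splitlines():
        if m := HEADER_RE.search(line):
            info["bug"] = m.group(1)
        elif m := ACCESS_RE.match(line):
            info["access"], info["size"] = m.group(1), int(m.group(2))
        elif m := REGION_RE.search(line):
            info["offset"], info["where"], info["region"] = int(m.group(1)), m.group(2), int(m.group(3))
        elif ALLOC_RE.match(line):
            stack = "alloc"
        elif (m := FRAME_RE.match(line)) and m.group(3) and info[stack] is None:
            # Basename only, so the key does not depend on where the tree was built.
            info[stack] = (m.group(1), os.path.basename(m.group(2)), int(m.group(3)))
    return info

def signature(info: dict) -> str:
    """Dedup key for bucketing sanitizer crashes that share a root cause."""
    func, fname, lineno = info["crash"]
    sig = f"{info['bug']}/{info['access']}{info['size']}/{fname}:{lineno}/{func}"
    if info["alloc"]:
        sig += "/alloc={}:{}".format(*info["alloc"][1:])
    return sig
```

For this report the key is `heap-buffer-overflow/READ1/entities.c:621/xmlEncodeEntitiesInternal/alloc=buf.c:827`, and `offset == 0` with `region == 6` records that the read lands exactly one byte past a 6-byte allocation, which is the detail to check first when confirming a fix against the original poc2.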