Skip to content
GitLab

heap-use-after-free in xinclude.c:2433

Hi, I found a vulnerability in current master bf227135. There is a heap-use-after-free in xinclude.c:2433 in xmlXIncludeDoProcess.

build

CFLAGS="-ggdb -fsanitize=address" ./configure

POC

poc3

reproduce :

xmllint --recover --dropdtd --nofixup-base-uris ./poc3

Asan report

=================================================================
==30572==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000000048 at pc 0x7ffff69930b3 bp 0x7fffffffbb60 sp 0x7fffffffbb50
READ of size 4 at 0x60d000000048 thread T0
    #0 0x7ffff69930b2 in xmlXIncludeDoProcess /home/yuan/libxml2/xinclude.c:2433
    #1 0x7ffff699369c in xmlXIncludeProcessTreeFlagsData__internal_alias /home/yuan/libxml2/xinclude.c:2525
    #2 0x7ffff699374f in xmlXIncludeProcessFlagsData__internal_alias /home/yuan/libxml2/xinclude.c:2554
    #3 0x7ffff6993776 in xmlXIncludeProcessFlags__internal_alias /home/yuan/libxml2/xinclude.c:2569
    #4 0x55555556a8ee in parseAndPrintFile /home/yuan/libxml2/xmllint.c:2438
    #5 0x555555572aae in main /home/yuan/libxml2/xmllint.c:3753
    #6 0x7ffff638abf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #7 0x5555555628f9 in _start (/home/yuan/libxml2/.libs/xmllint+0xe8f9)

0x60d000000048 is located 8 bytes inside of 136-byte region [0x60d000000040,0x60d0000000c8)
freed by thread T0 here:
    #0 0x7ffff6ef67a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x7ffff67e824d in xmlFreeEntity /home/yuan/libxml2/entities.c:145
    #2 0x7ffff67ec971 in xmlFreeEntityWrapper /home/yuan/libxml2/entities.c:942
    #3 0x7ffff68a874c in xmlHashFree__internal_alias /home/yuan/libxml2/hash.c:346
    #4 0x7ffff67ec993 in xmlFreeEntitiesTable__internal_alias /home/yuan/libxml2/entities.c:953
    #5 0x7ffff687fe03 in xmlFreeDtd__internal_alias /home/yuan/libxml2/tree.c:1146
    #6 0x55555556a8b4 in parseAndPrintFile /home/yuan/libxml2/xmllint.c:2429
    #7 0x555555572aae in main /home/yuan/libxml2/xmllint.c:3753
    #8 0x7ffff638abf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)

previously allocated by thread T0 here:
    #0 0x7ffff6ef6b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x7ffff67e82a6 in xmlCreateEntity /home/yuan/libxml2/entities.c:159
    #2 0x7ffff67e90ad in xmlAddEntity /home/yuan/libxml2/entities.c:279
    #3 0x7ffff67e9691 in xmlAddDocEntity__internal_alias /home/yuan/libxml2/entities.c:410
    #4 0x7ffff6ae8059 in xmlSAX2EntityDecl__internal_alias /home/yuan/libxml2/SAX2.c:647
    #5 0x7ffff682fab1 in xmlParseEntityDecl__internal_alias /home/yuan/libxml2/parser.c:5465
    #6 0x7ffff683e6e5 in xmlParseMarkupDecl__internal_alias /home/yuan/libxml2/parser.c:6826
    #7 0x7ffff6848632 in xmlParseInternalSubset /home/yuan/libxml2/parser.c:8318
    #8 0x7ffff685ef3c in xmlParseDocument__internal_alias /home/yuan/libxml2/parser.c:10736
    #9 0x7ffff687a245 in xmlDoRead /home/yuan/libxml2/parser.c:15122
    #10 0x7ffff687a451 in xmlReadFile__internal_alias /home/yuan/libxml2/parser.c:15184
    #11 0x55555556a821 in parseAndPrintFile /home/yuan/libxml2/xmllint.c:2403
    #12 0x555555572aae in main /home/yuan/libxml2/xmllint.c:3753
    #13 0x7ffff638abf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)

SUMMARY: AddressSanitizer: heap-use-after-free /home/yuan/libxml2/xinclude.c:2433 in xmlXIncludeDoProcess
Shadow bytes around the buggy address:
  0x0c1a7fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1a7fff8000: fa fa fa fa fa fa fa fa fd[fd]fd fd fd fd fd fd
  0x0c1a7fff8010: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c1a7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==30572==ABORTING