heap-use-after-free in xinclude.c:2433
Hi, I found a vulnerability in the current master (commit bf227135). There is a heap-use-after-free in xinclude.c:2433 in xmlXIncludeDoProcess.
Build:
CFLAGS="-ggdb -fsanitize=address" ./configure
PoC
Reproduce:
xmllint --recover --dropdtd --nofixup-base-uris ./poc3
ASan report:
=================================================================
==30572==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000000048 at pc 0x7ffff69930b3 bp 0x7fffffffbb60 sp 0x7fffffffbb50
READ of size 4 at 0x60d000000048 thread T0
#0 0x7ffff69930b2 in xmlXIncludeDoProcess /home/yuan/libxml2/xinclude.c:2433
#1 0x7ffff699369c in xmlXIncludeProcessTreeFlagsData__internal_alias /home/yuan/libxml2/xinclude.c:2525
#2 0x7ffff699374f in xmlXIncludeProcessFlagsData__internal_alias /home/yuan/libxml2/xinclude.c:2554
#3 0x7ffff6993776 in xmlXIncludeProcessFlags__internal_alias /home/yuan/libxml2/xinclude.c:2569
#4 0x55555556a8ee in parseAndPrintFile /home/yuan/libxml2/xmllint.c:2438
#5 0x555555572aae in main /home/yuan/libxml2/xmllint.c:3753
#6 0x7ffff638abf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#7 0x5555555628f9 in _start (/home/yuan/libxml2/.libs/xmllint+0xe8f9)
0x60d000000048 is located 8 bytes inside of 136-byte region [0x60d000000040,0x60d0000000c8)
freed by thread T0 here:
#0 0x7ffff6ef67a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8)
#1 0x7ffff67e824d in xmlFreeEntity /home/yuan/libxml2/entities.c:145
#2 0x7ffff67ec971 in xmlFreeEntityWrapper /home/yuan/libxml2/entities.c:942
#3 0x7ffff68a874c in xmlHashFree__internal_alias /home/yuan/libxml2/hash.c:346
#4 0x7ffff67ec993 in xmlFreeEntitiesTable__internal_alias /home/yuan/libxml2/entities.c:953
#5 0x7ffff687fe03 in xmlFreeDtd__internal_alias /home/yuan/libxml2/tree.c:1146
#6 0x55555556a8b4 in parseAndPrintFile /home/yuan/libxml2/xmllint.c:2429
#7 0x555555572aae in main /home/yuan/libxml2/xmllint.c:3753
#8 0x7ffff638abf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
previously allocated by thread T0 here:
#0 0x7ffff6ef6b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
#1 0x7ffff67e82a6 in xmlCreateEntity /home/yuan/libxml2/entities.c:159
#2 0x7ffff67e90ad in xmlAddEntity /home/yuan/libxml2/entities.c:279
#3 0x7ffff67e9691 in xmlAddDocEntity__internal_alias /home/yuan/libxml2/entities.c:410
#4 0x7ffff6ae8059 in xmlSAX2EntityDecl__internal_alias /home/yuan/libxml2/SAX2.c:647
#5 0x7ffff682fab1 in xmlParseEntityDecl__internal_alias /home/yuan/libxml2/parser.c:5465
#6 0x7ffff683e6e5 in xmlParseMarkupDecl__internal_alias /home/yuan/libxml2/parser.c:6826
#7 0x7ffff6848632 in xmlParseInternalSubset /home/yuan/libxml2/parser.c:8318
#8 0x7ffff685ef3c in xmlParseDocument__internal_alias /home/yuan/libxml2/parser.c:10736
#9 0x7ffff687a245 in xmlDoRead /home/yuan/libxml2/parser.c:15122
#10 0x7ffff687a451 in xmlReadFile__internal_alias /home/yuan/libxml2/parser.c:15184
#11 0x55555556a821 in parseAndPrintFile /home/yuan/libxml2/xmllint.c:2403
#12 0x555555572aae in main /home/yuan/libxml2/xmllint.c:3753
#13 0x7ffff638abf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
SUMMARY: AddressSanitizer: heap-use-after-free /home/yuan/libxml2/xinclude.c:2433 in xmlXIncludeDoProcess
Shadow bytes around the buggy address:
0x0c1a7fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1a7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1a7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1a7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1a7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1a7fff8000: fa fa fa fa fa fa fa fa fd[fd]fd fd fd fd fd fd
0x0c1a7fff8010: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x0c1a7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1a7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1a7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1a7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==30572==ABORTING