GNOME / libxml2 / Issues / #243 (Closed)

Issue created Apr 30, 2021 by yuawn@yuawn

CWE-476 NULL pointer dereference in valid.c:729 in xmlValidBuildAContentModel

Hi, I found a vulnerability in current master 5465a8e5, and I also reproduced it on v2.9.10.

There is a CWE-476 NULL pointer dereference in the library, in xmlValidBuildAContentModel; it can lead to a segmentation fault and cause a denial of service.

Thank you.

PoC:

poc.gz

To reproduce:

```
CFLAGS='-g -fsanitize=address' ./configure
make
```

```
./xmllint --recover --postvalid ./poc
```

ASAN report:

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1935392==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9db71265c8 bp 0x7ffd282d0050 sp 0x7ffd282cff20 T0)
==1935392==The signal is caused by a READ memory access.
==1935392==Hint: address points to the zero page.
    #0 0x7f9db71265c8 in xmlValidBuildAContentModel /home/yuawn/fuzzing/libxml2/reproduce/libxml2/valid.c:729
    #1 0x7f9db7127418 in xmlValidBuildContentModel__internal_alias /home/yuawn/fuzzing/libxml2/reproduce/libxml2/valid.c:839
    #2 0x7f9db7139581 in xmlValidateElementContent /home/yuawn/fuzzing/libxml2/reproduce/libxml2/valid.c:5330
    #3 0x7f9db713d3de in xmlValidateOneElement__internal_alias /home/yuawn/fuzzing/libxml2/reproduce/libxml2/valid.c:6233
    #4 0x7f9db713eb00 in xmlValidateElement__internal_alias /home/yuawn/fuzzing/libxml2/reproduce/libxml2/valid.c:6478
    #5 0x7f9db71411d7 in xmlValidateDocument__internal_alias /home/yuawn/fuzzing/libxml2/reproduce/libxml2/valid.c:6941
    #6 0x5643c49158db in parseAndPrintFile /home/yuawn/fuzzing/libxml2/reproduce/libxml2/xmllint.c:2815
    #7 0x5643c491bf81 in main /home/yuawn/fuzzing/libxml2/reproduce/libxml2/xmllint.c:3754
    #8 0x7f9db6de50b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #9 0x5643c490bb2d in _start (/home/yuawn/fuzzing/libxml2/reproduce/libxml2/.libs/xmllint+0xfb2d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/yuawn/fuzzing/libxml2/reproduce/libxml2/valid.c:729 in xmlValidBuildAContentModel
==1935392==ABORTING
```
Edited Apr 30, 2021 by yuawn