heap-use-after-free in xmllint (xmlStrlen) - bug 3/4
By fuzzing, we found a heap use-after-free in xmllint (in the xmlStrlen function).
How to reproduce
Build libxml2 with AddressSanitizer:
CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" ./configure
and run:
./xmllint -maxmem 959 i -repeat
Command output
Ran out of memory needs > 959 bytes
Ran out of memory needs > 959 bytes
parser error :
Sanitizer Dump
==8955==ERROR: AddressSanitizer: heap-use-after-free on address 0x610000000068 at pc 0x7ffff6e6966e bp 0x7fffffffdb40 sp 0x7fffffffd2e8
READ of size 62 at 0x610000000068 thread T0
#0 0x7ffff6e6966d (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d)
#1 0x7ffff6b30427 in xmlStrlen /home/youngseok/latest-subjects/libxml2/xmlstring.c:429
#2 0x7ffff6a2e0f6 in xmlReportError /home/youngseok/latest-subjects/libxml2/error.c:411
#3 0x7ffff6a2fc92 in __xmlRaiseError /home/youngseok/latest-subjects/libxml2/error.c:664
#4 0x7ffff6aa88ea in xmlErrMemory /home/youngseok/latest-subjects/libxml2/parserInternals.c:111
#5 0x7ffff6ab05e2 in xmlInitSAXParserCtxt /home/youngseok/latest-subjects/libxml2/parserInternals.c:1606
#6 0x7ffff6ab3338 in xmlNewSAXParserCtxt /home/youngseok/latest-subjects/libxml2/parserInternals.c:1917
#7 0x7ffff6ab32a1 in xmlNewParserCtxt /home/youngseok/latest-subjects/libxml2/parserInternals.c:1892
#8 0x555555572e32 in main /home/youngseok/latest-subjects/libxml2/xmllint.c:3688
#9 0x7ffff65afc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#10 0x555555562d19 in _start (/home/youngseok/latest-subjects/libxml2/.libs/lt-xmllint+0xed19)
0x610000000068 is located 40 bytes inside of 190-byte region [0x610000000040,0x6100000000fe)
freed by thread T0 here:
#0 0x7ffff6ef6f30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30)
#1 0x7ffff6b2df10 in xmlReallocLoc /home/youngseok/latest-subjects/libxml2/xmlmemory.c:354
#2 0x7ffff6b2e1e2 in xmlMemRealloc /home/youngseok/latest-subjects/libxml2/xmlmemory.c:406
#3 0x55555556381d in myReallocFunc /home/youngseok/latest-subjects/libxml2/xmllint.c:357
#4 0x7ffff6a2ed22 in __xmlRaiseError /home/youngseok/latest-subjects/libxml2/error.c:529
#5 0x7ffff6aa88ea in xmlErrMemory /home/youngseok/latest-subjects/libxml2/parserInternals.c:111
#6 0x7ffff6ab05e2 in xmlInitSAXParserCtxt /home/youngseok/latest-subjects/libxml2/parserInternals.c:1606
#7 0x7ffff6ab3338 in xmlNewSAXParserCtxt /home/youngseok/latest-subjects/libxml2/parserInternals.c:1917
#8 0x7ffff6ab32a1 in xmlNewParserCtxt /home/youngseok/latest-subjects/libxml2/parserInternals.c:1892
#9 0x555555572e32 in main /home/youngseok/latest-subjects/libxml2/xmllint.c:3688
#10 0x7ffff65afc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
previously allocated by thread T0 here:
#0 0x7ffff6ef6b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
#1 0x7ffff6b2d602 in xmlMallocLoc /home/youngseok/latest-subjects/libxml2/xmlmemory.c:167
#2 0x7ffff6b2dcfc in xmlMemMalloc /home/youngseok/latest-subjects/libxml2/xmlmemory.c:298
#3 0x5555555637c0 in myMallocFunc /home/youngseok/latest-subjects/libxml2/xmllint.c:342
#4 0x7ffff6a2ec11 in __xmlRaiseError /home/youngseok/latest-subjects/libxml2/error.c:529
#5 0x7ffff6aa88ea in xmlErrMemory /home/youngseok/latest-subjects/libxml2/parserInternals.c:111
#6 0x7ffff6ab05e2 in xmlInitSAXParserCtxt /home/youngseok/latest-subjects/libxml2/parserInternals.c:1606
#7 0x7ffff6ab3338 in xmlNewSAXParserCtxt /home/youngseok/latest-subjects/libxml2/parserInternals.c:1917
#8 0x7ffff6ab32a1 in xmlNewParserCtxt /home/youngseok/latest-subjects/libxml2/parserInternals.c:1892
#9 0x555555572e32 in main /home/youngseok/latest-subjects/libxml2/xmllint.c:3688
#10 0x7ffff65afc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
Environment
- OS: Ubuntu 18.04
- gcc: 7.5.0
- libxml2: 21100-GITv2.10.0-464-ge7c3a4ca
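The trace above shows the error message buffer being reallocated inside __xmlRaiseError (error.c:529) while xmllint's -maxmem allocator is failing requests, and a pointer into the old block then being read by xmlStrlen from xmlReportError. The C program below is an added illustration, not libxml2 code, of the defensive shape such a formatting path needs: a budget-limited allocator standing in for -maxmem, a grow loop that uses only the pointer realloc returns and falls back to a static message when growth fails, and a length check that tolerates the fallback. All names (set_budget, budget_realloc, format_message, message_len, oom_fallback) are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed allocator with a byte budget, standing in for xmllint's
 * -maxmem behaviour: once the budget is spent, every growth request fails. */
static size_t g_budget = 0;
static void set_budget(size_t bytes) { g_budget = bytes; }
static void *budget_realloc(void *old, size_t old_size, size_t new_size)
{
    size_t growth = new_size > old_size ? new_size - old_size : 0;
    if (growth > g_budget)
        return NULL;                 /* over budget: behave like an OOM realloc */
    void *p = realloc(old, new_size);
    if (p != NULL)
        g_budget -= growth;
    return p;
}

/* Static fallback: an OOM inside error reporting must never hand out NULL or a stale buffer. */
static const char oom_fallback[] = "Memory allocation failed while formatting error";

/* Grow-with-realloc formatting loop. After each realloc only the returned pointer is
 * used; the previous block is treated as freed, which is the discipline the trace above violates. */
static const char *format_message(const char *fmt, ...)
{
    size_t size = 16;                /* small on purpose so growth is exercised */
    char *buf = budget_realloc(NULL, 0, size);
    if (buf == NULL)
        return oom_fallback;
    for (;;) {
        va_list ap;
        va_start(ap, fmt);
        int n = vsnprintf(buf, size, fmt, ap);
        va_end(ap);
        if (n >= 0 && (size_t)n < size)
            return buf;              /* caller frees this, and only this */
        size_t want = n >= 0 ? (size_t)n + 1 : size * 2;
        char *larger = budget_realloc(buf, size, want);
        if (larger == NULL) {        /* buf is still valid here: release it */
            free(buf);
            return oom_fallback;
        }
        buf = larger;                /* old block is gone; never touch it again */
        size = want;
    }
}

/* Length a reporter would check before inspecting message[len - 1]. */
static int message_len(const char *msg) { return msg ? (int)strlen(msg) : 0; }
```

Building this with -fsanitize=address and calling format_message under a tight budget is a quick way to confirm that the OOM path neither reads freed memory nor dereferences NULL.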