
Issue 140368


Issue metadata

Status: Fixed
Owner: cevans@chromium.org
Closed: Dec 2012
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug-Security


Security: heap-use-after-free in xsltGenerateIdFunction

Reported by nicolas....@agarri.fr, Aug 2 2012

Issue description

VULNERABILITY DETAILS

When generate-id() is applied on the context node "." inside nested templates, a "use after free()" occurs in libxslt. This doesn't happen if generate-id() is applied to the current node "".

VERSION

xsltproc+ASan: libxml 20800, libxslt 10126 and libexslt 815
Chromium+ASan: 21.0.1180.49 (147161)

REPRODUCTION CASE

<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">

    <xsl:template match="*" name="level1">
        <xsl:call-template name="level2"/>
    </xsl:template>

    <xsl:template name="level2">
        <xsl:for-each select="namespace::*">
            <xsl:value-of select="generate-id(.)"/>
        </xsl:for-each>
    </xsl:template>

</xsl:stylesheet>

ADDITIONAL INFORMATION

ASan xsltproc log (more verbose than the Chromium one):

==5023== ERROR: AddressSanitizer heap-use-after-free on address 0x7f07d3c81388 at pc 0x7f07d556f8da bp 0x7fffdd31fed0 sp 0x7fffdd31fec8
READ of size 4 at 0x7f07d3c81388 thread T0

    #0  00000000000538da <xsltGenerateIdFunction+0x32a>:
        xmlNsPtr ns = (xmlNsPtr) cur;
        if (ns->context != NULL)
            doc = ns->context;
        else
            doc = ctxt->context->doc;
   538da:       e8 19 37 fc ff          callq  16ff8 <__asan_report_load8@plt>
    #1  xmlXPathCompOpEval+0x279b
    #2  xmlXPathCompOpEval+0x431a
    #3  xmlXPathRunEval+0x3ec
    #4  xmlXPathCompiledEvalInternal+0xca
    #5  xmlXPathCompiledEval+0x7c
    #6  xsltValueOf+0x342
    #7  xsltApplySequenceConstructor+0x96a
    #8  xsltForEach+0xb81
    #9  xsltApplySequenceConstructor+0x96a
    #10  xsltApplyXSLTTemplate+0x8b9
    #11  xsltCallTemplate+0x5b4
    #12  xsltApplySequenceConstructor+0x96a
    #13  xsltApplyXSLTTemplate+0x8b9
    #14  xsltProcessOneNode+0x545
    #15  xsltDefaultProcessOneNode+0x878
    #16  xsltProcessOneNode+0x272
    #17  xsltApplyStylesheetInternal+0x10ff
    #18  xsltProcess+0x37b
    #19  main+0x198b
    #20  __libc_start_main+0xfd
0x7f07d3c81388 is located 8 bytes inside of 48-byte region [0x7f07d3c81380,0x7f07d3c813b0)

    #0  0000000000415aa2 <free+0x22>:
  415aa2:       4c 8d b5 d8 fd ff ff    lea    -0x228(%rbp),%r14
    #1  xmlXPathFreeNodeSet+0xef
    #2  xmlXPathFreeObject+0xec
    #3  xsltGenerateIdFunction+0x339
    #4  xmlXPathCompOpEval+0x279b
    #5  xmlXPathCompOpEval+0x431a
    #6  xmlXPathRunEval+0x3ec
    #7  xmlXPathCompiledEvalInternal+0xca
    #8  xmlXPathCompiledEval+0x7c
    #9  xsltValueOf+0x342
    #10  xsltApplySequenceConstructor+0x96a
    #11  xsltForEach+0xb81
    #12  xsltApplySequenceConstructor+0x96a
    #13  xsltApplyXSLTTemplate+0x8b9
    #14  xsltCallTemplate+0x5b4
    #15  xsltApplySequenceConstructor+0x96a
    #16  xsltApplyXSLTTemplate+0x8b9
    #17  xsltProcessOneNode+0x545
    #18  xsltDefaultProcessOneNode+0x878
    #19  xsltProcessOneNode+0x272
    #20  xsltApplyStylesheetInternal+0x10ff
    #21  xsltProcess+0x37b
    #22  main+0x198b
    #23  __libc_start_main+0xfd
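Added example (not from the report and not libxslt or libxml2 code): a small C model of the ownership mistake the two stack traces above describe. The types ns_t, node_t, nodeset_t and the functions generate_id_doc_vulnerable / generate_id_doc_fixed are simplified stand-ins (assumptions) for xmlNs, xmlNode, xmlNodeSet and the doc-selection step of xsltGenerateIdFunction shown in frame #0. The fact it models is real: libxml2's XPath layer does not put the document's own namespace declarations into a node set, it stores private copies (xmlXPathNodeSetDupNs) that xmlXPathFreeNodeSet releases again (xmlXPathNodeSetFreeNs), while element nodes in the set remain owned by the document. So "take nodeTab[0], free the XPath object, then read the node" is fine for an element and a heap-use-after-free for a namespace node, which is why only namespace::* (or namespace::xsl) triggers the report.

```c
/*
 * Model of the generate-id() ownership bug. Not libxslt/libxml2 code:
 * every type and function here is a simplified stand-in (assumption).
 *
 * Ownership rule being modelled: namespace nodes inside an XPath node set
 * are copies owned by the set and die with it; element nodes are borrowed
 * from the document and survive the set.
 */
#include <stdio.h>
#include <stdlib.h>

/* libxml2 numbers XML_ELEMENT_NODE as 1 and XML_NAMESPACE_DECL as 18 */
enum { NODE_ELEMENT = 1, NODE_NAMESPACE_DECL = 18 };

typedef struct doc { const char *name; } doc_t;

/* element node: owned by the document tree, outlives any node set */
typedef struct node {
    int type;          /* must be first: both node kinds are read via *(int *) */
    doc_t *doc;
    const char *name;
} node_t;

/* namespace node as the XPath layer sees it: a private copy whose
 * 'context' points at the document (mirrors xmlNs.context in the trace) */
typedef struct ns {
    int type;          /* must be first, see node_t */
    doc_t *context;
    const char *prefix;
} ns_t;

typedef struct nodeset {
    int nodeNr;
    void **nodeTab;
} nodeset_t;

static nodeset_t *nodeset_new1(void *node) {
    nodeset_t *set = malloc(sizeof *set);
    set->nodeNr = 1;
    set->nodeTab = malloc(sizeof(void *));
    set->nodeTab[0] = node;
    return set;
}

/* a node set selecting one namespace node: the copy is created here and
 * belongs to the set (what xmlXPathNodeSetDupNs does in libxml2) */
nodeset_t *nodeset_with_ns(doc_t *doc, const char *prefix) {
    ns_t *copy = malloc(sizeof *copy);
    copy->type = NODE_NAMESPACE_DECL;
    copy->context = doc;          /* may be NULL, see doc_for() */
    copy->prefix = prefix;
    return nodeset_new1(copy);
}

/* a node set selecting one element: the set only borrows the pointer */
nodeset_t *nodeset_with_element(node_t *elem) {
    return nodeset_new1(elem);
}

/* free the set and every namespace copy it owns (mirrors xmlXPathFreeNodeSet
 * calling xmlXPathNodeSetFreeNs); element nodes are left alone */
void nodeset_free(nodeset_t *set) {
    for (int i = 0; i < set->nodeNr; i++)
        if (*(int *)set->nodeTab[i] == NODE_NAMESPACE_DECL)
            free(set->nodeTab[i]);
    free(set->nodeTab);
    free(set);
}

/* the document generate-id() keys on, as in frame #0 above: a namespace
 * node's own context if set, else the evaluation context's document;
 * an element's doc otherwise */
static doc_t *doc_for(void *cur, doc_t *ctxt_doc) {
    if (*(int *)cur == NODE_NAMESPACE_DECL) {
        ns_t *ns = cur;
        return ns->context != NULL ? ns->context : ctxt_doc;
    }
    return ((node_t *)cur)->doc;
}

/* ordering reported in this issue: free the XPath object, then read the
 * node it handed out. Correct for an element, a heap-use-after-free for a
 * namespace copy (build with -fsanitize=address and run main to see it). */
doc_t *generate_id_doc_vulnerable(nodeset_t *set, doc_t *ctxt_doc) {
    void *cur = set->nodeTab[0];
    nodeset_free(set);               /* frees cur if it is a namespace copy */
    return doc_for(cur, ctxt_doc);   /* ... and then dereferences it */
}

/* fixed ordering: read everything needed from the node first, free last */
doc_t *generate_id_doc_fixed(nodeset_t *set, doc_t *ctxt_doc) {
    void *cur = set->nodeTab[0];
    doc_t *doc = doc_for(cur, ctxt_doc);
    nodeset_free(set);
    return doc;
}

int main(void) {
    doc_t input = { "input.xml" };                        /* constructed sample */
    node_t root = { NODE_ELEMENT, &input, "stylesheet" };

    /* element path: both orderings agree, nothing in the set was freed */
    printf("element, old order:   %s\n",
           generate_id_doc_vulnerable(nodeset_with_element(&root), &input)->name);
    printf("namespace, new order: %s\n",
           generate_id_doc_fixed(nodeset_with_ns(&input, "xsl"), &input)->name);

    /* namespace path with the old ordering reads a freed copy; only compare
     * the pointer so a non-ASan build does not chase garbage */
    doc_t *d = generate_id_doc_vulnerable(nodeset_with_ns(&input, "xsl"), &input);
    printf("namespace, old order: %s\n",
           d == &input ? "still correct (stale heap, luck)" : "garbage pointer");
    return 0;
}
```

The review check this suggests for any code that pulls a node out of an XPath object and then calls xmlXPathFreeObject before using it: it is only safe when the node cannot be a namespace node (type XML_NAMESPACE_DECL), because that node was allocated by the node set, not by the parser. Compiled with -fsanitize=address, the last call in main produces a heap-use-after-free report with the free in nodeset_free and the read in doc_for, the same shape as the xsltproc log above.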
 
Owner: cevans@chromium.org
Aw, man. How many of these are we expecting :P

That's a Turing-complete language! Expect more ;-) Btw, the fact that many libxslt extensions are disabled in Webkit is sparing you a few additional bugs.
Cc: a deleted user
Nice, out of curiosity what are the things we disabled that are helping here? Are we talking about libexslt? I've hit some nice bugs in that before :)
Yes, libexslt ... The RC4 stuff should remind you of a few things ;-)

Off-by-one write in rc4_decrypt
https://bugzilla.gnome.org/show_bug.cgi?id=675917

Read of previously free'd memory when using func:result
https://bugzilla.gnome.org/show_bug.cgi?id=680920
Status: Started
I'm not seeing this use-after-free in valgrind. This is with a build with the "namespace::*" issue fixed, though, so I suspect that broke the repro.

Do you have a repro that doesn't rely on namespace::* ?
Every repro that I have uses namespace::* :-(
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">

<xsl:template match="/">
  <xsl:variable name="foo" select="generate-id(//namespace::xsl)"/>
</xsl:template>

</xsl:stylesheet>

Shorter repro, using "namespace::xsl" instead of "namespace::*". Of course, the XML input file needs to define this namespace (you may use the XSL as the XML).
Labels: SecImpacts-Stable SecImpacts-Beta SecSeverity-Low
Thanks.
Unfortunately, I think this bug might be something _I_ added, OMG! Haha. More fortunately, it seems harmless. The use is directly after the free in the same function, in fact almost on adjacent lines. Given that tcmalloc allocations are primarily thread-local, I don't think there's much risk at all.

Easy to fix, of course, which I'll do now.

Comment 10 by bugdroid1@chromium.org, Aug 4 2012

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=149998

------------------------------------------------------------------------
r149998 | cevans@chromium.org | 2012-08-04T02:25:50.421408Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/third_party/libxml/README.chromium?r1=149998&r2=149997&pathrev=149998
   M http://src.chromium.org/viewvc/chrome/trunk/src/third_party/libxslt/libxslt/functions.c?r1=149998&r2=149997&pathrev=149998

Fix harmless memory error in generate-id.

BUG= 140368 
Review URL: https://chromiumcodereview.appspot.com/10823168
------------------------------------------------------------------------
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Mstone-21 Merge-Approved
Status: FixUnreleased
BTW, feel free to object if you think I've misunderstood the impact :)

Comment 12 by bugdroid1@chromium.org, Aug 24 2012

Labels: -Merge-Approved merge-merged-1180
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=153293

------------------------------------------------------------------------
r153293 | cevans@chromium.org | 2012-08-24T21:28:25.707949Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/1180/src/third_party/libxml/README.chromium?r1=153293&r2=153292&pathrev=153293
   M http://src.chromium.org/viewvc/chrome/branches/1180/src/third_party/libxslt/libxslt/functions.c?r1=153293&r2=153292&pathrev=153293

Merge 149998 - Fix harmless memory error in generate-id.

BUG= 140368 
Review URL: https://chromiumcodereview.appspot.com/10823168

TBR=cevans@chromium.org
Review URL: https://chromiumcodereview.appspot.com/10880053
------------------------------------------------------------------------
Labels: CVE-2012-2870
Cc: -a deleted user veill...@gmail.com

Comment 15 by bugdroid1@chromium.org, Oct 14 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Status: Fixed

Comment 17 by bugdroid1@chromium.org, Jan 18 2013

Labels: Restrict-View-EditIssue
Restrict-View-EditIssue is preferred since it allows anyone who can edit an issue (committers and contributors) to view the bug.

Comment 18 by bugdroid1@chromium.org, Jan 18 2013

Restrict-View-EditIssue is preferred since it allows anyone who can edit an issue (committers and contributors) to view the bug.

Comment 19 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -SecImpacts-Stable -SecImpacts-Beta -SecSeverity-Low -Mstone-21 Security-Severity-Low Security-Impact-Stable Security-Impact-Beta M-21 Type-Bug-Security

Comment 20 by bugdroid1@chromium.org, Mar 11 2013

Labels: -Area-Undefined

Comment 21 by bugdroid1@chromium.org, Mar 14 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue

Comment 23 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Low Security_Severity-Low

Comment 24 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 25 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 26 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta

Comment 27 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 28 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted

Comment 31 by sheriffbot@chromium.org, Jul 28

Labels: -Pri-0 Pri-2
