timeouts in xmlRegexpCompile()
Issue description

libxml_xml_regexp_compile_fuzzer always hits a timeout in the xmlRegexpCompile() function and fuzzing becomes useless.

Reproduction steps:

1) Build the 'libxml_xml_regexp_compile_fuzzer' target using these instructions: https://sites.google.com/a/chromium.org/dev/developers/testing/libfuzzer

2) Run it with the following parameters (file is attached):

./libxml_xml_regexp_compile_fuzzer -test_single_input=./timeout-946f09e885b1388ea98f19edff18cb87cd828d72 -timeout=10

The output will be like:

ALARM: working on the last Unit for 1457361450 seconds and the timeout value is 10 (use -timeout=N to change)
0x5f,0x6f,0x5b,0x54,0x3c,0x6e,0x3e,0x6d,0x3c,0x3c,0x3f,0x78,0x6d,0x6c,0xee,0x76,0x65,0x72,0x6e,0x6f,0x74,
_o[T<n>m<<?xml\xeevernot
==42534== ERROR: libFuzzer: timeout after 1457361450 seconds
    #0 0x4ba18e in __sanitizer_print_stack_trace (<...>/out/Release/libxml_xml_regexp_compile_fuzzer+0x4ba18e)
    #1 0x7cd59d in fuzzer::Fuzzer::AlarmCallback() third_party/llvm/lib/Fuzzer/FuzzerLoop.cpp:123:7
    #2 0x7f6aa4b8133f (/lib/x86_64-linux-gnu/libpthread.so.0+0x1033f)
    #3 0x8c33e9 in xmlFAParseCharRange third_party/libxml/src/xmlregexp.c:5060:9
    #4 0x8c33e9 in xmlFAParsePosCharGroup third_party/libxml/src/xmlregexp.c:5078
    #5 0x8c03f2 in xmlFAParseCharGroup third_party/libxml/src/xmlregexp.c:5119:6
    #6 0x8bdd55 in xmlFAParseCharClass third_party/libxml/src/xmlregexp.c:5139:2
    #7 0x8bdd55 in xmlFAParseAtom third_party/libxml/src/xmlregexp.c:5293
    #8 0x8bdd55 in xmlFAParsePiece third_party/libxml/src/xmlregexp.c:5310
    #9 0x8bd20e in xmlFAParseBranch third_party/libxml/src/xmlregexp.c:5345:8
    #10 0x8a2e80 in xmlFAParseRegExp third_party/libxml/src/xmlregexp.c:5371:5
    #11 0x8a216a in xmlRegexpCompile third_party/libxml/src/xmlregexp.c:5467:5
    #12 0x4db800 in LLVMFuzzerTestOneInput testing/libfuzzer/fuzzers/libxml_xml_regexp_compile_fuzzer.cc:29:20
    #13 0x7d1708 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/llvm/lib/Fuzzer/FuzzerLoop.cpp:266:13
    #14 0x7be6d4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*) third_party/llvm/lib/Fuzzer/FuzzerDriver.cpp:232:3
    #15 0x7c28ad in FuzzerDriver third_party/llvm/lib/Fuzzer/FuzzerDriver.cpp:326:5
    #16 0x7c28ad in fuzzer::FuzzerDriver(int, char**, int (*)(unsigned char const*, unsigned long)) third_party/llvm/lib/Fuzzer/FuzzerDriver.cpp:378
    #17 0x7be4b2 in main third_party/llvm/lib/Fuzzer/FuzzerMain.cpp:25:10
    #18 0x7f6aa45b7ec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287
SUMMARY: libFuzzer: timeout
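When a fuzzer keeps producing timeout reports like the one above, the first triage step is to pull the offending input bytes out of the report and bucket reports by the first frame inside the code under test (here xmlFAParseCharRange in xmlregexp.c), not by the sanitizer or libFuzzer frames on top. The parser below is an added example, not code from the bug or from Chromium's fuzzing infrastructure; the sample report is a constructed copy of the output in this bug with some middle frames dropped, and the "third_party/libxml/" prefix is an assumption about where the library lives in the checkout.

```python
import re
from dataclasses import dataclass

# Constructed sample: the libFuzzer timeout report from this bug, some middle frames dropped.
SAMPLE_REPORT = """\
ALARM: working on the last Unit for 1457361450 seconds and the timeout value is 10 (use -timeout=N to change)
0x5f,0x6f,0x5b,0x54,0x3c,0x6e,0x3e,0x6d,0x3c,0x3c,0x3f,0x78,0x6d,0x6c,0xee,0x76,0x65,0x72,0x6e,0x6f,0x74,
_o[T<n>m<<?xml\\xeevernot
==42534== ERROR: libFuzzer: timeout after 1457361450 seconds
#0 0x4ba18e in __sanitizer_print_stack_trace (<...>/out/Release/libxml_xml_regexp_compile_fuzzer+0x4ba18e)
#1 0x7cd59d in fuzzer::Fuzzer::AlarmCallback() third_party/llvm/lib/Fuzzer/FuzzerLoop.cpp:123:7
#2 0x7f6aa4b8133f (/lib/x86_64-linux-gnu/libpthread.so.0+0x1033f)
#3 0x8c33e9 in xmlFAParseCharRange third_party/libxml/src/xmlregexp.c:5060:9
#11 0x8a216a in xmlRegexpCompile third_party/libxml/src/xmlregexp.c:5467:5
#12 0x4db800 in LLVMFuzzerTestOneInput testing/libfuzzer/fuzzers/libxml_xml_regexp_compile_fuzzer.cc:29:20
SUMMARY: libFuzzer: timeout
"""

ALARM_RE = re.compile(r"ALARM: working on the last Unit for \d+ seconds and the timeout value is (\d+)")
HEX_RE = re.compile(r"^(?:0x[0-9a-fA-F]{2},?)+$")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+(?:in\s+(.*?)\s+)?(\S+)\s*$")

@dataclass
class Frame:
    index: int
    function: str    # "" when the frame has no symbol (e.g. the libpthread frame above)
    location: str    # "file:line[:col]" or "(module+offset)"

@dataclass
class TimeoutReport:
    timeout_seconds: int   # the -timeout limit; the printed elapsed value is implausible, so it is ignored
    unit: bytes            # the input that hung the target, decoded from the hex dump line
    frames: list

    def signature(self, prefix: str):
        """Dedup key 'function file:line' from the first frame under `prefix` (column dropped),
        skipping sanitizer/libFuzzer frames; None if no frame is inside the code under test."""
        for f in self.frames:
            if f.location.startswith(prefix):
                path, line = f.location.split(":")[:2]
                return f"{f.function} {path}:{line}"
        return None

def parse_timeout_report(text: str) -> TimeoutReport:
    timeout, unit, frames = 0, b"", []
    for line in text.splitlines():
        if m := ALARM_RE.search(line):
            timeout = int(m.group(1))
        elif HEX_RE.match(line):
            unit = bytes(int(t, 16) for t in line.strip(",").split(","))
        elif m := FRAME_RE.match(line):
            frames.append(Frame(int(m.group(1)), m.group(2) or "", m.group(3)))
    return TimeoutReport(timeout, unit, frames)
```

The recovered `unit` bytes can be written to a file and replayed with `-test_single_input` exactly as in step 2, and the signature string is what you would key a deduplication table on when the fuzzer hits the same slow path from many different inputs.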
Apr 26 2016
David, maybe this bug can be fixed upstream? It prevents us from further fuzzing and also looks like a possible DoS.
Apr 26 2016
Any reason not to file a public bugzilla.gnome.org, or should it be secure since this could be used as a DoS attack?
Apr 27 2016
This is absolutely public, no problem to file a bug at bugzilla.gnome.org, filed: https://bugzilla.gnome.org/show_bug.cgi?id=765661
Apr 27 2016
Thanks! Yeah, I realized that after I posted the comment. :) I have a few more libxml2 security bugs to fix before I can look at this, though.
Aug 1
Comment 1 by mmoroz@chromium.org, Mar 7 2016