New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security

Blocked on:
issue 616040
issue 616698



Sign in to add a comment

Heap-buffer-overflow in xmlDictComputeFastKey

Project Member Reported by ClusterFuzz, Jun 16 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5851397434376192

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60200000ed84
Crash State:
  xmlDictComputeFastKey
  xmlDictLookup
  xmlParseNameComplex
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=372859:372879

Minimized Testcase (0.20 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94yUDbm7VSHsZCwDfY9OV2wj-95e3Hxtu_wd1_df9jHOuG--TnJNK61RtqVD1jTLkYa2NHDzkIbFQCFlKUCSLsLJnxG6hO4YytEVi4yhWj36wtPBOs-84FDd43TV_tfN_DnVC_kFI-XN8thhYpfIBfp5-91Kw
<!DOCTYPE test [
<!ELEMENT test (#PCDATA) >
<!ENTITY % xx '&#37;zz;
<![INCLUDE[
&#37;zz;<!ELEMENT<!ATTLISTNT&#37;MENTD&#377;MENTD&#37;zNMT9KENSMYSYSTEM;MENT9&#37;zz;'>
%xx;�ggKENSMYNT&#35;MENTD&#372zz;'>


Filer: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 

Comment 1 by mmoroz@chromium.org, Jun 16 2016

Blockedon: 616040
Cc: mmoroz@chromium.org kcc@chromium.org aizatsky@chromium.org
Components: Blink>XML
Owner: dominicc@chromium.org
This bug isn't a new one, but haven't been found by CF before now, so I'm filing it.

It is also reported at the upstream (https://bugzilla.gnome.org/show_bug.cgi?id=766956)

Project Member

Comment 2 by sheriffbot@chromium.org, Jun 16 2016

Labels: Pri-1
Project Member

Comment 3 by ClusterFuzz, Jun 16 2016

Status: Assigned (was: Available)

Comment 4 by est...@chromium.org, Jun 16 2016

Labels: M051

Comment 5 by est...@chromium.org, Jun 16 2016

Labels: -M051 M-51

Comment 6 by mmoroz@chromium.org, Jun 17 2016

Cc: pju...@apple.com ddkil...@apple.com

Comment 7 by mmoroz@chromium.org, Jun 22 2016

Testcase from the CF report.
fuzz-2-libxml_xml_read_memory_fuzzer
204 bytes View Download

Comment 8 by ddkil...@apple.com, Jun 22 2016

I ran git-bisect on our internal tree, and this issue will be fixed by this upstream bug:

 Bug 759398 : Heap Out-of-bound read and UAF in xmlDictComputeFastKey from xmlParseNameComplex
<https://bugzilla.gnome.org/show_bug.cgi?id=759398>

I am unable to post a patch at this time (working on resolving that internally), so if someone here wants to take my comments in <https://bugzilla.gnome.org/show_bug.cgi?id=766956#c3> and create a patch, that would help to get that bug fixed quicker.

Comment 9 by ddkil...@apple.com, Jun 23 2016

> I ran git-bisect on our internal tree, and this issue will be fixed by this upstream bug:
>
>  Bug 759398 : Heap Out-of-bound read and UAF in xmlDictComputeFastKey from xmlParseNameComplex
> <https://bugzilla.gnome.org/show_bug.cgi?id=759398>

BTW, Apple is planning on shipping this fix by the end of July 2016, so we need to get Daniel Veillard engaged on this bug.  Posting a patch for review is the best way to do that.


Cc: dan...@veillard.com
Project Member

Comment 11 by ClusterFuzz, Jun 24 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5810396837707776

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-use-after-free READ 1
Crash Address: 0x60300000ee4f
Crash State:
  xmlDictComputeFastKey
  xmlDictLookup
  xmlParseNameComplex
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=372859:372879

Minimized Testcase (0.25 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94bjMOglPlGItRInhMx06pTpzmaeY6waZDaNh3GiXzizRLP7PpNjYpLP8B9ZIEX4BULYrIrp12G7DzCci_zVXSxaxT0AdECnNPo7Ub29XmT6JV31yORcl-Mb0VWT8YWE5viA8eKV1B3tQF2q4aCzSgRzd-QQg?testcase_id=5810396837707776
<?xmh ven="1.0"?>
<!DOCTYPE test [
<!ELEMENT test (#PCDATA) >
<!ENTITY % xx '&#37;zz;
<![INCLUDE[
&#37;zz;<![INCLUDE[&#37;MENT&#37;MENTD&#377;MENTD&#37;zNMT9KENSMYSYSTEM;MENT9&#37;zz;'>
<!ENTITY % zz '&#60;!ENTITY<?xDOCTYPEm~?>' >
%xx;�ggKENSMYNT&#35;MENTD&#37


Filer: tanin

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Project Member

Comment 12 by sheriffbot@chromium.org, Jun 30 2016

dominicc: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Current status: I was not actively working on this, half hoping there would be an upstream patch. I could develop one.
Status: Started (was: Assigned)
OK, taking a look at this.
Hmm, I can't reproduce this at r403744.
ClusterFuzz says it could reproduce these at r404631 and r404605. I need to try again.
Project Member

Comment 18 by ClusterFuzz, Jul 12 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4835303932297216

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: mac_libfuzzer_chrome_asan
Platform Id: mac

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60500000bf2f
Crash State:
  xmlDictComputeFastKey
  xmlDictLookup
  xmlParseName
  
Recommended Security Severity: Medium


Minimized Testcase (0.10 Kb): https://cluster-fuzz.appspot.com/download/AMIfv954ifA6vOolHwuhWorQ2gViH1J39Vt1jeXpk9BjQWcF70l_TpLWFZWwEnxFJG_Al-vs1wSoK4dwVA0iHDrhGrEc8GSVP1ZKiD7RSz6iolhU7cCAbwFdQ7A0Va5siUKBCf457HONVpPdRsV8YZfBeQ6fVydQ5w?testcase_id=4835303932297216

Filer: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Project Member

Comment 19 by sheriffbot@chromium.org, Jul 21 2016

Labels: -M-51 M-52
Project Member

Comment 20 by ClusterFuzz, Jul 29 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4593889466122240

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60600000ee2f
Crash State:
  xmlDictComputeFastKey
  xmlDictLookup
  xmlParseNameComplex
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=395675:395769

Minimized Testcase (0.37 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95JfhQONaR-2B3QHwy8kUMRNwv9cCGDAAr0Gc1uVYSQGxlYeIXVdkM_LlA-TtKGiVTjdWXETCSLqBE1F9KdT-zwzHCwlENOH7VEdMd2NZamy88EUv0yeNKUcJ_50R-hoX_AXroEoK4bT0Zsc-L4QpI7OlFdlA?testcase_id=4593889466122240

<!--
--><!--e
--><!--
<--><!--
--><?lm verUTF-16
<!DOCTYPE root [
<?m<l  enc<v xmnnodlig"0"?>
<!DOCTYPE root [
<!ENTITY % dafroot '
&#60;!ELEMENT dia:dciagram (dia:diagramdata, draft.--mon:h >
<!ELEMENT dia:diag&#37;MENT&#37;MENTD&#377;MENTD&#37;zNMT9KENSMYSYSTEM;MENT9&#37;zz;'>
<!ENTITY % zz '&#60;!ENTIradata (dia:attbirute)* >
<!ENTITY //docboo	SYsSTEMTY' >
%dafroot;%de


Filer: tanin

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
dominicc, are you following the instructions at https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md ?

I can still reproduce this locally today. 
 Issue 637552  has been merged into this issue.
friendly ping Dominicc. These are probably are end-tail of libxml bugs that will be great for knockout!
Project Member

Comment 24 by ClusterFuzz, Aug 25 2016

ClusterFuzz has detected this issue as fixed in range 414042:414068.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5810396837707776

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-use-after-free READ 1
Crash Address: 0x60300000ee4f
Crash State:
  xmlDictComputeFastKey
  xmlDictLookup
  xmlParseNameComplex
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=395675:395769
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=414042:414068

Minimized Testcase (0.25 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94bjMOglPlGItRInhMx06pTpzmaeY6waZDaNh3GiXzizRLP7PpNjYpLP8B9ZIEX4BULYrIrp12G7DzCci_zVXSxaxT0AdECnNPo7Ub29XmT6JV31yORcl-Mb0VWT8YWE5viA8eKV1B3tQF2q4aCzSgRzd-QQg?testcase_id=5810396837707776
<?xmh ven="1.0"?>
<!DOCTYPE test [
<!ELEMENT test (#PCDATA) >
<!ENTITY % xx '&#37;zz;
<![INCLUDE[
&#37;zz;<![INCLUDE[&#37;MENT&#37;MENTD&#377;MENTD&#37;zNMT9KENSMYSYSTEM;MENT9&#37;zz;'>
<!ENTITY % zz '&#60;!ENTITY<?xDOCTYPEm~?>' >
%xx;�ggKENSMYNT&#35;MENTD&#37


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 25 by ClusterFuzz, Aug 25 2016

ClusterFuzz has detected this issue as fixed in range 414042:414068.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4593889466122240

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60600000ee2f
Crash State:
  xmlDictComputeFastKey
  xmlDictLookup
  xmlParseNameComplex
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=395675:395769
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=414042:414068

Minimized Testcase (0.37 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95JfhQONaR-2B3QHwy8kUMRNwv9cCGDAAr0Gc1uVYSQGxlYeIXVdkM_LlA-TtKGiVTjdWXETCSLqBE1F9KdT-zwzHCwlENOH7VEdMd2NZamy88EUv0yeNKUcJ_50R-hoX_AXroEoK4bT0Zsc-L4QpI7OlFdlA?testcase_id=4593889466122240

<!--
--><!--e
--><!--
<--><!--
--><?lm verUTF-16
<!DOCTYPE root [
<?m<l  enc<v xmnnodlig"0"?>
<!DOCTYPE root [
<!ENTITY % dafroot '
&#60;!ELEMENT dia:dciagram (dia:diagramdata, draft.--mon:h >
<!ELEMENT dia:diag&#37;MENT&#37;MENTD&#377;MENTD&#37;zNMT9KENSMYSYSTEM;MENT9&#37;zz;'>
<!ENTITY % zz '&#60;!ENTIradata (dia:attbirute)* >
<!ENTITY //docboo	SYsSTEMTY' >
%dafroot;%de


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 26 by ClusterFuzz, Aug 25 2016

ClusterFuzz has detected this issue as fixed in range 414042:414068.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5851397434376192

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60200000ed84
Crash State:
  xmlDictComputeFastKey
  xmlDictLookup
  xmlParseNameComplex
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=395675:395769
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=414042:414068

Minimized Testcase (0.20 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94yUDbm7VSHsZCwDfY9OV2wj-95e3Hxtu_wd1_df9jHOuG--TnJNK61RtqVD1jTLkYa2NHDzkIbFQCFlKUCSLsLJnxG6hO4YytEVi4yhWj36wtPBOs-84FDd43TV_tfN_DnVC_kFI-XN8thhYpfIBfp5-91Kw?testcase_id=5851397434376192
<!DOCTYPE test [
<!ELEMENT test (#PCDATA) >
<!ENTITY % xx '&#37;zz;
<![INCLUDE[
&#37;zz;<!ELEMENT<!ATTLISTNT&#37;MENTD&#377;MENTD&#37;zNMT9KENSMYSYSTEM;MENT9&#37;zz;'>
%xx;�ggKENSMYNT&#35;MENTD&#372zz;'>


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 27 by sheriffbot@chromium.org, Sep 1 2016

Labels: -M-52 M-53
Looks fixed for all the testcases except of https://cluster-fuzz.appspot.com/v2/testcase-detail/4835303932297216

Kicked of "Redo Fixed" job there.

Comment 29 by ddkil...@apple.com, Oct 11 2016

As noted in Comment #8, most of these issues were probably fixed by upstream:

 Bug 759398 : Heap Out-of-bound read and UAF in xmlDictComputeFastKey from xmlParseNameComplex
<https://bugzilla.gnome.org/show_bug.cgi?id=759398>

The rest should be fixed by this upstream bug (which hasn't landed yet):

Bug 766956: Heap Out-of-bound read and UAF in xmlDictComputeFastKey from xmlParseNameComplex
<https://bugzilla.gnome.org/show_bug.cgi?id=766956>

Note that GNOME Bug 766956 is tracked by < https://crbug.com/616698 >.

Blockedon: 616698
We rolled libxml2 45752d2c334b50016666d8f0ec3691e2d680f0a0 which says it fixes https://bugzilla.gnome.org/show_bug.cgi?id=759398 in r396097.

Guess I will mark this blocked on  Issue 616698 .  Issue 616040  says the other bug mentioned above, <https://bugzilla.gnome.org/show_bug.cgi?id=766956>, is being tracked in  Issue 616698 .
Project Member

Comment 31 by sheriffbot@chromium.org, Oct 13 2016

Labels: -M-53 M-54
Project Member

Comment 32 by sheriffbot@chromium.org, Dec 2 2016

Labels: -M-54 M-55
Brief update, the issue in the original post still repros at r440736, taking a look at this now.
Project Member

Comment 35 by bugdroid1@chromium.org, Jan 10 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6b6cc2b4809e9e7479b03e69b39f613f2de70e0b

commit 6b6cc2b4809e9e7479b03e69b39f613f2de70e0b
Author: dominicc <dominicc@chromium.org>
Date: Tue Jan 10 06:19:01 2017

Give up looking up interned names if the encoding changed during parsing

NEXTL may process encoding changes by refilling the parser's input
buffer, which makes the accumulated length 'len' inaccurate.

BUG= 620679 

Review-Url: https://codereview.chromium.org/2603933002
Cr-Commit-Position: refs/heads/master@{#442517}

[modify] https://crrev.com/6b6cc2b4809e9e7479b03e69b39f613f2de70e0b/third_party/libxml/README.chromium
[modify] https://crrev.com/6b6cc2b4809e9e7479b03e69b39f613f2de70e0b/third_party/libxml/src/parser.c

Status: Fixed (was: Started)
This should be fixed, ClusterFuzz PTAL.
Project Member

Comment 37 by ClusterFuzz, Jan 10 2017

ClusterFuzz has detected this issue as fixed in range 442501:442519.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4835303932297216

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: mac_libfuzzer_chrome_asan
Platform Id: mac

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60500000bf2f
Crash State:
  xmlDictComputeFastKey
  xmlDictLookup
  xmlParseName
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_libfuzzer_chrome_asan&range=442501:442519

Minimized Testcase (0.10 Kb): https://cluster-fuzz.appspot.com/download/AMIfv954ifA6vOolHwuhWorQ2gViH1J39Vt1jeXpk9BjQWcF70l_TpLWFZWwEnxFJG_Al-vs1wSoK4dwVA0iHDrhGrEc8GSVP1ZKiD7RSz6iolhU7cCAbwFdQ7A0Va5siUKBCf457HONVpPdRsV8YZfBeQ6fVydQ5w?testcase_id=4835303932297216

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 38 by sheriffbot@chromium.org, Jan 10 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: Merge-Request-56
Project Member

Comment 40 by sheriffbot@chromium.org, Jan 12 2017

Labels: -Merge-Request-56 Hotlist-Merge-Approved Merge-Approved-56
Your change meets the bar and is auto-approved for M56. Please go ahead and merge the CL manually. Please contact milestone owner if you have questions.
Owners: amineer@(clank), cmasso@(bling), gkihumba@(cros), bustamante@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 41 by sheriffbot@chromium.org, Jan 16 2017

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: ail@google.com
Labels: -M-55 -Hotlist-Merge-Approved -Merge-Approved-56 M-57
Labels: Release-0-57
Labels: -Release-0-57 Release-0-M57
Project Member

Comment 46 by sheriffbot@chromium.org, Apr 18 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
I believe this has been fixed by upstream commit https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3

Comment 48 by ddkil...@apple.com, Jun 14 2017

> I believe this has been fixed by upstream commit https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3

That matches my notes as well.

Sign in to add a comment