Project: chromium Issues People Development process History Sign in
New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Issue 676623 Security: libxslt generation of text nodes integer overflow
Starred by 2 users Reported by hofu...@gmail.com, Dec 22 Back to list
Status: Fixed
Owner:
Closed: Feb 1
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security



Sign in to add a comment
VULNERABILITY DETAILS

With a xslt file which generates big text nodes it is possible to trigger an integer overflow in xsltAddTextString in transform.c of the libxslt library. The function handles the memory management if new data are added to a text node. The vulnerability exists because there is no check for overflow while calculating a new size of a buffer to hold the data of a text node. The issue can be exploited to trigger an out of bounds write.

A simple fix would limit the max size of a text node to a sane value.
A mitigation would it be to use a size_checked_realloc like in libxml in libxslt.

VERSION
Chrome Version: 57.0.2953.0 + beta
Operating System: Ubuntu 16.04.1 LTS

REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached
HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE
make the file as small as possible and remove any content not required to
demonstrate the bug.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]

 
Type of crash: tab
Crash State:

==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd7a76a2000 at pc 0x564695670354 bp 0x7ffd5c6a4020 sp 0x7ffd5c6a37d0
WRITE of size 5614304 at 0x7fd7a76a2000 thread T0 (chrome)

    #0 0x564695670353 in __asan_memcpy ??:?
    #1 0x7fd93b807573 in xsltAddTextString ./out/Debug/../../third_party/libxslt/libxslt/transform.c:837
    #2 0x7fd93b806cd9 in xsltCopyTextString ./out/Debug/../../third_party/libxslt/libxslt/transform.c:929
    #3 0x7fd93b81f988 in xsltValueOf ./out/Debug/../../third_party/libxslt/libxslt/transform.c:4540
    #4 0x7fd93b80e26d in xsltApplySequenceConstructor ./out/Debug/../../third_party/libxslt/libxslt/transform.c:2766
    #5 0x7fd93b80c4e0 in xsltApplyXSLTTemplate ./out/Debug/../../third_party/libxslt/libxslt/transform.c:3204
    #6 0x7fd93b82101a in xsltCallTemplate ./out/Debug/../../third_party/libxslt/libxslt/transform.c:4780
    #7 0x7fd93b80e26d in xsltApplySequenceConstructor ./out/Debug/../../third_party/libxslt/libxslt/transform.c:2766
    #8 0x7fd93b825857 in xsltIf ./out/Debug/../../third_party/libxslt/libxslt/transform.c:5390
    #9 0x7fd93b80e26d in xsltApplySequenceConstructor ./out/Debug/../../third_party/libxslt/libxslt/transform.c:2766
    #10 0x7fd93b80c4e0 in xsltApplyXSLTTemplate ./out/Debug/../../third_party/libxslt/libxslt/transform.c:3204
…

0x7fd7a76a2000 is located 6144 bytes to the left of 5616152-byte region [0x7fd7a76a3800,0x7fd7a7bfea18)

sorry for splitted report
chrome.poc.html
2.3 KB View Download
Comment 3 Deleted
Project Member Comment 4 by clusterf...@chromium.org, Dec 22
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4937030674153472
Components: Blink>XML
Labels: Stability-Memory-AddressSanitizer Security_Severity-Medium Security_Impact-Stable OS-All Pri-1
Owner: dominicc@chromium.org
Status: Assigned
Hi Dominic,

Feel free to adjust labels, or reassign as appropriate.

Thanks!
Project Member Comment 6 by sheriffbot@chromium.org, Dec 23
Labels: M-56
Project Member Comment 7 by clusterf...@chromium.org, Dec 28
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5731321122127872
Labels: -Security_Severity-Medium Security_Severity-High
Project Member Comment 9 by clusterf...@chromium.org, Dec 29
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5684287069487104
Project Member Comment 10 by sheriffbot@chromium.org, Jan 5
dominicc: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: Started
Cc: groebert@google.com
Cc: ail@google.com
Cc: scottmg@chromium.org
hofusec, can I CC you on the upstream libxslt bug?
yes
Nick Wellnhofer contributed a simpler, better patch upstream at https://bugzilla.gnome.org/attachment.cgi?id=343366 see https://codereview.chromium.org/2626983002 patch 2 for posterity.
Cc: ddkil...@apple.com
Note: Per upstream request, we need to ping the upstream bug when we land something.
Status: Fixed
This should be fixed.
Project Member Comment 22 by sheriffbot@chromium.org, Feb 1
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member Comment 23 by sheriffbot@chromium.org, Feb 3
Labels: Merge-Request-57
Project Member Comment 24 by sheriffbot@chromium.org, Feb 3
Labels: -Merge-Request-57 Hotlist-Merge-Approved Merge-Approved-57
Your change meets the bar and is auto-approved for M57. Please go ahead and merge the CL to branch 2987 manually. Please contact milestone owner if you have questions.
Owners: amineer@(clank), cmasso@(bling), ketakid@(cros), govind@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Please merge your change to M57 branch 2987 before 5:00 PM Pt, Monday (02/06/) so we can pick it up for next week Beta release. Thank you.
Project Member Comment 26 by sheriffbot@chromium.org, Feb 6
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Please merge your change to M57 branch 2987 before 5:00 PM PT, Tuesday (02/07/17) so we can pick it up for next Beta release. Thank you.
Labels: reward-topanel
Labels: Merge-Merged
I'm not sure why a bot did not comment here, but I merged this yesterday:

https://storage.googleapis.com/chromium-find-releases-static/14b.html#14b7c024aaec338adcbf87cbeee54cf6137d7f8a

Merged to 57.0.2987.33 (as 3b4c1d91...).

If someone could please sanity check me on that :)
Labels: -Merge-Approved-57 merge-merged-2987
Per comment #29, this is already merged to M57 branch 2987 and I can see the merge here: https://chromium.googlesource.com/chromium/src/+/3b4c1d91912bbc7fa1e75c7034318a241c03a7ae
Thanks for the CC folks.  Tracking this at Apple with <rdar://problem/30398908>.

Labels: -reward-topanel reward-unpaid reward-3000
Nice one!  The panel decided to award $3,000 for this report.  A member of our finance team will be in touch shortly to arrange payment.

*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an established charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************

Labels: -reward-unpaid reward-inprocess
Labels: -Hotlist-Merge-Approved
Has a CVE-ID been assigned to this issue?  Apple wants to mention the CVE-ID in an upcoming security bulletin.

Cc: awhalley@chromium.org
Andrew, did it get a CVE?
Labels: CVE-2017-5029
Yep, it's CVE-2017-5029. Thanks for the ping.
Cool, thanks for the fast response!
Labels: Release-0-M57
Labels: CVE-2017-5033
Wait, two CVEs for a single bug? I've pinged Andrew to ensure that this is correct.
Labels: -CVE-2017-5033
Good spot - overly zealous automation :-(
Comment 45 by awhalley@google.com, Mar 24 (5 days ago)
Labels: -Restrict-View-SecurityNotify allpublic
Removing view restrictions given #44
Sign in to add a comment