
Issue 749397 link

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Last visit > 30 days ago
Closed: Aug 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 1
Type: Bug-Security




Heap-buffer-overflow in xmlSAX2AttributeNs

Project Member Reported by ClusterFuzz, Jul 27 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5509219355983872

Fuzzer: libFuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x6020000006cd
Crash State:
  xmlSAX2AttributeNs
  xmlSAX2StartElementNs
  xmlParseStartTag2
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=480737:480767

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5509219355983872


Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 

Comment 1 by vakh@chromium.org, Jul 27 2017

Components: Blink>XML
Owner: dominicc@chromium.org
Status: Assigned (was: Untriaged)
Quite likely a duplicate of issue 749352

Comment 2 by sheriffbot@chromium.org, Jul 27 2017

Labels: M-61

Comment 3 by sheriffbot@chromium.org, Jul 27 2017

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 4 by sheriffbot@chromium.org, Jul 27 2017

Labels: Pri-1

Comment 5 by sheriffbot@chromium.org, Jul 28 2017

Labels: -Security_Impact-Head Security_Impact-Beta
I haven't been able to reproduce this locally yet.
Status: Started (was: Assigned)
I've done some debugging, not sure exactly what's happening here but the attribute parser hits this error about the input:

https://cs.chromium.org/chromium/src/third_party/libxml/src/parser.c?type=cs&l=9625

The context is looking at:

<!ENTITY%MEN>\n\t\t\t\t<par md=\"10\" h=\"3bPD21CD21C\"><par iVd=\"n ve\" without

and it's unpacked one attribute successfully, the iVd="n ve" one.

Then there's this gem:

 /*
  * Arithmetic on dangling pointers is technically undefined
  * behavior, but well...
  */
 ptrdiff_t offset = ctxt->input->base - atts[i+2];

And atts gets messed up right after this point. I think this is another case of GROW or whatever flipping the context base into an entity it is expanding while some other part of the parser is holding onto a pointer into another buffer.
I have filed a blank upstream bug <https://bugzilla.gnome.org/show_bug.cgi?id=786032>
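The comment above describes the general shape of the bug: one part of the parser keeps a raw pointer into the input buffer, the buffer is reallocated (GROW, entity expansion) and moves, and the stale pointer is then used in arithmetic against the new base. The following is an added example, not libxml's code and not the fix that landed; all names (`input_buf`, `attr_ref`, `find_attr`, `attr_value`, `input_grow`) are hypothetical. It records attribute values as offsets rather than pointers, so the reference stays valid when the buffer moves, and it resolves the offset against the current base with a bounds check before any read.

```c
/* Added example (not libxml's code): why raw pointers into a growable input
 * buffer go stale, and the offset-based bookkeeping that avoids the problem.
 * All names here are hypothetical. */
#include <stdlib.h>
#include <string.h>

typedef struct {
    char  *base;   /* start of the current input buffer */
    size_t len;    /* bytes currently held */
    size_t cap;    /* allocated capacity */
} input_buf;

/* An attribute value recorded as offset + length into the buffer.
 * Offsets survive reallocation; raw pointers do not. */
typedef struct {
    size_t off;
    size_t len;
} attr_ref;

static int input_init(input_buf *in, const char *initial) {
    in->len = strlen(initial);
    in->cap = in->len + 1;
    in->base = malloc(in->cap);
    if (!in->base) return -1;
    memcpy(in->base, initial, in->len + 1);
    return 0;
}

/* Append more input. A fresh block is always allocated so the move is
 * guaranteed (realloc may or may not move, which is what makes this bug
 * class intermittent). Returns 1 if the base address changed, -1 on OOM. */
static int input_grow(input_buf *in, const char *more) {
    size_t add = strlen(more);
    char *nb = malloc(in->len + add + 1);
    if (!nb) return -1;
    memcpy(nb, in->base, in->len);
    memcpy(nb + in->len, more, add + 1);
    int moved = (in->base != nb);      /* compare before freeing the old block */
    free(in->base);
    in->base = nb;
    in->len += add;
    in->cap = in->len + 1;
    return moved;
}

/* Find the first name="value" attribute called `name` and record its value
 * as an offset/length pair. Returns 0 on success, -1 if not found. */
static int find_attr(const input_buf *in, const char *name, attr_ref *out) {
    size_t nlen = strlen(name);
    for (size_t i = 0; i + nlen + 2 < in->len; i++) {
        if (memcmp(in->base + i, name, nlen) == 0 &&
            in->base[i + nlen] == '=' && in->base[i + nlen + 1] == '"') {
            size_t start = i + nlen + 2;
            const char *close = memchr(in->base + start, '"', in->len - start);
            if (!close) return -1;
            out->off = start;
            out->len = (size_t)(close - (in->base + start));
            return 0;
        }
    }
    return -1;
}

/* Resolve a recorded attribute against the buffer's *current* base.
 * Rejects references that no longer fit the buffer. Caller frees. */
static char *attr_value(const input_buf *in, const attr_ref *a) {
    if (a->off > in->len || a->len > in->len - a->off) return NULL;
    char *v = malloc(a->len + 1);
    if (!v) return NULL;
    memcpy(v, in->base + a->off, a->len);
    v[a->len] = '\0';
    return v;
}

/* The scenario from the report: capture an attribute, then the input grows
 * and the buffer moves. Returns 1 if the offset-based reference still
 * resolves to the right text after the move. */
static int offset_ref_survives_grow(void) {
    input_buf in;
    attr_ref ref;
    /* Constructed sample input, shaped like the fragment in the report. */
    if (input_init(&in, "<par iVd=\"n ve\" ") != 0) return 0;
    if (find_attr(&in, "iVd", &ref) != 0) { free(in.base); return 0; }
    const char *stale = in.base + ref.off;   /* the pattern to avoid */
    int moved = input_grow(&in, "md=\"10\" h=\"3bPD21CD21C\">");
    if (moved < 0) { free(in.base); return 0; }
    /* When moved == 1, `stale` points into freed memory: it must not be
     * dereferenced or used in pointer arithmetic. Go through the offset. */
    (void)stale;
    char *v = attr_value(&in, &ref);
    int ok = (v != NULL && strcmp(v, "n ve") == 0);
    free(v);
    free(in.base);
    return ok;
}
```

The check in `attr_value` is the one a reviewer would want at every place a saved reference is turned back into a pointer: the offset is validated against the buffer as it is now, not as it was when the reference was taken. Building with `-fsanitize=address` and dereferencing `stale` after the grow is how ASan reports this class as a heap-buffer-overflow or use-after-free, which is the signal ClusterFuzz surfaced here.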
[Bulk Edit]
URGENT - PTAL.
Your bug is labelled as M61 Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP.

Know that this issue shouldn't block the release?  Remove the ReleaseBlock-Stable label.

Thank you.

I think 5f440d8cadea9f0d87fd3849366445029d47f528 upstream may fix this.
Cc: scottmg@chromium.org
Labels: OS-Android OS-Chrome OS-Fuchsia OS-Mac OS-Windows
I've uploaded a roll which includes the change in Comment 10 at https://chromium-review.googlesource.com/c/609563 and verified this fixes the problem locally.

Comment 12 by bugdroid1@chromium.org, Aug 14 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5

commit cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5
Author: Dominic Cooney <dominicc@chromium.org>
Date: Mon Aug 14 03:55:00 2017

Roll libxml to 27f310d453b7e2e71847e5910a0961753aacdbd1

Bug: 749397, 750430
Change-Id: Id15d1ebcc54a7dc70fb869622b9acb85770bf367
Reviewed-on: https://chromium-review.googlesource.com/609563
Commit-Queue: Dominic Cooney <dominicc@chromium.org>
Reviewed-by: Scott Graham <scottmg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#494008}
[modify] https://crrev.com/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5/third_party/WebKit/LayoutTests/http/tests/security/xss-DENIED-xsl-external-entity-expected.txt
[modify] https://crrev.com/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5/third_party/libxml/README.chromium
[modify] https://crrev.com/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5/third_party/libxml/src/ChangeLog
[modify] https://crrev.com/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5/third_party/libxml/src/HTMLparser.c
[modify] https://crrev.com/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5/third_party/libxml/src/Makefile.am
[modify] https://crrev.com/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5/third_party/libxml/src/Makefile.in
[modify] https://crrev.com/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5/third_party/libxml/src/SAX2.c
[modify] https://crrev.com/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5/third_party/libxml/src/buf.c
[modify] https://crrev.com/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5/third_party/libxml/src/dict.c
[modify] https://crrev.com/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5/third_party/libxml/src/encoding.c
[modify] https://crrev.com/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5/third_party/libxml/src/error.c
[modify] https://crrev.com/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5/third_party/libxml/src/hash.c
[modify] https://crrev.com/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5/third_party/libxml/src/include/libxml/HTMLparser.h
[modify] https://crrev.com/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5/third_party/libxml/src/include/libxml/schemasInternals.h
[modify] https://crrev.com/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5/third_party/libxml/src/include/libxml/xmlreader.h
[modify] https://crrev.com/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5/third_party/libxml/src/libxml.m4
[modify] https://crrev.com/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5/third_party/libxml/src/libxml2.spec
[modify] https://crrev.com/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5/third_party/libxml/src/list.c
[modify] https://crrev.com/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5/third_party/libxml/src/nanohttp.c
[modify] https://crrev.com/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5/third_party/libxml/src/parser.c
[modify] https://crrev.com/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5/third_party/libxml/src/parserInternals.c
[modify] https://crrev.com/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5/third_party/libxml/src/runtest.c
[modify] https://crrev.com/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5/third_party/libxml/src/testThreads.c
[modify] https://crrev.com/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5/third_party/libxml/src/threads.c
[modify] https://crrev.com/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5/third_party/libxml/src/tree.c
[modify] https://crrev.com/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5/third_party/libxml/src/valid.c
[modify] https://crrev.com/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5/third_party/libxml/src/xmlIO.c
[modify] https://crrev.com/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5/third_party/libxml/src/xmlmemory.c
[modify] https://crrev.com/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5/third_party/libxml/src/xmlreader.c
[modify] https://crrev.com/cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5/third_party/libxml/src/xmlstring.c

Labels: Merge-Request-61
Status: Fixed (was: Started)
ClusterFuzz, do your thing.

Comment 14 by sheriffbot@chromium.org, Aug 14 2017

Labels: -Merge-Request-61 Merge-Review-61 Hotlist-Merge-Review
This bug requires manual review: M61 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), ketakid@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: awhalley@chromium.org
+awhalley@ for M61 merge review (CL at comment #12 didn't make it to canary yet)

Comment 16 by ClusterFuzz, Aug 14 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5091504392765440 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 17 by ClusterFuzz, Aug 14 2017

ClusterFuzz has detected this issue as fixed in range 494006:494012.

Detailed report: https://clusterfuzz.com/testcase?key=5509219355983872

Fuzzer: libFuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x6020000006cd
Crash State:
  xmlSAX2AttributeNs
  xmlSAX2StartElementNs
  xmlParseStartTag2
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=480737:480767
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=494006:494012

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5509219355983872

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 18 by sheriffbot@chromium.org, Aug 14 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -Merge-Review-61 Merge-Approved-61
Approving merge for M61 Chrome OS.

Comment 20 by bugdroid1@chromium.org, Aug 15 2017

Labels: -merge-approved-61 merge-merged-3163
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/520bbb7e468bdbce3d52b11b2bb576cd50e92316

commit 520bbb7e468bdbce3d52b11b2bb576cd50e92316
Author: Dominic Cooney <dominicc@chromium.org>
Date: Tue Aug 15 01:09:02 2017

Roll libxml to 27f310d453b7e2e71847e5910a0961753aacdbd1

TBR=dominicc@chromium.org

(cherry picked from commit cc6c1eb1271f22d3d3aaef1d9ae0053dd22b3fa5)

Bug: 749397, 750430
Change-Id: Id15d1ebcc54a7dc70fb869622b9acb85770bf367
Reviewed-on: https://chromium-review.googlesource.com/609563
Commit-Queue: Dominic Cooney <dominicc@chromium.org>
Reviewed-by: Scott Graham <scottmg@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#494008}
Reviewed-on: https://chromium-review.googlesource.com/614924
Reviewed-by: Dominic Cooney <dominicc@chromium.org>
Cr-Commit-Position: refs/branch-heads/3163@{#565}
Cr-Branched-From: ff259bab28b35d242e10186cd63af7ed404fae0d-refs/heads/master@{#488528}
[modify] https://crrev.com/520bbb7e468bdbce3d52b11b2bb576cd50e92316/third_party/WebKit/LayoutTests/http/tests/security/xss-DENIED-xsl-external-entity-expected.txt
[modify] https://crrev.com/520bbb7e468bdbce3d52b11b2bb576cd50e92316/third_party/libxml/README.chromium
[modify] https://crrev.com/520bbb7e468bdbce3d52b11b2bb576cd50e92316/third_party/libxml/src/ChangeLog
[modify] https://crrev.com/520bbb7e468bdbce3d52b11b2bb576cd50e92316/third_party/libxml/src/HTMLparser.c
[modify] https://crrev.com/520bbb7e468bdbce3d52b11b2bb576cd50e92316/third_party/libxml/src/Makefile.am
[modify] https://crrev.com/520bbb7e468bdbce3d52b11b2bb576cd50e92316/third_party/libxml/src/Makefile.in
[modify] https://crrev.com/520bbb7e468bdbce3d52b11b2bb576cd50e92316/third_party/libxml/src/SAX2.c
[modify] https://crrev.com/520bbb7e468bdbce3d52b11b2bb576cd50e92316/third_party/libxml/src/buf.c
[modify] https://crrev.com/520bbb7e468bdbce3d52b11b2bb576cd50e92316/third_party/libxml/src/dict.c
[modify] https://crrev.com/520bbb7e468bdbce3d52b11b2bb576cd50e92316/third_party/libxml/src/encoding.c
[modify] https://crrev.com/520bbb7e468bdbce3d52b11b2bb576cd50e92316/third_party/libxml/src/error.c
[modify] https://crrev.com/520bbb7e468bdbce3d52b11b2bb576cd50e92316/third_party/libxml/src/hash.c
[modify] https://crrev.com/520bbb7e468bdbce3d52b11b2bb576cd50e92316/third_party/libxml/src/include/libxml/HTMLparser.h
[modify] https://crrev.com/520bbb7e468bdbce3d52b11b2bb576cd50e92316/third_party/libxml/src/include/libxml/schemasInternals.h
[modify] https://crrev.com/520bbb7e468bdbce3d52b11b2bb576cd50e92316/third_party/libxml/src/include/libxml/xmlreader.h
[modify] https://crrev.com/520bbb7e468bdbce3d52b11b2bb576cd50e92316/third_party/libxml/src/libxml.m4
[modify] https://crrev.com/520bbb7e468bdbce3d52b11b2bb576cd50e92316/third_party/libxml/src/libxml2.spec
[modify] https://crrev.com/520bbb7e468bdbce3d52b11b2bb576cd50e92316/third_party/libxml/src/list.c
[modify] https://crrev.com/520bbb7e468bdbce3d52b11b2bb576cd50e92316/third_party/libxml/src/nanohttp.c
[modify] https://crrev.com/520bbb7e468bdbce3d52b11b2bb576cd50e92316/third_party/libxml/src/parser.c
[modify] https://crrev.com/520bbb7e468bdbce3d52b11b2bb576cd50e92316/third_party/libxml/src/parserInternals.c
[modify] https://crrev.com/520bbb7e468bdbce3d52b11b2bb576cd50e92316/third_party/libxml/src/runtest.c
[modify] https://crrev.com/520bbb7e468bdbce3d52b11b2bb576cd50e92316/third_party/libxml/src/testThreads.c
[modify] https://crrev.com/520bbb7e468bdbce3d52b11b2bb576cd50e92316/third_party/libxml/src/threads.c
[modify] https://crrev.com/520bbb7e468bdbce3d52b11b2bb576cd50e92316/third_party/libxml/src/tree.c
[modify] https://crrev.com/520bbb7e468bdbce3d52b11b2bb576cd50e92316/third_party/libxml/src/valid.c
[modify] https://crrev.com/520bbb7e468bdbce3d52b11b2bb576cd50e92316/third_party/libxml/src/xmlIO.c
[modify] https://crrev.com/520bbb7e468bdbce3d52b11b2bb576cd50e92316/third_party/libxml/src/xmlmemory.c
[modify] https://crrev.com/520bbb7e468bdbce3d52b11b2bb576cd50e92316/third_party/libxml/src/xmlreader.c
[modify] https://crrev.com/520bbb7e468bdbce3d52b11b2bb576cd50e92316/third_party/libxml/src/xmlstring.c

Labels: -ReleaseBlock-Stable
Cc: wellnho...@aevum.de

Comment 23 by sheriffbot@chromium.org, Nov 20 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
