php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #74460 Heap-based Buffer Overflow in DOM parser
Submitted: 2017-04-17 13:00 UTC Modified: 2017-06-25 07:13 UTC
From: marcel dot boehme at acm dot org Assigned:
Status: Not a bug Package: DOM XML related
PHP Version: master-Git-2017-04-17 (Git) OS: Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: marcel dot boehme at acm dot org
New email:
PHP Version: OS:

 

 [2017-04-17 13:00 UTC] marcel dot boehme at acm dot org
Description:
------------
Dear all,

In a fuzzing session with AFLGo, a directed version of AFL/AFLFast, we found a heap-based buffer overflow in LibXML2 (git master) -- causing an invalid READ of size 109. Thanks also to Thuan Pham!

Our upstream bug report (currently non-public): https://bugzilla.gnome.org/show_bug.cgi?id=781361

$ ../libxml2/xmllint --version
/src/libxml2/.libs/lt-xmllint: using libxml version 20904-GITv2.9.4-16-g0741801
   compiled with: Threads Tree Output Push Reader Patterns Writer SAXv1 FTP HTTP DTDValid HTML Legacy C14N Catalog XPath XPointer XInclude Iconv ISO8859X Unicode Regexps Automata Expr Schemas Schematron Modules Debug

$ sapi/cli/php --version                                                                               
PHP 7.2.0-dev (cli) (built: Apr 17 2017 09:22:02) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.2.0-dev, Copyright (c) 1998-2017 Zend Technologies

How to reproduce:
* Configure and build Libxml2 with ASAN
* Configure PHP --with-libxml-dir ..
* Build PHP with ASAN

$ wget https://www.comp.nus.edu.sg/~mboehme/3.large.xml
$ sapi/cli/php test.php   #see below

Test script:
---------------
<?php
$doc = new DOMDocument();
$XML_PARSE_OLD10 = 1<<17; /* LIBXML Constant */
$doc->load('3.large.xml', $XML_PARSE_OLD10);
?>

Actual result:
--------------
Warning: DOMDocument::load(): MixedContentDecl : '|' or ')*' expected in Entity, line: 3 in /src/php-src/test2.php on line 5
=================================================================
==134897==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300002c069 at pc 0x0000004df605 bp 0x7ffcc09ef0d0 sp 0x7ffcc09ee880
READ of size 109 at 0x60300002c069 thread T0
    #0 0x4df604 in __asan_memcpy /src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:455
    #1 0x7f9deb50dae1 in xmlDictAddString /src/libxml2/dict.c:285:5
    #2 0x7f9deb50dae1 in xmlDictLookup__internal_alias /src/libxml2/dict.c:926
    #3 0x7f9deaf3b760 in xmlParseNameComplex /src/libxml2/parser.c
    #4 0x7f9deaf3b760 in xmlParseName__internal_alias /src/libxml2/parser.c:3487
    #5 0x7f9deaf83ff6 in xmlParseElementDecl__internal_alias /src/libxml2/parser.c:6718:16
    #6 0x7f9deaf86500 in xmlParseMarkupDecl__internal_alias /src/libxml2/parser.c:6997:4
    #7 0x7f9deafc4e56 in xmlParseInternalSubset /src/libxml2/parser.c:8482:6
    #8 0x7f9deafc2eb4 in xmlParseDocument__internal_alias /src/libxml2/parser.c:10930:6
    #9 0x1212387 in dom_document_parser /src/php-src/ext/dom/document.c:1449:2
    #10 0x1212387 in dom_parse_document /src/php-src/ext/dom/document.c:1505
    #11 0x20da413 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /src/php-src/Zend/zend_vm_execute.h:954:4
    #12 0x1ee529e in execute_ex /src/php-src/Zend/zend_vm_execute.h:432:7
    #13 0x1ee663e in zend_execute /src/php-src/Zend/zend_vm_execute.h:474:2
    #14 0x1cfa501 in zend_execute_scripts /src/php-src/Zend/zend.c:1537:4
    #15 0x1a17ae4 in php_execute_script /src/php-src/main/main.c:2548:14
    #16 0x236834c in do_cli /src/php-src/sapi/cli/php_cli.c:997:5
    #17 0x23640df in main /src/php-src/sapi/cli/php_cli.c:1390:18
    #18 0x7f9dea45482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #19 0x43b238 in _start (/src/php-src/sapi/cli/php+0x43b238)

0x60300002c069 is located 0 bytes to the right of 25-byte region [0x60300002c050,0x60300002c069)
allocated by thread T0 here:
    #0 0x4f5f98 in malloc /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
    #1 0x7f9deb286b46 in xmlStrndup__internal_alias /src/libxml2/xmlstring.c:45:23
    #2 0x7f9deb286b46 in xmlStrdup__internal_alias /src/libxml2/xmlstring.c:71
    #3 0x7f9deb08bbe5 in xmlPathToURI__internal_alias /src/libxml2/uri.c:2537:9
    #4 0x7f9deb51c8b6 in xmlSAX2StartDocument__internal_alias /src/libxml2/SAX2.c:1034:21
    #5 0x7f9deafc2640 in xmlParseDocument__internal_alias /src/libxml2/parser.c:10905:9
    #6 0x1212387 in dom_document_parser /src/php-src/ext/dom/document.c:1449:2
    #7 0x1212387 in dom_parse_document /src/php-src/ext/dom/document.c:1505
    #8 0x20da413 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /src/php-src/Zend/zend_vm_execute.h:954:4
    #9 0x1ee529e in execute_ex /src/php-src/Zend/zend_vm_execute.h:432:7
    #10 0x1ee663e in zend_execute /src/php-src/Zend/zend_vm_execute.h:474:2
    #11 0x1cfa501 in zend_execute_scripts /src/php-src/Zend/zend.c:1537:4
    #12 0x1a17ae4 in php_execute_script /src/php-src/main/main.c:2548:14
    #13 0x236834c in do_cli /src/php-src/sapi/cli/php_cli.c:997:5
    #14 0x23640df in main /src/php-src/sapi/cli/php_cli.c:1390:18
    #15 0x7f9dea45482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:455 in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c067fffd7b0: 00 00 00 00 fa fa fd fd fd fd fa fa 00 00 07 fa
  0x0c067fffd7c0: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fffd7d0: 00 00 fa fa 00 00 00 00 fa fa fd fd fd fd fa fa
  0x0c067fffd7e0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fffd7f0: fa fa fd fd fd fd fa fa 00 00 00 01 fa fa 00 00
=>0x0c067fffd800: 00 00 fa fa fd fd fd fd fa fa 00 00 00[01]fa fa
  0x0c067fffd810: 00 00 00 00 fa fa 00 00 06 fa fa fa 00 00 00 00
  0x0c067fffd820: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fffd830: 00 00 fa fa 00 00 07 fa fa fa fa fa fa fa fa fa
  0x0c067fffd840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffd850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-06-06 01:53 UTC] marcel dot boehme at acm dot org
Assigned CVE-2017-9049 and CVE-2017-9050 [1], [2]
Fixed in LibXML2 trunk [3]

Kindly checkout from LibXML2 trunk, assess whether this is considered a security issue, and what is its severity.

[1] .. http://www.openwall.com/lists/oss-security/2017/05/15/1
[2] .. http://www.openwall.com/lists/oss-security/2017/05/22/1
[3] .. https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3
 [2017-06-25 01:11 UTC] marcel dot boehme at acm dot org
-Package: XML related +Package: DOM XML related
 [2017-06-25 01:11 UTC] marcel dot boehme at acm dot org
*ping*
 [2017-06-25 06:35 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2017-06-25 06:35 UTC] stas@php.net
I'm not sure what there is to do on PHP side? This seems to be libxml2 bug, fixed in libxml2, so what is the PHP part here?
 [2017-06-25 07:11 UTC] marcel dot boehme at acm dot org
-Status: Feedback +Status: Open
 [2017-06-25 07:11 UTC] marcel dot boehme at acm dot org
While these are certainly not bugs in PHP, our reports do constitute vulnerabilities in PHP as demonstrated with our test cases. From our understanding a vulnerability in a third-party library that can be reproduced in PHP warrants the classification as security issue (https://wiki.php.net/security). When a PHP maintainer has decided on the classification, we would trigger the process with the Internet Bug Bounty Panel.

As far as PHP users are concerned, the vulnerability is fixed when LibXML is updated.
 [2017-06-25 07:13 UTC] stas@php.net
-Status: Open +Status: Not a bug
 [2017-06-25 07:13 UTC] stas@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 26 14:01:30 2024 UTC