Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 28 Jun 2016 09:22:37 +0200
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Apache Xerces getLastExtEntityInfo Use-After-Free

2016-06-28 9:13 GMT+02:00 Marco Grassi <marco.gra@...il.com>:
> Hi Gustavo,
>
> thank you for the feedback, yes applying that patch manually to trunk
> resolves the UAF

No problem! thanks for fuzzing and reporting issues in xml parsers!

>
> is there a svn branch where this patch is already applied to retest?

I don't know. You should ask the Xerces manteiner (Scott Cantor).

>
> Marco
>
> On Tue, Jun 28, 2016 at 2:57 PM, Gustavo Grieco <gustavo.grieco@...il.com>
> wrote:
>
>> Hi,
>>
>> Is it related with CVE-2016-2099 still unfixed in 3.1.3
>> (https://issues.apache.org/jira/browse/XERCESC-2066) ?
>>
>> Thanks!
>>
>> 2016-06-28 8:50 GMT+02:00 Marco Grassi <marco.gra@...il.com>:
>> > Hi,
>> >
>> > the attached xml will trigger a UAF in xerces-c version 3.1.3 and the
>> trunk
>> > version
>> >
>> >
>> > ➜  xml cat xerces_uaf | xerces-c-3.1.3/samples/StdInParse
>> > =================================================================
>> > ==16010==ERROR: AddressSanitizer: heap-use-after-free on address
>> 0xf4a0dfcc
>> > at pc 0x0836c7f4 bp 0xfff9a198 sp 0xfff9a188
>> > READ of size 1 at 0xf4a0dfcc thread T0
>> >     #0 0x836c7f3 in
>> >
>> xercesc_3_1::ReaderMgr::getLastExtEntityInfo(xercesc_3_1::ReaderMgr::LastExtEntityInfo&)
>> > const xercesc/internal/ReaderMgr.cpp:833
>> >     #1 0x83a42d4 in
>> > xercesc_3_1::XMLScanner::emitError(xercesc_3_1::XMLErrs::Codes,
>> > xercesc_3_1::XMLExcepts::Codes, unsigned short const*, unsigned short
>> > const*, unsigned short const*, unsigned short const*)
>> > xercesc/internal/XMLScanner.cpp:927
>> >     #2 0x8e40963 in
>> > xercesc_3_1::IGXMLScanner::scanDocument(xercesc_3_1::InputSource const&)
>> > xercesc/internal/IGXMLScanner.cpp:276
>> >     #3 0x84b4cca in
>> xercesc_3_1::SAXParser::parse(xercesc_3_1::InputSource
>> > const&) xercesc/parsers/SAXParser.cpp:575
>> >     #4 0x80533d6 in main src/StdInParse/StdInParse.cpp:186
>> >     #5 0xf6dd5636 in __libc_start_main (/lib32/libc.so.6+0x18636)
>> >     #6 0x80624f1
>> >
>> (/home/bob/VulnResearch/misc/xml/xerces-c-3.1.3/samples/StdInParse+0x80624f1)
>> >
>> > 0xf4a0dfcc is located 44 bytes inside of 56-byte region
>> > [0xf4a0dfa0,0xf4a0dfd8)
>> > freed by thread T0 here:
>> >     #0 0xf7228034 in operator delete(void*)
>> > (/usr/lib32/libasan.so.3+0xc5034)
>> >     #1 0x80992df in xercesc_3_1::XMemory::operator delete(void*)
>> > xercesc/util/XMemory.cpp:89
>> >
>> > previously allocated by thread T0 here:
>> >     #0 0xf72279b4 in operator new(unsigned int)
>> > (/usr/lib32/libasan.so.3+0xc49b4)
>> >     #1 0x8357ad9 in xercesc_3_1::MemoryManagerImpl::allocate(unsigned
>> int)
>> > xercesc/internal/MemoryManagerImpl.cpp:40
>> >     #2 0x8099042 in xercesc_3_1::XMemory::operator new(unsigned int,
>> > xercesc_3_1::MemoryManager*) xercesc/util/XMemory.cpp:68
>> >
>> > SUMMARY: AddressSanitizer: heap-use-after-free
>> > xercesc/internal/ReaderMgr.cpp:833 in
>> >
>> xercesc_3_1::ReaderMgr::getLastExtEntityInfo(xercesc_3_1::ReaderMgr::LastExtEntityInfo&)
>> > const
>> > Shadow bytes around the buggy address:
>> >   0x3e941ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>> >   0x3e941bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>> >   0x3e941bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>> >   0x3e941bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>> >   0x3e941be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>> > =>0x3e941bf0: fa fa fa fa fd fd fd fd fd[fd]fd fa fa fa fa fa
>> >   0x3e941c00: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
>> >   0x3e941c10: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
>> >   0x3e941c20: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
>> >   0x3e941c30: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
>> >   0x3e941c40: 00 00 04 fa fa fa fa fa 00 00 00 00 00 00 04 fa
>> > Shadow byte legend (one shadow byte represents 8 application bytes):
>> >   Addressable:           00
>> >   Partially addressable: 01 02 03 04 05 06 07
>> >   Heap left redzone:       fa
>> >   Heap right redzone:      fb
>> >   Freed heap region:       fd
>> >   Stack left redzone:      f1
>> >   Stack mid redzone:       f2
>> >   Stack right redzone:     f3
>> >   Stack partial redzone:   f4
>> >   Stack after return:      f5
>> >   Stack use after scope:   f8
>> >   Global redzone:          f9
>> >   Global init order:       f6
>> >   Poisoned by user:        f7
>> >   Container overflow:      fc
>> >   Array cookie:            ac
>> >   Intra object redzone:    bb
>> >   ASan internal:           fe
>> >   Left alloca redzone:     ca
>> >   Right alloca redzone:    cb
>> > ==16010==ABORTING
>> >
>> >
>> >
>> > Marco
>> >
>> > https://marcograss.github.io/
>>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.