'Re: [oss-security] Apache Xerces getLastExtEntityInfo Use-After-Free'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] Apache Xerces getLastExtEntityInfo Use-After-Free
From:       Gustavo Grieco <gustavo.grieco () gmail ! com>
Date:       2016-06-28 7:22:37
Message-ID: CACn5sdQG-M4FXwRBmFLY7MV3WCZ+sh9MtEgj-cVJL0-gOH7zrA () mail ! gmail ! com
[Download RAW message or body]

2016-06-28 9:13 GMT+02:00 Marco Grassi <marco.gra@gmail.com>:
> Hi Gustavo,
>
> thank you for the feedback, yes applying that patch manually to trunk
> resolves the UAF

No problem! thanks for fuzzing and reporting issues in xml parsers!

>
> is there a svn branch where this patch is already applied to retest?

I don't know. You should ask the Xerces manteiner (Scott Cantor).

>
> Marco
>
> On Tue, Jun 28, 2016 at 2:57 PM, Gustavo Grieco <gustavo.grieco@gmail.com>
> wrote:
>
>> Hi,
>>
>> Is it related with CVE-2016-2099 still unfixed in 3.1.3
>> (https://issues.apache.org/jira/browse/XERCESC-2066) ?
>>
>> Thanks!
>>
>> 2016-06-28 8:50 GMT+02:00 Marco Grassi <marco.gra@gmail.com>:
>> > Hi,
>> >
>> > the attached xml will trigger a UAF in xerces-c version 3.1.3 and the
>> trunk
>> > version
>> >
>> >
>> > ➜  xml cat xerces_uaf | xerces-c-3.1.3/samples/StdInParse
>> > =================================================================
>> > ==16010==ERROR: AddressSanitizer: heap-use-after-free on address
>> 0xf4a0dfcc
>> > at pc 0x0836c7f4 bp 0xfff9a198 sp 0xfff9a188
>> > READ of size 1 at 0xf4a0dfcc thread T0
>> >     #0 0x836c7f3 in
>> >
>> xercesc_3_1::ReaderMgr::getLastExtEntityInfo(xercesc_3_1::ReaderMgr::LastExtEntityInfo&)
>> > const xercesc/internal/ReaderMgr.cpp:833
>> >     #1 0x83a42d4 in
>> > xercesc_3_1::XMLScanner::emitError(xercesc_3_1::XMLErrs::Codes,
>> > xercesc_3_1::XMLExcepts::Codes, unsigned short const*, unsigned short
>> > const*, unsigned short const*, unsigned short const*)
>> > xercesc/internal/XMLScanner.cpp:927
>> >     #2 0x8e40963 in
>> > xercesc_3_1::IGXMLScanner::scanDocument(xercesc_3_1::InputSource const&)
>> > xercesc/internal/IGXMLScanner.cpp:276
>> >     #3 0x84b4cca in
>> xercesc_3_1::SAXParser::parse(xercesc_3_1::InputSource
>> > const&) xercesc/parsers/SAXParser.cpp:575
>> >     #4 0x80533d6 in main src/StdInParse/StdInParse.cpp:186
>> >     #5 0xf6dd5636 in __libc_start_main (/lib32/libc.so.6+0x18636)
>> >     #6 0x80624f1
>> >
>> (/home/bob/VulnResearch/misc/xml/xerces-c-3.1.3/samples/StdInParse+0x80624f1)
>> >
>> > 0xf4a0dfcc is located 44 bytes inside of 56-byte region
>> > [0xf4a0dfa0,0xf4a0dfd8)
>> > freed by thread T0 here:
>> >     #0 0xf7228034 in operator delete(void*)
>> > (/usr/lib32/libasan.so.3+0xc5034)
>> >     #1 0x80992df in xercesc_3_1::XMemory::operator delete(void*)
>> > xercesc/util/XMemory.cpp:89
>> >
>> > previously allocated by thread T0 here:
>> >     #0 0xf72279b4 in operator new(unsigned int)
>> > (/usr/lib32/libasan.so.3+0xc49b4)
>> >     #1 0x8357ad9 in xercesc_3_1::MemoryManagerImpl::allocate(unsigned
>> int)
>> > xercesc/internal/MemoryManagerImpl.cpp:40
>> >     #2 0x8099042 in xercesc_3_1::XMemory::operator new(unsigned int,
>> > xercesc_3_1::MemoryManager*) xercesc/util/XMemory.cpp:68
>> >
>> > SUMMARY: AddressSanitizer: heap-use-after-free
>> > xercesc/internal/ReaderMgr.cpp:833 in
>> >
>> xercesc_3_1::ReaderMgr::getLastExtEntityInfo(xercesc_3_1::ReaderMgr::LastExtEntityInfo&)
>> > const
>> > Shadow bytes around the buggy address:
>> >   0x3e941ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>> >   0x3e941bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>> >   0x3e941bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>> >   0x3e941bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>> >   0x3e941be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>> > =>0x3e941bf0: fa fa fa fa fd fd fd fd fd[fd]fd fa fa fa fa fa
>> >   0x3e941c00: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
>> >   0x3e941c10: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
>> >   0x3e941c20: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
>> >   0x3e941c30: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
>> >   0x3e941c40: 00 00 04 fa fa fa fa fa 00 00 00 00 00 00 04 fa
>> > Shadow byte legend (one shadow byte represents 8 application bytes):
>> >   Addressable:           00
>> >   Partially addressable: 01 02 03 04 05 06 07
>> >   Heap left redzone:       fa
>> >   Heap right redzone:      fb
>> >   Freed heap region:       fd
>> >   Stack left redzone:      f1
>> >   Stack mid redzone:       f2
>> >   Stack right redzone:     f3
>> >   Stack partial redzone:   f4
>> >   Stack after return:      f5
>> >   Stack use after scope:   f8
>> >   Global redzone:          f9
>> >   Global init order:       f6
>> >   Poisoned by user:        f7
>> >   Container overflow:      fc
>> >   Array cookie:            ac
>> >   Intra object redzone:    bb
>> >   ASan internal:           fe
>> >   Left alloca redzone:     ca
>> >   Right alloca redzone:    cb
>> > ==16010==ABORTING
>> >
>> >
>> >
>> > Marco
>> >
>> > https://marcograss.github.io/
>>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic