List: oss-security
Subject: Re: [oss-security] Apache Xerces getLastExtEntityInfo Use-After-Free
From: Gustavo Grieco <gustavo.grieco () gmail ! com>
Date: 2016-06-28 7:22:37
Message-ID: CACn5sdQG-M4FXwRBmFLY7MV3WCZ+sh9MtEgj-cVJL0-gOH7zrA () mail ! gmail ! com
2016-06-28 9:13 GMT+02:00 Marco Grassi <marco.gra@gmail.com>:
> Hi Gustavo,
>
> thank you for the feedback, yes applying that patch manually to trunk
> resolves the UAF
No problem! thanks for fuzzing and reporting issues in xml parsers!
>
> is there a svn branch where this patch is already applied to retest?
I don't know. You should ask the Xerces maintainer (Scott Cantor).
>
> Marco
>
> On Tue, Jun 28, 2016 at 2:57 PM, Gustavo Grieco <gustavo.grieco@gmail.com> wrote:
>
>> Hi,
>>
>> Is it related to CVE-2016-2099, still unfixed in 3.1.3
>> (https://issues.apache.org/jira/browse/XERCESC-2066)?
>>
>> Thanks!
>>
>> 2016-06-28 8:50 GMT+02:00 Marco Grassi <marco.gra@gmail.com>:
>> > Hi,
>> >
>> > the attached xml will trigger a UAF in xerces-c version 3.1.3 and the trunk version
>> >
>> >
>> > ➜ xml cat xerces_uaf | xerces-c-3.1.3/samples/StdInParse
>> > =================================================================
>> > ==16010==ERROR: AddressSanitizer: heap-use-after-free on address 0xf4a0dfcc at pc 0x0836c7f4 bp 0xfff9a198 sp 0xfff9a188
>> > READ of size 1 at 0xf4a0dfcc thread T0
>> >     #0 0x836c7f3 in xercesc_3_1::ReaderMgr::getLastExtEntityInfo(xercesc_3_1::ReaderMgr::LastExtEntityInfo&) const xercesc/internal/ReaderMgr.cpp:833
>> >     #1 0x83a42d4 in xercesc_3_1::XMLScanner::emitError(xercesc_3_1::XMLErrs::Codes, xercesc_3_1::XMLExcepts::Codes, unsigned short const*, unsigned short const*, unsigned short const*, unsigned short const*) xercesc/internal/XMLScanner.cpp:927
>> >     #2 0x8e40963 in xercesc_3_1::IGXMLScanner::scanDocument(xercesc_3_1::InputSource const&) xercesc/internal/IGXMLScanner.cpp:276
>> >     #3 0x84b4cca in xercesc_3_1::SAXParser::parse(xercesc_3_1::InputSource const&) xercesc/parsers/SAXParser.cpp:575
>> >     #4 0x80533d6 in main src/StdInParse/StdInParse.cpp:186
>> >     #5 0xf6dd5636 in __libc_start_main (/lib32/libc.so.6+0x18636)
>> >     #6 0x80624f1 (/home/bob/VulnResearch/misc/xml/xerces-c-3.1.3/samples/StdInParse+0x80624f1)
>> >
>> > 0xf4a0dfcc is located 44 bytes inside of 56-byte region [0xf4a0dfa0,0xf4a0dfd8)
>> > freed by thread T0 here:
>> >     #0 0xf7228034 in operator delete(void*) (/usr/lib32/libasan.so.3+0xc5034)
>> >     #1 0x80992df in xercesc_3_1::XMemory::operator delete(void*) xercesc/util/XMemory.cpp:89
>> >
>> > previously allocated by thread T0 here:
>> >     #0 0xf72279b4 in operator new(unsigned int) (/usr/lib32/libasan.so.3+0xc49b4)
>> >     #1 0x8357ad9 in xercesc_3_1::MemoryManagerImpl::allocate(unsigned int) xercesc/internal/MemoryManagerImpl.cpp:40
>> >     #2 0x8099042 in xercesc_3_1::XMemory::operator new(unsigned int, xercesc_3_1::MemoryManager*) xercesc/util/XMemory.cpp:68
>> >
>> > SUMMARY: AddressSanitizer: heap-use-after-free xercesc/internal/ReaderMgr.cpp:833 in xercesc_3_1::ReaderMgr::getLastExtEntityInfo(xercesc_3_1::ReaderMgr::LastExtEntityInfo&) const
>> > Shadow bytes around the buggy address:
>> >   0x3e941ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>> >   0x3e941bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>> >   0x3e941bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>> >   0x3e941bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>> >   0x3e941be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>> > =>0x3e941bf0: fa fa fa fa fd fd fd fd fd[fd]fd fa fa fa fa fa
>> >   0x3e941c00: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
>> >   0x3e941c10: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
>> >   0x3e941c20: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
>> >   0x3e941c30: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
>> >   0x3e941c40: 00 00 04 fa fa fa fa fa 00 00 00 00 00 00 04 fa
>> > Shadow byte legend (one shadow byte represents 8 application bytes):
>> >   Addressable:           00
>> >   Partially addressable: 01 02 03 04 05 06 07
>> >   Heap left redzone:       fa
>> >   Heap right redzone:      fb
>> >   Freed heap region:       fd
>> >   Stack left redzone:      f1
>> >   Stack mid redzone:       f2
>> >   Stack right redzone:     f3
>> >   Stack partial redzone:   f4
>> >   Stack after return:      f5
>> >   Stack use after scope:   f8
>> >   Global redzone:          f9
>> >   Global init order:       f6
>> >   Poisoned by user:        f7
>> >   Container overflow:      fc
>> >   Array cookie:            ac
>> >   Intra object redzone:    bb
>> >   ASan internal:           fe
>> >   Left alloca redzone:     ca
>> >   Right alloca redzone:    cb
>> > ==16010==ABORTING
>> >
>> >
>> >
>> > Marco
>> >
>> > https://marcograss.github.io/
>>
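Added example, not part of the thread above and not Xerces or ASan project code: a small Python triage helper of the kind one reaches for when a fuzzing campaign like Marco's produces many reports. It parses an AddressSanitizer report into its error kind, the faulting access, the access/free/allocation stacks and the region geometry, then derives a stable bucket key from the top source-level frames so duplicate crashes can be collapsed before they are reported upstream. The embedded report is a constructed, abbreviated copy of the one quoted above; all function, class and field names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: abbreviated copy of the AddressSanitizer report from the thread.
SAMPLE_REPORT = """\
=================================================================
==16010==ERROR: AddressSanitizer: heap-use-after-free on address 0xf4a0dfcc at pc 0x0836c7f4 bp 0xfff9a198 sp 0xfff9a188
READ of size 1 at 0xf4a0dfcc thread T0
    #0 0x836c7f3 in xercesc_3_1::ReaderMgr::getLastExtEntityInfo(xercesc_3_1::ReaderMgr::LastExtEntityInfo&) const xercesc/internal/ReaderMgr.cpp:833
    #1 0x83a42d4 in xercesc_3_1::XMLScanner::emitError(xercesc_3_1::XMLErrs::Codes, xercesc_3_1::XMLExcepts::Codes, unsigned short const*, unsigned short const*, unsigned short const*, unsigned short const*) xercesc/internal/XMLScanner.cpp:927
    #2 0x8e40963 in xercesc_3_1::IGXMLScanner::scanDocument(xercesc_3_1::InputSource const&) xercesc/internal/IGXMLScanner.cpp:276
    #3 0x84b4cca in xercesc_3_1::SAXParser::parse(xercesc_3_1::InputSource const&) xercesc/parsers/SAXParser.cpp:575
    #4 0x80533d6 in main src/StdInParse/StdInParse.cpp:186
0xf4a0dfcc is located 44 bytes inside of 56-byte region [0xf4a0dfa0,0xf4a0dfd8)
freed by thread T0 here:
    #0 0xf7228034 in operator delete(void*) (/usr/lib32/libasan.so.3+0xc5034)
    #1 0x80992df in xercesc_3_1::XMemory::operator delete(void*) xercesc/util/XMemory.cpp:89
previously allocated by thread T0 here:
    #0 0xf72279b4 in operator new(unsigned int) (/usr/lib32/libasan.so.3+0xc49b4)
    #1 0x8357ad9 in xercesc_3_1::MemoryManagerImpl::allocate(unsigned int) xercesc/internal/MemoryManagerImpl.cpp:40
SUMMARY: AddressSanitizer: heap-use-after-free xercesc/internal/ReaderMgr.cpp:833 in xercesc_3_1::ReaderMgr::getLastExtEntityInfo(xercesc_3_1::ReaderMgr::LastExtEntityInfo&) const
"""


@dataclass
class Frame:
    index: int
    function: str
    location: str  # "path:line" when symbolized, otherwise "(module+offset)"

    def has_source(self) -> bool:
        return not self.location.startswith("(")


@dataclass
class AsanReport:
    pid: int
    kind: str          # e.g. "heap-use-after-free"
    address: int
    access: Optional[str] = None   # "READ" or "WRITE"
    size: Optional[int] = None
    thread: Optional[str] = None
    access_stack: List[Frame] = field(default_factory=list)
    freed_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)
    region: Optional[Tuple[int, int]] = None  # [start, end) of the freed chunk
    summary: Optional[str] = None

    def region_offset(self) -> Optional[int]:
        """Offset of the faulting address inside the freed region, if known."""
        return None if self.region is None else self.address - self.region[0]


HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+) thread (T\d+)")
# Greedy function match, then the final whitespace-separated token is the location.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.*)\s+(\S+)\s*$")
REGION_RE = re.compile(r"is located \d+ bytes inside of \d+-byte region \[(0x[0-9a-fA-F]+),(0x[0-9a-fA-F]+)\)")
SUMMARY_RE = re.compile(r"^SUMMARY: AddressSanitizer: (.*)$")


def parse_asan_report(text: str) -> AsanReport:
    """Parse one ASan report; frames are appended to whichever stack section is open."""
    report: Optional[AsanReport] = None
    current: Optional[List[Frame]] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            report = AsanReport(pid=int(m.group(1)), kind=m.group(2), address=int(m.group(3), 16))
            continue
        if report is None:
            continue  # ignore anything before the error header
        m = ACCESS_RE.match(line)
        if m:
            report.access, report.size, report.thread = m.group(1), int(m.group(2)), m.group(4)
            current = report.access_stack
            continue
        if line.startswith("freed by thread"):
            current = report.freed_stack
            continue
        if line.startswith("previously allocated by thread"):
            current = report.alloc_stack
            continue
        m = REGION_RE.search(line)
        if m:
            report.region = (int(m.group(1), 16), int(m.group(2), 16))
            current = None
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report.summary = m.group(1)
            current = None
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            current.append(Frame(int(m.group(1)), m.group(2).strip(), m.group(3)))
    if report is None:
        raise ValueError("no AddressSanitizer error header found")
    return report


def first_source_frame(stack: List[Frame]) -> Optional[Frame]:
    """First frame with a file:line, skipping runtime/libasan frames such as operator delete."""
    return next((f for f in stack if f.has_source()), None)


def crash_signature(report: AsanReport, depth: int = 3) -> str:
    """Bucket key: error kind plus the top `depth` source frames as basename:line,
    so the same bug found under different build paths dedupes to one entry."""
    parts = [report.kind]
    for frame in report.access_stack:
        if frame.has_source():
            parts.append(frame.location.rsplit("/", 1)[-1])
            if len(parts) == depth + 1:
                break
    return "|".join(parts)


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print(crash_signature(r))
    print("freed at:", first_source_frame(r.freed_stack).location,
          "allocated at:", first_source_frame(r.alloc_stack).location,
          "offset in region:", r.region_offset())
```

Feeding every crash file through parse_asan_report and keying a dict on crash_signature gives one entry per distinct bug; the freed-at and allocated-at source frames are what a maintainer needs first when reading a UAF report like the one above.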