CVE-2023-45322: Memory error: heap-use-after-free in xmllint (xmlUnlinkNode) (#583) · Issues · GNOME / libxml2 · GitLab
** DISPUTED ** libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor’s position is “I don’t think these issues are critical enough to warrant a CVE ID … because an attacker typically can’t control when memory allocations fail.”
Memory error: heap-use-after-free in xmllint (xmlUnlinkNode)
I am using the current commit 778cca38.
There is a heap-use-after-free error when I run xmllint on a certain input file with certain program options. I attach the XML input file here: input.xml
To reproduce the error, run:
./libxml2/xmllint --copy --html --maxmem 315229 input.xml
The ASAN output is the following:
==12246==ERROR: AddressSanitizer: heap-use-after-free on address 0xffffa3052580 at pc 0xaaaacd087148 bp 0xffffc11cad10 sp 0xffffc11cad20
WRITE of size 8 at 0xffffa3052580 thread T0
#0 0xaaaacd087144 in xmlUnlinkNode (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc07144)
#1 0xaaaacd06ceac in xmlFreeDoc (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xbeceac)
#2 0xaaaaccee01d8 in parseAndPrintFile (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa601d8)
#3 0xaaaacceeed08 in main (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa6ed08)
#4 0xffffa82a73f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#5 0xffffa82a74c8 in __libc_start_main_impl ../csu/libc-start.c:392
#6 0xaaaaccecf7ec in _start (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa4f7ec)
0xffffa3052580 is located 96 bytes inside of 160-byte region [0xffffa3052520,0xffffa30525c0)
freed by thread T0 here:
#0 0xffffa8c79fe8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0xaaaacd141a3c in xmlMemFree (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xcc1a3c)
#2 0xaaaacced0d04 in myFreeFunc (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa50d04)
#3 0xaaaacd0842e4 in xmlFreeNodeList (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc042e4)
#4 0xaaaacd08db9c in xmlStaticCopyNodeList (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc0db9c)
#5 0xaaaacd090238 in xmlCopyDoc (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc10238)
#6 0xaaaaccedd330 in parseAndPrintFile (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa5d330)
#7 0xaaaacceeed08 in main (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa6ed08)
#8 0xffffa82a73f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0xffffa82a74c8 in __libc_start_main_impl ../csu/libc-start.c:392
#10 0xaaaaccecf7ec in _start (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa4f7ec)
previously allocated by thread T0 here:
#0 0xffffa8c7a2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0xaaaacd13fd0c in xmlMallocLoc (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xcbfd0c)
#2 0xaaaacd140b58 in xmlMemMalloc (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xcc0b58)
#3 0xaaaacced0d24 in myMallocFunc (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa50d24)
#4 0xaaaacd08abf8 in xmlStaticCopyNode (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc0abf8)
#5 0xaaaacd08d930 in xmlStaticCopyNodeList (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc0d930)
#6 0xaaaacd090238 in xmlCopyDoc (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc10238)
#7 0xaaaaccedd330 in parseAndPrintFile (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa5d330)
#8 0xaaaacceeed08 in main (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa6ed08)
#9 0xffffa82a73f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#10 0xffffa82a74c8 in __libc_start_main_impl ../csu/libc-start.c:392
#11 0xaaaaccecf7ec in _start (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa4f7ec)
SUMMARY: AddressSanitizer: heap-use-after-free (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc07144) in xmlUnlinkNode
==12246==ABORTING
If any program option is removed, the issue does not trigger.
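The trigger in this report is an allocation limit (--maxmem), and the trace shows a node freed on the copy's failure path and then written to during document teardown. As an added example, not part of the issue or of libxml2, the C harness below fails each allocation of a toy tree builder in turn and checks that cleanup stays consistent; the Node/Doc layout and every function name are assumptions made for illustration.

```c
#include <stdlib.h>
/* Simplified model, not libxml2 code (layout and names are assumptions). */
typedef struct Node { struct Node *next, *prev; } Node;
typedef struct { Node *children, *subset; } Doc;  /* subset aliases a child */
static long fail_at = -1, alloc_no = 0, live = 0;
static void *fi_alloc(size_t n) {  /* call number fail_at returns NULL */
    void *p = (alloc_no++ == fail_at) ? NULL : calloc(1, n);
    if (p) live++;
    return p;
}
static void fi_free(void *p) { if (p) { live--; free(p); } }
/* Teardown unlinks the aliased node first, writing to its neighbours. */
static void free_doc(Doc *d) {
    Node *s = d->subset;
    if (s) {
        if (s->prev) s->prev->next = s->next; else d->children = s->next;
        if (s->next) s->next->prev = s->prev;
        fi_free(s);
    }
    for (Node *n = d->children; n; ) { Node *nx = n->next; fi_free(n); n = nx; }
    fi_free(d);
}
/* Nodes are linked as created, so the error path is the ordinary teardown. */
static Doc *make_doc(int count, int sub) {
    Doc *d = fi_alloc(sizeof *d);
    Node *tail = NULL;
    for (int i = 0; d && i < count; i++) {
        Node *c = fi_alloc(sizeof *c);
        if (!c) { free_doc(d); return NULL; }
        c->prev = tail;
        if (tail) tail->next = c; else d->children = c;
        if (i == sub) d->subset = c;
        tail = c;
    }
    return d;
}
/* Fail each allocation in turn; count runs that break an invariant. */
static int sweep(int count, int sub) {
    int bad = 0;
    for (fail_at = 0; fail_at <= count + 1; fail_at++) {  /* last: no fault */
        long before = live; alloc_no = 0;
        Doc *d = make_doc(count, sub);
        if (d) free_doc(d);
        if (live != before || (d != NULL) != (fail_at > count)) bad++;
    }
    fail_at = -1;
    return bad;
}
int main(void) { return sweep(8, 3); }
```

The live counter only catches leaks and wrong return values; build with -fsanitize=address so that an error path leaving a stale pointer aborts at the first bad write, as in the report above.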
Related news
Gentoo Linux Security Advisory 202402-11 - Multiple denial of service vulnerabilities have been found in libxml2. Versions greater than or equal to 2.12.5 are affected.