CVE-2023-45322: Memory error: heap-use-after-free in xmllint (xmlUnlinkNode) (#583) · Issues · GNOME / libxml2 · GitLab

** DISPUTED ** libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor’s position is “I don’t think these issues are critical enough to warrant a CVE ID … because an attacker typically can’t control when memory allocations fail.”

Memory error: heap-use-after-free in xmllint (xmlUnlinkNode)

I am using the current commit 778cca38.

There is a heap-use-after-free error when I run xmllint on some input file with some program options. I attach the XML input file here: input.xml

To reproduce the error, run:

./libxml2/xmllint --copy --html --maxmem 315229 input.xml

The ASAN output is the following:

==12246==ERROR: AddressSanitizer: heap-use-after-free on address 0xffffa3052580 at pc 0xaaaacd087148 bp 0xffffc11cad10 sp 0xffffc11cad20
WRITE of size 8 at 0xffffa3052580 thread T0
    #0 0xaaaacd087144 in xmlUnlinkNode (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc07144)
    #1 0xaaaacd06ceac in xmlFreeDoc (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xbeceac)
    #2 0xaaaaccee01d8 in parseAndPrintFile (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa601d8)
    #3 0xaaaacceeed08 in main (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa6ed08)
    #4 0xffffa82a73f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #5 0xffffa82a74c8 in __libc_start_main_impl ../csu/libc-start.c:392
    #6 0xaaaaccecf7ec in _start (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa4f7ec)

0xffffa3052580 is located 96 bytes inside of 160-byte region [0xffffa3052520,0xffffa30525c0)
freed by thread T0 here:
    #0 0xffffa8c79fe8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0xaaaacd141a3c in xmlMemFree (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xcc1a3c)
    #2 0xaaaacced0d04 in myFreeFunc (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa50d04)
    #3 0xaaaacd0842e4 in xmlFreeNodeList (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc042e4)
    #4 0xaaaacd08db9c in xmlStaticCopyNodeList (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc0db9c)
    #5 0xaaaacd090238 in xmlCopyDoc (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc10238)
    #6 0xaaaaccedd330 in parseAndPrintFile (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa5d330)
    #7 0xaaaacceeed08 in main (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa6ed08)
    #8 0xffffa82a73f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #9 0xffffa82a74c8 in __libc_start_main_impl ../csu/libc-start.c:392
    #10 0xaaaaccecf7ec in _start (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa4f7ec)

previously allocated by thread T0 here:
    #0 0xffffa8c7a2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0xaaaacd13fd0c in xmlMallocLoc (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xcbfd0c)
    #2 0xaaaacd140b58 in xmlMemMalloc (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xcc0b58)
    #3 0xaaaacced0d24 in myMallocFunc (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa50d24)
    #4 0xaaaacd08abf8 in xmlStaticCopyNode (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc0abf8)
    #5 0xaaaacd08d930 in xmlStaticCopyNodeList (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc0d930)
    #6 0xaaaacd090238 in xmlCopyDoc (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc10238)
    #7 0xaaaaccedd330 in parseAndPrintFile (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa5d330)
    #8 0xaaaacceeed08 in main (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa6ed08)
    #9 0xffffa82a73f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #10 0xffffa82a74c8 in __libc_start_main_impl ../csu/libc-start.c:392
    #11 0xaaaaccecf7ec in _start (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa4f7ec)

SUMMARY: AddressSanitizer: heap-use-after-free (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc07144) in xmlUnlinkNode
Shadow bytes around the buggy address:
  0x200ff460a460: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
  0x200ff460a470: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x200ff460a480: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x200ff460a490: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x200ff460a4a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x200ff460a4b0:[fd]fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x200ff460a4c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x200ff460a4d0: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
  0x200ff460a4e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x200ff460a4f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x200ff460a500: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==12246==ABORTING

If any program option is removed, the issue does not trigger.
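
The trace above shows a node freed on the copy path (xmlFreeNodeList under xmlStaticCopyNodeList) and written again when the document is freed (xmlUnlinkNode under xmlFreeDoc), which only happens once an allocation fails. The following is an added example, not part of the original issue and not libxml2 code: a constructed toy document/list model with a fault-injecting allocator (all names hypothetical) that fails each allocation in turn and checks that the failure path frees the partial copy without leaving the owner pointing at it.

```c
#include <stdlib.h>

/* Constructed toy model (not libxml2 code): a document that owns a child list. */
typedef struct node { struct node *next; int value; } node;
typedef struct doc { node *children; } doc;
static long fail_at = -1;       /* 1-based allocation to fail; -1 = never */
static long alloc_count, live;  /* allocations attempted / blocks still live */

static void *t_malloc(size_t n) {
    if (++alloc_count == fail_at) return NULL;  /* injected failure */
    void *p = malloc(n);
    if (p) live++;
    return p;
}
static void t_free(void *p) { if (p) { live--; free(p); } }
static void free_list(node *n) {
    while (n) { node *next = n->next; t_free(n); n = next; }
}
static void free_doc(doc *d) { if (d) { free_list(d->children); t_free(d); } }

/* Copy src's children into dst. On failure the partial list is freed AND the
   owner's link is cleared, so a later free_doc(dst) never walks freed nodes. */
static int copy_children(doc *dst, const doc *src) {
    node **tail = &dst->children;
    for (const node *s = src->children; s; s = s->next) {
        node *c = t_malloc(sizeof *c);
        if (!c) {
            free_list(dst->children);
            dst->children = NULL;  /* without this, free_doc() is a use-after-free */
            return -1;
        }
        c->value = s->value; c->next = NULL;
        *tail = c; tail = &c->next;
    }
    return 0;
}

/* Fail allocations 1..5 in turn over a constructed 3-node source; returns the
   number of runs whose alloc/free count does not balance (0 = clean). */
static int sweep_failures(void) {
    node c = {NULL, 3}, b = {&c, 2}, a = {&b, 1};
    doc src = {&a};
    int bad = 0;
    for (long i = 1; i <= 5; i++) {
        fail_at = i; alloc_count = 0; live = 0;
        doc *d = t_malloc(sizeof *d);
        if (d) { d->children = NULL; copy_children(d, &src); free_doc(d); }
        if (live != 0) bad++;
    }
    fail_at = -1;
    return bad;
}
int main(void) { return sweep_failures(); }
```

Building a sweep like this with AddressSanitizer enabled turns a dangling link on any failure path into a report of the same kind as the one above.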

Related news

Gentoo Linux Security Advisory 202402-11

Gentoo Linux Security Advisory 202402-11 - Multiple denial of service vulnerabilities have been found in libxml2. Versions greater than or equal to 2.12.5 are affected.
