[CVE-2018-20843] 88k xml file uses >2G memory #186

caolanm · 2018-01-25T15:38:40Z

valgrind --tool=massif xmlwf clusterfuzz-testcase-4543406568112128.txt
reports that xmlwf uses > 2G of memory to load this bogus xml document.

clusterfuzz-testcase-4543406568112128.txt

This was reported by oss-fuzz against LibreOffice (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5226) which uses expat and has the same memory use so I felt I should pass it on.

hartwork · 2018-01-25T20:29:41Z

Nice! 😄 Thanks for taking this report here.

RMJ10 · 2018-08-04T22:29:56Z

I haven't got all the way into this yet, but I suspect the culprit is setElementTypePrefix. It adds each prefix to the DTD string pool as it finds a colon; not each separate element, but the whole prefix from the start of the string to the colon it most recently found. That's the string "DIs", "DIS:BBBBBBB", "DIs:BBBBBBB:includeemBBBBBB" etc. That's going to add up to a lot of space given the long strings of colons in the attribute "name".

MohammedKhajapasha · 2019-05-07T12:36:05Z

Hi Caolanm,
Are you observing this issue with latest libexpat also? we have tried to reproduce this issue with given command and dummy xml file (valgrind --tool=massif xmlwf clusterfuzz-testcase-4543406568112128.txt) but we didn't observe any error here, could you please let us know if any configuration needed for this ? else could you please close this ticket.

hartwork · 2019-05-08T14:21:06Z

@MohammedKhajapasha the bug report is legit and still applies to 2.2.6:

# wget https://github.com/libexpat/libexpat/files/1664546/clusterfuzz-testcase-4543406568112128.txt
# time xmlwf clusterfuzz-testcase-4543406568112128.txt & while pgrep xmlwf >/dev/null; do echo $(grep -E '^(VmPeak|VmHWM)' /proc/$(pgrep xmlwf)/status); sleep 0.5 ; done | tail -n1
clusterfuzz-testcase-4543406568112128.txt:1:88403: no element found

real    0m18.761s
user    0m18.099s
sys     0m0.660s
VmPeak: 2301900 kB VmHWM: 2298436 kB

MohammedKhajapasha · 2019-06-11T18:57:11Z

As per our initial analysis & Rhodri James comments, the culprit was setElementTypePrefix() which adds all string from start when it founds colon, mBBBBBB:aBBBBQ:::::::::, for every continuous occurrence of colon it adds whole string from start to DTD pool repeatedly which leads increase in VmPeak & VmHWM for application process.

hartwork · 2019-06-13T19:26:27Z

Please note pull request #262 wishing for review. Thanks!

hartwork · 2019-06-24T18:21:36Z

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843

0512f05 depends: expat 2.2.7 (fanquake) Pull request description: Major changes in expat 2.2.7: * [#186](libexpat/libexpat#186) [#262](libexpat/libexpat#262) Fix extraction of namespace prefixes from XML names; XML names with multiple colons could end up in the wrong namespace, and take a high amount of RAM and CPU resources while processing, opening the door to use for denial-of-service attacks * [#227](libexpat/libexpat#227) Autotools: Add --without-examples and --without-tests Full changelog is available [here](https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes#L5). ACKs for top commit: laanwj: ACK 0512f05 Tree-SHA512: 45162a9b0011107fd59a97dae7b5eb61989dafbec26b1ee497d1b11bf5c6a119971096899caa2998648b82a62db57c629a1560453557146c2496b39a7f3f8de9

- exp-run by antoine PR: 238864 Submitted by: Sergei Vyshenski <svysh.fbsd@gmail.com> (maintainer) Reviewed by: koobs Relnotes: https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes Security: libexpat/libexpat#186 libexpat/libexpat#262 git-svn-id: svn+ssh://svn.freebsd.org/ports/head@512162 35697150-7ecd-e111-bb59-0022644237b5

- exp-run by antoine PR: 238864 Submitted by: Sergei Vyshenski <svysh.fbsd@gmail.com> (maintainer) Reviewed by: koobs Relnotes: https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes Security: libexpat/libexpat#186 libexpat/libexpat#262

textproc/expat2: upgrade 2.2.6 -> 2.2.7 - exp-run by antoine PR: 238864 Submitted by: Sergei Vyshenski <svysh.fbsd@gmail.com> (maintainer) Reviewed by: koobs Relnotes: https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes Security: libexpat/libexpat#186 libexpat/libexpat#262 textproc/expat2: upgrade 2.2.7 -> 2.2.8 PR: 240613 Submitted by: Sergei Vyshenski <svysh.fbsd@gmail.com> (maintainer) Exp-Run by: antoine Relnotes: https://github.com/libexpat/libexpat/blob/R_2_2_8/expat/Changes Security: CVE-2019-15903 Approved by: ports-secteam

0512f05 depends: expat 2.2.7 (fanquake) Pull request description: Major changes in expat 2.2.7: * [#186](libexpat/libexpat#186) [#262](libexpat/libexpat#262) Fix extraction of namespace prefixes from XML names; XML names with multiple colons could end up in the wrong namespace, and take a high amount of RAM and CPU resources while processing, opening the door to use for denial-of-service attacks * [#227](libexpat/libexpat#227) Autotools: Add --without-examples and --without-tests Full changelog is available [here](https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes#L5). ACKs for top commit: laanwj: ACK 0512f05 Tree-SHA512: 45162a9b0011107fd59a97dae7b5eb61989dafbec26b1ee497d1b11bf5c6a119971096899caa2998648b82a62db57c629a1560453557146c2496b39a7f3f8de9

textproc/expat2: upgrade 2.2.6 -> 2.2.7 - exp-run by antoine PR: 238864 Submitted by: Sergei Vyshenski <svysh.fbsd@gmail.com> (maintainer) Reviewed by: koobs Relnotes: https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes Security: libexpat/libexpat#186 libexpat/libexpat#262 textproc/expat2: upgrade 2.2.7 -> 2.2.8 PR: 240613 Submitted by: Sergei Vyshenski <svysh.fbsd@gmail.com> (maintainer) Exp-Run by: antoine Relnotes: https://github.com/libexpat/libexpat/blob/R_2_2_8/expat/Changes Security: CVE-2019-15903 Approved by: ports-secteam

0512f05 depends: expat 2.2.7 (fanquake) Pull request description: Major changes in expat 2.2.7: * [dashpay#186](libexpat/libexpat#186) [dashpay#262](libexpat/libexpat#262) Fix extraction of namespace prefixes from XML names; XML names with multiple colons could end up in the wrong namespace, and take a high amount of RAM and CPU resources while processing, opening the door to use for denial-of-service attacks * [dashpay#227](libexpat/libexpat#227) Autotools: Add --without-examples and --without-tests Full changelog is available [here](https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes#L5). ACKs for top commit: laanwj: ACK 0512f05 Tree-SHA512: 45162a9b0011107fd59a97dae7b5eb61989dafbec26b1ee497d1b11bf5c6a119971096899caa2998648b82a62db57c629a1560453557146c2496b39a7f3f8de9

- exp-run by antoine PR: 238864 Submitted by: Sergei Vyshenski <svysh.fbsd@gmail.com> (maintainer) Reviewed by: koobs Relnotes: https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes Security: libexpat/libexpat#186 libexpat/libexpat#262

hartwork added the help wanted label Jul 8, 2018

hartwork added the bug label May 8, 2019

hartwork self-assigned this Jun 12, 2019

MohammedKhajapasha mentioned this issue Jun 13, 2019

Fix: Skip continuous coping the string into DTD string pool #261

Closed

hartwork added a commit that referenced this issue Jun 13, 2019

xmlparse.c: Fix extraction of namespace prefix from XML name (#186)

11f8838

hartwork mentioned this issue Jun 13, 2019

xmlparse.c: Fix extraction of namespace prefix from XML name (#186) #262

Merged

hartwork added a commit that referenced this issue Jun 16, 2019

Changes: Document #186 and #262

ed682ae

hartwork added the security label Jun 16, 2019

hartwork added this to the 2.2.7 milestone Jun 16, 2019

hartwork closed this as completed Jun 16, 2019

hartwork mentioned this issue Jun 19, 2019

Release Expat 2.2.7 #254

Closed

23 tasks

fanquake mentioned this issue Jun 23, 2019

depends: expat 2.2.7 bitcoin/bitcoin#16270

Merged

hartwork added a commit that referenced this issue Jun 24, 2019

Changes: Attach CVE-2018-20843 to #186 and #262

9c90d3d

hartwork changed the title ~~88k xml file uses >2G memory~~ [CVE-2018-20843] 88k xml file uses >2G memory Jun 24, 2019

jubalh mentioned this issue Jul 4, 2019

Fix OMEMO leaks profanity-im/profanity#1131

Closed

tuliom mentioned this issue Jul 15, 2019

[CVE-2018-20843] expat - Especially crafted XML could consume high amount of resources and cause DoS advancetoolchain/advance-toolchain#1042

Closed

github-actions bot mentioned this issue Jun 3, 2021

Security Alert Test lazy-actions/gitrivy#99

Closed

github-actions bot mentioned this issue Sep 25, 2021

Security Alert yeyintr0lan/myxssableblog#1

Open

lyricidal mentioned this issue Mar 22, 2023

[Upstream] depends: expat 2.2.7 PRCYCoin/PRCYCoin#406

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[CVE-2018-20843] 88k xml file uses >2G memory #186

[CVE-2018-20843] 88k xml file uses >2G memory #186

caolanm commented Jan 25, 2018

hartwork commented Jan 25, 2018

RMJ10 commented Aug 4, 2018 •

edited

MohammedKhajapasha commented May 7, 2019

hartwork commented May 8, 2019

MohammedKhajapasha commented Jun 11, 2019 •

edited

hartwork commented Jun 13, 2019

hartwork commented Jun 24, 2019

[CVE-2018-20843] 88k xml file uses >2G memory #186

[CVE-2018-20843] 88k xml file uses >2G memory #186

Comments

caolanm commented Jan 25, 2018

hartwork commented Jan 25, 2018

RMJ10 commented Aug 4, 2018 • edited

MohammedKhajapasha commented May 7, 2019

hartwork commented May 8, 2019

MohammedKhajapasha commented Jun 11, 2019 • edited

hartwork commented Jun 13, 2019

hartwork commented Jun 24, 2019

RMJ10 commented Aug 4, 2018 •

edited

MohammedKhajapasha commented Jun 11, 2019 •

edited