Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Segmentation Fault #656

Closed
yngwei opened this issue Dec 9, 2017 · 7 comments
Closed

Segmentation Fault #656

yngwei opened this issue Dec 9, 2017 · 7 comments
Labels
Bug
Milestone
5.7

Comments

@yngwei
Copy link

yngwei commented Dec 9, 2017

Description

The vulnerability is an incorrect-access-control. The variable “currentNode” at line 2215(in clean.c) is modified in the loop, but it does not check whether the new value is valid. When you enter the loop again, “currentNode-> next”is invalid. So it causes the segmentation fault .

Version

5.7.0
2017.11.25

Backtrace:

#0  prvTidyTidyMetaCharset (doc=0x6d9010)
    at /home/mayfeel/MyFuzzerTarget/tidy-html5/src/clean.c:2235
#1  0x00000000004193ed in tidyDocCleanAndRepair (doc=0x6d9010)
    at /home/mayfeel/MyFuzzerTarget/tidy-html5/src/tidylib.c:2077
#2  0x0000000000418381 in tidyCleanAndRepair (tdoc=0x6d9010)
    at /home/mayfeel/MyFuzzerTarget/tidy-html5/src/tidylib.c:1401
#3  0x000000000040e954 in main (argc=0x2, argv=0x7fffffffded8)
    at /home/mayfeel/MyFuzzerTarget/tidy-html5/console/tidy.c:2420
#4  0x00007ffff7a2d830 in __libc_start_main (main=0x40d8a3 <main>, argc=0x2, 
    argv=0x7fffffffded8, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffdec8)
    at ../csu/libc-start.c:291
#5  0x000000000040a759 in _start ()

GDB Information

Stopped reason: SIGSEGV
0x0000000000440564 in prvTidyTidyMetaCharset (doc=0x6d9010)
    at /home/mayfeel/MyFuzzerTarget/tidy-html5/src/clean.c:2215
2215	    for (currentNode = head->content; currentNode; currentNode = currentNode->next)

PoC

Contact me if you need Poc file at yinjiawei@iie.ac.cn or yangmeifang@iie.ac.cn
@balthisar
Copy link
Member

balthisar commented Dec 10, 2017
edited

@yngwei, 谢谢, we'll have a look at it. Can you post your Poc file here? Add it as an attachment to a message.

@geoffmcl
Copy link
Contributor

@yngwei thank you for the issue... and certainly agree with you, the loop logic is flawed... after modification in the loop currentNode->next could be invalid, and lead to a segfault...

As @balthisar points out we will look at it soonest... and fix it... maybe a simple currentNode = (currentNode ? currentNode->next : NULL), or if (!currentNode) break; before each continue;, or something like that...

That is with or without a sample PoC, but having one certainly aids quick testing, and provides a later regression test sample... thanks...

@geoffmcl geoffmcl added the Bug label Dec 10, 2017
@geoffmcl geoffmcl added this to the 5.7 milestone Dec 10, 2017
@geoffmcl
Copy link
Contributor

@yngwei I have experimented with the following patch, and seems to work for me...

diff --git a/src/clean.c b/src/clean.c
index de4caf5..e96dd3f 100644
--- a/src/clean.c
+++ b/src/clean.c
@@ -2211,8 +2211,10 @@ Bool TY_(TidyMetaCharset)(TidyDocImpl* doc)
     tidyBufAppend(&charsetString, "charset=", 8);
     tidyBufAppend(&charsetString, (char*)enc, TY_(tmbstrlen)(enc));
     tidyBufAppend(&charsetString, "\0", 1); /* zero terminate the buffer */
-                                            /* process the children of the head */
-    for (currentNode = head->content; currentNode; currentNode = currentNode->next)
+    /* process the children of the head */
+    /* Issue #656 - guard against 'currentNode' being set NULL in loop */
+    for (currentNode = head->content; currentNode; 
+        currentNode = (currentNode ? currentNode->next : NULL))
     {
         if (!nodeIsMETA(currentNode))
             continue;   /* not a meta node */

Appreciated if you, or others, could give it a try... and/or comments... thanks...

And on a PoC sample html, I now too would certainly appreciate that...

I tried several ways to construct my own, but could not produce a simple sample where currentNode->prev was NULL, but still see it as a theoretic possibility, hence the suggested added loop guard...

As @balthisar asked, "Can you post your Poc file here? Add it as an attachment to a message."... thanks...

@yngwei
Copy link
Author

yngwei commented Dec 11, 2017

@geoffmcl This is the poc file.
poc.zip

@geoffmcl
Copy link
Contributor

geoffmcl commented Dec 11, 2017
edited

@yngwei thank you for the PoC file... it is the bad line 10, <meta charset<"utf-8"> that causes the problem to show up...

From that I was able to construct a minimal test sample, which I would never have been able to guess, which exposes the problem -

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset<"utf-8">
    <title>Issue #656-1</title>
  </head>
  <body>
    <h1>Issue #656-1</h1>
  </body>
</html>

Certainly applying my patch fixes the problem.

Of course the tidy generated html, after finding that extra < is not very pretty, and including a <meta... with no value is not good, but will leave those as separate issues to maybe be raised. Seems the Segmentation Fault is fixed...

Hope you can get a chance to try it and confirm... thanks...

@carnil
Copy link

carnil commented Dec 14, 2017

FTR, this issue has been assigned CVE-2017-17497.

geoffmcl added a commit that referenced this issue Dec 16, 2017
@geoffmcl
Issue #656 - protect against NULL node set in loop
a0414d6
@geoffmcl geoffmcl mentioned this issue Dec 16, 2017
Merged
@geoffmcl
Copy link
Contributor

Create PR #661 for testing and review... thanks...

geoffmcl added a commit that referenced this issue Jan 1, 2018
@geoffmcl
Is #656 PR #661 - Bump to 5.7.1 for this merge
5408bb7
@geoffmcl geoffmcl mentioned this issue May 31, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug
Projects
None yet
Milestone
5.7
Development

No branches or pull requests
4 participants
@carnil @geoffmcl @balthisar @yngwei