[CVE-2018-20843] 88k xml file uses >2G memory #186
Comments
Nice!

I haven't got all the way into this yet, but I suspect the culprit is

Hi Caolanm,
@MohammedKhajapasha the bug report is legit and still applies to 2.2.6:

# wget https://github.com/libexpat/libexpat/files/1664546/clusterfuzz-testcase-4543406568112128.txt
# time xmlwf clusterfuzz-testcase-4543406568112128.txt & while pgrep xmlwf >/dev/null; do echo $(grep -E '^(VmPeak|VmHWM)' /proc/$(pgrep xmlwf)/status); sleep 0.5 ; done | tail -n1
clusterfuzz-testcase-4543406568112128.txt:1:88403: no element found
real 0m18.761s
user 0m18.099s
sys 0m0.660s
VmPeak: 2301900 kB VmHWM: 2298436 kB
As per our initial analysis and Rhodri James's comments, the culprit was setElementTypePrefix(), which adds the whole string from the start whenever it finds a colon. For a name like mBBBBBB:aBBBBQ:::::::::, every consecutive colon causes the whole string from the start to be added to the DTD pool again, which leads to the increase in VmPeak and VmHWM for the application process.
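To make the retention pattern described in the comment above concrete, here is a small Python model; it is an added illustration, not code from libexpat or from anyone in this thread. It models the pre-2.2.7 behaviour (at every colon, copy the name from its start into the DTD pool and look it up as a prefix) beside the 2.2.7 behaviour (stop after the first colon), and adds a check of which expat the running Python links against. The functions `prefixes_stored`, `pool_bytes`, `growth` and `expat_version_patched` and the constructed sample names are mine; `xml.parsers.expat.version_info` and `EXPAT_VERSION` are the standard-library attributes.

```python
"""Model of the DTD-pool growth behind CVE-2018-20843 (libexpat issue #186).

Added illustration, not libexpat code. Before expat 2.2.7, setElementTypePrefix()
walked the element name and, at every colon, copied the name from its start up
to that colon into the DTD string pool and looked it up as a namespace prefix.
A name with many colons therefore retains O(colons^2) bytes. The 2.2.7 fix
(pull request #262) stops after the first colon. The helper names and sample
inputs below are my own; only the behaviour they model comes from the thread.
"""
import xml.parsers.expat as expat

# Release that shipped the fix (see the 2.2.7 changelog quoted in this thread).
CVE_2018_20843_FIXED_IN = (2, 2, 7)


def prefixes_stored(name: str, patched: bool) -> list:
    """Prefix strings setElementTypePrefix() copies into the pool for one name."""
    found = []
    for i, ch in enumerate(name):
        if ch == ":":
            found.append(name[:i])   # everything from the start of the name
            if patched:
                break                # 2.2.7: one prefix per name, then stop
    return found


def pool_bytes(names, patched: bool) -> int:
    """Bytes retained in the DTD pool after processing `names` in order.

    Mirrors the pool discipline: a prefix already in the prefix table is
    discarded (poolDiscard); a new one is kept (poolFinish) with its NUL.
    """
    prefix_table = set()
    retained = 0
    for name in names:
        for prefix in prefixes_stored(name, patched):
            if prefix not in prefix_table:
                prefix_table.add(prefix)
                retained += len(prefix) + 1   # +1 for the terminating NUL
    return retained


def growth(colons: int) -> dict:
    """Vulnerable vs patched retention for a constructed name with `colons` colons."""
    name = "p" + ":q" * colons           # constructed sample, k^2 + k bytes if vulnerable
    return {"vulnerable": pool_bytes([name], patched=False),
            "patched": pool_bytes([name], patched=True)}


def expat_version_patched(version_info=expat.version_info) -> bool:
    """True if the given (by default, the linked) expat is 2.2.7 or later."""
    return tuple(version_info) >= CVE_2018_20843_FIXED_IN


if __name__ == "__main__":
    # Name shape quoted in the thread; the exact colon count is not important here.
    sample = "mBBBBBB:aBBBBQ:::::::::"
    print("prefixes (vulnerable):", prefixes_stored(sample, patched=False))
    print("prefixes (patched):   ", prefixes_stored(sample, patched=True))
    for k in (10, 100, 1000):
        print(k, growth(k))
    print("linked expat", expat.EXPAT_VERSION, "patched:", expat_version_patched())
```

The quadratic term is what turns an 88 kB document into a multi-gigabyte pool: a single name with 1000 colons retains about a megabyte under the old code and two bytes under the fixed code, and a document can carry thousands of such names. The version check is the practical takeaway for anyone auditing a deployment: anything linking expat older than 2.2.7 inherits this behaviour.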
Please note pull request #262 is awaiting review. Thanks!
0512f05 depends: expat 2.2.7 (fanquake)

Pull request description:

  Major changes in expat 2.2.7:

  * [#186](libexpat/libexpat#186) [#262](libexpat/libexpat#262) Fix extraction of namespace prefixes from XML names; XML names with multiple colons could end up in the wrong namespace, and take a high amount of RAM and CPU resources while processing, opening the door to use for denial-of-service attacks
  * [#227](libexpat/libexpat#227) Autotools: Add --without-examples and --without-tests

  Full changelog is available [here](https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes#L5).

ACKs for top commit:
  laanwj: ACK 0512f05

Tree-SHA512: 45162a9b0011107fd59a97dae7b5eb61989dafbec26b1ee497d1b11bf5c6a119971096899caa2998648b82a62db57c629a1560453557146c2496b39a7f3f8de9
- exp-run by antoine

PR: 238864
Submitted by: Sergei Vyshenski <svysh.fbsd@gmail.com> (maintainer)
Reviewed by: koobs
Relnotes: https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes
Security: libexpat/libexpat#186 libexpat/libexpat#262

git-svn-id: svn+ssh://svn.freebsd.org/ports/head@512162 35697150-7ecd-e111-bb59-0022644237b5
textproc/expat2: upgrade 2.2.6 -> 2.2.7

- exp-run by antoine

PR: 238864
Submitted by: Sergei Vyshenski <svysh.fbsd@gmail.com> (maintainer)
Reviewed by: koobs
Relnotes: https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes
Security: libexpat/libexpat#186 libexpat/libexpat#262

textproc/expat2: upgrade 2.2.7 -> 2.2.8

PR: 240613
Submitted by: Sergei Vyshenski <svysh.fbsd@gmail.com> (maintainer)
Exp-Run by: antoine
Relnotes: https://github.com/libexpat/libexpat/blob/R_2_2_8/expat/Changes
Security: CVE-2019-15903
Approved by: ports-secteam
valgrind --tool=massif xmlwf clusterfuzz-testcase-4543406568112128.txt
reports that xmlwf uses > 2G of memory to load this bogus xml document.
clusterfuzz-testcase-4543406568112128.txt
This was reported by oss-fuzz against LibreOffice (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5226) which uses expat and has the same memory use so I felt I should pass it on.