
[CVE-2018-20843] 88k xml file uses >2G memory #186

Closed
caolanm opened this issue Jan 25, 2018 · 7 comments

Comments

@caolanm

commented Jan 25, 2018

valgrind --tool=massif xmlwf clusterfuzz-testcase-4543406568112128.txt
reports that xmlwf uses > 2G of memory to load this bogus xml document.

clusterfuzz-testcase-4543406568112128.txt

This was reported by oss-fuzz against LibreOffice (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5226) which uses expat and has the same memory use so I felt I should pass it on.

@hartwork

Member

commented Jan 25, 2018

Nice! 😄 Thanks for taking this report here.

@hartwork hartwork added the help wanted label Jul 8, 2018

@RMJ10

Contributor

commented Aug 4, 2018

I haven't got all the way into this yet, but I suspect the culprit is setElementTypePrefix. It adds each prefix to the DTD string pool as it finds a colon; not each separate element, but the whole prefix from the start of the string to the colon it most recently found. That's the string "DIs", "DIS:BBBBBBB", "DIs:BBBBBBB:includeemBBBBBB" etc. That's going to add up to a lot of space given the long strings of colons in the attribute "name".

@MohammedKhajapasha

Contributor

commented May 7, 2019

Hi Caolanm,
Are you observing this issue with the latest libexpat as well? We have tried to reproduce this issue with the given command and dummy XML file (valgrind --tool=massif xmlwf clusterfuzz-testcase-4543406568112128.txt) but we didn't observe any error here. Could you please let us know if any configuration is needed for this? Otherwise, could you please close this ticket.

@hartwork

Member

commented May 8, 2019

@MohammedKhajapasha the bug report is legit and still applies to 2.2.6:

# wget https://github.com/libexpat/libexpat/files/1664546/clusterfuzz-testcase-4543406568112128.txt
# time xmlwf clusterfuzz-testcase-4543406568112128.txt & while pgrep xmlwf >/dev/null; do echo $(grep -E '^(VmPeak|VmHWM)' /proc/$(pgrep xmlwf)/status); sleep 0.5 ; done | tail -n1
clusterfuzz-testcase-4543406568112128.txt:1:88403: no element found

real    0m18.761s
user    0m18.099s
sys     0m0.660s
VmPeak: 2301900 kB VmHWM: 2298436 kB

@hartwork hartwork added the bug label May 8, 2019

@MohammedKhajapasha

Contributor

commented Jun 11, 2019

As per our initial analysis and Rhodri James's comments, the culprit was setElementTypePrefix(), which adds the whole string from the start whenever it finds a colon. For input like mBBBBBB:aBBBBQ:::::::::, for every consecutive colon it adds the whole string from the start to the DTD pool again, which leads to an increase in VmPeak and VmHWM for the application process.
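To make the cost described in Rhodri James's and MohammedKhajapasha's comments above concrete, here is a small model of the two behaviours. It is an added example, not libexpat code and not the upstream patch: `extract_prefix_every_colon` follows the pre-fix description (every colon causes the substring from the start of the name up to that colon to be retained in a string pool), and `extract_prefix_first_colon` is how I would model the corrected behaviour, taking the prefix before the first colon and stopping, which is consistent with the 2.2.7 changelog entry quoted further down about names with multiple colons landing in the wrong namespace. The `prefix_stats` struct, the helper names and the constructed input (`x` followed by a run of colons) are all assumptions of this example; only byte counts are modelled, not the real pool or hash table.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result of modelling prefix extraction over one XML name (example type). */
typedef struct {
    size_t bytes_retained;  /* bytes that stay in the modelled DTD string pool */
    size_t prefixes_stored; /* distinct prefixes that ended up in the pool */
    char   prefix[64];      /* prefix the element type is finally bound to */
} prefix_stats;

/* Record one prefix (name[0..len) plus its NUL) as retained in the pool.
   Every prefix produced from the same name has a different length, so none
   is a duplicate of an earlier one and the pool keeps all of them. */
static void retain_prefix(prefix_stats *st, const char *name, size_t len) {
    st->bytes_retained += len + 1;
    st->prefixes_stored += 1;
    size_t n = len < sizeof(st->prefix) - 1 ? len : sizeof(st->prefix) - 1;
    memcpy(st->prefix, name, n);
    st->prefix[n] = '\0';
}

/* Pre-fix behaviour as described in the thread: every colon causes the
   substring from the start of the name up to that colon to be appended to
   the DTD pool, so a run of n colons costs on the order of n*n/2 bytes. */
static prefix_stats extract_prefix_every_colon(const char *name) {
    prefix_stats st = {0, 0, ""};
    for (size_t i = 0; name[i] != '\0'; i++) {
        if (name[i] == ':')
            retain_prefix(&st, name, i);
    }
    return st;
}

/* Model of the corrected behaviour (assumption, not the upstream patch):
   the prefix is whatever precedes the first colon, and the scan stops there.
   One prefix, cost linear in the prefix length. */
static prefix_stats extract_prefix_first_colon(const char *name) {
    prefix_stats st = {0, 0, ""};
    for (size_t i = 0; name[i] != '\0'; i++) {
        if (name[i] == ':') {
            retain_prefix(&st, name, i);
            break;
        }
    }
    return st;
}

/* Constructed input: a one-character name followed by n colons, shaped like
   the long colon runs the thread describes. Caller frees the result. */
static char *make_name_with_colons(size_t n) {
    char *s = malloc(n + 2);
    if (!s) return NULL;
    s[0] = 'x';
    memset(s + 1, ':', n);
    s[n + 1] = '\0';
    return s;
}

/* Closed form for the pre-fix cost of make_name_with_colons(n):
   the k-th colon (1-based) retains k bytes of prefix plus one NUL. */
static size_t quadratic_cost(size_t n) {
    return n * (n + 1) / 2 + n;
}

int main(void) {
    size_t n = 1000;
    char *name = make_name_with_colons(n);
    if (!name) return 1;
    prefix_stats before = extract_prefix_every_colon(name);
    prefix_stats after  = extract_prefix_first_colon(name);
    printf("name length %zu\n", n + 1);
    printf("every-colon : %zu prefixes, %zu bytes retained\n",
           before.prefixes_stored, before.bytes_retained);
    printf("first-colon : %zu prefixes, %zu bytes retained\n",
           after.prefixes_stored, after.bytes_retained);
    free(name);
    return 0;
}
```

A name of 1001 characters already retains about half a megabyte under the every-colon model and two bytes under the first-colon model; the same quadratic growth applies to attribute names with long colon runs, which is why a file of tens of kilobytes can drive the peak RSS into gigabytes. A regression check for this class of bug is to parse a small document with a long colon run under a memory limit (for example `ulimit -v`) and fail the test if parsing aborts or the process peak grows faster than linearly with the input size.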

@hartwork

Member

commented Jun 13, 2019

Please note pull request #262 wishing for review. Thanks!

hartwork added a commit that referenced this issue Jun 16, 2019

@hartwork hartwork added the security label Jun 16, 2019

@hartwork hartwork added this to the 2.2.7 milestone Jun 16, 2019

@hartwork hartwork closed this Jun 16, 2019

@hartwork hartwork referenced this issue Jun 19, 2019
23 of 23 tasks complete
hartwork added a commit that referenced this issue Jun 24, 2019

@hartwork hartwork changed the title 88k xml file uses >2G memory [CVE-2018-20843] 88k xml file uses >2G memory Jun 24, 2019


@jubalh jubalh referenced this issue Jul 4, 2019
laanwj added a commit to bitcoin/bitcoin that referenced this issue Jul 10, 2019
Merge #16270: depends: expat 2.2.7
0512f05 depends: expat 2.2.7 (fanquake)

Pull request description:

  Major changes in expat 2.2.7:

  * [#186](libexpat/libexpat#186) [#262](libexpat/libexpat#262)  Fix extraction of namespace prefixes from XML names;
                      XML names with multiple colons could end up in the
                      wrong namespace, and take a high amount of RAM and CPU
                      resources while processing, opening the door to use for denial-of-service attacks
  * [#227](libexpat/libexpat#227) Autotools: Add --without-examples and --without-tests

  Full changelog is available [here](https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes#L5).

ACKs for top commit:
  laanwj:
    ACK 0512f05

Tree-SHA512: 45162a9b0011107fd59a97dae7b5eb61989dafbec26b1ee497d1b11bf5c6a119971096899caa2998648b82a62db57c629a1560453557146c2496b39a7f3f8de9
Jehops pushed a commit to Jehops/freebsd-ports that referenced this issue Sep 16, 2019
textproc/expat2: upgrade 2.2.6 -> 2.2.7
- exp-run by antoine

PR:		238864
Submitted by:	Sergei Vyshenski <svysh.fbsd@gmail.com> (maintainer)
Reviewed by:	koobs
Relnotes:	https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes
Security:	libexpat/libexpat#186
		libexpat/libexpat#262


git-svn-id: svn+ssh://svn.freebsd.org/ports/head@512162 35697150-7ecd-e111-bb59-0022644237b5