You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It should also be noted that Expat allows operation with or without support for XML Namespaces (where : has a special role), and that this finding was yield with function XML_ParserCreate where namespace support is disabled.
There is nothing UTF-16 about this finding despite the related fuzzer and filename, this is UTF-8 even in original form.
Closer Look
At parse time reference &q; is replaced by text &:; which is in turn replaced by text s <. The s in there is what made the fuzzer stop the parser from the character handler. At that point both entities are marked open (see OPEN_INTERNAL_ENTITY *m_openInternalEntities; and its use). When suspending, the existing code on master decides to keep entity q open (since the < has not yet been processed) but close entity : despite not being at the top of the open entity stack. As a result, the other open entity's memory is leaked and that is the symptom that triggered LeakSanitizer and made oss-fuzz uncover the issue.
A candidate fix would be to add a check to only close an entity when it is the top of the stack of open entities. A related pull request coming up in a few minutes, review and testing is welcome. This issue exists primarily to clearly separate problem and solution.
I am not aware of any security aspects of this finding.
For a reproducer that is slightly less cryptic than the original finding, I can offer this alternative:
Issue
This is the public side of soon-public (access protected) oss-fuzz Expat finding:
Issue 65924: expat:xml_parsebuffer_fuzzer_UTF-16: Direct-leak in processInternalEntity.
The three key (access protected) contained links are:
The reproducer (also attached as file clusterfuzz-testcase-minimized-xml_parsebuffer_fuzzer_UTF-16-5339329924759552.xml.txt) is essentially this:
The original's SHA245 sum is
7fe9e1bf3d97f9268034cb8d7e5e7fe020c69efd41f379f6c5c5ce87c988d1a1
.The regression link effectively links to 2640b1d...86a3623 (which makes good sense since these changes increase fuzzing coverage).
Here's the LeakSanitizer output enriched with with
EXPAT_ENTITY_DEBUG=1
:Analysis
Foreword
It should be noted first that general entity
:
and its use via&:;
are well-formed with regard to Section "Names and Tokens" in 2.3 Common Syntactic Constructs of XML 1.0 Fourth Edition:It should also be noted that Expat allows operation with or without support for XML Namespaces (where
:
has a special role), and that this finding was yield with functionXML_ParserCreate
where namespace support is disabled.There is nothing UTF-16 about this finding despite the related fuzzer and filename, this is UTF-8 even in original form.
Closer Look
At parse time reference
&q;
is replaced by text&:;
which is in turn replaced by texts <
. Thes
in there is what made the fuzzer stop the parser from the character handler. At that point both entities are marked open (seeOPEN_INTERNAL_ENTITY *m_openInternalEntities;
and its use). When suspending, the existing code onmaster
decides to keep entityq
open (since the<
has not yet been processed) but close entity:
despite not being at the top of the open entity stack. As a result, the other open entity's memory is leaked and that is the symptom that triggered LeakSanitizer and made oss-fuzz uncover the issue.A candidate fix would be to add a check to only close an entity when it is the top of the stack of open entities. A related pull request coming up in a few minutes, review and testing is welcome. This issue exists primarily to clearly separate problem and solution.
I am not aware of any security aspects of this finding.
For a reproducer that is slightly less cryptic than the original finding, I can offer this alternative:
It should be noted that without stopping the parser while parsing, this isolate sample will not show anything interesting with e.g. xmlwf.
CC @catenacyber @RMJ10 @Snild-Sony
The text was updated successfully, but these errors were encountered: