New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Multiple crashes when feeding mxmldoc bogus source files #237

Closed
HongxuChen opened this Issue Dec 13, 2018 · 6 comments

Comments

Projects
None yet
4 participants
@HongxuChen
Copy link

HongxuChen commented Dec 13, 2018

We detected several crashes with our fuzzer when mxml is compiled with AddressSanitizer, including buffer overflow (heap-based or stack-based), and use-after-free. POCs (files ending with .txt) and error messages (files ending with .err) are put inside this directory.
The triggering command is ./mxmldoc $POC (w/o setting xml, POC is the "source file").

@michaelrsweet

This comment has been minimized.

Copy link
Owner

michaelrsweet commented Dec 13, 2018

What version of Mini-XML are you using?

What compiler are you using?

What operating system/Linux distribution?

How did you build the source? (Options and environment variables)

@michaelrsweet michaelrsweet self-assigned this Dec 13, 2018

@michaelrsweet michaelrsweet changed the title Multiple crashes when running xmldoc Multiple crashes when running mxmldoc Dec 13, 2018

@michaelrsweet michaelrsweet changed the title Multiple crashes when running mxmldoc Multiple crashes when feeding mxmldoc bogus source files Dec 13, 2018

@HongxuChen

This comment has been minimized.

Copy link

HongxuChen commented Dec 13, 2018

It's the git HEAD version (53c75b0), on Ubuntu 18.04 LTS. I compiled mxml with Clang-7 with both initial options CFLAGS="-fsanitize=address -O3 -g" and CFLAGS="-fsanitize=address -O0 -g" (both of these casesLDFLAGS="-fsanitize=address" initially).

@wcventure

This comment has been minimized.

Copy link

wcventure commented Dec 29, 2018

Hi,
Especially the use-after-free problem has serious harm. We are also developing a dedicated toolset to help to detect use-after-free errors.

For ease of reference, the ASAN dumps the stack trace as follows:

=================================================================
==27460==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000005c8 at pc 0x7fdfe37d798c bp 0x7ffc372523d0 sp 0x7ffc372523c8
READ of size 8 at 0x6080000005c8 thread T0
    #0 0x7fdfe37d798b in mxmlAdd /home/exp/FOT/mxml-asan-O0/mxml-node.c:128:27
    #1 0x7fdfe37d8ba3 in mxml_new /home/exp/FOT/mxml-asan-O0/mxml-node.c:869:5
    #2 0x7fdfe37d8cb9 in mxmlNewElement /home/exp/FOT/mxml-asan-O0/mxml-node.c:385:15
    #3 0x519c2c in scan_file /home/exp/FOT/mxml-asan-O0/mxmldoc.c:2739:23
    #4 0x5144ef in main /home/exp/FOT/mxml-asan-O0/mxmldoc.c:503:11
    #5 0x7fdfe25e9b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x41a919 in _start (/home/exp/FOT/mxml-asan-O0/install/bin/mxmldoc+0x41a919)

0x6080000005c8 is located 40 bytes inside of 88-byte region [0x6080000005a0,0x6080000005f8)
freed by thread T0 here:
    #0 0x4da600 in __interceptor_free.localalias.0 (/home/exp/FOT/mxml-asan-O0/install/bin/mxmldoc+0x4da600)
    #1 0x7fdfe37d8955 in mxml_free /home/exp/FOT/mxml-asan-O0/mxml-node.c:821:3
    #2 0x7fdfe37d82f3 in mxmlDelete /home/exp/FOT/mxml-asan-O0/mxml-node.c:234:5
    #3 0x521f34 in sort_node /home/exp/FOT/mxml-asan-O0/mxmldoc.c:3389:5
    #4 0x517124 in scan_file /home/exp/FOT/mxml-asan-O0/mxmldoc.c:2144:7
    #5 0x5144ef in main /home/exp/FOT/mxml-asan-O0/mxmldoc.c:503:11
    #6 0x7fdfe25e9b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

previously allocated by thread T0 here:
    #0 0x4da9f8 in calloc (/home/exp/FOT/mxml-asan-O0/install/bin/mxmldoc+0x4da9f8)
    #1 0x7fdfe37d8ab7 in mxml_new /home/exp/FOT/mxml-asan-O0/mxml-node.c:844:15
    #2 0x7fdfe37d8cb9 in mxmlNewElement /home/exp/FOT/mxml-asan-O0/mxml-node.c:385:15
    #3 0x51c56f in scan_file /home/exp/FOT/mxml-asan-O0/mxmldoc.c:3289:19
    #4 0x5144ef in main /home/exp/FOT/mxml-asan-O0/mxmldoc.c:503:11
    #5 0x7fdfe25e9b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-use-after-free /home/exp/FOT/mxml-asan-O0/mxml-node.c:128:27 in mxmlAdd
Shadow bytes around the buggy address:
  0x0c107fff8060: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c107fff8070: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c107fff8080: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c107fff8090: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c107fff80a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
=>0x0c107fff80b0: fa fa fa fa fd fd fd fd fd[fd]fd fd fd fd fd fa
  0x0c107fff80c0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c107fff80d0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c107fff80e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c107fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27460==ABORTING
@nluedtke

This comment has been minimized.

Copy link

nluedtke commented Jan 2, 2019

This was assigned CVE-2018-20592 and CVE-2018-20593.

@michaelrsweet

This comment has been minimized.

Copy link
Owner

michaelrsweet commented Jan 2, 2019

@nluedtke Seriously? Well please let them know the fix is to remove the utility from the build. This isn't an issue with the library...

michaelrsweet added a commit that referenced this issue Jan 3, 2019

@michaelrsweet

This comment has been minimized.

Copy link
Owner

michaelrsweet commented Jan 3, 2019

[master eadf40f] Remove mxmldoc (Issue #237)

mxmldoc is moving to a separate project.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment