oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

two heap overflows in raptor

From: Hanno Böck <hanno () hboeck de>
Date: Wed, 7 Jun 2017 13:08:24 +0200
Hi,

raptor is a library to parse rdf data. Notably it is used by
libreoffice.

I reported two heap overflows in april. The bug reports are private
http://bugs.librdf.org/mantis/view.php?id=617
http://bugs.librdf.org/mantis/view.php?id=618

Both are fixed by the same commit:
https://github.com/LibreOffice/core/blob/master/external/redland/raptor/0001-Calcualte-max-nspace-declarations-correctly-for-XML-.patch.1

I also informed the libreoffice security team.

No new release has been made yet. I'm pasting the content of my bug
reports below, poc files attached.


----------------------
Summary 0000617: heap buffer overflow in raptor_qname_format_as_xml
Description     The attached file will cause a heap buffer overflow in raptor. Can be tested with the rapper command 
line tool.

This is a security bug, so I'm marking this private.

Here's a stack trace of the crash (from address sanitizer):
==24627==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000002090 at pc 0x000000529a9c bp 0x7fffc7e52060 
sp 0x7fffc7e52058
WRITE of size 8 at 0x604000002090 thread T0
    #0 0x529a9b in raptor_qname_format_as_xml /f/raptor/raptor2-2.0.15/src/raptor_qname.c:666:15
    #1 0x5cb770 in raptor_xml_writer_start_element_common /f/raptor/raptor2-2.0.15/src/raptor_xml_writer.c:242:9
    #2 0x5cd317 in raptor_xml_writer_start_element /f/raptor/raptor2-2.0.15/src/raptor_xml_writer.c:571:3
    #3 0x55c534 in raptor_rdfxml_start_element_grammar /f/raptor/raptor2-2.0.15/src/raptor_rdfxml.c:2044:9
    #4 0x55c534 in raptor_rdfxml_start_element_handler /f/raptor/raptor2-2.0.15/src/raptor_rdfxml.c:830
    #5 0x54d8e6 in raptor_sax2_start_element /f/raptor/raptor2-2.0.15/src/raptor_sax2.c:826:5
    #6 0x7efcbd5decad in xmlParseStartTag (/usr/lib64/libxml2.so.2+0x41cad)
    #7 0x7efcbd5ec323 (/usr/lib64/libxml2.so.2+0x4f323)
    #8 0x7efcbd5ed3ba in xmlParseChunk (/usr/lib64/libxml2.so.2+0x503ba)
    #9 0x54c2e7 in raptor_sax2_parse_chunk /f/raptor/raptor2-2.0.15/src/raptor_sax2.c:534:10
    #10 0x558ec9 in raptor_rdfxml_parse_chunk /f/raptor/raptor2-2.0.15/src/raptor_rdfxml.c:1169:8
    #11 0x512da5 in raptor_parser_parse_chunk /f/raptor/raptor2-2.0.15/src/raptor_parse.c:482:10
    #12 0x512da5 in raptor_parser_parse_file_stream /f/raptor/raptor2-2.0.15/src/raptor_parse.c:554
    #13 0x51324f in raptor_parser_parse_file /f/raptor/raptor2-2.0.15/src/raptor_parse.c:616:8
    #14 0x50dd82 in main /f/raptor/raptor2-2.0.15/utils/rapper.c:917:8
    #15 0x7efcbc4d52b0 in __libc_start_main (/lib64/libc.so.6+0x202b0)
    #16 0x41b919 in _start (/r/raptor/rapper+0x41b919)


------------------

Summary 0000618: heap buffer overflow in raptor_xml_writer_start_element_common
Description     The attached file will cause a heap buffer overflow and crash raptor. This was found via fuzzing with 
the tool american fuzzy lop.

This is a security bug, so I'm marking it private.

Here's a stack trace (from address sanitizer):
==3322==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000001f88 at pc 0x0000005ccdbc bp 0x7ffe62bb8540 
sp 0x7ffe62bb8538
WRITE of size 8 at 0x604000001f88 thread T0
    #0 0x5ccdbb in raptor_xml_writer_start_element_common /f/raptor/raptor2-2.0.15/src/raptor_xml_writer.c:241:65
    #1 0x5cd317 in raptor_xml_writer_start_element /f/raptor/raptor2-2.0.15/src/raptor_xml_writer.c:571:3
    #2 0x55c534 in raptor_rdfxml_start_element_grammar /f/raptor/raptor2-2.0.15/src/raptor_rdfxml.c:2044:9
    #3 0x55c534 in raptor_rdfxml_start_element_handler /f/raptor/raptor2-2.0.15/src/raptor_rdfxml.c:830
    #4 0x54d8e6 in raptor_sax2_start_element /f/raptor/raptor2-2.0.15/src/raptor_sax2.c:826:5
    #5 0x7f5125ce9cad in xmlParseStartTag (/usr/lib64/libxml2.so.2+0x41cad)
    #6 0x7f5125cf7323 (/usr/lib64/libxml2.so.2+0x4f323)
    #7 0x7f5125cf83ba in xmlParseChunk (/usr/lib64/libxml2.so.2+0x503ba)
    #8 0x54c2e7 in raptor_sax2_parse_chunk /f/raptor/raptor2-2.0.15/src/raptor_sax2.c:534:10
    #9 0x558ec9 in raptor_rdfxml_parse_chunk /f/raptor/raptor2-2.0.15/src/raptor_rdfxml.c:1169:8
    #10 0x512da5 in raptor_parser_parse_chunk /f/raptor/raptor2-2.0.15/src/raptor_parse.c:482:10
    #11 0x512da5 in raptor_parser_parse_file_stream /f/raptor/raptor2-2.0.15/src/raptor_parse.c:554
    #12 0x51324f in raptor_parser_parse_file /f/raptor/raptor2-2.0.15/src/raptor_parse.c:616:8
    #13 0x50dd82 in main /f/raptor/raptor2-2.0.15/utils/rapper.c:917:8
    #14 0x7f5124be02b0 in __libc_start_main (/lib64/libc.so.6+0x202b0)
    #15 0x41b919 in _start (/r/raptor/rapper+0x41b919)

0x604000001f88 is located 8 bytes to the left of 38-byte region [0x604000001f90,0x604000001fb6)
allocated by thread T0 here:
    #0 0x4d1d28 in malloc (/r/raptor/rapper+0x4d1d28)
    #1 0x525745 in raptor_namespace_format_as_xml /f/raptor/raptor2-2.0.15/src/raptor_namespace.c:791:12
    #2 0x5cb4ed in raptor_xml_writer_start_element_common /f/raptor/raptor2-2.0.15/src/raptor_xml_writer.c:201:9

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Attachment: raptor-heapoverflow-raptor_qname_format_as_xml.rdf
Description:

Attachment: raptor-heapoverflow-raptor_xml_writer_start_element_common.rdf
Description:

Previous By Date Next
Previous By Thread Next

Current thread: