
Crashes during parsing of malformed XML files (SDF format)

Open retpoline opened this issue 4 years ago • 0 comments

Hi there,

During fuzz testing of the sdformat binary, a couple of crashes were discovered, and at least one of them seems to be a crash in tinyxml2. Although these files only crash the apps, they could potentially be crafted further into security issues where a malformed sdf/xml file would be able to compromise the process's memory through memory corruption, so hardening the code to prevent these kinds of bugs would be great.

You can download the crashing files in a zip from Ufile to debug and understand where the code is crashing.

Here's a snip of one crash log relevant to TinyXML2.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff77c6d38 in tinyxml2::XMLNode::InsertFirstChild(tinyxml2::XMLNode*)
    () from /lib/x86_64-linux-gnu/libtinyxml2.so.6

#0  0x00007ffff77c6d38 in tinyxml2::XMLNode::InsertFirstChild(tinyxml2::XMLNode*) () from /lib/x86_64-linux-gnu/libtinyxml2.so.6
#1  0x00007ffff7e0124a in ?? () from /lib/x86_64-linux-gnu/libsdformat11.so.11
#2  0x00007ffff7e019f1 in ?? () from /lib/x86_64-linux-gnu/libsdformat11.so.11
#3  0x00007ffff7e03066 in ?? () from /lib/x86_64-linux-gnu/libsdformat11.so.11
#4  0x00007ffff7e02fe7 in ?? () from /lib/x86_64-linux-gnu/libsdformat11.so.11
#5  0x00007ffff7e02fe7 in ?? () from /lib/x86_64-linux-gnu/libsdformat11.so.11
#6  0x00007ffff7e03a6d in ?? () from /lib/x86_64-linux-gnu/libsdformat11.so.11
#7  0x00007ffff7e6c0b1 in ?? () from /lib/x86_64-linux-gnu/libsdformat11.so.11
#8  0x00007ffff7e665e4 in ?? () from /lib/x86_64-linux-gnu/libsdformat11.so.11
#9  0x00007ffff7e66be0 in sdf::v11::readFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, sdf::v11::ParserConfig const&, std::shared_ptr<sdf::v11::SDF>, std::vector<sdf::v11::Error, std::allocator<sdf::v11::Error> >&) () from /lib/x86_64-linux-gnu/libsdformat11.so.11
#10 0x00007ffff7e66d14 in sdf::v11::readFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, sdf::v11::ParserConfig const&, std::vector<sdf::v11::Error, std::allocator<sdf::v11::Error> >&) ()
   from /lib/x86_64-linux-gnu/libsdformat11.so.11
#11 0x00007ffff7e66e0b in sdf::v11::readFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<sdf::v11::Error, std::allocator<sdf::v11::Error> >&) ()
   from /lib/x86_64-linux-gnu/libsdformat11.so.11
#12 0x00007ffff7e66e7f in sdf::v11::readFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ()
   from /lib/x86_64-linux-gnu/libsdformat11.so.11
#13 0x0000555555562f34 in main ()

rax            0x555555dd7210      93825001157136
rbx            0x5555557330f8      93824994193656
rcx            0x555555dd7212      93825001157138
rdx            0x7fffffffdae0      140737488345824
rsi            0x0                 0
rdi            0x5555558fb3e0      93824996062176
rbp            0x555555f8e730      0x555555f8e730
rsp            0x7fffffffcf88      0x7fffffffcf88
r8             0x555555dd7210      93825001157136
r9             0xff                255
r10            0xfffffffffffff83d  -1987
r11            0x7ffff77c6d30      140737345514800
r12            0x5555558fb3e0      93824996062176
r13            0x7fffffffd0b0      140737488343216
r14            0x0                 0
r15            0x7fffffffd030      140737488343088
rip            0x7ffff77c6d38      0x7ffff77c6d38 <tinyxml2::XMLNode::InsertFirstChild(tinyxml2::XMLNode*)+8>
eflags         0x10206             [ PF IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0

=> 0x7ffff77c6d38 <_ZN8tinyxml27XMLNode16InsertFirstChildEPS0_+8>:	cmp    %rdx,0x8(%rsi)
   0x7ffff77c6d3c <_ZN8tinyxml27XMLNode16InsertFirstChildEPS0_+12>:	jne    0x7ffff77c6d80 <_ZN8tinyxml27XMLNode16InsertFirstChildEPS0_+80>
   0x7ffff77c6d3e <_ZN8tinyxml27XMLNode16InsertFirstChildEPS0_+14>:	push   %rbp
   0x7ffff77c6d3f <_ZN8tinyxml27XMLNode16InsertFirstChildEPS0_+15>:	mov    %rdi,%rbp

'exploitable' version 1.32
Linux ubuntu 5.4.0-48-generic #52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020 x86_64
Signal si_signo: 11 Signal si_addr: 8
Nearby code:
Dump of assembler code for function _ZN8tinyxml27XMLNode16InsertFirstChildEPS0_:
   0x00007ffff77c6d30 <+0>:	endbr64 
   0x00007ffff77c6d34 <+4>:	mov    rdx,QWORD PTR [rdi+0x8]
=> 0x00007ffff77c6d38 <+8>:	cmp    QWORD PTR [rsi+0x8],rdx
   0x00007ffff77c6d3c <+12>:	jne    0x7ffff77c6d80 <_ZN8tinyxml27XMLNode16InsertFirstChildEPS0_+80>
   0x00007ffff77c6d3e <+14>:	push   rbp
   0x00007ffff77c6d3f <+15>:	mov    rbp,rdi
   0x00007ffff77c6d42 <+18>:	push   rbx

Stack trace:
#  0 tinyxml2::XMLNode::InsertFirstChild(tinyxml2::XMLNode*) at 0x7ffff77c6d38 in /usr/lib/x86_64-linux-gnu/libtinyxml2.so.6.2.0
#  1 None at 0x7ffff7e0124a in /usr/lib/x86_64-linux-gnu/libsdformat11.so.11.3.0
#  2 None at 0x7ffff7e019f1 in /usr/lib/x86_64-linux-gnu/libsdformat11.so.11.3.0
#  3 None at 0x7ffff7e03066 in /usr/lib/x86_64-linux-gnu/libsdformat11.so.11.3.0
#  4 None at 0x7ffff7e02fe7 in /usr/lib/x86_64-linux-gnu/libsdformat11.so.11.3.0
#  5 None at 0x7ffff7e02fe7 in /usr/lib/x86_64-linux-gnu/libsdformat11.so.11.3.0
#  6 None at 0x7ffff7e03a6d in /usr/lib/x86_64-linux-gnu/libsdformat11.so.11.3.0
#  7 None at 0x7ffff7e6c0b1 in /usr/lib/x86_64-linux-gnu/libsdformat11.so.11.3.0
#  8 None at 0x7ffff7e665e4 in /usr/lib/x86_64-linux-gnu/libsdformat11.so.11.3.0
#  9 sdf::v11::readFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, sdf::v11::ParserConfig const&, std::shared_ptr<sdf::v11::SDF>, std::vector<sdf::v11::Error, std::allocator<sdf::v11::Error> >&) at 0x7ffff7e66be0 in /usr/lib/x86_64-linux-gnu/libsdformat11.so.11.3.0
# 10 sdf::v11::readFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, sdf::v11::ParserConfig const&, std::vector<sdf::v11::Error, std::allocator<sdf::v11::Error> >&) at 0x7ffff7e66d14 in /usr/lib/x86_64-linux-gnu/libsdformat11.so.11.3.0
# 11 sdf::v11::readFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<sdf::v11::Error, std::allocator<sdf::v11::Error> >&) at 0x7ffff7e66e0b in /usr/lib/x86_64-linux-gnu/libsdformat11.so.11.3.0
# 12 sdf::v11::readFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) at 0x7ffff7e66e7f in /usr/lib/x86_64-linux-gnu/libsdformat11.so.11.3.0
# 13 main at 0x555555562f34 in sdformat/examples/build/simple

Faulting frame: #  0 tinyxml2::XMLNode::InsertFirstChild(tinyxml2::XMLNode*) at 0x7ffff77c6d38 in /usr/lib/x86_64-linux-gnu/libtinyxml2.so.6.2.0
Description: Access violation near NULL on destination operand
Short description: DestAvNearNull (15/22)
Hash: 70782d025f66f1a0c4d1269e8e130916.9065aca7a494684805529ac0a0baa17c
Exploitability Classification: PROBABLY_EXPLOITABLE
Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control write address and/or value. However, it there is a chance it could be a NULL dereference.
Other tags: AccessViolation (21/22)

Thanks!

retpoline, Sep 17 '21 03:09
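A small triage script, added here as an example and not part of the report or of tinyxml2, that takes the register values and the faulting instruction from the log above (copied into the script as a constructed excerpt) and computes the effective address of the memory operand. It shows why si_addr is 8: rsi is 0 and the displacement is 0x8, and on x86-64 Linux rsi carries the second argument, here the addThis pointer passed to InsertFirstChild. It also records that cmp only reads its memory operand, so the "destination operand" heuristic in the exploitable output does not by itself imply a write.

```python
import re

# Constructed excerpt of the register dump and faulting instruction from the
# crash log above; only the lines this analysis needs are included.
REGISTER_DUMP = """\
rdi            0x5555558fb3e0      93824996062176
rsi            0x0                 0
rdx            0x7fffffffdae0      140737488345824
rip            0x7ffff77c6d38      0x7ffff77c6d38 <tinyxml2::XMLNode::InsertFirstChild(tinyxml2::XMLNode*)+8>
"""
FAULTING_INSN = "cmp    QWORD PTR [rsi+0x8],rdx"
SI_ADDR = 8  # "Signal si_addr: 8" from the log

# Instructions that never store to their memory operand, whichever position it
# occupies; a fault on one of these is a read, not a write.
READ_ONLY_MNEMONICS = {"cmp", "test"}


def parse_registers(dump):
    """Map register name -> integer value from a gdb 'info registers' dump."""
    regs = {}
    for line in dump.splitlines():
        m = re.match(r"^(\w+)\s+(0x[0-9a-f]+)", line)
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs


def parse_mem_operand(insn):
    """Return (mnemonic, base_reg, displacement, is_destination) for an
    Intel-syntax instruction with a single [base+disp] memory operand."""
    mnemonic, operands = insn.split(None, 1)
    m = re.search(r"\[(\w+)\s*([+-]\s*0x[0-9a-f]+)?\]", operands)
    base = m.group(1)
    disp = int(m.group(2).replace(" ", ""), 16) if m.group(2) else 0
    # In Intel syntax the first operand is the destination.
    is_dest = operands.lstrip().startswith(("QWORD PTR [", "DWORD PTR [", "["))
    return mnemonic, base, disp, is_dest


def triage(dump, insn, si_addr):
    """Recompute the faulting address and classify the access."""
    regs = parse_registers(dump)
    mnemonic, base, disp, is_dest = parse_mem_operand(insn)
    ea = regs[base] + disp
    if mnemonic in READ_ONLY_MNEMONICS:
        access = "read"
    else:
        access = "write" if is_dest else "read"
    return {"effective_address": ea, "matches_si_addr": ea == si_addr,
            "near_null": ea < 0x1000, "base_register": base,
            "base_is_null": regs[base] == 0, "access": access}
```

Running `triage(REGISTER_DUMP, FAULTING_INSN, SI_ADDR)` reproduces the faulting address 8 from rsi = 0 plus the 0x8 displacement and classifies the access as a near-NULL read.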