
XML fuzzing memory leak #4905


Open
obiltschnig opened this issue Mar 22, 2025 · 3 comments

Comments

@obiltschnig
Member

https://issues.oss-fuzz.com/issues/405192526

Reference Info: 405192526 poco:xml_parser_fuzzer: Direct-leak in processInternalEntity
component: Public Trackers > 1362134 > OSS Fuzz
status: New
reporter: 87...@developer.gserviceaccount.com
cc: Ad...@adalogics.com, al...@pocoproject.org, [email protected]
collaborators: co...@oss-fuzz.com
type: Bug
access level: Limited visibility
priority: P2
severity: S4
hotlist: Reproducible, Stability-Memory-AddressSanitizer, Stability-Memory-LeakSanitizer
retention: Component default
Project: poco
Reported: Mar 21, 2025

87...@developer.gserviceaccount.com added comment #1:
Detailed Report: https://oss-fuzz.com/testcase?key=4684169896853504

Project: poco
Fuzzing Engine: libFuzzer
Fuzz Target: xml_parser_fuzzer
Job Type: libfuzzer_asan_poco
Platform Id: linux

Crash Type: Direct-leak
Crash Address:
Crash State:
processInternalEntity
doContent
internalEntityProcessor

Sanitizer: address (ASAN)

Regressed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_poco&range=202408050612:202408060606

Reproducer Testcase: https://oss-fuzz.com/download?testcase_id=4684169896853504

Issue filed automatically.

See https://google.github.io/oss-fuzz/advanced-topics/reproducing for instructions to reproduce this bug locally.
When you fix this bug, please

  • mention the fix revision(s).
  • state whether the bug was a short-lived regression or an old bug in any stable releases.
  • add any other useful information.
    This information can help downstream consumers.

If you need to contact the OSS-Fuzz team with a question, concern, or any other feedback, please file an issue at https://github.com/google/oss-fuzz/issues. Comments on individual Monorail issues are not monitored.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without an upstream patch, then the bug report will automatically become visible to the public.

@obiltschnig
Member Author

LAST TESTED STACKTRACE ON REVISION 057A5294A33AC9D199DEB27D10809243A91864A7 (61 LINES)
[Environment] ASAN_OPTIONS=exitcode=77
+----------------------------------------Release Build Stacktrace----------------------------------------+
Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c -n /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_poco_1db3fa9809868c4ff79e01d98ba23512768546d9/revisions/xml_parser_fuzzer -rss_limit_mb=2560 -timeout=60 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/leak-eb5e1adc319333cb7590d384990b5fbead127185
Time ran: 0.06768560409545898
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1018926440
INFO: Loaded 1 modules   (29834 inline 8-bit counters): 29834 [0x57cacb6caa08, 0x57cacb6d1e92),
INFO: Loaded 1 PC tables (29834 PCs): 29834 [0x57cacb6d1e98,0x57cacb746738),
/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_poco_1db3fa9809868c4ff79e01d98ba23512768546d9/revisions/xml_parser_fuzzer: Running 1 inputs 100 time(s) each.
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/leak-eb5e1adc319333cb7590d384990b5fbead127185
=================================================================
==396==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 40 byte(s) in 1 object(s) allocated from:
    #0 0x57cacb341ccf in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
    #1 0x57cacb3cbb76 in processInternalEntity(XML_ParserStruct*, ENTITY*, unsigned char) poco/XML/src/xmlparse.cpp:5863:35
    #2 0x57cacb3d1a65 in doContent(XML_ParserStruct*, int, encoding const*, char const*, char const*, char const**, unsigned char, XML_Account) poco/XML/src/xmlparse.cpp:2987:18
    #3 0x57cacb3e0abd in internalEntityProcessor(XML_ParserStruct*, char const*, char const*, char const**) poco/XML/src/xmlparse.cpp:5938:14
    #4 0x57cacb3b620e in callProcessor(XML_ParserStruct*, char const*, char const*, char const**) poco/XML/src/xmlparse.cpp:1049:30
    #5 0x57cacb3b620e in XML_ResumeParser poco/XML/src/xmlparse.cpp:2299:25
    #6 0x57cacb3a1b20 in Poco::XML::XMLStreamParser::nextBody() poco/XML/src/XMLStreamParser.cpp:596:11
    #7 0x57cacb39cd6e in Poco::XML::XMLStreamParser::nextImpl(bool) poco/XML/src/XMLStreamParser.cpp:390:14
    #8 0x57cacb3824d6 in Poco::XML::XMLStreamParser::Iterator::operator++() poco/XML/include/Poco/XML/XMLStreamParser.h:146:18
    #9 0x57cacb3824d6 in LLVMFuzzerTestOneInput poco/XML/fuzzing/XMLParse.cpp:78:37
    #10 0x57cacb235f00 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #11 0x57cacb221175 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #12 0x57cacb226c0f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #13 0x57cacb251eb2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #14 0x7c4732357082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/libc-start.c:308:16
================================================================================
The following leaks are not necessarily related to the first leak.
SUMMARY: AddressSanitizer: 40 byte(s) leaked in 1 allocation(s).
INFO: a leak has been found in the initial corpus.
INFO: to ignore leaks on libFuzzer side use -detect_leaks=0.
+----------------------------------------Release Build Unsymbolized Stacktrace (diff)----------------------------------------+
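To triage a report like the one above, a small parser for LeakSanitizer output that recovers the leak size and the three-frame crash state the way it appears in the ClusterFuzz summary (processInternalEntity, doContent, internalEntityProcessor). This is an added example, not code from Poco or OSS-Fuzz; the sample input is an excerpt of the stack trace quoted in this issue, and the set of ignored frame prefixes is an assumption about how triage filters non-project frames.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
# Frames skipped when deriving the crash state (assumed filter): the allocator
# interceptor that recorded the allocation, the libFuzzer driver and the C runtime entry.
IGNORED_PREFIXES = ("__interceptor_", "__sanitizer", "fuzzer::", "__libc_start_main")
LEAK_RE = re.compile(r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\) allocated from:$")
# Symbolized frame: "#N 0xADDR in <function(signature)> <file:line[:col]>"
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-fA-F]+\s+in\s+(.+?)\s+(\S+:\d+(?::\d+)?)\s*$")

@dataclass
class Leak:
    kind: str       # "Direct" or "Indirect"
    nbytes: int
    objects: int
    frames: List[Tuple[str, str]] = field(default_factory=list)  # (function, file:line), innermost first

    def project_frames(self) -> List[Tuple[str, str]]:
        return [f for f in self.frames if f[0] != "main" and not f[0].startswith(IGNORED_PREFIXES)]

    def crash_state(self, depth: int = 3) -> List[str]:
        # Top `depth` project functions, the way the report's "Crash State" is derived.
        return [func for func, _ in self.project_frames()][:depth]

def parse_lsan_report(text: str) -> List[Leak]:
    # Collect every "Direct/Indirect leak" block together with its symbolized stack.
    leaks: List[Leak] = []
    current: Optional[Leak] = None
    for line in text.splitlines():
        m = LEAK_RE.match(line)
        if m:
            current = Leak(m.group(1), int(m.group(2)), int(m.group(3)))
            leaks.append(current)
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            func = m.group(1).split("(", 1)[0].strip()   # drop the C++ signature
            current.frames.append((func, m.group(2)))
        else:
            current = None                                # any other line ends the stack
    return leaks

# Excerpt of the LeakSanitizer output quoted in this issue (constructed sample input).
SAMPLE_REPORT = """\
Direct leak of 40 byte(s) in 1 object(s) allocated from:
    #0 0x57cacb341ccf in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
    #1 0x57cacb3cbb76 in processInternalEntity(XML_ParserStruct*, ENTITY*, unsigned char) poco/XML/src/xmlparse.cpp:5863:35
    #2 0x57cacb3d1a65 in doContent(XML_ParserStruct*, int, encoding const*, char const*, char const*, char const**, unsigned char, XML_Account) poco/XML/src/xmlparse.cpp:2987:18
    #3 0x57cacb3e0abd in internalEntityProcessor(XML_ParserStruct*, char const*, char const*, char const**) poco/XML/src/xmlparse.cpp:5938:14
"""
```

The first entry of `project_frames()` is the place to open in the source when reading the leak: here xmlparse.cpp:5863, the line the maintainer's comment traces back to the Expat code rewritten for CVE-2024-8176.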

@obiltschnig
Member Author

obiltschnig commented Mar 24, 2025

This is an Expat issue, apparently fixed in 2.7.0. Looks like that specific part in xmlparse.c has been rewritten as part of the fix for CVE-2024-8176.

Was able to reproduce with 1.14.0, but not with current main/1.14.2.

@matejk matejk moved this to Done in 1.14 Mar 24, 2025
@obiltschnig
Member Author

Changed
status: New → Verified
assignee: → cl...@appspot.gserviceaccount.com
verifier: → cl...@appspot.gserviceaccount.com

87...@developer.gserviceaccount.com added comment #2:
ClusterFuzz testcase 4684169896853504 is verified as fixed in https://oss-fuzz.com/revisions?job=libfuzzer_asan_poco&range=202503230614:202503240622
