
UAF DOM\XMLDocument xinclude #17467

Closed
YuanchengJiang opened this issue Jan 14, 2025 · 4 comments

Comments

@YuanchengJiang

Description

The following code:

```php
<?php
// Reproducer as posted: it rewrites the href targets of php-src's own
// ext/dom/tests/xinclude.xml test fixture so that each include points at a
// compress.zlib:// URI with a 9,000,000-character path, then resolves the
// includes via Dom\XMLDocument::xinclude() (PHP 8.4+). Run from ext/dom/tests/
// (or any directory holding a copy of xinclude.xml) under an ASan build.
$a = str_repeat("/", 9000000);
$fusion = $a;
$data = file_get_contents(__DIR__."/xinclude.xml");
$data = str_replace('compress.zlib://ext/dom/tests/','compress.zlib://'.$fusion."/", $data);
$dom = Dom\XMLDocument::createFromString($data);
$dom->xinclude();
```

Resulted in this output:

SUMMARY: AddressSanitizer: heap-use-after-free (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x623707) in printf_common(void*, char const*, __va_list_tag*)
Shadow bytes around the buggy address:
  0x0fe5c397ecb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe5c397ecc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe5c397ecd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe5c397ece0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe5c397ecf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0fe5c397ed00:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe5c397ed10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe5c397ed20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe5c397ed30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe5c397ed40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe5c397ed50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3304633==ABORTING

PHP Version

nightly

Operating System

No response

@nielsdos
Member

@YuanchengJiang You found an old libxml bug, not a PHP bug. This libxml bug was fixed in GNOME/libxml2@5a19e21. It appears your distro has an older version of libxml and has not backported that commit.

@nielsdos nielsdos closed this as not planned on Jan 14, 2025
@nwellnhof

nwellnhof commented Jan 15, 2025

This issue was found and fixed in libxml2 when improving handling of malloc failures. I didn't realize at the time that it can also arise without a malloc failure. It was fixed in 2.11.0, but older versions are still vulnerable. It might be a good idea to request a CVE ID, so it will be patched in older distros. I have requested a CVE ID, so it will be patched in older distros.

@nielsdos
Member

Thanks Nick!

@carnil

carnil commented Jan 26, 2025

CVE-2022-49043 has been assigned.
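The practical takeaway from the thread is that the crash is in libxml2 below 2.11.0 (CVE-2022-49043), and that a distro may ship an older version number with or without the fix backported. The script below is an added example, not code from the issue or from php-src, showing how a PHP 8.4 application can gate Dom\XMLDocument::xinclude() on the linked libxml2 version before resolving includes in untrusted input. The function names libxmlHasXincludeFix and loadWithXinclude, the $assumeBackported override (for distros that backported the commit without bumping the version), and the embedded XML document are assumptions made for this example; LIBXML_VERSION, LIBXML_DOTTED_VERSION, LIBXML_NONET and Dom\XMLDocument::createFromString(string, int) are real PHP constants and APIs.

```php
<?php
declare(strict_types=1);

// Added example (not from the issue thread). Refuse to run xinclude() on
// untrusted documents unless the libxml2 linked into this PHP build is at
// least 2.11.0, the first release carrying the upstream fix for CVE-2022-49043.
//
// LIBXML_VERSION encodes the linked library as major*10000 + minor*100 + patch,
// so 2.11.0 is 21100. A distro that backports the fix without changing the
// version cannot be detected this way; $assumeBackported exists for operators
// who have verified that from their distro's changelog.

const LIBXML_XINCLUDE_FIX_VERSION = 21100; // libxml2 2.11.0

/** True when the linked libxml2 is new enough, or the operator vouches for a backport. */
function libxmlHasXincludeFix(int $linked = LIBXML_VERSION, bool $assumeBackported = false): bool
{
    return $assumeBackported || $linked >= LIBXML_XINCLUDE_FIX_VERSION;
}

/**
 * Parse $xml and resolve its XIncludes, but only on a fixed libxml2.
 * Network fetches are disabled with LIBXML_NONET so that an include can only
 * reach local resources; the throw is the hard stop for vulnerable builds.
 */
function loadWithXinclude(string $xml, bool $assumeBackported = false): Dom\XMLDocument
{
    if (!libxmlHasXincludeFix(LIBXML_VERSION, $assumeBackported)) {
        throw new RuntimeException(sprintf(
            'Refusing xinclude(): libxml2 %s is older than 2.11.0 (CVE-2022-49043)',
            LIBXML_DOTTED_VERSION
        ));
    }
    $doc = Dom\XMLDocument::createFromString($xml, LIBXML_NONET);
    $doc->xinclude();
    return $doc;
}

// Constructed input for a stand-alone run: the href is deliberately missing
// so that xinclude() takes the <xi:fallback> branch without touching the
// network or any real file.
$sample = <<<'XML'
<?xml version="1.0"?>
<config xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include href="does-not-exist.xml">
    <xi:fallback><setting name="mode">fallback</setting></xi:fallback>
  </xi:include>
</config>
XML;

printf("linked libxml2: %s (LIBXML_VERSION=%d)\n", LIBXML_DOTTED_VERSION, LIBXML_VERSION);
printf("xinclude fix present: %s\n", libxmlHasXincludeFix() ? 'yes' : 'no');

try {
    $doc = loadWithXinclude($sample);
    // On a fixed build the include has been replaced by its fallback content.
    echo $doc->saveXml(), "\n";
} catch (RuntimeException $e) {
    // On a vulnerable build nothing is parsed with xinclude(); log and stop.
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

The version check is a floor, not proof of safety: an unfixed 2.10.x that a vendor has patched will be refused, and a vendor build that reports 2.11.x but was built from unpatched sources is not something PHP can see. Where xinclude() is not actually needed, the simplest mitigation is to never call it on attacker-controlled documents at all.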
