
Check null stack to prevent heap-buffer-overflow #299

Status: Open. Wants to merge 1 commit into base: master.

Commits on Jun 13, 2024

  1. Check null stack to prevent heap-buffer-overflow

    This patch adds a new macro STACK_NULL to check whether the given stack was initialized,
    in order to fix yaml#298, which is CVE-2024-35329.
    
    The root cause is that the stack (document->nodes) was used before it was initialized, so check the stack
    before push.
    
    According to the poc in [1], building it with
    `gcc poc.c -o poc -lyaml -fsanitize=address`
    
    Before this patch, the output is:
    [root@test yaml-0.2.5]# ./poc
    heap-buffer-overflow on libyaml/src/api.c:1274:10
    
    =================================================================
    ==3867981==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 64 byte(s) in 1 object(s) allocated from:
        #0 0x7f571f6af1a7 in __interceptor_malloc (/usr/lib64/libasan.so.6+0xaf1a7)
        #1 0x7f5720127ac9 in yaml_document_add_sequence /root/libxml/yaml-0.2.5/src/api.c:1271
    
    Direct leak of 22 byte(s) in 1 object(s) allocated from:
        #0 0x7f571f659707 in strdup (/usr/lib64/libasan.so.6+0x59707)
        #1 0x7f5720127ab7 in yaml_document_add_sequence /root/libxml/yaml-0.2.5/src/api.c:1268
    
    Direct leak of 1 byte(s) in 1 object(s) allocated from:
        #0 0x7f571f6af1a7 in __interceptor_malloc (/usr/lib64/libasan.so.6+0xaf1a7)
        #1 0x7f5720125762 in yaml_stack_extend /root/libxml/yaml-0.2.5/src/api.c:126
    
    SUMMARY: AddressSanitizer: 87 byte(s) leaked in 3 allocation(s).
    
    After this patch, there are no memory leak warnings.
    
    [1] https://drive.google.com/file/d/1xgQ9hJ7Sn5RVEsdMGvIy0s3b_bg3Wyk-/view?usp=sharing
    
    Signed-off-by: Zhao Mengmeng <[email protected]>
    Zhao Mengmeng committed Jun 13, 2024
    Commit 1c2f6b7
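The commit message describes the defensive pattern behind the fix: a pointer-based stack (start/top/end) that is pushed to before it was ever initialized, and a macro that refuses the push when the stack is still in its zeroed state. The following C program is an added illustration of that pattern and is not libyaml's code; the type `int_stack_t`, the macro `STACK_IS_NULL` and the functions `stack_init`, `stack_push`, `stack_del` and `stack_len` are hypothetical names chosen for this example and only mirror the start/top/end layout mentioned above. It shows that a zeroed, never-initialized stack is rejected cleanly instead of being written through, while an initialized stack grows and accepts pushes as expected.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal stack modelled on the start/top/end layout the
 * commit message refers to. Added illustration, not libyaml code. */
typedef struct {
    int *start; /* first element; NULL until stack_init() has run */
    int *top;   /* one past the last pushed element */
    int *end;   /* one past the allocated capacity */
} int_stack_t;

/* Hypothetical equivalent of the STACK_NULL check the commit adds:
 * a stack that was only zeroed, never initialized, has a NULL start. */
#define STACK_IS_NULL(stack) ((stack).start == NULL)

#define INITIAL_CAPACITY 4

/* Allocate the backing storage. Returns 1 on success, 0 on failure. */
int stack_init(int_stack_t *stack)
{
    stack->start = malloc(INITIAL_CAPACITY * sizeof(int));
    if (!stack->start) {
        stack->top = stack->end = NULL;
        return 0;
    }
    stack->top = stack->start;
    stack->end = stack->start + INITIAL_CAPACITY;
    return 1;
}

/* Release storage and return the stack to the "null" state. */
void stack_del(int_stack_t *stack)
{
    free(stack->start);
    stack->start = stack->top = stack->end = NULL;
}

/* Push one value. Refuses to touch a stack that was never initialized,
 * which is the check-before-push behaviour the patch introduces.
 * Returns 1 on success, 0 on failure. */
int stack_push(int_stack_t *stack, int value)
{
    if (STACK_IS_NULL(*stack))
        return 0; /* caller skipped stack_init(); do not grow or write */

    if (stack->top == stack->end) {
        size_t used = (size_t)(stack->top - stack->start);
        size_t cap = (size_t)(stack->end - stack->start);
        int *grown = realloc(stack->start, cap * 2 * sizeof(int));
        if (!grown)
            return 0;
        stack->start = grown;
        stack->top = grown + used;
        stack->end = grown + cap * 2;
    }
    *stack->top++ = value;
    return 1;
}

/* Number of elements currently on the stack (0 for an uninitialized one). */
size_t stack_len(const int_stack_t *stack)
{
    if (STACK_IS_NULL(*stack))
        return 0;
    return (size_t)(stack->top - stack->start);
}

/* A zeroed-but-uninitialized stack (like a document struct that was
 * memset to 0 but never passed through its initialize function) must be
 * rejected by push. Returns 1 when the push was correctly refused. */
int demo_uninitialized_push_rejected(void)
{
    int_stack_t stack;
    memset(&stack, 0, sizeof(stack));
    return stack_push(&stack, 42) == 0 && stack_len(&stack) == 0;
}

/* An initialized stack accepts pushes and grows past INITIAL_CAPACITY.
 * Returns 1 when ten pushes succeed and the contents are intact. */
int demo_initialized_push_ok(void)
{
    int_stack_t stack;
    int i, ok;
    if (!stack_init(&stack))
        return 0;
    ok = 1;
    for (i = 0; i < 10; i++)
        ok = ok && stack_push(&stack, i);
    ok = ok && stack_len(&stack) == 10 && stack.start[9] == 9;
    stack_del(&stack);
    return ok;
}

int main(void)
{
    printf("uninitialized push rejected: %d\n", demo_uninitialized_push_rejected());
    printf("initialized pushes ok:       %d\n", demo_initialized_push_ok());
    return 0;
}
```

Without the `STACK_IS_NULL` guard, `stack_push` on the zeroed stack would see `top == end` (both NULL), treat the capacity as zero and proceed to grow and write through pointers that were never set up; the guard turns that into an ordinary error return that the caller can report.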