QTBUG-88246

[REG 5.15 -> 6.0] heap-use-after-free in QXmlStreamReader


Details

    • 43aaf74f606de6ec97cb3c06c4e6dcee242c01d7 (qt/qtbase/dev)

    Description

      1. Have a build of Qt configured with "-sanitize address".
      2. Use that to build the attached program.
      3. Run the program on the attached input data:
        ./report input.xml
        

        Address sanitizer will report a heap-use-after-free, see below.

      This does not happen with Qt 5.15.

      =================================================================
      ==56265==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000000728 at pc 0x000000832a43 bp 0x7ffee1bd69f0 sp 0x7ffee1bd69e8
      READ of size 1 at 0x619000000728 thread T0
          #0 0x832a42 in QXmlStreamReaderPrivate::parse() (/tmp/fuzzingqt6/build-xml/report+0x832a42)
          #1 0x852bd3 in QXmlStreamReader::readNext() (/tmp/fuzzingqt6/build-xml/report+0x852bd3)
          #2 0x4cb9da in main (/tmp/fuzzingqt6/build-xml/report+0x4cb9da)
          #3 0x7fedb34e90b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
          #4 0x420e6d in _start (/tmp/fuzzingqt6/build-xml/report+0x420e6d)
      
      0x619000000728 is located 424 bytes inside of 1152-byte region [0x619000000580,0x619000000a00)
      freed by thread T0 here:
          #0 0x4c967d in operator delete[](void*) (/tmp/fuzzingqt6/build-xml/report+0x4c967d)
          #1 0x8769c5 in QHashPrivate::Data<QHashPrivate::Node<QStringView, QXmlStreamReaderPrivate::Entity> >::rehash(unsigned long) (/tmp/fuzzingqt6/build-xml/report+0x8769c5)
          #2 0x873c01 in QHashPrivate::Data<QHashPrivate::Node<QStringView, QXmlStreamReaderPrivate::Entity> >::findOrInsert(QStringView const&) (/tmp/fuzzingqt6/build-xml/report+0x873c01)
          #3 0x873253 in QHash<QStringView, QXmlStreamReaderPrivate::Entity>::iterator QHash<QStringView, QXmlStreamReaderPrivate::Entity>::emplace<QXmlStreamReaderPrivate::Entity const&>(QStringView&&, QXmlStreamReaderPrivate::Entity const&) (/tmp/fuzzingqt6/build-xml/report+0x873253)
          #4 0x829994 in QXmlStreamReaderPrivate::parse() (/tmp/fuzzingqt6/build-xml/report+0x829994)
          #5 0x852bd3 in QXmlStreamReader::readNext() (/tmp/fuzzingqt6/build-xml/report+0x852bd3)
          #6 0x4cb9da in main (/tmp/fuzzingqt6/build-xml/report+0x4cb9da)
          #7 0x7fedb34e90b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
      
      previously allocated by thread T0 here:
          #0 0x4c8e2d in operator new[](unsigned long) (/tmp/fuzzingqt6/build-xml/report+0x4c8e2d)
          #1 0x875741 in QHashPrivate::Span<QHashPrivate::Node<QStringView, QXmlStreamReaderPrivate::Entity> >::addStorage() (/tmp/fuzzingqt6/build-xml/report+0x875741)
          #2 0x873f3f in QHashPrivate::Data<QHashPrivate::Node<QStringView, QXmlStreamReaderPrivate::Entity> >::findOrInsert(QStringView const&) (/tmp/fuzzingqt6/build-xml/report+0x873f3f)
          #3 0x873253 in QHash<QStringView, QXmlStreamReaderPrivate::Entity>::iterator QHash<QStringView, QXmlStreamReaderPrivate::Entity>::emplace<QXmlStreamReaderPrivate::Entity const&>(QStringView&&, QXmlStreamReaderPrivate::Entity const&) (/tmp/fuzzingqt6/build-xml/report+0x873253)
          #4 0x855448 in QXmlStreamReaderPrivate::QXmlStreamReaderPrivate(QXmlStreamReader*) (/tmp/fuzzingqt6/build-xml/report+0x855448)
          #5 0x84faaf in QXmlStreamReader::QXmlStreamReader(QByteArray const&) (/tmp/fuzzingqt6/build-xml/report+0x84faaf)
          #6 0x4cb91b in main (/tmp/fuzzingqt6/build-xml/report+0x4cb91b)
          #7 0x7fedb34e90b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
      
      SUMMARY: AddressSanitizer: heap-use-after-free (/tmp/fuzzingqt6/build-xml/report+0x832a42) in QXmlStreamReaderPrivate::parse()
      Shadow bytes around the buggy address:
        0x0c327fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c327fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c327fff80b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c327fff80c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c327fff80d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      =>0x0c327fff80e0: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
        0x0c327fff80f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c327fff8100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c327fff8110: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c327fff8120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c327fff8130: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==56265==ABORTING
      

      Attachments

        1. input.xml
          0.1 kB
          Robert Löhning
        2. main.cpp
          0.3 kB
          Robert Löhning
        3. report.pro
          0.1 kB
          Robert Löhning
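The freeing stack in the report is a QHash rehash triggered from emplace() inside parse(), and the later read is also inside parse(), which is the signature of a reference into hash node storage being held across an insert that grows the table. Qt 6's QHash, unlike Qt 5's, may invalidate references and iterators on insert, which would account for the 5.15 -> 6.0 regression. The following is an added illustration of that pattern in plain C++; it is not Qt's code and not the attached main.cpp, Entity, EntityTable, insertGrowsStorage, expandUnsafely and expandSafely are constructed stand-ins, and reading the trace this way is an assumption, not something confirmed by the fix.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Constructed stand-in for a hash node. QXmlStreamReaderPrivate::Entity in
// the trace above is the real type; this one exists only for illustration.
struct Entity {
    std::string name;
    std::string value;
};

// Hypothetical table whose node storage is reallocated when it grows, the
// way the trace shows QHashPrivate::Data<...>::rehash() freeing the old
// storage during emplace(). Assumed for the example; not Qt's QHash.
class EntityTable {
public:
    // Returns a reference into node storage; it is valid only until the
    // next insert that grows (rehashes) the table.
    Entity &insert(const std::string &name, const std::string &value) {
        nodes_.push_back(Entity{name, value});
        return nodes_.back();
    }
    Entity *find(const std::string &name) {
        for (Entity &e : nodes_)
            if (e.name == name) return &e;
        return nullptr;
    }
    std::size_t capacity() const { return nodes_.capacity(); }

private:
    std::vector<Entity> nodes_;
};

// Returns true when inserting `extra` further entries grew the storage the
// first entry lives in, i.e. when a reference to "amp" taken before the
// loop would now point into freed memory.
bool insertGrowsStorage(std::size_t extra) {
    EntityTable table;
    table.insert("amp", "&");
    const std::size_t before = table.capacity();
    for (std::size_t i = 0; i < extra; ++i)
        table.insert("e" + std::to_string(i), "x");
    return table.capacity() != before;
}

// The pattern the sanitizer report describes: keep a reference across an
// insert that reallocates, then read through it. Deliberately wrong and
// never called here; built with -sanitize address it reports a
// heap-use-after-free on the final read.
std::string expandUnsafely() {
    EntityTable table;
    Entity &amp = table.insert("amp", "&");          // reference into node storage
    for (int i = 0; i < 64; ++i)
        table.insert("e" + std::to_string(i), "x");  // grows, frees the old nodes
    return amp.value;                                // read of freed memory
}

// Hardened form: copy the value out before inserting, or look the entry up
// again afterwards. Never hold a reference across an insert.
std::string expandSafely() {
    EntityTable table;
    std::string ampValue = table.insert("amp", "&").value;  // copy, not a reference
    for (int i = 0; i < 64; ++i)
        table.insert("e" + std::to_string(i), "x");
    Entity *amp = table.find("amp");                        // fresh lookup
    return amp ? amp->value + ampValue : std::string();
}
```

The growth check uses capacity rather than comparing addresses so that it is deterministic; the point of the unsafe variant is that the reference itself is the bug, and the fix is structural (copy or re-lookup), not a bounds check.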

          People

            manordheim Mårten Nordheim
            rlohning Robert Löhning