From 66e6f8700959f7a54056ed7946c179d808e838e8 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Thu, 25 Apr 2024 09:26:04 -0400 Subject: [PATCH] Address segfault found in CVE-2023-52425 The CVE addresses a possible DoS when unreasonably large tokens are passed into the XML parser for processing. These were taking upwards of 8 seconds per file processed with the exception of aaaaaa_cdata.xml which caused a segmentation fault. The XML processor was effectively losing the start of the string, setting it to NULL. This caused a cascade of errors trying to parse both the next token and in handling errors if a new token was not found. This handles both those cases but not the underlying reason why the pointer to inputStart is lost. Trying to backport the libexpat changes to address the performance issue would be enormous since the xmlrpc-c custom version of libexpat is extremely old. Since xmlrpc-c is mostly used as a client passing in random values is less of an issue. Include the libexpat upstream benchmark test to validate that the tests pass, albeit slowly. To run the benchmarks: extract the sources cd xmlrpc-c-1.51.0 make cd test make cd benchmark for file in *.xml; do ./benchmark $file 4096 1; done One test will error out but this is expected as part of the fix. The tests will be extracted as a Source because of their uncompressed size (~48M) Fixes: RHEL-24226 --- lib/expat/xmlparse/xmlparse.c | 3 +++ lib/expat/xmltok/xmltok_impl.c | 4 ++++ test/Makefile | 7 +++++-- 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c index 16ab82a..6621d18 100644 --- a/lib/expat/xmlparse/xmlparse.c +++ b/lib/expat/xmlparse/xmlparse.c @@ -35,6 +35,9 @@ extractXmlSample(const char * const start, size_t const maximumLen) { size_t const len = MIN(maximumLen, (size_t)(end - start)); + if (start == NULL) { + return strdup(""); + } return xmlrpc_makePrintable_lp(start, len); } diff --git a/lib/expat/xmltok/xmltok_impl.c b/lib/expat/xmltok/xmltok_impl.c index bae79b9..80da94f 100644 --- a/lib/expat/xmltok/xmltok_impl.c +++ b/lib/expat/xmltok/xmltok_impl.c @@ -871,6 +871,10 @@ PREFIX(contentTok)(const ENCODING * const enc, */ PREFIX(chopToWholeCharacters)(inputStart, inputEnd, &end); + if (inputStart == NULL) { + *nextTokPtr = NULL; + return XML_TOK_INVALID; + } if (end == inputStart) { *nextTokPtr = inputStart; return XML_TOK_PARTIAL; diff --git a/test/Makefile b/test/Makefile index 4fce824..1242910 100644 --- a/test/Makefile +++ b/test/Makefile @@ -7,7 +7,7 @@ SUBDIR := test include $(BLDDIR)/config.mk -SUBDIRS = cpp +SUBDIRS = cpp benchmark XMLRPC_C_CONFIG = $(BLDDIR)/xmlrpc-c-config.test @@ -98,11 +98,14 @@ runtests_local: test cgitest1 ./test .PHONY: runtests -runtests: runtests_local cpp/runtests +runtests: runtests_local cpp/runtests benchmark/runtests cpp/runtests: FORCE $(MAKE) -C $(dir $@) $(notdir $@) +benchmark/runtests: + $(MAKE) -C $(dir $@) $(notdir $@) + .PHONY: install install: -- 2.42.0