983985 – (CVE-2016-4472) VUL-0: CVE-2016-4472: expat: Undefined behavior and pointer overflows

Bug 983985 (CVE-2016-4472) - VUL-0: CVE-2016-4472: expat: Undefined behavior and pointer overflows

Summary: VUL-0: CVE-2016-4472: expat: Undefined behavior and pointer overflows

Status:	RESOLVED FIXED

Alias:	CVE-2016-4472

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Major
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/169928/
Whiteboard:	CVSSv2:RedHat:CVE-2015-1283:5.1:(AV:N...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2016-06-09 13:53 UTC by Marcus Meissner
Modified:	2018-02-16 10:39 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2016-06-09 13:53:25 UTC

via rh bugzilla


It was found that original patch for issues CVE-2015-1283 and CVE-2015-2716 used overflow checks that could be optimized out by some compilers applying certain optimization settings, which can cause the vulnerability to remain even after applying the patch.

One pattern in the fix for CVE-2015-1283/CVE-2015-2716 is:

/* bufferSize is positive here */
do {
bufferSize *= 2;
} while (bufferSize < neededSize && bufferSize > 0);
if (bufferSize <= 0) {
errorCode = XML_ERROR_NO_MEMORY;
return NULL;

Any of the modern optimizing compiler, IF able to infer that bufferSize is initially positive (which is true but not obvious to see through local reasoning), will eliminate bufferSize > 0 as always true when the execution is defined, and bufferSize <= 0 as always false when the execution is defined.


Without knowing that bufferSize starts positive, an optimizing compiler could also move the test bufferSize > 0 out of the loop, that is, compile the code as if it had been written:

if (bufferSize <= 0)
errorCode = XML_ERROR_NO_MEMORY;
return NULL;
else {
do {
bufferSize *= 2;
} while (bufferSize < neededSize);
}

Both cases leads to not eliminating the vulnerability.

Upstream patch:

https://sourceforge.net/p/expat/code_git/ci/f0bec73b018caa07d3e75ec8dd967f3785d71bde/tree/expat/lib/xmlparse.c?diff=a238d7ea7a715ef3850c4cbdd86aeda7077b6bbc


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1344251
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4472

Comment 1 Swamp Workflow Management 2016-06-09 22:01:37 UTC

bugbot adjusting priority

Comment 2 Marcus Meissner 2016-06-10 09:26:14 UTC

(it is not clear if our fixes were miscompiled in that way)

Comment 3 Kristyna Streitova 2016-06-15 12:19:18 UTC

The updated patch for CVE-2015-1283 (the same issue as CVE-2015-2716) was already submitted (see bug 980391). However, CVE-2016-4472 was assigned after this submission.

Do we want to alter changelog and add a reference about CVE-2016-4472?

Comment 4 Marcus Meissner 2016-06-15 14:44:19 UTC

Can you alter the changelog on the next submission, the update was already released.


I confirmed the SLE11 and SLE12 expat updates are using this update code.

Comment 8 Marcus Meissner 2017-10-26 07:16:29 UTC

was released, but we forgot the tracking addition.