Bug 1184025 - libxml2 segfaults in xmlCtxtReadFile() even with simplest XML
Summary: libxml2 segfaults in xmlCtxtReadFile() even with simplest XML
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: zlib
Version: 6.7
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
: ---
Assignee: Jan Chaloupka
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Duplicates: 921493 1183215 1183217 1184243 1185089
Depends On:
Blocks: 987194
Reported: 2015-01-20 13:18 UTC by Martin Kletzander
Modified: 2015-03-26 08:14 UTC
CC List: 7 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-26 08:14:39 UTC
Target Upstream Version:
Embargoed:



Description Martin Kletzander 2015-01-20 13:18:04 UTC
Description of problem:
When trying to parse an XML, there's some invalid address being used in strncmp().

Version-Release number of selected component (if applicable):
both following packages have the same problem:
 libxml2-2.7.6-14.el6.x86_64
 libxml2-2.7.6-17.el6_6.1.x86_64
*But* this happens after an upgrade to the latest packages, and libxml2 was not part of the upgrade!  I'm assigning this to libxml2 as I don't know where else to track it (see the backtrace below).

How reproducible:
100%

Steps to Reproduce:
1.

$ cat >test.c <<EOF
#include <stdio.h>
#include <stdlib.h>
#include <libxml/parser.h>

/* Minimal reproducer: parse one file through a fresh parser context.
 * Exits 0 if the document parses, non-zero otherwise. */
int
main(int argc, char **argv)
{
    int ret = EXIT_FAILURE;
    xmlDocPtr doc = NULL;
    xmlParserCtxtPtr ctx = xmlNewParserCtxt();

    if (!ctx || !ctx->sax)
        goto cleanup;

    if (argc != 2)
        goto cleanup;

    /* The crash happens inside this call (see the backtrace below). */
    doc = xmlCtxtReadFile(ctx, argv[1], NULL,
                          XML_PARSE_NONET | XML_PARSE_NOWARNING);

    if (!doc)
        goto cleanup;

    ret = EXIT_SUCCESS;
 cleanup:
    if (doc)
        xmlFreeDoc(doc);
    if (ctx)
        xmlFreeParserCtxt(ctx);
    return ret;
}
EOF

2.
$ cat >dummy.xml <<EOF
<dummy/>
EOF

3.
$ gcc -pedantic -pedantic-errors -Wall -Werror $(pkg-config --libs --cflags libxml-2.0) test.c -ggdb -o test

4.
$ ./test dummy.xml

Actual results:
Segmentation fault (core dumped)

Expected results:
Doesn't crash and returns 0 (as it does on RHEL7 for example).

Additional info:
This is an isolation of a problem where the libvirt daemon cannot start.  It fails when the qemu driver tries to parse the default network's XML.

Here's a full bt:

$ gdb --args ./test dummy.xml
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-75.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /root/test...done.
(gdb) r
Starting program: /root/test dummy.xml

Program received signal SIGSEGV, Segmentation fault.
__strncmp_ssse3 () at ../sysdeps/x86_64/strcmp.S:214
214		movlpd	(%rsi), %xmm2
(gdb) bt full
#0  __strncmp_ssse3 () at ../sysdeps/x86_64/strcmp.S:214
No locals.
#1  0x000000343545e885 in __xmlParserInputBufferCreateFilename (URI=<value optimized out>, 
    enc=XML_CHAR_ENCODING_NONE) at xmlIO.c:2525
        cptr = 0x700001c4f <Address 0x700001c4f out of bounds>
        buff4 = "<dum"
        ret = 0x602700
        i = <value optimized out>
        context = 0x6025f0
#2  0x000000343543380d in xmlNewInputFromFile__internal_alias (ctxt=0x601010, filename=0x7fffffffe8a7 "dummy.xml")
    at parserInternals.c:1549
        buf = <value optimized out>
        inputStream = <value optimized out>
        directory = 0x0
        URI = 0x0
#3  0x000000343544bebb in xmlCtxtReadFile__internal_alias (ctxt=0x601010, filename=0x7fffffffe8a7 "dummy.xml", 
    encoding=0x0, options=<value optimized out>) at parser.c:15220
        stream = <value optimized out>
#4  0x0000000000400769 in main (argc=2, argv=0x7fffffffe648) at test.c:18
        ret = 1
        doc = 0x0
        ctx = 0x601010

Comment 1 Daniel Veillard 2015-01-21 11:34:16 UTC
Weird I cannot reproduce this here, and I think with such a bug no regtests
would have ever passed, I wonder what is going on, maybe the old zlib / libxml2
bug

server:~ -> gcc -pedantic -pedantic-errors -Wall -Werror $(pkg-config --libs --cflags libxml-2.0) test.c -ggdb -o test
server:~ -> ./test dummy.xml
server:~ -> rpm -q libxml2
libxml2-2.7.6-17.el6_6.1.x86_64
server:~ -> ldd ./test
	linux-vdso.so.1 =>  (0x00007fffe8deb000)
	libxml2.so.2 => /usr/lib64/libxml2.so.2 (0x00000033d0e00000)
	libc.so.6 => /lib64/libc.so.6 (0x00000033c6600000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00000033c7200000)
	libz.so.1 => /lib64/libz.so.1 (0x00000033c7a00000)
	libm.so.6 => /lib64/libm.so.6 (0x00000033c6a00000)
	/lib64/ld-linux-x86-64.so.2 (0x00000033c6200000)
server:~ -> rpm -qf /lib64/libz.so.1
zlib-1.2.3-29.el6.x86_64
server:~ -> 

Daniel

Comment 2 Martin Kletzander 2015-01-21 11:40:10 UTC
The problem exists with zlib-1.2.5-2.el6.x86_64 and downgrading to zlib-1.2.3-29.el6.x86_64 fixes the problem.  Moving to zlib.

Comment 3 Ondrej Vasik 2015-01-21 18:58:40 UTC
*** Bug 1183217 has been marked as a duplicate of this bug. ***

Comment 6 Jan Chaloupka 2015-01-21 21:27:48 UTC
After some inspection, this is a libxml2 bug. Patch is at [1]. The crash is reproducible from zlib-1.2.4 on, due to the rebase from zlib-1.2.3 to zlib-1.2.5.

libxml2 is not on the ACL for rhel-6.7. If this issue does not get fixed, I cannot rebase zlib, which already has all acks on.

[1] http://osdir.com/ml/svn-commits-list/2010-01/msg05723.html

Comment 7 Daniel Veillard 2015-01-22 02:58:23 UTC
it's a tie between libxml2 and zlib, they cannot be updated independently.

If you apply the patch and don't update zlib it breaks; if you don't apply
the patch you can't update zlib.

I don't know how Martin ended up with a zlib-1.2.5 but we absolutely must not
update zlib in RHEL-6 to a newer version or all libxml2 apps will break.
Issue known for a long time.

Martin how did you end up with zlib-1.2.5 on a RHEL-6 machine, this MUST not
happen.

Daniel
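
Comments 6 and 7 pin the crash to a package pairing rather than to either package alone: zlib 1.2.4 or newer loaded next to the RHEL 6 libxml2 2.7.6 build. The diagnostic the thread itself uses (ldd the binary, rpm -qf the libz it loads, compare versions) is easy to turn into a preflight check for a fleet before a zlib update goes out. The following is an added example, not code from this bug report, Red Hat, libxml2 or zlib. It runs on constructed input modelled on the ldd and rpm output in comment 1; a dict stands in for `rpm -qf`. Assumptions of the example: zlib 1.2.4 as the first affected release (comment 6), 2.7.7 as the first libxml2 release carrying the upstream fix (verify against your build's changelog), and a simplified rpmvercmp that omits the tilde and caret rules.

```python
"""Preflight check for the zlib/libxml2 pairing from bug 1184025 (added example)."""
import re

# NEVRA as printed by `rpm -q`: name-version-release.arch
NEVRA = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$")

ZLIB_FIRST_BAD = "1.2.4"      # comment 6: crash reproducible from zlib-1.2.4
LIBXML2_FIXED_MIN = "2.7.7"   # assumption: first upstream libxml2 with the fix


def rpm_segments(version):
    """Split a version into the numeric and alphabetic runs rpmvercmp compares."""
    return re.findall(r"[0-9]+|[A-Za-z]+", version)


def rpmvercmp(a, b):
    """Compare two RPM version strings; returns -1, 0 or 1 like rpmvercmp.

    Simplified: numeric segments compare as integers, alphabetic ones as
    strings, a numeric segment beats an alphabetic one, and the string with
    segments left over wins. Tilde/caret handling is omitted.
    """
    sa, sb = rpm_segments(a), rpm_segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def parse_nevra(pkg):
    """'zlib-1.2.5-2.el6.x86_64' -> {'name': 'zlib', 'version': '1.2.5', ...}."""
    m = NEVRA.match(pkg)
    if not m:
        raise ValueError("not a NEVRA string: %r" % pkg)
    return m.groupdict()


def loaded_path(ldd_output, soname):
    """Return the path ldd resolved `soname` to, or None if it is not linked."""
    for line in ldd_output.splitlines():
        m = re.match(r"\s*%s\s*=>\s*(\S+)" % re.escape(soname), line)
        if m:
            return m.group(1)
    return None


def zlib_breaks_libxml2(zlib_pkg, libxml2_pkg):
    """True when this zlib/libxml2 pair is the crashing combination."""
    z = parse_nevra(zlib_pkg)
    x = parse_nevra(libxml2_pkg)
    return (rpmvercmp(z["version"], ZLIB_FIRST_BAD) >= 0
            and rpmvercmp(x["version"], LIBXML2_FIXED_MIN) < 0)


def check_host(ldd_output, rpm_qf, libxml2_pkg):
    """Which libz does the binary load, which package owns it, and does that
    package crash the installed libxml2?  `rpm_qf` stands in for `rpm -qf`
    (a path -> NEVRA dict here).  Returns (zlib_package, affected), or
    (None, False) if libz.so.1 is not linked at all."""
    path = loaded_path(ldd_output, "libz.so.1")
    if path is None:
        return None, False
    zlib_pkg = rpm_qf[path]
    return zlib_pkg, zlib_breaks_libxml2(zlib_pkg, libxml2_pkg)


# Constructed input modelled on the ldd/rpm output in comments 1 and 2.
LDD_OUTPUT = """\
\tlinux-vdso.so.1 =>  (0x00007fffe8deb000)
\tlibxml2.so.2 => /usr/lib64/libxml2.so.2 (0x00000033d0e00000)
\tlibc.so.6 => /lib64/libc.so.6 (0x00000033c6600000)
\tlibz.so.1 => /lib64/libz.so.1 (0x00000033c7a00000)
\t/lib64/ld-linux-x86-64.so.2 (0x00000033c6200000)
"""
GOOD_HOST = {"/lib64/libz.so.1": "zlib-1.2.3-29.el6.x86_64"}   # comment 1
BAD_HOST = {"/lib64/libz.so.1": "zlib-1.2.5-2.el6.x86_64"}     # comment 2
LIBXML2 = "libxml2-2.7.6-17.el6_6.1.x86_64"

if __name__ == "__main__":
    for label, host in (("comment 1 host", GOOD_HOST), ("comment 2 host", BAD_HOST)):
        pkg, affected = check_host(LDD_OUTPUT, host, LIBXML2)
        print("%s: %s -> %s" % (label, pkg, "CRASHES" if affected else "ok"))
```

The point of keying on the loaded path rather than on `rpm -q zlib` is that a binary can pick up a libz from an RPATH, LD_LIBRARY_PATH or a sideloaded copy that rpm does not own; on a real host, replace the dict lookup with `rpm -qf` on the path and treat a file rpm does not own as affected until proven otherwise.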

Comment 8 Daniel Veillard 2015-01-22 03:19:00 UTC
*** Bug 1184243 has been marked as a duplicate of this bug. ***

Comment 9 Daniel Veillard 2015-01-26 02:34:28 UTC
*** Bug 1185089 has been marked as a duplicate of this bug. ***

Comment 13 Jan Chaloupka 2015-01-26 14:25:46 UTC
*** Bug 1183215 has been marked as a duplicate of this bug. ***

Comment 14 Ján Tomko 2015-03-18 08:29:58 UTC
*** Bug 921493 has been marked as a duplicate of this bug. ***

Comment 16 Martin Kletzander 2015-03-26 08:14:39 UTC
I see the zlib package version is kept at 1.2.3 and everything works now.  Closing as NOTABUG as this was a pre-release issue.

