Commits on Jun 13, 2024

1. Check null stack to prevent heap-buffer-overflow …

   This patch adds a new macro STACK_NULL to check if given stack was initialized,
   in order to fix yaml#298, which is CVE-2024-35329.
   
   The root cause is stack(document->nodes) was used before initialized, so check stack
   before push.
   
   According to the poc in [1], building it with
   `gcc poc.c -o poc -lyaml -fsanitize=address`
   
   Before this patch, the output is:
   [root@test yaml-0.2.5]# ./poc
   heap-buffer-overflow on libyaml/src/api.c:1274:10
   
   =================================================================
   ==3867981==ERROR: LeakSanitizer: detected memory leaks
   
   Direct leak of 64 byte(s) in 1 object(s) allocated from:
       #0 0x7f571f6af1a7 in __interceptor_malloc (/usr/lib64/libasan.so.6+0xaf1a7)
       yaml#1 0x7f5720127ac9 in yaml_document_add_sequence /root/libxml/yaml-0.2.5/src/api.c:1271
   
   Direct leak of 22 byte(s) in 1 object(s) allocated from:
       #0 0x7f571f659707 in strdup (/usr/lib64/libasan.so.6+0x59707)
       yaml#1 0x7f5720127ab7 in yaml_document_add_sequence /root/libxml/yaml-0.2.5/src/api.c:1268
   
   Direct leak of 1 byte(s) in 1 object(s) allocated from:
       #0 0x7f571f6af1a7 in __interceptor_malloc (/usr/lib64/libasan.so.6+0xaf1a7)
       yaml#1 0x7f5720125762 in yaml_stack_extend /root/libxml/yaml-0.2.5/src/api.c:126
   
   SUMMARY: AddressSanitizer: 87 byte(s) leaked in 3 allocation(s).
   
   After this patch, there are no memory leaks warnnings.
   
   [1] https://drive.google.com/file/d/1xgQ9hJ7Sn5RVEsdMGvIy0s3b_bg3Wyk-/view?usp=sharing
   
   Signed-off-by: Zhao Mengmeng <[email protected]>

   Zhao Mengmeng committed Jun 13, 2024
   Configuration menu

   • View commit details
   • Copy full SHA for 1c2f6b7
   • Browse repository at this point

   Copy the full SHA

   1c2f6b7 View commit details

   Browse the repository at this point in the history