Comments on Security: Multi-browser heap address leak in XSLT
Blog author: Chris Evans (http://www.blogger.com/profile/01004765479735675808)
Comment feed last updated 2024-03-18T04:40:58-07:00; 8 comments, newest first.

Steffen (http://pideco.de), 2013-02-14T11:36:48-08:00:

I don't think that any holes are closed. This smells like the beginning of a big thing. Leave on it.

Anonymous, 2011-04-11T15:52:10-07:00:

I can't believe that they would bother to allocate additional memory to generate an ID, when keeping a single pointer which you increment each time it's called would have worked perfectly fine.

Jonas Sicking, 2011-04-06T09:41:06-07:00:

Yes, please let's chat about this over email. I think that is not a correct interpretation.

You can find my email in the bugzilla bug (https://bugzilla.mozilla.org/show_bug.cgi?id=640339).

Chris Evans (https://www.blogger.com/profile/01004765479735675808), 2011-03-16T16:41:39-07:00:

@Jonas: the second case is actually OK. The id prefix varies between "idp" and "idm" depending on whether the delta was positive or negative.

I'm less qualified to comment on the first case, but I believe the libxslt maintainer consulted the spec and noted that generate-id() only guarantees the id to be unique within the current document.

Perhaps something to be continued over e-mail? I can do intros.

Jonas Sicking, 2011-03-16T15:57:46-07:00:

Thanks for finding this!

Unfortunately it appears that the fix for libxslt contains a couple of bugs. The patch does indeed fix the leak of heap addresses, but in the process it breaks the functionality of the generate-id function.

The point of the generate-id function is that it's supposed to generate unique strings for each node. This string needs to remain unique for a given transformation.

However, the patch can generate the same id for two different nodes in two ways:

First off, the string it returns appears to be the difference between a node and its owner document. However, since multiple documents can be in an XSLT transformation, this can generate the same value for two different nodes with different owner documents.

Second, it appears that in an effort to avoid dealing with negative values, the code uses the absolute value of this difference, meaning that a node that is located 100 bytes after its owner document and a node that is located 100 bytes before its owner document will get the same generated id.

Would be lovely to see that fixed so as to avoid having transforms break more or less randomly in libxslt-based XSLT implementations.

/ Jonas

Anonymous, 2011-03-10T12:53:36-08:00:

How do you translate IDAW0MLB into a heap address in detail?

Anonymous (signed "pablo"), 2011-03-10T04:59:29-08:00:

re: Anonymous

This IS a security mistake and should be fixed. No object id should release information about its low-end C/C++ implementation, as this could be used to infer the memory layout at the moment of exploiting a vuln, or even plainly bypass ASLR if the address used is inside some loaded module, for example.

From a user perspective, there's always a layer of abstraction between the back-end implementation and the front-end language (JS/XSLT/VB/whatever).

pablo.

Anonymous, 2011-03-09T17:05:06-08:00:

I think the code is doing exactly what the programmers intended, so it's not technically a bug.