fuyu0425 opened a new issue, #639: URL: https://github.com/apache/logging-log4cxx/issues/639
Hello Apache Logging maintainers,

I am reporting a reproducible stack overflow in log4cxx's XML DOMConfigurator path while loading a crafted XML configuration. I reproduced it by replaying the attached testcase [8b184d9c50ad5ea1ae9a04f634dc2674.xml](https://github.com/user-attachments/files/27120382/8b184d9c50ad5ea1ae9a04f634dc2674.xml) against a locally built OSS-Fuzz ASAN target `DOMConfiguratorFuzzer-utf-8`. I am sending this through the public GitHub issue because, at this point, I have only established a verified crash in a locally built OSS-Fuzz ASAN target and have not separately validated release-build behavior or a broader security impact.

Tested scope
- Reproduced on a locally built OSS-Fuzz target for project `apache-logging-log4cxx`
- Source inspection used a separate upstream `master` checkout at commit `66bc258a68fa30724f4501f9a2f591941cb192d9`
- That source-inspection checkout's project version file reports `1.7.0.0`
- Released versions were not separately validated
- Harness provenance: upstream `logging-log4cxx` source file `src/fuzzers/cpp/DOMConfiguratorFuzzer.cpp`
- Fuzzer target name: `DOMConfiguratorFuzzer-utf-8`
- Platform: Linux x86_64, glibc 2.43

Observed result
- Process aborts with ASAN stack overflow
- Top of stack: `log4cxx::xml::DOMConfigurator::DOMConfiguratorPrivate::findAppenderByName`
- Source location: `src/main/cpp/domconfigurator.cpp:220:14`
- Replay exit status: `134` / `SIGABRT`

Likely trigger / root cause
- The testcase contains `<appender-ref ref="X"/>` with no matching appender definition.
- `findAppenderByReference()` falls back to `findAppenderByName(doc->root, appenderName)`.
- `findAppenderByName()` recursively walks `element->first_child` and `element->next`.
- A sufficiently deep chain of sibling elements causes stack exhaustion before the missing appender search terminates.

Current validated impact
- This crash is verified in the OSS-Fuzz ASAN target only.
- I have not separately validated behavior in non-ASAN or release builds.
- I have not validated exploitability beyond process crash / stack exhaustion.

Exact repro
1. Build or obtain the OSS-Fuzz ASAN target `DOMConfiguratorFuzzer-utf-8`.
2. Replay from a writable working directory. The fuzzer writes `conf.xml` in its current working directory, so replaying directly inside the default OSS-Fuzz output directory can produce a false negative if `conf.xml` there is not writable.
3. Run the attached `repro-command.sh`, or equivalent:

```bash
tmpdir="$(mktemp -d)"
cp 8b184d9c50ad5ea1ae9a04f634dc2674.xml "$tmpdir/input.xml"
(
  cd "$tmpdir"
  LLVM_SYMBOLIZER_PATH=/path/to/llvm-symbolizer \
  ASAN_OPTIONS='detect_leaks=0:alloc_dealloc_mismatch=0:symbolize=1:abort_on_error=1' \
  UBSAN_OPTIONS='print_stacktrace=1:symbolize=1:halt_on_error=1' \
  /path/to/DOMConfiguratorFuzzer-utf-8 "$tmpdir/input.xml"
)
```

Expected result
- ASAN reports `AddressSanitizer: stack-overflow`
- Stack trace repeats `DOMConfiguratorPrivate::findAppenderByName`
- The local replay I captured ends with:

```text
SUMMARY: AddressSanitizer: stack-overflow /src/logging-log4cxx/src/main/cpp/domconfigurator.cpp:220:14 in log4cxx::xml::DOMConfigurator::DOMConfiguratorPrivate::findAppenderByName(...)
==3432139==ABORTING
```
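The root-cause shape the report describes, as an added example that is not part of the issue or of log4cxx's own code: a hypothetical minimal element type with only the `first_child` and `next` links named above, the recursive search shape beside an explicit-work-list variant that visits the same tree in the same pre-order without growing the stack, and a constructed sibling chain with no matching appender (the unresolved `appender-ref` case that forces the whole walk).

```cpp
#include <memory>
#include <string>
#include <vector>

// Hypothetical minimal element type (not log4cxx's DOM): just the two links named in the report.
struct Elem {
    std::string tag;
    std::string nameAttr;  // value of the name="" attribute, if any
    Elem* first_child = nullptr;
    Elem* next = nullptr;
};

// Shape of the search described in the report: recursing on `next` costs one frame per sibling.
Elem* findAppenderByNameRecursive(Elem* e, const std::string& name) {
    if (!e) return nullptr;
    if (e->tag == "appender" && e->nameAttr == name) return e;
    if (Elem* hit = findAppenderByNameRecursive(e->first_child, name)) return hit;
    return findAppenderByNameRecursive(e->next, name);
}

// Hardened variant: an explicit work list keeps stack use constant, same pre-order as above.
Elem* findAppenderByNameIterative(Elem* root, const std::string& name) {
    std::vector<Elem*> work;
    if (root) work.push_back(root);
    while (!work.empty()) {
        Elem* e = work.back();
        work.pop_back();
        if (e->tag == "appender" && e->nameAttr == name) return e;
        if (e->next) work.push_back(e->next);                // visited after the subtree
        if (e->first_child) work.push_back(e->first_child);  // visited first
    }
    return nullptr;
}

// Constructed input: a root whose first child begins a chain of `count` non-appender siblings.
Elem* makeSiblingChain(std::vector<std::unique_ptr<Elem>>& pool, int count) {
    pool.push_back(std::make_unique<Elem>());
    Elem* root = pool.back().get();
    root->tag = "log4j:configuration";
    Elem* prev = nullptr;
    for (int i = 0; i < count; ++i) {
        pool.push_back(std::make_unique<Elem>());
        Elem* e = pool.back().get();
        e->tag = "filler";
        if (prev) prev->next = e; else root->first_child = e;
        prev = e;
    }
    return root;
}
```

On a chain of a few hundred thousand siblings the iterative search finishes with a work list that never holds more than two entries, which is the property a fix for the reported crash needs to preserve.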
