"Program Hanged (Timeout 10 Seconds)" Found Using go-fuzz in gomarkdown/markdown #311

Closed
Brinmon opened this issue Jul 29, 2024 · 2 comments

Brinmon commented Jul 29, 2024

Description:
I performed fuzz testing using the provided fuzz.go file and a downloaded corpus, which resulted in a crash. Specifically, the program hangs and does not exit normally. Below are the detailed steps and reproduction information.

Steps to Reproduce:

  1. Clone the Corpus:
   root@8d09d0785da6:~# git clone https://github.com/PMunch/markdown-corpus.git
   Cloning into 'markdown-corpus'...
   remote: Enumerating objects: 490, done.
   remote: Counting objects: 100% (490/490), done.
   remote: Compressing objects: 100% (434/434), done.
   remote: Total 490 (delta 55), reused 490 (delta 55), pack-reused 0
   Receiving objects: 100% (490/490), 5.28 MiB | 5.73 MiB/s, done.
   Resolving deltas: 100% (55/55), done.
  2. Run the Fuzzer:
    root@8d09d0785da6:~/markdown# go-fuzz -bin=./markdown-fuzz.zip -workdir=fuzz-workdir/corpus/
    2024/07/29 06:34:31 workers: 8, corpus: 505 (0s ago), crashers: 0, restarts: 1/0, execs: 0 (0/sec), cover: 0, uptime: 3s
    2024/07/29 06:34:34 workers: 8, corpus: 523 (2s ago), crashers: 0, restarts: 1/0, execs: 0 (0/sec), cover: 1683, uptime: 6s
    2024/07/29 06:34:37 workers: 8, corpus: 523 (5s ago), crashers: 0, restarts: 1/5823, execs: 75703 (8409/sec), cover: 1683, uptime: 9s
    2024/07/29 06:34:40 workers: 8, corpus: 523 (8s ago), crashers: 0, restarts: 1/5489, execs: 137240 (11435/sec), cover: 1683, uptime: 12s
    2024/07/29 06:34:43 workers: 8, corpus: 523 (11s ago), crashers: 0, restarts: 1/6552, execs: 183468 (12229/sec), cover: 1683, uptime: 15s
    2024/07/29 06:34:46 workers: 8, corpus: 523 (14s ago), crashers: 0, restarts: 1/7095, execs: 219953 (12218/sec), cover: 1683, uptime: 18s
    2024/07/29 06:34:49 workers: 8, corpus: 523 (17s ago), crashers: 1, restarts: 1/7339, execs: 256887 (12231/sec), cover: 1683, uptime: 21s
    2024/07/29 06:34:52 workers: 8, corpus: 523 (20s ago), crashers: 1, restarts: 1/7523, execs: 293412 (12224/sec), cover: 1683, uptime: 24s
    2024/07/29 06:34:55 workers: 8, corpus: 523 (23s ago), crashers: 1, restarts: 1/7300, execs: 350441 (12978/sec), cover: 1683, uptime: 27s
    ^C2024/07/29 06:34:58 shutting down...
  3. View the Crash Stack Information:
    root@8d09d0785da6:~/markdown# cat ./fuzz-workdir/corpus/crashers/b2ad88c038704e4469f95743a1ac16d59fc67499.output
    program hanged (timeout 10 seconds)
    
    SIGABRT: abort
    PC=0x4c4ed7 m=0 sigcode=0
    
    goroutine 1 [running]:
    github.com/gomarkdown/markdown/ast.GetLastChild(0x5928a0, 0xc000256c60, 0x5928a0, 0xc000256c60)
            /root/markdown/ast/node.go:468 +0x37 fp=0xc0004a98f8 sp=0xc0004a98c8 pc=0x4c4ed7
    github.com/gomarkdown/markdown/parser.endsWithBlankLine(0x592840, 0xc000255360, 0x300)
            /root/markdown/parser/block.go:1320 +0x69 fp=0xc0004a9928 sp=0xc0004a98f8 pc=0x503219
    github.com/gomarkdown/markdown/parser.finalizeList.func3(...)
            /root/markdown/parser/block.go:1344
    github.com/gomarkdown/markdown/parser.finalizeList(0xc0002e6000)
            /root/markdown/parser/block.go:1344 +0x28b fp=0xc0004a99b8 sp=0xc0004a9928 pc=0x50355b
    github.com/gomarkdown/markdown/parser.(*Parser).list(0xc000247600, 0xc000016c00, 0x1a, 0x1a, 0x36, 0x0, 0x2e, 0x0)
            /root/markdown/parser/block.go:1293 +0x2a7 fp=0xc0004a9a28 sp=0xc0004a99b8 pc=0x502e87
    github.com/gomarkdown/markdown/parser.(*Parser).paragraph(0xc000247600, 0xc000016c00, 0x1a, 0x1a, 0x0)
            /root/markdown/parser/block.go:1654 +0x153a fp=0xc0004a9b10 sp=0xc0004a9a28 pc=0x506d5a
    github.com/gomarkdown/markdown/parser.(*Parser).Block(0xc000247600, 0xc000016c00, 0x1a, 0x1a)
            /root/markdown/parser/block.go:378 +0xd3d fp=0xc0004a9ca0 sp=0xc0004a9b10 pc=0x4f98ed
    github.com/gomarkdown/markdown/parser.(*Parser).Parse(0xc000247600, 0x7f2327fc0000, 0x1a, 0x1a, 0x446498, 0x13115e98c6e2)
            /root/markdown/parser/parser.go:300 +0xa4 fp=0xc0004a9e00 sp=0xc0004a9ca0 pc=0x51b3c4
    github.com/gomarkdown/markdown.Parse(0x7f2327fc0000, 0x1a, 0x1a, 0x0, 0xc23939b, 0x13115e98c6e2)
            /root/markdown/markdown.go:53 +0x9a fp=0xc0004a9e40 sp=0xc0004a9e00 pc=0x52225a
    github.com/gomarkdown/markdown.Fuzz(0x7f2327fc0000, 0x1a, 0x1a, 0x3)
            /root/markdown/fuzz.go:8 +0x60 fp=0xc0004a9e80 sp=0xc0004a9e40 pc=0x5221a0
    go-fuzz-dep.Main(0xc0004a9f48, 0x1, 0x1)
            go-fuzz-dep/main.go:36 +0x1ad fp=0xc0004a9f30 sp=0xc0004a9e80 pc=0x46b7ed
    main.main()
            github.com/gomarkdown/markdown/go.fuzz.main/main.go:15 +0x52 fp=0xc0004a9f60 sp=0xc0004a9f30 pc=0x522322
    runtime.main()
            runtime/proc.go:203 +0x21e fp=0xc0004a9fe0 sp=0xc0004a9f60 pc=0x42c37e
    runtime.goexit()
            runtime/asm_amd64.s:1357 +0x1 fp=0xc0004a9fe8 sp=0xc0004a9fe0 pc=0x4547e1
  4. Write Go Code to Reproduce the Hang:
   package main

   import (
       "log"

       "github.com/gomarkdown/markdown"
   )

   func main() {
       // Crasher input reported by go-fuzz: raw bytes, not valid UTF-8
       str := "~~~~\xb4~\x94~\x94~\xd1\r\r:\xb4\x94\x94~\x9f~\xb4~\x94~\x94\x94"

       // Convert the string to the byte slice markdown.Parse expects
       data := []byte(str)
       log.Println("Starting markdown parsing with manual input...")
       markdown.Parse(data, nil)
       log.Println("Parsing completed successfully.")
   }
  5. Run the Go Code and Observe the Hang:
   root@8d09d0785da6:~/markdown/Test1# go run manual_fuzz.go
   2024/07/29 06:50:21 Starting markdown parsing with manual input...
   ^Csignal: interrupt

Issue Details: After manually adding the corpus and running manual_fuzz.go, a hang was successfully obtained. The crash information indicates it occurs in the ast.GetLastChild function. The program hangs and does not exit normally, requiring manual interruption.

Steps to Reproduce:

  1. Clone and download the corpus.
  2. Run the corpus using go-fuzz and capture the crash.
  3. Write a manual feed function and attempt to reproduce the crash.
  4. Observe the program hang.

Environment:

  • System: Docker fuzzers/go-fuzz:1.2.0
  • Tools: go-fuzz, gomarkdown/markdown

Expected Solution: I am not proficient in Golang and do not know how to fix this issue. I hope the data I provided will be helpful for the project.
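The reproducer above only shows the hang by leaving `go run` stuck until it is interrupted. When replaying a crasher directory against a patched build, a practitioner wants the same verdict go-fuzz gives ("program hanged" after its 10-second budget) from an ordinary Go program, with a shorter deadline and a distinction between a hang and a panic. The harness below is an added example; it is not the project's `fuzz.go`, the reporter's code, or the fix in a2a9c4f. The names `Parser`, `Verdict`, `RunWithDeadline`, `Triage` and `hangingParse` are this example's own, and `hangingParse` is a constructed stand-in that simply never returns on the crasher bytes so the block runs offline; it does not model why the real parser loops. To run it against the real library, replace the stand-in with a wrapper such as `func(d []byte) { markdown.Parse(d, nil) }` (assumed usage, matching the reproducer's call).

```go
package main

import (
	"fmt"
	"time"
)

// crasher is the input from the go-fuzz crasher reported above, copied from
// the issue's reproducer. It is raw bytes, not valid UTF-8.
var crasher = []byte("~~~~\xb4~\x94~\x94~\xd1\r\r:\xb4\x94\x94~\x9f~\xb4~\x94~\x94\x94")

// Parser is any function that consumes a Markdown document. The real library
// would be wrapped as func(d []byte) { markdown.Parse(d, nil) } (assumed).
type Parser func(data []byte)

// Verdict is the outcome of running one input through the parser.
type Verdict int

const (
	OK       Verdict = iota // parse returned normally
	Panicked                // parse panicked; the panic was recovered
	Hung                    // parse did not return before the deadline
)

func (v Verdict) String() string {
	switch v {
	case OK:
		return "ok"
	case Panicked:
		return "panicked"
	case Hung:
		return "hung"
	}
	return fmt.Sprintf("Verdict(%d)", int(v))
}

// RunWithDeadline runs parse on data in its own goroutine and classifies the
// outcome. A goroutine that never returns cannot be stopped from outside, so
// a Hung verdict should fail the test and let the process exit; this is the
// same judgement go-fuzz makes after 10 seconds, with a shorter budget.
func RunWithDeadline(parse Parser, data []byte, deadline time.Duration) Verdict {
	result := make(chan Verdict, 1) // buffered so a late finisher never blocks
	go func() {
		defer func() {
			if r := recover(); r != nil {
				result <- Panicked
			}
		}()
		parse(data)
		result <- OK
	}()
	timer := time.NewTimer(deadline)
	defer timer.Stop()
	select {
	case v := <-result:
		return v
	case <-timer.C:
		return Hung
	}
}

// Triage replays every input and returns the index and verdict of each one
// that did not come back OK, so a crasher directory can serve as a regression
// test against a patched build.
func Triage(parse Parser, inputs [][]byte, deadline time.Duration) map[int]Verdict {
	bad := map[int]Verdict{}
	for i, in := range inputs {
		if v := RunWithDeadline(parse, in, deadline); v != OK {
			bad[i] = v
		}
	}
	return bad
}

// hangingParse is a constructed stand-in for the unpatched parser: it never
// returns on the crasher input and returns at once on anything else. It is
// not gomarkdown code and does not model why the real parser loops.
func hangingParse(data []byte) {
	if string(data) == string(crasher) {
		select {} // block forever, as the real parser effectively did
	}
}

func main() {
	// Constructed sample corpus: two benign documents and the crasher.
	inputs := [][]byte{[]byte("# fine\n"), crasher, []byte("- item\n\n- item\n")}
	for i, v := range Triage(hangingParse, inputs, 500*time.Millisecond) {
		fmt.Printf("input %d: %s\n", i, v)
	}
}
```

The deadline is deliberately short because a real parser finishes a 26-byte document in microseconds; anything that does not return in half a second on such input is a hang, not slowness. Because a hung goroutine keeps running after the verdict, the harness is meant for a test process that exits once it has reported, not for a long-lived service.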

@kjk kjk closed this as completed in a2a9c4f Jul 29, 2024

kjk commented Jul 29, 2024

Thanks for a great bug report! Should be fixed now.


cebarks commented Oct 16, 2024

This issue is being tracked by CVE-2024-44337.
