Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

"Program Hanged (Timeout 10 Seconds)" Found Using go-fuzz in gomarkdown/markdown #311

Closed
Brinmon opened this issue Jul 29, 2024 · 2 comments
Closed

"Program Hanged (Timeout 10 Seconds)" Found Using go-fuzz in gomarkdown/markdown #311

Brinmon opened this issue Jul 29, 2024 · 2 comments

Comments

@Brinmon
Copy link

Brinmon commented Jul 29, 2024

Description:
I performed fuzz testing using the provided fuzz.go file and a downloaded corpus, which resulted in a crash. Specifically, the program hangs and does not exit normally. Below are the detailed steps and reproduction information.

Steps to Reproduce:

  1. Clone the Corpus:
   root@8d09d0785da6:~# git clone https://github.com/PMunch/markdown-corpus.git
   Cloning into 'markdown-corpus'...
   remote: Enumerating objects: 490, done.
   remote: Counting objects: 100% (490/490), done.
   remote: Compressing objects: 100% (434/434), done.
   remote: Total 490 (delta 55), reused 490 (delta 55), pack-reused 0
   Receiving objects: 100% (490/490), 5.28 MiB | 5.73 MiB/s, done.
   Resolving deltas: 100% (55/55), done.
  1. Run the Fuzzer:
    root@8d09d0785da6:~/markdown# go-fuzz -bin=./markdown-fuzz.zip -workdir=fuzz-workdir/corpus/
    2024/07/29 06:34:31 workers: 8, corpus: 505 (0s ago), crashers: 0, restarts: 1/0, execs: 0 (0/sec), cover: 0, uptime: 3s
    2024/07/29 06:34:34 workers: 8, corpus: 523 (2s ago), crashers: 0, restarts: 1/0, execs: 0 (0/sec), cover: 1683, uptime: 6s
    2024/07/29 06:34:37 workers: 8, corpus: 523 (5s ago), crashers: 0, restarts: 1/5823, execs: 75703 (8409/sec), cover: 1683, uptime: 9s
    2024/07/29 06:34:40 workers: 8, corpus: 523 (8s ago), crashers: 0, restarts: 1/5489, execs: 137240 (11435/sec), cover: 1683, uptime: 12s
    2024/07/29 06:34:43 workers: 8, corpus: 523 (11s ago), crashers: 0, restarts: 1/6552, execs: 183468 (12229/sec), cover: 1683, uptime: 15s
    2024/07/29 06:34:46 workers: 8, corpus: 523 (14s ago), crashers: 0, restarts: 1/7095, execs: 219953 (12218/sec), cover: 1683, uptime: 18s
    2024/07/29 06:34:49 workers: 8, corpus: 523 (17s ago), crashers: 1, restarts: 1/7339, execs: 256887 (12231/sec), cover: 1683, uptime: 21s
    2024/07/29 06:34:52 workers: 8, corpus: 523 (20s ago), crashers: 1, restarts: 1/7523, execs: 293412 (12224/sec), cover: 1683, uptime: 24s
    2024/07/29 06:34:55 workers: 8, corpus: 523 (23s ago), crashers: 1, restarts: 1/7300, execs: 350441 (12978/sec), cover: 1683, uptime: 27s
    ^C2024/07/29 06:34:58 shutting down...
  1. View the Crash Stack Information:
    root@8d09d0785da6:~/markdown# cat ./fuzz-workdir/corpus/crashers/b2ad88c038704e4469f95743a1ac16d59fc67499.output
    program hanged (timeout 10 seconds)
    
    SIGABRT: abort
    PC=0x4c4ed7 m=0 sigcode=0
    
    goroutine 1 [running]:
    github.com/gomarkdown/markdown/ast.GetLastChild(0x5928a0, 0xc000256c60, 0x5928a0, 0xc000256c60)
            /root/markdown/ast/node.go:468 +0x37 fp=0xc0004a98f8 sp=0xc0004a98c8 pc=0x4c4ed7
    github.com/gomarkdown/markdown/parser.endsWithBlankLine(0x592840, 0xc000255360, 0x300)
            /root/markdown/parser/block.go:1320 +0x69 fp=0xc0004a9928 sp=0xc0004a98f8 pc=0x503219
    github.com/gomarkdown/markdown/parser.finalizeList.func3(...)
            /root/markdown/parser/block.go:1344
    github.com/gomarkdown/markdown/parser.finalizeList(0xc0002e6000)
            /root/markdown/parser/block.go:1344 +0x28b fp=0xc0004a99b8 sp=0xc0004a9928 pc=0x50355b
    github.com/gomarkdown/markdown/parser.(*Parser).list(0xc000247600, 0xc000016c00, 0x1a, 0x1a, 0x36, 0x0, 0x2e, 0x0)
            /root/markdown/parser/block.go:1293 +0x2a7 fp=0xc0004a9a28 sp=0xc0004a99b8 pc=0x502e87
    github.com/gomarkdown/markdown/parser.(*Parser).paragraph(0xc000247600, 0xc000016c00, 0x1a, 0x1a, 0x0)
            /root/markdown/parser/block.go:1654 +0x153a fp=0xc0004a9b10 sp=0xc0004a9a28 pc=0x506d5a
    github.com/gomarkdown/markdown/parser.(*Parser).Block(0xc000247600, 0xc000016c00, 0x1a, 0x1a)
            /root/markdown/parser/block.go:378 +0xd3d fp=0xc0004a9ca0 sp=0xc0004a9b10 pc=0x4f98ed
    github.com/gomarkdown/markdown/parser.(*Parser).Parse(0xc000247600, 0x7f2327fc0000, 0x1a, 0x1a, 0x446498, 0x13115e98c6e2)
            /root/markdown/parser/parser.go:300 +0xa4 fp=0xc0004a9e00 sp=0xc0004a9ca0 pc=0x51b3c4
    github.com/gomarkdown/markdown.Parse(0x7f2327fc0000, 0x1a, 0x1a, 0x0, 0xc23939b, 0x13115e98c6e2)
            /root/markdown/markdown.go:53 +0x9a fp=0xc0004a9e40 sp=0xc0004a9e00 pc=0x52225a
    github.com/gomarkdown/markdown.Fuzz(0x7f2327fc0000, 0x1a, 0x1a, 0x3)
            /root/markdown/fuzz.go:8 +0x60 fp=0xc0004a9e80 sp=0xc0004a9e40 pc=0x5221a0
    go-fuzz-dep.Main(0xc0004a9f48, 0x1, 0x1)
            go-fuzz-dep/main.go:36 +0x1ad fp=0xc0004a9f30 sp=0xc0004a9e80 pc=0x46b7ed
    main.main()
            github.com/gomarkdown/markdown/go.fuzz.main/main.go:15 +0x52 fp=0xc0004a9f60 sp=0xc0004a9f30 pc=0x522322
    runtime.main()
            runtime/proc.go:203 +0x21e fp=0xc0004a9fe0 sp=0xc0004a9f60 pc=0x42c37e
    runtime.goexit()
            runtime/asm_amd64.s:1357 +0x

1 fp=0xc0004a9fe8 sp=0xc0004a9fe0 pc=0x4547e1
  1. Write Go Code to Reproduce the Hang:
   package main

   import (
       "log"
       "github.com/gomarkdown/markdown"
   )

   func main() {
       // Request string variable
       str := "~~~~\xb4~\x94~\x94~\xd1\r\r:\xb4\x94\x94~\x9f~\xb4~\x94~\x94\x94"

       // Convert string to byte slice
       data := []byte(str)
       log.Println("Starting markdown parsing with manual input...")
       markdown.Parse(data, nil)
       log.Println("Parsing completed successfully.")
   }
  1. Run the Go Code and Observe the Hang:
   root@8d09d0785da6:~/markdown/Test1# go run manual_fuzz.go
   2024/07/29 06:50:21 Starting markdown parsing with manual input...
   ^Csignal: interrupt

Issue Details: After manually adding the corpus and running manual_fuzz.go, a hang was successfully obtained. The crash information indicates it occurs in the ast.GetLastChild function. The program hangs and does not exit normally, requiring manual interruption.

Steps to Reproduce:

  1. Clone and download the corpus.
  2. Run the corpus using go-fuzz and capture the crash.
  3. Write a manual feed function and attempt to reproduce the crash.
  4. Observe the program hang.

Environment:

  • System: Docker fuzzers/go-fuzz:1.2.0
  • Tools: go-fuzz, gomarkdown/markdown

Expected Solution: I am not proficient in Golang and do not know how to fix this issue. I hope the data I provided will be helpful for the project.
@kjk kjk closed this as completed in a2a9c4f Jul 29, 2024
@kjk
Copy link
Contributor

kjk commented Jul 29, 2024

Thanks for a great bug report! Should be fixed now.

@kjk kjk mentioned this issue Jul 29, 2024
Closed
@cebarks
Copy link

cebarks commented Oct 16, 2024

This issue is being tracked by CVE-2024-44337.

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@kjk @cebarks @Brinmon