Closed
Description:
I performed fuzz testing using the provided fuzz.go file and a downloaded corpus, which resulted in a crash. Specifically, the program hangs and does not exit normally. Below are the detailed steps and reproduction information.
Steps to Reproduce:
- Clone the Corpus:

```
root@8d09d0785da6:~# git clone https://github.com/PMunch/markdown-corpus.git
Cloning into 'markdown-corpus'...
remote: Enumerating objects: 490, done.
remote: Counting objects: 100% (490/490), done.
remote: Compressing objects: 100% (434/434), done.
remote: Total 490 (delta 55), reused 490 (delta 55), pack-reused 0
Receiving objects: 100% (490/490), 5.28 MiB | 5.73 MiB/s, done.
Resolving deltas: 100% (55/55), done.
```

- Run the Fuzzer:

```
root@8d09d0785da6:~/markdown# go-fuzz -bin=./markdown-fuzz.zip -workdir=fuzz-workdir/corpus/
2024/07/29 06:34:31 workers: 8, corpus: 505 (0s ago), crashers: 0, restarts: 1/0, execs: 0 (0/sec), cover: 0, uptime: 3s
2024/07/29 06:34:34 workers: 8, corpus: 523 (2s ago), crashers: 0, restarts: 1/0, execs: 0 (0/sec), cover: 1683, uptime: 6s
2024/07/29 06:34:37 workers: 8, corpus: 523 (5s ago), crashers: 0, restarts: 1/5823, execs: 75703 (8409/sec), cover: 1683, uptime: 9s
2024/07/29 06:34:40 workers: 8, corpus: 523 (8s ago), crashers: 0, restarts: 1/5489, execs: 137240 (11435/sec), cover: 1683, uptime: 12s
2024/07/29 06:34:43 workers: 8, corpus: 523 (11s ago), crashers: 0, restarts: 1/6552, execs: 183468 (12229/sec), cover: 1683, uptime: 15s
2024/07/29 06:34:46 workers: 8, corpus: 523 (14s ago), crashers: 0, restarts: 1/7095, execs: 219953 (12218/sec), cover: 1683, uptime: 18s
2024/07/29 06:34:49 workers: 8, corpus: 523 (17s ago), crashers: 1, restarts: 1/7339, execs: 256887 (12231/sec), cover: 1683, uptime: 21s
2024/07/29 06:34:52 workers: 8, corpus: 523 (20s ago), crashers: 1, restarts: 1/7523, execs: 293412 (12224/sec), cover: 1683, uptime: 24s
2024/07/29 06:34:55 workers: 8, corpus: 523 (23s ago), crashers: 1, restarts: 1/7300, execs: 350441 (12978/sec), cover: 1683, uptime: 27s
^C2024/07/29 06:34:58 shutting down...
```

- View the Crash Stack Information:
```
root@8d09d0785da6:~/markdown# cat ./fuzz-workdir/corpus/crashers/b2ad88c038704e4469f95743a1ac16d59fc67499.output
program hanged (timeout 10 seconds)
SIGABRT: abort
PC=0x4c4ed7 m=0 sigcode=0
goroutine 1 [running]:
github.com/gomarkdown/markdown/ast.GetLastChild(0x5928a0, 0xc000256c60, 0x5928a0, 0xc000256c60)
	/root/markdown/ast/node.go:468 +0x37 fp=0xc0004a98f8 sp=0xc0004a98c8 pc=0x4c4ed7
github.com/gomarkdown/markdown/parser.endsWithBlankLine(0x592840, 0xc000255360, 0x300)
	/root/markdown/parser/block.go:1320 +0x69 fp=0xc0004a9928 sp=0xc0004a98f8 pc=0x503219
github.com/gomarkdown/markdown/parser.finalizeList.func3(...)
	/root/markdown/parser/block.go:1344
github.com/gomarkdown/markdown/parser.finalizeList(0xc0002e6000)
	/root/markdown/parser/block.go:1344 +0x28b fp=0xc0004a99b8 sp=0xc0004a9928 pc=0x50355b
github.com/gomarkdown/markdown/parser.(*Parser).list(0xc000247600, 0xc000016c00, 0x1a, 0x1a, 0x36, 0x0, 0x2e, 0x0)
	/root/markdown/parser/block.go:1293 +0x2a7 fp=0xc0004a9a28 sp=0xc0004a99b8 pc=0x502e87
github.com/gomarkdown/markdown/parser.(*Parser).paragraph(0xc000247600, 0xc000016c00, 0x1a, 0x1a, 0x0)
	/root/markdown/parser/block.go:1654 +0x153a fp=0xc0004a9b10 sp=0xc0004a9a28 pc=0x506d5a
github.com/gomarkdown/markdown/parser.(*Parser).Block(0xc000247600, 0xc000016c00, 0x1a, 0x1a)
	/root/markdown/parser/block.go:378 +0xd3d fp=0xc0004a9ca0 sp=0xc0004a9b10 pc=0x4f98ed
github.com/gomarkdown/markdown/parser.(*Parser).Parse(0xc000247600, 0x7f2327fc0000, 0x1a, 0x1a, 0x446498, 0x13115e98c6e2)
	/root/markdown/parser/parser.go:300 +0xa4 fp=0xc0004a9e00 sp=0xc0004a9ca0 pc=0x51b3c4
github.com/gomarkdown/markdown.Parse(0x7f2327fc0000, 0x1a, 0x1a, 0x0, 0xc23939b, 0x13115e98c6e2)
	/root/markdown/markdown.go:53 +0x9a fp=0xc0004a9e40 sp=0xc0004a9e00 pc=0x52225a
github.com/gomarkdown/markdown.Fuzz(0x7f2327fc0000, 0x1a, 0x1a, 0x3)
	/root/markdown/fuzz.go:8 +0x60 fp=0xc0004a9e80 sp=0xc0004a9e40 pc=0x5221a0
go-fuzz-dep.Main(0xc0004a9f48, 0x1, 0x1)
	go-fuzz-dep/main.go:36 +0x1ad fp=0xc0004a9f30 sp=0xc0004a9e80 pc=0x46b7ed
main.main()
	github.com/gomarkdown/markdown/go.fuzz.main/main.go:15 +0x52 fp=0xc0004a9f60 sp=0xc0004a9f30 pc=0x522322
runtime.main()
	runtime/proc.go:203 +0x21e fp=0xc0004a9fe0 sp=0xc0004a9f60 pc=0x42c37e
runtime.goexit()
	runtime/asm_amd64.s:1357 +0x1 fp=0xc0004a9fe8 sp=0xc0004a9fe0 pc=0x4547e1
```

- Write Go Code to Reproduce the Hang:
```go
package main

import (
	"log"

	"github.com/gomarkdown/markdown"
)

func main() {
	// Crasher input found by go-fuzz, reproduced here byte for byte
	// (the string contains raw, non-UTF-8 bytes on purpose).
	str := "~~~~\xb4~\x94~\x94~\xd1\r\r:\xb4\x94\x94~\x9f~\xb4~\x94~\x94\x94"
	// Convert the string to the byte slice the parser expects.
	data := []byte(str)
	log.Println("Starting markdown parsing with manual input...")
	// With the affected version this call never returns.
	markdown.Parse(data, nil)
	log.Println("Parsing completed successfully.")
}
```

- Run the Go Code and Observe the Hang:
```
root@8d09d0785da6:~/markdown/Test1# go run manual_fuzz.go
2024/07/29 06:50:21 Starting markdown parsing with manual input...
^Csignal: interrupt
```

Issue Details: After manually adding the corpus and running manual_fuzz.go, a hang was successfully obtained. The crash information indicates it occurs in the ast.GetLastChild function. The program hangs and does not exit normally, requiring manual interruption.
Steps to Reproduce:
- Clone and download the corpus.
- Run the corpus using go-fuzz and capture the crash.
- Write a manual feed function and attempt to reproduce the crash.
- Observe the program hang.
Environment:
- System: Docker fuzzers/go-fuzz:1.2.0
- Tools: go-fuzz, gomarkdown/markdown
Expected Solution: I am not proficient in Golang and do not know how to fix this issue. I hope the data I provided will be helpful for the project.
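As an added example (not code from this issue or from gomarkdown), the Go harness below bounds how long a parser may spend on one input, so a hang like the one reported surfaces as a test failure or a logged error instead of a stuck process. The parser used here, stuckParser, is a hypothetical stand-in that mimics the reported behaviour; ErrParseTimeout and ParseWithTimeout are names chosen for this example.

```go
package main
import (
	"errors"
	"fmt"
	"time"
)

// ErrParseTimeout is returned when the wrapped parser does not finish within its budget.
var ErrParseTimeout = errors.New("parser exceeded time budget (possible hang)")

// HangInput is the crasher from the issue, byte for byte.
var HangInput = []byte("~~~~\xb4~\x94~\x94~\xd1\r\r:\xb4\x94\x94~\x9f~\xb4~\x94~\x94\x94")

// ParseWithTimeout runs parse(data) in its own goroutine and gives up after budget.
// A goroutine cannot be killed from outside, so on timeout the stuck goroutine keeps
// spinning; the caller is unblocked and told about the hang. A panic is reported too.
func ParseWithTimeout(parse func([]byte), data []byte, budget time.Duration) error {
	done := make(chan error, 1) // buffered: a late finisher must never block
	go func() {
		defer func() {
			if r := recover(); r != nil {
				done <- fmt.Errorf("parser panicked: %v", r)
			}
		}()
		parse(data)
		done <- nil
	}()
	select {
	case err := <-done:
		return err
	case <-time.After(budget):
		return ErrParseTimeout
	}
}

// stuckParser is a hypothetical stand-in for the real parser: it never returns on the
// reported input. Against the library, pass func(b []byte) { markdown.Parse(b, nil) }.
func stuckParser(data []byte) {
	if string(data) == string(HangInput) {
		for {
			time.Sleep(time.Millisecond)
		}
	}
}

func main() {
	budget := 200 * time.Millisecond
	fmt.Println("hang input:", ParseWithTimeout(stuckParser, HangInput, budget))
	fmt.Println("benign input:", ParseWithTimeout(stuckParser, []byte("# ok"), budget))
}
```

Because the leaked goroutine keeps consuming CPU after the timeout, the wrapper is a detection aid for tests and for logging in services, not a substitute for fixing the parser.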