Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/net/html: ParseFragment out of memory on specially crafted input #70179

Open
personnumber3377 opened this issue Nov 4, 2024 · 3 comments
Open
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone

Comments

@personnumber3377
Copy link

Go version

go1.23.1 linux/amd64

Output of go env in your module/workspace:

GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/oof/.cache/go-build'
GOENV='/home/oof/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/oof/.asdf/installs/golang/1.23.1/packages/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/oof/.asdf/installs/golang/1.23.1/packages'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/home/oof/.asdf/installs/golang/1.23.1/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/home/oof/.asdf/installs/golang/1.23.1/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.23.1'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/home/oof/.config/go/telemetry'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD=''
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1768793625=/tmp/go-build -gno-record-gcc-switches'

What did you do?

Hi!

I originally reported this as a security issue, but this wasn't categorized as such, so I am just going to paste the original report here:


Summary: Out-Of-Memory (OOM) in net/html in golang

Program: Google VRP

URL: https://github.com/golang/net/

Vulnerability type: Denial of Service (DoS)

Details
An attacker can cause Out-Of-Memory by passing a maliciously crafted input to html.ParseFragment. The input is this string: "<svg><head><title><select><input>" which makes the program consume all of the systems available memory.

Here is an example program which demonstrates this vulnerability:


package main

import (
	"golang.org/x/net/html"
	"strings"
)

func main() {
	html.ParseFragment(strings.NewReader("<svg><head><title><select><input>"), nil)
}


My golang version is go version go1.23.1 linux/amd64 and I am using the v0.30.0 version of the net library.

This vulnerability does not occur in html.Parse, only in html.ParseFragment which I found a bit odd.

Attack scenario
An attacker can use this vulnerability to cause degradation in performance and Denial-Of-Service if said attacker can deliver malicious input to html.ParseFragment . The effects of this vulnerability are basically the same as any other OOM bug. I uploaded all the files which I played around with as files.zip.

What did you see happen?

This causes an out-of-memory condition when parsing a specially crafted input.

What did you expect to see?

The program should parse the input or fail with an error, not consume all of the systems memory.

@gopherbot gopherbot added this to the Unreleased milestone Nov 4, 2024
@gabyhelp
Copy link

gabyhelp commented Nov 4, 2024

@seankhliao seankhliao changed the title x/net: Out-Of-Memory when parsing "<svg><head><title><select><input>" with html.ParseFragment x/net/html: ParseFragment out of memory on specially crafted input Nov 4, 2024
@odeke-em
Copy link
Member

odeke-em commented Nov 4, 2024

Thank you @personnumber3377 for reporting this bug. Given that this is a security bug, I shall route it to @rolandshoemaker and @golang/security. Thanks for the vector, interestingly I was fuzzing x/net/html.Parse given similar inputs found by @tr3ee in a whole range of issues for Parse.

@dr2chase dr2chase added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Nov 6, 2024
@guidovranken
Copy link

html.Parse is also affected (presumably the same issue but I haven't checked):

package main

import (
    "golang.org/x/net/html"
    "strings"
)

func main() {
    html.Parse(strings.NewReader("<table><tbody><svg><td><desc><select></select></tbody>"))
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Development

No branches or pull requests

6 participants