Skip to content

x/net/html: ParseFragment out of memory on specially crafted input #70179

New issue
New issue
Closed
Closed
x/net/html: ParseFragment out of memory on specially crafted input#70179
Labels
NeedsFixThe path to resolution is known, but the work has not been done.Security
Milestone
Unreleased
@personnumber3377

Description

@personnumber3377
personnumber3377
opened on Nov 4, 2024

Go version

go1.23.1 linux/amd64

Output of go env in your module/workspace:

GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/oof/.cache/go-build'
GOENV='/home/oof/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/oof/.asdf/installs/golang/1.23.1/packages/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/oof/.asdf/installs/golang/1.23.1/packages'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/home/oof/.asdf/installs/golang/1.23.1/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/home/oof/.asdf/installs/golang/1.23.1/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.23.1'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/home/oof/.config/go/telemetry'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD=''
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1768793625=/tmp/go-build -gno-record-gcc-switches'

What did you do?

Hi!

I originally reported this as a security issue, but this wasn't categorized as such, so I am just going to paste the original report here:


Summary: Out-Of-Memory (OOM) in net/html in golang

Program: Google VRP

URL: https://github.com/golang/net/

Vulnerability type: Denial of Service (DoS)

Details
An attacker can cause Out-Of-Memory by passing a maliciously crafted input to html.ParseFragment. The input is this string: "<svg><head><title><select><input>" which makes the program consume all of the systems available memory.

Here is an example program which demonstrates this vulnerability:


package main

import (
	"golang.org/x/net/html"
	"strings"
)

func main() {
	html.ParseFragment(strings.NewReader("<svg><head><title><select><input>"), nil)
}


My golang version is go version go1.23.1 linux/amd64 and I am using the v0.30.0 version of the net library.

This vulnerability does not occur in html.Parse, only in html.ParseFragment which I found a bit odd.

Attack scenario
An attacker can use this vulnerability to cause degradation in performance and Denial-Of-Service if said attacker can deliver malicious input to html.ParseFragment . The effects of this vulnerability are basically the same as any other OOM bug. I uploaded all the files which I played around with as files.zip.

What did you see happen?

This causes an out-of-memory condition when parsing a specially crafted input.

What did you expect to see?

The program should parse the input or fail with an error, not consume all of the systems memory.

Metadata

Metadata

Assignees

No one assigned

    Labels

    NeedsFixThe path to resolution is known, but the work has not been done.Security

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions