Open
Labels: NeedsInvestigation (Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.)
Go version
go1.23.1 linux/amd64
Output of go env
in your module/workspace:
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/oof/.cache/go-build'
GOENV='/home/oof/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/oof/.asdf/installs/golang/1.23.1/packages/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/oof/.asdf/installs/golang/1.23.1/packages'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/home/oof/.asdf/installs/golang/1.23.1/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/home/oof/.asdf/installs/golang/1.23.1/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.23.1'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/home/oof/.config/go/telemetry'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD=''
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1768793625=/tmp/go-build -gno-record-gcc-switches'
What did you do?
Hi!
I originally reported this as a security issue, but this wasn't categorized as such, so I am just going to paste the original report here:
Summary: Out-Of-Memory (OOM) in net/html in golang
Program: Google VRP
URL: https://github.com/golang/net/
Vulnerability type: Denial of Service (DoS)
Details
An attacker can cause Out-Of-Memory by passing a maliciously crafted input to html.ParseFragment. The input is this string: "<svg><head><title><select><input>" which makes the program consume all of the system's available memory.
Here is an example program which demonstrates this vulnerability:
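```go
package main

import (
	"golang.org/x/net/html"
	"strings"
)

func main() {
	// Parse the crafted input as a fragment with a nil context element;
	// the returned nodes and error are ignored.
	html.ParseFragment(strings.NewReader("<svg><head><title><select><input>"), nil)
}
```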
My golang version is go version go1.23.1 linux/amd64 and I am using the v0.30.0 version of the net library.
This vulnerability does not occur in html.Parse, only in html.ParseFragment which I found a bit odd.
Attack scenario
An attacker can use this vulnerability to cause degradation in performance and Denial-Of-Service if said attacker can deliver malicious input to html.ParseFragment. The effects of this vulnerability are basically the same as any other OOM bug. I uploaded all the files which I played around with as files.zip.
What did you see happen?
This causes an out-of-memory condition when parsing a specially crafted input.
What did you expect to see?
The program should parse the input or fail with an error, not consume all of the system's memory.
gabyhelp commented on Nov 4, 2024
Related Issues and Documentation
(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)
Title changed from "x/net: Out-Of-Memory when parsing "<svg><head><title><select><input>" with html.ParseFragment" to "x/net/html: ParseFragment out of memory on specially crafted input"
odeke-em commented on Nov 4, 2024
Thank you @personnumber3377 for reporting this bug. Given that this is a security bug, I shall route it to @rolandshoemaker and @golang/security. Thanks for the vector, interestingly I was fuzzing x/net/html.Parse given similar inputs found by @tr3ee in a whole range of issues for Parse.
guidovranken commented on Nov 18, 2024
html.Parse is also affected (presumably the same issue but I haven't checked):
logrusorgru commented on Feb 1, 2025
Local testing
go.mod:
go.sum:
This
Ends quickly without a problem.
But this
Leads to infinity processing. No memory eating at a 1 minute distance found.