
Fuzzing Test Result. #957

@adoxalim

Description


During a fuzzing test I received this result. At the time of exploitation I saw unusually high RAM usage; even my 32 GB cloud machine went down in a few seconds. Normally during fuzzing it creates an instance of the trigger, but this time it only shows me this result. I would be happy to understand the background of the issue. I also have another bug that causes a timeout, and I have a reproducer for it too, but I cannot add it to this page because of its character encoding.

Unusual fuzzing result:

<--- Last few GCs --->

[12992:0x6b7b8f0]     7736 ms: Mark-Compact 3544.3 (4144.0) -> 3544.1 (4143.8) MB, 91.00 / 0.00 ms  (average mu = 0.139, current mu = 0.010) allocation failure; GC in old space requested
[12992:0x6b7b8f0]     7826 ms: Mark-Compact 3544.4 (4144.1) -> 3544.3 (4144.0) MB, 88.78 / 0.00 ms  (average mu = 0.080, current mu = 0.011) allocation failure; GC in old space requested


<--- JS stacktrace --->

FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory
 1: 0xc9adf0 node::Abort() [node]
 2: 0xb700f7  [node]
 3: 0xec0530 v8::Utils::ReportOOMFailure(v8::internal::Isolate*, char const*, v8::OOMDetails const&) [node]
 4: 0xec0817 v8::internal::V8::FatalProcessOutOfMemory(v8::internal::Isolate*, char const*, v8::OOMDetails const&) [node]
 5: 0x10d1ea5  [node]
 6: 0x10d2434 v8::internal::Heap::RecomputeLimits(v8::internal::GarbageCollector) [node]
 7: 0x10e9324 v8::internal::Heap::PerformGarbageCollection(v8::internal::GarbageCollector, v8::internal::GarbageCollectionReason, char const*) [node]
 8: 0x10e9b3c v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace, v8::internal::GarbageCollectionReason, v8::GCCallbackFlags) [node]
 9: 0x10bfe41 v8::internal::HeapAllocator::AllocateRawWithLightRetrySlowPath(int, v8::internal::AllocationType, v8::internal::AllocationOrigin, v8::internal::AllocationAlignment) [node]
10: 0x10c0fd5 v8::internal::HeapAllocator::AllocateRawWithRetryOrFailSlowPath(int, v8::internal::AllocationType, v8::internal::AllocationOrigin, v8::internal::AllocationAlignment) [node]
11: 0x109d616 v8::internal::Factory::AllocateRaw(int, v8::internal::AllocationType, v8::internal::AllocationAlignment) [node]
12: 0x108f114 v8::internal::FactoryBase<v8::internal::Factory>::AllocateRawWithImmortalMap(int, v8::internal::AllocationType, v8::internal::Map, v8::internal::AllocationAlignment) [node]
13: 0x1091415 v8::internal::FactoryBase<v8::internal::Factory>::AllocateRawOneByteInternalizedString(int, unsigned int) [node]
14: 0x10a1715 v8::internal::Factory::NewInternalizedStringImpl(v8::internal::Handle<v8::internal::String>, int, unsigned int) [node]
15: 0x13d9c64 v8::internal::Handle<v8::internal::String> v8::internal::StringTable::LookupKey<v8::internal::InternalizedStringKey, v8::internal::Isolate>(v8::internal::Isolate*, v8::internal::InternalizedStringKey*) [node]
16: 0x13d9e2f v8::internal::StringTable::LookupString(v8::internal::Isolate*, v8::internal::Handle<v8::internal::String>) [node]
17: 0x1502eab v8::internal::Runtime::SetObjectProperty(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, v8::internal::StoreOrigin, v8::Maybe<v8::internal::ShouldThrow>) [node]
18: 0x150453b v8::internal::Runtime_SetKeyedProperty(int, unsigned long*, v8::internal::Isolate*) [node]
19: 0x7f865e699ef6 
Aborted (core dumped)

Here is my fuzzing harness:

const MarkdownIt = require('markdown-it');

function fuzz(data) {
    try {
        const input = data.toString('utf-8');

        // Using commonmark mode
        const mdCommonMark = new MarkdownIt('commonmark');
        mdCommonMark.render(input);

        // Using default mode
        const mdDefault = new MarkdownIt();
        mdDefault.render(input);

        // Enabling everything
        const mdEverythingEnabled = new MarkdownIt({
            html: true,
            linkify: true,
            typographer: true
        });
        mdEverythingEnabled.render(input);

        // Using full options list with defaults
        const mdFullOptions = new MarkdownIt({
            html: false,
            xhtmlOut: false,
            breaks: false,
            langPrefix: 'language-',
            linkify: false,
            typographer: false,
            quotes: '“”‘’',
            highlight: function (/*str, lang*/) { return ''; }
        });
        mdFullOptions.render(input);
    } catch (e) {
        // If you encounter a specific error you want to ignore, handle it here.
        // Otherwise, re-throw the error so the fuzzer can catch it.
        throw e;
    }
}

// Export the fuzz function for JazzerJS or any other fuzzer you're using
module.exports = { fuzz };

I wrote it for jsfuzz, but I will integrate it with jazzerjs, which is fully integrated with OSS.
