Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

text/template: slice bounds out of range in Parse #52527

Open
catenacyber opened this issue Apr 24, 2022 · 8 comments
Open

text/template: slice bounds out of range in Parse #52527

catenacyber opened this issue Apr 24, 2022 · 8 comments
Labels
NeedsInvestigation
Milestone

Comments

@catenacyber
Copy link
Contributor

@catenacyber catenacyber commented Apr 24, 2022

What version of Go are you using (go version)?

$ go version
go version go1.17.6 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/catena/Library/Caches/go-build"
GOENV="/Users/catena/Library/Application Support/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/catena/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/catena/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/darwin_amd64"
GOVCS=""
GOVERSION="go1.17.6"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/catena/go/src/github.com/catenacyber/go/src/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/pp/dc1dtf9x2js3v0jx_m010nqr0000gn/T/go-build4237848497=/tmp/go-build -gno-record-gcc-switches -fno-common"
GOROOT/bin/go version: go version go1.17.6 darwin/amd64
GOROOT/bin/go tool compile -V: compile version go1.17.6
uname -v: Darwin Kernel Version 21.3.0: Wed Jan  5 21:37:58 PST 2022; root:xnu-8019.80.24~20/RELEASE_X86_64
ProductName:	macOS
ProductVersion:	12.2.1
BuildVersion:	21D62
lldb --version: lldb-1316.0.9.41
Apple Swift version 5.6 (swiftlang-5.6.0.323.62 clang-1316.0.20.8)
gdb --version: GNU gdb (GDB) 9.1

What did you do?

Run https://go.dev/play/p/59OUlem1oNe?v=gotip

What did you expect to see?

The program finishing and printing somme dummy data

What did you see instead?

panic: runtime error: slice bounds out of range [:5] with length 3

goroutine 6 [running]:
text/template/parse.(*lexer).emit(...)
	/usr/local/go-faketime/src/text/template/parse/lex.go:163
text/template/parse.lexRightDelim(0xc000104000)
	/usr/local/go-faketime/src/text/template/parse/lex.go:354 +0x29a
text/template/parse.(*lexer).run(0xc000104000)
	/usr/local/go-faketime/src/text/template/parse/lex.go:236 +0x2a
created by text/template/parse.lex
	/usr/local/go-faketime/src/text/template/parse/lex.go:229 +0x1ca

Program exited.

Found by https://github.com/catenacyber/ngolo-fuzzing on oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46746

@cagedmantis cagedmantis added the NeedsInvestigation label Apr 27, 2022
@cagedmantis cagedmantis added this to the Backlog milestone Apr 27, 2022
@cagedmantis
Copy link
Contributor

@cagedmantis cagedmantis commented Apr 27, 2022

/cc @robpike @mvdan

@robpike
Copy link
Contributor

@robpike robpike commented Apr 27, 2022

See also #52191. The lexer is due for a rewrite.

@ianlancetaylor
Copy link
Contributor

@ianlancetaylor ianlancetaylor commented Jun 6, 2022

Don't use whitespace in delimiters.

I guess we could add a check for that, but it's hard to see why anybody would write it. I assume this was found by a fuzzer.

@catenacyber
Copy link
Contributor Author

@catenacyber catenacyber commented Jun 6, 2022

I guess we could add a check for that, but it's hard to see why anybody would write it. I assume this was found by a fuzzer.

This was indeed found by ngolo-fuzzing.
So, should a check be added for this whitespace ?

@ianlancetaylor
Copy link
Contributor

@ianlancetaylor ianlancetaylor commented Jun 7, 2022

I'm inclined to think that it's not worth adding a check to the text/template package, but I don't feel strongly about it. I think it's extremely unlikely that anybody would write code that permits the user to specify the delimiters for a text/template. If that is true, then this crash can only occur for code that deliberately itself sets the delimiters to include whitespace, and for that odd behavior I think the current panic is fine. Happy to hear other opinions.

@mvdan
Copy link
Member

@mvdan mvdan commented Jun 7, 2022

I'm inclined to think that we should add a check - causing a panic given some inputs which aren't documented as invalid feels like something to avoid, and the fuzzer is probably right to complain about it. But Ian is probably right that this feels like a rare possibility in practice, so I don't think we need to rush out a fix.

@robpike
Copy link
Contributor

@robpike robpike commented Jun 8, 2022

I propose to deal with this while addressing #53261

@catenacyber
Copy link
Contributor Author

@catenacyber catenacyber commented Jun 8, 2022

My 2 cents : the fuzzer does not alert on a panic with a string.

This way, developers can explicitly mention an unexpected behavior, and users can get a better error message ("do not use white space" looks more explicit to me than "slice bounds out of range")

And no need to rush

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
NeedsInvestigation
Projects
None yet
Development

No branches or pull requests

5 participants