
Fuzzing Test Result. #957

Closed
adoxalim opened this issue Sep 15, 2023 · 0 comments

Comments

@adoxalim

During a fuzzing test I received this result. At exploitation time I saw unusually high RAM usage; even my 32 GB cloud machine went down in a few seconds. Normally during fuzzing it creates an instance of the trigger, but this time it only shows me this result. I will be happy to understand the background of the issue. I also have another bug that causes a timeout, and I have a reproducer for it too, but I cannot add it to this page because of its character encoding.

Unusual fuzzing result:

<--- Last few GCs --->

[12992:0x6b7b8f0]     7736 ms: Mark-Compact 3544.3 (4144.0) -> 3544.1 (4143.8) MB, 91.00 / 0.00 ms  (average mu = 0.139, current mu = 0.010) allocation failure; GC in old space requested
[12992:0x6b7b8f0]     7826 ms: Mark-Compact 3544.4 (4144.1) -> 3544.3 (4144.0) MB, 88.78 / 0.00 ms  (average mu = 0.080, current mu = 0.011) allocation failure; GC in old space requested


<--- JS stacktrace --->

FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory
 1: 0xc9adf0 node::Abort() [node]
 2: 0xb700f7  [node]
 3: 0xec0530 v8::Utils::ReportOOMFailure(v8::internal::Isolate*, char const*, v8::OOMDetails const&) [node]
 4: 0xec0817 v8::internal::V8::FatalProcessOutOfMemory(v8::internal::Isolate*, char const*, v8::OOMDetails const&) [node]
 5: 0x10d1ea5  [node]
 6: 0x10d2434 v8::internal::Heap::RecomputeLimits(v8::internal::GarbageCollector) [node]
 7: 0x10e9324 v8::internal::Heap::PerformGarbageCollection(v8::internal::GarbageCollector, v8::internal::GarbageCollectionReason, char const*) [node]
 8: 0x10e9b3c v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace, v8::internal::GarbageCollectionReason, v8::GCCallbackFlags) [node]
 9: 0x10bfe41 v8::internal::HeapAllocator::AllocateRawWithLightRetrySlowPath(int, v8::internal::AllocationType, v8::internal::AllocationOrigin, v8::internal::AllocationAlignment) [node]
10: 0x10c0fd5 v8::internal::HeapAllocator::AllocateRawWithRetryOrFailSlowPath(int, v8::internal::AllocationType, v8::internal::AllocationOrigin, v8::internal::AllocationAlignment) [node]
11: 0x109d616 v8::internal::Factory::AllocateRaw(int, v8::internal::AllocationType, v8::internal::AllocationAlignment) [node]
12: 0x108f114 v8::internal::FactoryBase<v8::internal::Factory>::AllocateRawWithImmortalMap(int, v8::internal::AllocationType, v8::internal::Map, v8::internal::AllocationAlignment) [node]
13: 0x1091415 v8::internal::FactoryBase<v8::internal::Factory>::AllocateRawOneByteInternalizedString(int, unsigned int) [node]
14: 0x10a1715 v8::internal::Factory::NewInternalizedStringImpl(v8::internal::Handle<v8::internal::String>, int, unsigned int) [node]
15: 0x13d9c64 v8::internal::Handle<v8::internal::String> v8::internal::StringTable::LookupKey<v8::internal::InternalizedStringKey, v8::internal::Isolate>(v8::internal::Isolate*, v8::internal::InternalizedStringKey*) [node]
16: 0x13d9e2f v8::internal::StringTable::LookupString(v8::internal::Isolate*, v8::internal::Handle<v8::internal::String>) [node]
17: 0x1502eab v8::internal::Runtime::SetObjectProperty(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, v8::internal::StoreOrigin, v8::Maybe<v8::internal::ShouldThrow>) [node]
18: 0x150453b v8::internal::Runtime_SetKeyedProperty(int, unsigned long*, v8::internal::Isolate*) [node]
19: 0x7f865e699ef6 
Aborted (core dumped)

Here is my fuzzing harness:

const MarkdownIt = require('markdown-it');

function fuzz(data) {
    try {
        const input = data.toString('utf-8');

        // Using commonmark mode
        const mdCommonMark = new MarkdownIt('commonmark');
        mdCommonMark.render(input);

        // Using default mode
        const mdDefault = new MarkdownIt();
        mdDefault.render(input);

        // Enabling everything
        const mdEverythingEnabled = new MarkdownIt({
            html: true,
            linkify: true,
            typographer: true
        });
        mdEverythingEnabled.render(input);

        // Using full options list with defaults
        const mdFullOptions = new MarkdownIt({
            html: false,
            xhtmlOut: false,
            breaks: false,
            langPrefix: 'language-',
            linkify: false,
            typographer: false,
            quotes: '“”‘’',
            highlight: function (/*str, lang*/) { return ''; }
        });
        mdFullOptions.render(input);
    } catch (e) {
        // If you encounter a specific error you want to ignore, handle it here.
        // Otherwise, re-throw the error so the fuzzer can catch it.
        throw e;
    }
}

// Export the fuzz function for JazzerJS or any other fuzzer you're using
module.exports = { fuzz };

I wrote it for jsfuzz, but I will integrate it into jazzerjs, which is fully integrated with OSS
