Continuously fuzzing tidy-html5 with OSS-Fuzz

[stefanbucur]

OSS-Fuzz is free fuzzing infrastructure for automatically identifying security vulnerabilities and stability bugs in open source projects.

We believe tidy-html5 is an important part of the open source ecosystem (all integrated projects can be found here), and as such we have recently integrated a few fuzz targets that we developed for tidy-html5 into OSS-Fuzz. Once integrated, OSS-Fuzz will continuously fuzz this project, alert when it finds bugs, and verify the fixes.

Would any of the contributors be interested in becoming a contact person for receiving any bug reports?

Since some of these bugs may be security vulnerabilities, we have a disclosure policy where bugs are first reported to the maintainers before being publicly released after a certain deadline (see the link for the complete details).

Ideally, these fuzz targets should also reside in the main project repository, so they are updated together with API changes. Let me know if you're also interested in integrating these targets in this repository (since this is additional work on top of your volunteer time to open-source, we are also offering integration rewards, more details here).

Thank you!

[stefanbucur]

I just wanted to add that we're starting seeing a number of crashes from fuzzing tidy-html5, and it would be very helpful if someone could take a look at them.

[geoffmcl]

@stefanbucur thank you for the comments, and information...

I am NOT interested in setting up automated or continuous fuzzing, in this repo, so in general, simply no thanks!

But I am very interested in any tidy crashes found. Where do I look? links?

Any that are valid, repeatable bugs should be added to these issues, together with a minimal sample html, setup, and configuration used... thanks...

It goes without saying, code fixes, patches or PR's are always welcome...

[stefanbucur]

I have just CC-ed your GitHub e-mail address on some of the most important issues (for example, here). Some of the crashes are potentially security vulnerabilities, so by default they are not publicly visible, to reduce the chance of them being exploited while we give maintainers a chance to take a look first.

Regarding how to report these bugs, I can try filing the existing bugs as issues here on GitHub too (but these will be publicly visible). Let me know if you'd like me to do this for all crashes. I can also try producing some fixes, but unfortunately I'm not familiar with the implementation so I might not be able to fix too many things.

[geoffmcl]

@stefanbucur thanks for the comment... and the CC-ed emails... which I have started to look at... will continue that...

Regarding using the sanitizer please note we already have open #791 - the fix for this is only presently in the issue-791 for testing, prior to merging to next... appreciate any testing on this... thanks...

Also see like #588, #622, which got solved, and closed... there are probably like issues open/closed... still checking... any pointers would help...

Before we get to ... producing some fixes, ..., we need to be able to reproduce the bug!

I built an issue-791 tidy 5.7.18.sani, and downloaded/*85920, copied the test to cases/testcase-12111.html, but get no Sanitizer errors... what am I doing wrong?

Of course, running tidy on that almost random set of bytes yields some 9067 warnings and 149 errors... but no problem...

So the most important thing here is to produce a repeatable test... where debuggers can help isolate the precise problem... etc... can do nothing without a test...

Any help really appreciated... thanks...

[geoffmcl]

@stefanbucur went through the emails.. seems there are 3 issues - please confirm?

from: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12111
 Issue 12111: tidy-html5/tidy_fuzzer: Heap-buffer-overflow in prvTidyEncodeCharToUTF8Bytes
 Reproducer Testcase: https://oss-fuzz.com/download?testcase_id=5639351547985920

from: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12074
 Issue 12074: tidy-html5/tidy_fuzzer: Use-of-uninitialized-value in prvTidyIsHighSurrogate
 Reproducer Testcase: https://oss-fuzz.com/download?testcase_id=5697834188275712

from: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12309
 Issue 12309: tidy-html5/tidy_fuzzer: Crash in GetSurrogatePair
 Reproducer Testcase: https://oss-fuzz.com/download?testcase_id=5123069669015552

This is my 3 downloads... copied to respective cases...

-rw-rw-r--  1 geoff geoff     15794 Jan 15 15:26  clusterfuzz-testcase-minimized-tidy_fuzzer-5639351547985920 cases/testcase-12111.html
-rw-rw-r--  1 geoff geoff      4264 Jan 16 02:29  clusterfuzz-testcase-minimized-tidy_fuzzer-5123069669015552 cases/testcase-12309.html
-rw-rw-r--  1 geoff geoff         9 Jan 16 02:45  clusterfuzz-testcase-minimized-tidy_fuzzer-5697834188275712 cases/testcase-12074.html

To do a bit of testing... quick and dirty... but should do it...

#!/bin/sh
#< test-cases.sh
BN=`basename $0`

TMPTIDY="./tidy"
TMPCASES="12111 12309 12074"
TMPCFG="--force-output yes"
# show tidy version
$TMPTIDY -v
if [ ! "$?" = "0" ]; then
    echo "$BN: Unable to run '$TMPTIDY' - FIX ME "
    exit 1
fi

for arg in $TMPCASES; do
    #echo "$BN: $arg"
    TMPHTML="cases/testcase-$arg.html"
    TMPOUT="cases/tempout-$arg.html"
    TMPERR="cases/temperr-$arg.txt"
    echo "$BN: '$TMPTIDY $TMPCFG -o $TMPOUT -f $TMPERR $TMPHTML'"
    $TMPTIDY $TMPCFG -o $TMPOUT -f $TMPERR $TMPHTML
done

# eof

Is there any specific tidy config being used? Didn't see any, but... need to be sure...

Certainly need help to reproduce the sanitizer errors... thanks...

[stefanbucur]

Thanks a lot @geoffmcl for looking into these issues! You are right that the test cases in the bug reports don't seem to reproduce directly with the 'tidy' tool, so I spent some time to understand what's going on. I believe the source of differences is that our fuzzer uses a special driver that relies on in-memory buffers to parse the input HTML file. This differs from what the 'tidy' tool does, which reads the data directly from a file. Perhaps reading from a file would mask any memory issues that the sanitizer would catch?

In any case, here is how one can reproduce the crashes using the fuzzer driver:

$ git clone git@github.com:google/oss-fuzz.git && cd oss-fuzz/
$ python infra/helper.py build_image tidy-html5
$ python infra/helper.py build_fuzzers --sanitizer=address tidy-html5

# You should now be able to reproduce the crash.
$ build/out/tidy-html5/tidy_fuzzer ~/Downloads/clusterfuzz-testcase-minimized-tidy_fuzzer-5639351547985920

That being said, it is good to know that the tidy tool itself is not directly vulnerable, but users of the tidy API may be exposed.

[geoffmcl]

Oops, there seems a 4th...

from: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12411
 Issue 12411: tidy-html5/tidy_fuzzer: Use-of-uninitialized-value in PPrintText
 Reproducer Testcase: https://oss-fuzz.com/download?testcase_id=5705060225384448
 copy to: cases/testcase-12411

@stefanbucur thanks for the information... ok, you run the tests, using your own module... interesting... and exports int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size), and use a TidyBuffer ... all great...

Just reading the source, a little suspect of the attach_string_to_buffer service... can see it uses strlen, in tidyBufAttach(buffer, (byte*)data_string, strlen(data_string) + 1);, which would fail with binary data, which is what is in the inputs I downloaded... but need to look at that...

Will try certainly the steps you outlined soonest... looks easy as pie... a python builder, looks interesting for Windows build, but... every fix begins by repeating the bug... somehow... but that will probably be tomorrow now...

Agree 100%, libTidy should not fail, even on binary data input...

Be back soonest...

[geoffmcl]

file: tidy-sanitize-04.txt

@stefanbucur when it is interesting code/coding, I can come back to my computers after dinner... to play a little more...

No particular problem following your setup, except some steps required sudo, ... but all seemed to download/build fine...

And running tidy_fuzzer on a previous download did indeed produce a sanitizer error - but what error?

-rwxr-xr-x 1 root root 16275248 Jan 16 23:35 tidy_fuzzer
~/projects/oss-fuzz$ build/out/tidy-html5/tidy_fuzzer ~/downloads/clusterfuzz-testcase-minimized-tidy_fuzzer-5639351547985920
INFO: Seed: 4061903721
INFO: Loaded 1 modules   (9150 inline 8-bit counters): 9150 [0xac1028, 0xac33e6), 
INFO: Loaded 1 PC tables (9150 PCs): 9150 [0x7cbbc0,0x7ef7a0), 
build/out/tidy-html5/tidy_fuzzer: Running 1 inputs 1 time(s) each.
Running: /home/geoff/downloads/clusterfuzz-testcase-minimized-tidy_fuzzer-5639351547985920
=================================================================
==5645==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000002100 at pc 0x000000636d07 bp 0x7ffff791de90 sp 0x7ffff791de88
WRITE of size 1 at 0x625000002100 thread T0
    #0 0x636d06  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x636d06)
    #1 0x637197  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x637197)
    #2 0x617684  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x617684)
    #3 0x6174b6  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x6174b6)
    #4 0x61bae0  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x61bae0)
    #5 0x61ba75  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x61ba75)
    #6 0x61ba75  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x61ba75)
    #7 0x61ba75  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x61ba75)
    #8 0x5c1332  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x5c1332)
    #9 0x5bd7ed  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x5bd7ed)
    #10 0x5344eb  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x5344eb)
    #11 0x5346ca  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x5346ca)
    #12 0x55f205  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x55f205)
    #13 0x535206  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x535206)
    #14 0x540ac6  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x540ac6)
    #15 0x53487c  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x53487c)
    #16 0x7fc3a57a3b96  (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #17 0x41d288  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x41d288)

0x625000002100 is located 0 bytes to the right of 8192-byte region [0x625000000100,0x625000002100)
allocated by thread T0 here:
    #0 0x4ef32f  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x4ef32f)
    #1 0x62f638  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x62f638)
    #2 0x5f6061  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x5f6061)
    #3 0x5f5d91  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x5f5d91)
    #4 0x5fbae8  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x5fbae8)
    #5 0x5e8dd5  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x5e8dd5)
    #6 0x5be8ab  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x5be8ab)
    #7 0x5bce50  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x5bce50)
    #8 0x534493  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x534493)
    #9 0x5346ca  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x5346ca)
    #10 0x55f205  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x55f205)
    #11 0x535206  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x535206)
    #12 0x540ac6  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x540ac6)
    #13 0x53487c  (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x53487c)
    #14 0x7fc3a57a3b96  (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/geoff/projects/oss-fuzz/build/out/tidy-html5/tidy_fuzzer+0x636d06) 
Shadow bytes around the buggy address:
  0x0c4a7fff83d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff83e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff83f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a7fff8420:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==5645==ABORTING
~/projects/oss-fuzz$ 

Wow, that looks interesting... but what am I to make of this?

In say, a current next memory leak case, I get a very clear report -

==6782==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 298 byte(s) in 18 object(s) allocated from:
    #0 0x7fce12b49b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x562f006631f3 in stringWithFormat (/home/geoff/projects/html_tidy/tidy-html5/build/temp-sanit/tidy+0x991f3)
    #2 0x562f00663bbf in localize_option_names (/home/geoff/projects/html_tidy/tidy-html5/build/temp-sanit/tidy+0x99bbf)
    #3 0x562f0066a6cf in xml_help (/home/geoff/projects/html_tidy/tidy-html5/build/temp-sanit/tidy+0xa06cf)
    #4 0x562f0066b99d in main (/home/geoff/projects/html_tidy/tidy-html5/build/temp-sanit/tidy+0xa199d)
    #5 0x7fce1269bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: 298 byte(s) leaked in 18 allocation(s).

You filed this issue as Issue 12111: tidy-html5/tidy_fuzzer: Heap-buffer-overflow in prvTidyEncodeCharToUTF8Bytes... Where/how did you get that information? ...

It seems a good lead... getting closer... I hope...

[stefanbucur]

@geoffmcl thanks for pointing out this issue! It does look like running the fuzzer binary directly prevents ASAN from resolving symbols and showing them in stack traces. I did a bit of research and realized that there is a better way to debug the issue:

1. In the projects/tidy-html5/build.sh file, could you add in the beginning flags that cause the build to include debug symbols:

   export CFLAGS="${CFLAGS} -g"
   export CXXFLAGS="${CXXFLAGS} -g"

2. You can then rebuild the fuzzer and run it inside a debug container, using the infra/helper.py scripts:

   $ python infra/helper.py build_image tidy-html5
   $ python infra/helper.py build_fuzzers --sanitizer=address tidy-html5 --clean
   # Copy the crashing test case in the debug environment.
   $ cp ~/Downloads/clusterfuzz-testcase-minimized-tidy_fuzzer-5639351547985920 build/out/tidy-html5/
   
   # Run the debug container.
   $ python infra/helper.py shell base-runner-debug
   
   # Once inside the container, you can reproduce the crash with full debug information.
   $ gdb --args /out/tidy-html5/tidy_fuzzer /out/tidy-html5/clusterfuzz-testcase-minimized-tidy_fuzzer-5639351547985920
   

I hope this setup will be more effective at pointing out how the execution leads to the crash.

[geoffmcl]

@stefanbucur thank you for the additional clues, help...

I think what you propose for build.sh is very valid, even workable, but why not use the native cmake... like -

diff --git a/projects/tidy-html5/build.sh b/projects/tidy-html5/build.sh
index 840e9a50..522713de 100644
--- a/projects/tidy-html5/build.sh
+++ b/projects/tidy-html5/build.sh
@@ -18,8 +18,9 @@
 
 mkdir -p ${WORK}/tidy-html5
 cd ${WORK}/tidy-html5
+CMAKE_FLAGS="-DCMAKE_C_FLAGS=-fsanitize=address -DTIDY_RC_NUMBER=SN01 -DCMAKE_BUILD_TYPE=Debug"
 
-cmake -GNinja ${SRC}/tidy-html5/
+cmake -GNinja ${SRC}/tidy-html5/ $CMAKE_FLAGS
 ninja
 
 for fuzzer in tidy_config_fuzzer tidy_fuzzer; do

Assuming that Ninja supports this/these... but I think it will...

It ensures the generated static libtidys.a which also has the sanitizer code, and the build type, debug, ensures -g is added to the mix...

Will try to test, try, this... soonest...

Including a tidy_fuzzer.c suggested code change... use of TidyBuffer, which has a length attribute...

diff --git a/projects/tidy-html5/tidy_fuzzer.c b/projects/tidy-html5/tidy_fuzzer.c
index 3cf2732d..23e1de39 100644
--- a/projects/tidy-html5/tidy_fuzzer.c
+++ b/projects/tidy-html5/tidy_fuzzer.c
@@ -38,6 +38,7 @@ void run_tidy_parser(TidyBuffer* data_buffer,
     tidyRelease(tdoc);
 }
 
+#if 0 /* 00000000000000000000000000000000000 */
 void attach_string_to_buffer(const uint8_t* data,
                              size_t size,
                              TidyBuffer* buffer) {
@@ -50,6 +51,7 @@ void attach_string_to_buffer(const uint8_t* data,
     }
     tidyBufAttach(buffer, (byte*)data_string, strlen(data_string) + 1);
 }
+#endif /* #if 0 - 00000000000000000000000000000000000 */
 
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     TidyBuffer data_buffer;
@@ -59,7 +61,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     tidyBufInit(&output_buffer);
     tidyBufInit(&error_buffer);
 
-    attach_string_to_buffer(data, size, &data_buffer);
+    /* attach_string_to_buffer(data, size, &data_buffer); can be binary data!!! ie has null's */
+    tidyBufAppend( &data_buffer, (void *)data, (uint)size ); /* move data into buffer */
+    
     run_tidy_parser(&data_buffer, &output_buffer, &error_buffer);
     
     tidyBufFree(&error_buffer);

Seems no reason to strndup the input, when a TidyBuffer offers that same safe, complete (8-bit-binary) length copy...

You could even append a "\0", if you think that would help... but input length is input length in tidy,,,

Still to test out the results...

Some initial trouble, that maybe sudo python infra/helper.py build_fuzzers --sanitizer=address tidy-html5 --clean might remove...

Thanks for the help, feedback... look forward to more... thanks...

[geoffmcl]

@stefanbucur - suggested changes push to my fork, test-tidy branch...

• Add cmake flags to build.sh - geoffmcl/oss-fuzz@3078d1c
• Suggested TidyBuffer change - geoffmcl/oss-fuzz@89f6dfc

But still some troubles in testing... any help appreciated... thanks...

[geoffmcl]

tidy-sanitize-05.txt

@stefanbucur some steps forward, but some failures...

Was unable to get the error output, to show the addresses... do not know why... need more help... but...

Using the 4 samples - 12111 12309 12074 12411 - only 1 and 4 showed an error, but it looks like the same error! a 1 byte overrun...

Using my fork amended tidy_fuzzer.c got no errors...

Just to hopefully prove the point, made another test fix of tidy_fuzzer.c - removing strndup and strlen -

diff --git a/projects/tidy-html5/tidy_fuzzer.c b/projects/tidy-html5/tidy_fuzzer.c
index 3cf2732d..5c582b4b 100644
--- a/projects/tidy-html5/tidy_fuzzer.c
+++ b/projects/tidy-html5/tidy_fuzzer.c
@@ -42,13 +42,16 @@ void attach_string_to_buffer(const uint8_t* data,
                              size_t size,
                              TidyBuffer* buffer) {
     // Use a NULL-terminated copy to make it more likely to expose
-    // buffer overflows.
-    char *data_string = strndup((const char*)data, size);
+    // buffer overflows. Where is this documented?
+    /* char *data_string = strndup((const char*)data, size); */
+    char *data_string = (char *)malloc( size + 1 ); /* allocate desired buffer + 1 */
     if (data_string == NULL) {
         perror("Could not allocate string buffer.");
         abort();
     }
-    tidyBufAttach(buffer, (byte*)data_string, strlen(data_string) + 1);
+    memcpy( data_string, data, size ); /* copy in the data */
+    data_string[size] = 0; /* ensure zero term., not really required, but no harm... */
+    tidyBufAttach(buffer, (byte*)data_string, size + 1); /* attach buffer */
 }
 
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
@@ -64,6 +67,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     
     tidyBufFree(&error_buffer);
     tidyBufFree(&output_buffer);
+    /* API NOTE: If user supplied the buffer, should call tidyBufDetach()
+       so caller must free... but if default malloc/free use, then no prob. with */
     tidyBufFree(&data_buffer);
     return 0;
 }

Note I respect your desire to add a null byte to the input stream... but do not think this adds anything...

And please see API NOTE: using tidyBufAttach should be paired with tidyBufDetach - that is the caller deals with allocating and freeing, if need be... but...

Prefer the direct data transfer to the TidyBuffer as suggested in the previous patch...

Starting to conclude there may be a bug in the fuzzer code... what do you think...

[stefanbucur]

@geoffmcl my apologies for the latency (I was away for a while). Thank you for the detailed investigation, let me take a closer look and will get back to you soon!