New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
debug/pe: panic when parsing UPX compressed pe file #33901
Comments
/cc @alexbrainman |
Instructions on how to reproduce this and a code snippet using debug/pe that triggers the panic would definitely speed-up the investigation, @BruceWang666 |
Yes. Please, provide instructions on how to reproduce this. Thank you. Alex |
I think in general the Write and compile simple Go hello world:
Compress it with the latest upx release:
The executable itself still works properly:
But trying to load it with debug/pe, like this:
will print this error:
While the same snippet works fine when loading an uncompressed executable. The error above comes from |
@alexbrainman I tested it, it's still failing on current tip, same error:
|
@ALTree I built https://go-review.googlesource.com/c/go/+/193819 to play with this issue. And the problem here is that PE file header points beyond the end of file. In the CL, I adjusted string table and symbol table reading code to ignore any EOF. This allows me to complete debug/pe.Open without any errors, and I can print debug/pe.File that debug/pe.Open returns.
According to https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#coff-string-table
So, it means that string table should start at 26916 = 15360 (PointerToSymbolTable) + 642 (NumberOfSymbols) * 18 (symbol table record size). But the file size is only 21237. I don't think we should use CL 193819 to allow for UPXed executables. These executables as far as I am concerned violate PE Format description (as I explained above). In fact objdump agrees with me:
The only problem I see here is that objdump can at least display sections of the file:
but debug/pe.Open fails, because it reads sections alright, but then it fails reading string table. But that is by design - debug/pe.Open does everything. I don't see way around it. I think the problem is that UPX does not adjust pointer to symbol table. I think both symbol and string tables are also compressed by UPX (I did not check that). So they are not accessible. UPX should set both PointerToSymbolTable and NumberOfSymbols to 0. So it does not confuse all tools that read the file. I don't think there is anything to do here. Let me know, if you disagree. Thank you. Alex |
I know nothing about PE : ) but if your analysis is correct and the executable generated by UPX are not strictly standard, I agree that the final verdict here could be "the debug/pe package does not support loading UPX-compressed executables". We could maybe add a note about this at the top of the package, but leaving this for you to decide. Closing here, since it appears that this is not a debug/pe bug. |
https://github.com/golang/go/blob/master/src/debug/pe/file.go
line 102 and line 108
f.StringTable, err = readStringTable(&f.FileHeader, sr)
f.COFFSymbols, err = readCOFFSymbols(&f.FileHeader, sr)
when PE file compressed by UPX, this line code will panic .
The text was updated successfully, but these errors were encountered: