Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

debug/pe: oom when reading section data of file generated by fuzzing #53189

Closed
catenacyber opened this issue Jun 1, 2022 · 4 comments
Closed

debug/pe: oom when reading section data of file generated by fuzzing #53189

catenacyber opened this issue Jun 1, 2022 · 4 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
Milestone
Go1.20

Comments

@catenacyber
Copy link
Contributor

What version of Go are you using (go version)?

$ go version
go version go1.17.6 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/catena/Library/Caches/go-build"
GOENV="/Users/catena/Library/Application Support/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/catena/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/catena/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/darwin_amd64"
GOVCS=""
GOVERSION="go1.17.6"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/catena/go/src/github.com/catenacyber/go/src/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/pp/dc1dtf9x2js3v0jx_m010nqr0000gn/T/go-build4237848497=/tmp/go-build -gno-record-gcc-switches -fno-common"
GOROOT/bin/go version: go version go1.17.6 darwin/amd64
GOROOT/bin/go tool compile -V: compile version go1.17.6
uname -v: Darwin Kernel Version 21.3.0: Wed Jan  5 21:37:58 PST 2022; root:xnu-8019.80.24~20/RELEASE_X86_64
ProductName:	macOS
ProductVersion:	12.2.1
BuildVersion:	21D62
lldb --version: lldb-1316.0.9.41
Apple Swift version 5.6 (swiftlang-5.6.0.323.62 clang-1316.0.20.8)
gdb --version: GNU gdb (GDB) 9.1

What did you do?

Run https://go.dev/play/p/OGp56YSJsP1

What did you expect to see?

The program finishing and printing somme Hello, without having allocated too much space

What did you see instead?

Nothing

Running heap profiling I see that 4 GByte was allocated from

debug/pe.(*Section).Data
/usr/local/go/src/debug/pe/section.go

  Total:         4GB        4GB (flat, cum) 99.90%
     95            .          .           	sr *io.SectionReader 
     96            .          .           } 
     97            .          .            
     98            .          .           // Data reads and returns the contents of the PE section s. 
     99            .          .           func (s *Section) Data() ([]byte, error) { 
    100          4GB        4GB           	dat := make([]byte, s.sr.Size()) 
    101            .          .           	n, err := s.sr.ReadAt(dat, 0) 
    102            .          .           	if n == len(dat) { 
    103            .          .           		err = nil 
    104            .          .           	} 
    105            .          .           	return dat[0:n], err

cf #52350

Found by https://github.com/catenacyber/ngolo-fuzzing on oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47754
@4ra1n
Copy link

4ra1n commented Jun 1, 2022

I have found the bug some weeks ago too, and report them to go security team.
Not only does oom exist in the 'debug/pe' package, but also in the 'debug/elf' and 'debug/macho' packages
But go security team no longer treat these packages (debug/*) as part of the security boundary for Go.

@catenacyber
Copy link
Contributor Author

Not only does oom exist in the 'debug/pe' package, but also in the 'debug/elf' and 'debug/macho' packages

Indeed cf #52522 and #52523

@dmitshur dmitshur added this to the Backlog milestone Jun 3, 2022
@dmitshur
Copy link
Contributor

dmitshur commented Jun 3, 2022

CC @alexbrainman.

@dmitshur dmitshur added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Jun 3, 2022
@gopherbot
Copy link

Change https://go.dev/cl/412014 mentions this issue: debug/pe, internal/saferio: use saferio to read PE section data

@dmitshur dmitshur added NeedsFix The path to resolution is known, but the work has not been done. and removed NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Aug 17, 2022
@dmitshur dmitshur modified the milestones: Backlog, Go1.20 Aug 17, 2022
@golang golang locked and limited conversation to collaborators Aug 17, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
Projects
None yet
Milestone
Go1.20
Development

No branches or pull requests
4 participants
@dmitshur @gopherbot @4ra1n @catenacyber