debug/buildinfo: slice bounds out of range #69066

Closed
catenacyber opened this issue Aug 25, 2024 · 4 comments
Labels
NeedsFix The path to resolution is known, but the work has not been done.
Milestone

Comments

@catenacyber (Contributor)

Go version

go version devel go1.24-96d8ff0 Sat Aug 24 00:51:40 2024 +0000 linux/amd64

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/root/.cache/go-build'
GOENV='/root/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/root/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/root/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/root/.go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/root/.go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.22.1'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='clang'
CXX='clang++'
CGO_ENABLED='1'
GOMOD='/src/ngolo-fuzzing/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3147469696=/tmp/go-build -gno-record-gcc-switches'

What did you do?

Run https://go.dev/play/p/28-LPYiOuVt?v=gotip

What did you see happen?

panic: runtime error: slice bounds out of range [864:863] [recovered]
	panic: runtime error: slice bounds out of range [864:863]

goroutine 17 [running, locked to thread]:
github.com/catenacyber/ngolo-fuzzing/fuzz_ng_debug_buildinfo.FuzzNG_unsure.func1()
	github.com/catenacyber/ngolo-fuzzing/fuzz_ng_debug_buildinfo/fuzz_ng.go:152 +0x10d
panic({0x5584972fa0c0?, 0x10c00001a108?})
	runtime/panic.go:785 +0x132
debug/buildinfo.searchMagic({0x558497316e08, 0x10c000072098}, 0x20, 0x2?)
	debug/buildinfo/buildinfo.go:383 +0x605
debug/buildinfo.readRawBuildInfo({0x558497316478, 0x10c0000b25d0})
	debug/buildinfo/buildinfo.go:175 +0xd17
debug/buildinfo.Read({0x558497316478?, 0x10c0000b25d0?})
	debug/buildinfo/buildinfo.go:89 +0x3e

What did you expect to see?

The program printing hello

This was found by ngolo-fuzzing on oss-fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=71257

@catenacyber (Contributor, Author)

Note that there is no problem in go 1.23

@gopherbot (Contributor)

Change https://go.dev/cl/608517 mentions this issue: debug/buildinfo: don't crash on corrupt object file

@dmitshur dmitshur added the NeedsFix The path to resolution is known, but the work has not been done. label Aug 27, 2024
@dmitshur dmitshur added this to the Go1.24 milestone Aug 27, 2024
@gopherbot (Contributor)

Change https://go.dev/cl/608637 mentions this issue: debug/buildinfo: stop searchMagic search at EOF

gopherbot pushed a commit that referenced this issue Aug 27, 2024
An invalid executable may claim to have a data section bigger than the
executable, causing readData in searchMagic to hit EOF. Since readData
suppresses all EOF errors, searchData would keep attempting to search
through a potentially huge "section" despite readData continuously
failing.

Fix by suppressing EOF only on partial read. If nothing is read, allow
EOF. Note that most of the admittedly tedious EOF handling in this
package is around ensuring we return errNotGoExe in most cases.

This was discovered by the new fuzz test. This fuzz test was inspired
by #69066, though it has not found that specific bug.

Change-Id: Icf413e996cecc583c084c9e44249b9294c3d8f10
Reviewed-on: https://go-review.googlesource.com/c/go/+/608637
Reviewed-by: Ian Lance Taylor <iant@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
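The EOF rule the commit message describes (suppress EOF only on a partial read, let an empty read stop the scan), shown as an added illustration that is not the debug/buildinfo source. The magic string, the 16-byte alignment, the 1 KiB chunk size and the `fixed` switch are assumptions made for this example; `fixed=false` reproduces the old behaviour, where a bogus section size keeps the scan reading empty chunks.

```go
package main

import (
	"bytes"
	"errors"
	"io"
)

// Assumed for this example (not the real debug/buildinfo values): the magic
// is 16-byte aligned and the section is scanned in 1 KiB chunks.
var buildInfoMagic = []byte("\xff Go buildinf:")

const buildInfoAlign, chunkSize = 16, 1 << 10

var errNotGoExe = errors.New("not a Go executable")

// readData reads up to n bytes at off. fixed=false suppresses every EOF, so a
// read past the end looks like a successful empty read; fixed=true suppresses
// EOF only on a partial read, as the commit message describes.
func readData(r io.ReaderAt, off, n int64, fixed bool) ([]byte, error) {
	buf := make([]byte, n)
	m, err := r.ReadAt(buf, off)
	if err == io.EOF && (m > 0 || !fixed) {
		err = nil
	}
	return buf[:m], err
}

// searchMagic scans the claimed section [start, start+size) chunk by chunk and
// returns the magic's offset plus the number of chunk reads it took.
func searchMagic(r io.ReaderAt, start, size int64, fixed bool) (int64, int, error) {
	reads := 0
	for off := start; off < start+size; off += chunkSize {
		n := int64(chunkSize)
		if rem := start + size - off; rem < n {
			n = rem
		}
		reads++
		data, err := readData(r, off, n, fixed)
		if err != nil { // fixed path: EOF with nothing read ends the search
			return 0, reads, errNotGoExe
		}
		for i := 0; i+len(buildInfoMagic) <= len(data); i += buildInfoAlign {
			if bytes.Equal(data[i:i+len(buildInfoMagic)], buildInfoMagic) {
				return off + int64(i), reads, nil
			}
		}
	}
	return 0, reads, errNotGoExe
}
```

With a constructed 1500-byte input whose header claims a 1 MiB section, the old path performs 1024 chunk reads before giving up, while the fixed path stops after the third read returns nothing.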