golang/go

debug/elf: index out of range

dvyukov opened this issue · 8 comments

The following program crashes with the panic:

package main

import (
    "bytes"
    "debug/elf"
)

func main() {
    data := []byte("\u007fELF\x02\x01\x010000000000000" +
        "\x010000000000000000000" +
        "\x00\x00\x00\x00\x00\x00\x00\x0000000000\x00\x00\x00\x00" +
        "0000")
    f, err := elf.NewFile(bytes.NewReader(data))
    if err != nil {
        if f != nil {
            panic("file is not nil on error")
        }
        return
    }
    defer f.Close()
    f.DynamicSymbols()
    f.ImportedLibraries()
    f.ImportedSymbols()
    f.Section(".data")
    f.SectionByType(elf.SHT_GNU_VERSYM)
    f.Symbols()
    dw, err := f.DWARF()
    if err != nil {
        if dw != nil {
            panic("dwarf is not nil on error")
        }
        return
    }
    dr := dw.Reader()
    for {
        e, _ := dr.Next()
        if e == nil {
            break
        }
    }

}

panic: runtime error: index out of range

goroutine 1 [running]:
debug/elf.NewFile(0x7f6e0f6071c0, 0xc208014420, 0x63d900, 0x0, 0x0)
    src/debug/elf/file.go:380 +0x1484
main.main()
    elftest.go:13 +0x10e

on commit 596bb76

c9s commented

I got the below output in this case:

len(Sections): 12336
shstrndx: 12336

c9s commented

The failing case seems to fail on Go 1.4.2 too

/usr/local/go/bin/go run elf.go
panic: runtime error: index out of range

goroutine 1 [running]:
debug/elf.NewFile(0x220820f9b0, 0x208236270, 0x1c5ee8, 0x0, 0x0)
    /usr/local/go/src/debug/elf/file.go:379 +0x1638
main.main()
    /Users/c9s/go/elf.go:13 +0x110
exit status 2

Then probably shoff is 0 or negative in the following condition:

    if shnum > 0 && shoff > 0 && (shstrndx < 0 || shstrndx >= shnum) {
        return nil, &FormatError{0, "invalid ELF shstrndx", shstrndx}
    }

so the check for shstrndx >= shnum doesn't trigger.
Please print shnum/shoff as well.

c9s commented

len(Sections): 12336
shstrndx: 12336
shnum: 12336
shoff: 0

CL https://golang.org/cl/10477 mentions this issue.
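
The check quoted above only validates shstrndx when shoff > 0, so a header with shoff == 0 but non-zero shnum/shstrndx (exactly what the fuzzer produced: shnum = shstrndx = 0x3030 = 12336) slips through and is later used as an index. The following is an added example, not code from this issue or from the debug/elf package, showing how a caller can decode the ELF64 header with encoding/binary and enforce the relationship between e_shoff, e_shnum and e_shstrndx before handing the bytes to elf.NewFile. The function names parseHeader64, checkSectionHeaderTable and safeNewFile are assumptions made here; the constant names (elf.ELFMAG, elf.EI_CLASS, elf.EI_DATA, elf.ELFCLASS64, elf.ELFDATA2LSB, elf.SHN_UNDEF) and the elf.Header64 struct are the real ones from debug/elf. The input bytes are the 64-byte header from the reproducer at the top of the issue.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"fmt"
)

// fuzzInput is the 64-byte header from the reproducer in this issue:
// e_shoff == 0 while e_shnum and e_shstrndx both decode as 0x3030 (12336).
var fuzzInput = []byte("\u007fELF\x02\x01\x010000000000000" +
	"\x010000000000000000000" +
	"\x00\x00\x00\x00\x00\x00\x00\x0000000000\x00\x00\x00\x00" +
	"0000")

const (
	header64Size = 64 // sizeof(Elf64_Ehdr)
	shdr64Size   = 64 // sizeof(Elf64_Shdr)
)

// parseHeader64 decodes only the ELF64 file header, honouring the byte
// order declared in e_ident, without touching any table it points at.
func parseHeader64(data []byte) (*elf.Header64, error) {
	if len(data) < header64Size {
		return nil, fmt.Errorf("short ELF header: %d bytes", len(data))
	}
	if string(data[:len(elf.ELFMAG)]) != elf.ELFMAG {
		return nil, fmt.Errorf("bad ELF magic")
	}
	if elf.Class(data[elf.EI_CLASS]) != elf.ELFCLASS64 {
		return nil, fmt.Errorf("not an ELFCLASS64 file")
	}
	var order binary.ByteOrder
	switch elf.Data(data[elf.EI_DATA]) {
	case elf.ELFDATA2LSB:
		order = binary.LittleEndian
	case elf.ELFDATA2MSB:
		order = binary.BigEndian
	default:
		return nil, fmt.Errorf("unknown ELF data encoding %#x", data[elf.EI_DATA])
	}
	var h elf.Header64
	if err := binary.Read(bytes.NewReader(data[:header64Size]), order, &h); err != nil {
		return nil, err
	}
	return &h, nil
}

// checkSectionHeaderTable enforces the relationship between e_shoff, e_shnum
// and e_shstrndx so that no later code path indexes a section table that
// does not exist. Unlike the check quoted in the thread, the shoff == 0 case
// is validated instead of skipped.
func checkSectionHeaderTable(h *elf.Header64) error {
	if h.Shoff == 0 {
		// No section header table at all: both counts must be zero too.
		if h.Shnum != 0 || h.Shstrndx != 0 {
			return fmt.Errorf("shoff is 0 but shnum=%d shstrndx=%d", h.Shnum, h.Shstrndx)
		}
		return nil
	}
	// shnum == 0 with shoff != 0 is extended numbering via sh[0] and is left
	// to the full parser; otherwise shstrndx must be SHN_UNDEF or in range.
	if h.Shnum > 0 {
		if int(h.Shentsize) < shdr64Size {
			return fmt.Errorf("shentsize %d too small for ELF64", h.Shentsize)
		}
		if h.Shstrndx != uint16(elf.SHN_UNDEF) && h.Shstrndx >= h.Shnum {
			return fmt.Errorf("shstrndx %d out of range for shnum %d", h.Shstrndx, h.Shnum)
		}
	}
	return nil
}

// safeNewFile runs the header checks before handing the bytes to debug/elf.
func safeNewFile(data []byte) (*elf.File, error) {
	h, err := parseHeader64(data)
	if err != nil {
		return nil, err
	}
	if err := checkSectionHeaderTable(h); err != nil {
		return nil, fmt.Errorf("rejecting section header table: %w", err)
	}
	return elf.NewFile(bytes.NewReader(data))
}

func main() {
	h, err := parseHeader64(fuzzInput)
	if err != nil {
		fmt.Println("header error:", err)
		return
	}
	fmt.Printf("shoff=%d shnum=%d shstrndx=%d\n", h.Shoff, h.Shnum, h.Shstrndx)
	if _, err := safeNewFile(fuzzInput); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The pre-check deliberately reads nothing beyond the 64-byte header, so a malformed file is refused before any table offset is dereferenced; the same rules are what a stricter NewFile has to apply internally, which is the direction the later change mentioned below takes.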

rsc commented

It's too late in the Go 1.5 release process for fuzzer bugs. The chance of hitting any of these is so low that the benefit of the fix is outweighed by the chance of the fix introducing a more serious bug.

Change https://golang.org/cl/162857 mentions this issue: debug/elf: perform stricter section header table checks in NewFile