Open jonas-koeritz opened 1 year ago
I am working with a Velociraptor offline collector, and go-ntfs reproducibly panics on my machine. I haven't done a deep dive into the code yet, but this is my stack trace. The panic reports index 216 with length 216 in `NTFS_ATTRIBUTE.RunList` (parser/attribute.go:158), so there seems to be an off-by-one error or something similar.
panic: runtime error: index out of range [216] with length 216 goroutine 389 [running]: www.velocidex.com/golang/go-ntfs/parser.(*NTFS_ATTRIBUTE).RunList(0xc003080ba0) /go/pkg/mod/www.velocidex.com/golang/go-ntfs@v0.1.2-0.20230221030709-f91b68ac3222/parser/attribute.go:158 +0x313 www.velocidex.com/golang/go-ntfs/parser.joinAllVCNs(0xc00bf20360, {0xc001646100?, 0x3, 0x4}) /go/pkg/mod/www.velocidex.com/golang/go-ntfs@v0.1.2-0.20230221030709-f91b68ac3222/parser/easy.go:393 +0x1d3 www.velocidex.com/golang/go-ntfs/parser.OpenStream(0xc00bf20360?, 0xc0015d5980?, 0xc00263e180?, 0xea1a?) /go/pkg/mod/www.velocidex.com/golang/go-ntfs@v0.1.2-0.20230221030709-f91b68ac3222/parser/easy.go:356 +0x207 www.velocidex.com/golang/velociraptor/accessors/ntfs.(*MFTFileSystemAccessor).OpenWithOSPath(0xc00263c4f0, 0xc0006d6ea0?) /velociraptor-build/velociraptor/accessors/ntfs/mft.go:139 +0x127 www.velocidex.com/golang/velociraptor/vql/filesystem.(*ReadFileFunction).Call(0xc000ee7ae0?, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6ea0?}, 0x2149a20?) 
/velociraptor-build/velociraptor/vql/filesystem/filesystem.go:353 +0x2eb www.velocidex.com/golang/vfilter.(*_SymbolRef).callFunction(0xc0011600c0, {0x26c1e20?, 0xc0013e4880}, {0x26dc670?, 0xc0006d6ea0}, {0x26b76e8?, 0x34ff2d0}) /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1691 +0x583 www.velocidex.com/golang/vfilter.(*_SymbolRef).Reduce(0xc0011600c0, {0x26c1e20, 0xc0013e4880}, {0x26dc670, 0xc0006d6ea0}) /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1545 +0x1c6 www.velocidex.com/golang/vfilter.(*_Value).Reduce(0xc00034cc00, {0x26c1e20, 0xc0013e4880}, {0x26dc670, 0xc0006d6ea0}) /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1433 +0x14f www.velocidex.com/golang/vfilter.(*_MemberExpression).Reduce(0xc001a55e00, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6ea0?}) /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1120 +0x56 www.velocidex.com/golang/vfilter.(*_MultiplicationExpression).Reduce(0xc001a55e40, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6ea0?}) /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1369 +0x53 www.velocidex.com/golang/vfilter.(*_AdditionExpression).Reduce(0xc001a55e80, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6ea0?}) /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1284 +0x53 www.velocidex.com/golang/vfilter.(*_ConditionOperand).Reduce(0xc001fe1410, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6ea0?}) /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1322 +0x85 www.velocidex.com/golang/vfilter.(*_OrExpression).Reduce(0xc000592040, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6ea0?}) /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1246 +0x56 
www.velocidex.com/golang/vfilter.(*_AndExpression).Reduce(0xc000592200, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6ea0?}) /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1214 +0x4a www.velocidex.com/golang/vfilter.(*_AliasedExpression).Reduce(0x0?, {0x26c1e20?, 0xc0013e4880?}, {0x26dc670?, 0xc0006d6ea0?}) /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:679 +0x9f www.velocidex.com/golang/vfilter.(*_SelectExpression).Transform.func2({0x26c1e20, 0xc0013e4880}, {0xc00690c330?, 0xa?}) /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:916 +0x5b www.velocidex.com/golang/vfilter.(*LazyRowImpl).Get(0xc0001c8e00, {0xc00690c330, 0xa}) /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/lazy.go:60 +0x7d www.velocidex.com/golang/vfilter/protocols.(*AssociativeDispatcher).Associative(0xc002252f98, {0x26dc670, 0xc0006d6fc0}, {0x1ecd480?, 0xc0001c8e00}, {0x1d97a20?, 0xc00263c130?}) /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/protocols/protocol_associative.go:52 +0x3f5 www.velocidex.com/golang/vfilter/scope.(*Scope).Associative(...) 
/go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/scope/scope.go:276 www.velocidex.com/golang/vfilter/scope.(*Scope).Resolve(0xc0006d6fc0, {0xc00690c330, 0xa}) /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/scope/scope.go:551 +0x176 www.velocidex.com/golang/vfilter/protocols.(*AssociativeDispatcher).Associative(0xc002252f98, {0x26dc670, 0xc0006d6fc0}, {0x2149a20?, 0xc0006d6fc0}, {0x1d97a20?, 0xc00263c120?}) /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/protocols/protocol_associative.go:46 +0x482 www.velocidex.com/golang/vfilter/scope.(*Scope).Associative(0xc00690c330?, {0x2149a20?, 0xc0006d6fc0?}, {0x1d97a20?, 0xc00263c120?}) /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/scope/scope.go:276 +0x53 www.velocidex.com/golang/vfilter.(*_SymbolRef).getFunction(0xc001161f80, {0x26dc670, 0xc0006d6fc0}) /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1505 +0x4de www.velocidex.com/golang/vfilter.(*_SymbolRef).Reduce(0xc001161f80, {0x26c1e20, 0xc0013e4880}, {0x26dc670, 0xc0006d6fc0}) /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1534 +0x65 www.velocidex.com/golang/vfilter.(*_Value).Reduce(0xc00034cd00, {0x26c1e20, 0xc0013e4880}, {0x26dc670, 0xc0006d6fc0}) /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1433 +0x14f www.velocidex.com/golang/vfilter.(*_MemberExpression).Reduce(0xc000592740, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6fc0?}) /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1120 +0x56 www.velocidex.com/golang/vfilter.(*_MultiplicationExpression).Reduce(0xc000592780, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6fc0?}) /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1369 +0x53 
www.velocidex.com/golang/vfilter.(*_AdditionExpression).Reduce(0xc000592a00, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6fc0?}) /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1284 +0x53 www.velocidex.com/golang/vfilter.(*_ConditionOperand).Reduce(0xc001fe15c0, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6fc0?}) /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1322 +0x85 www.velocidex.com/golang/vfilter.(*_OrExpression).Reduce(0xc000a6e740, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6fc0?}) /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1246 +0x56 www.velocidex.com/golang/vfilter.(*_AndExpression).Reduce(0xc000a6e800, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6fc0?}) /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1214 +0x4a www.velocidex.com/golang/vfilter.(*_CommaExpression).Reduce(0xc000a6eac0, {0x26c1e20, 0xc0013e4880}, {0x26dc670, 0xc0006d6fc0}) /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1177 +0x5a www.velocidex.com/golang/vfilter.(*_Select).processSingleRow(0xc001393220, {0x26c1e20, 0xc0013e4880}, {0x26dc670, 0xc0011a7680}, {0x2113680, 0xc0021cb180}, 0xc0020650e0) /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:585 +0x229 www.velocidex.com/golang/vfilter.(*_Select).Eval.func3() /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:548 +0xe5 created by www.velocidex.com/golang/vfilter.(*_Select).Eval /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:533 +0x2ca
I am working with a Velociraptor offline collector, and go-ntfs reproducibly panics on my machine. I haven't done a deep dive into the code yet, but this is my stack trace. The panic reports index 216 with length 216 in `NTFS_ATTRIBUTE.RunList` (parser/attribute.go:158), so there seems to be an off-by-one error or something similar.