golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License

debug/pe: oom when reading section data of file generated by fuzzing #53189

Closed catenacyber closed 2 years ago

catenacyber commented 2 years ago

What version of Go are you using (go version)?

$ go version
go version go1.17.6 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/catena/Library/Caches/go-build"
GOENV="/Users/catena/Library/Application Support/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/catena/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/catena/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/darwin_amd64"
GOVCS=""
GOVERSION="go1.17.6"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/catena/go/src/github.com/catenacyber/go/src/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/pp/dc1dtf9x2js3v0jx_m010nqr0000gn/T/go-build4237848497=/tmp/go-build -gno-record-gcc-switches -fno-common"
GOROOT/bin/go version: go version go1.17.6 darwin/amd64
GOROOT/bin/go tool compile -V: compile version go1.17.6
uname -v: Darwin Kernel Version 21.3.0: Wed Jan  5 21:37:58 PST 2022; root:xnu-8019.80.24~20/RELEASE_X86_64
ProductName:    macOS
ProductVersion: 12.2.1
BuildVersion:   21D62
lldb --version: lldb-1316.0.9.41
Apple Swift version 5.6 (swiftlang-5.6.0.323.62 clang-1316.0.20.8)
gdb --version: GNU gdb (GDB) 9.1

What did you do?

Run https://go.dev/play/p/OGp56YSJsP1

What did you expect to see?

The program finishing and printing some Hello, without having allocated too much space

What did you see instead?

Nothing

Running heap profiling I see that 4 GByte was allocated from

debug/pe.(*Section).Data
/usr/local/go/src/debug/pe/section.go

  Total:         4GB        4GB (flat, cum) 99.90%
     95            .          .             sr *io.SectionReader 
     96            .          .           } 
     97            .          .            
     98            .          .           // Data reads and returns the contents of the PE section s. 
     99            .          .           func (s *Section) Data() ([]byte, error) { 
    100          4GB        4GB             dat := make([]byte, s.sr.Size()) 
    101            .          .             n, err := s.sr.ReadAt(dat, 0) 
    102            .          .             if n == len(dat) { 
    103            .          .                 err = nil 
    104            .          .             } 
    105            .          .             return dat[0:n], err 

cf #52350

Found by https://github.com/catenacyber/ngolo-fuzzing on oss-fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47754
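As an added example (not code from this issue or from the Go tree), here is a chunked read in the spirit of the saferio change referenced on this issue: the header-declared section size is treated as untrusted, and the buffer grows only as bytes actually arrive from the underlying reader, so a bogus size cannot force one 4 GB make(). The names chunkSize and dataBounded, and the 16-byte sample payload, are constructed for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
)

// Assumed constant for this example: read at most this many bytes per
// allocation step so a lying section header cannot force one huge make().
const chunkSize = 1 << 20

// dataBounded reads up to size bytes from r starting at offset 0, growing the
// result chunk by chunk. Memory use is bounded by the bytes actually present
// in r, not by the size a crafted header claims.
func dataBounded(r io.ReaderAt, size int64) ([]byte, error) {
	var dat []byte
	buf := make([]byte, chunkSize)
	var off int64
	for off < size {
		want := size - off
		if want > chunkSize {
			want = chunkSize
		}
		n, err := r.ReadAt(buf[:want], off)
		dat = append(dat, buf[:n]...)
		off += int64(n)
		if err == io.EOF {
			break // underlying data ended before the declared size
		}
		if err != nil {
			return dat, err
		}
	}
	return dat, nil
}

func main() {
	// Constructed sample: 16 real bytes, but a "header" claiming 4 GB.
	payload := []byte("PE section bytes")
	sr := io.NewSectionReader(bytes.NewReader(payload), 0, 4<<30)
	got, err := dataBounded(sr, sr.Size())
	fmt.Printf("read %d bytes, err=%v\n", len(got), err) // read 16 bytes, err=<nil>
}
```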

4ra1n commented 2 years ago

I found the bug some weeks ago too, and reported it to the Go security team. Not only does OOM exist in the 'debug/pe' package, but also in the 'debug/elf' and 'debug/macho' packages. But the Go security team no longer treats these packages (debug/*) as part of the security boundary for Go.

catenacyber commented 2 years ago

Not only does oom exist in the 'debug/pe' package, but also in the 'debug/elf' and 'debug/macho' packages

Indeed cf https://github.com/golang/go/issues/52522 and https://github.com/golang/go/issues/52523

dmitshur commented 2 years ago

CC @alexbrainman.

gopherbot commented 2 years ago

Change https://go.dev/cl/412014 mentions this issue: debug/pe, internal/saferio: use saferio to read PE section data