mandiant / GoReSym

Go symbol recovery tool
MIT License

Lack of Exception Handling for pe/string/readStringTable #8

Closed renzhexigua closed 1 year ago

renzhexigua commented 1 year ago

Describe the bug

This PE sample (VT link) will cause an OOM fatal error.

Context

GoReSym Version: v1.3
Operating System: Linux with 2GB memory
Sample Info: 64-bit PE executable compiled by Go v1.18+

To Reproduce

Steps to reproduce the behavior:

  1. Use command './GoReSym_lin -t -d -p /path/to/file'
  2. See error

Logs

fatal error: runtime: out of memory

runtime stack:
runtime.throw({0x59576a, 0x100000000})
    /usr/local/go/src/runtime/panic.go:1198 +0x71
runtime.sysMap(0xc000400000, 0x428760, 0x7ffe58faa2d8)
    /usr/local/go/src/runtime/mem_linux.go:169 +0x96
runtime.(*mheap).grow(0x70dba0, 0x80000)
    /usr/local/go/src/runtime/mheap.go:1393 +0x225
runtime.(*mheap).allocSpan(0x70dba0, 0x80000, 0x0, 0x1)
    /usr/local/go/src/runtime/mheap.go:1179 +0x165
runtime.(*mheap).alloc.func1()
    /usr/local/go/src/runtime/mheap.go:913 +0x69
runtime.systemstack()
    /usr/local/go/src/runtime/asm_amd64.s:383 +0x49

goroutine 1 [running]:
runtime.systemstack_switch()
    /usr/local/go/src/runtime/asm_amd64.s:350 fp=0xc0000b30e8 sp=0xc0000b30e0 pc=0x45bee0
runtime.(*mheap).alloc(0xc00009a0a0, 0x14, 0x14, 0x0)
    /usr/local/go/src/runtime/mheap.go:907 +0x73 fp=0xc0000b3138 sp=0xc0000b30e8 pc=0x424a93
runtime.(*mcache).allocLarge(0x30, 0xfffffffb, 0x10, 0x1)
    /usr/local/go/src/runtime/mcache.go:227 +0x89 fp=0xc0000b3198 sp=0xc0000b3138 pc=0x415929
runtime.mallocgc(0xfffffffb, 0x54c400, 0x1)
    /usr/local/go/src/runtime/malloc.go:1082 +0x5c5 fp=0xc0000b3218 sp=0xc0000b3198 pc=0x40c825
runtime.makeslice(0x5c7fa0, 0xc0000665d0, 0x5cba80)
    /usr/local/go/src/runtime/slice.go:98 +0x52 fp=0xc0000b3240 sp=0xc0000b3218 pc=0x4468b2
github.com/mandiant/GoReSym/debug/pe.readStringTable(0x5c7fa0, {0x5ca068, 0xc0000665d0})
    /home/xxx/source/repos/goresym_public/debug/pe/string.go:49 +0x15e fp=0xc0000b32a8 sp=0xc0000b3240 pc=0x524b5e
github.com/mandiant/GoReSym/debug/pe.NewFile({0x5c8020, 0xc00000e038})
    /home/xxx/source/repos/goresym_public/debug/pe/file.go:100 +0x27c fp=0xc0000b33a8 sp=0xc0000b32a8 pc=0x521b3c
github.com/mandiant/GoReSym/objfile.openPE({0x5c8020, 0xc00000e038})
    /home/xxx/source/repos/goresym_public/objfile/pe.go:27 +0x27 fp=0xc0000b33d0 sp=0xc0000b33a8 pc=0x534227
github.com/mandiant/GoReSym/objfile.Open({0x7ffe58faa741, 0x14})
    /home/xxx/source/repos/goresym_public/objfile/objfile.go:93 +0xb7 fp=0xc0000b3458 sp=0xc0000b33d0 pc=0x52c897
main.main_impl({_, _}, _, _, _, _, {_, _})
    /home/xxx/source/repos/goresym_public/main.go:73 +0xc5 fp=0xc0000b3880 sp=0xc0000b3458 pc=0x537225
main.main()
    /home/xxx/source/repos/goresym_public/main.go:385 +0x445 fp=0xc0000b3f80 sp=0xc0000b3880 pc=0x53a165
runtime.main()
    /usr/local/go/src/runtime/proc.go:255 +0x227 fp=0xc0000b3fe0 sp=0xc0000b3f80 pc=0x434467
runtime.goexit()
    /usr/local/go/src/runtime/asm_amd64.s:1581 +0x1 fp=0xc0000b3fe8 sp=0xc0000b3fe0 pc=0x45dfc1

RCA

The value of l will be 4294967291 (0xffffffff - 4), which is calculated from a field of the FileHeader structure, i.e. PointerToSymbolTable. https://github.com/mandiant/GoReSym/blob/0c08ac179bf3c3e13c2f3ccf28b202e84781fb2e/debug/pe/string.go#L48-L50

As you can see, this sample's PointerToSymbolTable points to a gap area between the .rsrc and .symtab sections' boundary. [image omitted]

The PointerToSymbolTable value is normally the .symtab file offset, while in this case it is somehow mismatched.
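The root cause above is a classic untrusted-length allocation: the 4-byte length prefix of the COFF string table is read straight from the file and passed to make, so a header whose PointerToSymbolTable lands on 0xff bytes asks the runtime for ~4 GiB. The following is an added example, not GoReSym's code or its fix, of how a PE string-table reader can validate that length against the file size before allocating. The function name readStringTableChecked, the cap maxStringTableLen and the two sample inputs are assumptions constructed for this illustration; the layout mirrors the standard COFF string table (length field counts its own four bytes, symbol-name offsets are relative to the start of the length field).

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
)

// StringTable is the raw COFF string table with the 4-byte length prefix stripped.
type StringTable []byte

// maxStringTableLen is a hypothetical hard cap on the table size (an assumption
// for this example); real PE string tables are far smaller than this.
const maxStringTableLen = 64 << 20

// readStringTableChecked reads the COFF string table that starts at offset
// inside a file of fileSize bytes, validating the file-controlled length field
// against the actual file size before allocating anything.
func readStringTableChecked(r io.ReaderAt, fileSize, offset int64) (StringTable, error) {
	if offset < 0 || offset+4 > fileSize {
		return nil, fmt.Errorf("string table offset %d outside file of size %d", offset, fileSize)
	}
	var hdr [4]byte
	if _, err := r.ReadAt(hdr[:], offset); err != nil {
		return nil, fmt.Errorf("reading string table length: %w", err)
	}
	l := binary.LittleEndian.Uint32(hdr[:])
	// The length field counts its own 4 bytes.
	if l < 4 {
		return nil, fmt.Errorf("string table length %d is less than 4", l)
	}
	l -= 4
	remaining := fileSize - offset - 4
	if int64(l) > remaining {
		return nil, fmt.Errorf("string table length %d exceeds remaining file size %d", l, remaining)
	}
	if l > maxStringTableLen {
		return nil, fmt.Errorf("string table length %d exceeds cap %d", l, maxStringTableLen)
	}
	buf := make([]byte, l) // bounded by the file size, so it cannot exhaust memory
	if _, err := r.ReadAt(buf, offset+4); err != nil {
		return nil, fmt.Errorf("reading string table: %w", err)
	}
	return StringTable(buf), nil
}

// String returns the NUL-terminated string at the given table offset; as with
// COFF symbol names, the offset counts from the start of the length field.
func (st StringTable) String(start uint32) (string, error) {
	if start < 4 {
		return "", fmt.Errorf("offset %d points into the length field", start)
	}
	start -= 4
	if int64(start) >= int64(len(st)) {
		return "", fmt.Errorf("offset %d past end of string table (%d bytes)", start, len(st))
	}
	end := bytes.IndexByte(st[start:], 0)
	if end < 0 {
		return "", fmt.Errorf("string at offset %d is not NUL-terminated", start)
	}
	return string(st[start : int(start)+end]), nil
}

// buildSample constructs a toy "file": tableOffset bytes of padding followed by
// the raw table bytes. Constructed input for this example, not a real PE.
func buildSample(tableOffset int, table []byte) []byte {
	data := make([]byte, tableOffset)
	return append(data, table...)
}

// Well-formed table: length 12 (4 + "foo\x00bar\x00").
var goodSample = buildSample(16, append([]byte{12, 0, 0, 0}, []byte("foo\x00bar\x00")...))

// Malformed table: the length field claims 0xffffffff bytes, so l-4 is the
// 4294967291 seen in the report, with nothing behind it in the file.
var badSample = buildSample(16, []byte{0xff, 0xff, 0xff, 0xff})

// parseSample reads the string table at offset 16 of a constructed sample.
func parseSample(data []byte) (StringTable, error) {
	return readStringTableChecked(bytes.NewReader(data), int64(len(data)), 16)
}

func main() {
	st, err := parseSample(goodSample)
	fmt.Println(len(st), err)
	s, _ := st.String(8)
	fmt.Println(s)
	_, err = parseSample(badSample)
	fmt.Println(err)
}
```

The check that matters is the comparison against remaining: any length larger than the bytes left in the file is rejected before make runs, so the malformed sample produces an error instead of a fatal out-of-memory. The cap is a second line of defence for very large but still in-bounds files.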

stevemk14ebr commented 1 year ago

Thanks for the report! 6eedc548d23eef9dd9663f1b935ac9f2d70641fd