debug/elf: Opening file causes runtime error with certain invalid ELF files

[secDre4mer]

What version of Go are you using (go version)?

$ go version
1.18.3

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

Reproducible on all OS / archs

What did you do?

I created a minimal ELF file and modified the last section header of that ELF file to have size 0xFFFFFFFFFFFFFFFF.

Then, I called elf.NewFile(...) with that ELF file.

https://go.dev/play/p/IKMGvTZsOuh

What did you expect to see?

The ELF parser should return an error since the section size is incorrect.

What did you see instead?

The ELF parser allocates an block of RAM equal to the section size, which causes a runtime error:

panic: runtime error: makeslice: len out of range

goroutine 1 [running]:
debug/elf.(*Section).Data(0xc0000f2b80)
	/usr/local/go-faketime/src/debug/elf/file.go:105 +0x30
debug/elf.NewFile({0x4d54a8?, 0xc0000a8240})
	/usr/local/go-faketime/src/debug/elf/file.go:459 +0x1252
main.main()
	/tmp/sandbox3945547430/prog.go:12 +0x99

[ianlancetaylor]

Thanks for the report. This was fixed by the fix for #52035, and the fix will be in the 1.19 release.

[secDre4mer]

Hi Ian,

Thanks for the quick answer. However, I don't think that the fix you mentioned is sufficient. It covers this case because the section size exceeds an int64; but it's easy to create an example with a section size that fits into an int64, but is still large enough to cause a crash.

https://go.dev/play/p/q3Lw9K7O0Dh?v=gotip

The underlying issue, from what I see, is that Section.Data() allocates a byte slice with a size passed from the ELF file without any checking if the section data actually is that large.

[ZekeLu]

@secDre4mer This issue will be fixed by https://go.dev/cl/408679 (for #52522).

[secDre4mer]

Hi @ZekeLu , thanks for the link. The change with saferio sounds quite interesting, too.