Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix cant found RET offset in gotls mode. fix #502. #512

Merged
merged 4 commits into from
Mar 30, 2024
Merged

Fix cant found RET offset in gotls mode. fix #502. #512

merged 4 commits into from
Mar 30, 2024

Conversation

cfc4n
Copy link
Member

@cfc4n cfc4n commented Mar 24, 2024
edited
Loading

Fix the issue of not being able to fetch the function RET offset in the gotls model when building a Golang binary with pie mode.

GO_BUILDMODE="-buildmode=pie"

ref: https://github.com/docker/cli/blob/799bf5268039a92c9af197abd612b0f36cf9efe1/scripts/build/.variables#L75C13-L75C42

Here, a constant IdaProOffset = 0x120 is used. I found through IDA static symbol analysis that the address of crypto/tls.(*Conn).Read is 46EE50. The address calculated by the program is always 0x120 less than this number. By analyzing multiple compiled programs, I found that the difference is always 0x120. Therefore, I defined a constant and added it to the address calculated by the program. However, I don't know the reason, if you know, please let me know.

这里,使用了一个常量IdaProOffset = 0x120,我是通过IDA静态分析符号发现crypto/tls.(*Conn).Read的地址是46EE50,我用程序计算出来的总是比这个数字少了0x120 ,通过分析其他多个编译的程序,发现差值总是0x120,所以,我定义了一个常量,增加到程序计算的地址上。但是我不知道原因,如果你知道,请告诉我。

func (gc *GoTLSConfig) findPieSymbolAddr(lfunc string) (uint64, error) {
	f := gc.goSymTab.LookupFunc(lfunc)
	if f == nil {
		return 0, errors.New("Cant found symbol address on pie model.")
		// f.Value - prog.Vaddr + prog.Off + IdaProOffset
	}
	var err error
	var address uint64
	for _, prog := range gc.goElf.Progs {
		if prog.Type != elf.PT_LOAD || (prog.Flags&elf.PF_X) == 0 {
			continue
		}
		// For more info on this calculation: stackoverflow.com/a/40249502
		address = f.Value
		if prog.Vaddr <= f.Value && f.Value < (prog.Vaddr+prog.Memsz) {
			funcLen := f.End - f.Entry
			data := make([]byte, funcLen)
			address = f.Value - prog.Vaddr + prog.Off + IdaProOffset
			_, err = prog.ReadAt(data, int64(address))
			if err != nil {
				return 0, fmt.Errorf("search function return: %w", err)
			}
			return address, nil
		}
	}
	return 0, ErrorNoRetFoundFromSymTabFun
}
cc_snip_2024-03-30_17-38-52

@cfc4n
Fix cant found RET offset in gotls mode. fix #502.
dd0c48a 
Fix the issue of not being able to fetch the function RET offset in the gotls model when building a Golang binary with pie mode.

Signed-off-by: CFC4N <cfc4n.cs@gmail.com>
@cfc4n cfc4n added 🐞 bug Something isn't working fix bug fix PR labels Mar 24, 2024
@sancppp
Copy link
Contributor

sancppp commented Mar 24, 2024
edited
Loading

Why do I get a could not find magic number error in my test environment?
This error does not occur in the master branch.

As you can see in the picture, my order of operation is right before left.
CleanShot_2024-03-24_at_20 00 50@2x

@cfc4n
Copy link
Member Author

cfc4n commented Mar 24, 2024

is tests not a ELF file? The pie mode requires enabling CGO.

please use command :

CGO_ENABLED=1 go build -buildmode=pie  -o test main.go

ps:
This PR is not yet complete, I am in the process of optimizing it.

@sancppp
Copy link
Contributor

sancppp commented Mar 24, 2024

is tests not a ELF file? The pie mode requires enabling CGO.

please use command :

CGO_ENABLED=1 go build -buildmode=pie  -o test main.go

ps: This PR is not yet complete, I am in the process of optimizing it.

It looks the same as before.

CleanShot_2024-03-24_at_20 31 09@2x

I'm going to wait until this PR is complete before I run these tests, in order to understand what's changed in this PR.

cfc4n added 3 commits March 30, 2024 18:35
@cfc4n
support symbols in sections .data.rel.ro.gopclntab and .data.rel.ro.
d53387f 
see PR #512 for more info .

Signed-off-by: CFC4N <cfc4n.cs@gmail.com>
@cfc4n
fix SA4006: this value of address is never used (staticcheck)
c38d3dc 
Signed-off-by: CFC4N <cfc4n.cs@gmail.com>
@cfc4n
fix : incorret gotls event payload length.
5b49651 
Signed-off-by: CFC4N <cfc4n.cs@gmail.com>
cfc4n
cfc4n commented Mar 30, 2024
View reviewed changes
Copy link
Member Author

@cfc4n cfc4n left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reviewed.

@cfc4n cfc4n merged commit 7ebb395 into master Mar 30, 2024
6 checks passed
cfc4n added a commit that referenced this pull request Mar 30, 2024
@cfc4n
support symbols in sections .data.rel.ro.gopclntab and .data.rel.ro.
5121f36 
see PR #512 for more info .

Signed-off-by: CFC4N <cfc4n.cs@gmail.com>
@cfc4n cfc4n deleted the ret_offset_pie_mode branch March 30, 2024 14:22
@wlingze wlingze mentioned this pull request Apr 7, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sancppp sancppp sancppp approved these changes

Assignees
No one assigned
Labels
🐞 bug Something isn't working fix bug fix PR
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@cfc4n @sancppp