Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix fail on malformed certificate table parsing #417

Open
wants to merge 4 commits into
base: master
Choose a base branch
from

Conversation

ideeockus
Copy link
Contributor

@ideeockus ideeockus commented Jul 29, 2024

Hello!

In some PE files Certificate Table can be malformed / contain invalid data. But if we use ParseOptions::parse_attribute_certificates = true, then whole parsing is failed.

I suggest use default CertificateDirectoryTable in case of error.

@ideeockus ideeockus marked this pull request as draft July 29, 2024 13:43
@ideeockus ideeockus force-pushed the fix/fail_on_malformed_cert_table_parsing branch from 2642c9f to 2c7f7b5 Compare July 30, 2024 07:11
@ideeockus ideeockus marked this pull request as ready for review July 30, 2024 07:12
Copy link
Owner

@m4b m4b left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

need some clarification on default certificate directory; also formatting things are odd

src/pe/mod.rs Outdated
use alloc::borrow::Cow;
use alloc::string::String;
use alloc::vec::Vec;
use core::cmp::max;
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm surprised by these import changes, did the formatter do this?

src/pe/mod.rs Outdated
@@ -142,7 +140,7 @@ impl<'a> PE<'a> {
return Err(error::Error::Malformed(format!(
"Unsupported header magic ({:#x})",
magic
)))
)));
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ditto here too, this is also surprising to me

src/pe/mod.rs Outdated
)
.unwrap_or_else(|err| {
warn!("Cannot parse CertificateTable: {:?}", err);
Default::default()
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can't remember, what is a default certificate directory in this case? is it going to cause other problems further down the line when parsing, or if a user accesses parts of it, will it panic? Does it have offsets into other parts of the PE file that are no longer valid, etc.?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

default is empty table (no certificates), so no wrong offsets there

@m4b
Copy link
Owner

m4b commented Aug 26, 2024

So while this is an easy merge, I'm on the fence about whether we should; in general the malformed binary is kind of important to know, and in general, we choose to fail in those cases. However, sometimes we don't, and maybe this is one of those times, but it feels like it's just sort of skipping a malformed thing, and putting a default value in its place, which may be ok, but it also might not be.

So I'd like to understand more about:

  1. why binaries have malformed certificates, is it common
  2. is it not a big deal if they're malformed, e.g., it's safe to just supply a dummy/default/empty version of the table when bad ones are encountered, and continue going on?

thanks for your patience!

@ideeockus
Copy link
Contributor Author

in general the malformed binary is kind of important to know, and in general, we choose to fail in those cases. However, sometimes we don't, and maybe this is one of those times, but it feels like it's just sort of skipping a malformed thing

OK, that sounds reasonable.

What if we add something like ParseMode::Strict and ParseMode::Permissive to ParseOptions?

@ideeockus ideeockus force-pushed the fix/fail_on_malformed_cert_table_parsing branch from b94d9a3 to ac97d4c Compare December 8, 2024 13:20
@ideeockus
Copy link
Contributor Author

@m4b can you review please

I think handling malformations may be related to #401

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants