debug/elf: NewFile fails to parse ELF files with program header count overflow (PN_XNUM)

[578559967]

What version of Go are you using (go version)?

go1.26rc1 (also affects earlier versions)

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you are using?

Linux/amd64

What did you do?

I tried to parse a core dump file that contains 74,525 program headers using debug/elf.NewFile. The ELF header's e_phnum field overflows to PN_XNUM (0xffff), and the actual count is stored in the first section header's sh_info field per ELF specification.

What did you expect to see?

NewFile should correctly parse all 74,525 program headers.

What did you see instead?

Only 65,536 (0x10000) program headers were parsed, causing the core file to be incorrectly read.

Root Cause

According to the ELF Specification:

e_phnum: If the number of program headers is greater than or equal to PN_XNUM (0xffff), this member has the value PN_XNUM and the actual number of program headers is contained in the sh_info field of the section header at index 0.

However, the current implementation in src/debug/elf/file.go simply reads e_phnum as a uint16 without checking for the overflow case:

// file.go:349, 368
phnum = int(bo.Uint16(data[unsafe.Offsetof(hdr.Phnum):]))

Comparison with Section Header Overflow
The code already correctly handles section header overflow (shnum >= SHN_LORESERVE) in commit 7d157fd:

// file.go:453-493 - Already implemented
if shoff > 0 && shnum == 0 {
    // Read actual shnum from section[0].sh_size
    shnum = int(sh.Size)
}

But the equivalent logic for phnum overflow is missing.

Suggested Fix

Add similar overflow handling for phnum after reading the ELF header:

const PN_XNUM = 0xffff
// After reading phnum from ELF header
if phnum == PN_XNUM && shoff > 0 {
    // Read actual phnum from section[0].sh_info
    var shInfo uint32
    switch f.Class {
    case ELFCLASS32:
        var sh Section32
        // ... read section header at index 0
        shInfo = sh.Info
    case ELFCLASS64:
        var sh Section64
        // ... read section header at index 0
        shInfo = sh.Info
    }
    phnum = int(shInfo)
}

Impact

This affects parsing of:

• Large core dump files
• Any ELF files with >= 65535 program headers

Related

• Commit 7d157fd which fixed the analogous issue for section headers
• Issue debug/elf: files with more than 65280 (0xff00) sections not handled correctly #55294 (section header overflow)

[gabyhelp]

Related Issues

• debug/elf: NewFile can be tricked into reading the entire file into memory if it is corrupted #68454
• debug/elf: Opening file causes runtime error with certain invalid ELF files #53626 (closed)
• debug/elf: suport files with >= 65280 (0xff00) sections #55295 (closed)
• debug/elf: files with more than 65280 (0xff00) sections not handled correctly #55294 (closed)
• debug/elf: fatal error: runtime: out of memory #45599 (closed)
• debug/pe: fails to parse variable length optional header #32126 (closed)
• debug/pe: attempt to allocate giant slice #17809 (closed)
• debug/pe: (*File).ImportedSymbols seeking to virtual address lacks bounds check before using VirtualAddress #76721 (closed)
• debug/elf: parsing Malware Elf File causes a panic in debug/elf.NewFile #47445 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[ianlancetaylor]

Thanks for the report. I sent https://go.dev/cl/758040 to fix this.

[gopherbot]

Change https://go.dev/cl/758040 mentions this issue: debug/elf: handle program header count overflow