Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ERROR: index out of range while parsing attribute (?) #75

Open
jonas-koeritz opened this issue Apr 27, 2023 · 0 comments
Open

ERROR: index out of range while parsing attribute (?) #75

jonas-koeritz opened this issue Apr 27, 2023 · 0 comments

Comments

@jonas-koeritz
Copy link

I am working with a velociraptor offline collector and go-ntfs seems to break on my machine reproducible. I haven't done a deep dive into the code yet but this is my stack-trace. There seems to be an off by one error or similar thing happening.

panic: runtime error: index out of range [216] with length 216

goroutine 389 [running]:
www.velocidex.com/golang/go-ntfs/parser.(*NTFS_ATTRIBUTE).RunList(0xc003080ba0)
        /go/pkg/mod/www.velocidex.com/golang/go-ntfs@v0.1.2-0.20230221030709-f91b68ac3222/parser/attribute.go:158 +0x313
www.velocidex.com/golang/go-ntfs/parser.joinAllVCNs(0xc00bf20360, {0xc001646100?, 0x3, 0x4})
        /go/pkg/mod/www.velocidex.com/golang/go-ntfs@v0.1.2-0.20230221030709-f91b68ac3222/parser/easy.go:393 +0x1d3
www.velocidex.com/golang/go-ntfs/parser.OpenStream(0xc00bf20360?, 0xc0015d5980?, 0xc00263e180?, 0xea1a?)
        /go/pkg/mod/www.velocidex.com/golang/go-ntfs@v0.1.2-0.20230221030709-f91b68ac3222/parser/easy.go:356 +0x207
www.velocidex.com/golang/velociraptor/accessors/ntfs.(*MFTFileSystemAccessor).OpenWithOSPath(0xc00263c4f0, 0xc0006d6ea0?)
        /velociraptor-build/velociraptor/accessors/ntfs/mft.go:139 +0x127
www.velocidex.com/golang/velociraptor/vql/filesystem.(*ReadFileFunction).Call(0xc000ee7ae0?, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6ea0?}, 0x2149a20?)
        /velociraptor-build/velociraptor/vql/filesystem/filesystem.go:353 +0x2eb
www.velocidex.com/golang/vfilter.(*_SymbolRef).callFunction(0xc0011600c0, {0x26c1e20?, 0xc0013e4880}, {0x26dc670?, 0xc0006d6ea0}, {0x26b76e8?, 0x34ff2d0})
        /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1691 +0x583
www.velocidex.com/golang/vfilter.(*_SymbolRef).Reduce(0xc0011600c0, {0x26c1e20, 0xc0013e4880}, {0x26dc670, 0xc0006d6ea0})
        /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1545 +0x1c6
www.velocidex.com/golang/vfilter.(*_Value).Reduce(0xc00034cc00, {0x26c1e20, 0xc0013e4880}, {0x26dc670, 0xc0006d6ea0})
        /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1433 +0x14f
www.velocidex.com/golang/vfilter.(*_MemberExpression).Reduce(0xc001a55e00, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6ea0?})
        /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1120 +0x56
www.velocidex.com/golang/vfilter.(*_MultiplicationExpression).Reduce(0xc001a55e40, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6ea0?})
        /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1369 +0x53
www.velocidex.com/golang/vfilter.(*_AdditionExpression).Reduce(0xc001a55e80, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6ea0?})
        /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1284 +0x53
www.velocidex.com/golang/vfilter.(*_ConditionOperand).Reduce(0xc001fe1410, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6ea0?})
        /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1322 +0x85
www.velocidex.com/golang/vfilter.(*_OrExpression).Reduce(0xc000592040, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6ea0?})
        /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1246 +0x56
www.velocidex.com/golang/vfilter.(*_AndExpression).Reduce(0xc000592200, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6ea0?})
        /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1214 +0x4a
www.velocidex.com/golang/vfilter.(*_AliasedExpression).Reduce(0x0?, {0x26c1e20?, 0xc0013e4880?}, {0x26dc670?, 0xc0006d6ea0?})
        /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:679 +0x9f
www.velocidex.com/golang/vfilter.(*_SelectExpression).Transform.func2({0x26c1e20, 0xc0013e4880}, {0xc00690c330?, 0xa?})
        /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:916 +0x5b
www.velocidex.com/golang/vfilter.(*LazyRowImpl).Get(0xc0001c8e00, {0xc00690c330, 0xa})
        /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/lazy.go:60 +0x7d
www.velocidex.com/golang/vfilter/protocols.(*AssociativeDispatcher).Associative(0xc002252f98, {0x26dc670, 0xc0006d6fc0}, {0x1ecd480?, 0xc0001c8e00}, {0x1d97a20?, 0xc00263c130?})
        /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/protocols/protocol_associative.go:52 +0x3f5
www.velocidex.com/golang/vfilter/scope.(*Scope).Associative(...)
        /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/scope/scope.go:276
www.velocidex.com/golang/vfilter/scope.(*Scope).Resolve(0xc0006d6fc0, {0xc00690c330, 0xa})
        /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/scope/scope.go:551 +0x176
www.velocidex.com/golang/vfilter/protocols.(*AssociativeDispatcher).Associative(0xc002252f98, {0x26dc670, 0xc0006d6fc0}, {0x2149a20?, 0xc0006d6fc0}, {0x1d97a20?, 0xc00263c120?})
        /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/protocols/protocol_associative.go:46 +0x482
www.velocidex.com/golang/vfilter/scope.(*Scope).Associative(0xc00690c330?, {0x2149a20?, 0xc0006d6fc0?}, {0x1d97a20?, 0xc00263c120?})
        /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/scope/scope.go:276 +0x53
www.velocidex.com/golang/vfilter.(*_SymbolRef).getFunction(0xc001161f80, {0x26dc670, 0xc0006d6fc0})
        /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1505 +0x4de
www.velocidex.com/golang/vfilter.(*_SymbolRef).Reduce(0xc001161f80, {0x26c1e20, 0xc0013e4880}, {0x26dc670, 0xc0006d6fc0})
        /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1534 +0x65
www.velocidex.com/golang/vfilter.(*_Value).Reduce(0xc00034cd00, {0x26c1e20, 0xc0013e4880}, {0x26dc670, 0xc0006d6fc0})
        /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1433 +0x14f
www.velocidex.com/golang/vfilter.(*_MemberExpression).Reduce(0xc000592740, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6fc0?})
        /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1120 +0x56
www.velocidex.com/golang/vfilter.(*_MultiplicationExpression).Reduce(0xc000592780, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6fc0?})
        /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1369 +0x53
www.velocidex.com/golang/vfilter.(*_AdditionExpression).Reduce(0xc000592a00, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6fc0?})
        /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1284 +0x53
www.velocidex.com/golang/vfilter.(*_ConditionOperand).Reduce(0xc001fe15c0, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6fc0?})
        /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1322 +0x85
www.velocidex.com/golang/vfilter.(*_OrExpression).Reduce(0xc000a6e740, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6fc0?})
        /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1246 +0x56
www.velocidex.com/golang/vfilter.(*_AndExpression).Reduce(0xc000a6e800, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6fc0?})
        /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1214 +0x4a
www.velocidex.com/golang/vfilter.(*_CommaExpression).Reduce(0xc000a6eac0, {0x26c1e20, 0xc0013e4880}, {0x26dc670, 0xc0006d6fc0})
        /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:1177 +0x5a
www.velocidex.com/golang/vfilter.(*_Select).processSingleRow(0xc001393220, {0x26c1e20, 0xc0013e4880}, {0x26dc670, 0xc0011a7680}, {0x2113680, 0xc0021cb180}, 0xc0020650e0)
        /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:585 +0x229
www.velocidex.com/golang/vfilter.(*_Select).Eval.func3()
        /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:548 +0xe5
created by www.velocidex.com/golang/vfilter.(*_Select).Eval
        /go/pkg/mod/www.velocidex.com/golang/vfilter@v0.0.0-20230316180946-365e0a88120f/vfilter.go:533 +0x2ca
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jonas-koeritz