internal/driver: guard BuildID slice in locateBinaries to prevent panic on short BuildID #998
Merged
…values
The LLVM debug-file lookup sliced m.BuildID[:2] and m.BuildID[2:] to
construct a filesystem path of the form <path>/<first2>/<rest>.debug.
The existing guard only checked m.BuildID != "", so a BuildID with
fewer than two characters (e.g. a single byte) caused a panic:
runtime error: slice bounds out of range [:2] with length 1
The profile.proto format imposes no minimum length on BuildID, and the
profile.CheckValid() function does not validate it either. A crafted
profile with a one-character BuildID therefore reliably crashes any
process that calls locateBinaries, including tools or servers that
accept and analyze user-supplied profiles.
Fix: wrap the LLVM path construction in a len(m.BuildID) >= 2 guard,
matching the documented precondition of the LLVM build-id protocol
('the first two characters are used as directory').
Add a test case with BuildID="X" to TestSymbolizationPath to prevent
regression.
aalexand
approved these changes
May 7, 2026
Codecov Report
✅ All modified and coverable lines are covered by tests.
@@ Coverage Diff @@
## main #998 +/- ##
==========================================
+ Coverage 70.46% 72.59% +2.12%
==========================================
Files 44 44
Lines 9877 7793 -2084
==========================================
- Hits 6960 5657 -1303
+ Misses 2893 2112 -781
Partials 24 24
Summary
locateBinaries in internal/driver/fetch.go constructs an LLVM debug-file path by slicing m.BuildID[:2] and m.BuildID[2:] (line 433). The guard at line 424 only checks m.BuildID != "", so a BuildID with fewer than two characters passes the check and causes a panic:
The profile.proto format places no minimum length requirement on the build_id field, and profile.CheckValid() does not validate it. A crafted profile file with build_id = "X" (or any single-byte value) reliably panics any process that calls locateBinaries.
Impact
Any tool or server that accepts a user-supplied profile and analyzes it (symbolization, flamegraph rendering, etc.) can be crashed by this one-byte build_id. This includes:
- pprof binary run by an operator against an untrusted profile
- pprof as a library and accepts uploaded profiles
Fix
Add len(m.BuildID) >= 2 guard before the LLVM path construction. This matches the documented precondition of the LLVM build-id convention ("the first two characters are used as the directory name").
Test
Added BuildID: "X" case to TestSymbolizationPath — this panicked before the fix and passes after.
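The length guard described in this PR, shown next to the empty-string-only check it replaces. This is an added example, not pprof's own code: the function names, the `panics` helper and the debug directory are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
)

// unguardedDebugPath (hypothetical name) mirrors the pre-fix check: it only
// rejects an empty build ID, so a one-character ID panics on id[:2].
func unguardedDebugPath(dir, id string) (string, bool) {
	if id == "" {
		return "", false
	}
	return filepath.Join(dir, id[:2], id[2:]+".debug"), true
}

// guardedDebugPath (hypothetical name) enforces len(id) >= 2 before slicing
// and reports ok=false so the caller can skip the LLVM lookup.
func guardedDebugPath(dir, id string) (string, bool) {
	if len(id) < 2 {
		return "", false
	}
	return filepath.Join(dir, id[:2], id[2:]+".debug"), true
}

// panics reports whether f panics, so the failure can be observed safely.
func panics(f func()) (p bool) {
	defer func() {
		if recover() != nil {
			p = true
		}
	}()
	f()
	return false
}

func main() {
	const dir = "/usr/lib/debug/.build-id" // assumed directory
	for _, id := range []string{"", "X", "ab", "abcdef0123"} { // constructed IDs
		path, ok := guardedDebugPath(dir, id)
		crashed := panics(func() { unguardedDebugPath(dir, id) })
		fmt.Printf("id=%q guarded=(%q, %v) unguarded panics=%v\n", id, path, ok, crashed)
	}
}
```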