Description
What version of Go are you using (go version)?
$ go version
go version go1.14.4 windows/amd64
Does this issue reproduce with the latest release?
Yes.
What operating system and processor architecture are you using (go env)?
$ go env
set GO111MODULE=
set GOARCH=amd64
set GOBIN=
set GOCACHE=C:\Users\user\AppData\Local\go-build
set GOENV=C:\Users\user\AppData\Roaming\go\env
set GOEXE=.exe
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOINSECURE=
set GONOPROXY=
set GONOSUMDB=
set GOOS=windows
set GOPATH=C:\Users\user\go
set GOPRIVATE=
set GOPROXY=https://proxy.golang.org,direct
set GOROOT=c:\go
set GOSUMDB=sum.golang.org
set GOTMPDIR=
set GOTOOLDIR=c:\go\pkg\tool\windows_amd64
set GCCGO=gccgo
set AR=ar
set CC=gcc
set CXX=g++
set CGO_ENABLED=1
set GOMOD=
set CGO_CFLAGS=-g -O2
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-g -O2
set CGO_FFLAGS=-g -O2
set CGO_LDFLAGS=-g -O2
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-m64 -mthreads -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=C:\Users\user\AppData\Local\Temp\go-build817141214=/tmp/go-build -gno-record-gcc-switches
GOROOT/bin/go version: go version go1.14.4 windows/amd64
GOROOT/bin/go tool compile -V: compile version go1.14.4
What did you do?
- Download and install EMET 5.5 on Windows 7 64-bit.
- Compile a simple 64-bit Go program (GOARCH=amd64). A "Hello, world" like the default shown in https://play.golang.org/ is enough.
- Enable EMET for the compiled program (Open EMET GUI -> Apps -> Add application). The default profile enables all mitigations but EAF+ and ASR. The following screenshot illustrates this (main.exe in this example):
- Click OK.
- Run the program from the Command Prompt.
What did you expect to see?
Hello, playground
What did you see instead?
Exception 0x80000001 0x0 0x7fefd7da020 0x7fefd7aa677
PC=0x7fefd7aa677
runtime: unknown pc 0x7fefd7aa677
stack: frame={sp:0x22fc00, fp:0x0} stack=[0x0,0x22ff30)
rax 0x0
rbx 0x22fce0
rcx 0x0
rdi 0x22fe80
rsi 0x22fe88
rbp 0x22fe28
rsp 0x22fc00
r8 0x40
r9 0x0
r10 0x0
r11 0x246
r12 0x0
r13 0x0
r14 0x0
r15 0x0
rip 0x7fefd7aa677
rflags 0x10346
cs 0x33
fs 0x53
gs 0x2b
Comments
The problem only occurs if Export Address Table Access Filtering (EAF) is enabled (it's enabled by default on EMET). You can find more information about it in EMET 5.5 User Guide.
I'm aware EMET is a discontinued product but there are legacy systems still using it, so I thought it'd be good to let you guys know about this problem.
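
Added triage example (not part of the original issue or of the Go project's code): it parses the crash header reported above, names the Windows exception code, and checks whether the faulting PC lies outside Go-compiled code, which is what separates a fault raised in a system DLL or mitigation layer from a bug in the program itself. The names `ParseCrash`, `Crash` and `sample` are hypothetical; `sample` reproduces the three header lines from the report.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Well-known NTSTATUS exception codes (values from the Windows SDK headers).
var ntstatus = map[uint64]string{
	0x80000001: "STATUS_GUARD_PAGE_VIOLATION",
	0x80000003: "STATUS_BREAKPOINT",
	0x80000004: "STATUS_SINGLE_STEP",
	0xC0000005: "STATUS_ACCESS_VIOLATION",
}

// Crash is a triage summary of a Go runtime crash header on Windows.
type Crash struct {
	Code      uint64
	Name      string
	PC        uint64
	OutsideGo bool // runtime printed "unknown pc" for the faulting PC
}

var (
	excRe = regexp.MustCompile(`(?m)^Exception 0x([0-9a-fA-F]+)`)
	pcRe  = regexp.MustCompile(`(?m)^PC=0x([0-9a-fA-F]+)`)
	unkRe = regexp.MustCompile(`(?m)^runtime: unknown pc 0x([0-9a-fA-F]+)`)
)

// ParseCrash extracts the exception code and faulting PC from crash output.
func ParseCrash(out string) (Crash, error) {
	e, p := excRe.FindStringSubmatch(out), pcRe.FindStringSubmatch(out)
	if e == nil || p == nil {
		return Crash{}, fmt.Errorf("no Go exception header found")
	}
	code, _ := strconv.ParseUint(e[1], 16, 64) // regex guarantees hex digits
	pc, _ := strconv.ParseUint(p[1], 16, 64)
	name, ok := ntstatus[code]
	if !ok {
		name = "unknown"
	}
	// "unknown pc" means the PC is not in any function the Go runtime knows.
	u := unkRe.FindStringSubmatch(out)
	return Crash{code, name, pc, u != nil && u[1] == p[1]}, nil
}

// sample holds the header lines quoted in the report above.
const sample = "Exception 0x80000001 0x0 0x7fefd7da020 0x7fefd7aa677\n" +
	"PC=0x7fefd7aa677\nruntime: unknown pc 0x7fefd7aa677\n"

func main() { fmt.Println(ParseCrash(sample)) }
```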