Bugfix: Fix incorrect tag-count/reserved-tag handling in GetPageValues #30
Open
Che4ter wants to merge 1 commit into
Conversation
On Windows 11 25H2 (OS Build 26200.8655), Velociraptor's SRUM
collection started failing with:
parse_ese: Unable to open file C:\Windows\System32\sru\SRUDB.dat:
Page 2326537 exceeds max page 16913
The available page tag field (PGHDR.itagState) packs itagMicFree
(low 12 bits, real tag count) and ctagReserved (next 3 bits, number
of reserved tags at the start of the page) unconditionally, regardless
of page size or format revision - not only on 32KiB pages as
previously assumed. GetPageValues was reading the unmasked raw value
as the tag count on this build, producing a garbage tag offset that
decoded to an out-of-range child page number and surfaced as the
error above.
This also fixes the tag-slot skip to scale with ctagReserved (which
can be up to 7 per CPAGE) instead of always skipping exactly one
slot, and guards against ctagReserved being larger than itagMicFree.
See https://github.com/microsoft/Extensible-Storage-Engine/blob/main/dev/ese/src/inc/cpage.hxx
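The bit layout described above, as an added example that is not part of this PR or the project's code: it unpacks itagMicFree and ctagReserved from the raw field, applies the ctagReserved > itagMicFree guard, and scales the slot skip with ctagReserved. It assumes itagState is a 16-bit field; the type and function names are this example's own, not the parser's identifiers.

```go
package main

import "fmt"

// Layout of PGHDR.itagState as described in the PR: low 12 bits hold
// itagMicFree (tags in use), the next 3 bits hold ctagReserved
// (reserved slots at the start of the page). 16-bit width is assumed.
const (
	itagMicFreeMask   = 0x0FFF
	ctagReservedShift = 12
	ctagReservedMask  = 0x7
)

// TagLayout is the decoded view of itagState (example's own type).
type TagLayout struct {
	TagCount     int // itagMicFree
	ReservedTags int // ctagReserved, 0..7
}

// DecodeItagState masks the packed field and rejects a reserved count
// larger than the tag count, which cannot describe a valid page.
func DecodeItagState(raw uint16) (TagLayout, error) {
	l := TagLayout{
		TagCount:     int(raw & itagMicFreeMask),
		ReservedTags: int((raw >> ctagReservedShift) & ctagReservedMask),
	}
	if l.ReservedTags > l.TagCount {
		return TagLayout{}, fmt.Errorf("ctagReserved %d exceeds itagMicFree %d",
			l.ReservedTags, l.TagCount)
	}
	return l, nil
}

// DataTagIndexes lists the tag slots that carry data: every slot after the
// ctagReserved reserved ones, instead of always skipping exactly one.
func DataTagIndexes(l TagLayout) []int {
	out := make([]int, 0, l.TagCount-l.ReservedTags)
	for i := l.ReservedTags; i < l.TagCount; i++ {
		out = append(out, i)
	}
	return out
}

// LegacyTagCount reproduces the faulty reading: the unmasked raw value.
func LegacyTagCount(raw uint16) int { return int(raw) }

func main() {
	raw := uint16(0x2005) // constructed: 5 tags, 2 reserved
	l, err := DecodeItagState(raw)
	fmt.Println(l, err, DataTagIndexes(l), LegacyTagCount(raw))
}
```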
Testing
Verified against:
(TestWindowsQmgr, which fails identically on unmodified master,
pre-existing and unrelated to this change).
Parsing now succeeds end-to-end with no "exceeds max page" errors.
Note on this fix
I ran into this bug during day-to-day DFIR work and traced it as far as the failing artefact/error message, but diagnosing the actual root cause in the ESE tag-packing format and writing the fix itself was done with AI assistance (Claude/Anthropic), as this went deeper into the ESE binary format internals than I could confidently do myself.
I've reviewed and tested the change, but wanted to mention that this PR contains AI-generated code.