This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
test/tools/llvm-readobj/
-
tools/
-
llvm-readobj/
8/11
dyn-symbols.test
-
tools/llvm-readobj/
-
llvm-readobj/
15/16
ELFDumper.cpp

Differential D67078

[llvm-readelf] - Allow dumping the dynamic symbols when there is no program headers.
ClosedPublic

Authored by grimar on Sep 2 2019, 6:41 AM.

Download Raw Diff

Details

Reviewers

jhenderson
MaskRay
rupprecht

Commits

rG4e14bf71b70b: [llvm-readelf] - Allow dumping dynamic symbols when there is no program headers.
rL371071: [llvm-readelf] - Allow dumping dynamic symbols when there is no program headers.

Summary

D62179 introduced a regression. llvm-readelf lose the ability to dump the dynamic symbols
when there is .dynamic section with a DT_SYMTAB, but there are no program headers:
https://reviews.llvm.org/D62179#1652778

Below is a program flow before the D62179 change:

Find SHT_DYNSYM.
Find there is no PT_DYNAMIC => don't try to parse it.
Print dynamic symbols using information about them found on step (1).

And after the change it became:

Find SHT_DYNSYM.
Find there is no PT_DYNAMIC => find SHT_DYNAMIC.
Parse dynamic table, but fail to handle the DT_SYMTAB because of the absence of the PT_LOAD. Report the "Virtual address is not in any segment" error.

This patch fixes the issue. For doing this it checks that the value of DT_SYMTAB was mapped to a segment. If not - it ignores it.

Diff Detail

Event Timeline

grimar created this revision.Sep 2 2019, 6:41 AM

Herald added a subscriber: seiya. · View Herald TranscriptSep 2 2019, 6:41 AM

grimar marked an inline comment as done.Sep 2 2019, 6:42 AM

grimar added inline comments.

tools/llvm-readobj/ELFDumper.cpp
1655	for example when we want to dump the dynamic relocations and there is no sections table This is used and tested by `test\Object\relocation-executable.test`

grimar edited the summary of this revision. (Show Details)Sep 2 2019, 6:43 AM

MaskRay added inline comments.Sep 2 2019, 9:26 AM

test/tools/llvm-readobj/dyn-symbols.test
185	The test is different from https://reviews.llvm.org/D62179#1652778 In https://reviews.llvm.org/D62179#1652778, there is no program headers (corrupted phdr), so toMappedAddr returns a nullptr. Here, DT_SYMTAB is 0. When the information from DT_SYMTAB and .dynsym conflict, we probably should let DT_DYNTAB win...
tools/llvm-readobj/ELFDumper.cpp
1656	We probably should check whether `toMappedAddr` returns a nullptr - which is the case if there is no program headers. This approach may be better than if (!DynSymRegion.EntSize) {

grimar marked an inline comment as done.Sep 3 2019, 1:08 AM

grimar added inline comments.

test/tools/llvm-readobj/dyn-symbols.test
185	The test is different from https://reviews.llvm.org/D62179#1652778 I think not. Here is the same YAML but with the program headers: --- !ELF FileHeader: Class: ELFCLASS64 Data: ELFDATA2LSB Type: ET_DYN Machine: EM_X86_64 Sections: - Name: .dynamic Type: SHT_DYNAMIC Entries: - Tag: DT_SYMTAB Value: 0 - Tag: DT_NULL Value: 0 DynamicSymbols: - Name: foo ProgramHeaders: - Type: PT_LOAD Flags: [ PF_R ] VAddr: 0x0000 PAddr: 0x0000 Align: 8 Sections: - Section: .dynsym The 0 value for DT_SYMTAB is valid. I just removed the `ProgramHeaders`. When the information from DT_SYMTAB and .dynsym conflict, we probably should let DT_DYNTAB win... I do not understand why. Particulary I do not understand why we should take .dynsym size from the section headers table (it is the only source it seems), but its address from another place. The much simpler logic is to try to take everything from section header at first and fallback to DT_SYMTAB. This is what this patch does. If we have different results, then I guess it would be correct to report a warning, but I am not sure why DT_SYMTAB should win. Doesn't it mean we have a broken object? In this case why should we make any assumptions about which place is correct and which is not?

MaskRay added inline comments.Sep 3 2019, 1:29 AM

test/tools/llvm-readobj/dyn-symbols.test
185	There are two approaches to locate the dynamic symbol table: program header -> PT_DYNAMIC -> DT_SYMTAB section header -> .dynsym The first approach is used by the final consumer of an executable/shared object: ld.so or some other interpreter/emulator. They locate the dynamic table (from a program header), parse it, and use DT_SYMTAB to resolve symbol lookups. They ignore the section header. Prioritizing the section header can potentially be cheated by a malicious binary. // Information in the section header has priority over the information // in a PT_DYNAMIC header. So, I think we should probably prioritize the information in PT_DYNAMIC. In this case, the program header does not exist. I think it is fine to ignore DT_SYMTAB in the first approach.

I don't have any particular strong feelings either way on the discussion in the comments, so I've just made a number of suggested minor comment fixes.

test/tools/llvm-readobj/dyn-symbols.test
166	dump dynamic symbols table -> dump the dynamic symbol table
192	to address -> to an address of absence -> of the absence of the corresponding -> of a corresponding
tools/llvm-readobj/ELFDumper.cpp
1648	That -> Doing this
1649	This -> This behaviour
1650	Remove "exist"
1651	symbols -> symbol
1652	But we -> However, we
1654	sections table -> section table

grimar marked an inline comment as done.Sep 3 2019, 2:15 AM

grimar added inline comments.

test/tools/llvm-readobj/dyn-symbols.test
185	Information in the section header has priority over the information in a PT_DYNAMIC header. So, I think we should probably prioritize the information in PT_DYNAMIC. This is comment taken from here: https://github.com/llvm-mirror/llvm/blob/master/tools/llvm-readobj/ELFDumper.cpp#L1430 And it says that for locating the .dynamic we try to take the information from the sections header first and then fallback to `PT_DYNAMIC` if have no `SHT_DYNAMIC` section. That is how llvm-readeobj scans the object now. So are you saying we should probably reimplement it to take the information from `PT_DYNAMIC` at first, right?

MaskRay added inline comments.Sep 3 2019, 4:15 AM

test/tools/llvm-readobj/dyn-symbols.test
185	Yes, I think we should try `PT_DYNAMIC` first. I believe this is one of few things that GNU readelf `-D` (`--use-dynamic`) does. The option has been around for more than 20 years (it has been available since the commit `19990502 sourceware import`). Fake .dynsym has been used by malware for years. I think we can just always default to `-D`.

Reimplemented in according to discussion.
Added more test cases to verify the new behavior.

tools/llvm-readobj/ELFDumper.cpp
1648	I had to rewrite this comment completely because of behavior change...

jhenderson added inline comments.Sep 4 2019, 9:19 AM

test/tools/llvm-readobj/dyn-symbols.test
220	to address -> to an address
251	of dynamic -> of the dynamic
274–275	Won't this be implicitly generated?
tools/llvm-readobj/ELFDumper.cpp
1648	dynamic symbols section -> dynamic symbol table (technically, if there are no section headers, there's no dynamic symbol section)
1650	has a priority -> has priority
1651	in runtime -> at runtime Normally the -> The (should implies normally)
1653	to address -> to an address
1656	Using `DynSymRegion.EntSize` to determine if the dynamic symbol table has been found via a section header feels a bit weird to me. Please at least add a comment.
1660	of dynamic -> of the dynamic

Addressed review comments.

test/tools/llvm-readobj/dyn-symbols.test
274–275	Yes, but this is probably not so obvious here? It probably can raise questions, like: "will the default SHT_DYNSYM be generated if we already have one in the YAML?". Having 2 described makes this test case pretty straightforward.

LGTM.

This revision is now accepted and ready to land.Sep 5 2019, 5:51 AM

MaskRay accepted this revision.Sep 5 2019, 5:56 AM

MaskRay added inline comments.

tools/llvm-readobj/ELFDumper.cpp
1661	This warning looks good :) People will stay alert when they see this warning.

Closed by commit rL371071: [llvm-readelf] - Allow dumping dynamic symbols when there is no program headers. (authored by grimar). · Explain WhySep 5 2019, 7:06 AM

This revision was automatically updated to reflect the committed changes.

Herald added a project: Restricted Project. · View Herald TranscriptSep 5 2019, 7:06 AM

Revision Contents

Path

Size

test/

tools/

llvm-readobj/

dyn-symbols.test

67 lines

tools/

llvm-readobj/

ELFDumper.cpp

14 lines

Diff 218356

test/tools/llvm-readobj/dyn-symbols.test

	RUN: llvm-readobj --dyn-symbols %p/Inputs/dynamic-table-so.x86 \| FileCheck %s			# RUN: llvm-readobj --dyn-symbols %p/Inputs/dynamic-table-so.x86 \| FileCheck %s

	# Check the two-letter alias --dt is equivalent to the --dyn-symbols full flag			## Check the two-letter alias --dt is equivalent to the --dyn-symbols full flag
	# name.			## name.
	RUN: llvm-readobj --dt %p/Inputs/dynamic-table-so.x86 > %t.readobj-dt-alias
	RUN: llvm-readobj --dyn-symbols %p/Inputs/dynamic-table-so.x86 > %t.readobj-dt-no-alias			# RUN: llvm-readobj --dt %p/Inputs/dynamic-table-so.x86 > %t.readobj-dt-alias
	RUN: diff %t.readobj-dt-alias %t.readobj-dt-no-alias			# RUN: llvm-readobj --dyn-symbols %p/Inputs/dynamic-table-so.x86 > %t.readobj-dt-no-alias
				# RUN: diff %t.readobj-dt-alias %t.readobj-dt-no-alias

	# CHECK: DynamicSymbols [			# CHECK: DynamicSymbols [
	# CHECK-NEXT: Symbol {			# CHECK-NEXT: Symbol {
	# CHECK-NEXT: Name:			# CHECK-NEXT: Name:
	# CHECK-NEXT: Value: 0x0			# CHECK-NEXT: Value: 0x0
	# CHECK-NEXT: Size: 0			# CHECK-NEXT: Size: 0
	# CHECK-NEXT: Binding: Local			# CHECK-NEXT: Binding: Local
	# CHECK-NEXT: Type: None			# CHECK-NEXT: Type: None
	▲ Show 20 Lines • Show All 140 Lines • ▼ Show 20 Lines
	# CHECK-NEXT: Value: 0x7BC			# CHECK-NEXT: Value: 0x7BC
	# CHECK-NEXT: Size: 0			# CHECK-NEXT: Size: 0
	# CHECK-NEXT: Binding: Global			# CHECK-NEXT: Binding: Global
	# CHECK-NEXT: Type: Function			# CHECK-NEXT: Type: Function
	# CHECK-NEXT: Other: 0			# CHECK-NEXT: Other: 0
	# CHECK-NEXT: Section: .fini			# CHECK-NEXT: Section: .fini
	# CHECK-NEXT: }			# CHECK-NEXT: }
	# CHECK-NEXT: ]			# CHECK-NEXT: ]

				## Check that we are able to dump dynamic symbols table even when we have no program headers.
				jhendersonUnsubmitted Done Reply Inline Actions dump dynamic symbols table -> dump the dynamic symbol table jhenderson: dump dynamic symbols table -> dump the dynamic symbol table
				## In this case we find the table by it's type (SHT_DYNSYM) and ignore the DT_SYMTAB value.

				# RUN: yaml2obj --docnum=1 %s -o %t1.so
				# RUN: llvm-readobj %t.so --dyn-symbols \| FileCheck %s --check-prefix=NOPHDRS

				# NOPHDRS: foo

				--- !ELF
				FileHeader:
				Class: ELFCLASS64
				Data: ELFDATA2LSB
				Type: ET_DYN
				Machine: EM_X86_64
				Sections:
				- Name: .dynamic
				Type: SHT_DYNAMIC
				Entries:
				- Tag: DT_SYMTAB
				Value: 0
				MaskRayUnsubmitted Not Done Reply Inline Actions The test is different from https://reviews.llvm.org/D62179#1652778 In https://reviews.llvm.org/D62179#1652778, there is no program headers (corrupted phdr), so toMappedAddr returns a nullptr. Here, DT_SYMTAB is 0. When the information from DT_SYMTAB and .dynsym conflict, we probably should let DT_DYNTAB win... MaskRay: The test is different from https://reviews.llvm.org/D62179#1652778 In https://reviews.llvm.
				grimarAuthorUnsubmitted Done Reply Inline Actions The test is different from https://reviews.llvm.org/D62179#1652778 I think not. Here is the same YAML but with the program headers: --- !ELF FileHeader: Class: ELFCLASS64 Data: ELFDATA2LSB Type: ET_DYN Machine: EM_X86_64 Sections: - Name: .dynamic Type: SHT_DYNAMIC Entries: - Tag: DT_SYMTAB Value: 0 - Tag: DT_NULL Value: 0 DynamicSymbols: - Name: foo ProgramHeaders: - Type: PT_LOAD Flags: [ PF_R ] VAddr: 0x0000 PAddr: 0x0000 Align: 8 Sections: - Section: .dynsym The 0 value for DT_SYMTAB is valid. I just removed the `ProgramHeaders`. When the information from DT_SYMTAB and .dynsym conflict, we probably should let DT_DYNTAB win... I do not understand why. Particulary I do not understand why we should take .dynsym size from the section headers table (it is the only source it seems), but its address from another place. The much simpler logic is to try to take everything from section header at first and fallback to DT_SYMTAB. This is what this patch does. If we have different results, then I guess it would be correct to report a warning, but I am not sure why DT_SYMTAB should win. Doesn't it mean we have a broken object? In this case why should we make any assumptions about which place is correct and which is not? grimar: > The test is different from https://reviews.llvm.org/D62179#1652778 I think not. Here is the…
				MaskRayUnsubmitted Not Done Reply Inline Actions There are two approaches to locate the dynamic symbol table: program header -> PT_DYNAMIC -> DT_SYMTAB section header -> .dynsym The first approach is used by the final consumer of an executable/shared object: ld.so or some other interpreter/emulator. They locate the dynamic table (from a program header), parse it, and use DT_SYMTAB to resolve symbol lookups. They ignore the section header. Prioritizing the section header can potentially be cheated by a malicious binary. // Information in the section header has priority over the information // in a PT_DYNAMIC header. So, I think we should probably prioritize the information in PT_DYNAMIC. In this case, the program header does not exist. I think it is fine to ignore DT_SYMTAB in the first approach. MaskRay: There are two approaches to locate the dynamic symbol table: * program header -> PT_DYNAMIC ->…
				grimarAuthorUnsubmitted Done Reply Inline Actions Information in the section header has priority over the information in a PT_DYNAMIC header. So, I think we should probably prioritize the information in PT_DYNAMIC. This is comment taken from here: https://github.com/llvm-mirror/llvm/blob/master/tools/llvm-readobj/ELFDumper.cpp#L1430 And it says that for locating the .dynamic we try to take the information from the sections header first and then fallback to `PT_DYNAMIC` if have no `SHT_DYNAMIC` section. That is how llvm-readeobj scans the object now. So are you saying we should probably reimplement it to take the information from `PT_DYNAMIC` at first, right? grimar: >> // Information in the section header has priority over the information >> // in a PT_DYNAMIC…
				MaskRayUnsubmitted Not Done Reply Inline Actions Yes, I think we should try `PT_DYNAMIC` first. I believe this is one of few things that GNU readelf `-D` (`--use-dynamic`) does. The option has been around for more than 20 years (it has been available since the commit `19990502 sourceware import`). Fake .dynsym has been used by malware for years. I think we can just always default to `-D`. MaskRay: Yes, I think we should try `PT_DYNAMIC` first. I believe this is one of few things that GNU…
				- Tag: DT_NULL
				Value: 0
				DynamicSymbols:
				- Name: foo

				## Check we report a warning when there is no SHT_DYNSYM section and we can't map the DT_SYMTAB value
				## to address because of absence of the corresponding PT_LOAD program header.
				jhendersonUnsubmitted Done Reply Inline Actions to address -> to an address of absence -> of the absence of the corresponding -> of a corresponding jhenderson: to address -> to an address of absence -> of the absence of the corresponding -> of a…

				# RUN: yaml2obj --docnum=2 %s -o %t2.so
				# RUN: llvm-readobj %t2.so --dyn-symbols 2>&1 \| FileCheck %s -DFILE=%t2.so --check-prefix=NOSHT-DYNSYM

				# NOSHT-DYNSYM: warning: '[[FILE]]': Unable to parse DT_SYMTAB: virtual address is not in any segment: 0x0
				# NOSHT-DYNSYM: DynamicSymbols [
				# NOSHT-DYNSYM-NEXT: ]

				--- !ELF
				FileHeader:
				Class: ELFCLASS64
				Data: ELFDATA2LSB
				Type: ET_DYN
				Machine: EM_X86_64
				Sections:
				- Name: .dynsym
				Type: SHT_PROGBITS
				- Name: .dynamic
				Type: SHT_DYNAMIC
				Entries:
				- Tag: DT_SYMTAB
				Value: 0
				- Tag: DT_NULL
				Value: 0
				DynamicSymbols:
				- Name: foo
				jhendersonUnsubmitted Done Reply Inline Actions to address -> to an address jhenderson: to address -> to an address
				jhendersonUnsubmitted Done Reply Inline Actions of dynamic -> of the dynamic jhenderson: of dynamic -> of the dynamic
				jhendersonUnsubmitted Done Reply Inline Actions Won't this be implicitly generated? jhenderson: Won't this be implicitly generated?
				grimarAuthorUnsubmitted Done Reply Inline Actions Yes, but this is probably not so obvious here? It probably can raise questions, like: "will the default SHT_DYNSYM be generated if we already have one in the YAML?". Having 2 described makes this test case pretty straightforward. grimar: Yes, but this is probably not so obvious here? It probably can raise questions, like: "will the…

tools/llvm-readobj/ELFDumper.cpp

Show First 20 Lines • Show All 1,638 Lines • ▼ Show 20 Lines	for (const Elf_Dyn &Dyn : dynamic_table()) {
case ELF::DT_STRTAB:		case ELF::DT_STRTAB:
StringTableBegin = reinterpret_cast<const char *>(		StringTableBegin = reinterpret_cast<const char *>(
toMappedAddr(Dyn.getTag(), Dyn.getPtr()));		toMappedAddr(Dyn.getTag(), Dyn.getPtr()));
break;		break;
case ELF::DT_STRSZ:		case ELF::DT_STRSZ:
StringTableSize = Dyn.getVal();		StringTableSize = Dyn.getVal();
break;		break;
case ELF::DT_SYMTAB:		case ELF::DT_SYMTAB:
		// Normally we find the dynamic symbols section location and size using
		// the information in sections headers. That allows us to dump dynamic
		jhendersonUnsubmitted Done Reply Inline Actions That -> Doing this jhenderson: That -> Doing this
		grimarAuthorUnsubmitted Done Reply Inline Actions I had to rewrite this comment completely because of behavior change... grimar: I had to rewrite this comment completely because of behavior change...
		jhendersonUnsubmitted Done Reply Inline Actions dynamic symbols section -> dynamic symbol table (technically, if there are no section headers, there's no dynamic symbol section) jhenderson: dynamic symbols section -> dynamic symbol table (technically, if there are no section headers…
		// symbols when program headers are absent. This is consistent with GNU
		jhendersonUnsubmitted Done Reply Inline Actions This -> This behaviour jhenderson: This -> This behaviour
		// readelf and seems reasonable because there is no DT_SYMTABSZ tag exist,
		jhendersonUnsubmitted Done Reply Inline Actions Remove "exist" jhenderson: Remove "exist"
		jhendersonUnsubmitted Done Reply Inline Actions has a priority -> has priority jhenderson: has a priority -> has priority
		// i.e. the only way to get the size of the dynamic symbols table is to
		jhendersonUnsubmitted Done Reply Inline Actions symbols -> symbol jhenderson: symbols -> symbol
		jhendersonUnsubmitted Done Reply Inline Actions in runtime -> at runtime Normally the -> The (should implies normally) jhenderson: in runtime -> at runtime Normally the -> The (should implies normally)
		// take it from section headers. But we still need the code below for
		jhendersonUnsubmitted Done Reply Inline Actions But we -> However, we jhenderson: But we -> However, we
		// specific cases, for example when we want to dump the dynamic
		jhendersonUnsubmitted Done Reply Inline Actions to address -> to an address jhenderson: to address -> to an address
		// relocations and there is no sections table.
		jhendersonUnsubmitted Done Reply Inline Actions sections table -> section table jhenderson: sections table -> section table
		if (!DynSymRegion.EntSize) {
		grimarAuthorUnsubmitted Done Reply Inline Actions for example when we want to dump the dynamic relocations and there is no sections table This is used and tested by `test\Object\relocation-executable.test` grimar: > for example when we want to dump the dynamic relocations and there is no sections table This…
DynSymRegion.Addr = toMappedAddr(Dyn.getTag(), Dyn.getPtr());		DynSymRegion.Addr = toMappedAddr(Dyn.getTag(), Dyn.getPtr());
		MaskRayUnsubmitted Done Reply Inline Actions We probably should check whether `toMappedAddr` returns a nullptr - which is the case if there is no program headers. This approach may be better than if (!DynSymRegion.EntSize) { MaskRay: We probably should check whether `toMappedAddr` returns a nullptr - which is the case if there…
		jhendersonUnsubmitted Done Reply Inline Actions Using `DynSymRegion.EntSize` to determine if the dynamic symbol table has been found via a section header feels a bit weird to me. Please at least add a comment. jhenderson: Using `DynSymRegion.EntSize` to determine if the dynamic symbol table has been found via a…
DynSymRegion.EntSize = sizeof(Elf_Sym);		DynSymRegion.EntSize = sizeof(Elf_Sym);
		}
break;		break;
case ELF::DT_RELA:		case ELF::DT_RELA:
		jhendersonUnsubmitted Done Reply Inline Actions of dynamic -> of the dynamic jhenderson: of dynamic -> of the dynamic
DynRelaRegion.Addr = toMappedAddr(Dyn.getTag(), Dyn.getPtr());		DynRelaRegion.Addr = toMappedAddr(Dyn.getTag(), Dyn.getPtr());
		MaskRayUnsubmitted Not Done Reply Inline Actions This warning looks good :) People will stay alert when they see this warning. MaskRay: This warning looks good :) People will stay alert when they see this warning.
break;		break;
case ELF::DT_RELASZ:		case ELF::DT_RELASZ:
DynRelaRegion.Size = Dyn.getVal();		DynRelaRegion.Size = Dyn.getVal();
break;		break;
case ELF::DT_RELAENT:		case ELF::DT_RELAENT:
DynRelaRegion.EntSize = Dyn.getVal();		DynRelaRegion.EntSize = Dyn.getVal();
break;		break;
case ELF::DT_SONAME:		case ELF::DT_SONAME:
▲ Show 20 Lines • Show All 4,268 Lines • Show Last 20 Lines

This is an archive of the discontinued LLVM Phabricator instance.

[llvm-readelf] - Allow dumping the dynamic symbols when there is no program headers.ClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 218356

test/tools/llvm-readobj/dyn-symbols.test

tools/llvm-readobj/ELFDumper.cpp

[llvm-readelf] - Allow dumping the dynamic symbols when there is no program headers.
ClosedPublic