This is an archive of the discontinued LLVM Phabricator instance.

Differential D68086

[llvm-readelf] - Report a warning when .hash section contains a chain with a cycle.
ClosedPublic

Authored by grimar on Sep 26 2019, 7:18 AM.

Details

Reviewers
jhenderson
MaskRay
Commits
rG4496f07497a8: [llvm-readelf] - Report a warning when .hash section contains a chain with a…
rL373476: [llvm-readelf] - Report a warning when .hash section contains a chain with a…
Summary

It is possible to craft a .hash section that triggers an infinite loop
in llvm-readelf code. This patch fixes the issue and introduces
a warning.

Diff Detail

Event Timeline

grimar created this revision.Sep 26 2019, 7:18 AM
Herald added subscribers: seiya, rupprecht. · View Herald TranscriptSep 26 2019, 7:18 AM
MaskRay added inline comments.Sep 26 2019, 8:35 AM
test/tools/llvm-readobj/elf-hash-symbols.test
365

an entry of the bucket array points to a cycle

391

Suggested wording:

llvm-readelf will read the hash table from the file offset p_offset + (p_vaddr - DT_HASH) = p_offset + (0 - 0) = p_offset, which is the start of PT_LOAD, i.e. the file offset of .hash

jhenderson added inline comments.Sep 27 2019, 2:02 AM
test/tools/llvm-readobj/elf-hash-symbols.test
365

Also "when a hash table" or similar.

I think combining the two suggests:

"Show that we report a warning for a hash table which contains an entry of the bucket array pointing to a cycle."

tools/llvm-readobj/ELFDumper.cpp
3446

Perhaps worth giving more context to this message, i.e. something about a cycle being detected linking which buckets.

grimar updated this revision to Diff 222589.Oct 1 2019, 4:23 AM
grimar marked 4 inline comments as done.
  • Addressed review comments.
grimar edited the summary of this revision. (Show Details)Oct 1 2019, 4:23 AM
jhenderson accepted this revision.Oct 1 2019, 6:01 AM

LGTM, with one nit.

test/tools/llvm-readobj/elf-hash-symbols.test
393

Nit: missing trailing full stop.

This revision is now accepted and ready to land.Oct 1 2019, 6:01 AM
Closed by commit rL373476: [llvm-readelf] - Report a warning when .hash section contains a chain with a… (authored by grimar). · Explain WhyOct 2 2019, 7:10 AM
This revision was automatically updated to reflect the committed changes.
Herald added a project: Restricted Project. · View Herald TranscriptOct 2 2019, 7:10 AM
grimar mentioned this in D68771: [llvm-readelf] - Do not enter an infinite loop when printing histogram..Oct 10 2019, 2:47 AM
grimar mentioned this in rL374344: [llvm-readelf] - Do not enter an infinite loop when printing histogram..Oct 10 2019, 6:29 AM
grimar mentioned this in rG55f1be09967e: [llvm-readelf] - Do not enter an infinite loop when printing histogram..

Revision Contents

PathSize
test/
tools/
llvm-readobj/
39 lines
tools/
llvm-readobj/
8 lines

Diff 221941

test/tools/llvm-readobj/elf-hash-symbols.test

Show First 20 LinesShow All 355 Lines▼ Show 20 Lines Sections:
- Section: .dynamic - Section: .dynamic
- Section: .text.foo - Section: .text.foo
- Type: PT_DYNAMIC - Type: PT_DYNAMIC
Flags: [ PF_R ] Flags: [ PF_R ]
VAddr: 0x1000 VAddr: 0x1000
PAddr: 0x1000 PAddr: 0x1000
Sections: Sections:
- Section: .dynamic - Section: .dynamic
## Show that we report a warning when .hash section contains a chain with a cycle.
MaskRayUnsubmitted
Done
ReplyInline Actions

an entry of the bucket array points to a cycle

MaskRay: an entry of the `bucket` array points to a cycle
jhendersonUnsubmitted
Done
ReplyInline Actions

Also "when a hash table" or similar.

I think combining the two suggests:

"Show that we report a warning for a hash table which contains an entry of the bucket array pointing to a cycle."

jhenderson: Also "when a hash table" or similar. I think combining the two suggests: "Show that we report…
# RUN: yaml2obj --docnum=6 %s -o %t6.so
# RUN: llvm-readelf --hash-symbols %t6.so 2>&1 | FileCheck %s -DFILE=%t6.so --check-prefix=BROKEN
# BROKEN: Symbol table of .hash for image:
# BROKEN-NEXT: Num Buc: Value Size Type Bind Vis Ndx Name
# BROKEN-NEXT: 1 0: 00000000 0 NOTYPE LOCAL DEFAULT UND aaa
# BROKEN: warning: '[[FILE]]': .hash section is invalid
--- !ELF
FileHeader:
Class: ELFCLASS32
Data: ELFDATA2LSB
Type: ET_DYN
Machine: EM_386
Sections:
- Name: .hash
Type: SHT_HASH
Link: .dynsym
Bucket: [ 1 ]
Chain: [ 1, 1 ]
- Name: .dynamic
Type: SHT_DYNAMIC
Entries:
## PT_LOAD's p_vaddr is 0x0. PT_LOAD's p_offset = 0x1bc. DT_HASH value is 0x0.
## llvm-readelf will read .hash content from p_offset + (p_vaddr - DT_HASH value) = 0x1bc.
MaskRayUnsubmitted
Done
ReplyInline Actions

Suggested wording:

llvm-readelf will read the hash table from the file offset p_offset + (p_vaddr - DT_HASH) = p_offset + (0 - 0) = p_offset, which is the start of PT_LOAD, i.e. the file offset of .hash

MaskRay: Suggested wording: llvm-readelf will read the hash table from the file offset `p_offset +…
## This matches the file offset of the .hash section.
- Tag: DT_HASH
jhendersonUnsubmitted
Not Done
ReplyInline Actions

Nit: missing trailing full stop.

jhenderson: Nit: missing trailing full stop.
Value: 0x0
DynamicSymbols:
- Name: aaa
- Name: bbb
ProgramHeaders:
- Type: PT_LOAD
Sections:
- Section: .hash
- Section: .dynamic

tools/llvm-readobj/ELFDumper.cpp

Show First 20 LinesShow All 3,431 Lines▼ Show 20 Lines else
OS << " Num Buc: Value Size Type Bind Vis Ndx Name"; OS << " Num Buc: Value Size Type Bind Vis Ndx Name";
OS << "\n"; OS << "\n";
auto Buckets = SysVHash->buckets(); auto Buckets = SysVHash->buckets();
auto Chains = SysVHash->chains(); auto Chains = SysVHash->chains();
for (uint32_t Buc = 0; Buc < SysVHash->nbucket; Buc++) { for (uint32_t Buc = 0; Buc < SysVHash->nbucket; Buc++) {
if (Buckets[Buc] == ELF::STN_UNDEF) if (Buckets[Buc] == ELF::STN_UNDEF)
continue; continue;
std::vector<bool> Visited(SysVHash->nchain);
for (uint32_t Ch = Buckets[Buc]; Ch < SysVHash->nchain; Ch = Chains[Ch]) { for (uint32_t Ch = Buckets[Buc]; Ch < SysVHash->nchain; Ch = Chains[Ch]) {
if (Ch == ELF::STN_UNDEF) if (Ch == ELF::STN_UNDEF)
break; break;
if (Visited[Ch]) {
reportWarning(createError(".hash section is invalid"), FileName);
jhendersonUnsubmitted
Done
ReplyInline Actions

Perhaps worth giving more context to this message, i.e. something about a cycle being detected linking which buckets.

jhenderson: Perhaps worth giving more context to this message, i.e. something about a cycle being detected…
break;
}
printHashedSymbol(Obj, &DynSyms[0], Ch, StringTable, Buc); printHashedSymbol(Obj, &DynSyms[0], Ch, StringTable, Buc);
Visited[Ch] = true;
} }
} }
} }
// Try printing .gnu.hash // Try printing .gnu.hash
if (auto GnuHash = this->dumper()->getGnuHashTable()) { if (auto GnuHash = this->dumper()->getGnuHashTable()) {
OS << "\n Symbol table of .gnu.hash for image:\n"; OS << "\n Symbol table of .gnu.hash for image:\n";
if (ELFT::Is64Bits) if (ELFT::Is64Bits)
▲ Show 20 LinesShow All 2,566 LinesShow Last 20 Lines