This is an archive of the discontinued LLVM Phabricator instance.

Differential D68086

[llvm-readelf] - Report a warning when .hash section contains a chain with a cycle.
ClosedPublic

Authored by grimar on Sep 26 2019, 7:18 AM.

Details

Reviewers
jhenderson
MaskRay
Commits
rG4496f07497a8: [llvm-readelf] - Report a warning when .hash section contains a chain with a…
rL373476: [llvm-readelf] - Report a warning when .hash section contains a chain with a…
Summary

It is possible to craft a .hash section that triggers an infinite loop
in llvm-readelf code. This patch fixes the issue and introduces
a warning.

Diff Detail

Repository
rL LLVM

Event Timeline

grimar created this revision.Sep 26 2019, 7:18 AM
Herald added subscribers: seiya, rupprecht. · View Herald TranscriptSep 26 2019, 7:18 AM
MaskRay added inline comments.Sep 26 2019, 8:35 AM
test/tools/llvm-readobj/elf-hash-symbols.test
365 ↗(On Diff #221941)

an entry of the bucket array points to a cycle

391 ↗(On Diff #221941)

Suggested wording:

llvm-readelf will read the hash table from the file offset p_offset + (p_vaddr - DT_HASH) = p_offset + (0 - 0) = p_offset, which is the start of PT_LOAD, i.e. the file offset of .hash

jhenderson added inline comments.Sep 27 2019, 2:02 AM
test/tools/llvm-readobj/elf-hash-symbols.test
365 ↗(On Diff #221941)

Also "when a hash table" or similar.

I think combining the two suggests:

"Show that we report a warning for a hash table which contains an entry of the bucket array pointing to a cycle."

tools/llvm-readobj/ELFDumper.cpp
3446 ↗(On Diff #221941)

Perhaps worth giving more context to this message, i.e. something about a cycle being detected linking which buckets.

grimar updated this revision to Diff 222589.Oct 1 2019, 4:23 AM
grimar marked 4 inline comments as done.
  • Addressed review comments.
grimar edited the summary of this revision. (Show Details)Oct 1 2019, 4:23 AM
jhenderson accepted this revision.Oct 1 2019, 6:01 AM

LGTM, with one nit.

test/tools/llvm-readobj/elf-hash-symbols.test
393 ↗(On Diff #222589)

Nit: missing trailing full stop.

This revision is now accepted and ready to land.Oct 1 2019, 6:01 AM
Closed by commit rL373476: [llvm-readelf] - Report a warning when .hash section contains a chain with a… (authored by grimar). · Explain WhyOct 2 2019, 7:10 AM
This revision was automatically updated to reflect the committed changes.
Herald added a project: Restricted Project. · View Herald TranscriptOct 2 2019, 7:10 AM
grimar mentioned this in D68771: [llvm-readelf] - Do not enter an infinite loop when printing histogram..Oct 10 2019, 2:47 AM
grimar mentioned this in rL374344: [llvm-readelf] - Do not enter an infinite loop when printing histogram..Oct 10 2019, 6:29 AM
grimar mentioned this in rG55f1be09967e: [llvm-readelf] - Do not enter an infinite loop when printing histogram..

Revision Contents

PathSize
llvm/
trunk/
test/
tools/
llvm-readobj/
40 lines
tools/
llvm-readobj/
11 lines

Diff 222828

llvm/trunk/test/tools/llvm-readobj/elf-hash-symbols.test

Show First 20 LinesShow All 355 Lines▼ Show 20 Lines Sections:
- Section: .dynamic - Section: .dynamic
- Section: .text.foo - Section: .text.foo
- Type: PT_DYNAMIC - Type: PT_DYNAMIC
Flags: [ PF_R ] Flags: [ PF_R ]
VAddr: 0x1000 VAddr: 0x1000
PAddr: 0x1000 PAddr: 0x1000
Sections: Sections:
- Section: .dynamic - Section: .dynamic
## Show that we report a warning for a hash table which contains an entry of
## the bucket array pointing to a cycle.
# RUN: yaml2obj --docnum=6 %s -o %t6.so
# RUN: llvm-readelf --hash-symbols %t6.so 2>&1 | FileCheck %s -DFILE=%t6.so --check-prefix=BROKEN
# BROKEN: Symbol table of .hash for image:
# BROKEN-NEXT: Num Buc: Value Size Type Bind Vis Ndx Name
# BROKEN-NEXT: 1 0: 00000000 0 NOTYPE LOCAL DEFAULT UND aaa
# BROKEN: warning: '[[FILE]]': .hash section is invalid: bucket 1: a cycle was detected in the linked chain
--- !ELF
FileHeader:
Class: ELFCLASS32
Data: ELFDATA2LSB
Type: ET_DYN
Machine: EM_386
Sections:
- Name: .hash
Type: SHT_HASH
Link: .dynsym
Bucket: [ 1 ]
Chain: [ 1, 1 ]
- Name: .dynamic
Type: SHT_DYNAMIC
Entries:
## llvm-readelf will read the hash table from the file offset
## p_offset + (p_vaddr - DT_HASH) = p_offset + (0 - 0) = p_offset,
## which is the start of PT_LOAD, i.e. the file offset of .hash.
- Tag: DT_HASH
Value: 0x0
DynamicSymbols:
- Name: aaa
- Name: bbb
ProgramHeaders:
- Type: PT_LOAD
Sections:
- Section: .hash
- Section: .dynamic

llvm/trunk/tools/llvm-readobj/ELFDumper.cpp

Show First 20 LinesShow All 3,431 Lines▼ Show 20 Lines else
OS << " Num Buc: Value Size Type Bind Vis Ndx Name"; OS << " Num Buc: Value Size Type Bind Vis Ndx Name";
OS << "\n"; OS << "\n";
auto Buckets = SysVHash->buckets(); auto Buckets = SysVHash->buckets();
auto Chains = SysVHash->chains(); auto Chains = SysVHash->chains();
for (uint32_t Buc = 0; Buc < SysVHash->nbucket; Buc++) { for (uint32_t Buc = 0; Buc < SysVHash->nbucket; Buc++) {
if (Buckets[Buc] == ELF::STN_UNDEF) if (Buckets[Buc] == ELF::STN_UNDEF)
continue; continue;
std::vector<bool> Visited(SysVHash->nchain);
for (uint32_t Ch = Buckets[Buc]; Ch < SysVHash->nchain; Ch = Chains[Ch]) { for (uint32_t Ch = Buckets[Buc]; Ch < SysVHash->nchain; Ch = Chains[Ch]) {
if (Ch == ELF::STN_UNDEF) if (Ch == ELF::STN_UNDEF)
break; break;
if (Visited[Ch]) {
reportWarning(
createError(".hash section is invalid: bucket " + Twine(Ch) +
": a cycle was detected in the linked chain"),
this->FileName);
break;
}
printHashedSymbol(Obj, &DynSyms[0], Ch, StringTable, Buc); printHashedSymbol(Obj, &DynSyms[0], Ch, StringTable, Buc);
Visited[Ch] = true;
} }
} }
} }
// Try printing .gnu.hash // Try printing .gnu.hash
if (auto GnuHash = this->dumper()->getGnuHashTable()) { if (auto GnuHash = this->dumper()->getGnuHashTable()) {
OS << "\n Symbol table of .gnu.hash for image:\n"; OS << "\n Symbol table of .gnu.hash for image:\n";
if (ELFT::Is64Bits) if (ELFT::Is64Bits)
▲ Show 20 LinesShow All 2,564 LinesShow Last 20 Lines