This is an archive of the discontinued LLVM Phabricator instance.

Differential D81937

[llvm-readobj] - Do not crash when GnuHashTable->symndx is greater than the dynamic symbols count.
ClosedPublic

Authored by grimar on Jun 16 2020, 7:07 AM.

Details

Reviewers
jhenderson
MaskRay
espindola
Commits
rG88c8581d9fe4: [llvm-readobj] - Do not crash when GnuHashTable->symndx is greater than the…
Summary

Elf_GnuHash_Impl has the following method:

ArrayRef<Elf_Word> values(unsigned DynamicSymCount) const {
  return ArrayRef<Elf_Word>(buckets().end(), DynamicSymCount - symndx);
}

When DynamicSymCount is less than symndx we return an array with the huge broken size.
This patch fixes the issue ans adds an assert. This assert helped to fix an issue
in one of the test cases.

The printGnuHashHistogram method also needs to be fixed. I am planning to fix it
independently after we land the D81928, which will allow to reuse the code that validates
the GNU hash table before the dumping.

Depends on: D81928

Diff Detail

Event Timeline

grimar created this revision.Jun 16 2020, 7:07 AM
Herald added a reviewer: espindola. · View Herald TranscriptJun 16 2020, 7:08 AM
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: rupprecht, emaste. · View Herald Transcript
grimar added a parent revision: D81928: [llvm-readobj] - Split the printGnuHashTable(). NFCI..Jun 16 2020, 7:08 AM
grimar marked an inline comment as done.Jun 16 2020, 7:11 AM
grimar added inline comments.
llvm/test/tools/llvm-readobj/ELF/hash-histogram.test
258

I had to fix this test case because this place was wrong and the code adds an assert:
assert(DynamicSymCount >= symndx); which is triggered if this test case is not fixed.

We still want to make this assert never happen. I've mentioned in the description that it
is related to printGnuHashHistogram and probably should be fixed independently.

MaskRay accepted this revision.Jun 16 2020, 10:22 PM

Looks great!

This revision is now accepted and ready to land.Jun 16 2020, 10:22 PM
jhenderson accepted this revision.Jun 17 2020, 12:32 AM

LGTM, with nit.

llvm/test/tools/llvm-readobj/ELF/hash-histogram.test
214–215

whilst you're modifying this line: "described with" -> "described by"

jhenderson mentioned this in D81928: [llvm-readobj] - Split the printGnuHashTable(). NFCI..Jun 17 2020, 12:40 AM
Closed by commit rG88c8581d9fe4: [llvm-readobj] - Do not crash when GnuHashTable->symndx is greater than the… (authored by grimar). · Explain WhyJun 17 2020, 4:49 AM
This revision was automatically updated to reflect the committed changes.
grimar mentioned this in D82010: [llvm-readobj] - Add a validation of the GNU hash table to printGnuHashHistogram()..Jun 17 2020, 5:56 AM
grimar mentioned this in rGc587b076a0e5: [llvm-readobj] - Add a validation of the GNU hash table to….Jun 19 2020, 4:49 AM

Revision Contents

PathSize
llvm/
include/
llvm/
Object/
1 line
test/
tools/
llvm-readobj/
ELF/
24 lines
14 lines
tools/
llvm-readobj/
13 lines

Diff 271336

llvm/include/llvm/Object/ELFTypes.h

Show First 20 LinesShow All 533 Lines▼ Show 20 Linesstruct Elf_GnuHash_Impl {
} }
ArrayRef<Elf_Word> buckets() const { ArrayRef<Elf_Word> buckets() const {
return ArrayRef<Elf_Word>( return ArrayRef<Elf_Word>(
reinterpret_cast<const Elf_Word *>(filter().end()), nbuckets); reinterpret_cast<const Elf_Word *>(filter().end()), nbuckets);
} }
ArrayRef<Elf_Word> values(unsigned DynamicSymCount) const { ArrayRef<Elf_Word> values(unsigned DynamicSymCount) const {
assert(DynamicSymCount >= symndx);
return ArrayRef<Elf_Word>(buckets().end(), DynamicSymCount - symndx); return ArrayRef<Elf_Word>(buckets().end(), DynamicSymCount - symndx);
} }
}; };
// Compressed section headers. // Compressed section headers.
// http://www.sco.com/developers/gabi/latest/ch4.sheader.html#compression_header // http://www.sco.com/developers/gabi/latest/ch4.sheader.html#compression_header
template <endianness TargetEndianness> template <endianness TargetEndianness>
struct Elf_Chdr_Impl<ELFType<TargetEndianness, false>> { struct Elf_Chdr_Impl<ELFType<TargetEndianness, false>> {
▲ Show 20 LinesShow All 218 LinesShow Last 20 Lines

llvm/test/tools/llvm-readobj/ELF/gnuhash.test

Show First 20 LinesShow All 223 Lines▼ Show 20 Lines
## Such sections normally have a single zero entry in the bloom ## Such sections normally have a single zero entry in the bloom
## filter, a single zero entry in the hash bucket and no values. ## filter, a single zero entry in the hash bucket and no values.
## ##
## The index of the first symbol in the dynamic symbol table ## The index of the first symbol in the dynamic symbol table
## included in the hash table can be set to the number of dynamic symbols, ## included in the hash table can be set to the number of dynamic symbols,
## which is one larger than the index of the last dynamic symbol. ## which is one larger than the index of the last dynamic symbol.
## For empty tables however, this value is unimportant and can be ignored. ## For empty tables however, this value is unimportant and can be ignored.
# RUN: yaml2obj --docnum=5 %s -o %t.empty ## Case A: set the index of the first symbol in the dynamic symbol table to
# RUN: llvm-readobj --gnu-hash-table %t.empty 2>&1 \ ## the number of dynamic symbols.
# RUN: | FileCheck %s -DFILE=%t.empty --check-prefix=EMPTY --implicit-check-not="warning:" # RUN: yaml2obj --docnum=5 -DSYMNDX=0x1 %s -o %t.empty.1
# RUN: llvm-readelf --gnu-hash-table %t.empty 2>&1 \ # RUN: llvm-readobj --gnu-hash-table %t.empty.1 2>&1 \
# RUN: | FileCheck %s -DFILE=%t.empty --check-prefix=EMPTY --implicit-check-not="warning:" # RUN: | FileCheck %s -DFILE=%t.empty.1 -DSYMNDX=1 --check-prefix=EMPTY --implicit-check-not="warning:"
# RUN: llvm-readelf --gnu-hash-table %t.empty.1 2>&1 \
# RUN: | FileCheck %s -DFILE=%t.empty.1 -DSYMNDX=1 --check-prefix=EMPTY --implicit-check-not="warning:"
## Case B: set the index of the first symbol in the dynamic symbol table to
## an arbitrary value that is larger than the number of dynamic symbols.
# RUN: yaml2obj --docnum=5 -DSYMNDX=0x2 %s -o %t.empty.2
# RUN: llvm-readobj --gnu-hash-table %t.empty.2 2>&1 \
# RUN: | FileCheck %s -DFILE=%t.empty.2 -DSYMNDX=2 --check-prefix=EMPTY --implicit-check-not="warning:"
# RUN: llvm-readelf --gnu-hash-table %t.empty.2 2>&1 \
# RUN: | FileCheck %s -DFILE=%t.empty.2 -DSYMNDX=2 --check-prefix=EMPTY --implicit-check-not="warning:"
# EMPTY: GnuHashTable { # EMPTY: GnuHashTable {
# EMPTY-NEXT: Num Buckets: 1 # EMPTY-NEXT: Num Buckets: 1
# EMPTY-NEXT: First Hashed Symbol Index: 1 # EMPTY-NEXT: First Hashed Symbol Index: [[SYMNDX]]
# EMPTY-NEXT: Num Mask Words: 1 # EMPTY-NEXT: Num Mask Words: 1
# EMPTY-NEXT: Shift Count: 0 # EMPTY-NEXT: Shift Count: 0
# EMPTY-NEXT: Bloom Filter: [0x0] # EMPTY-NEXT: Bloom Filter: [0x0]
# EMPTY-NEXT: Buckets: [0] # EMPTY-NEXT: Buckets: [0]
# EMPTY-NEXT: Values: [] # EMPTY-NEXT: Values: []
# EMPTY-NEXT: } # EMPTY-NEXT: }
--- !ELF --- !ELF
FileHeader: FileHeader:
Class: ELFCLASS64 Class: ELFCLASS64
Data: ELFDATA2LSB Data: ELFDATA2LSB
Type: ET_DYN Type: ET_DYN
Machine: EM_X86_64 Machine: EM_X86_64
Sections: Sections:
- Name: .gnu.hash - Name: .gnu.hash
Type: SHT_GNU_HASH Type: SHT_GNU_HASH
Flags: [ SHF_ALLOC ] Flags: [ SHF_ALLOC ]
Header: Header:
SymNdx: 0x1 SymNdx: [[SYMNDX]]
Shift2: 0x0 Shift2: 0x0
BloomFilter: [ 0x0 ] BloomFilter: [ 0x0 ]
HashBuckets: [ 0x0 ] HashBuckets: [ 0x0 ]
HashValues: [ ] HashValues: [ ]
- Name: .dynamic - Name: .dynamic
Type: SHT_DYNAMIC Type: SHT_DYNAMIC
Flags: [ SHF_ALLOC ] Flags: [ SHF_ALLOC ]
Link: 0 Link: 0
▲ Show 20 LinesShow All 41 LinesShow Last 20 Lines

llvm/test/tools/llvm-readobj/ELF/hash-histogram.test

Show First 20 LinesShow All 205 Lines▼ Show 20 LinesProgramHeaders:
- Type: PT_LOAD - Type: PT_LOAD
Sections: Sections:
- Section: .hash - Section: .hash
- Section: .dynamic - Section: .dynamic
## Check we dump a histogram for the .gnu.hash table even when the .hash table is skipped. ## Check we dump a histogram for the .gnu.hash table even when the .hash table is skipped.
## Case A: the .hash table has no data to build histogram and it is skipped. ## Case A: the .hash table has no data to build histogram and it is skipped.
## (NBUCKET == 0x1 is a no-op: it does not change the number of buckets described with the "Bucket" key). ## (NBUCKET == 0x2 is a no-op: it does not change the number of buckets described by the "Bucket" key).
# RUN: yaml2obj --docnum=5 -DNBUCKET=0x1 %s -o %t5.o # RUN: yaml2obj --docnum=5 -DNBUCKET=0x2 %s -o %t5.o
jhendersonUnsubmitted
Not Done
ReplyInline Actions

whilst you're modifying this line: "described with" -> "described by"

jhenderson: whilst you're modifying this line: "described with" -> "described by"
# RUN: llvm-readelf --elf-hash-histogram %t5.o 2>&1 | \ # RUN: llvm-readelf --elf-hash-histogram %t5.o 2>&1 | \
# RUN: FileCheck %s --check-prefix=GNU-HASH --implicit-check-not="Histogram" # RUN: FileCheck %s --check-prefix=GNU-HASH --implicit-check-not="Histogram"
## Case B: the .hash table has a broken nbucket field. We report a warning ## Case B: the .hash table has a broken nbucket field. We report a warning
## and skip dumping of the .hash table. ## and skip dumping of the .hash table.
# RUN: yaml2obj --docnum=5 -DNBUCKET=0xffffffff %s -o %t6.o # RUN: yaml2obj --docnum=5 -DNBUCKET=0xffffffff %s -o %t6.o
# RUN: llvm-readelf --elf-hash-histogram %t6.o 2>&1 | \ # RUN: llvm-readelf --elf-hash-histogram %t6.o 2>&1 | \
# RUN: FileCheck %s -DFILE=%t6.o --check-prefixes=WARN,GNU-HASH # RUN: FileCheck %s -DFILE=%t6.o --check-prefixes=WARN,GNU-HASH
# WARN: warning: '[[FILE]]': the hash table at offset 0x78 goes past the end of the file (0x350), nbucket = 4294967295, nchain = 1 # WARN: warning: '[[FILE]]': the hash table at offset 0x78 goes past the end of the file (0x358), nbucket = 4294967295, nchain = 2
# GNU-HASH: Histogram for `.gnu.hash' bucket list length (total of 1 buckets) # GNU-HASH: Histogram for `.gnu.hash' bucket list length (total of 3 buckets)
--- !ELF --- !ELF
FileHeader: FileHeader:
Class: ELFCLASS64 Class: ELFCLASS64
Data: ELFDATA2LSB Data: ELFDATA2LSB
Type: ET_DYN Type: ET_DYN
Machine: EM_X86_64 Machine: EM_X86_64
Sections: Sections:
- Name: .hash - Name: .hash
Type: SHT_HASH Type: SHT_HASH
Flags: [ SHF_ALLOC ] Flags: [ SHF_ALLOC ]
Bucket: [ 0 ] Bucket: [ 0 ]
NBucket: [[NBUCKET]] NBucket: [[NBUCKET]]
Chain: [ 0 ] Chain: [ 0, 0 ]
- Name: .gnu.hash - Name: .gnu.hash
Type: SHT_GNU_HASH Type: SHT_GNU_HASH
Flags: [ SHF_ALLOC ] Flags: [ SHF_ALLOC ]
Header: Header:
SymNdx: 0x1 SymNdx: 0x1
Shift2: 0x0 Shift2: 0x0
BloomFilter: [ 0x0 ] BloomFilter: [ 0x0 ]
HashBuckets: [ 0x00000001, 0x00000004, 0x00000000 ] HashBuckets: [ 0x00000001, 0x00000004, 0x00000000 ]
HashValues: [ 0x0B887388 ] HashValues: [ 0x0B887388 ]
- Name: .dynamic - Name: .dynamic
Type: SHT_DYNAMIC Type: SHT_DYNAMIC
Flags: [ SHF_WRITE, SHF_ALLOC ] Flags: [ SHF_WRITE, SHF_ALLOC ]
Entries: Entries:
- Tag: DT_HASH - Tag: DT_HASH
Value: 0x0 Value: 0x0
- Tag: DT_GNU_HASH - Tag: DT_GNU_HASH
## sizeof(.hash) == 0x28. ## sizeof(.hash) == 0x14.
Value: 0x28 Value: 0x14
grimarAuthorUnsubmitted
Done
ReplyInline Actions

I had to fix this test case because this place was wrong and the code adds an assert:
assert(DynamicSymCount >= symndx); which is triggered if this test case is not fixed.

We still want to make this assert never happen. I've mentioned in the description that it
is related to printGnuHashHistogram and probably should be fixed independently.

grimar: I had to fix this test case because this place was wrong and the code adds an assert: `assert…
- Tag: DT_NULL - Tag: DT_NULL
Value: 0x0 Value: 0x0
DynamicSymbols: DynamicSymbols:
- Name: foo - Name: foo
ProgramHeaders: ProgramHeaders:
- Type: PT_LOAD - Type: PT_LOAD
Sections: Sections:
- Section: .hash - Section: .hash
▲ Show 20 LinesShow All 54 LinesShow Last 20 Lines

llvm/tools/llvm-readobj/ELFDumper.cpp

Show First 20 LinesShow All 2,725 Lines▼ Show 20 Lines return createError("unable to dump 'Values' for the SHT_GNU_HASH "
"section: the dynamic symbol table is empty"); "section: the dynamic symbol table is empty");
if (GnuHashTable->symndx < NumSyms) if (GnuHashTable->symndx < NumSyms)
return GnuHashTable->values(NumSyms); return GnuHashTable->values(NumSyms);
// A normal empty GNU hash table section produced by linker might have // A normal empty GNU hash table section produced by linker might have
// symndx set to the number of dynamic symbols + 1 (for the zero symbol) // symndx set to the number of dynamic symbols + 1 (for the zero symbol)
// and have dummy null values in the Bloom filter and in the buckets // and have dummy null values in the Bloom filter and in the buckets
// vector. It happens because the value of symndx is not important for // vector (or no values at all). It happens because the value of symndx is not
// dynamic loaders when the GNU hash table is empty. They just skip the // important for dynamic loaders when the GNU hash table is empty. They just
// whole object during symbol lookup. In such cases, the symndx value is // skip the whole object during symbol lookup. In such cases, the symndx value
// irrelevant and we should not report a warning. // is irrelevant and we should not report a warning.
ArrayRef<typename ELFT::Word> Buckets = GnuHashTable->buckets(); ArrayRef<typename ELFT::Word> Buckets = GnuHashTable->buckets();
if (!llvm::all_of(Buckets, [](typename ELFT::Word V) { return V == 0; })) if (!llvm::all_of(Buckets, [](typename ELFT::Word V) { return V == 0; }))
return createError("the first hashed symbol index (" + return createError("the first hashed symbol index (" +
Twine(GnuHashTable->symndx) + Twine(GnuHashTable->symndx) +
") is larger than the number of dynamic symbols (" + ") is larger than the number of dynamic symbols (" +
Twine(NumSyms) + ")"); Twine(NumSyms) + ")");
// There is no way to represent an array of (dynamic symbols count - symndx)
return GnuHashTable->values(NumSyms); // length.
return ArrayRef<typename ELFT::Word>();
} }
template <typename ELFT> template <typename ELFT>
void ELFDumper<ELFT>::printGnuHashTable(const object::ObjectFile *Obj) { void ELFDumper<ELFT>::printGnuHashTable(const object::ObjectFile *Obj) {
DictScope D(W, "GnuHashTable"); DictScope D(W, "GnuHashTable");
if (!GnuHashTable) if (!GnuHashTable)
return; return;
▲ Show 20 LinesShow All 4,129 LinesShow Last 20 Lines