This is an archive of the discontinued LLVM Phabricator instance.

Differential D90214

[llvm-readobj/elf] - Fix a crash when dumping a dynamic relocation that refer to a symbol past the EOF.
ClosedPublic

Authored by grimar on Oct 27 2020, 2:25 AM.

Details

Reviewers
jhenderson
MaskRay
espindola
Commits
rGd6d6fdb068af: [llvm-readobj/elf] - Fix a crash when dumping a dynamic relocation that refer…
Summary

There is a possible scenario when we crash when dumping dynamic relocations.
For that we should have no section headers (to take the number of synamic symbols from)
and a dynamic relocation that refers to a symbol with an index that is too large to be in a file.

The patch fixes it.

Diff Detail

Event Timeline

grimar created this revision.Oct 27 2020, 2:25 AM
Herald added a reviewer: espindola. · View Herald TranscriptOct 27 2020, 2:25 AM
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: rupprecht, emaste. · View Herald Transcript
grimar requested review of this revision.Oct 27 2020, 2:25 AM
jhenderson added inline comments.Oct 27 2020, 3:26 AM
llvm/test/tools/llvm-readobj/ELF/broken-dynamic-reloc.test
384–385

These values are presumably tied to the size of data in other implicit sections, right? Could we arrange for those sections to appear before .dynsym, as well as the .rela.dyn section? That way, the .dynsym will actually appear at the end of the file, and it would be easier to see that the symbol indexes are what you say they are.

It's probably also worth expanding on what is meant by "valid" here, since the .dynsym appears to be essentially empty (and therefore any indexes into it could be viewed as invalid).

grimar updated this revision to Diff 300958.Oct 27 2020, 5:15 AM
grimar marked an inline comment as done.
  • Addressed review comments.
  • Now depends on D90224.
grimar added a parent revision: D90224: [yaml2obj] - Support the "Offset" key for the .dynsym section..Oct 27 2020, 5:15 AM
jhenderson added inline comments.Oct 27 2020, 9:13 AM
llvm/test/tools/llvm-readobj/ELF/broken-dynamic-reloc.test
380

I'm a little confused - why isn't this symbol something like 0x1 or 0x2? If the .dynsym is the very last thing in the output, then the at-EOF index should be the number of dynamic symbols.

grimar marked an inline comment as done.Oct 28 2020, 1:21 AM
grimar added inline comments.
llvm/test/tools/llvm-readobj/ELF/broken-dynamic-reloc.test
380

I've investigated it and found multiple reasons:

  1. There is a .dynstr section, which we also write after.
  2. Also we write the content of .strtab and .shstrtab implicit sections (both are empty and has size == 1). Here I think that the fact we still write the content of .shstrtab with NoHeaders: true is a bug. We don't add section names to it already, but we should just drop it from the output.
  3. We still: a) Align the start of the section header table, what affects the output size. (BUG) b) We still write it. (BUG)

I am going to fix it. Though it will be a separate independent set of changes.

384–385

Done.

jhenderson added inline comments.Oct 28 2020, 2:29 AM
llvm/test/tools/llvm-readobj/ELF/broken-dynamic-reloc.test
380

Sounds reasonable, thanks!

grimar updated this revision to Diff 301552.EditedOct 29 2020, 3:25 AM
grimar marked 2 inline comments as done.
  • Rebased after landing D90295.
  • Updated the test case.
llvm/test/tools/llvm-readobj/ELF/broken-dynamic-reloc.test
380

I've updated the test.

jhenderson accepted this revision.Oct 29 2020, 3:54 AM

Great, LGTM!

This revision is now accepted and ready to land.Oct 29 2020, 3:54 AM
Closed by commit rGd6d6fdb068af: [llvm-readobj/elf] - Fix a crash when dumping a dynamic relocation that refer… (authored by grimar). · Explain WhyOct 29 2020, 5:39 AM
This revision was automatically updated to reflect the committed changes.
grimar added a commit: rGd6d6fdb068af: [llvm-readobj/elf] - Fix a crash when dumping a dynamic relocation that refer….

Revision Contents

PathSize
llvm/
test/
tools/
llvm-readobj/
ELF/
94 lines
tools/
llvm-readobj/
17 lines

Diff 301588

llvm/test/tools/llvm-readobj/ELF/broken-dynamic-reloc.test

Show First 20 LinesShow All 313 Lines▼ Show 20 Lines## 0x18 == offset of .rel.dyn == size of .rela.dyn section.
Value: 0x0 Value: 0x0
DynamicSymbols: [] DynamicSymbols: []
ProgramHeaders: ProgramHeaders:
- Type: PT_LOAD - Type: PT_LOAD
Sections: Sections:
- Section: .rela.dyn - Section: .rela.dyn
- Section: .rel.dyn - Section: .rel.dyn
- Section: .dynamic - Section: .dynamic
## Check that llvm-readobj/llvm-readelf reports a warning when dumping a relocation
## which refers to a symbol past the end of the file.
# RUN: yaml2obj --docnum=7 %s -o %t7
# RUN: llvm-readobj --dyn-relocations %t7 2>&1 | \
# RUN: FileCheck %s -DFILE=%t7 --check-prefix=PAST-EOF-LLVM
# RUN: llvm-readelf --dyn-relocations %t7 2>&1 | \
# RUN: FileCheck %s -DFILE=%t7 --check-prefix=PAST-EOF-GNU
# PAST-EOF-LLVM: Dynamic Relocations {
# PAST-EOF-LLVM-NEXT: warning: '[[FILE]]': unable to get name of the dynamic symbol with index 1: st_name (0x1) is past the end of the string table of size 0x0
# PAST-EOF-LLVM-NEXT: 0x0 R_X86_64_NONE <corrupt> 0x0
# PAST-EOF-LLVM-NEXT: warning: '[[FILE]]': unable to get name of the dynamic symbol with index 2: symbol at 0x330 goes past the end of the file (0x330)
# PAST-EOF-LLVM-NEXT: 0x0 R_X86_64_NONE <corrupt> 0x0
# PAST-EOF-LLVM-NEXT: warning: '[[FILE]]': unable to get name of the dynamic symbol with index 4294967295: symbol at 0x18000002e8 goes past the end of the file (0x330)
# PAST-EOF-LLVM-NEXT: 0x0 R_X86_64_NONE <corrupt> 0x0
# PAST-EOF-LLVM-NEXT: }
# PAST-EOF-GNU: 'RELA' relocation section at offset 0x200 contains 72 bytes:
# PAST-EOF-GNU-NEXT: Offset Info Type Symbol's Value Symbol's Name + Addend
# PAST-EOF-GNU-NEXT: warning: '[[FILE]]': unable to get name of the dynamic symbol with index 1: st_name (0x1) is past the end of the string table of size 0x0
# PAST-EOF-GNU-NEXT: 0000000000000000 0000000100000000 R_X86_64_NONE 0000000000000000 <corrupt> + 0
# PAST-EOF-GNU-NEXT: warning: '[[FILE]]': unable to get name of the dynamic symbol with index 2: symbol at 0x330 goes past the end of the file (0x330)
# PAST-EOF-GNU-NEXT: 0000000000000000 0000000200000000 R_X86_64_NONE <corrupt> + 0
# PAST-EOF-GNU-NEXT: warning: '[[FILE]]': unable to get name of the dynamic symbol with index 4294967295: symbol at 0x18000002e8 goes past the end of the file (0x330)
# PAST-EOF-GNU-NEXT: 0000000000000000 ffffffff00000000 R_X86_64_NONE <corrupt> + 0
--- !ELF
FileHeader:
Class: ELFCLASS64
Data: ELFDATA2LSB
Type: ET_DYN
Machine: EM_X86_64
Sections:
- Name: .dynamic
Type: SHT_DYNAMIC
Flags: [ SHF_ALLOC ]
Address: 0x100
Offset: 0x100
Entries:
- Tag: DT_RELA
Value: 0x200
- Tag: DT_SYMTAB
Value: 0x300
- Tag: DT_RELASZ
Value: 0x48
- Tag: DT_RELAENT
Value: 0x18
- Tag: DT_NULL
Value: 0x0
- Name: .rela.dyn
Type: SHT_RELA
Flags: [ SHF_ALLOC ]
Address: 0x200
Offset: 0x200
Relocations:
## This symbol is located right before the EOF, so we can dump it.
- Symbol: 0x1
jhendersonUnsubmitted
Done
ReplyInline Actions

I'm a little confused - why isn't this symbol something like 0x1 or 0x2? If the .dynsym is the very last thing in the output, then the at-EOF index should be the number of dynamic symbols.

jhenderson: I'm a little confused - why isn't this symbol something like 0x1 or 0x2? If the .dynsym is the…
grimarAuthorUnsubmitted
Done
ReplyInline Actions

I've investigated it and found multiple reasons:

  1. There is a .dynstr section, which we also write after.
  2. Also we write the content of .strtab and .shstrtab implicit sections (both are empty and has size == 1). Here I think that the fact we still write the content of .shstrtab with NoHeaders: true is a bug. We don't add section names to it already, but we should just drop it from the output.
  3. We still: a) Align the start of the section header table, what affects the output size. (BUG) b) We still write it. (BUG)

I am going to fix it. Though it will be a separate independent set of changes.

grimar: I've investigated it and found multiple reasons: 1) There is a `.dynstr` section, which we…
jhendersonUnsubmitted
Done
ReplyInline Actions

Sounds reasonable, thanks!

jhenderson: Sounds reasonable, thanks!
grimarAuthorUnsubmitted
Done
ReplyInline Actions

I've updated the test.

grimar: I've updated the test.
Type: R_X86_64_NONE
## The next symbol, which goes past the EOF.
- Symbol: 0x2
Type: R_X86_64_NONE
## One more symbol that goes past the EOF
jhendersonUnsubmitted
Done
ReplyInline Actions

These values are presumably tied to the size of data in other implicit sections, right? Could we arrange for those sections to appear before .dynsym, as well as the .rela.dyn section? That way, the .dynsym will actually appear at the end of the file, and it would be easier to see that the symbol indexes are what you say they are.

It's probably also worth expanding on what is meant by "valid" here, since the .dynsym appears to be essentially empty (and therefore any indexes into it could be viewed as invalid).

jhenderson: These values are presumably tied to the size of data in other implicit sections, right? Could…
grimarAuthorUnsubmitted
Done
ReplyInline Actions

Done.

grimar: Done.
## with the maximal possible index.
- Symbol: 0xFFFFFFFF
Type: R_X86_64_NONE
## Place all implicit sections here to make the .dynsym section to be the
## last in the file. This makes the task of validating offsets a bit easier.
- Name: .dynstr
Type: SHT_STRTAB
- Name: .strtab
Type: SHT_STRTAB
- Name: .shstrtab
Type: SHT_STRTAB
- Name: .dynsym
Type: SHT_DYNSYM
Flags: [ SHF_ALLOC ]
Address: 0x300
Offset: 0x300
DynamicSymbols:
- Name: foo
ProgramHeaders:
- Type: PT_LOAD
Offset: 0x0
Sections:
- Section: .dynamic
- Section: .rela.dyn
- Section: .dynsym
- Type: PT_DYNAMIC
Sections:
- Section: .dynamic
SectionHeaderTable:
NoHeaders: true

llvm/tools/llvm-readobj/ELFDumper.cpp

Show First 20 LinesShow All 4,487 Lines▼ Show 20 Lines
} }
namespace { namespace {
template <class ELFT> template <class ELFT>
RelSymbol<ELFT> getSymbolForReloc(const ELFFile<ELFT> &Obj, StringRef FileName, RelSymbol<ELFT> getSymbolForReloc(const ELFFile<ELFT> &Obj, StringRef FileName,
const ELFDumper<ELFT> &Dumper, const ELFDumper<ELFT> &Dumper,
const Relocation<ELFT> &Reloc) { const Relocation<ELFT> &Reloc) {
auto WarnAndReturn = [&](const typename ELFT::Sym *Sym, using Elf_Sym = typename ELFT::Sym;
auto WarnAndReturn = [&](const Elf_Sym *Sym,
const Twine &Reason) -> RelSymbol<ELFT> { const Twine &Reason) -> RelSymbol<ELFT> {
reportWarning( reportWarning(
createError("unable to get name of the dynamic symbol with index " + createError("unable to get name of the dynamic symbol with index " +
Twine(Reloc.Symbol) + ": " + Reason), Twine(Reloc.Symbol) + ": " + Reason),
FileName); FileName);
return {Sym, "<corrupt>"}; return {Sym, "<corrupt>"};
}; };
ArrayRef<typename ELFT::Sym> Symbols = Dumper.dynamic_symbols(); ArrayRef<Elf_Sym> Symbols = Dumper.dynamic_symbols();
const typename ELFT::Sym *FirstSym = Symbols.begin(); const Elf_Sym *FirstSym = Symbols.begin();
if (!FirstSym) if (!FirstSym)
return WarnAndReturn(nullptr, "no dynamic symbol table found"); return WarnAndReturn(nullptr, "no dynamic symbol table found");
// We might have an object without a section header. In this case the size of // We might have an object without a section header. In this case the size of
// Symbols is zero, because there is no way to know the size of the dynamic // Symbols is zero, because there is no way to know the size of the dynamic
// table. We should allow this case and not print a warning. // table. We should allow this case and not print a warning.
if (!Symbols.empty() && Reloc.Symbol >= Symbols.size()) if (!Symbols.empty() && Reloc.Symbol >= Symbols.size())
return WarnAndReturn( return WarnAndReturn(
nullptr, nullptr,
"index is greater than or equal to the number of dynamic symbols (" + "index is greater than or equal to the number of dynamic symbols (" +
Twine(Symbols.size()) + ")"); Twine(Symbols.size()) + ")");
const typename ELFT::Sym *Sym = FirstSym + Reloc.Symbol; const uint64_t FileSize = Obj.getBufSize();
const uint64_t SymOffset = ((const uint8_t *)FirstSym - Obj.base()) +
(uint64_t)Reloc.Symbol * sizeof(Elf_Sym);
if (SymOffset + sizeof(Elf_Sym) > FileSize)
return WarnAndReturn(nullptr, "symbol at 0x" + Twine::utohexstr(SymOffset) +
" goes past the end of the file (0x" +
Twine::utohexstr(FileSize) + ")");
const Elf_Sym *Sym = FirstSym + Reloc.Symbol;
Expected<StringRef> ErrOrName = Sym->getName(Dumper.getDynamicStringTable()); Expected<StringRef> ErrOrName = Sym->getName(Dumper.getDynamicStringTable());
if (!ErrOrName) if (!ErrOrName)
return WarnAndReturn(Sym, toString(ErrOrName.takeError())); return WarnAndReturn(Sym, toString(ErrOrName.takeError()));
return {Sym == FirstSym ? nullptr : Sym, maybeDemangle(*ErrOrName)}; return {Sym == FirstSym ? nullptr : Sym, maybeDemangle(*ErrOrName)};
} }
} // namespace } // namespace
▲ Show 20 LinesShow All 2,482 LinesShow Last 20 Lines