public inbox for binutils@sourceware.org
* BFD misreading symbols from ancient SysV COFF objects
@ 2022-04-19  1:48 Tavis Ormandy
From: Tavis Ormandy @ 2022-04-19  1:48 UTC (permalink / raw)
  To: binutils

Hello, I've been doing some software archeology for fun and have
found an interesting COFF object file for SysV386. It seems to have been
compiled with GCC, the link timestamp is Sat Sep 8 06:23:50 1990, so
probably GCC 1.3X.

I was hoping I might just be able to `objcopy -O elf32-i386 foo.o fooelf.o`,
but sadly that didn't work... but it *almost* works and maybe I'm just
doing something wrong...

I found the file on the installation media for Lotus 1-2-3 for UNIX. I
don't really know why they did this, or if it was even intentional
(maybe a UNIX historian does?).

$ file 123.o
123.o: Intel 80386 COFF object file, not stripped, 5 sections, symbol offset=0x1efbdc, 19755 symbols, optional header size 28
$ nm 123.o  | tail
00810410 d yield_adjust
00806316 D yield_count
00000004 C yield_flag
008023c4 D yldflag
0080c484 d zero
0080c58c d zero.0
00000002 C zone_len
00803c8c d zoom_origins
00036650 T zoom_panel

If I look at these symbols though, they're not quite right:

$ objdump --disassemble=open 123.o

123.o:     file format pe-i386


Disassembly of section .text:

000e21cc <open>:
   e21cc:       81 4c 24 04 00 01 00    orl    $0x100,0x4(%esp)
   e21d3:       00 
   e21d4:       b8 30 00 00 00          mov    $0x30,%eax
   e21d9:       ba 28 22 0e 00          mov    $0xe2228,%edx
   e21de:       eb 3a                   jmp    e221a <brk+0x1>

That doesn't look like the function prolog or iBCS lcall7 call I would
expect...

However, poking around I think all symbols are off by 0xf8..:

$ objdump --start-address=$((0xe21cc - 0xf8)) -d 123.o | head
   e20d4:       b8 05 00 00 00          mov    $0x5,%eax
   e20d9:       9a 00 00 00 00 07 00    lcall  $0x7,$0x0
   e20e0:       0f 82 c6 01 00 00       jb     e22ac <write+0x8>

Now that looks like an lcall7 open()!

The magic number 0xf8 is interesting, it's also the start address:

$ objdump -f 123.o

123.o:     file format pe-i386
architecture: i386, flags 0x0000003d:
HAS_RELOC, HAS_LINENO, HAS_DEBUG, HAS_SYMS, HAS_LOCALS
start address 0x000000f8

Do you think this is a BFD bug, or am I doing something wrong?

I can put the file online if someone wants to look.

Thanks, Tavis.

-- 
 _o)            $ lynx lock.cmpxchg8b.com
 /\\  _o)  _o)  $ finger taviso@sdf.org
_\_V _( ) _( )  @taviso
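To cross-check what nm/objdump report against the raw headers, here is an added stdlib-only reader for the i386 SysV COFF file header, a.out optional header and symbol table (not code from the thread or from binutils). The sample object it builds is constructed: one empty .text section, entry point 0xf8, and two symbols whose raw n_value is the address the disassembly above suggests is correct, so the delta against the nm output comes out as 0xf8.

```python
import struct

I386MAGIC = 0x14C                        # f_magic of Intel 386 COFF
FILEHDR = struct.Struct("<HHIIIHH")      # 20-byte file header
AOUTHDR = struct.Struct("<HHIIIIII")     # 28-byte a.out optional header ("optional header size 28")
SCNHDR = struct.Struct("<8sIIIIIIHHI")   # 40-byte section header
SYMENT = struct.Struct("<8sIhHBB")       # 18-byte symbol table entry

def parse_coff(data):
    """Return (header dict, [(name, n_value, n_scnum, n_sclass), ...])."""
    magic, nscns, timdat, symptr, nsyms, opthdr, flags = FILEHDR.unpack_from(data, 0)
    if magic != I386MAGIC:
        raise ValueError(f"not an i386 COFF object: f_magic=0x{magic:x}")
    hdr = {"nscns": nscns, "timdat": timdat, "symptr": symptr, "nsyms": nsyms, "flags": flags}
    if opthdr >= AOUTHDR.size:          # optional header present: record the entry point
        _, _, _, _, _, entry, tstart, dstart = AOUTHDR.unpack_from(data, FILEHDR.size)
        hdr.update(entry=entry, text_start=tstart, data_start=dstart)
    strtab = symptr + nsyms * SYMENT.size   # string table sits right after the symbol table
    symbols, i = [], 0
    while i < nsyms:
        name, value, scnum, _, sclass, numaux = SYMENT.unpack_from(data, symptr + i * SYMENT.size)
        if name[:4] == b"\0\0\0\0":         # long name: bytes 4..7 are an offset into the string table
            off = strtab + struct.unpack_from("<I", name, 4)[0]
            sname = data[off:data.index(b"\0", off)].decode("ascii", "replace")
        else:
            sname = name.rstrip(b"\0").decode("ascii", "replace")
        symbols.append((sname, value, scnum, sclass))
        i += 1 + numaux                     # skip auxiliary entries
    return hdr, symbols

def reported_delta(symbols, reported):
    """Per-symbol difference between tool-reported addresses and the raw n_value in the file."""
    raw = {name: value for name, value, _, _ in symbols}
    return {n: addr - raw[n] for n, addr in reported.items() if n in raw}

def build_sample():
    """Constructed minimal object (not the Lotus file): entry 0xf8, two .text symbols."""
    symptr = FILEHDR.size + AOUTHDR.size + SCNHDR.size
    filehdr = FILEHDR.pack(I386MAGIC, 1, 652775030, symptr, 2, AOUTHDR.size, 0)
    aout = AOUTHDR.pack(0x10B, 0, 0x1000, 0, 0, 0xF8, 0, 0)
    scn = SCNHDR.pack(b".text", 0, 0, 0x1000, 0, 0, 0, 0, 0, 0x20)
    syms = SYMENT.pack(b"open", 0xE20D4, 1, 0x20, 2, 0)                  # short name
    syms += SYMENT.pack(b"\0\0\0\0" + struct.pack("<I", 4), 0x36650, 1, 0x20, 2, 0)  # long name
    strtab = struct.pack("<I", 4 + 11) + b"zoom_panel\0"
    return filehdr + aout + scn + syms + strtab

if __name__ == "__main__":
    hdr, syms = parse_coff(build_sample())
    print(f"entry=0x{hdr['entry']:x}", reported_delta(syms, {"open": 0xE21CC}))
```

Run it against a real object with `parse_coff(open("123.o", "rb").read())` and feed the nm addresses to `reported_delta` to see whether the shift matches the entry point for every symbol.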



* Re: BFD misreading symbols from ancient SysV COFF objects
From: Tavis Ormandy @ 2022-05-26 13:37 UTC (permalink / raw)
  To: binutils

On 2022-04-19, Tavis Ormandy via Binutils wrote:
> Hello, I've been doing some software archeology for fun and have
> found an interesting COFF object file for SysV386. It seems to have been
> compiled with GCC, the link timestamp is Sat Sep 8 06:23:50 1990, so
> probably GCC 1.3X.
>
> I was hoping I might just be able to `objcopy -O elf32-i386 foo.o fooelf.o`,
> but sadly that didn't work... but it *almost* works and maybe I'm just
> doing something wrong...

I was able to get this working, FYI. It does work okay in binutils-2.38;
I had assumed my distribution's binutils was modern enough, but earlier
versions can crash or give wrong output!

In case anyone would like to read about it, https://lock.cmpxchg8b.com/linux123.html

Tavis.

-- 
 _o)            $ lynx lock.cmpxchg8b.com
 /\\  _o)  _o)  $ finger taviso@sdf.org
_\_V _( ) _( )  @taviso

