From: Milian Wolff
To: elfutils-devel@sourceware.org
Subject: runtime validation of DT_SYMTAB lookups - why is there no DT_SYMSZ?
Date: Mon, 11 Jul 2022 18:40:12 +0200
Message-ID: <2825590.45ddzSUfD6@milian-workstation>

Hey there,

in heaptrack I have code to runtime attach to a program and then rewrite
the various rel / rela / jmprel tables to intercept calls to malloc & friends. This works, but now I have received a crash report for what seems to be an invalid DSO file: the jmprel table contains an invalid entry which points to an out-of-bounds symbol, leading to a crash when we try to look at the symbol's name.

I would like to protect against this crash by detecting the invalid symbols. But to do that, I would need to know the size of the symbol table, which is much harder than I would have hoped. We have:

```
#define DT_SYMTAB 6  /* Address of symbol table */
#define DT_SYMENT 11 /* Size of one symbol table entry */
```

But there is no `DT_SYMSZ` or similar, which we would need to validate symbol indices. Am I overlooking something, or is that really missing? Does anyone know why? The other tables have that, e.g.:

```
#define DT_PLTRELSZ 2 /* Size in bytes of PLT relocs */
#define DT_RELASZ 8   /* Total size of Rela relocs */
#define DT_STRSZ 10   /* Size of string table */
#define DT_RELSZ 18   /* Total size of Rel relocs */
```

Why is this missing for the symtab?

The only viable alternative seems to be to mmap the file completely to access the Elf header and then iterate over the Elf sections to query the size of the SHT_DYNSYM section. This is pretty complicated, and costly. Does anyone have a better solution that would allow me to validate symbol indices?

Thanks

PS: eu-elflint reports this for the broken DSOs, e.g.:

```
$ eu-elflint libQt5Qml.so.5.12
section [ 3] '.dynsym': symbol 1272: st_value out of bounds
section [ 3] '.dynsym': symbol 3684: st_value out of bounds
section [29] '.symtab': _GLOBAL_OFFSET_TABLE_ symbol size 0 does not match .got section size 18340
section [29] '.symtab': _DYNAMIC symbol size 0 does not match dynamic segment size 336
section [29] '.symtab': symbol 25720: st_value out of bounds
section [29] '.symtab': symbol 27227: st_value out of bounds
```

Does anyone know how this can happen? Is this a bug in the toolchain?
-- 
Milian Wolff
mail@milianw.de
http://milianw.de
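Editor's note, added below the message (this is not heaptrack's code, nor elfutils' code, nor something the poster suggested): the usual way to bound .dynsym at runtime without touching section headers is to use the hash tables that the dynamic loader itself needs. A SysV DT_HASH table stores the number of symbols directly as its nchain field. A DT_GNU_HASH table does not store the count, but the linker places all hashed symbols at the end of .dynsym, so walking every bucket's chain to its end marker and taking the largest index plus one yields the table size (this assumes the standard linker layout and 64-bit bloom words, as in ELF64). Both table pointers come from the DT_HASH / DT_GNU_HASH entries of the dynamic section that the code already parses for DT_JMPREL. The example below goes a bit further than the question: it also bounds every read by the number of mapped words, so a truncated or corrupt table is reported as "unknown size" instead of becoming a second out-of-bounds read, and it then flags relocation entries whose symbol index is out of range. All table contents are hand-constructed sample data, and the `rela64` struct is a local mirror of Elf64_Rela so the file builds without <elf.h>.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not heaptrack or elfutils code.  Table layouts follow the
 * ELF64 SysV DT_HASH and DT_GNU_HASH formats; all sample data below is
 * constructed by hand so the logic can be exercised offline. */

/* Minimal mirror of Elf64_Rela so this builds without <elf.h>. */
typedef struct { uint64_t r_offset; uint64_t r_info; int64_t r_addend; } rela64;
#define R64_SYM(info) ((uint32_t)((info) >> 32))

/* DT_HASH: [nbucket][nchain][bucket...][chain...]; nchain == dynsym count.
 * 'words' is the number of uint32 words known to be mapped at 'h'.
 * Returns 0 if the table is truncated. */
size_t dynsym_count_sysv(const uint32_t *h, size_t words)
{
    if (words < 2) return 0;
    uint32_t nbucket = h[0], nchain = h[1];
    if ((uint64_t)2 + nbucket + nchain > words) return 0;   /* truncated table */
    return nchain;
}

/* DT_GNU_HASH: [nbuckets][symoffset][bloom_size][bloom_shift]
 *              [bloom_size x uint64][nbuckets x uint32][chain...].
 * Symbols below symoffset are not hashed; a chain ends at the entry whose
 * bit 0 is set.  Returns 0 on a malformed or truncated table. */
size_t dynsym_count_gnu(const uint32_t *g, size_t words)
{
    if (words < 4) return 0;
    uint32_t nbuckets = g[0], symoffset = g[1], bloom_size = g[2];
    uint64_t hdr = 4 + (uint64_t)bloom_size * 2 + nbuckets;  /* uint64 bloom words */
    if (hdr > words) return 0;
    const uint32_t *buckets = g + 4 + (size_t)bloom_size * 2;
    const uint32_t *chain = buckets + nbuckets;
    size_t chain_words = words - (size_t)hdr;
    uint32_t max_idx = 0;
    for (uint32_t b = 0; b < nbuckets; b++) {
        uint32_t idx = buckets[b];
        if (idx == 0) continue;                 /* empty bucket */
        if (idx < symoffset) return 0;          /* index below the hashed range */
        for (;;) {
            size_t c = idx - symoffset;
            if (c >= chain_words) return 0;     /* chain runs off the mapping */
            if (chain[c] & 1) break;            /* end-of-chain marker */
            idx++;
        }
        if (idx > max_idx) max_idx = idx;
    }
    return max_idx ? (size_t)max_idx + 1 : symoffset;
}

/* Count relocation entries whose symbol index is outside [0, nsyms). */
size_t count_bad_rela(const rela64 *rel, size_t nrel, size_t nsyms)
{
    size_t bad = 0;
    for (size_t i = 0; i < nrel; i++)
        if (R64_SYM(rel[i].r_info) >= nsyms) bad++;
    return bad;
}

/* Constructed tables describing a DSO with 5 .dynsym entries (index 0 = STN_UNDEF). */
static const uint32_t sample_sysv_hash[] = { 1, 5, /*bucket*/ 0, /*chain*/ 0, 0, 0, 0, 0 };
static const uint32_t sample_gnu_hash[] = {
    2, 1, 1, 5,             /* nbuckets, symoffset, bloom_size, bloom_shift */
    0, 0,                   /* one uint64 bloom word (unused here) */
    1, 3,                   /* buckets: chains start at symbols 1 and 3 */
    0x10, 0x21, 0x30, 0x41  /* chains for symbols 1..4; odd value = last in chain */
};
/* Three jump-slot style entries; the last one references symbol 7, which does not exist. */
static const rela64 sample_jmprel[] = {
    { 0x4000, (2ULL << 32) | 7, 0 },
    { 0x4008, (4ULL << 32) | 7, 0 },
    { 0x4010, (7ULL << 32) | 7, 0 },
};
#define NWORDS(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
    size_t n_sysv = dynsym_count_sysv(sample_sysv_hash, NWORDS(sample_sysv_hash));
    size_t n_gnu = dynsym_count_gnu(sample_gnu_hash, NWORDS(sample_gnu_hash));
    printf("dynsym count: sysv=%zu gnu=%zu\n", n_sysv, n_gnu);
    printf("out-of-bounds jmprel entries: %zu\n",
           count_bad_rela(sample_jmprel, NWORDS(sample_jmprel), n_gnu));
    return 0;
}
```

In a real attach the `words` argument should be derived from the PT_LOAD segment that contains the table (or from the file mapping), not from the table's own header fields, since those are exactly the values you do not trust yet. A count of 0 from either function means "could not establish a bound", and the safe reaction is to skip rewriting that DSO rather than to guess.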