[llvm-bugs] [Bug 39678] New: Problems with dynamic section entries

via llvm-bugs llvm-bugs at lists.llvm.org
Thu Nov 15 10:30:16 PST 2018


https://bugs.llvm.org/show_bug.cgi?id=39678

            Bug ID: 39678
           Summary: Problems with dynamic section entries
           Product: lld
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P
         Component: ELF
          Assignee: unassignedbugs at nondot.org
          Reporter: bztemail at gmail.com
                CC: llvm-bugs at lists.llvm.org, peter.smith at linaro.org

Hi,

I had issues with my run-time linker when I used ELF64 files linked by lld.
I've debugged my code and it turned out it was reading beyond the relocation
entries, outside of the relocation record section.

So I've cross-referenced the ELF outputs created by GNU ld and LLVM lld on two
architectures, x86_64 and AArch64. Let me share my findings with you, maybe
it's useful. I've attached the readelf output in all four cases, but I'll
summarize it.

First of all, the .rela.dyn section is good in all four cases. But
unfortunately my run-time linker can't use sections, it has to use the dynamic
entries (DT_*) referenced from program headers, and that has some
inconsistencies (for both GNU ld and LLVM lld).

GNU ld and x86_64: .rela.dyn is at 0xf220 - 0xf42e. RELA points to 0xf220 which
is correct, and its size is 24, also correct (has only one entry). JMPREL
points to the same address which is not correct (it should point to the first
JUMP_SLOT), the size is also not correct, because RELA+RELASZ+PLTRELSZ is
bigger than 0xf42e. That doesn't really matter because JMPREL+PLTRELSZ is
0xf42e which is correct.

LLVM lld and x86_64: .rela.dyn is at 0xf1a0 - 0xf728. RELA points to 0xf1a0
which is correct, but its size covers the entire section, which is not. Unlike
with GNU ld, JMPREL points correctly to the first JUMP_SLOT, but again, its
size is the size of the entire rela section. This is not good, because both
RELA+RELASZ+PLTRELSZ and JMP+PLTRELSZ are bigger than 0xf728, causing it to read
relocation entries outside of .rela.dyn.

GNU ld and AArch64: .rela.dyn is at 0x10bd0 - 0x11200. This is as the book
says, surprisingly everything is correct. RELA points to 0x10bd0, and
RELA+RELASZ equals JMPREL which also points to the first JUMP_SLOT. Also
RELA+RELASZ+PLTRELSZ=0x11200 and JMPREL+PLTRELSZ=0x11200 which equals the
end of .rela.dyn correctly.

LLVM lld and AArch64: .rela.dyn is at 0x14b10 - 0x151b8. Just like with x86_64,
RELA and JMPREL are correct, but their sizes are not. Both RELA+RELASZ+PLTRELSZ
and JMPREL+PLTRELSZ point beyond the end of the .rela.dyn section, causing it to
read relocation entries outside the .rela.dyn section.

Conclusion: at a minimum, I think PLTRELSZ must be corrected, so that
JMPREL+PLTRELSZ would not point beyond the end of the .rela.dyn section.

Hope you'll find my test results useful,
bzt

-------------------- X86_64 -----------------------
--- GCC / ld ---

  [ 6] .rela.dyn         RELA             000000000000f220  0000f220
       00000000000002e8  0000000000000018   A       4     0     8

Dynamic section at offset 0x10110 contains 16 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so]
 0x0000000000000010 (SYMBOLIC)           0x0
 0x000000000000000c (INIT)               0x100
 0x0000000000000004 (HASH)               0xe868
 0x0000000000000005 (STRTAB)             0xf008
 0x0000000000000006 (SYMTAB)             0xea08
 0x000000000000000a (STRSZ)              534 (bytes)
 0x000000000000000b (SYMENT)             24 (bytes)
 0x0000000000000003 (PLTGOT)             0x10008
 0x0000000000000002 (PLTRELSZ)           744 (bytes)
 0x0000000000000014 (PLTREL)             RELA
 0x0000000000000017 (JMPREL)             0xf220
 0x0000000000000007 (RELA)               0xf220
 0x0000000000000008 (RELASZ)             24 (bytes)
 0x0000000000000009 (RELAENT)            24 (bytes)
 0x0000000000000000 (NULL)               0x0

Relocation section '.rela.dyn' at offset 0xf220 contains 31 entries:
  Offset          Info           Type           Sym. Value    Sym. Name +
Addend
000000010000  001300000006 R_X86_64_GLOB_DAT 0000000000000000 _debug + 0
000000010020  000100000007 R_X86_64_JUMP_SLO 0000000000000000 getuidp + 0
000000010028  000200000007 R_X86_64_JUMP_SLO 0000000000000000 strcpy + 0


--- Clang / lld ---

  [ 5] .rela.dyn         RELA             000000000000f1a0  0000f1a0
       0000000000000588  0000000000000018   A       3     0     8

Dynamic section at offset 0x101f0 contains 17 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so]
 0x000000000000001e (FLAGS)              SYMBOLIC
 0x0000000000000007 (RELA)               0xf1a0
 0x0000000000000008 (RELASZ)             1416 (bytes)
 0x0000000000000009 (RELAENT)            24 (bytes)
 0x000000006ffffff9 (RELACOUNT)          27
 0x0000000000000017 (JMPREL)             0xf440
 0x0000000000000002 (PLTRELSZ)           1416 (bytes)
 0x0000000000000003 (PLTGOT)             0x100e0
 0x0000000000000014 (PLTREL)             RELA
 0x0000000000000006 (SYMTAB)             0xe960
 0x000000000000000b (SYMENT)             24 (bytes)
 0x0000000000000005 (STRTAB)             0xef78
 0x000000000000000a (STRSZ)              550 (bytes)
 0x0000000000000004 (HASH)               0xf728
 0x000000000000000c (INIT)               0x100
 0x0000000000000000 (NULL)               0x0

Relocation section '.rela.dyn' at offset 0xf1a0 contains 59 entries:
  Offset          Info           Type           Sym. Value    Sym. Name +
Addend
000000010000  000000000008 R_X86_64_RELATIVE                    11398
...
0000000100d8  000000000008 R_X86_64_RELATIVE                    11358
000000010020  000500000006 R_X86_64_GLOB_DAT 0000000000000000 _debug + 0
0000000100f8  000400000007 R_X86_64_JUMP_SLO 0000000000000000 mq_dispatch + 0
000000010100  000200000007 R_X86_64_JUMP_SLO 0000000000000000 exit + 0

-------------------- AArch64 -----------------------
--- GCC / ld ---

  [ 6] .rela.dyn         RELA             0000000000010bd0  00010bd0
       0000000000000630  0000000000000018   A       4     0     8

Dynamic section at offset 0x12200 contains 16 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so]
 0x0000000000000010 (SYMBOLIC)           0x0
 0x0000000000000004 (HASH)               0x10208
 0x0000000000000005 (STRTAB)             0x109c0
 0x0000000000000006 (SYMTAB)             0x103a8
 0x000000000000000a (STRSZ)              528 (bytes)
 0x000000000000000b (SYMENT)             24 (bytes)
 0x0000000000000003 (PLTGOT)             0x120f8
 0x0000000000000002 (PLTRELSZ)           720 (bytes)
 0x0000000000000014 (PLTREL)             RELA
 0x0000000000000017 (JMPREL)             0x10f30
 0x0000000000000007 (RELA)               0x10bd0
 0x0000000000000008 (RELASZ)             864 (bytes)
 0x0000000000000009 (RELAENT)            24 (bytes)
 0x000000006ffffff9 (RELACOUNT)          35
 0x0000000000000000 (NULL)               0x0

Relocation section '.rela.dyn' at offset 0x10bd0 contains 66 entries:
  Offset          Info           Type           Sym. Value    Sym. Name +
Addend
000000012008  000000000403 R_AARCH64_RELATIV                    133d8
...
000000012370  000000000403 R_AARCH64_RELATIV                    100e0
000000012050  001500000401 R_AARCH64_GLOB_DA 0000000000000000 _debug + 0
000000012110  000300000402 R_AARCH64_JUMP_SL 0000000000000000 getuidp + 0
000000012118  000400000402 R_AARCH64_JUMP_SL 0000000000000000 strcpy + 0


--- Clang / lld ---

  [ 5] .rela.dyn         RELA             0000000000014b10  00014b10
       00000000000006a8  0000000000000018   A       3     0     8

Dynamic section at offset 0x16250 contains 16 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so]
 0x000000000000001e (FLAGS)              SYMBOLIC
 0x0000000000000007 (RELA)               0x14b10
 0x0000000000000008 (RELASZ)             1704 (bytes)
 0x0000000000000009 (RELAENT)            24 (bytes)
 0x000000006ffffff9 (RELACOUNT)          39
 0x0000000000000017 (JMPREL)             0x14f30
 0x0000000000000002 (PLTRELSZ)           1704 (bytes)
 0x0000000000000003 (PLTGOT)             0x16160
 0x0000000000000014 (PLTREL)             RELA
 0x0000000000000006 (SYMTAB)             0x142f0
 0x000000000000000b (SYMENT)             24 (bytes)
 0x0000000000000005 (STRTAB)             0x148f0
 0x000000000000000a (STRSZ)              544 (bytes)
 0x0000000000000004 (HASH)               0x151b8
 0x0000000000000000 (NULL)               0x0

Relocation section '.rela.dyn' at offset 0x14b10 contains 71 entries:
  Offset          Info           Type           Sym. Value    Sym. Name +
Addend
000000016000  000000000403 R_AARCH64_RELATIV                    173e8
...
000000016158  000000000403 R_AARCH64_RELATIV                    173a8
000000016020  000400000401 R_AARCH64_GLOB_DA 0000000000000000 _debug + 0
0000000160a0  002300000401 R_AARCH64_GLOB_DA 0000000000000000 errno + 0
0000000160a8  002800000401 R_AARCH64_GLOB_DA 0000000000000000 time + 0
000000016148  003100000401 R_AARCH64_GLOB_DA 0000000000000000 meminfo + 0
0000000160e0  003200000401 R_AARCH64_GLOB_DA 0000000000000000 mq_recv + 0
000000016178  000300000402 R_AARCH64_JUMP_SL 0000000000000000 mq_dispatch + 0
000000016180  000100000402 R_AARCH64_JUMP_SL 0000000000000000 exit + 0
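
The cross-check described in the report, as an added example that is not part of the bug report or of lld: a small Python checker that applies the same arithmetic (RELA+RELASZ, JMPREL+PLTRELSZ, and RELA+RELASZ == JMPREL) to the four readelf dumps above and computes how many JUMP_SLOT entries a run-time linker can process without reading past the end of .rela.dyn. The addresses and sizes are copied from the dumps; the DynRelocInfo type and the check() and safe_plt_entry_count() functions are names I chose for this example.

```python
"""Consistency checks for DT_RELA/DT_RELASZ/DT_JMPREL/DT_PLTRELSZ against the
.rela.dyn section bounds (added example, not lld code or part of the bug report).
The four data sets are transcribed from the readelf output in the report."""

from dataclasses import dataclass


@dataclass(frozen=True)
class DynRelocInfo:
    name: str
    sec_start: int    # sh_addr of .rela.dyn
    sec_size: int     # sh_size of .rela.dyn
    rela: int         # DT_RELA
    relasz: int       # DT_RELASZ, in bytes
    relaent: int      # DT_RELAENT, in bytes
    jmprel: int       # DT_JMPREL
    pltrelsz: int     # DT_PLTRELSZ, in bytes

    @property
    def sec_end(self) -> int:
        return self.sec_start + self.sec_size


# Values taken from the four readelf dumps in the report.
GNU_LD_X86_64 = DynRelocInfo("GNU ld / x86_64", 0xF220, 0x2E8, 0xF220, 24, 24, 0xF220, 744)
LLD_X86_64 = DynRelocInfo("lld / x86_64", 0xF1A0, 0x588, 0xF1A0, 1416, 24, 0xF440, 1416)
GNU_LD_AARCH64 = DynRelocInfo("GNU ld / AArch64", 0x10BD0, 0x630, 0x10BD0, 864, 24, 0x10F30, 720)
LLD_AARCH64 = DynRelocInfo("lld / AArch64", 0x14B10, 0x6A8, 0x14B10, 1704, 24, 0x14F30, 1704)
CASES = [GNU_LD_X86_64, LLD_X86_64, GNU_LD_AARCH64, LLD_AARCH64]


def check(info: DynRelocInfo) -> list:
    """Return human-readable findings; an empty list means the tags are consistent."""
    findings = []
    end = info.sec_end
    if not (info.sec_start <= info.rela < end):
        findings.append("DT_RELA lies outside .rela.dyn")
    if info.rela + info.relasz > end:
        findings.append("DT_RELA + DT_RELASZ runs past the end of .rela.dyn")
    if not (info.sec_start <= info.jmprel < end):
        findings.append("DT_JMPREL lies outside .rela.dyn")
    if info.jmprel + info.pltrelsz > end:
        findings.append("DT_JMPREL + DT_PLTRELSZ runs past the end of .rela.dyn")
    # With both tables inside one section, the non-PLT table should end
    # exactly where the JUMP_SLOT table begins (the GNU ld / AArch64 layout).
    if info.rela + info.relasz != info.jmprel:
        findings.append("DT_RELA + DT_RELASZ != DT_JMPREL (tables overlap or leave a gap)")
    if info.relasz % info.relaent or info.pltrelsz % info.relaent:
        findings.append("table size is not a multiple of DT_RELAENT")
    return findings


def safe_plt_entry_count(info: DynRelocInfo) -> int:
    """Number of JUMP_SLOT entries a loader may read without leaving the section.

    Defensive clamp for a run-time linker: trust DT_PLTRELSZ only as far as the
    bytes that actually remain between DT_JMPREL and the end of .rela.dyn."""
    usable = min(info.pltrelsz, max(0, info.sec_end - info.jmprel))
    return usable // info.relaent


if __name__ == "__main__":
    for case in CASES:
        print(f"{case.name}: section {case.sec_start:#x}-{case.sec_end:#x}, "
              f"safe JUMP_SLOT entries = {safe_plt_entry_count(case)}")
        for finding in check(case) or ["consistent"]:
            print("   ", finding)
```

Running it reproduces the report's reading: the GNU ld AArch64 file is the only one with no findings, both lld files trip the JMPREL+PLTRELSZ bound, and the clamp gives 31 (x86_64) and 27 (AArch64) usable JUMP_SLOT entries for the lld outputs, which matches the number of entries between the first JUMP_SLOT and the end of .rela.dyn in the dumps.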
