Fix incorrect file offset calculation in memory mapping #220
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pablogsal
changed the title
1 task
pablogsal
force-pushed
the
elf_fix_core
branch
9 times, most recently
from
1b17fec to
3b04fd4
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #220 +/- ##
==========================================
- Coverage 83.51% 83.33% -0.19%
==========================================
Files 46 46
Lines 6201 6248 +47
Branches 134 458 +324
==========================================
+ Hits 5179 5207 +28
- Misses 1020 1041 +21
+ Partials 2 0 -2
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
pablogsal
force-pushed
the
elf_fix_core
branch
2 times, most recently
from
5644a23 to
813c89f
Compare
pablogsal
commented
Jan 24, 2025
godlygeek
requested changes
Jan 25, 2025
Contributor
godlygeek
left a comment
godlygeek
left a comment
There was a problem hiding this comment.
The commit messages for the fighting-the-CI commits need rewording to explain the rationale for the changes. Other than that...
godlygeek
force-pushed
the
elf_fix_core
branch
from
a2bd7ae to
4d7ba7a
Compare
godlygeek
approved these changes
Feb 12, 2025
Contributor
There was a problem hiding this comment.
OK, I've pushed a bunch of fixup commits for minor improvements, plus one bug fix for a bug that I think has existed for as long as pystack. Please review my changes, and if you're happy with them feel free to squash and land this. Let me know if you dislike any of the fixups, or if you disagree with my diagnosis of the range check bug.
Contributor
|
Oh, and the fixup commits actually have commit message bodies, so each one should explain the rationale for the change. |
godlygeek
force-pushed
the
elf_fix_core
branch
from
884bce2 to
f0c0657
Compare
pablogsal
force-pushed
the
elf_fix_core
branch
from
f0c0657 to
c59bad8
Compare
The latest version supports Python 3.13, and the older version that we were pinning to now causes CI failures. Signed-off-by: Pablo Galindo <pablogsal@gmail.com>
The latest version of mypy enforces that enum members do not have type annotations, because the type of every member of a subclass of `Enum` is that subclass itself. Signed-off-by: Pablo Galindo <pablogsal@gmail.com>
The current implementation incorrectly assumes that calculating a file offset from a process memory address can be done using a simple subtraction from the library's load address. This assumption doesn't hold for binaries with non-standard ELF layouts, where PT_LOAD segments may have different virtual address to file offset mappings. Fix the issue by: 1. First converting the absolute process address to a library-relative offset by subtracting the library's load point in the process 2. Finding the PT_LOAD segment in the ELF file that contains this offset 3. Using the segment's p_vaddr and p_offset to calculate the correct file offset To avoid performance penalties from repeatedly parsing ELF files, add caching of PT_LOAD segments per library. Example of what was wrong: old: file_offset = addr - lib_start new: file_offset = ((addr - lib_start) - segment->p_vaddr) + segment->p_offset This fixes an issue where pystack would read from incorrect file offsets when analyzing binaries compiled with non-standard layout options (e.g., when using the gold linker with custom flags). Signed-off-by: Pablo Galindo <pablogsal@gmail.com>
The end address is exclusive, not inclusive. This off-by-one could mean that we look at the wrong shared library for a given address if it occurs at the very start of start of a mapping. Signed-off-by: Pablo Galindo <pablogsal@gmail.com>
pablogsal
force-pushed
the
elf_fix_core
branch
from
c59bad8 to
def56f4
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The current implementation incorrectly assumes that calculating a file
offset from a process memory address can be done using a simple
subtraction from the library's load address. This assumption doesn't
hold for binaries with non-standard ELF layouts, where PT_LOAD segments
may have different virtual address to file offset mappings.
Fix the issue by:
offset by subtracting the library's load point in the process
file offset
To avoid performance penalties from repeatedly parsing ELF files, add
caching of PT_LOAD segments per library.
Example of what was wrong:
old: file_offset = addr - lib_start
new: file_offset = ((addr - lib_start) - segment->p_vaddr) + segment->p_offset
This fixes an issue where pystack would read from incorrect file offsets
when analyzing binaries compiled with non-standard layout options (e.g.,
when using the gold linker with custom flags).