ELF Parser locating imports incorrectly (PPC)

[ogre2007]

Work environment

Arch Linux x86-64
PPC-32 ELF
radare2 2.5.0-git 17805 @ linux-x86-64 git.2.4.0-282-g43af9e3bb
commit: 43af9e3 build: 2018-04-06__23:16:3

I've compiled a simple hello world binary with toolchain for ppc build via crosstools-ng , and tried to analyze it with R2.

Expected behavior

Imports of file (printf func) is actually located at 0x1002**** addresses, and one can see it from objdumpD.txt file that I've added to zip archive. So rabin2 -ii hello.ppc or is should show it in output, and aaa; pdf main should show, that printf functions is called from there.
(something like this)

Actual behavior

However, ii, is commands show, that printf function and other imports is located at invalid 0x4743430a addresses:

and r2 cant realize, that address called from main subroutine is actually printf function, therefore there is no Xref to string being used here.

Steps to reproduce the behavior

just run rabin2 -is to see that imports is too far.

Additional Logs, screenshots, source-code, configuration dump, ...

hello-ppc.zip
There is source file, binary file, and objdump -D output file

One more thing

I'll be happy if someone will give me any hints to track down and fix this issue, so please respond even if you're not working on this arch etc.

[ogre2007]

Well, as I see problem may be hiding in finding relocations:

So maybe we need to check code that parsing PT_DYNAMIC header and reloc table

[ogre2007]

Still actual with master. Found out, that problem is compilation specific. Because binary from another toolchain is disassembled well

[radare]

Fixed in #10526

[radare]

i added a test too

[ret2libc]

@radare Shall it be closed then?

[Maijin]

Not it's not merged

[ret2libc]

Reopening this issue because while testing the provided binary (hello.ppc) I still get the wrong output.

$ ./binr/rabin2/rabin2 -iR ~/Downloads/hello.ppc
[Imports]
Num  Vaddr       Bind      Type Name
   1 0x4743430a  GLOBAL    FUNC printf
   2 0x4743431a    WEAK  NOTYPE __gmon_start__
   3 0x4743432a  GLOBAL    FUNC __libc_start_main
   0 0x00000000  (null)  (null)
[Relocations]

0 relocations

[ret2libc]

@radare Moreover, the fix 5080179 does not seem to really fix the mosquito binary either.

ii on that binary gives some results that may seem, at a first look, correct, but if you look at the imp.XXXX entries they are all in the wrong place (e.g. imp.unlink falls where there is the .init_array).

I noticed this because I'm refactoring the get_import_addr function in elf.c and I was surprised to find that ppc64 was the only one to require the rel_sec section to compute the import address. Where did you discover that?

[radare]

Discover what

…

On 4 Jan 2019, at 17:45, Riccardo Schirone ***@***.***> wrote: @radare Moreover, the fix 5080179 does not seem to really fix the mosquito binary either. ii on that binary gives some results that may seem, at a first look, correct, but if you look at the imp.XXXX entries they are all in the wrong place (e.g. imp.unlink falls where there is the .init_array). I noticed this because I'm refactoring the get_import_addr function in elf.c and I was surprised to find that ppc64 was the only one to require the rel_sec section to compute the import address. Where did you discover that? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[ret2libc]

Discover what

That you need to use rel_sec->offset to compute the PPC import addresses.

[ret2libc]

I'm no PPC expert, but something like the following improves a bit the situation, though it is not perfect.

From 9902b2082d55ffb1e39853adf2e127d8b89c5da8 Mon Sep 17 00:00:00 2001
From: Riccardo Schirone <sirmy15@gmail.com>
Date: Wed, 22 Apr 2020 16:04:15 +0200
Subject: [PATCH] Add PPC relocs

---
 libr/bin/p/bin_elf.inc | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/libr/bin/p/bin_elf.inc b/libr/bin/p/bin_elf.inc
index 61d1570a6..b7595cca6 100644
--- a/libr/bin/p/bin_elf.inc
+++ b/libr/bin/p/bin_elf.inc
@@ -648,6 +648,15 @@ static RBinReloc *reloc_convert(struct Elf_(r_bin_elf_obj_t) *bin, RBinElfReloc
 		 ////eprintf("TODO(eddyb): uninmplemented ELF/ARM reloc type %i\n", rel->type);
 		}
 		break;
+	case EM_PPC: switch (rel->type) {
+		case R_PPC_NONE:	break;
+		case R_PPC_GLOB_DAT:	ADD (32, 0);
+		case R_PPC_JMP_SLOT:	ADD (32, 0);
+		default:
+			eprintf ("unimplemented ELF/PPC reloc type %d\n", rel->type);
+			break;
+		}
+		break;
 	default: break;
 	}
 
-- 
2.25.3

In particular, the following solution identifies the relocations, but there are dupped ones (I think because they are both in RELA and REL sections). Also, I can't find any PLT section, but as I said I'm no PPC expert. Maybe this can be useful as a starting point for someone else interested.

[ghost]

@ret2libc Indeed there is some duplication, the main problem is that the duplication come from the relocation table. This is not a bug. The binary seems to be invalid but functional. I don't know which entry we need to keep, the last one, first one, ect...
Maybe we can keep duplication so the user can understand the problem.

[ret2libc]

@ret2libc Indeed there is some duplication, the main problem is that the duplication come from the relocation table. This is not a bug. The binary seems to be invalid but functional. I don't know which entry we need to keep, the last one, first one, ect...
Maybe we can keep duplication so the user can understand the problem.

Yeah I think we can live with the duplication, however I am not 100% confident of the patch I wrote above as I'm no PPC expert. We may include it nonetheless, as it improves a bit the situation, but it would be better to have someone familiar with PPC looking at this.

[ghost]

but it would be better to have someone familiar with PPC looking at this.

We can ask on telegram?

[ghost]

I'm no PPC expert, but something like the following improves a bit the situation, though it is not perfect.

From 9902b2082d55ffb1e39853adf2e127d8b89c5da8 Mon Sep 17 00:00:00 2001
From: Riccardo Schirone <sirmy15@gmail.com>
Date: Wed, 22 Apr 2020 16:04:15 +0200
Subject: [PATCH] Add PPC relocs

---
 libr/bin/p/bin_elf.inc | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/libr/bin/p/bin_elf.inc b/libr/bin/p/bin_elf.inc
index 61d1570a6..b7595cca6 100644
--- a/libr/bin/p/bin_elf.inc
+++ b/libr/bin/p/bin_elf.inc
@@ -648,6 +648,15 @@ static RBinReloc *reloc_convert(struct Elf_(r_bin_elf_obj_t) *bin, RBinElfReloc
 		 ////eprintf("TODO(eddyb): uninmplemented ELF/ARM reloc type %i\n", rel->type);
 		}
 		break;
+	case EM_PPC: switch (rel->type) {
+		case R_PPC_NONE:	break;
+		case R_PPC_GLOB_DAT:	ADD (32, 0);
+		case R_PPC_JMP_SLOT:	ADD (32, 0);
+		default:
+			eprintf ("unimplemented ELF/PPC reloc type %d\n", rel->type);
+			break;
+		}
+		break;
 	default: break;
 	}
 
-- 
2.25.3

In particular, the following solution identifies the relocations, but there are dupped ones (I think because they are both in RELA and REL sections). Also, I can't find any PLT section, but as I said I'm no PPC expert. Maybe this can be useful as a starting point for someone else interested.

I think we can push this patch, if someone isn't happy he will create an issue.

[ret2libc]

I think we can push this patch, if someone isn't happy he will create an issue.

I agree. Are you willing to do it? Otherwise I can do it.

[ghost]

I can do this.

[ghost]

Done, i had one regression test