elf2flt: fix for segfault on some ARM ELFs #20
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
vapier
requested changes
Aug 18, 2021
mpilawa
force-pushed
the
pullreq/elf2flt-segfault
branch
from
987fcb6
to
79d3e86
Compare
|
latest version looks great, but you'll need to rebase onto the latest branch. can you pull+rebase so i can merge ? |
I believe a bug was introduced in commit [1], which was done to move the .ARM.exidx input section from .data to .text output section. However, in doing so, the dynamic memory allocation for .text [elf2flt.c:~L1907: 'text = xmalloc(text_len);'] was not modified to allow for the additional .ARM.exidx section. The result was that most of the time malloc() allocated enough extra memory [due to page-size or similar allocation boundaries] such that a small additional section went unnoticed. However, in unlucky cases, the memory required for just the .text section fit almost perfectly within an allocation boundary, and the extra .ARM.exidx section exceeded the allocation, and thus produced a segfault when the memory was written. The fix here modifies the calculation of 'text_len' in main() with logic similar to that of the original fix in [1] to output_relocs(), such that the correct amount of memory is allocated. The code is also modified such that 'data_len' is also calculated correctly, and does not over-allocate memory. This is necessary because the logic in main() is not a single grouping of if-elseif... priority logic as in output_relocs(). The change also attempts to be even more specific with input section selections for .text and .data output sections. .text is only selected for input sections flagged as (SEC_CODE || (SEC_DATA && SEC_READONLY && SEC_RELOC)) .data is only selected for input sections flagged as (SEC_DATA && !(SEC_READONLY && SEC_RELOC)) The change appears to work correctly for previously segfault-causing ELF with these processed sections... SEC_FLAGS:0x0000011f SEC_NAME:.text SEC_FLAGS:0x0000012f SEC_NAME:.ARM.exidx SEC_FLAGS:0x00000127 SEC_NAME:.data SEC_FLAGS:0x00000123 SEC_NAME:.tm_clone_table SEC_FLAGS:0x0000012b SEC_NAME:.eh_frame SEC_FLAGS:0x00000001 SEC_NAME:.bss SEC_FLAGS:0x00000100 SEC_NAME:.stack SEC_FLAGS:0x01800108 SEC_NAME:.comment SEC_FLAGS:0x00000108 SEC_NAME:.ARM.attributes SEC_FLAGS:0x0000210c SEC_NAME:.debug_aranges SEC_FLAGS:0x0000210c SEC_NAME:.debug_info SEC_FLAGS:0x00002108 SEC_NAME:.debug_abbrev SEC_FLAGS:0x0000210c SEC_NAME:.debug_line SEC_FLAGS:0x0000210c SEC_NAME:.debug_frame SEC_FLAGS:0x01802108 SEC_NAME:.debug_str SEC_FLAGS:0x0000210c SEC_NAME:.debug_loc SEC_FLAGS:0x00002108 SEC_NAME:.debug_ranges It should also be pointed out that this commit may impact the regression noted in [2] and pull-request [3]. With this code change in place, elf2flt will put section .eh_frame with flags=0x12b in the .data output section. If the flags for an .eh_frame section were 0x12f (same as .ARM.exidx), then it would end up in .text output section. A few cosmetic changes are included as well. [1] uclinux-dev@73325b7 [2] uclinux-dev#12 [3] uclinux-dev#16 Signed-off-by: Mike Pilawa <Mike.Pilawa@csiro.au>
mpilawa
force-pushed
the
pullreq/elf2flt-segfault
branch
from
79d3e86
to
5717d9f
Compare
|
Should be all in sync and good to go now. |
|
thanks! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I believe a bug was introduced in commit [1], which was done to move the .ARM.exidx input section from .data to .text output section. However, in doing so, the dynamic memory allocation for .text [elf2flt.c:~L1907: 'text = xmalloc(text_len);'] was not modified to allow for the additional .ARM.exidx section. The result was that most of the time malloc() allocated enough extra memory [due to page-size or similar allocation boundaries] such that a small additional section went unnoticed. However, in unlucky cases, the memory required for just the .text section fit almost perfectly within an allocation boundary, and the extra .ARM.exidx section exceeded the allocation, and thus produced a segfault when the memory was written.
The fix here modifies the calculation of 'text_len' in main() with logic similar to that of the original fix in [1] to output_relocs(), such that the correct amount of memory is allocated. The code is also modified such that 'data_len' is also calculated correctly, and does not over-allocate memory. This is necessary because the logic in main() is not a single grouping of if-elseif... priority logic as in output_relocs().
The change also attempts to be even more specific with input section selections for .text and .data output sections.
.text is only selected for input sections flagged as (SEC_CODE || (SEC_DATA && SEC_READONLY && SEC_RELOC))
.data is only selected for input sections flagged as (SEC_DATA && !(SEC_READONLY && SEC_RELOC))
The change appears to work correctly for previously segfault-causing ELF with these processed sections...
SEC_FLAGS:0x0000011f SEC_NAME:.text
SEC_FLAGS:0x0000012f SEC_NAME:.ARM.exidx
SEC_FLAGS:0x00000127 SEC_NAME:.data
SEC_FLAGS:0x00000123 SEC_NAME:.tm_clone_table
SEC_FLAGS:0x0000012b SEC_NAME:.eh_frame
SEC_FLAGS:0x00000001 SEC_NAME:.bss
SEC_FLAGS:0x00000100 SEC_NAME:.stack
SEC_FLAGS:0x01800108 SEC_NAME:.comment
SEC_FLAGS:0x00000108 SEC_NAME:.ARM.attributes
SEC_FLAGS:0x0000210c SEC_NAME:.debug_aranges
SEC_FLAGS:0x0000210c SEC_NAME:.debug_info
SEC_FLAGS:0x00002108 SEC_NAME:.debug_abbrev
SEC_FLAGS:0x0000210c SEC_NAME:.debug_line
SEC_FLAGS:0x0000210c SEC_NAME:.debug_frame
SEC_FLAGS:0x01802108 SEC_NAME:.debug_str
SEC_FLAGS:0x0000210c SEC_NAME:.debug_loc
SEC_FLAGS:0x00002108 SEC_NAME:.debug_ranges
It should also be pointed out that this commit may impact the regression noted in [2] and pull-request [3].
With this code change in place, elf2flt will put section .eh_frame with flags=0x12b in the .data output section. If the flags for an .eh_frame section were 0x12f (same as .ARM.exidx), then it would end up in .text output section.
A few cosmetic changes are included as well.
[1] 73325b7
[2] #12
[3] #16
Signed-off-by: Mike Pilawa Mike.Pilawa@csiro.au