From c749f6760d69f6594a8b84ba8ab195d838766d89 Mon Sep 17 00:00:00 2001 From: Breno Rodrigues Guimaraes Date: Fri, 17 Mar 2023 19:06:12 -0300 Subject: Use a different letter for section tainting --- src/patchelf.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/patchelf.cc b/src/patchelf.cc index 1a90edb..37e6479 100644 --- a/src/patchelf.cc +++ b/src/patchelf.cc @@ -664,14 +664,14 @@ template void ElfFile::writeReplacedSections(Elf_Off & curOff, Elf_Addr startAddr, Elf_Off startOffset) { - /* Overwrite the old section contents with 'X's. Do this + /* Overwrite the old section contents with 'Z's. Do this *before* writing the new section contents (below) to prevent clobbering previously written new section contents. */ for (auto & i : replacedSections) { const std::string & sectionName = i.first; const Elf_Shdr & shdr = findSectionHeader(sectionName); if (rdi(shdr.sh_type) != SHT_NOBITS) - memset(fileContents->data() + rdi(shdr.sh_offset), 'X', rdi(shdr.sh_size)); + memset(fileContents->data() + rdi(shdr.sh_offset), 'Z', rdi(shdr.sh_size)); } std::set noted_phdrs = {}; -- cgit v1.2.1 From 75e4daaf29f10d2b31be4991507bfa0673b4e9e4 Mon Sep 17 00:00:00 2001 From: Breno Rodrigues Guimaraes Date: Fri, 17 Mar 2023 17:55:32 -0300 Subject: Add infrastructure to iterate on all objects that are string indexes --- src/patchelf.cc | 40 ++++++++++++++++++++++++++++++++++++++-- src/patchelf.h | 38 ++++++++++++++++++++++++++++++++++++-- 2 files changed, 74 insertions(+), 4 deletions(-) diff --git a/src/patchelf.cc b/src/patchelf.cc index 37e6479..f2f9043 100644 --- a/src/patchelf.cc +++ b/src/patchelf.cc @@ -2293,6 +2293,42 @@ void ElfFile::modifyExecstack(ExecstackMode op) printf("execstack: %c\n", result); } +template +template +void ElfFile::forAllStringReferences(Elf_Shdr& strTabHdr, StrIdxCallback&& fn) +{ + for (auto& sym : tryGetSectionSpan(".dynsym")) + fn(sym.st_name); + + for (auto& dyn : tryGetSectionSpan(".dynamic")) + switch (rdi(dyn.d_tag)) + { + case DT_NEEDED: + case DT_SONAME: + case DT_RPATH: + case DT_RUNPATH: fn(dyn.d_un.d_val); + default:; + } + + if (auto verdHdr = tryFindSectionHeader(".gnu.version_d")) + { + if (&shdrs.at(rdi(verdHdr->get().sh_link)) == &strTabHdr) + forAll_ElfVer(getSectionSpan(*verdHdr), + [] (auto& /*vd*/) {}, + [&] (auto& vda) { fn(vda.vda_name); } + ); + } + + if (auto vernHdr = tryFindSectionHeader(".gnu.version_r")) + { + if (&shdrs.at(rdi(vernHdr->get().sh_link)) == &strTabHdr) + forAll_ElfVer(getSectionSpan(*vernHdr), + [&] (auto& vn) { fn(vn.vn_file); }, + [&] (auto& vna) { fn(vna.vna_name); } + ); + } +} + static bool printInterpreter = false; static bool printOsAbi = false; static bool setOsAbi = false; @@ -2397,9 +2433,9 @@ static void patchElf() const std::string & outputFileName2 = outputFileName.empty() ? fileName : outputFileName; if (getElfType(fileContents).is32Bit) - patchElf2(ElfFile(fileContents), fileContents, outputFileName2); + patchElf2(ElfFile(fileContents), fileContents, outputFileName2); else - patchElf2(ElfFile(fileContents), fileContents, outputFileName2); + patchElf2(ElfFile(fileContents), fileContents, outputFileName2); } } diff --git a/src/patchelf.h b/src/patchelf.h index 9fab18c..4e229d6 100644 --- a/src/patchelf.h +++ b/src/patchelf.h @@ -10,8 +10,8 @@ using FileContents = std::shared_ptr>; -#define ElfFileParams class Elf_Ehdr, class Elf_Phdr, class Elf_Shdr, class Elf_Addr, class Elf_Off, class Elf_Dyn, class Elf_Sym, class Elf_Verneed, class Elf_Versym, class Elf_Rel, class Elf_Rela, unsigned ElfClass -#define ElfFileParamNames Elf_Ehdr, Elf_Phdr, Elf_Shdr, Elf_Addr, Elf_Off, Elf_Dyn, Elf_Sym, Elf_Verneed, Elf_Versym, Elf_Rel, Elf_Rela, ElfClass +#define ElfFileParams class Elf_Ehdr, class Elf_Phdr, class Elf_Shdr, class Elf_Addr, class Elf_Off, class Elf_Dyn, class Elf_Sym, class Elf_Versym, class Elf_Verdef, class Elf_Verdaux, class Elf_Verneed, class Elf_Vernaux, class Elf_Rel, class Elf_Rela, unsigned ElfClass +#define ElfFileParamNames Elf_Ehdr, Elf_Phdr, Elf_Shdr, Elf_Addr, Elf_Off, Elf_Dyn, Elf_Sym, Elf_Versym, Elf_Verdef, Elf_Verdaux, Elf_Verneed, Elf_Vernaux, Elf_Rel, Elf_Rela, ElfClass template struct span @@ -237,6 +237,40 @@ private: } } + template + void forAllStringReferences(const Elf_Shdr& strTabHdr, StrIdxCallback&& fn); + + template + auto follow(U* ptr, size_t offset) -> T* { + return offset ? (T*)(((char*)ptr)+offset) : nullptr; + }; + + template + void forAll_ElfVer(span vdspan, VdFn&& vdfn, VaFn&& vafn) + { + auto* vd = vdspan.begin(); + for (; vd; vd = follow(vd, rdi(vd->vd_next))) + { + vdfn(*vd); + auto va = follow(vd, rdi(vd->vd_aux)); + for (; va; va = follow(va, rdi(va->vda_next))) + vafn(*va); + } + } + + template + void forAll_ElfVer(span vnspan, VnFn&& vnfn, VaFn&& vafn) + { + auto* vn = vnspan.begin(); + for (; vn; vn = follow(vn, rdi(vn->vn_next))) + { + vnfn(*vn); + auto va = follow(vn, rdi(vn->vn_aux)); + for (; va; va = follow(va, rdi(va->vna_next))) + vafn(*va); + } + } + /* Convert an integer in big or little endian representation (as specified by the ELF header) to this platform's integer representation. */ -- cgit v1.2.1 From 8b32fae32d8bfc0770bb4948254db50b6ebbc39e Mon Sep 17 00:00:00 2001 From: Breno Rodrigues Guimaraes Date: Fri, 17 Mar 2023 18:15:46 -0300 Subject: Check for other references to the RPATH string --- src/patchelf.cc | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/src/patchelf.cc b/src/patchelf.cc index f2f9043..ee00918 100644 --- a/src/patchelf.cc +++ b/src/patchelf.cc @@ -1538,7 +1538,7 @@ void ElfFile::modifyRPath(RPathOp op, /* !!! We assume that the virtual address in the DT_STRTAB entry of the dynamic section corresponds to the .dynstr section. */ - auto shdrDynStr = findSectionHeader(".dynstr"); + auto& shdrDynStr = findSectionHeader(".dynstr"); char * strTab = (char *) fileContents->data() + rdi(shdrDynStr.sh_offset); @@ -1621,24 +1621,39 @@ void ElfFile::modifyRPath(RPathOp op, } changed = true; - /* Zero out the previous rpath to prevent retained dependencies in - Nix. */ + bool rpathStrShared = false; size_t rpathSize = 0; if (rpath) { - rpathSize = strlen(rpath); + std::string_view rpathView {rpath}; + rpathSize = rpathView.size(); + + size_t rpathStrReferences = 0; + forAllStringReferences(shdrDynStr, [&] (auto refIdx) { + if (rpathView.end() == std::string_view(strTab + rdi(refIdx)).end()) + rpathStrReferences++; + }); + assert(rpathStrReferences >= 1); + debug("Number of rpath references: %lu\n", rpathStrReferences); + rpathStrShared = rpathStrReferences > 1; + } + + /* Zero out the previous rpath to prevent retained dependencies in + Nix. */ + if (rpath && !rpathStrShared) { + debug("Tainting old rpath with Xs\n"); memset(rpath, 'X', rpathSize); } debug("new rpath is '%s'\n", newRPath.c_str()); - if (newRPath.size() <= rpathSize) { + if (!rpathStrShared && newRPath.size() <= rpathSize) { if (rpath) memcpy(rpath, newRPath.c_str(), newRPath.size() + 1); return; } /* Grow the .dynstr section to make room for the new RPATH. */ - debug("rpath is too long, resizing...\n"); + debug("rpath is too long or shared, resizing...\n"); std::string & newDynStr = replaceSection(".dynstr", rdi(shdrDynStr.sh_size) + newRPath.size() + 1); @@ -2295,7 +2310,7 @@ void ElfFile::modifyExecstack(ExecstackMode op) template template -void ElfFile::forAllStringReferences(Elf_Shdr& strTabHdr, StrIdxCallback&& fn) +void ElfFile::forAllStringReferences(const Elf_Shdr& strTabHdr, StrIdxCallback&& fn) { for (auto& sym : tryGetSectionSpan(".dynsym")) fn(sym.st_name); -- cgit v1.2.1 From 860c04dbd6fd290c6b2856ac7d467570722be3a5 Mon Sep 17 00:00:00 2001 From: Breno Rodrigues Guimaraes Date: Fri, 17 Mar 2023 18:20:35 -0300 Subject: Add test --- tests/Makefile.am | 6 +++++- tests/shared-rpath.c | 2 ++ tests/shared-rpath.sh | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 58 insertions(+), 1 deletion(-) create mode 100644 tests/shared-rpath.c create mode 100755 tests/shared-rpath.sh diff --git a/tests/Makefile.am b/tests/Makefile.am index 0b648f8..5dba804 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -49,6 +49,7 @@ src_TESTS = \ modify-execstack.sh \ rename-dynamic-symbols.sh \ overlapping-segments-after-rounding.sh \ + shared-rpath.sh \ empty-note.sh build_TESTS = \ @@ -121,7 +122,7 @@ check_DATA = libbig-dynstr.debug # - with libtool, it is difficult to control options # - with libtool, it is not possible to compile convenience *dynamic* libraries :-( check_PROGRAMS += libfoo.so libfoo-scoped.so libbar.so libbar-scoped.so libsimple.so libsimple-execstack.so libbuildid.so libtoomanystrtab.so \ - phdr-corruption.so many-syms-main libmany-syms.so liboveralign.so + phdr-corruption.so many-syms-main libmany-syms.so liboveralign.so libshared-rpath.so libbuildid_so_SOURCES = simple.c libbuildid_so_LDFLAGS = $(LDFLAGS_sharedlib) -Wl,--build-id @@ -148,6 +149,9 @@ libsimple_so_LDFLAGS = $(LDFLAGS_sharedlib) -Wl,-z,noexecstack liboveralign_so_SOURCES = simple.c liboveralign_so_LDFLAGS = $(LDFLAGS_sharedlib) -Wl,-z,max-page-size=0x10000 +libshared_rpath_so_SOURCES = shared-rpath.c +libshared_rpath_so_LDFLAGS = $(LDFLAGS_sharedlib) -Wl,-rpath=a_symbol_name + libsimple_execstack_so_SOURCES = simple.c libsimple_execstack_so_LDFLAGS = $(LDFLAGS_sharedlib) -Wl,-z,execstack diff --git a/tests/shared-rpath.c b/tests/shared-rpath.c new file mode 100644 index 0000000..8a3ee7c --- /dev/null +++ b/tests/shared-rpath.c @@ -0,0 +1,2 @@ +int a_symbol_name; +int foo() { return a_symbol_name; } diff --git a/tests/shared-rpath.sh b/tests/shared-rpath.sh new file mode 100755 index 0000000..8e6e26f --- /dev/null +++ b/tests/shared-rpath.sh @@ -0,0 +1,51 @@ +#! /bin/sh -e + +PATCHELF=$(readlink -f "../src/patchelf") +SCRATCH="scratch/$(basename "$0" .sh)" +READELF=${READELF:-readelf} + +LIB_NAME="${PWD}/libshared-rpath.so" + +rm -rf "${SCRATCH}" +mkdir -p "${SCRATCH}" +cd "${SCRATCH}" + +has_x() { + strings "$1" | grep -c "XXXXXXXX" +} + +nm -D "${LIB_NAME}" | grep a_symbol_name +previous_cnt="$(strings "${LIB_NAME}" | grep -c a_symbol_name)" + +echo "#### Number of a_symbol_name strings in the library: $previous_cnt" + +echo "#### Rename the rpath to something larger than the original" +# Pathelf should detect that the rpath string is shared with the symbol name string and avoid +# tainting the string with Xs +"${PATCHELF}" --set-rpath a_very_big_rpath_that_is_larger_than_original --output liblarge-rpath.so "${LIB_NAME}" + +echo "#### Checking symbol is still there" +nm -D liblarge-rpath.so | grep a_symbol_name + +echo "#### Checking there are no Xs" +[ "$(has_x liblarge-rpath.so)" -eq 0 ] || exit 1 + +current_cnt="$(strings liblarge-rpath.so | grep -c a_symbol_name)" +echo "#### Number of a_symbol_name strings in the modified library: $current_cnt" +[ "$current_cnt" -eq "$previous_cnt" ] || exit 1 + +echo "#### Rename the rpath to something shorter than the original" +# Pathelf should detect that the rpath string is shared with the symbol name string and avoid +# overwriting the existing string +"${PATCHELF}" --set-rpath shrt_rpth --output libshort-rpath.so "${LIB_NAME}" + +echo "#### Checking symbol is still there" +nm -D libshort-rpath.so | grep a_symbol_name + +echo "#### Number of a_symbol_name strings in the modified library: $current_cnt" +current_cnt="$(strings libshort-rpath.so | grep -c a_symbol_name)" +[ "$current_cnt" -eq "$previous_cnt" ] || exit 1 + +echo "#### Now liblarge-rpath.so should have its own rpath, so it should be allowed to taint it" +"${PATCHELF}" --set-rpath a_very_big_rpath_that_is_larger_than_original__even_larger --output liblarge-rpath2.so liblarge-rpath.so +[ "$(has_x liblarge-rpath2.so)" -eq 1 ] || exit 1 -- cgit v1.2.1