1 /* Pedantic checking of ELF files compliance with gABI/psABI spec.
2    Copyright (C) 2001-2015, 2017, 2018 Red Hat, Inc.
3    This file is part of elfutils.
4    Written by Ulrich Drepper <drepper@redhat.com>, 2001.
5 
6    This file is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License as published by
8    the Free Software Foundation; either version 3 of the License, or
9    (at your option) any later version.
10 
11    elfutils is distributed in the hope that it will be useful, but
12    WITHOUT ANY WARRANTY; without even the implied warranty of
13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14    GNU General Public License for more details.
15 
16    You should have received a copy of the GNU General Public License
17    along with this program.  If not, see <http://www.gnu.org/licenses/>.  */
18 
19 #ifdef HAVE_CONFIG_H
20 # include <config.h>
21 #endif
22 
23 #include <argp.h>
24 #include <assert.h>
25 #include <byteswap.h>
26 #include <endian.h>
27 #include <fcntl.h>
28 #include <gelf.h>
29 #include <inttypes.h>
30 #include <libintl.h>
31 #include <locale.h>
32 #include <stdbool.h>
33 #include <stdlib.h>
34 #include <string.h>
35 #include <unistd.h>
36 #include <sys/stat.h>
37 
38 #include <elf-knowledge.h>
39 #include <libeu.h>
40 #include <system.h>
41 #include <printversion.h>
42 #include "../libelf/libelfP.h"
43 #include "../libelf/common.h"
44 #include "../libebl/libeblP.h"
45 #include "../libdw/libdwP.h"
46 #include "../libdwfl/libdwflP.h"
47 #include "../libdw/memory-access.h"
48 
49 
50 /* Name and version of program.  */
51 ARGP_PROGRAM_VERSION_HOOK_DEF = print_version;
52 
53 /* Bug report address.  */
54 ARGP_PROGRAM_BUG_ADDRESS_DEF = PACKAGE_BUGREPORT;
55 
56 #define ARGP_strict	300
57 #define ARGP_gnuld	301
58 
59 /* Definitions of arguments for argp functions.  */
60 static const struct argp_option options[] =
61 {
62   { "strict", ARGP_strict, NULL, 0,
63     N_("Be extremely strict, flag level 2 features."), 0 },
64   { "quiet", 'q', NULL, 0, N_("Do not print anything if successful"), 0 },
65   { "debuginfo", 'd', NULL, 0, N_("Binary is a separate debuginfo file"), 0 },
66   { "gnu-ld", ARGP_gnuld, NULL, 0,
67     N_("Binary has been created with GNU ld and is therefore known to be \
68 broken in certain ways"), 0 },
69   { NULL, 0, NULL, 0, NULL, 0 }
70 };
71 
72 /* Short description of program.  */
73 static const char doc[] = N_("\
74 Pedantic checking of ELF files compliance with gABI/psABI spec.");
75 
76 /* Strings for arguments in help texts.  */
77 static const char args_doc[] = N_("FILE...");
78 
79 /* Prototype for option handler.  */
80 static error_t parse_opt (int key, char *arg, struct argp_state *state);
81 
82 /* Data structure to communicate with argp functions.  */
83 static struct argp argp =
84 {
85   options, parse_opt, args_doc, doc, NULL, NULL, NULL
86 };
87 
88 
89 /* Declarations of local functions.  */
90 static void process_file (int fd, Elf *elf, const char *prefix,
91 			  const char *suffix, const char *fname, size_t size,
92 			  bool only_one);
93 static void process_elf_file (Elf *elf, const char *prefix, const char *suffix,
94 			      const char *fname, size_t size, bool only_one);
95 static void check_note_section (Ebl *ebl, GElf_Ehdr *ehdr,
96 				GElf_Shdr *shdr, int idx);
97 
98 
99 /* Report an error.  */
100 #define ERROR(str, args...) \
101   do {									      \
102     printf (str, ##args);						      \
103     ++error_count;							      \
104   } while (0)
105 static unsigned int error_count;
106 
107 /* True if we should perform very strict testing.  */
108 static bool be_strict;
109 
110 /* True if no message is to be printed if the run is successful.  */
111 static bool be_quiet;
112 
113 /* True if binary is from strip -f, not a normal ELF file.  */
114 static bool is_debuginfo;
115 
116 /* True if binary is assumed to be generated with GNU ld.  */
117 static bool gnuld;
118 
119 /* Index of section header string table.  */
120 static uint32_t shstrndx;
121 
122 /* Array to count references in section groups.  */
123 static int *scnref;
124 
125 /* Numbers of sections and program headers.  */
126 static unsigned int shnum;
127 static unsigned int phnum;
128 
129 
130 int
main(int argc,char * argv[])131 main (int argc, char *argv[])
132 {
133   /* Set locale.  */
134   setlocale (LC_ALL, "");
135 
136   /* Initialize the message catalog.  */
137   textdomain (PACKAGE_TARNAME);
138 
139   /* Parse and process arguments.  */
140   int remaining;
141   argp_parse (&argp, argc, argv, 0, &remaining, NULL);
142 
143   /* Before we start tell the ELF library which version we are using.  */
144   elf_version (EV_CURRENT);
145 
146   /* Now process all the files given at the command line.  */
147   bool only_one = remaining + 1 == argc;
148   do
149     {
150       /* Open the file.  */
151       int fd = open (argv[remaining], O_RDONLY);
152       if (fd == -1)
153 	{
154 	  error (0, errno, _("cannot open input file '%s'"), argv[remaining]);
155 	  continue;
156 	}
157 
158       /* Create an `Elf' descriptor.  */
159       Elf *elf = elf_begin (fd, ELF_C_READ_MMAP, NULL);
160       if (elf == NULL)
161 	ERROR (_("cannot generate Elf descriptor for '%s': %s\n"),
162 	       argv[remaining], elf_errmsg (-1));
163       else
164 	{
165 	  unsigned int prev_error_count = error_count;
166 	  struct stat st;
167 
168 	  if (fstat (fd, &st) != 0)
169 	    {
170 	      printf ("cannot stat '%s': %m\n", argv[remaining]);
171 	      close (fd);
172 	      continue;
173 	    }
174 
175 	  process_file (fd, elf, NULL, NULL, argv[remaining], st.st_size,
176 			only_one);
177 
178 	  /* Now we can close the descriptor.  */
179 	  if (elf_end (elf) != 0)
180 	    ERROR (_("error while closing Elf descriptor: %s\n"),
181 		   elf_errmsg (-1));
182 
183 	  if (prev_error_count == error_count && !be_quiet)
184 	    puts (_("No errors"));
185 	}
186 
187       close (fd);
188     }
189   while (++remaining < argc);
190 
191   return error_count != 0;
192 }
193 
194 
195 /* Handle program arguments.  */
196 static error_t
parse_opt(int key,char * arg,struct argp_state * state)197 parse_opt (int key, char *arg __attribute__ ((unused)),
198 	   struct argp_state *state __attribute__ ((unused)))
199 {
200   switch (key)
201     {
202     case ARGP_strict:
203       be_strict = true;
204       break;
205 
206     case 'q':
207       be_quiet = true;
208       break;
209 
210     case 'd':
211       is_debuginfo = true;
212       break;
213 
214     case ARGP_gnuld:
215       gnuld = true;
216       break;
217 
218     case ARGP_KEY_NO_ARGS:
219       fputs (_("Missing file name.\n"), stderr);
220       argp_help (&argp, stderr, ARGP_HELP_SEE, program_invocation_short_name);
221       exit (EXIT_FAILURE);
222 
223     default:
224       return ARGP_ERR_UNKNOWN;
225     }
226   return 0;
227 }
228 
229 
230 /* Process one file.  */
231 static void
process_file(int fd,Elf * elf,const char * prefix,const char * suffix,const char * fname,size_t size,bool only_one)232 process_file (int fd, Elf *elf, const char *prefix, const char *suffix,
233 	      const char *fname, size_t size, bool only_one)
234 {
235   /* We can handle two types of files: ELF files and archives.  */
236   Elf_Kind kind = elf_kind (elf);
237 
238   switch (kind)
239     {
240     case ELF_K_ELF:
241       /* Yes!  It's an ELF file.  */
242       process_elf_file (elf, prefix, suffix, fname, size, only_one);
243       break;
244 
245     case ELF_K_AR:
246       {
247 	Elf *subelf;
248 	Elf_Cmd cmd = ELF_C_READ_MMAP;
249 	size_t prefix_len = prefix == NULL ? 0 : strlen (prefix);
250 	size_t fname_len = strlen (fname) + 1;
251 	char new_prefix[prefix_len + 1 + fname_len];
252 	char new_suffix[(suffix == NULL ? 0 : strlen (suffix)) + 2];
253 	char *cp = new_prefix;
254 
255 	/* Create the full name of the file.  */
256 	if (prefix != NULL)
257 	  {
258 	    cp = mempcpy (cp, prefix, prefix_len);
259 	    *cp++ = '(';
260 	    strcpy (stpcpy (new_suffix, suffix), ")");
261 	  }
262 	else
263 	  new_suffix[0] = '\0';
264 	memcpy (cp, fname, fname_len);
265 
266 	/* It's an archive.  We process each file in it.  */
267 	while ((subelf = elf_begin (fd, cmd, elf)) != NULL)
268 	  {
269 	    kind = elf_kind (subelf);
270 
271 	    /* Call this function recursively.  */
272 	    if (kind == ELF_K_ELF || kind == ELF_K_AR)
273 	      {
274 		Elf_Arhdr *arhdr = elf_getarhdr (subelf);
275 		assert (arhdr != NULL);
276 
277 		process_file (fd, subelf, new_prefix, new_suffix,
278 			      arhdr->ar_name, arhdr->ar_size, false);
279 	      }
280 
281 	    /* Get next archive element.  */
282 	    cmd = elf_next (subelf);
283 	    if (elf_end (subelf) != 0)
284 	      ERROR (_(" error while freeing sub-ELF descriptor: %s\n"),
285 		     elf_errmsg (-1));
286 	  }
287       }
288       break;
289 
290     default:
291       /* We cannot do anything.  */
292       ERROR (_("\
293 Not an ELF file - it has the wrong magic bytes at the start\n"));
294       break;
295     }
296 }
297 
298 
299 static const char *
section_name(Ebl * ebl,int idx)300 section_name (Ebl *ebl, int idx)
301 {
302   GElf_Shdr shdr_mem;
303   GElf_Shdr *shdr;
304   const char *ret;
305 
306   if ((unsigned int) idx > shnum)
307     return "<invalid>";
308 
309   shdr = gelf_getshdr (elf_getscn (ebl->elf, idx), &shdr_mem);
310   if (shdr == NULL)
311     return "<invalid>";
312 
313   ret = elf_strptr (ebl->elf, shstrndx, shdr->sh_name);
314   if (ret == NULL)
315     return "<invalid>";
316   return ret;
317 }
318 
319 
320 static const int valid_e_machine[] =
321   {
322     EM_M32, EM_SPARC, EM_386, EM_68K, EM_88K, EM_860, EM_MIPS, EM_S370,
323     EM_MIPS_RS3_LE, EM_PARISC, EM_VPP500, EM_SPARC32PLUS, EM_960, EM_PPC,
324     EM_PPC64, EM_S390, EM_V800, EM_FR20, EM_RH32, EM_RCE, EM_ARM,
325     EM_FAKE_ALPHA, EM_SH, EM_SPARCV9, EM_TRICORE, EM_ARC, EM_H8_300,
326     EM_H8_300H, EM_H8S, EM_H8_500, EM_IA_64, EM_MIPS_X, EM_COLDFIRE,
327     EM_68HC12, EM_MMA, EM_PCP, EM_NCPU, EM_NDR1, EM_STARCORE, EM_ME16,
328     EM_ST100, EM_TINYJ, EM_X86_64, EM_PDSP, EM_FX66, EM_ST9PLUS, EM_ST7,
329     EM_68HC16, EM_68HC11, EM_68HC08, EM_68HC05, EM_SVX, EM_ST19, EM_VAX,
330     EM_CRIS, EM_JAVELIN, EM_FIREPATH, EM_ZSP, EM_MMIX, EM_HUANY, EM_PRISM,
331     EM_AVR, EM_FR30, EM_D10V, EM_D30V, EM_V850, EM_M32R, EM_MN10300,
332     EM_MN10200, EM_PJ, EM_OPENRISC, EM_ARC_A5, EM_XTENSA, EM_ALPHA,
333     EM_TILEGX, EM_TILEPRO, EM_AARCH64, EM_BPF, EM_RISCV, EM_CSKY
334   };
335 #define nvalid_e_machine \
336   (sizeof (valid_e_machine) / sizeof (valid_e_machine[0]))
337 
338 
339 static void
check_elf_header(Ebl * ebl,GElf_Ehdr * ehdr,size_t size)340 check_elf_header (Ebl *ebl, GElf_Ehdr *ehdr, size_t size)
341 {
342   char buf[512];
343   size_t cnt;
344 
345   /* Check e_ident field.  */
346   if (ehdr->e_ident[EI_MAG0] != ELFMAG0)
347     ERROR ("e_ident[%d] != '%c'\n", EI_MAG0, ELFMAG0);
348   if (ehdr->e_ident[EI_MAG1] != ELFMAG1)
349     ERROR ("e_ident[%d] != '%c'\n", EI_MAG1, ELFMAG1);
350   if (ehdr->e_ident[EI_MAG2] != ELFMAG2)
351     ERROR ("e_ident[%d] != '%c'\n", EI_MAG2, ELFMAG2);
352   if (ehdr->e_ident[EI_MAG3] != ELFMAG3)
353     ERROR ("e_ident[%d] != '%c'\n", EI_MAG3, ELFMAG3);
354 
355   if (ehdr->e_ident[EI_CLASS] != ELFCLASS32
356       && ehdr->e_ident[EI_CLASS] != ELFCLASS64)
357     ERROR (_("e_ident[%d] == %d is no known class\n"),
358 	   EI_CLASS, ehdr->e_ident[EI_CLASS]);
359 
360   if (ehdr->e_ident[EI_DATA] != ELFDATA2LSB
361       && ehdr->e_ident[EI_DATA] != ELFDATA2MSB)
362     ERROR (_("e_ident[%d] == %d is no known data encoding\n"),
363 	   EI_DATA, ehdr->e_ident[EI_DATA]);
364 
365   if (ehdr->e_ident[EI_VERSION] != EV_CURRENT)
366     ERROR (_("unknown ELF header version number e_ident[%d] == %d\n"),
367 	   EI_VERSION, ehdr->e_ident[EI_VERSION]);
368 
369   /* We currently don't handle any OS ABIs other than Linux and the
370      kFreeBSD variant of Debian.  */
371   if (ehdr->e_ident[EI_OSABI] != ELFOSABI_NONE
372       && ehdr->e_ident[EI_OSABI] != ELFOSABI_LINUX
373       && ehdr->e_ident[EI_OSABI] != ELFOSABI_FREEBSD)
374     ERROR (_("unsupported OS ABI e_ident[%d] == '%s'\n"),
375 	   EI_OSABI,
376 	   ebl_osabi_name (ebl, ehdr->e_ident[EI_OSABI], buf, sizeof (buf)));
377 
378   /* No ABI versions other than zero are supported either.  */
379   if (ehdr->e_ident[EI_ABIVERSION] != 0)
380     ERROR (_("unsupported ABI version e_ident[%d] == %d\n"),
381 	   EI_ABIVERSION, ehdr->e_ident[EI_ABIVERSION]);
382 
383   for (cnt = EI_PAD; cnt < EI_NIDENT; ++cnt)
384     if (ehdr->e_ident[cnt] != 0)
385       ERROR (_("e_ident[%zu] is not zero\n"), cnt);
386 
387   /* Check the e_type field.  */
388   if (ehdr->e_type != ET_REL && ehdr->e_type != ET_EXEC
389       && ehdr->e_type != ET_DYN && ehdr->e_type != ET_CORE)
390     ERROR (_("unknown object file type %d\n"), ehdr->e_type);
391 
392   /* Check the e_machine field.  */
393   for (cnt = 0; cnt < nvalid_e_machine; ++cnt)
394     if (valid_e_machine[cnt] == ehdr->e_machine)
395       break;
396   if (cnt == nvalid_e_machine)
397     ERROR (_("unknown machine type %d\n"), ehdr->e_machine);
398 
399   /* Check the e_version field.  */
400   if (ehdr->e_version != EV_CURRENT)
401     ERROR (_("unknown object file version\n"));
402 
403   /* Check the e_phoff and e_phnum fields.  */
404   if (ehdr->e_phoff == 0)
405     {
406       if (ehdr->e_phnum != 0)
407 	ERROR (_("invalid program header offset\n"));
408       else if (ehdr->e_type == ET_EXEC || ehdr->e_type == ET_DYN)
409 	ERROR (_("\
410 executables and DSOs cannot have zero program header offset\n"));
411     }
412   else if (ehdr->e_phnum == 0)
413     ERROR (_("invalid number of program header entries\n"));
414 
415   /* Check the e_shoff field.  */
416   shnum = ehdr->e_shnum;
417   shstrndx = ehdr->e_shstrndx;
418   if (ehdr->e_shoff == 0)
419     {
420       if (ehdr->e_shnum != 0)
421 	ERROR (_("invalid section header table offset\n"));
422       else if (ehdr->e_type != ET_EXEC && ehdr->e_type != ET_DYN
423 	       && ehdr->e_type != ET_CORE)
424 	ERROR (_("section header table must be present\n"));
425     }
426   else
427     {
428       if (ehdr->e_shnum == 0)
429 	{
430 	  /* Get the header of the zeroth section.  The sh_size field
431 	     might contain the section number.  */
432 	  GElf_Shdr shdr_mem;
433 	  GElf_Shdr *shdr = gelf_getshdr (elf_getscn (ebl->elf, 0), &shdr_mem);
434 	  if (shdr != NULL)
435 	    {
436 	      /* The error will be reported later.  */
437 	      if (shdr->sh_size == 0)
438 		ERROR (_("\
439 invalid number of section header table entries\n"));
440 	      else
441 		shnum = shdr->sh_size;
442 	    }
443 	}
444 
445       if (ehdr->e_shstrndx == SHN_XINDEX)
446 	{
447 	  /* Get the header of the zeroth section.  The sh_size field
448 	     might contain the section number.  */
449 	  GElf_Shdr shdr_mem;
450 	  GElf_Shdr *shdr = gelf_getshdr (elf_getscn (ebl->elf, 0), &shdr_mem);
451 	  if (shdr != NULL && shdr->sh_link < shnum)
452 	    shstrndx = shdr->sh_link;
453 	}
454       else if (shstrndx >= shnum)
455 	ERROR (_("invalid section header index\n"));
456     }
457 
458   /* Check the shdrs actually exist.  And uncompress them before
459      further checking.  Indexes between sections reference the
460      uncompressed data.  */
461   unsigned int scnt;
462   Elf_Scn *scn = NULL;
463   for (scnt = 1; scnt < shnum; ++scnt)
464      {
465 	scn = elf_nextscn (ebl->elf, scn);
466 	if (scn == NULL)
467 	  break;
468 	/* If the section wasn't compressed this does nothing, but
469 	   returns an error.  We don't care.  */
470 	if (elf_compress (scn, 0, 0) < 0) { ; }
471      }
472   if (scnt < shnum)
473     ERROR (_("Can only check %u headers, shnum was %u\n"), scnt, shnum);
474   shnum = scnt;
475 
476   phnum = ehdr->e_phnum;
477   if (ehdr->e_phnum == PN_XNUM)
478     {
479       /* Get the header of the zeroth section.  The sh_info field
480 	 might contain the phnum count.  */
481       GElf_Shdr shdr_mem;
482       GElf_Shdr *shdr = gelf_getshdr (elf_getscn (ebl->elf, 0), &shdr_mem);
483       if (shdr != NULL)
484 	{
485 	  /* The error will be reported later.  */
486 	  if (shdr->sh_info < PN_XNUM)
487 	    ERROR (_("\
488 invalid number of program header table entries\n"));
489 	  else
490 	    phnum = shdr->sh_info;
491 	}
492     }
493 
494   /* Check the phdrs actually exist. */
495   unsigned int pcnt;
496   for (pcnt = 0; pcnt < phnum; ++pcnt)
497      {
498 	GElf_Phdr phdr_mem;
499 	GElf_Phdr *phdr = gelf_getphdr (ebl->elf, pcnt, &phdr_mem);
500 	if (phdr == NULL)
501 	  break;
502      }
503   if (pcnt < phnum)
504     ERROR (_("Can only check %u headers, phnum was %u\n"), pcnt, phnum);
505   phnum = pcnt;
506 
507   /* Check the e_flags field.  */
508   if (!ebl_machine_flag_check (ebl, ehdr->e_flags))
509     ERROR (_("invalid machine flags: %s\n"),
510 	   ebl_machine_flag_name (ebl, ehdr->e_flags, buf, sizeof (buf)));
511 
512   /* Check e_ehsize, e_phentsize, and e_shentsize fields.  */
513   if (gelf_getclass (ebl->elf) == ELFCLASS32)
514     {
515       if (ehdr->e_ehsize != 0 && ehdr->e_ehsize != sizeof (Elf32_Ehdr))
516 	ERROR (_("invalid ELF header size: %hd\n"), ehdr->e_ehsize);
517 
518       if (ehdr->e_phentsize != 0 && ehdr->e_phentsize != sizeof (Elf32_Phdr))
519 	ERROR (_("invalid program header size: %hd\n"),
520 	       ehdr->e_phentsize);
521       else if (ehdr->e_phoff + phnum * ehdr->e_phentsize > size)
522 	ERROR (_("invalid program header position or size\n"));
523 
524       if (ehdr->e_shentsize != 0 && ehdr->e_shentsize != sizeof (Elf32_Shdr))
525 	ERROR (_("invalid section header size: %hd\n"),
526 	       ehdr->e_shentsize);
527       else if (ehdr->e_shoff + shnum * ehdr->e_shentsize > size)
528 	ERROR (_("invalid section header position or size\n"));
529     }
530   else if (gelf_getclass (ebl->elf) == ELFCLASS64)
531     {
532       if (ehdr->e_ehsize != 0 && ehdr->e_ehsize != sizeof (Elf64_Ehdr))
533 	ERROR (_("invalid ELF header size: %hd\n"), ehdr->e_ehsize);
534 
535       if (ehdr->e_phentsize != 0 && ehdr->e_phentsize != sizeof (Elf64_Phdr))
536 	ERROR (_("invalid program header size: %hd\n"),
537 	       ehdr->e_phentsize);
538       else if (ehdr->e_phoff + phnum * ehdr->e_phentsize > size)
539 	ERROR (_("invalid program header position or size\n"));
540 
541       if (ehdr->e_shentsize != 0 && ehdr->e_shentsize != sizeof (Elf64_Shdr))
542 	ERROR (_("invalid section header size: %hd\n"),
543 	       ehdr->e_shentsize);
544       else if (ehdr->e_shoff + shnum * ehdr->e_shentsize > size)
545 	ERROR (_("invalid section header position or size\n"));
546     }
547 }
548 
549 
550 /* Check that there is a section group section with index < IDX which
551    contains section IDX and that there is exactly one.  */
552 static void
check_scn_group(Ebl * ebl,int idx)553 check_scn_group (Ebl *ebl, int idx)
554 {
555   if (scnref[idx] == 0)
556     {
557       /* No reference so far.  Search following sections, maybe the
558 	 order is wrong.  */
559       size_t cnt;
560 
561       for (cnt = idx + 1; cnt < shnum; ++cnt)
562 	{
563 	  Elf_Scn *scn = elf_getscn (ebl->elf, cnt);
564 	  GElf_Shdr shdr_mem;
565 	  GElf_Shdr *shdr = gelf_getshdr (scn, &shdr_mem);
566 	  if (shdr == NULL)
567 	    /* We cannot get the section header so we cannot check it.
568 	       The error to get the section header will be shown
569 	       somewhere else.  */
570 	    continue;
571 
572 	  if (shdr->sh_type != SHT_GROUP)
573 	    continue;
574 
575 	  Elf_Data *data = elf_getdata (scn, NULL);
576 	  if (data == NULL || data->d_buf == NULL
577 	      || data->d_size < sizeof (Elf32_Word))
578 	    /* Cannot check the section.  */
579 	    continue;
580 
581 	  Elf32_Word *grpdata = (Elf32_Word *) data->d_buf;
582 	  for (size_t inner = 1; inner < data->d_size / sizeof (Elf32_Word);
583 	       ++inner)
584 	    if (grpdata[inner] == (Elf32_Word) idx)
585 	      goto out;
586 	}
587 
588     out:
589       if (cnt == shnum)
590 	ERROR (_("\
591 section [%2d] '%s': section with SHF_GROUP flag set not part of a section group\n"),
592 	       idx, section_name (ebl, idx));
593       else
594 	ERROR (_("\
595 section [%2d] '%s': section group [%2zu] '%s' does not precede group member\n"),
596 	       idx, section_name (ebl, idx),
597 	       cnt, section_name (ebl, cnt));
598     }
599 }
600 
601 
602 static void
check_symtab(Ebl * ebl,GElf_Ehdr * ehdr,GElf_Shdr * shdr,int idx)603 check_symtab (Ebl *ebl, GElf_Ehdr *ehdr, GElf_Shdr *shdr, int idx)
604 {
605   bool no_xndx_warned = false;
606   int no_pt_tls = 0;
607   Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
608   if (data == NULL)
609     {
610       ERROR (_("section [%2d] '%s': cannot get section data\n"),
611 	     idx, section_name (ebl, idx));
612       return;
613     }
614 
615   GElf_Shdr strshdr_mem;
616   GElf_Shdr *strshdr = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
617 				     &strshdr_mem);
618   if (strshdr == NULL)
619     return;
620 
621   if (strshdr->sh_type != SHT_STRTAB)
622     {
623       ERROR (_("section [%2d] '%s': referenced as string table for section [%2d] '%s' but type is not SHT_STRTAB\n"),
624 	     shdr->sh_link, section_name (ebl, shdr->sh_link),
625 	     idx, section_name (ebl, idx));
626       strshdr = NULL;
627     }
628 
629   /* Search for an extended section index table section.  */
630   Elf_Data *xndxdata = NULL;
631   Elf32_Word xndxscnidx = 0;
632   bool found_xndx = false;
633   for (size_t cnt = 1; cnt < shnum; ++cnt)
634     if (cnt != (size_t) idx)
635       {
636 	Elf_Scn *xndxscn = elf_getscn (ebl->elf, cnt);
637 	GElf_Shdr xndxshdr_mem;
638 	GElf_Shdr *xndxshdr = gelf_getshdr (xndxscn, &xndxshdr_mem);
639 	if (xndxshdr == NULL)
640 	  continue;
641 
642 	if (xndxshdr->sh_type == SHT_SYMTAB_SHNDX
643 	    && xndxshdr->sh_link == (GElf_Word) idx)
644 	  {
645 	    if (found_xndx)
646 	      ERROR (_("\
647 section [%2d] '%s': symbol table cannot have more than one extended index section\n"),
648 		     idx, section_name (ebl, idx));
649 
650 	    xndxdata = elf_getdata (xndxscn, NULL);
651 	    xndxscnidx = elf_ndxscn (xndxscn);
652 	    found_xndx = true;
653 	  }
654       }
655 
656   size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_SYM, 1, EV_CURRENT);
657   if (shdr->sh_entsize != sh_entsize)
658     ERROR (_("\
659 section [%2u] '%s': entry size is does not match ElfXX_Sym\n"),
660 	   idx, section_name (ebl, idx));
661   else if (shdr->sh_info > shdr->sh_size / sh_entsize)
662     ERROR (_("\
663 section [%2u] '%s': number of local entries in 'st_info' larger than table size\n"),
664 	   idx, section_name (ebl, idx));
665 
666   /* Test the zeroth entry.  */
667   GElf_Sym sym_mem;
668   Elf32_Word xndx;
669   GElf_Sym *sym = gelf_getsymshndx (data, xndxdata, 0, &sym_mem, &xndx);
670   if (sym == NULL)
671       ERROR (_("section [%2d] '%s': cannot get symbol %d: %s\n"),
672 	     idx, section_name (ebl, idx), 0, elf_errmsg (-1));
673   else
674     {
675       if (sym->st_name != 0)
676 	ERROR (_("section [%2d] '%s': '%s' in zeroth entry not zero\n"),
677 	       idx, section_name (ebl, idx), "st_name");
678       if (sym->st_value != 0)
679 	ERROR (_("section [%2d] '%s': '%s' in zeroth entry not zero\n"),
680 	       idx, section_name (ebl, idx), "st_value");
681       if (sym->st_size != 0)
682 	ERROR (_("section [%2d] '%s': '%s' in zeroth entry not zero\n"),
683 	       idx, section_name (ebl, idx), "st_size");
684       if (sym->st_info != 0)
685 	ERROR (_("section [%2d] '%s': '%s' in zeroth entry not zero\n"),
686 	       idx, section_name (ebl, idx), "st_info");
687       if (sym->st_other != 0)
688 	ERROR (_("section [%2d] '%s': '%s' in zeroth entry not zero\n"),
689 	       idx, section_name (ebl, idx), "st_other");
690       if (sym->st_shndx != 0)
691 	ERROR (_("section [%2d] '%s': '%s' in zeroth entry not zero\n"),
692 	       idx, section_name (ebl, idx), "st_shndx");
693       if (xndxdata != NULL && xndx != 0)
694 	ERROR (_("\
695 section [%2d] '%s': XINDEX for zeroth entry not zero\n"),
696 	       xndxscnidx, section_name (ebl, xndxscnidx));
697     }
698 
699   for (size_t cnt = 1; cnt < shdr->sh_size / sh_entsize; ++cnt)
700     {
701       sym = gelf_getsymshndx (data, xndxdata, cnt, &sym_mem, &xndx);
702       if (sym == NULL)
703 	{
704 	  ERROR (_("section [%2d] '%s': cannot get symbol %zu: %s\n"),
705 		 idx, section_name (ebl, idx), cnt, elf_errmsg (-1));
706 	  continue;
707 	}
708 
709       const char *name = "<invalid>";
710       if (strshdr == NULL)
711 	name = "";
712       else if (sym->st_name >= strshdr->sh_size)
713 	ERROR (_("\
714 section [%2d] '%s': symbol %zu: invalid name value\n"),
715 	       idx, section_name (ebl, idx), cnt);
716       else
717 	{
718 	  name = elf_strptr (ebl->elf, shdr->sh_link, sym->st_name);
719 	  if (name == NULL)
720 	    name = "";
721 	}
722 
723       if (sym->st_shndx == SHN_XINDEX)
724 	{
725 	  if (xndxdata == NULL)
726 	    {
727 	      if (!no_xndx_warned)
728 		ERROR (_("\
729 section [%2d] '%s': symbol %zu (%s): too large section index but no extended section index section\n"),
730 		       idx, section_name (ebl, idx), cnt, name);
731 	      no_xndx_warned = true;
732 	    }
733 	  else if (xndx < SHN_LORESERVE)
734 	    ERROR (_("\
735 section [%2d] '%s': symbol %zu (%s): XINDEX used for index which would fit in st_shndx (%" PRIu32 ")\n"),
736 		   xndxscnidx, section_name (ebl, xndxscnidx), cnt, name,
737 		   xndx);
738 	}
739       else if ((sym->st_shndx >= SHN_LORESERVE
740 		// && sym->st_shndx <= SHN_HIRESERVE    always true
741 		&& sym->st_shndx != SHN_ABS
742 		&& sym->st_shndx != SHN_COMMON)
743 	       || (sym->st_shndx >= shnum
744 		   && (sym->st_shndx < SHN_LORESERVE
745 		       /* || sym->st_shndx > SHN_HIRESERVE  always false */)))
746 	ERROR (_("\
747 section [%2d] '%s': symbol %zu (%s): invalid section index\n"),
748 	       idx, section_name (ebl, idx), cnt, name);
749       else
750 	xndx = sym->st_shndx;
751 
752       if (GELF_ST_TYPE (sym->st_info) >= STT_NUM
753 	  && !ebl_symbol_type_name (ebl, GELF_ST_TYPE (sym->st_info), NULL, 0))
754 	ERROR (_("section [%2d] '%s': symbol %zu (%s): unknown type\n"),
755 	       idx, section_name (ebl, idx), cnt, name);
756 
757       if (GELF_ST_BIND (sym->st_info) >= STB_NUM
758 	  && !ebl_symbol_binding_name (ebl, GELF_ST_BIND (sym->st_info), NULL,
759 				       0))
760 	ERROR (_("\
761 section [%2d] '%s': symbol %zu (%s): unknown symbol binding\n"),
762 	       idx, section_name (ebl, idx), cnt, name);
763       if (GELF_ST_BIND (sym->st_info) == STB_GNU_UNIQUE
764 	  && GELF_ST_TYPE (sym->st_info) != STT_OBJECT)
765 	ERROR (_("\
766 section [%2d] '%s': symbol %zu (%s): unique symbol not of object type\n"),
767 	       idx, section_name (ebl, idx), cnt, name);
768 
769       if (xndx == SHN_COMMON)
770 	{
771 	  /* Common symbols can only appear in relocatable files.  */
772 	  if (ehdr->e_type != ET_REL)
773 	    ERROR (_("\
774 section [%2d] '%s': symbol %zu (%s): COMMON only allowed in relocatable files\n"),
775 		   idx, section_name (ebl, idx), cnt, name);
776 	  if (cnt < shdr->sh_info)
777 	    ERROR (_("\
778 section [%2d] '%s': symbol %zu (%s): local COMMON symbols are nonsense\n"),
779 		   idx, section_name (ebl, idx), cnt, name);
780 	  if (GELF_R_TYPE (sym->st_info) == STT_FUNC)
781 	    ERROR (_("\
782 section [%2d] '%s': symbol %zu (%s): function in COMMON section is nonsense\n"),
783 		   idx, section_name (ebl, idx), cnt, name);
784 	}
785       else if (xndx > 0 && xndx < shnum)
786 	{
787 	  GElf_Shdr destshdr_mem;
788 	  GElf_Shdr *destshdr;
789 
790 	  destshdr = gelf_getshdr (elf_getscn (ebl->elf, xndx), &destshdr_mem);
791 	  if (destshdr != NULL)
792 	    {
793 	      GElf_Addr sh_addr = (ehdr->e_type == ET_REL ? 0
794 				   : destshdr->sh_addr);
795 	      GElf_Addr st_value;
796 	      if (GELF_ST_TYPE (sym->st_info) == STT_FUNC
797 		  || (GELF_ST_TYPE (sym->st_info) == STT_GNU_IFUNC))
798 		st_value = sym->st_value & ebl_func_addr_mask (ebl);
799 	      else
800 		st_value = sym->st_value;
801 	      if (GELF_ST_TYPE (sym->st_info) != STT_TLS)
802 		{
803 		  if (! ebl_check_special_symbol (ebl, sym, name,
804 						  destshdr))
805 		    {
806 		      if (st_value - sh_addr > destshdr->sh_size)
807 			{
808 			  /* GNU ld has severe bugs.  When it decides to remove
809 			     empty sections it leaves symbols referencing them
810 			     behind.  These are symbols in .symtab or .dynsym
811 			     and for the named symbols have zero size.  See
812 			     sourceware PR13621.  */
813 			  if (!gnuld
814 			      || (strcmp (section_name (ebl, idx), ".symtab")
815 			          && strcmp (section_name (ebl, idx),
816 					     ".dynsym"))
817 			      || sym->st_size != 0
818 			      || (strcmp (name, "__preinit_array_start") != 0
819 				  && strcmp (name, "__preinit_array_end") != 0
820 				  && strcmp (name, "__init_array_start") != 0
821 				  && strcmp (name, "__init_array_end") != 0
822 				  && strcmp (name, "__fini_array_start") != 0
823 				  && strcmp (name, "__fini_array_end") != 0
824 				  && strcmp (name, "__bss_start") != 0
825 				  && strcmp (name, "__bss_start__") != 0
826 				  && strcmp (name, "__TMC_END__") != 0
827 				  && strcmp (name, ".TOC.") != 0
828 				  && strcmp (name, "_edata") != 0
829 				  && strcmp (name, "__edata") != 0
830 				  && strcmp (name, "_end") != 0
831 				  && strcmp (name, "__end") != 0))
832 			    ERROR (_("\
833 section [%2d] '%s': symbol %zu (%s): st_value out of bounds\n"),
834 				   idx, section_name (ebl, idx), cnt, name);
835 			}
836 		      else if ((st_value - sh_addr
837 				+ sym->st_size) > destshdr->sh_size)
838 			ERROR (_("\
839 section [%2d] '%s': symbol %zu (%s) does not fit completely in referenced section [%2d] '%s'\n"),
840 			       idx, section_name (ebl, idx), cnt, name,
841 			       (int) xndx, section_name (ebl, xndx));
842 		    }
843 		}
844 	      else
845 		{
846 		  if ((destshdr->sh_flags & SHF_TLS) == 0)
847 		    ERROR (_("\
848 section [%2d] '%s': symbol %zu (%s): referenced section [%2d] '%s' does not have SHF_TLS flag set\n"),
849 			   idx, section_name (ebl, idx), cnt, name,
850 			   (int) xndx, section_name (ebl, xndx));
851 
852 		  if (ehdr->e_type == ET_REL)
853 		    {
854 		      /* For object files the symbol value must fall
855 			 into the section.  */
856 		      if (st_value > destshdr->sh_size)
857 			ERROR (_("\
858 section [%2d] '%s': symbol %zu (%s): st_value out of bounds of referenced section [%2d] '%s'\n"),
859 			       idx, section_name (ebl, idx), cnt, name,
860 			       (int) xndx, section_name (ebl, xndx));
861 		      else if (st_value + sym->st_size
862 			       > destshdr->sh_size)
863 			ERROR (_("\
864 section [%2d] '%s': symbol %zu (%s) does not fit completely in referenced section [%2d] '%s'\n"),
865 			       idx, section_name (ebl, idx), cnt, name,
866 			       (int) xndx, section_name (ebl, xndx));
867 		    }
868 		  else
869 		    {
870 		      GElf_Phdr phdr_mem;
871 		      GElf_Phdr *phdr = NULL;
872 		      unsigned int pcnt;
873 
874 		      for (pcnt = 0; pcnt < phnum; ++pcnt)
875 			{
876 			  phdr = gelf_getphdr (ebl->elf, pcnt, &phdr_mem);
877 			  if (phdr != NULL && phdr->p_type == PT_TLS)
878 			    break;
879 			}
880 
881 		      if (pcnt == phnum)
882 			{
883 			  if (no_pt_tls++ == 0)
884 			    ERROR (_("\
885 section [%2d] '%s': symbol %zu (%s): TLS symbol but no TLS program header entry\n"),
886 				   idx, section_name (ebl, idx), cnt, name);
887 			}
888 		      else if (phdr == NULL)
889 			{
890 			    ERROR (_("\
891 section [%2d] '%s': symbol %zu (%s): TLS symbol but couldn't get TLS program header entry\n"),
892 				   idx, section_name (ebl, idx), cnt, name);
893 			}
894 		      else if (!is_debuginfo)
895 			{
896 			  if (st_value
897 			      < destshdr->sh_offset - phdr->p_offset)
898 			    ERROR (_("\
899 section [%2d] '%s': symbol %zu (%s): st_value short of referenced section [%2d] '%s'\n"),
900 				   idx, section_name (ebl, idx), cnt, name,
901 				   (int) xndx, section_name (ebl, xndx));
902 			  else if (st_value
903 				   > (destshdr->sh_offset - phdr->p_offset
904 				      + destshdr->sh_size))
905 			    ERROR (_("\
906 section [%2d] '%s': symbol %zu (%s): st_value out of bounds of referenced section [%2d] '%s'\n"),
907 				   idx, section_name (ebl, idx), cnt, name,
908 				   (int) xndx, section_name (ebl, xndx));
909 			  else if (st_value + sym->st_size
910 				   > (destshdr->sh_offset - phdr->p_offset
911 				      + destshdr->sh_size))
912 			    ERROR (_("\
913 section [%2d] '%s': symbol %zu (%s) does not fit completely in referenced section [%2d] '%s'\n"),
914 				   idx, section_name (ebl, idx), cnt, name,
915 				   (int) xndx, section_name (ebl, xndx));
916 			}
917 		    }
918 		}
919 	    }
920 	}
921 
922       if (GELF_ST_BIND (sym->st_info) == STB_LOCAL)
923 	{
924 	  if (cnt >= shdr->sh_info)
925 	    ERROR (_("\
926 section [%2d] '%s': symbol %zu (%s): local symbol outside range described in sh_info\n"),
927 		   idx, section_name (ebl, idx), cnt, name);
928 	}
929       else
930 	{
931 	  if (cnt < shdr->sh_info)
932 	    ERROR (_("\
933 section [%2d] '%s': symbol %zu (%s): non-local symbol outside range described in sh_info\n"),
934 		   idx, section_name (ebl, idx), cnt, name);
935 	}
936 
937       if (GELF_ST_TYPE (sym->st_info) == STT_SECTION
938 	  && GELF_ST_BIND (sym->st_info) != STB_LOCAL)
939 	ERROR (_("\
940 section [%2d] '%s': symbol %zu (%s): non-local section symbol\n"),
941 	       idx, section_name (ebl, idx), cnt, name);
942 
943       if (name != NULL)
944 	{
945 	  if (strcmp (name, "_GLOBAL_OFFSET_TABLE_") == 0)
946 	    {
947 	      /* Check that address and size match the global offset table.  */
948 
949 	      GElf_Shdr destshdr_mem;
950 	      GElf_Shdr *destshdr = gelf_getshdr (elf_getscn (ebl->elf, xndx),
951 						  &destshdr_mem);
952 
953 	      if (destshdr == NULL && xndx == SHN_ABS)
954 		{
955 		  /* In a DSO, we have to find the GOT section by name.  */
956 		  Elf_Scn *gotscn = NULL;
957 		  Elf_Scn *gscn = NULL;
958 		  while ((gscn = elf_nextscn (ebl->elf, gscn)) != NULL)
959 		    {
960 		      destshdr = gelf_getshdr (gscn, &destshdr_mem);
961 		      assert (destshdr != NULL);
962 		      const char *sname = elf_strptr (ebl->elf,
963 						      shstrndx,
964 						      destshdr->sh_name);
965 		      if (sname != NULL)
966 			{
967 			  if (strcmp (sname, ".got.plt") == 0)
968 			    break;
969 			  if (strcmp (sname, ".got") == 0)
970 			    /* Do not stop looking.
971 			       There might be a .got.plt section.  */
972 			    gotscn = gscn;
973 			}
974 
975 		      destshdr = NULL;
976 		    }
977 
978 		  if (destshdr == NULL && gotscn != NULL)
979 		    destshdr = gelf_getshdr (gotscn, &destshdr_mem);
980 		}
981 
982 	      const char *sname = ((destshdr == NULL || xndx == SHN_UNDEF)
983 				   ? NULL
984 				   : elf_strptr (ebl->elf, shstrndx,
985 						 destshdr->sh_name));
986 	      if (sname == NULL)
987 		{
988 		  if (xndx != SHN_UNDEF || ehdr->e_type != ET_REL)
989 		    ERROR (_("\
990 section [%2d] '%s': _GLOBAL_OFFSET_TABLE_ symbol refers to \
991 bad section [%2d]\n"),
992 			   idx, section_name (ebl, idx), xndx);
993 		}
994 	      else if (strcmp (sname, ".got.plt") != 0
995 		       && strcmp (sname, ".got") != 0)
996 		ERROR (_("\
997 section [%2d] '%s': _GLOBAL_OFFSET_TABLE_ symbol refers to \
998 section [%2d] '%s'\n"),
999 		       idx, section_name (ebl, idx), xndx, sname);
1000 
1001 	      if (destshdr != NULL)
1002 		{
1003 		  /* Found it.  */
1004 		  if (!ebl_check_special_symbol (ebl, sym, name,
1005 						 destshdr))
1006 		    {
1007 		      if (ehdr->e_type != ET_REL
1008 			  && sym->st_value != destshdr->sh_addr)
1009 			/* This test is more strict than the psABIs which
1010 			   usually allow the symbol to be in the middle of
1011 			   the .got section, allowing negative offsets.  */
1012 			ERROR (_("\
1013 section [%2d] '%s': _GLOBAL_OFFSET_TABLE_ symbol value %#" PRIx64 " does not match %s section address %#" PRIx64 "\n"),
1014 			       idx, section_name (ebl, idx),
1015 			       (uint64_t) sym->st_value,
1016 			       sname, (uint64_t) destshdr->sh_addr);
1017 
1018 		      if (!gnuld && sym->st_size != destshdr->sh_size)
1019 			ERROR (_("\
1020 section [%2d] '%s': _GLOBAL_OFFSET_TABLE_ symbol size %" PRIu64 " does not match %s section size %" PRIu64 "\n"),
1021 			       idx, section_name (ebl, idx),
1022 			       (uint64_t) sym->st_size,
1023 			       sname, (uint64_t) destshdr->sh_size);
1024 		    }
1025 		}
1026 	      else
1027 		ERROR (_("\
1028 section [%2d] '%s': _GLOBAL_OFFSET_TABLE_ symbol present, but no .got section\n"),
1029 		       idx, section_name (ebl, idx));
1030 	    }
1031 	  else if (strcmp (name, "_DYNAMIC") == 0)
1032 	    /* Check that address and size match the dynamic section.
1033 	       We locate the dynamic section via the program header
1034 	       entry.  */
1035 	    for (unsigned int pcnt = 0; pcnt < phnum; ++pcnt)
1036 	      {
1037 		GElf_Phdr phdr_mem;
1038 		GElf_Phdr *phdr = gelf_getphdr (ebl->elf, pcnt, &phdr_mem);
1039 
1040 		if (phdr != NULL && phdr->p_type == PT_DYNAMIC)
1041 		  {
1042 		    if (sym->st_value != phdr->p_vaddr)
1043 		      ERROR (_("\
1044 section [%2d] '%s': _DYNAMIC_ symbol value %#" PRIx64 " does not match dynamic segment address %#" PRIx64 "\n"),
1045 			     idx, section_name (ebl, idx),
1046 			     (uint64_t) sym->st_value,
1047 			     (uint64_t) phdr->p_vaddr);
1048 
1049 		    if (!gnuld && sym->st_size != phdr->p_memsz)
1050 		      ERROR (_("\
1051 section [%2d] '%s': _DYNAMIC symbol size %" PRIu64 " does not match dynamic segment size %" PRIu64 "\n"),
1052 			     idx, section_name (ebl, idx),
1053 			     (uint64_t) sym->st_size,
1054 			     (uint64_t) phdr->p_memsz);
1055 
1056 		    break;
1057 		  }
1058 	    }
1059 	}
1060 
1061       if (GELF_ST_VISIBILITY (sym->st_other) != STV_DEFAULT
1062 	  && shdr->sh_type == SHT_DYNSYM)
1063 	ERROR (_("\
1064 section [%2d] '%s': symbol %zu (%s): symbol in dynamic symbol table with non-default visibility\n"),
1065 	       idx, section_name (ebl, idx), cnt, name);
1066       if (! ebl_check_st_other_bits (ebl, sym->st_other))
1067 	ERROR (_("\
1068 section [%2d] '%s': symbol %zu (%s): unknown bit set in st_other\n"),
1069 	       idx, section_name (ebl, idx), cnt, name);
1070 
1071     }
1072 }
1073 
1074 
1075 static bool
is_rel_dyn(Ebl * ebl,const GElf_Ehdr * ehdr,int idx,const GElf_Shdr * shdr,bool is_rela)1076 is_rel_dyn (Ebl *ebl, const GElf_Ehdr *ehdr, int idx, const GElf_Shdr *shdr,
1077 	    bool is_rela)
1078 {
1079   /* If this is no executable or DSO it cannot be a .rel.dyn section.  */
1080   if (ehdr->e_type != ET_EXEC && ehdr->e_type != ET_DYN)
1081     return false;
1082 
1083   /* Check the section name.  Unfortunately necessary.  */
1084   if (strcmp (section_name (ebl, idx), is_rela ? ".rela.dyn" : ".rel.dyn"))
1085     return false;
1086 
1087   /* When a .rel.dyn section is used a DT_RELCOUNT dynamic section
1088      entry can be present as well.  */
1089   Elf_Scn *scn = NULL;
1090   while ((scn = elf_nextscn (ebl->elf, scn)) != NULL)
1091     {
1092       GElf_Shdr rcshdr_mem;
1093       const GElf_Shdr *rcshdr = gelf_getshdr (scn, &rcshdr_mem);
1094 
1095       if (rcshdr == NULL)
1096 	break;
1097 
1098       if (rcshdr->sh_type == SHT_DYNAMIC && rcshdr->sh_entsize != 0)
1099 	{
1100 	  /* Found the dynamic section.  Look through it.  */
1101 	  Elf_Data *d = elf_getdata (scn, NULL);
1102 	  size_t cnt;
1103 
1104 	  if (d == NULL)
1105 	    ERROR (_("\
1106 section [%2d] '%s': cannot get section data.\n"),
1107 		   idx, section_name (ebl, idx));
1108 
1109 	  for (cnt = 1; cnt < rcshdr->sh_size / rcshdr->sh_entsize; ++cnt)
1110 	    {
1111 	      GElf_Dyn dyn_mem;
1112 	      GElf_Dyn *dyn = gelf_getdyn (d, cnt, &dyn_mem);
1113 
1114 	      if (dyn == NULL)
1115 		break;
1116 
1117 	      if (dyn->d_tag == DT_RELCOUNT)
1118 		{
1119 		  /* Found it.  Does the type match.  */
1120 		  if (is_rela)
1121 		    ERROR (_("\
1122 section [%2d] '%s': DT_RELCOUNT used for this RELA section\n"),
1123 			   idx, section_name (ebl, idx));
1124 		  else
1125 		    {
1126 		      /* Does the number specified number of relative
1127 			 relocations exceed the total number of
1128 			 relocations?  */
1129 		      if (shdr->sh_entsize != 0
1130 			  && dyn->d_un.d_val > (shdr->sh_size
1131 						/ shdr->sh_entsize))
1132 			ERROR (_("\
1133 section [%2d] '%s': DT_RELCOUNT value %d too high for this section\n"),
1134 			       idx, section_name (ebl, idx),
1135 			       (int) dyn->d_un.d_val);
1136 
1137 		      /* Make sure the specified number of relocations are
1138 			 relative.  */
1139 		      Elf_Data *reldata = elf_getdata (elf_getscn (ebl->elf,
1140 								   idx), NULL);
1141 		      if (reldata != NULL && shdr->sh_entsize != 0)
1142 			for (size_t inner = 0;
1143 			     inner < shdr->sh_size / shdr->sh_entsize;
1144 			     ++inner)
1145 			  {
1146 			    GElf_Rel rel_mem;
1147 			    GElf_Rel *rel = gelf_getrel (reldata, inner,
1148 							 &rel_mem);
1149 			    if (rel == NULL)
1150 			      /* The problem will be reported elsewhere.  */
1151 			      break;
1152 
1153 			    if (ebl_relative_reloc_p (ebl,
1154 						      GELF_R_TYPE (rel->r_info)))
1155 			      {
1156 				if (inner >= dyn->d_un.d_val)
1157 				  ERROR (_("\
1158 section [%2d] '%s': relative relocations after index %d as specified by DT_RELCOUNT\n"),
1159 					 idx, section_name (ebl, idx),
1160 					 (int) dyn->d_un.d_val);
1161 			      }
1162 			    else if (inner < dyn->d_un.d_val)
1163 			      ERROR (_("\
1164 section [%2d] '%s': non-relative relocation at index %zu; DT_RELCOUNT specified %d relative relocations\n"),
1165 				     idx, section_name (ebl, idx),
1166 				     inner, (int) dyn->d_un.d_val);
1167 			  }
1168 		    }
1169 		}
1170 
1171 	      if (dyn->d_tag == DT_RELACOUNT)
1172 		{
1173 		  /* Found it.  Does the type match.  */
1174 		  if (!is_rela)
1175 		    ERROR (_("\
1176 section [%2d] '%s': DT_RELACOUNT used for this REL section\n"),
1177 			   idx, section_name (ebl, idx));
1178 		  else
1179 		    {
1180 		      /* Does the number specified number of relative
1181 			 relocations exceed the total number of
1182 			 relocations?  */
1183 		      if (shdr->sh_entsize != 0
1184 			  && dyn->d_un.d_val > shdr->sh_size / shdr->sh_entsize)
1185 			ERROR (_("\
1186 section [%2d] '%s': DT_RELCOUNT value %d too high for this section\n"),
1187 			       idx, section_name (ebl, idx),
1188 			       (int) dyn->d_un.d_val);
1189 
1190 		      /* Make sure the specified number of relocations are
1191 			 relative.  */
1192 		      Elf_Data *reldata = elf_getdata (elf_getscn (ebl->elf,
1193 								   idx), NULL);
1194 		      if (reldata != NULL && shdr->sh_entsize != 0)
1195 			for (size_t inner = 0;
1196 			     inner < shdr->sh_size / shdr->sh_entsize;
1197 			     ++inner)
1198 			  {
1199 			    GElf_Rela rela_mem;
1200 			    GElf_Rela *rela = gelf_getrela (reldata, inner,
1201 							    &rela_mem);
1202 			    if (rela == NULL)
1203 			      /* The problem will be reported elsewhere.  */
1204 			      break;
1205 
1206 			    if (ebl_relative_reloc_p (ebl,
1207 						      GELF_R_TYPE (rela->r_info)))
1208 			      {
1209 				if (inner >= dyn->d_un.d_val)
1210 				  ERROR (_("\
1211 section [%2d] '%s': relative relocations after index %d as specified by DT_RELCOUNT\n"),
1212 					 idx, section_name (ebl, idx),
1213 					 (int) dyn->d_un.d_val);
1214 			      }
1215 			    else if (inner < dyn->d_un.d_val)
1216 			      ERROR (_("\
1217 section [%2d] '%s': non-relative relocation at index %zu; DT_RELCOUNT specified %d relative relocations\n"),
1218 				     idx, section_name (ebl, idx),
1219 				     inner, (int) dyn->d_un.d_val);
1220 			  }
1221 		    }
1222 		}
1223 	    }
1224 
1225 	  break;
1226 	}
1227     }
1228 
1229   return true;
1230 }
1231 
1232 
1233 struct loaded_segment
1234 {
1235   GElf_Addr from;
1236   GElf_Addr to;
1237   bool read_only;
1238   struct loaded_segment *next;
1239 };
1240 
1241 
1242 /* Check whether binary has text relocation flag set.  */
1243 static bool textrel;
1244 
1245 /* Keep track of whether text relocation flag is needed.  */
1246 static bool needed_textrel;
1247 
1248 
1249 static bool
check_reloc_shdr(Ebl * ebl,const GElf_Ehdr * ehdr,const GElf_Shdr * shdr,int idx,int reltype,GElf_Shdr ** destshdrp,GElf_Shdr * destshdr_memp,struct loaded_segment ** loadedp)1250 check_reloc_shdr (Ebl *ebl, const GElf_Ehdr *ehdr, const GElf_Shdr *shdr,
1251 		  int idx, int reltype, GElf_Shdr **destshdrp,
1252 		  GElf_Shdr *destshdr_memp, struct loaded_segment **loadedp)
1253 {
1254   bool reldyn = false;
1255 
1256   /* Check whether the link to the section we relocate is reasonable.  */
1257   if (shdr->sh_info >= shnum)
1258     ERROR (_("section [%2d] '%s': invalid destination section index\n"),
1259 	   idx, section_name (ebl, idx));
1260   else if (shdr->sh_info != 0)
1261     {
1262       *destshdrp = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_info),
1263 				 destshdr_memp);
1264       if (*destshdrp != NULL)
1265 	{
1266 	  if(! ebl_check_reloc_target_type (ebl, (*destshdrp)->sh_type))
1267 	    {
1268 	      reldyn = is_rel_dyn (ebl, ehdr, idx, shdr, true);
1269 	      if (!reldyn)
1270 		ERROR (_("\
1271 section [%2d] '%s': invalid destination section type\n"),
1272 		       idx, section_name (ebl, idx));
1273 	      else
1274 		{
1275 		  /* There is no standard, but we require that .rel{,a}.dyn
1276 		     sections have a sh_info value of zero.  */
1277 		  if (shdr->sh_info != 0)
1278 		    ERROR (_("\
1279 section [%2d] '%s': sh_info should be zero\n"),
1280 			   idx, section_name (ebl, idx));
1281 		}
1282 	    }
1283 
1284 	  if ((((*destshdrp)->sh_flags & SHF_MERGE) != 0)
1285 	      && ((*destshdrp)->sh_flags & SHF_STRINGS) != 0)
1286 	    ERROR (_("\
1287 section [%2d] '%s': no relocations for merge-able string sections possible\n"),
1288 		   idx, section_name (ebl, idx));
1289 	}
1290     }
1291 
1292   size_t sh_entsize = gelf_fsize (ebl->elf, reltype, 1, EV_CURRENT);
1293   if (shdr->sh_entsize != sh_entsize)
1294     ERROR (_(reltype == ELF_T_RELA ? "\
1295 section [%2d] '%s': section entry size does not match ElfXX_Rela\n" : "\
1296 section [%2d] '%s': section entry size does not match ElfXX_Rel\n"),
1297 	   idx, section_name (ebl, idx));
1298 
1299   /* In preparation of checking whether relocations are text
1300      relocations or not we need to determine whether the file is
1301      flagged to have text relocation and we need to determine a) what
1302      the loaded segments are and b) which are read-only.  This will
1303      also allow us to determine whether the same reloc section is
1304      modifying loaded and not loaded segments.  */
1305   for (unsigned int i = 0; i < phnum; ++i)
1306     {
1307       GElf_Phdr phdr_mem;
1308       GElf_Phdr *phdr = gelf_getphdr (ebl->elf, i, &phdr_mem);
1309       if (phdr == NULL)
1310 	continue;
1311 
1312       if (phdr->p_type == PT_LOAD)
1313 	{
1314 	  struct loaded_segment *newp = xmalloc (sizeof (*newp));
1315 	  newp->from = phdr->p_vaddr;
1316 	  newp->to = phdr->p_vaddr + phdr->p_memsz;
1317 	  newp->read_only = (phdr->p_flags & PF_W) == 0;
1318 	  newp->next = *loadedp;
1319 	  *loadedp = newp;
1320 	}
1321       else if (phdr->p_type == PT_DYNAMIC)
1322 	{
1323 	  Elf_Scn *dynscn = gelf_offscn (ebl->elf, phdr->p_offset);
1324 	  GElf_Shdr dynshdr_mem;
1325 	  GElf_Shdr *dynshdr = gelf_getshdr (dynscn, &dynshdr_mem);
1326 	  Elf_Data *dyndata = elf_getdata (dynscn, NULL);
1327 	  if (dynshdr != NULL && dynshdr->sh_type == SHT_DYNAMIC
1328 	      && dyndata != NULL && dynshdr->sh_entsize != 0)
1329 	    for (size_t j = 0; j < dynshdr->sh_size / dynshdr->sh_entsize; ++j)
1330 	      {
1331 		GElf_Dyn dyn_mem;
1332 		GElf_Dyn *dyn = gelf_getdyn (dyndata, j, &dyn_mem);
1333 		if (dyn != NULL
1334 		    && (dyn->d_tag == DT_TEXTREL
1335 			|| (dyn->d_tag == DT_FLAGS
1336 			    && (dyn->d_un.d_val & DF_TEXTREL) != 0)))
1337 		  {
1338 		    textrel = true;
1339 		    break;
1340 		  }
1341 	      }
1342 	}
1343     }
1344 
1345   /* A quick test which can be easily done here (although it is a bit
1346      out of place): the text relocation flag makes only sense if there
1347      is a segment which is not writable.  */
1348   if (textrel)
1349     {
1350       struct loaded_segment *seg = *loadedp;
1351       while (seg != NULL && !seg->read_only)
1352 	seg = seg->next;
1353       if (seg == NULL)
1354 	ERROR (_("\
1355 text relocation flag set but there is no read-only segment\n"));
1356     }
1357 
1358   return reldyn;
1359 }
1360 
1361 
1362 enum load_state
1363   {
1364     state_undecided,
1365     state_loaded,
1366     state_unloaded,
1367     state_error
1368   };
1369 
1370 
1371 static void
check_one_reloc(Ebl * ebl,GElf_Ehdr * ehdr,GElf_Shdr * relshdr,int idx,size_t cnt,const GElf_Shdr * symshdr,Elf_Data * symdata,GElf_Addr r_offset,GElf_Xword r_info,const GElf_Shdr * destshdr,bool reldyn,struct loaded_segment * loaded,enum load_state * statep)1372 check_one_reloc (Ebl *ebl, GElf_Ehdr *ehdr, GElf_Shdr *relshdr, int idx,
1373 		 size_t cnt, const GElf_Shdr *symshdr, Elf_Data *symdata,
1374 		 GElf_Addr r_offset, GElf_Xword r_info,
1375 		 const GElf_Shdr *destshdr, bool reldyn,
1376 		 struct loaded_segment *loaded, enum load_state *statep)
1377 {
1378   bool known_broken = gnuld;
1379 
1380   if (!ebl_reloc_type_check (ebl, GELF_R_TYPE (r_info)))
1381     ERROR (_("section [%2d] '%s': relocation %zu: invalid type\n"),
1382 	   idx, section_name (ebl, idx), cnt);
1383   else if (((ehdr->e_type != ET_EXEC && ehdr->e_type != ET_DYN)
1384 	    /* The executable/DSO can contain relocation sections with
1385 	       all the relocations the linker has applied.  Those sections
1386 	       are marked non-loaded, though.  */
1387 	    || (relshdr->sh_flags & SHF_ALLOC) != 0)
1388 	   && !ebl_reloc_valid_use (ebl, GELF_R_TYPE (r_info)))
1389     ERROR (_("\
1390 section [%2d] '%s': relocation %zu: relocation type invalid for the file type\n"),
1391 	   idx, section_name (ebl, idx), cnt);
1392 
1393   if (symshdr != NULL
1394       && ((GELF_R_SYM (r_info) + 1)
1395 	  * gelf_fsize (ebl->elf, ELF_T_SYM, 1, EV_CURRENT)
1396 	  > symshdr->sh_size))
1397     ERROR (_("\
1398 section [%2d] '%s': relocation %zu: invalid symbol index\n"),
1399 	   idx, section_name (ebl, idx), cnt);
1400 
1401   /* No more tests if this is a no-op relocation.  */
1402   if (ebl_none_reloc_p (ebl, GELF_R_TYPE (r_info)))
1403     return;
1404 
1405   if (ebl_gotpc_reloc_check (ebl, GELF_R_TYPE (r_info)))
1406     {
1407       const char *name;
1408       char buf[64];
1409       GElf_Sym sym_mem;
1410       GElf_Sym *sym = gelf_getsym (symdata, GELF_R_SYM (r_info), &sym_mem);
1411       if (sym != NULL
1412 	  /* Get the name for the symbol.  */
1413 	  && (name = elf_strptr (ebl->elf, symshdr->sh_link, sym->st_name))
1414 	  && strcmp (name, "_GLOBAL_OFFSET_TABLE_") !=0 )
1415 	ERROR (_("\
1416 section [%2d] '%s': relocation %zu: only symbol '_GLOBAL_OFFSET_TABLE_' can be used with %s\n"),
1417 	       idx, section_name (ebl, idx), cnt,
1418 	       ebl_reloc_type_name (ebl, GELF_R_SYM (r_info),
1419 				    buf, sizeof (buf)));
1420     }
1421 
1422   if (reldyn)
1423     {
1424       // XXX TODO Check .rel.dyn section addresses.
1425     }
1426   else if (!known_broken)
1427     {
1428       if (destshdr != NULL
1429 	  && GELF_R_TYPE (r_info) != 0
1430 	  && (r_offset - (ehdr->e_type == ET_REL ? 0
1431 			  : destshdr->sh_addr)) >= destshdr->sh_size)
1432 	ERROR (_("\
1433 section [%2d] '%s': relocation %zu: offset out of bounds\n"),
1434 	       idx, section_name (ebl, idx), cnt);
1435     }
1436 
1437   GElf_Sym sym_mem;
1438   GElf_Sym *sym = gelf_getsym (symdata, GELF_R_SYM (r_info), &sym_mem);
1439 
1440   if (ebl_copy_reloc_p (ebl, GELF_R_TYPE (r_info))
1441       /* Make sure the referenced symbol is an object or unspecified.  */
1442       && sym != NULL
1443       && GELF_ST_TYPE (sym->st_info) != STT_NOTYPE
1444       && GELF_ST_TYPE (sym->st_info) != STT_OBJECT)
1445     {
1446       char buf[64];
1447       ERROR (_("section [%2d] '%s': relocation %zu: copy relocation against symbol of type %s\n"),
1448 	     idx, section_name (ebl, idx), cnt,
1449 	     ebl_symbol_type_name (ebl, GELF_ST_TYPE (sym->st_info),
1450 				   buf, sizeof (buf)));
1451     }
1452 
1453   if ((ehdr->e_type != ET_EXEC && ehdr->e_type != ET_DYN)
1454       || (relshdr->sh_flags & SHF_ALLOC) != 0)
1455     {
1456       bool in_loaded_seg = false;
1457       while (loaded != NULL)
1458 	{
1459 	  if (r_offset < loaded->to
1460 	      && r_offset + (sym == NULL ? 0 : sym->st_size) >= loaded->from)
1461 	    {
1462 	      /* The symbol is in this segment.  */
1463 	      if  (loaded->read_only)
1464 		{
1465 		  if (textrel)
1466 		    needed_textrel = true;
1467 		  else
1468 		    ERROR (_("section [%2d] '%s': relocation %zu: read-only section modified but text relocation flag not set\n"),
1469 			   idx, section_name (ebl, idx), cnt);
1470 		}
1471 
1472 	      in_loaded_seg = true;
1473 	    }
1474 
1475 	  loaded = loaded->next;
1476 	}
1477 
1478       if (*statep == state_undecided)
1479 	*statep = in_loaded_seg ? state_loaded : state_unloaded;
1480       else if ((*statep == state_unloaded && in_loaded_seg)
1481 	       || (*statep == state_loaded && !in_loaded_seg))
1482 	{
1483 	  ERROR (_("\
1484 section [%2d] '%s': relocations are against loaded and unloaded data\n"),
1485 		 idx, section_name (ebl, idx));
1486 	  *statep = state_error;
1487 	}
1488     }
1489 }
1490 
1491 
1492 static void
check_rela(Ebl * ebl,GElf_Ehdr * ehdr,GElf_Shdr * shdr,int idx)1493 check_rela (Ebl *ebl, GElf_Ehdr *ehdr, GElf_Shdr *shdr, int idx)
1494 {
1495   Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
1496   if (data == NULL)
1497     {
1498       ERROR (_("section [%2d] '%s': cannot get section data\n"),
1499 	     idx, section_name (ebl, idx));
1500       return;
1501     }
1502 
1503   /* Check the fields of the section header.  */
1504   GElf_Shdr destshdr_mem;
1505   GElf_Shdr *destshdr = NULL;
1506   struct loaded_segment *loaded = NULL;
1507   bool reldyn = check_reloc_shdr (ebl, ehdr, shdr, idx, ELF_T_RELA, &destshdr,
1508 				  &destshdr_mem, &loaded);
1509 
1510   Elf_Scn *symscn = elf_getscn (ebl->elf, shdr->sh_link);
1511   GElf_Shdr symshdr_mem;
1512   GElf_Shdr *symshdr = gelf_getshdr (symscn, &symshdr_mem);
1513   Elf_Data *symdata = elf_getdata (symscn, NULL);
1514   enum load_state state = state_undecided;
1515 
1516   size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_RELA, 1, EV_CURRENT);
1517   for (size_t cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt)
1518     {
1519       GElf_Rela rela_mem;
1520       GElf_Rela *rela = gelf_getrela (data, cnt, &rela_mem);
1521       if (rela == NULL)
1522 	{
1523 	  ERROR (_("\
1524 section [%2d] '%s': cannot get relocation %zu: %s\n"),
1525 		 idx, section_name (ebl, idx), cnt, elf_errmsg (-1));
1526 	  continue;
1527 	}
1528 
1529       check_one_reloc (ebl, ehdr, shdr, idx, cnt, symshdr, symdata,
1530 		       rela->r_offset, rela->r_info, destshdr, reldyn, loaded,
1531 		       &state);
1532     }
1533 
1534   while (loaded != NULL)
1535     {
1536       struct loaded_segment *old = loaded;
1537       loaded = loaded->next;
1538       free (old);
1539     }
1540 }
1541 
1542 
1543 static void
check_rel(Ebl * ebl,GElf_Ehdr * ehdr,GElf_Shdr * shdr,int idx)1544 check_rel (Ebl *ebl, GElf_Ehdr *ehdr, GElf_Shdr *shdr, int idx)
1545 {
1546   Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
1547   if (data == NULL)
1548     {
1549       ERROR (_("section [%2d] '%s': cannot get section data\n"),
1550 	     idx, section_name (ebl, idx));
1551       return;
1552     }
1553 
1554   /* Check the fields of the section header.  */
1555   GElf_Shdr destshdr_mem;
1556   GElf_Shdr *destshdr = NULL;
1557   struct loaded_segment *loaded = NULL;
1558   bool reldyn = check_reloc_shdr (ebl, ehdr, shdr, idx, ELF_T_REL, &destshdr,
1559 				  &destshdr_mem, &loaded);
1560 
1561   Elf_Scn *symscn = elf_getscn (ebl->elf, shdr->sh_link);
1562   GElf_Shdr symshdr_mem;
1563   GElf_Shdr *symshdr = gelf_getshdr (symscn, &symshdr_mem);
1564   Elf_Data *symdata = elf_getdata (symscn, NULL);
1565   enum load_state state = state_undecided;
1566 
1567   size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_REL, 1, EV_CURRENT);
1568   for (size_t cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt)
1569     {
1570       GElf_Rel rel_mem;
1571       GElf_Rel *rel = gelf_getrel (data, cnt, &rel_mem);
1572       if (rel == NULL)
1573 	{
1574 	  ERROR (_("\
1575 section [%2d] '%s': cannot get relocation %zu: %s\n"),
1576 		 idx, section_name (ebl, idx), cnt, elf_errmsg (-1));
1577 	  continue;
1578 	}
1579 
1580       check_one_reloc (ebl, ehdr, shdr, idx, cnt, symshdr, symdata,
1581 		       rel->r_offset, rel->r_info, destshdr, reldyn, loaded,
1582 		       &state);
1583     }
1584 
1585   while (loaded != NULL)
1586     {
1587       struct loaded_segment *old = loaded;
1588       loaded = loaded->next;
1589       free (old);
1590     }
1591 }
1592 
1593 
1594 /* Number of dynamic sections.  */
1595 static int ndynamic;
1596 
1597 
1598 static void
check_dynamic(Ebl * ebl,GElf_Ehdr * ehdr,GElf_Shdr * shdr,int idx)1599 check_dynamic (Ebl *ebl, GElf_Ehdr *ehdr, GElf_Shdr *shdr, int idx)
1600 {
1601   Elf_Data *data;
1602   GElf_Shdr strshdr_mem;
1603   GElf_Shdr *strshdr;
1604   size_t cnt;
1605   static const bool dependencies[DT_NUM][DT_NUM] =
1606     {
1607       [DT_NEEDED] = { [DT_STRTAB] = true },
1608       [DT_PLTRELSZ] = { [DT_JMPREL] = true },
1609       [DT_HASH] = { [DT_SYMTAB] = true },
1610       [DT_STRTAB] = { [DT_STRSZ] = true },
1611       [DT_SYMTAB] = { [DT_STRTAB] = true, [DT_SYMENT] = true },
1612       [DT_RELA] = { [DT_RELASZ] = true, [DT_RELAENT] = true },
1613       [DT_RELASZ] = { [DT_RELA] = true },
1614       [DT_RELAENT] = { [DT_RELA] = true },
1615       [DT_STRSZ] = { [DT_STRTAB] = true },
1616       [DT_SYMENT] = { [DT_SYMTAB] = true },
1617       [DT_SONAME] = { [DT_STRTAB] = true },
1618       [DT_RPATH] = { [DT_STRTAB] = true },
1619       [DT_REL] = { [DT_RELSZ] = true, [DT_RELENT] = true },
1620       [DT_RELSZ] = { [DT_REL] = true },
1621       [DT_RELENT] = { [DT_REL] = true },
1622       [DT_JMPREL] = { [DT_PLTRELSZ] = true, [DT_PLTREL] = true },
1623       [DT_RUNPATH] = { [DT_STRTAB] = true },
1624       [DT_PLTREL] = { [DT_JMPREL] = true },
1625     };
1626   bool has_dt[DT_NUM];
1627   bool has_val_dt[DT_VALNUM];
1628   bool has_addr_dt[DT_ADDRNUM];
1629   static const bool level2[DT_NUM] =
1630     {
1631       [DT_RPATH] = true,
1632       [DT_SYMBOLIC] = true,
1633       [DT_TEXTREL] = true,
1634       [DT_BIND_NOW] = true
1635     };
1636   static const bool mandatory[DT_NUM] =
1637     {
1638       [DT_NULL] = true,
1639       [DT_STRTAB] = true,
1640       [DT_SYMTAB] = true,
1641       [DT_STRSZ] = true,
1642       [DT_SYMENT] = true
1643     };
1644 
1645   memset (has_dt, '\0', sizeof (has_dt));
1646   memset (has_val_dt, '\0', sizeof (has_val_dt));
1647   memset (has_addr_dt, '\0', sizeof (has_addr_dt));
1648 
1649   if (++ndynamic == 2)
1650     ERROR (_("more than one dynamic section present\n"));
1651 
1652   data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
1653   if (data == NULL)
1654     {
1655       ERROR (_("section [%2d] '%s': cannot get section data\n"),
1656 	     idx, section_name (ebl, idx));
1657       return;
1658     }
1659 
1660   strshdr = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link), &strshdr_mem);
1661   if (strshdr != NULL && strshdr->sh_type != SHT_STRTAB)
1662     ERROR (_("\
1663 section [%2d] '%s': referenced as string table for section [%2d] '%s' but type is not SHT_STRTAB\n"),
1664 	   shdr->sh_link, section_name (ebl, shdr->sh_link),
1665 	   idx, section_name (ebl, idx));
1666   else if (strshdr == NULL)
1667     {
1668       ERROR (_("\
1669 section [%2d]: referenced as string table for section [%2d] '%s' but section link value is invalid\n"),
1670 	   shdr->sh_link, idx, section_name (ebl, idx));
1671       return;
1672     }
1673 
1674   size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_DYN, 1, EV_CURRENT);
1675   if (shdr->sh_entsize != sh_entsize)
1676     ERROR (_("\
1677 section [%2d] '%s': section entry size does not match ElfXX_Dyn\n"),
1678 	   idx, section_name (ebl, idx));
1679 
1680   if (shdr->sh_info != 0)
1681     ERROR (_("section [%2d] '%s': sh_info not zero\n"),
1682 	   idx, section_name (ebl, idx));
1683 
1684   bool non_null_warned = false;
1685   for (cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt)
1686     {
1687       GElf_Dyn dyn_mem;
1688       GElf_Dyn *dyn = gelf_getdyn (data, cnt, &dyn_mem);
1689       if (dyn == NULL)
1690 	{
1691 	  ERROR (_("\
1692 section [%2d] '%s': cannot get dynamic section entry %zu: %s\n"),
1693 		 idx, section_name (ebl, idx), cnt, elf_errmsg (-1));
1694 	  continue;
1695 	}
1696 
1697       if (has_dt[DT_NULL] && dyn->d_tag != DT_NULL && ! non_null_warned)
1698 	{
1699 	  ERROR (_("\
1700 section [%2d] '%s': non-DT_NULL entries follow DT_NULL entry\n"),
1701 		 idx, section_name (ebl, idx));
1702 	  non_null_warned = true;
1703 	}
1704 
1705       if (!ebl_dynamic_tag_check (ebl, dyn->d_tag))
1706 	ERROR (_("section [%2d] '%s': entry %zu: unknown tag\n"),
1707 	       idx, section_name (ebl, idx), cnt);
1708 
1709       if (dyn->d_tag >= 0 && dyn->d_tag < DT_NUM)
1710 	{
1711 	  if (has_dt[dyn->d_tag]
1712 	      && dyn->d_tag != DT_NEEDED
1713 	      && dyn->d_tag != DT_NULL
1714 	      && dyn->d_tag != DT_POSFLAG_1)
1715 	    {
1716 	      char buf[50];
1717 	      ERROR (_("\
1718 section [%2d] '%s': entry %zu: more than one entry with tag %s\n"),
1719 		     idx, section_name (ebl, idx), cnt,
1720 		     ebl_dynamic_tag_name (ebl, dyn->d_tag,
1721 					   buf, sizeof (buf)));
1722 	    }
1723 
1724 	  if (be_strict && level2[dyn->d_tag])
1725 	    {
1726 	      char buf[50];
1727 	      ERROR (_("\
1728 section [%2d] '%s': entry %zu: level 2 tag %s used\n"),
1729 		     idx, section_name (ebl, idx), cnt,
1730 		     ebl_dynamic_tag_name (ebl, dyn->d_tag,
1731 					   buf, sizeof (buf)));
1732 	    }
1733 
1734 	  has_dt[dyn->d_tag] = true;
1735 	}
1736       else if (dyn->d_tag >= 0 && dyn->d_tag <= DT_VALRNGHI
1737 	       && DT_VALTAGIDX (dyn->d_tag) < DT_VALNUM)
1738 	has_val_dt[DT_VALTAGIDX (dyn->d_tag)] = true;
1739       else if (dyn->d_tag >= 0 && dyn->d_tag <= DT_ADDRRNGHI
1740 	       && DT_ADDRTAGIDX (dyn->d_tag) < DT_ADDRNUM)
1741 	has_addr_dt[DT_ADDRTAGIDX (dyn->d_tag)] = true;
1742 
1743       if (dyn->d_tag == DT_PLTREL && dyn->d_un.d_val != DT_REL
1744 	  && dyn->d_un.d_val != DT_RELA)
1745 	ERROR (_("\
1746 section [%2d] '%s': entry %zu: DT_PLTREL value must be DT_REL or DT_RELA\n"),
1747 	       idx, section_name (ebl, idx), cnt);
1748 
1749       /* Check that addresses for entries are in loaded segments.  */
1750       switch (dyn->d_tag)
1751 	{
1752 	  size_t n;
1753 	case DT_STRTAB:
1754 	  /* We require the referenced section is the same as the one
1755 	     specified in sh_link.  */
1756 	  if (strshdr->sh_addr != dyn->d_un.d_val)
1757 	    {
1758 	      ERROR (_("\
1759 section [%2d] '%s': entry %zu: pointer does not match address of section [%2d] '%s' referenced by sh_link\n"),
1760 		     idx, section_name (ebl, idx), cnt,
1761 		     shdr->sh_link, section_name (ebl, shdr->sh_link));
1762 	      break;
1763 	    }
1764 	  goto check_addr;
1765 
1766 	default:
1767 	  if (dyn->d_tag < DT_ADDRRNGLO || dyn->d_tag > DT_ADDRRNGHI)
1768 	    /* Value is no pointer.  */
1769 	    break;
1770 	  FALLTHROUGH;
1771 
1772 	case DT_AUXILIARY:
1773 	case DT_FILTER:
1774 	case DT_FINI:
1775 	case DT_FINI_ARRAY:
1776 	case DT_HASH:
1777 	case DT_INIT:
1778 	case DT_INIT_ARRAY:
1779 	case DT_JMPREL:
1780 	case DT_PLTGOT:
1781 	case DT_REL:
1782 	case DT_RELA:
1783 	case DT_SYMBOLIC:
1784 	case DT_SYMTAB:
1785 	case DT_VERDEF:
1786 	case DT_VERNEED:
1787 	case DT_VERSYM:
1788 	check_addr:
1789 	  for (n = 0; n < phnum; ++n)
1790 	    {
1791 	      GElf_Phdr phdr_mem;
1792 	      GElf_Phdr *phdr = gelf_getphdr (ebl->elf, n, &phdr_mem);
1793 	      if (phdr != NULL && phdr->p_type == PT_LOAD
1794 		  && phdr->p_vaddr <= dyn->d_un.d_ptr
1795 		  && phdr->p_vaddr + phdr->p_memsz > dyn->d_un.d_ptr)
1796 		break;
1797 	    }
1798 	  if (unlikely (n >= phnum))
1799 	    {
1800 	      char buf[50];
1801 	      ERROR (_("\
1802 section [%2d] '%s': entry %zu: %s value must point into loaded segment\n"),
1803 		     idx, section_name (ebl, idx), cnt,
1804 		     ebl_dynamic_tag_name (ebl, dyn->d_tag, buf,
1805 					   sizeof (buf)));
1806 	    }
1807 	  break;
1808 
1809 	case DT_NEEDED:
1810 	case DT_RPATH:
1811 	case DT_RUNPATH:
1812 	case DT_SONAME:
1813 	  if (dyn->d_un.d_ptr >= strshdr->sh_size)
1814 	    {
1815 	      char buf[50];
1816 	      ERROR (_("\
1817 section [%2d] '%s': entry %zu: %s value must be valid offset in section [%2d] '%s'\n"),
1818 		     idx, section_name (ebl, idx), cnt,
1819 		     ebl_dynamic_tag_name (ebl, dyn->d_tag, buf,
1820 					   sizeof (buf)),
1821 		     shdr->sh_link, section_name (ebl, shdr->sh_link));
1822 	    }
1823 	  break;
1824 	}
1825     }
1826 
1827   for (cnt = 1; cnt < DT_NUM; ++cnt)
1828     if (has_dt[cnt])
1829       {
1830 	for (int inner = 0; inner < DT_NUM; ++inner)
1831 	  if (dependencies[cnt][inner] && ! has_dt[inner])
1832 	    {
1833 	      char buf1[50];
1834 	      char buf2[50];
1835 
1836 	      ERROR (_("\
1837 section [%2d] '%s': contains %s entry but not %s\n"),
1838 		     idx, section_name (ebl, idx),
1839 		     ebl_dynamic_tag_name (ebl, cnt, buf1, sizeof (buf1)),
1840 		     ebl_dynamic_tag_name (ebl, inner, buf2, sizeof (buf2)));
1841 	    }
1842       }
1843     else
1844       {
1845 	if (mandatory[cnt])
1846 	  {
1847 	    char buf[50];
1848 	    ERROR (_("\
1849 section [%2d] '%s': mandatory tag %s not present\n"),
1850 		   idx, section_name (ebl, idx),
1851 		   ebl_dynamic_tag_name (ebl, cnt, buf, sizeof (buf)));
1852 	  }
1853       }
1854 
1855   /* Make sure we have an hash table.  */
1856   if (!has_dt[DT_HASH] && !has_addr_dt[DT_ADDRTAGIDX (DT_GNU_HASH)])
1857     ERROR (_("\
1858 section [%2d] '%s': no hash section present\n"),
1859 	   idx, section_name (ebl, idx));
1860 
1861   /* The GNU-style hash table also needs a symbol table.  */
1862   if (!has_dt[DT_HASH] && has_addr_dt[DT_ADDRTAGIDX (DT_GNU_HASH)]
1863       && !has_dt[DT_SYMTAB])
1864     ERROR (_("\
1865 section [%2d] '%s': contains %s entry but not %s\n"),
1866 	   idx, section_name (ebl, idx),
1867 	   "DT_GNU_HASH", "DT_SYMTAB");
1868 
1869   /* Check the rel/rela tags.  At least one group must be available.  */
1870   if ((has_dt[DT_RELA] || has_dt[DT_RELASZ] || has_dt[DT_RELAENT])
1871       && (!has_dt[DT_RELA] || !has_dt[DT_RELASZ] || !has_dt[DT_RELAENT]))
1872     ERROR (_("\
1873 section [%2d] '%s': not all of %s, %s, and %s are present\n"),
1874 	   idx, section_name (ebl, idx),
1875 	   "DT_RELA", "DT_RELASZ", "DT_RELAENT");
1876 
1877   if ((has_dt[DT_REL] || has_dt[DT_RELSZ] || has_dt[DT_RELENT])
1878       && (!has_dt[DT_REL] || !has_dt[DT_RELSZ] || !has_dt[DT_RELENT]))
1879     ERROR (_("\
1880 section [%2d] '%s': not all of %s, %s, and %s are present\n"),
1881 	   idx, section_name (ebl, idx),
1882 	   "DT_REL", "DT_RELSZ", "DT_RELENT");
1883 
1884   /* Check that all prelink sections are present if any of them is.  */
1885   if (has_val_dt[DT_VALTAGIDX (DT_GNU_PRELINKED)]
1886       || has_val_dt[DT_VALTAGIDX (DT_CHECKSUM)])
1887     {
1888       if (!has_val_dt[DT_VALTAGIDX (DT_GNU_PRELINKED)])
1889 	ERROR (_("\
1890 section [%2d] '%s': %s tag missing in DSO marked during prelinking\n"),
1891 	       idx, section_name (ebl, idx), "DT_GNU_PRELINKED");
1892       if (!has_val_dt[DT_VALTAGIDX (DT_CHECKSUM)])
1893 	ERROR (_("\
1894 section [%2d] '%s': %s tag missing in DSO marked during prelinking\n"),
1895 	       idx, section_name (ebl, idx), "DT_CHECKSUM");
1896 
1897       /* Only DSOs can be marked like this.  */
1898       if (ehdr->e_type != ET_DYN)
1899 	ERROR (_("\
1900 section [%2d] '%s': non-DSO file marked as dependency during prelink\n"),
1901 	       idx, section_name (ebl, idx));
1902     }
1903 
1904   if (has_val_dt[DT_VALTAGIDX (DT_GNU_CONFLICTSZ)]
1905       || has_val_dt[DT_VALTAGIDX (DT_GNU_LIBLISTSZ)]
1906       || has_addr_dt[DT_ADDRTAGIDX (DT_GNU_CONFLICT)]
1907       || has_addr_dt[DT_ADDRTAGIDX (DT_GNU_LIBLIST)])
1908     {
1909       if (!has_val_dt[DT_VALTAGIDX (DT_GNU_CONFLICTSZ)])
1910 	ERROR (_("\
1911 section [%2d] '%s': %s tag missing in prelinked executable\n"),
1912 	       idx, section_name (ebl, idx), "DT_GNU_CONFLICTSZ");
1913       if (!has_val_dt[DT_VALTAGIDX (DT_GNU_LIBLISTSZ)])
1914 	ERROR (_("\
1915 section [%2d] '%s': %s tag missing in prelinked executable\n"),
1916 	       idx, section_name (ebl, idx), "DT_GNU_LIBLISTSZ");
1917       if (!has_addr_dt[DT_ADDRTAGIDX (DT_GNU_CONFLICT)])
1918 	ERROR (_("\
1919 section [%2d] '%s': %s tag missing in prelinked executable\n"),
1920 	       idx, section_name (ebl, idx), "DT_GNU_CONFLICT");
1921       if (!has_addr_dt[DT_ADDRTAGIDX (DT_GNU_LIBLIST)])
1922 	ERROR (_("\
1923 section [%2d] '%s': %s tag missing in prelinked executable\n"),
1924 	       idx, section_name (ebl, idx), "DT_GNU_LIBLIST");
1925     }
1926 }
1927 
1928 
1929 static void
check_symtab_shndx(Ebl * ebl,GElf_Ehdr * ehdr,GElf_Shdr * shdr,int idx)1930 check_symtab_shndx (Ebl *ebl, GElf_Ehdr *ehdr, GElf_Shdr *shdr, int idx)
1931 {
1932   if (ehdr->e_type != ET_REL)
1933     {
1934       ERROR (_("\
1935 section [%2d] '%s': only relocatable files can have extended section index\n"),
1936 	     idx, section_name (ebl, idx));
1937       return;
1938     }
1939 
1940   Elf_Scn *symscn = elf_getscn (ebl->elf, shdr->sh_link);
1941   GElf_Shdr symshdr_mem;
1942   GElf_Shdr *symshdr = gelf_getshdr (symscn, &symshdr_mem);
1943   if (symshdr != NULL && symshdr->sh_type != SHT_SYMTAB)
1944     ERROR (_("\
1945 section [%2d] '%s': extended section index section not for symbol table\n"),
1946 	   idx, section_name (ebl, idx));
1947   else if (symshdr == NULL)
1948     ERROR (_("\
1949 section [%2d] '%s': sh_link extended section index [%2d] is invalid\n"),
1950 	   idx, section_name (ebl, idx), shdr->sh_link);
1951   Elf_Data *symdata = elf_getdata (symscn, NULL);
1952   if (symdata == NULL)
1953     ERROR (_("cannot get data for symbol section\n"));
1954 
1955   if (shdr->sh_entsize != sizeof (Elf32_Word))
1956     ERROR (_("\
1957 section [%2d] '%s': entry size does not match Elf32_Word\n"),
1958 	   idx, section_name (ebl, idx));
1959 
1960   if (symshdr != NULL
1961       && shdr->sh_entsize != 0
1962       && symshdr->sh_entsize != 0
1963       && (shdr->sh_size / shdr->sh_entsize
1964 	  < symshdr->sh_size / symshdr->sh_entsize))
1965     ERROR (_("\
1966 section [%2d] '%s': extended index table too small for symbol table\n"),
1967 	   idx, section_name (ebl, idx));
1968 
1969   if (shdr->sh_info != 0)
1970     ERROR (_("section [%2d] '%s': sh_info not zero\n"),
1971 	   idx, section_name (ebl, idx));
1972 
1973   for (size_t cnt = idx + 1; cnt < shnum; ++cnt)
1974     {
1975       GElf_Shdr rshdr_mem;
1976       GElf_Shdr *rshdr = gelf_getshdr (elf_getscn (ebl->elf, cnt), &rshdr_mem);
1977       if (rshdr != NULL && rshdr->sh_type == SHT_SYMTAB_SHNDX
1978 	  && rshdr->sh_link == shdr->sh_link)
1979 	{
1980 	  ERROR (_("\
1981 section [%2d] '%s': extended section index in section [%2zu] '%s' refers to same symbol table\n"),
1982 		 idx, section_name (ebl, idx),
1983 		 cnt, section_name (ebl, cnt));
1984 	  break;
1985 	}
1986     }
1987 
1988   Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
1989   if (data == NULL || data->d_buf == NULL)
1990     {
1991       ERROR (_("section [%2d] '%s': cannot get section data\n"),
1992 	     idx, section_name (ebl, idx));
1993       return;
1994     }
1995 
1996   if (data->d_size < sizeof (Elf32_Word)
1997       || *((Elf32_Word *) data->d_buf) != 0)
1998     ERROR (_("symbol 0 should have zero extended section index\n"));
1999 
2000   for (size_t cnt = 1; cnt < data->d_size / sizeof (Elf32_Word); ++cnt)
2001     {
2002       Elf32_Word xndx = ((Elf32_Word *) data->d_buf)[cnt];
2003 
2004       if (xndx != 0)
2005 	{
2006 	  GElf_Sym sym_data;
2007 	  GElf_Sym *sym = gelf_getsym (symdata, cnt, &sym_data);
2008 	  if (sym == NULL)
2009 	    {
2010 	      ERROR (_("cannot get data for symbol %zu\n"), cnt);
2011 	      continue;
2012 	    }
2013 
2014 	  if (sym->st_shndx != SHN_XINDEX)
2015 	    ERROR (_("\
2016 extended section index is %" PRIu32 " but symbol index is not XINDEX\n"),
2017 		   (uint32_t) xndx);
2018 	}
2019     }
2020 }
2021 
2022 
2023 static void
check_sysv_hash(Ebl * ebl,GElf_Shdr * shdr,Elf_Data * data,int idx,GElf_Shdr * symshdr)2024 check_sysv_hash (Ebl *ebl, GElf_Shdr *shdr, Elf_Data *data, int idx,
2025 		 GElf_Shdr *symshdr)
2026 {
2027   Elf32_Word nbucket = ((Elf32_Word *) data->d_buf)[0];
2028   Elf32_Word nchain = ((Elf32_Word *) data->d_buf)[1];
2029 
2030   if (shdr->sh_size < (2ULL + nbucket + nchain) * sizeof (Elf32_Word))
2031     {
2032       ERROR (_("\
2033 section [%2d] '%s': hash table section is too small (is %ld, expected %ld)\n"),
2034 	     idx, section_name (ebl, idx), (long int) shdr->sh_size,
2035 	     (long int) ((2 + nbucket + nchain) * sizeof (Elf32_Word)));
2036       return;
2037     }
2038 
2039   size_t maxidx = nchain;
2040 
2041   if (symshdr != NULL && symshdr->sh_entsize != 0)
2042     {
2043       size_t symsize = symshdr->sh_size / symshdr->sh_entsize;
2044 
2045       if (nchain > symshdr->sh_size / symshdr->sh_entsize)
2046 	ERROR (_("section [%2d] '%s': chain array too large\n"),
2047 	       idx, section_name (ebl, idx));
2048 
2049       maxidx = symsize;
2050     }
2051 
2052   Elf32_Word *buf = (Elf32_Word *) data->d_buf;
2053   Elf32_Word *end = (Elf32_Word *) ((char *) data->d_buf + shdr->sh_size);
2054   size_t cnt;
2055   for (cnt = 2; cnt < 2 + nbucket; ++cnt)
2056     {
2057       if (buf + cnt >= end)
2058 	break;
2059       else if (buf[cnt] >= maxidx)
2060       ERROR (_("\
2061 section [%2d] '%s': hash bucket reference %zu out of bounds\n"),
2062 	     idx, section_name (ebl, idx), cnt - 2);
2063     }
2064 
2065   for (; cnt < 2 + nbucket + nchain; ++cnt)
2066     {
2067       if (buf + cnt >= end)
2068 	break;
2069       else if (buf[cnt] >= maxidx)
2070       ERROR (_("\
2071 section [%2d] '%s': hash chain reference %zu out of bounds\n"),
2072 	     idx, section_name (ebl, idx), cnt - 2 - nbucket);
2073     }
2074 }
2075 
2076 
2077 static void
check_sysv_hash64(Ebl * ebl,GElf_Shdr * shdr,Elf_Data * data,int idx,GElf_Shdr * symshdr)2078 check_sysv_hash64 (Ebl *ebl, GElf_Shdr *shdr, Elf_Data *data, int idx,
2079 		 GElf_Shdr *symshdr)
2080 {
2081   Elf64_Xword nbucket = ((Elf64_Xword *) data->d_buf)[0];
2082   Elf64_Xword nchain = ((Elf64_Xword *) data->d_buf)[1];
2083 
2084   uint64_t maxwords = shdr->sh_size / sizeof (Elf64_Xword);
2085   if (maxwords < 2
2086       || maxwords - 2 < nbucket
2087       || maxwords - 2 - nbucket < nchain)
2088     {
2089       ERROR (_("\
2090 section [%2d] '%s': hash table section is too small (is %ld, expected %ld)\n"),
2091 	     idx, section_name (ebl, idx), (long int) shdr->sh_size,
2092 	     (long int) ((2 + nbucket + nchain) * sizeof (Elf64_Xword)));
2093       return;
2094     }
2095 
2096   size_t maxidx = nchain;
2097 
2098   if (symshdr != NULL && symshdr->sh_entsize != 0)
2099     {
2100       size_t symsize = symshdr->sh_size / symshdr->sh_entsize;
2101 
2102       if (nchain > symshdr->sh_size / symshdr->sh_entsize)
2103 	ERROR (_("section [%2d] '%s': chain array too large\n"),
2104 	       idx, section_name (ebl, idx));
2105 
2106       maxidx = symsize;
2107     }
2108 
2109   Elf64_Xword *buf = (Elf64_Xword *) data->d_buf;
2110   Elf64_Xword *end = (Elf64_Xword *) ((char *) data->d_buf + shdr->sh_size);
2111   size_t cnt;
2112   for (cnt = 2; cnt < 2 + nbucket; ++cnt)
2113     {
2114       if (buf + cnt >= end)
2115 	break;
2116       else if (buf[cnt] >= maxidx)
2117       ERROR (_("\
2118 section [%2d] '%s': hash bucket reference %zu out of bounds\n"),
2119 	     idx, section_name (ebl, idx), cnt - 2);
2120     }
2121 
2122   for (; cnt < 2 + nbucket + nchain; ++cnt)
2123     {
2124       if (buf + cnt >= end)
2125 	break;
2126       else if (buf[cnt] >= maxidx)
2127       ERROR (_("\
2128 section [%2d] '%s': hash chain reference %" PRIu64 " out of bounds\n"),
2129 	       idx, section_name (ebl, idx), (uint64_t) cnt - 2 - nbucket);
2130     }
2131 }
2132 
2133 
2134 static void
check_gnu_hash(Ebl * ebl,GElf_Shdr * shdr,Elf_Data * data,int idx,GElf_Shdr * symshdr)2135 check_gnu_hash (Ebl *ebl, GElf_Shdr *shdr, Elf_Data *data, int idx,
2136 		GElf_Shdr *symshdr)
2137 {
2138   if (data->d_size < 4 * sizeof (Elf32_Word))
2139     {
2140       ERROR (_("\
2141 section [%2d] '%s': not enough data\n"),
2142 	     idx, section_name (ebl, idx));
2143       return;
2144     }
2145 
2146   Elf32_Word nbuckets = ((Elf32_Word *) data->d_buf)[0];
2147   Elf32_Word symbias = ((Elf32_Word *) data->d_buf)[1];
2148   Elf32_Word bitmask_words = ((Elf32_Word *) data->d_buf)[2];
2149 
2150   if (bitmask_words == 0 || !powerof2 (bitmask_words))
2151     {
2152       ERROR (_("\
2153 section [%2d] '%s': bitmask size zero or not power of 2: %u\n"),
2154 	     idx, section_name (ebl, idx), bitmask_words);
2155       return;
2156     }
2157 
2158   size_t bitmask_idxmask = bitmask_words - 1;
2159   if (gelf_getclass (ebl->elf) == ELFCLASS64)
2160     bitmask_words *= 2;
2161   Elf32_Word shift = ((Elf32_Word *) data->d_buf)[3];
2162 
2163   /* Is there still room for the sym chain?
2164      Use uint64_t calculation to prevent 32bit overflow.  */
2165   uint64_t used_buf = (4ULL + bitmask_words + nbuckets) * sizeof (Elf32_Word);
2166   if (used_buf > data->d_size)
2167     {
2168       ERROR (_("\
2169 section [%2d] '%s': hash table section is too small (is %ld, expected at least %ld)\n"),
2170 	     idx, section_name (ebl, idx), (long int) shdr->sh_size,
2171 	     (long int) used_buf);
2172       return;
2173     }
2174 
2175   if (shift > 31)
2176     {
2177       ERROR (_("\
2178 section [%2d] '%s': 2nd hash function shift too big: %u\n"),
2179 	     idx, section_name (ebl, idx), shift);
2180       return;
2181     }
2182 
2183   size_t maxidx = shdr->sh_size / sizeof (Elf32_Word) - (4 + bitmask_words
2184 							 + nbuckets);
2185 
2186   if (symshdr != NULL && symshdr->sh_entsize != 0)
2187     maxidx = MIN (maxidx, symshdr->sh_size / symshdr->sh_entsize);
2188 
2189   /* We need the symbol section data.  */
2190   Elf_Data *symdata = elf_getdata (elf_getscn (ebl->elf, shdr->sh_link), NULL);
2191 
2192   union
2193   {
2194     Elf32_Word *p32;
2195     Elf64_Xword *p64;
2196   } bitmask = { .p32 = &((Elf32_Word *) data->d_buf)[4] },
2197       collected = { .p32 = xcalloc (bitmask_words, sizeof (Elf32_Word)) };
2198 
2199   size_t classbits = gelf_getclass (ebl->elf) == ELFCLASS32 ? 32 : 64;
2200 
2201   size_t cnt;
2202   for (cnt = 4 + bitmask_words; cnt < 4 + bitmask_words + nbuckets; ++cnt)
2203     {
2204       Elf32_Word symidx = ((Elf32_Word *) data->d_buf)[cnt];
2205 
2206       if (symidx == 0)
2207 	continue;
2208 
2209       if (symidx < symbias)
2210 	{
2211 	  ERROR (_("\
2212 section [%2d] '%s': hash chain for bucket %zu lower than symbol index bias\n"),
2213 		 idx, section_name (ebl, idx), cnt - (4 + bitmask_words));
2214 	  continue;
2215 	}
2216 
2217       while (symidx - symbias < maxidx)
2218 	{
2219 	  Elf32_Word chainhash = ((Elf32_Word *) data->d_buf)[4
2220 							      + bitmask_words
2221 							      + nbuckets
2222 							      + symidx
2223 							      - symbias];
2224 
2225 	  if (symdata != NULL)
2226 	    {
2227 	      /* Check that the referenced symbol is not undefined.  */
2228 	      GElf_Sym sym_mem;
2229 	      GElf_Sym *sym = gelf_getsym (symdata, symidx, &sym_mem);
2230 	      if (sym != NULL && sym->st_shndx == SHN_UNDEF
2231 		  && GELF_ST_TYPE (sym->st_info) != STT_FUNC)
2232 		ERROR (_("\
2233 section [%2d] '%s': symbol %u referenced in chain for bucket %zu is undefined\n"),
2234 		       idx, section_name (ebl, idx), symidx,
2235 		       cnt - (4 + bitmask_words));
2236 
2237 	      const char *symname = (sym != NULL
2238 				     ? elf_strptr (ebl->elf, symshdr->sh_link,
2239 						   sym->st_name)
2240 				     : NULL);
2241 	      if (symname != NULL)
2242 		{
2243 		  Elf32_Word hval = elf_gnu_hash (symname);
2244 		  if ((hval & ~1u) != (chainhash & ~1u))
2245 		    ERROR (_("\
2246 section [%2d] '%s': hash value for symbol %u in chain for bucket %zu wrong\n"),
2247 			   idx, section_name (ebl, idx), symidx,
2248 			   cnt - (4 + bitmask_words));
2249 
2250 		  /* Set the bits in the bitmask.  */
2251 		  size_t maskidx = (hval / classbits) & bitmask_idxmask;
2252 		  if (maskidx >= bitmask_words)
2253 		    {
2254 		      ERROR (_("\
2255 section [%2d] '%s': mask index for symbol %u in chain for bucket %zu wrong\n"),
2256 			     idx, section_name (ebl, idx), symidx,
2257 			     cnt - (4 + bitmask_words));
2258 		      return;
2259 		    }
2260 		  if (classbits == 32)
2261 		    {
2262 		      collected.p32[maskidx]
2263 			|= UINT32_C (1) << (hval & (classbits - 1));
2264 		      collected.p32[maskidx]
2265 			|= UINT32_C (1) << ((hval >> shift) & (classbits - 1));
2266 		    }
2267 		  else
2268 		    {
2269 		      collected.p64[maskidx]
2270 			|= UINT64_C (1) << (hval & (classbits - 1));
2271 		      collected.p64[maskidx]
2272 			|= UINT64_C (1) << ((hval >> shift) & (classbits - 1));
2273 		    }
2274 		}
2275 	    }
2276 
2277 	  if ((chainhash & 1) != 0)
2278 	    break;
2279 
2280 	  ++symidx;
2281 	}
2282 
2283       if (symidx - symbias >= maxidx)
2284 	ERROR (_("\
2285 section [%2d] '%s': hash chain for bucket %zu out of bounds\n"),
2286 	       idx, section_name (ebl, idx), cnt - (4 + bitmask_words));
2287       else if (symshdr != NULL && symshdr->sh_entsize != 0
2288 	       && symidx > symshdr->sh_size / symshdr->sh_entsize)
2289 	ERROR (_("\
2290 section [%2d] '%s': symbol reference in chain for bucket %zu out of bounds\n"),
2291 	       idx, section_name (ebl, idx), cnt - (4 + bitmask_words));
2292     }
2293 
2294   if (memcmp (collected.p32, bitmask.p32, bitmask_words * sizeof (Elf32_Word)))
2295     ERROR (_("\
2296 section [%2d] '%s': bitmask does not match names in the hash table\n"),
2297 	   idx, section_name (ebl, idx));
2298 
2299   free (collected.p32);
2300 }
2301 
2302 
2303 static void
check_hash(int tag,Ebl * ebl,GElf_Ehdr * ehdr,GElf_Shdr * shdr,int idx)2304 check_hash (int tag, Ebl *ebl, GElf_Ehdr *ehdr, GElf_Shdr *shdr, int idx)
2305 {
2306   if (ehdr->e_type == ET_REL)
2307     {
2308       ERROR (_("\
2309 section [%2d] '%s': relocatable files cannot have hash tables\n"),
2310 	     idx, section_name (ebl, idx));
2311       return;
2312     }
2313 
2314   Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
2315   if (data == NULL || data->d_buf == NULL)
2316     {
2317       ERROR (_("section [%2d] '%s': cannot get section data\n"),
2318 	     idx, section_name (ebl, idx));
2319       return;
2320     }
2321 
2322   GElf_Shdr symshdr_mem;
2323   GElf_Shdr *symshdr = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
2324 				     &symshdr_mem);
2325   if (symshdr != NULL && symshdr->sh_type != SHT_DYNSYM)
2326     ERROR (_("\
2327 section [%2d] '%s': hash table not for dynamic symbol table\n"),
2328 	   idx, section_name (ebl, idx));
2329   else if (symshdr == NULL)
2330     ERROR (_("\
2331 section [%2d] '%s': invalid sh_link symbol table section index [%2d]\n"),
2332 	   idx, section_name (ebl, idx), shdr->sh_link);
2333 
2334   size_t expect_entsize = (tag == SHT_GNU_HASH
2335 			   ? (gelf_getclass (ebl->elf) == ELFCLASS32
2336 			      ? sizeof (Elf32_Word) : 0)
2337 			   : (size_t) ebl_sysvhash_entrysize (ebl));
2338 
2339   if (shdr->sh_entsize != expect_entsize)
2340     ERROR (_("\
2341 section [%2d] '%s': hash table entry size incorrect\n"),
2342 	   idx, section_name (ebl, idx));
2343 
2344   if ((shdr->sh_flags & SHF_ALLOC) == 0)
2345     ERROR (_("section [%2d] '%s': not marked to be allocated\n"),
2346 	   idx, section_name (ebl, idx));
2347 
2348   if (shdr->sh_size < (tag == SHT_GNU_HASH ? 4 : 2) * (expect_entsize ?: 4))
2349     {
2350       ERROR (_("\
2351 section [%2d] '%s': hash table has not even room for initial administrative entries\n"),
2352 	     idx, section_name (ebl, idx));
2353       return;
2354     }
2355 
2356   switch (tag)
2357     {
2358     case SHT_HASH:
2359       if (ebl_sysvhash_entrysize (ebl) == sizeof (Elf64_Xword))
2360 	check_sysv_hash64 (ebl, shdr, data, idx, symshdr);
2361       else
2362 	check_sysv_hash (ebl, shdr, data, idx, symshdr);
2363       break;
2364 
2365     case SHT_GNU_HASH:
2366       check_gnu_hash (ebl, shdr, data, idx, symshdr);
2367       break;
2368 
2369     default:
2370       assert (! "should not happen");
2371     }
2372 }
2373 
2374 
2375 /* Compare content of both hash tables, it must be identical.  */
2376 static void
compare_hash_gnu_hash(Ebl * ebl,GElf_Ehdr * ehdr,size_t hash_idx,size_t gnu_hash_idx)2377 compare_hash_gnu_hash (Ebl *ebl, GElf_Ehdr *ehdr, size_t hash_idx,
2378 		       size_t gnu_hash_idx)
2379 {
2380   Elf_Scn *hash_scn = elf_getscn (ebl->elf, hash_idx);
2381   Elf_Data *hash_data = elf_getdata (hash_scn, NULL);
2382   GElf_Shdr hash_shdr_mem;
2383   GElf_Shdr *hash_shdr = gelf_getshdr (hash_scn, &hash_shdr_mem);
2384   Elf_Scn *gnu_hash_scn = elf_getscn (ebl->elf, gnu_hash_idx);
2385   Elf_Data *gnu_hash_data = elf_getdata (gnu_hash_scn, NULL);
2386   GElf_Shdr gnu_hash_shdr_mem;
2387   GElf_Shdr *gnu_hash_shdr = gelf_getshdr (gnu_hash_scn, &gnu_hash_shdr_mem);
2388 
2389   if (hash_shdr == NULL || gnu_hash_shdr == NULL
2390       || hash_data == NULL || hash_data->d_buf == NULL
2391       || gnu_hash_data == NULL || gnu_hash_data->d_buf == NULL)
2392     /* None of these pointers should be NULL since we used the
2393        sections already.  We are careful nonetheless.  */
2394     return;
2395 
2396   /* The link must point to the same symbol table.  */
2397   if (hash_shdr->sh_link != gnu_hash_shdr->sh_link)
2398     {
2399       ERROR (_("\
2400 sh_link in hash sections [%2zu] '%s' and [%2zu] '%s' not identical\n"),
2401 	     hash_idx, elf_strptr (ebl->elf, shstrndx, hash_shdr->sh_name),
2402 	     gnu_hash_idx,
2403 	     elf_strptr (ebl->elf, shstrndx, gnu_hash_shdr->sh_name));
2404       return;
2405     }
2406 
2407   Elf_Scn *sym_scn = elf_getscn (ebl->elf, hash_shdr->sh_link);
2408   Elf_Data *sym_data = elf_getdata (sym_scn, NULL);
2409   GElf_Shdr sym_shdr_mem;
2410   GElf_Shdr *sym_shdr = gelf_getshdr (sym_scn, &sym_shdr_mem);
2411 
2412   if (sym_data == NULL || sym_data->d_buf == NULL
2413       || sym_shdr == NULL || sym_shdr->sh_entsize == 0)
2414     return;
2415 
2416   const char *hash_name;
2417   const char *gnu_hash_name;
2418   hash_name  = elf_strptr (ebl->elf, shstrndx, hash_shdr->sh_name);
2419   gnu_hash_name  = elf_strptr (ebl->elf, shstrndx, gnu_hash_shdr->sh_name);
2420 
2421   if (gnu_hash_data->d_size < 4 * sizeof (Elf32_Word))
2422     {
2423       ERROR (_("\
2424 hash section [%2zu] '%s' does not contain enough data\n"),
2425 	     gnu_hash_idx, gnu_hash_name);
2426       return;
2427     }
2428 
2429   uint32_t nentries = sym_shdr->sh_size / sym_shdr->sh_entsize;
2430   char *used = alloca (nentries);
2431   memset (used, '\0', nentries);
2432 
2433   /* First go over the GNU_HASH table and mark the entries as used.  */
2434   const Elf32_Word *gnu_hasharr = (Elf32_Word *) gnu_hash_data->d_buf;
2435   Elf32_Word gnu_nbucket = gnu_hasharr[0];
2436   Elf32_Word gnu_symbias = gnu_hasharr[1];
2437   const int bitmap_factor = ehdr->e_ident[EI_CLASS] == ELFCLASS32 ? 1 : 2;
2438   const Elf32_Word *gnu_bucket = (gnu_hasharr
2439 				  + (4 + gnu_hasharr[2] * bitmap_factor));
2440   const Elf32_Word *gnu_chain = gnu_bucket + gnu_hasharr[0];
2441 
2442   if (gnu_hasharr[2] == 0)
2443     {
2444       ERROR (_("\
2445 hash section [%2zu] '%s' has zero bit mask words\n"),
2446 	     gnu_hash_idx, gnu_hash_name);
2447       return;
2448     }
2449 
2450   uint64_t used_buf = ((4ULL + gnu_hasharr[2] * bitmap_factor + gnu_nbucket)
2451 		       * sizeof (Elf32_Word));
2452   uint32_t max_nsyms = (gnu_hash_data->d_size - used_buf) / sizeof (Elf32_Word);
2453   if (used_buf > gnu_hash_data->d_size)
2454     {
2455       ERROR (_("\
2456 hash section [%2zu] '%s' uses too much data\n"),
2457 	     gnu_hash_idx, gnu_hash_name);
2458       return;
2459     }
2460 
2461   for (Elf32_Word cnt = 0; cnt < gnu_nbucket; ++cnt)
2462     {
2463       if (gnu_bucket[cnt] != STN_UNDEF)
2464 	{
2465 	  Elf32_Word symidx = gnu_bucket[cnt] - gnu_symbias;
2466 	  do
2467 	    {
2468 	      if (symidx >= max_nsyms || symidx + gnu_symbias >= nentries)
2469 		{
2470 		  ERROR (_("\
2471 hash section [%2zu] '%s' invalid symbol index %" PRIu32 " (max_nsyms: %" PRIu32 ", nentries: %" PRIu32 "\n"),
2472 			 gnu_hash_idx, gnu_hash_name, symidx, max_nsyms, nentries);
2473 		  return;
2474 		}
2475 	      used[symidx + gnu_symbias] |= 1;
2476 	    }
2477 	  while ((gnu_chain[symidx++] & 1u) == 0);
2478 	}
2479     }
2480 
2481   /* Now go over the old hash table and check that we cover the same
2482      entries.  */
2483   if (hash_shdr->sh_entsize == sizeof (Elf32_Word))
2484     {
2485       const Elf32_Word *hasharr = (Elf32_Word *) hash_data->d_buf;
2486       if (hash_data->d_size < 2 * sizeof (Elf32_Word))
2487 	{
2488 	  ERROR (_("\
2489 hash section [%2zu] '%s' does not contain enough data\n"),
2490 		 hash_idx, hash_name);
2491 	  return;
2492 	}
2493 
2494       Elf32_Word nbucket = hasharr[0];
2495       Elf32_Word nchain = hasharr[1];
2496       uint64_t hash_used = (2ULL + nchain + nbucket) * sizeof (Elf32_Word);
2497       if (hash_used > hash_data->d_size)
2498 	{
2499 	  ERROR (_("\
2500 hash section [%2zu] '%s' uses too much data\n"),
2501 		 hash_idx, hash_name);
2502 	  return;
2503 	}
2504 
2505       const Elf32_Word *bucket = &hasharr[2];
2506       const Elf32_Word *chain = &hasharr[2 + nbucket];
2507 
2508       for (Elf32_Word cnt = 0; cnt < nbucket; ++cnt)
2509 	{
2510 	  Elf32_Word symidx = bucket[cnt];
2511 	  while (symidx != STN_UNDEF && symidx < nentries && symidx < nchain)
2512 	    {
2513 	      used[symidx] |= 2;
2514 	      symidx = chain[symidx];
2515 	    }
2516 	}
2517     }
2518   else if (hash_shdr->sh_entsize == sizeof (Elf64_Xword))
2519     {
2520       const Elf64_Xword *hasharr = (Elf64_Xword *) hash_data->d_buf;
2521       if (hash_data->d_size < 2 * sizeof (Elf32_Word))
2522 	{
2523 	  ERROR (_("\
2524 hash section [%2zu] '%s' does not contain enough data\n"),
2525 		 hash_idx, hash_name);
2526 	  return;
2527 	}
2528 
2529       Elf64_Xword nbucket = hasharr[0];
2530       Elf64_Xword nchain = hasharr[1];
2531       uint64_t maxwords = hash_data->d_size / sizeof (Elf64_Xword);
2532       if (maxwords < 2
2533 	  || maxwords - 2 < nbucket
2534 	  || maxwords - 2 - nbucket < nchain)
2535 	{
2536 	  ERROR (_("\
2537 hash section [%2zu] '%s' uses too much data\n"),
2538 		 hash_idx, hash_name);
2539 	  return;
2540 	}
2541 
2542       const Elf64_Xword *bucket = &hasharr[2];
2543       const Elf64_Xword *chain = &hasharr[2 + nbucket];
2544 
2545       for (Elf64_Xword cnt = 0; cnt < nbucket; ++cnt)
2546 	{
2547 	  Elf64_Xword symidx = bucket[cnt];
2548 	  while (symidx != STN_UNDEF && symidx < nentries && symidx < nchain)
2549 	    {
2550 	      used[symidx] |= 2;
2551 	      symidx = chain[symidx];
2552 	    }
2553 	}
2554     }
2555   else
2556     {
2557       ERROR (_("\
2558 hash section [%2zu] '%s' invalid sh_entsize\n"),
2559 	     hash_idx, hash_name);
2560       return;
2561     }
2562 
2563   /* Now see which entries are not set in one or both hash tables
2564      (unless the symbol is undefined in which case it can be omitted
2565      in the new table format).  */
2566   if ((used[0] & 1) != 0)
2567     ERROR (_("section [%2zu] '%s': reference to symbol index 0\n"),
2568 	   gnu_hash_idx,
2569 	   elf_strptr (ebl->elf, shstrndx, gnu_hash_shdr->sh_name));
2570   if ((used[0] & 2) != 0)
2571     ERROR (_("section [%2zu] '%s': reference to symbol index 0\n"),
2572 	   hash_idx, elf_strptr (ebl->elf, shstrndx, hash_shdr->sh_name));
2573 
2574   for (uint32_t cnt = 1; cnt < nentries; ++cnt)
2575     if (used[cnt] != 0 && used[cnt] != 3)
2576       {
2577 	if (used[cnt] == 1)
2578 	  ERROR (_("\
2579 symbol %d referenced in new hash table in [%2zu] '%s' but not in old hash table in [%2zu] '%s'\n"),
2580 		 cnt, gnu_hash_idx,
2581 		 elf_strptr (ebl->elf, shstrndx, gnu_hash_shdr->sh_name),
2582 		 hash_idx,
2583 		 elf_strptr (ebl->elf, shstrndx, hash_shdr->sh_name));
2584 	else
2585 	  {
2586 	    GElf_Sym sym_mem;
2587 	    GElf_Sym *sym = gelf_getsym (sym_data, cnt, &sym_mem);
2588 
2589 	    if (sym != NULL && sym->st_shndx != STN_UNDEF)
2590 	      ERROR (_("\
2591 symbol %d referenced in old hash table in [%2zu] '%s' but not in new hash table in [%2zu] '%s'\n"),
2592 		     cnt, hash_idx,
2593 		     elf_strptr (ebl->elf, shstrndx, hash_shdr->sh_name),
2594 		     gnu_hash_idx,
2595 		     elf_strptr (ebl->elf, shstrndx, gnu_hash_shdr->sh_name));
2596 	  }
2597       }
2598 }
2599 
2600 
2601 static void
check_null(Ebl * ebl,GElf_Shdr * shdr,int idx)2602 check_null (Ebl *ebl, GElf_Shdr *shdr, int idx)
2603 {
2604 #define TEST(name, extra) \
2605   if (extra && shdr->sh_##name != 0)					      \
2606     ERROR (_("section [%2d] '%s': nonzero sh_%s for NULL section\n"),  \
2607 	   idx, section_name (ebl, idx), #name)
2608 
2609   TEST (name, 1);
2610   TEST (flags, 1);
2611   TEST (addr, 1);
2612   TEST (offset, 1);
2613   TEST (size, idx != 0);
2614   TEST (link, idx != 0);
2615   TEST (info, 1);
2616   TEST (addralign, 1);
2617   TEST (entsize, 1);
2618 }
2619 
2620 
2621 static void
check_group(Ebl * ebl,GElf_Ehdr * ehdr,GElf_Shdr * shdr,int idx)2622 check_group (Ebl *ebl, GElf_Ehdr *ehdr, GElf_Shdr *shdr, int idx)
2623 {
2624   if (ehdr->e_type != ET_REL)
2625     {
2626       ERROR (_("\
2627 section [%2d] '%s': section groups only allowed in relocatable object files\n"),
2628 	     idx, section_name (ebl, idx));
2629       return;
2630     }
2631 
2632   /* Check that sh_link is an index of a symbol table.  */
2633   Elf_Scn *symscn = elf_getscn (ebl->elf, shdr->sh_link);
2634   GElf_Shdr symshdr_mem;
2635   GElf_Shdr *symshdr = gelf_getshdr (symscn, &symshdr_mem);
2636   if (symshdr == NULL)
2637     ERROR (_("section [%2d] '%s': cannot get symbol table: %s\n"),
2638 	   idx, section_name (ebl, idx), elf_errmsg (-1));
2639   else
2640     {
2641       if (symshdr->sh_type != SHT_SYMTAB)
2642 	ERROR (_("\
2643 section [%2d] '%s': section reference in sh_link is no symbol table\n"),
2644 	       idx, section_name (ebl, idx));
2645 
2646       if (shdr->sh_info >= symshdr->sh_size / gelf_fsize (ebl->elf, ELF_T_SYM,
2647 							  1, EV_CURRENT))
2648 	ERROR (_("\
2649 section [%2d] '%s': invalid symbol index in sh_info\n"),
2650 	       idx, section_name (ebl, idx));
2651 
2652       if (shdr->sh_flags != 0)
2653 	ERROR (_("section [%2d] '%s': sh_flags not zero\n"),
2654 	       idx, section_name (ebl, idx));
2655 
2656       GElf_Sym sym_data;
2657       GElf_Sym *sym = gelf_getsym (elf_getdata (symscn, NULL), shdr->sh_info,
2658 				   &sym_data);
2659       if (sym == NULL)
2660 	ERROR (_("\
2661 section [%2d] '%s': cannot get symbol for signature\n"),
2662 	       idx, section_name (ebl, idx));
2663       else if (elf_strptr (ebl->elf, symshdr->sh_link, sym->st_name) == NULL)
2664 	ERROR (_("\
2665 section [%2d] '%s': cannot get symbol name for signature\n"),
2666 	       idx, section_name (ebl, idx));
2667       else if (strcmp (elf_strptr (ebl->elf, symshdr->sh_link, sym->st_name),
2668 		       "") == 0)
2669 	ERROR (_("\
2670 section [%2d] '%s': signature symbol cannot be empty string\n"),
2671 	       idx, section_name (ebl, idx));
2672 
2673       if (be_strict
2674 	  && shdr->sh_entsize != elf32_fsize (ELF_T_WORD, 1, EV_CURRENT))
2675 	ERROR (_("section [%2d] '%s': sh_flags not set correctly\n"),
2676 	       idx, section_name (ebl, idx));
2677     }
2678 
2679   Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
2680   if (data == NULL || data->d_buf == NULL)
2681     ERROR (_("section [%2d] '%s': cannot get data: %s\n"),
2682 	   idx, section_name (ebl, idx), elf_errmsg (-1));
2683   else
2684     {
2685       size_t elsize = elf32_fsize (ELF_T_WORD, 1, EV_CURRENT);
2686       size_t cnt;
2687       Elf32_Word val;
2688 
2689       if (data->d_size % elsize != 0)
2690 	ERROR (_("\
2691 section [%2d] '%s': section size not multiple of sizeof(Elf32_Word)\n"),
2692 	       idx, section_name (ebl, idx));
2693 
2694       if (data->d_size < elsize)
2695 	{
2696 	  ERROR (_("\
2697 section [%2d] '%s': section group without flags word\n"),
2698 	       idx, section_name (ebl, idx));
2699 	  return;
2700 	}
2701       else if (be_strict)
2702 	{
2703 	  if (data->d_size < 2 * elsize)
2704 	    ERROR (_("\
2705 section [%2d] '%s': section group without member\n"),
2706 		   idx, section_name (ebl, idx));
2707 	  else if (data->d_size < 3 * elsize)
2708 	    ERROR (_("\
2709 section [%2d] '%s': section group with only one member\n"),
2710 		   idx, section_name (ebl, idx));
2711 	}
2712 
2713 #if ALLOW_UNALIGNED
2714       val = *((Elf32_Word *) data->d_buf);
2715 #else
2716       memcpy (&val, data->d_buf, elsize);
2717 #endif
2718       if ((val & ~GRP_COMDAT) != 0)
2719 	ERROR (_("section [%2d] '%s': unknown section group flags\n"),
2720 	       idx, section_name (ebl, idx));
2721 
2722       for (cnt = elsize; cnt + elsize <= data->d_size; cnt += elsize)
2723 	{
2724 #if ALLOW_UNALIGNED
2725 	  val = *((Elf32_Word *) ((char *) data->d_buf + cnt));
2726 #else
2727 	  memcpy (&val, (char *) data->d_buf + cnt, elsize);
2728 #endif
2729 
2730 	  if (val > shnum)
2731 	    ERROR (_("\
2732 section [%2d] '%s': section index %zu out of range\n"),
2733 		   idx, section_name (ebl, idx), cnt / elsize);
2734 	  else
2735 	    {
2736 	      GElf_Shdr refshdr_mem;
2737 	      GElf_Shdr *refshdr = gelf_getshdr (elf_getscn (ebl->elf, val),
2738 						 &refshdr_mem);
2739 	      if (refshdr == NULL)
2740 		ERROR (_("\
2741 section [%2d] '%s': cannot get section header for element %zu: %s\n"),
2742 		       idx, section_name (ebl, idx), cnt / elsize,
2743 		       elf_errmsg (-1));
2744 	      else
2745 		{
2746 		  if (refshdr->sh_type == SHT_GROUP)
2747 		    ERROR (_("\
2748 section [%2d] '%s': section group contains another group [%2d] '%s'\n"),
2749 			   idx, section_name (ebl, idx),
2750 			   val, section_name (ebl, val));
2751 
2752 		  if ((refshdr->sh_flags & SHF_GROUP) == 0)
2753 		    ERROR (_("\
2754 section [%2d] '%s': element %zu references section [%2d] '%s' without SHF_GROUP flag set\n"),
2755 			   idx, section_name (ebl, idx), cnt / elsize,
2756 			   val, section_name (ebl, val));
2757 		}
2758 
2759 	      if (val < shnum && ++scnref[val] == 2)
2760 		ERROR (_("\
2761 section [%2d] '%s' is contained in more than one section group\n"),
2762 		       val, section_name (ebl, val));
2763 	    }
2764 	}
2765     }
2766 }
2767 
2768 
2769 static const char *
section_flags_string(GElf_Word flags,char * buf,size_t len)2770 section_flags_string (GElf_Word flags, char *buf, size_t len)
2771 {
2772   if (flags == 0)
2773     return "none";
2774 
2775   static const struct
2776   {
2777     GElf_Word flag;
2778     const char *name;
2779   } known_flags[] =
2780     {
2781 #define NEWFLAG(name) { SHF_##name, #name }
2782       NEWFLAG (WRITE),
2783       NEWFLAG (ALLOC),
2784       NEWFLAG (EXECINSTR),
2785       NEWFLAG (MERGE),
2786       NEWFLAG (STRINGS),
2787       NEWFLAG (INFO_LINK),
2788       NEWFLAG (LINK_ORDER),
2789       NEWFLAG (OS_NONCONFORMING),
2790       NEWFLAG (GROUP),
2791       NEWFLAG (TLS),
2792       NEWFLAG (COMPRESSED),
2793       NEWFLAG (GNU_RETAIN),
2794       NEWFLAG (ORDERED),
2795       NEWFLAG (EXCLUDE)
2796     };
2797 #undef NEWFLAG
2798   const size_t nknown_flags = sizeof (known_flags) / sizeof (known_flags[0]);
2799 
2800   char *cp = buf;
2801 
2802   for (size_t cnt = 0; cnt < nknown_flags; ++cnt)
2803     if (flags & known_flags[cnt].flag)
2804       {
2805 	if (cp != buf && len > 1)
2806 	  {
2807 	    *cp++ = '|';
2808 	    --len;
2809 	  }
2810 
2811 	size_t ncopy = MIN (len - 1, strlen (known_flags[cnt].name));
2812 	cp = mempcpy (cp, known_flags[cnt].name, ncopy);
2813 	len -= ncopy;
2814 
2815 	flags ^= known_flags[cnt].flag;
2816       }
2817 
2818   if (flags != 0 || cp == buf)
2819     {
2820       int r = snprintf (cp, len - 1, "%s%" PRIx64,
2821 			(cp == buf) ? "" : "|", (uint64_t) flags);
2822       if (r > 0)
2823 	cp += r;
2824     }
2825   *cp = '\0';
2826 
2827   return buf;
2828 }
2829 
2830 
2831 static int
has_copy_reloc(Ebl * ebl,unsigned int symscnndx,unsigned int symndx)2832 has_copy_reloc (Ebl *ebl, unsigned int symscnndx, unsigned int symndx)
2833 {
2834   /* First find the relocation section for the symbol table.  */
2835   Elf_Scn *scn = NULL;
2836   GElf_Shdr shdr_mem;
2837   GElf_Shdr *shdr = NULL;
2838   while ((scn = elf_nextscn (ebl->elf, scn)) != NULL)
2839     {
2840       shdr = gelf_getshdr (scn, &shdr_mem);
2841       if (shdr != NULL
2842 	  && (shdr->sh_type == SHT_REL || shdr->sh_type == SHT_RELA)
2843 	  && shdr->sh_link == symscnndx)
2844 	/* Found the section.  */
2845 	break;
2846     }
2847 
2848   if (scn == NULL)
2849     return 0;
2850 
2851   Elf_Data *data = elf_getdata (scn, NULL);
2852   if (data == NULL || shdr->sh_entsize == 0)
2853     return 0;
2854 
2855   if (shdr->sh_type == SHT_REL)
2856     for (int i = 0; (size_t) i < shdr->sh_size / shdr->sh_entsize; ++i)
2857       {
2858 	GElf_Rel rel_mem;
2859 	GElf_Rel *rel = gelf_getrel (data, i, &rel_mem);
2860 	if (rel == NULL)
2861 	  continue;
2862 
2863 	if (GELF_R_SYM (rel->r_info) == symndx
2864 	    && ebl_copy_reloc_p (ebl, GELF_R_TYPE (rel->r_info)))
2865 	  return 1;
2866       }
2867   else
2868     for (int i = 0; (size_t) i < shdr->sh_size / shdr->sh_entsize; ++i)
2869       {
2870 	GElf_Rela rela_mem;
2871 	GElf_Rela *rela = gelf_getrela (data, i, &rela_mem);
2872 	if (rela == NULL)
2873 	  continue;
2874 
2875 	if (GELF_R_SYM (rela->r_info) == symndx
2876 	    && ebl_copy_reloc_p (ebl, GELF_R_TYPE (rela->r_info)))
2877 	  return 1;
2878       }
2879 
2880   return 0;
2881 }
2882 
2883 
2884 static int
in_nobits_scn(Ebl * ebl,unsigned int shndx)2885 in_nobits_scn (Ebl *ebl, unsigned int shndx)
2886 {
2887   GElf_Shdr shdr_mem;
2888   GElf_Shdr *shdr = gelf_getshdr (elf_getscn (ebl->elf, shndx), &shdr_mem);
2889   return shdr != NULL && shdr->sh_type == SHT_NOBITS;
2890 }
2891 
2892 
2893 static struct version_namelist
2894 {
2895   const char *objname;
2896   const char *name;
2897   GElf_Versym ndx;
2898   enum { ver_def, ver_need } type;
2899   struct version_namelist *next;
2900 } *version_namelist;
2901 
2902 
2903 static int
add_version(const char * objname,const char * name,GElf_Versym ndx,int type)2904 add_version (const char *objname, const char *name, GElf_Versym ndx, int type)
2905 {
2906   /* Check that there are no duplications.  */
2907   struct version_namelist *nlp = version_namelist;
2908   while (nlp != NULL)
2909     {
2910       if (((nlp->objname == NULL && objname == NULL)
2911 	   || (nlp->objname != NULL && objname != NULL
2912 	       && strcmp (nlp->objname, objname) == 0))
2913 	  && strcmp (nlp->name, name) == 0)
2914 	return nlp->type == ver_def ? 1 : -1;
2915       nlp = nlp->next;
2916     }
2917 
2918   nlp = xmalloc (sizeof (*nlp));
2919   nlp->objname = objname;
2920   nlp->name = name;
2921   nlp->ndx = ndx;
2922   nlp->type = type;
2923   nlp->next = version_namelist;
2924   version_namelist = nlp;
2925 
2926   return 0;
2927 }
2928 
2929 
2930 static void
check_versym(Ebl * ebl,int idx)2931 check_versym (Ebl *ebl, int idx)
2932 {
2933   Elf_Scn *scn = elf_getscn (ebl->elf, idx);
2934   GElf_Shdr shdr_mem;
2935   GElf_Shdr *shdr = gelf_getshdr (scn, &shdr_mem);
2936   if (shdr == NULL)
2937     /* The error has already been reported.  */
2938     return;
2939 
2940   Elf_Data *data = elf_getdata (scn, NULL);
2941   if (data == NULL)
2942     {
2943       ERROR (_("section [%2d] '%s': cannot get section data\n"),
2944 	     idx, section_name (ebl, idx));
2945       return;
2946     }
2947 
2948   Elf_Scn *symscn = elf_getscn (ebl->elf, shdr->sh_link);
2949   GElf_Shdr symshdr_mem;
2950   GElf_Shdr *symshdr = gelf_getshdr (symscn, &symshdr_mem);
2951   if (symshdr == NULL)
2952     /* The error has already been reported.  */
2953     return;
2954 
2955   if (symshdr->sh_type != SHT_DYNSYM)
2956     {
2957       ERROR (_("\
2958 section [%2d] '%s' refers in sh_link to section [%2d] '%s' which is no dynamic symbol table\n"),
2959 	     idx, section_name (ebl, idx),
2960 	     shdr->sh_link, section_name (ebl, shdr->sh_link));
2961       return;
2962     }
2963 
2964   /* The number of elements in the version symbol table must be the
2965      same as the number of symbols.  */
2966   if (shdr->sh_entsize != 0 && symshdr->sh_entsize != 0
2967       && (shdr->sh_size / shdr->sh_entsize
2968 	  != symshdr->sh_size / symshdr->sh_entsize))
2969     ERROR (_("\
2970 section [%2d] '%s' has different number of entries than symbol table [%2d] '%s'\n"),
2971 	   idx, section_name (ebl, idx),
2972 	   shdr->sh_link, section_name (ebl, shdr->sh_link));
2973 
2974   Elf_Data *symdata = elf_getdata (symscn, NULL);
2975   if (symdata == NULL || shdr->sh_entsize == 0)
2976     /* The error has already been reported.  */
2977     return;
2978 
2979   for (int cnt = 1; (size_t) cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
2980     {
2981       GElf_Versym versym_mem;
2982       GElf_Versym *versym = gelf_getversym (data, cnt, &versym_mem);
2983       if (versym == NULL)
2984 	{
2985 	  ERROR (_("\
2986 section [%2d] '%s': symbol %d: cannot read version data\n"),
2987 		 idx, section_name (ebl, idx), cnt);
2988 	  break;
2989 	}
2990 
2991       GElf_Sym sym_mem;
2992       GElf_Sym *sym = gelf_getsym (symdata, cnt, &sym_mem);
2993       if (sym == NULL)
2994 	/* Already reported elsewhere.  */
2995 	continue;
2996 
2997       if (*versym == VER_NDX_GLOBAL)
2998 	{
2999 	  /* Global symbol.  Make sure it is not defined as local.  */
3000 	  if (GELF_ST_BIND (sym->st_info) == STB_LOCAL)
3001 	    ERROR (_("\
3002 section [%2d] '%s': symbol %d: local symbol with global scope\n"),
3003 		   idx, section_name (ebl, idx), cnt);
3004 	}
3005       else if (*versym != VER_NDX_LOCAL)
3006 	{
3007 	  /* Versioned symbol.  Make sure it is not defined as local.  */
3008 	  if (!gnuld && GELF_ST_BIND (sym->st_info) == STB_LOCAL)
3009 	    ERROR (_("\
3010 section [%2d] '%s': symbol %d: local symbol with version\n"),
3011 		   idx, section_name (ebl, idx), cnt);
3012 
3013 	  /* Look through the list of defined versions and locate the
3014 	     index we need for this symbol.  */
3015 	  struct version_namelist *runp = version_namelist;
3016 	  while (runp != NULL)
3017 	    if (runp->ndx == (*versym & (GElf_Versym) 0x7fff))
3018 	      break;
3019 	    else
3020 	      runp = runp->next;
3021 
3022 	  if (runp == NULL)
3023 	    ERROR (_("\
3024 section [%2d] '%s': symbol %d: invalid version index %d\n"),
3025 		   idx, section_name (ebl, idx), cnt, (int) *versym);
3026 	  else if (sym->st_shndx == SHN_UNDEF
3027 		   && runp->type == ver_def)
3028 	    ERROR (_("\
3029 section [%2d] '%s': symbol %d: version index %d is for defined version\n"),
3030 		   idx, section_name (ebl, idx), cnt, (int) *versym);
3031 	  else if (sym->st_shndx != SHN_UNDEF
3032 		   && runp->type == ver_need)
3033 	    {
3034 	      /* Unless this symbol has a copy relocation associated
3035 		 this must not happen.  */
3036 	      if (!has_copy_reloc (ebl, shdr->sh_link, cnt)
3037 		  && !in_nobits_scn (ebl, sym->st_shndx))
3038 		ERROR (_("\
3039 section [%2d] '%s': symbol %d: version index %d is for requested version\n"),
3040 		       idx, section_name (ebl, idx), cnt, (int) *versym);
3041 	    }
3042 	}
3043     }
3044 }
3045 
3046 
3047 static int
unknown_dependency_p(Elf * elf,const char * fname)3048 unknown_dependency_p (Elf *elf, const char *fname)
3049 {
3050   GElf_Phdr phdr_mem;
3051   GElf_Phdr *phdr = NULL;
3052 
3053   unsigned int i;
3054   for (i = 0; i < phnum; ++i)
3055     if ((phdr = gelf_getphdr (elf, i, &phdr_mem)) != NULL
3056 	&& phdr->p_type == PT_DYNAMIC)
3057       break;
3058 
3059   if (i == phnum)
3060     return 1;
3061   assert (phdr != NULL);
3062   Elf_Scn *scn = gelf_offscn (elf, phdr->p_offset);
3063   GElf_Shdr shdr_mem;
3064   GElf_Shdr *shdr = gelf_getshdr (scn, &shdr_mem);
3065   Elf_Data *data = elf_getdata (scn, NULL);
3066   if (shdr != NULL && shdr->sh_type == SHT_DYNAMIC
3067       && data != NULL && shdr->sh_entsize != 0)
3068     for (size_t j = 0; j < shdr->sh_size / shdr->sh_entsize; ++j)
3069       {
3070 	GElf_Dyn dyn_mem;
3071 	GElf_Dyn *dyn = gelf_getdyn (data, j, &dyn_mem);
3072 	if (dyn != NULL && dyn->d_tag == DT_NEEDED)
3073 	  {
3074 	    const char *str = elf_strptr (elf, shdr->sh_link, dyn->d_un.d_val);
3075 	    if (str != NULL && strcmp (str, fname) == 0)
3076 	      /* Found it.  */
3077 	      return 0;
3078 	  }
3079       }
3080 
3081   return 1;
3082 }
3083 
3084 
3085 static unsigned int nverneed;
3086 
3087 static void
check_verneed(Ebl * ebl,GElf_Shdr * shdr,int idx)3088 check_verneed (Ebl *ebl, GElf_Shdr *shdr, int idx)
3089 {
3090   if (++nverneed == 2)
3091     ERROR (_("more than one version reference section present\n"));
3092 
3093   GElf_Shdr strshdr_mem;
3094   GElf_Shdr *strshdr = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
3095 				     &strshdr_mem);
3096   if (strshdr == NULL)
3097     return;
3098   if (strshdr->sh_type != SHT_STRTAB)
3099     ERROR (_("\
3100 section [%2d] '%s': sh_link does not link to string table\n"),
3101 	   idx, section_name (ebl, idx));
3102 
3103   Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
3104   if (data == NULL)
3105     {
3106       ERROR (_("section [%2d] '%s': cannot get section data\n"),
3107 	     idx, section_name (ebl, idx));
3108       return;
3109     }
3110   unsigned int offset = 0;
3111   for (Elf64_Word cnt = shdr->sh_info; cnt > 0; )
3112     {
3113       cnt--;
3114 
3115       /* Get the data at the next offset.  */
3116       GElf_Verneed needmem;
3117       GElf_Verneed *need = gelf_getverneed (data, offset, &needmem);
3118       if (need == NULL)
3119 	break;
3120 
3121       unsigned int auxoffset = offset + need->vn_aux;
3122 
3123       if (need->vn_version != EV_CURRENT)
3124 	ERROR (_("\
3125 section [%2d] '%s': entry %d has wrong version %d\n"),
3126 	       idx, section_name (ebl, idx), cnt, (int) need->vn_version);
3127 
3128       if (need->vn_cnt > 0 && need->vn_aux < gelf_fsize (ebl->elf, ELF_T_VNEED,
3129 							 1, EV_CURRENT))
3130 	{
3131 	  ERROR (_("\
3132 section [%2d] '%s': entry %d has wrong offset of auxiliary data\n"),
3133 	         idx, section_name (ebl, idx), cnt);
3134 	  break;
3135 	}
3136 
3137       const char *libname = elf_strptr (ebl->elf, shdr->sh_link,
3138 					need->vn_file);
3139       if (libname == NULL)
3140 	{
3141 	  ERROR (_("\
3142 section [%2d] '%s': entry %d has invalid file reference\n"),
3143 		 idx, section_name (ebl, idx), cnt);
3144 	  goto next_need;
3145 	}
3146 
3147       /* Check that there is a DT_NEEDED entry for the referenced library.  */
3148       if (unknown_dependency_p (ebl->elf, libname))
3149 	ERROR (_("\
3150 section [%2d] '%s': entry %d references unknown dependency\n"),
3151 	       idx, section_name (ebl, idx), cnt);
3152 
3153       for (int cnt2 = need->vn_cnt; --cnt2 >= 0; )
3154 	{
3155 	  GElf_Vernaux auxmem;
3156 	  GElf_Vernaux *aux = gelf_getvernaux (data, auxoffset, &auxmem);
3157 	  if (aux == NULL)
3158 	    break;
3159 
3160 	  if ((aux->vna_flags & ~VER_FLG_WEAK) != 0)
3161 	    ERROR (_("\
3162 section [%2d] '%s': auxiliary entry %d of entry %d has unknown flag\n"),
3163 		   idx, section_name (ebl, idx), need->vn_cnt - cnt2, cnt);
3164 
3165 	  const char *verstr = elf_strptr (ebl->elf, shdr->sh_link,
3166 					   aux->vna_name);
3167 	  if (verstr == NULL)
3168 	    {
3169 	      ERROR (_("\
3170 section [%2d] '%s': auxiliary entry %d of entry %d has invalid name reference\n"),
3171 		     idx, section_name (ebl, idx), need->vn_cnt - cnt2, cnt);
3172 	      break;
3173 	    }
3174 	  else
3175 	    {
3176 	      GElf_Word hashval = elf_hash (verstr);
3177 	      if (hashval != aux->vna_hash)
3178 		ERROR (_("\
3179 section [%2d] '%s': auxiliary entry %d of entry %d has wrong hash value: %#x, expected %#x\n"),
3180 		       idx, section_name (ebl, idx), need->vn_cnt - cnt2,
3181 		       cnt, (int) hashval, (int) aux->vna_hash);
3182 
3183 	      int res = add_version (libname, verstr, aux->vna_other,
3184 				     ver_need);
3185 	      if (unlikely (res !=0))
3186 		{
3187 		  ERROR (_("\
3188 section [%2d] '%s': auxiliary entry %d of entry %d has duplicate version name '%s'\n"),
3189 			 idx, section_name (ebl, idx), need->vn_cnt - cnt2,
3190 			 cnt, verstr);
3191 		}
3192 	    }
3193 
3194 	  if ((aux->vna_next != 0 || cnt2 > 0)
3195 	      && aux->vna_next < gelf_fsize (ebl->elf, ELF_T_VNAUX, 1,
3196 					     EV_CURRENT))
3197 	    {
3198 	      ERROR (_("\
3199 section [%2d] '%s': auxiliary entry %d of entry %d has wrong next field\n"),
3200 		     idx, section_name (ebl, idx), need->vn_cnt - cnt2, cnt);
3201 	      break;
3202 	    }
3203 
3204 	  auxoffset += MAX (aux->vna_next,
3205 			    gelf_fsize (ebl->elf, ELF_T_VNAUX, 1, EV_CURRENT));
3206 	}
3207 
3208       /* Find the next offset.  */
3209     next_need:
3210       offset += need->vn_next;
3211 
3212       if ((need->vn_next != 0 || cnt > 0)
3213 	  && offset < auxoffset)
3214 	{
3215 	  ERROR (_("\
3216 section [%2d] '%s': entry %d has invalid offset to next entry\n"),
3217 	         idx, section_name (ebl, idx), cnt);
3218 	  break;
3219 	}
3220 
3221       if (need->vn_next == 0 && cnt > 0)
3222 	{
3223 	  ERROR (_("\
3224 section [%2d] '%s': entry %d has zero offset to next entry, but sh_info says there are more entries\n"),
3225 	         idx, section_name (ebl, idx), cnt);
3226 	  break;
3227 	}
3228     }
3229 }
3230 
3231 
3232 static unsigned int nverdef;
3233 
3234 static void
check_verdef(Ebl * ebl,GElf_Shdr * shdr,int idx)3235 check_verdef (Ebl *ebl, GElf_Shdr *shdr, int idx)
3236 {
3237   if (++nverdef == 2)
3238     ERROR (_("more than one version definition section present\n"));
3239 
3240   GElf_Shdr strshdr_mem;
3241   GElf_Shdr *strshdr = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
3242 				     &strshdr_mem);
3243   if (strshdr == NULL)
3244     return;
3245   if (strshdr->sh_type != SHT_STRTAB)
3246     ERROR (_("\
3247 section [%2d] '%s': sh_link does not link to string table\n"),
3248 	   idx, section_name (ebl, idx));
3249 
3250   Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
3251   if (data == NULL)
3252     {
3253     no_data:
3254       ERROR (_("section [%2d] '%s': cannot get section data\n"),
3255 	     idx, section_name (ebl, idx));
3256       return;
3257     }
3258 
3259   /* Iterate over all version definition entries.  We check that there
3260      is a BASE entry and that each index is unique.  To do the later
3261      we collection the information in a list which is later
3262      examined.  */
3263   struct namelist
3264   {
3265     const char *name;
3266     struct namelist *next;
3267   } *namelist = NULL;
3268   struct namelist *refnamelist = NULL;
3269 
3270   bool has_base = false;
3271   unsigned int offset = 0;
3272   for (Elf64_Word cnt = shdr->sh_info; cnt > 0; )
3273     {
3274       cnt--;
3275 
3276       /* Get the data at the next offset.  */
3277       GElf_Verdef defmem;
3278       GElf_Verdef *def = gelf_getverdef (data, offset, &defmem);
3279       if (def == NULL)
3280 	goto no_data;
3281 
3282       if ((def->vd_flags & VER_FLG_BASE) != 0)
3283 	{
3284 	  if (has_base)
3285 	    ERROR (_("\
3286 section [%2d] '%s': more than one BASE definition\n"),
3287 		   idx, section_name (ebl, idx));
3288 	  if (def->vd_ndx != VER_NDX_GLOBAL)
3289 	    ERROR (_("\
3290 section [%2d] '%s': BASE definition must have index VER_NDX_GLOBAL\n"),
3291 		   idx, section_name (ebl, idx));
3292 	  has_base = true;
3293 	}
3294       if ((def->vd_flags & ~(VER_FLG_BASE|VER_FLG_WEAK)) != 0)
3295 	ERROR (_("\
3296 section [%2d] '%s': entry %d has unknown flag\n"),
3297 	       idx, section_name (ebl, idx), cnt);
3298 
3299       if (def->vd_version != EV_CURRENT)
3300 	ERROR (_("\
3301 section [%2d] '%s': entry %d has wrong version %d\n"),
3302 	       idx, section_name (ebl, idx), cnt, (int) def->vd_version);
3303 
3304       if (def->vd_cnt > 0 && def->vd_aux < gelf_fsize (ebl->elf, ELF_T_VDEF,
3305 						       1, EV_CURRENT))
3306 	{
3307 	  ERROR (_("\
3308 section [%2d] '%s': entry %d has wrong offset of auxiliary data\n"),
3309 	         idx, section_name (ebl, idx), cnt);
3310 	  break;
3311 	}
3312 
3313       unsigned int auxoffset = offset + def->vd_aux;
3314       GElf_Verdaux auxmem;
3315       GElf_Verdaux *aux = gelf_getverdaux (data, auxoffset, &auxmem);
3316       if (aux == NULL)
3317 	goto no_data;
3318 
3319       const char *name = elf_strptr (ebl->elf, shdr->sh_link, aux->vda_name);
3320       if (name == NULL)
3321 	{
3322 	  ERROR (_("\
3323 section [%2d] '%s': entry %d has invalid name reference\n"),
3324 		 idx, section_name (ebl, idx), cnt);
3325 	  goto next_def;
3326 	}
3327       GElf_Word hashval = elf_hash (name);
3328       if (def->vd_hash != hashval)
3329 	ERROR (_("\
3330 section [%2d] '%s': entry %d has wrong hash value: %#x, expected %#x\n"),
3331 	       idx, section_name (ebl, idx), cnt, (int) hashval,
3332 	       (int) def->vd_hash);
3333 
3334       int res = add_version (NULL, name, def->vd_ndx, ver_def);
3335       if (unlikely (res !=0))
3336 	{
3337 	  ERROR (_("\
3338 section [%2d] '%s': entry %d has duplicate version name '%s'\n"),
3339 		 idx, section_name (ebl, idx), cnt, name);
3340 	}
3341 
3342       struct namelist *newname = alloca (sizeof (*newname));
3343       newname->name = name;
3344       newname->next = namelist;
3345       namelist = newname;
3346 
3347       auxoffset += aux->vda_next;
3348       for (int cnt2 = 1; cnt2 < def->vd_cnt; ++cnt2)
3349 	{
3350 	  aux = gelf_getverdaux (data, auxoffset, &auxmem);
3351 	  if (aux == NULL)
3352 	    goto no_data;
3353 
3354 	  name = elf_strptr (ebl->elf, shdr->sh_link, aux->vda_name);
3355 	  if (name == NULL)
3356 	    {
3357 	      ERROR (_("\
3358 section [%2d] '%s': entry %d has invalid name reference in auxiliary data\n"),
3359 		     idx, section_name (ebl, idx), cnt);
3360 	      break;
3361 	    }
3362 	  else
3363 	    {
3364 	      newname = alloca (sizeof (*newname));
3365 	      newname->name = name;
3366 	      newname->next = refnamelist;
3367 	      refnamelist = newname;
3368 	    }
3369 
3370 	  if ((aux->vda_next != 0 || cnt2 + 1 < def->vd_cnt)
3371 	      && aux->vda_next < gelf_fsize (ebl->elf, ELF_T_VDAUX, 1,
3372 					     EV_CURRENT))
3373 	    {
3374 	      ERROR (_("\
3375 section [%2d] '%s': entry %d has wrong next field in auxiliary data\n"),
3376 		     idx, section_name (ebl, idx), cnt);
3377 	      break;
3378 	    }
3379 
3380 	  auxoffset += MAX (aux->vda_next,
3381 			    gelf_fsize (ebl->elf, ELF_T_VDAUX, 1, EV_CURRENT));
3382 	}
3383 
3384       /* Find the next offset.  */
3385     next_def:
3386       offset += def->vd_next;
3387 
3388       if ((def->vd_next != 0 || cnt > 0)
3389 	  && offset < auxoffset)
3390 	{
3391 	  ERROR (_("\
3392 section [%2d] '%s': entry %d has invalid offset to next entry\n"),
3393 	         idx, section_name (ebl, idx), cnt);
3394 	  break;
3395 	}
3396 
3397       if (def->vd_next == 0 && cnt > 0)
3398 	{
3399 	  ERROR (_("\
3400 section [%2d] '%s': entry %d has zero offset to next entry, but sh_info says there are more entries\n"),
3401 	         idx, section_name (ebl, idx), cnt);
3402 	  break;
3403 	}
3404     }
3405 
3406   if (!has_base)
3407     ERROR (_("section [%2d] '%s': no BASE definition\n"),
3408 	   idx, section_name (ebl, idx));
3409 
3410   /* Check whether the referenced names are available.  */
3411   while (namelist != NULL)
3412     {
3413       struct version_namelist *runp = version_namelist;
3414       while (runp != NULL)
3415 	{
3416 	  if (runp->type == ver_def
3417 	      && strcmp (runp->name, namelist->name) == 0)
3418 	    break;
3419 	  runp = runp->next;
3420 	}
3421 
3422       if (runp == NULL)
3423 	ERROR (_("\
3424 section [%2d] '%s': unknown parent version '%s'\n"),
3425 	       idx, section_name (ebl, idx), namelist->name);
3426 
3427       namelist = namelist->next;
3428     }
3429 }
3430 
3431 static inline size_t
buffer_pos(Elf_Data * data,const unsigned char * p)3432 buffer_pos (Elf_Data *data, const unsigned char *p)
3433 {
3434   return p - (const unsigned char *) data->d_buf;
3435 }
3436 
3437 static inline size_t
buffer_left(Elf_Data * data,const unsigned char * p)3438 buffer_left (Elf_Data *data, const unsigned char *p)
3439 {
3440   return (const unsigned char *) data->d_buf + data->d_size - p;
3441 }
3442 
3443 static void
check_attributes(Ebl * ebl,GElf_Ehdr * ehdr,GElf_Shdr * shdr,int idx)3444 check_attributes (Ebl *ebl, GElf_Ehdr *ehdr, GElf_Shdr *shdr, int idx)
3445 {
3446   if (shdr->sh_size == 0)
3447     {
3448       ERROR (_("section [%2d] '%s': empty object attributes section\n"),
3449 	     idx, section_name (ebl, idx));
3450       return;
3451     }
3452 
3453   Elf_Data *data = elf_rawdata (elf_getscn (ebl->elf, idx), NULL);
3454   if (data == NULL || data->d_size == 0 || data->d_buf == NULL)
3455     {
3456       ERROR (_("section [%2d] '%s': cannot get section data\n"),
3457 	     idx, section_name (ebl, idx));
3458       return;
3459     }
3460 
3461   const unsigned char *p = data->d_buf;
3462   if (*p++ != 'A')
3463     {
3464       ERROR (_("section [%2d] '%s': unrecognized attribute format\n"),
3465 	     idx, section_name (ebl, idx));
3466       return;
3467     }
3468 
3469   while (buffer_left (data, p) >= 4)
3470     {
3471       uint32_t len;
3472       memcpy (&len, p, sizeof len);
3473 
3474       if (len == 0)
3475 	ERROR (_("\
3476 section [%2d] '%s': offset %zu: zero length field in attribute section\n"),
3477 	       idx, section_name (ebl, idx), buffer_pos (data, p));
3478 
3479       if (MY_ELFDATA != ehdr->e_ident[EI_DATA])
3480 	CONVERT (len);
3481 
3482       if (len > buffer_left (data, p))
3483 	{
3484 	  ERROR (_("\
3485 section [%2d] '%s': offset %zu: invalid length in attribute section\n"),
3486 		 idx, section_name (ebl, idx), buffer_pos (data, p));
3487 	  break;
3488 	}
3489 
3490       const unsigned char *name = p + sizeof len;
3491       p += len;
3492 
3493       unsigned const char *q = memchr (name, '\0', len);
3494       if (q == NULL)
3495 	{
3496 	  ERROR (_("\
3497 section [%2d] '%s': offset %zu: unterminated vendor name string\n"),
3498 		 idx, section_name (ebl, idx), buffer_pos (data, p));
3499 	  break;
3500 	}
3501       ++q;
3502 
3503       if (q - name == sizeof "gnu" && !memcmp (name, "gnu", sizeof "gnu"))
3504 	while (q < p)
3505 	  {
3506 	    unsigned const char *chunk = q;
3507 
3508 	    unsigned int subsection_tag;
3509 	    get_uleb128 (subsection_tag, q, p);
3510 
3511 	    if (q >= p)
3512 	      {
3513 		ERROR (_("\
3514 section [%2d] '%s': offset %zu: endless ULEB128 in attribute subsection tag\n"),
3515 		       idx, section_name (ebl, idx), buffer_pos (data, chunk));
3516 		break;
3517 	      }
3518 
3519 	    uint32_t subsection_len;
3520 	    if (p - q < (ptrdiff_t) sizeof subsection_len)
3521 	      {
3522 		ERROR (_("\
3523 section [%2d] '%s': offset %zu: truncated attribute section\n"),
3524 		       idx, section_name (ebl, idx), buffer_pos (data, q));
3525 		break;
3526 	      }
3527 
3528 	    memcpy (&subsection_len, q, sizeof subsection_len);
3529 	    if (subsection_len == 0)
3530 	      {
3531 		ERROR (_("\
3532 section [%2d] '%s': offset %zu: zero length field in attribute subsection\n"),
3533 		       idx, section_name (ebl, idx), buffer_pos (data, q));
3534 
3535 		q += sizeof subsection_len;
3536 		continue;
3537 	      }
3538 
3539 	    if (MY_ELFDATA != ehdr->e_ident[EI_DATA])
3540 	      CONVERT (subsection_len);
3541 
3542 	    /* Don't overflow, ptrdiff_t might be 32bits, but signed.  */
3543 	    if (p - chunk < (ptrdiff_t) subsection_len
3544 	        || subsection_len >= (uint32_t) PTRDIFF_MAX)
3545 	      {
3546 		ERROR (_("\
3547 section [%2d] '%s': offset %zu: invalid length in attribute subsection\n"),
3548 		       idx, section_name (ebl, idx), buffer_pos (data, q));
3549 		break;
3550 	      }
3551 
3552 	    const unsigned char *subsection_end = chunk + subsection_len;
3553 	    chunk = q;
3554 	    q = subsection_end;
3555 
3556 	    if (subsection_tag != 1) /* Tag_File */
3557 	      ERROR (_("\
3558 section [%2d] '%s': offset %zu: attribute subsection has unexpected tag %u\n"),
3559 		     idx, section_name (ebl, idx), buffer_pos (data, chunk), subsection_tag);
3560 	    else
3561 	      {
3562 		chunk += sizeof subsection_len;
3563 		while (chunk < q)
3564 		  {
3565 		    unsigned int tag;
3566 		    get_uleb128 (tag, chunk, q);
3567 
3568 		    uint64_t value = 0;
3569 		    const unsigned char *r = chunk;
3570 		    if (tag == 32 || (tag & 1) == 0)
3571 		      {
3572 			get_uleb128 (value, r, q);
3573 			if (r > q)
3574 			  {
3575 			    ERROR (_("\
3576 section [%2d] '%s': offset %zu: endless ULEB128 in attribute tag\n"),
3577 				   idx, section_name (ebl, idx), buffer_pos (data, chunk));
3578 			    break;
3579 			  }
3580 		      }
3581 		    if (tag == 32 || (tag & 1) != 0)
3582 		      {
3583 			r = memchr (r, '\0', q - r);
3584 			if (r == NULL)
3585 			  {
3586 			    ERROR (_("\
3587 section [%2d] '%s': offset %zu: unterminated string in attribute\n"),
3588 				   idx, section_name (ebl, idx), buffer_pos (data, chunk));
3589 			    break;
3590 			  }
3591 			++r;
3592 		      }
3593 
3594 		    const char *tag_name = NULL;
3595 		    const char *value_name = NULL;
3596 		    if (!ebl_check_object_attribute (ebl, (const char *) name,
3597 						     tag, value,
3598 						     &tag_name, &value_name))
3599 		      ERROR (_("\
3600 section [%2d] '%s': offset %zu: unrecognized attribute tag %u\n"),
3601 			     idx, section_name (ebl, idx), buffer_pos (data, chunk), tag);
3602 		    else if ((tag & 1) == 0 && value_name == NULL)
3603 		      ERROR (_("\
3604 section [%2d] '%s': offset %zu: unrecognized %s attribute value %" PRIu64 "\n"),
3605 			     idx, section_name (ebl, idx), buffer_pos (data, chunk),
3606 			     tag_name, value);
3607 
3608 		    chunk = r;
3609 		  }
3610 	      }
3611 	  }
3612       else
3613 	ERROR (_("\
3614 section [%2d] '%s': offset %zu: vendor '%s' unknown\n"),
3615 	       idx, section_name (ebl, idx), buffer_pos (data, p), name);
3616     }
3617 
3618   if (buffer_left (data, p) != 0)
3619     ERROR (_("\
3620 section [%2d] '%s': offset %zu: extra bytes after last attribute section\n"),
3621 	   idx, section_name (ebl, idx), buffer_pos (data, p));
3622 }
3623 
3624 static bool has_loadable_segment;
3625 static bool has_interp_segment;
3626 
3627 static const struct
3628 {
3629   const char *name;
3630   size_t namelen;
3631   GElf_Word type;
3632   enum { unused, exact, atleast, exact_or_gnuld } attrflag;
3633   GElf_Word attr;
3634   GElf_Word attr2;
3635 } special_sections[] =
3636   {
3637     /* See figure 4-14 in the gABI.  */
3638     { ".bss", 5, SHT_NOBITS, exact, SHF_ALLOC | SHF_WRITE, 0 },
3639     { ".comment", 8, SHT_PROGBITS, atleast, 0, SHF_MERGE | SHF_STRINGS },
3640     { ".data", 6, SHT_PROGBITS, exact, SHF_ALLOC | SHF_WRITE, 0 },
3641     { ".data1", 7, SHT_PROGBITS, exact, SHF_ALLOC | SHF_WRITE, 0 },
3642     { ".debug_str", 11, SHT_PROGBITS, exact_or_gnuld, SHF_MERGE | SHF_STRINGS, 0 },
3643     { ".debug_line_str", 16, SHT_PROGBITS, exact_or_gnuld, SHF_MERGE | SHF_STRINGS, 0 },
3644     { ".debug", 6, SHT_PROGBITS, exact, 0, 0 },
3645     { ".dynamic", 9, SHT_DYNAMIC, atleast, SHF_ALLOC, SHF_WRITE },
3646     { ".dynstr", 8, SHT_STRTAB, exact, SHF_ALLOC, 0 },
3647     { ".dynsym", 8, SHT_DYNSYM, exact, SHF_ALLOC, 0 },
3648     { ".fini", 6, SHT_PROGBITS, exact, SHF_ALLOC | SHF_EXECINSTR, 0 },
3649     { ".fini_array", 12, SHT_FINI_ARRAY, exact, SHF_ALLOC | SHF_WRITE, 0 },
3650     { ".got", 5, SHT_PROGBITS, unused, 0, 0 }, // XXX more info?
3651     { ".hash", 6, SHT_HASH, exact, SHF_ALLOC, 0 },
3652     { ".init", 6, SHT_PROGBITS, exact, SHF_ALLOC | SHF_EXECINSTR, 0 },
3653     { ".init_array", 12, SHT_INIT_ARRAY, exact, SHF_ALLOC | SHF_WRITE, 0 },
3654     { ".interp", 8, SHT_PROGBITS, atleast, 0, SHF_ALLOC }, // XXX more tests?
3655     { ".line", 6, SHT_PROGBITS, exact, 0, 0 },
3656     { ".note", 6, SHT_NOTE, atleast, 0, SHF_ALLOC },
3657     { ".plt", 5, SHT_PROGBITS, unused, 0, 0 }, // XXX more tests
3658     { ".preinit_array", 15, SHT_PREINIT_ARRAY, exact, SHF_ALLOC | SHF_WRITE, 0 },
3659     { ".rela", 5, SHT_RELA, atleast, 0, SHF_ALLOC | SHF_INFO_LINK }, // XXX more tests
3660     { ".rel", 4, SHT_REL, atleast, 0, SHF_ALLOC | SHF_INFO_LINK }, // XXX more tests
3661     { ".rodata", 8, SHT_PROGBITS, atleast, SHF_ALLOC, SHF_MERGE | SHF_STRINGS },
3662     { ".rodata1", 9, SHT_PROGBITS, atleast, SHF_ALLOC, SHF_MERGE | SHF_STRINGS },
3663     { ".shstrtab", 10, SHT_STRTAB, exact, 0, 0 },
3664     { ".strtab", 8, SHT_STRTAB, atleast, 0, SHF_ALLOC }, // XXX more tests
3665     { ".symtab", 8, SHT_SYMTAB, atleast, 0, SHF_ALLOC }, // XXX more tests
3666     { ".symtab_shndx", 14, SHT_SYMTAB_SHNDX, atleast, 0, SHF_ALLOC }, // XXX more tests
3667     { ".tbss", 6, SHT_NOBITS, exact, SHF_ALLOC | SHF_WRITE | SHF_TLS, 0 },
3668     { ".tdata", 7, SHT_PROGBITS, exact, SHF_ALLOC | SHF_WRITE | SHF_TLS, 0 },
3669     { ".tdata1", 8, SHT_PROGBITS, exact, SHF_ALLOC | SHF_WRITE | SHF_TLS, 0 },
3670     { ".text", 6, SHT_PROGBITS, exact, SHF_ALLOC | SHF_EXECINSTR, 0 },
3671 
3672     /* The following are GNU extensions.  */
3673     { ".gnu.version", 13, SHT_GNU_versym, exact, SHF_ALLOC, 0 },
3674     { ".gnu.version_d", 15, SHT_GNU_verdef, exact, SHF_ALLOC, 0 },
3675     { ".gnu.version_r", 15, SHT_GNU_verneed, exact, SHF_ALLOC, 0 },
3676     { ".gnu.attributes", 16, SHT_GNU_ATTRIBUTES, exact, 0, 0 },
3677   };
3678 #define nspecial_sections \
3679   (sizeof (special_sections) / sizeof (special_sections[0]))
3680 
3681 #define IS_KNOWN_SPECIAL(idx, string, prefix)			      \
3682   (special_sections[idx].namelen == sizeof string - (prefix ? 1 : 0)  \
3683    && !memcmp (special_sections[idx].name, string, \
3684 	       sizeof string - (prefix ? 1 : 0)))
3685 
3686 /* Extra section flags that might or might not be added to the section
3687    and have to be ignored.  */
3688 #define EXTRA_SHFLAGS (SHF_LINK_ORDER \
3689 		       | SHF_GNU_RETAIN \
3690 		       | SHF_GROUP \
3691 		       | SHF_COMPRESSED)
3692 
3693 
3694 /* Indices of some sections we need later.  */
3695 static size_t eh_frame_hdr_scnndx;
3696 static size_t eh_frame_scnndx;
3697 static size_t gcc_except_table_scnndx;
3698 
3699 
3700 static void
check_sections(Ebl * ebl,GElf_Ehdr * ehdr)3701 check_sections (Ebl *ebl, GElf_Ehdr *ehdr)
3702 {
3703   if (ehdr->e_shoff == 0)
3704     /* No section header.  */
3705     return;
3706 
3707   /* Allocate array to count references in section groups.  */
3708   scnref = xcalloc (shnum, sizeof (int));
3709 
3710   /* Check the zeroth section first.  It must not have any contents
3711      and the section header must contain nonzero value at most in the
3712      sh_size and sh_link fields.  */
3713   GElf_Shdr shdr_mem;
3714   GElf_Shdr *shdr = gelf_getshdr (elf_getscn (ebl->elf, 0), &shdr_mem);
3715   if (shdr == NULL)
3716     ERROR (_("cannot get section header of zeroth section\n"));
3717   else
3718     {
3719       if (shdr->sh_name != 0)
3720 	ERROR (_("zeroth section has nonzero name\n"));
3721       if (shdr->sh_type != 0)
3722 	ERROR (_("zeroth section has nonzero type\n"));
3723       if (shdr->sh_flags != 0)
3724 	ERROR (_("zeroth section has nonzero flags\n"));
3725       if (shdr->sh_addr != 0)
3726 	ERROR (_("zeroth section has nonzero address\n"));
3727       if (shdr->sh_offset != 0)
3728 	ERROR (_("zeroth section has nonzero offset\n"));
3729       if (shdr->sh_addralign != 0)
3730 	ERROR (_("zeroth section has nonzero align value\n"));
3731       if (shdr->sh_entsize != 0)
3732 	ERROR (_("zeroth section has nonzero entry size value\n"));
3733 
3734       if (shdr->sh_size != 0 && ehdr->e_shnum != 0)
3735 	ERROR (_("\
3736 zeroth section has nonzero size value while ELF header has nonzero shnum value\n"));
3737 
3738       if (shdr->sh_link != 0 && ehdr->e_shstrndx != SHN_XINDEX)
3739 	ERROR (_("\
3740 zeroth section has nonzero link value while ELF header does not signal overflow in shstrndx\n"));
3741 
3742       if (shdr->sh_info != 0 && ehdr->e_phnum != PN_XNUM)
3743 	ERROR (_("\
3744 zeroth section has nonzero link value while ELF header does not signal overflow in phnum\n"));
3745     }
3746 
3747   int *segment_flags = xcalloc (phnum, sizeof segment_flags[0]);
3748 
3749   bool dot_interp_section = false;
3750 
3751   size_t hash_idx = 0;
3752   size_t gnu_hash_idx = 0;
3753 
3754   size_t versym_scnndx = 0;
3755   for (size_t cnt = 1; cnt < shnum; ++cnt)
3756     {
3757       Elf_Scn *scn = elf_getscn (ebl->elf, cnt);
3758       shdr = gelf_getshdr (scn, &shdr_mem);
3759       if (shdr == NULL)
3760 	{
3761 	  ERROR (_("\
3762 cannot get section header for section [%2zu] '%s': %s\n"),
3763 		 cnt, section_name (ebl, cnt), elf_errmsg (-1));
3764 	  continue;
3765 	}
3766 
3767       const char *scnname = elf_strptr (ebl->elf, shstrndx, shdr->sh_name);
3768 
3769       if (scnname == NULL)
3770 	ERROR (_("section [%2zu]: invalid name\n"), cnt);
3771       else
3772 	{
3773 	  /* Check whether it is one of the special sections defined in
3774 	     the gABI.  */
3775 	  size_t s;
3776 	  for (s = 0; s < nspecial_sections; ++s)
3777 	    if (strncmp (scnname, special_sections[s].name,
3778 			 special_sections[s].namelen) == 0)
3779 	      {
3780 		char stbuf1[100];
3781 		char stbuf2[100];
3782 		char stbuf3[100];
3783 
3784 		GElf_Word good_type = special_sections[s].type;
3785 		if (IS_KNOWN_SPECIAL (s, ".plt", false)
3786 		    && ebl_bss_plt_p (ebl))
3787 		  good_type = SHT_NOBITS;
3788 
3789 		/* In a debuginfo file, any normal section can be SHT_NOBITS.
3790 		   This is only invalid for DWARF sections and .shstrtab.  */
3791 		if (shdr->sh_type != good_type
3792 		    && (shdr->sh_type != SHT_NOBITS
3793 			|| !is_debuginfo
3794 			|| IS_KNOWN_SPECIAL (s, ".debug_str", false)
3795 			|| IS_KNOWN_SPECIAL (s, ".debug", true)
3796 			|| IS_KNOWN_SPECIAL (s, ".shstrtab", false)))
3797 		  ERROR (_("\
3798 section [%2d] '%s' has wrong type: expected %s, is %s\n"),
3799 			 (int) cnt, scnname,
3800 			 ebl_section_type_name (ebl, special_sections[s].type,
3801 						stbuf1, sizeof (stbuf1)),
3802 			 ebl_section_type_name (ebl, shdr->sh_type,
3803 						stbuf2, sizeof (stbuf2)));
3804 
3805 		if (special_sections[s].attrflag == exact
3806 		    || special_sections[s].attrflag == exact_or_gnuld)
3807 		  {
3808 		    /* Except for the link order, retain, group bit and
3809 		       compression flag all the other bits should
3810 		       match exactly.  */
3811 		    if ((shdr->sh_flags & ~EXTRA_SHFLAGS)
3812 			!= special_sections[s].attr
3813 			&& (special_sections[s].attrflag == exact || !gnuld))
3814 		      ERROR (_("\
3815 section [%2zu] '%s' has wrong flags: expected %s, is %s\n"),
3816 			     cnt, scnname,
3817 			     section_flags_string (special_sections[s].attr,
3818 						   stbuf1, sizeof (stbuf1)),
3819 			     section_flags_string (shdr->sh_flags
3820 						   & ~EXTRA_SHFLAGS,
3821 						   stbuf2, sizeof (stbuf2)));
3822 		  }
3823 		else if (special_sections[s].attrflag == atleast)
3824 		  {
3825 		    if ((shdr->sh_flags & special_sections[s].attr)
3826 			!= special_sections[s].attr
3827 			|| ((shdr->sh_flags
3828 			     & ~(EXTRA_SHFLAGS
3829 				 | special_sections[s].attr
3830 				 | special_sections[s].attr2))
3831 			    != 0))
3832 		      ERROR (_("\
3833 section [%2zu] '%s' has wrong flags: expected %s and possibly %s, is %s\n"),
3834 			     cnt, scnname,
3835 			     section_flags_string (special_sections[s].attr,
3836 						   stbuf1, sizeof (stbuf1)),
3837 			     section_flags_string (special_sections[s].attr2,
3838 						   stbuf2, sizeof (stbuf2)),
3839 			     section_flags_string (shdr->sh_flags
3840 						   & ~EXTRA_SHFLAGS,
3841 						   stbuf3, sizeof (stbuf3)));
3842 		  }
3843 
3844 		if (strcmp (scnname, ".interp") == 0)
3845 		  {
3846 		    dot_interp_section = true;
3847 
3848 		    if (ehdr->e_type == ET_REL)
3849 		      ERROR (_("\
3850 section [%2zu] '%s' present in object file\n"),
3851 			     cnt, scnname);
3852 
3853 		    if ((shdr->sh_flags & SHF_ALLOC) != 0
3854 			&& !has_loadable_segment)
3855 		      ERROR (_("\
3856 section [%2zu] '%s' has SHF_ALLOC flag set but there is no loadable segment\n"),
3857 			     cnt, scnname);
3858 		    else if ((shdr->sh_flags & SHF_ALLOC) == 0
3859 			     && has_loadable_segment)
3860 		      ERROR (_("\
3861 section [%2zu] '%s' has SHF_ALLOC flag not set but there are loadable segments\n"),
3862 			     cnt, scnname);
3863 		  }
3864 		else
3865 		  {
3866 		    if (strcmp (scnname, ".symtab_shndx") == 0
3867 			&& ehdr->e_type != ET_REL)
3868 		      ERROR (_("\
3869 section [%2zu] '%s' is extension section index table in non-object file\n"),
3870 			     cnt, scnname);
3871 
3872 		    /* These sections must have the SHF_ALLOC flag set iff
3873 		       a loadable segment is available.
3874 
3875 		       .relxxx
3876 		       .strtab
3877 		       .symtab
3878 		       .symtab_shndx
3879 
3880 		       Check that if there is a reference from the
3881 		       loaded section these sections also have the
3882 		       ALLOC flag set.  */
3883 #if 0
3884 		    // XXX TODO
3885 		    if ((shdr->sh_flags & SHF_ALLOC) != 0
3886 			&& !has_loadable_segment)
3887 		      ERROR (_("\
3888 section [%2zu] '%s' has SHF_ALLOC flag set but there is no loadable segment\n"),
3889 			     cnt, scnname);
3890 		    else if ((shdr->sh_flags & SHF_ALLOC) == 0
3891 			     && has_loadable_segment)
3892 		      ERROR (_("\
3893 section [%2zu] '%s' has SHF_ALLOC flag not set but there are loadable segments\n"),
3894 			     cnt, scnname);
3895 #endif
3896 		  }
3897 
3898 		break;
3899 	      }
3900 
3901 	  /* Remember a few special sections for later.  */
3902 	  if (strcmp (scnname, ".eh_frame_hdr") == 0)
3903 	    eh_frame_hdr_scnndx = cnt;
3904 	  else if (strcmp (scnname, ".eh_frame") == 0)
3905 	    eh_frame_scnndx = cnt;
3906 	  else if (strcmp (scnname, ".gcc_except_table") == 0)
3907 	    gcc_except_table_scnndx = cnt;
3908 	}
3909 
3910       if (shdr->sh_entsize != 0 && shdr->sh_size % shdr->sh_entsize)
3911 	ERROR (_("\
3912 section [%2zu] '%s': size not multiple of entry size\n"),
3913 	       cnt, section_name (ebl, cnt));
3914 
3915       if (elf_strptr (ebl->elf, shstrndx, shdr->sh_name) == NULL)
3916 	ERROR (_("cannot get section header\n"));
3917 
3918       if (shdr->sh_type >= SHT_NUM
3919 	  && shdr->sh_type != SHT_GNU_ATTRIBUTES
3920 	  && shdr->sh_type != SHT_GNU_LIBLIST
3921 	  && shdr->sh_type != SHT_CHECKSUM
3922 	  && shdr->sh_type != SHT_GNU_verdef
3923 	  && shdr->sh_type != SHT_GNU_verneed
3924 	  && shdr->sh_type != SHT_GNU_versym
3925 	  && ebl_section_type_name (ebl, shdr->sh_type, NULL, 0) == NULL)
3926 	ERROR (_("section [%2zu] '%s' has unsupported type %d\n"),
3927 	       cnt, section_name (ebl, cnt),
3928 	       (int) shdr->sh_type);
3929 
3930 #define ALL_SH_FLAGS (SHF_WRITE | SHF_ALLOC | SHF_EXECINSTR | SHF_MERGE \
3931 		      | SHF_STRINGS | SHF_INFO_LINK | SHF_LINK_ORDER \
3932 		      | SHF_OS_NONCONFORMING | SHF_GROUP | SHF_TLS \
3933 		      | SHF_COMPRESSED | SHF_GNU_RETAIN)
3934       if (shdr->sh_flags & ~(GElf_Xword) ALL_SH_FLAGS)
3935 	{
3936 	  GElf_Xword sh_flags = shdr->sh_flags & ~(GElf_Xword) ALL_SH_FLAGS;
3937 	  if (sh_flags & SHF_MASKPROC)
3938 	    {
3939 	      /* Strictly speaking SHF_EXCLUDE is a processor specific
3940 		 section flag, but it is used generically in the GNU
3941 		 toolchain.  */
3942 	      if (gnuld)
3943 		sh_flags &= ~(GElf_Xword) SHF_EXCLUDE;
3944 	      if (!ebl_machine_section_flag_check (ebl,
3945 						   sh_flags & SHF_MASKPROC))
3946 		ERROR (_("section [%2zu] '%s'"
3947 				" contains invalid processor-specific flag(s)"
3948 				" %#" PRIx64 "\n"),
3949 		       cnt, section_name (ebl, cnt), sh_flags & SHF_MASKPROC);
3950 	      sh_flags &= ~(GElf_Xword) SHF_MASKPROC;
3951 	    }
3952 	  if (sh_flags & SHF_MASKOS)
3953 	    if (gnuld)
3954 	      sh_flags &= ~(GElf_Xword) SHF_GNU_RETAIN;
3955 	  if (sh_flags != 0)
3956 	    ERROR (_("section [%2zu] '%s' contains unknown flag(s)"
3957 			    " %#" PRIx64 "\n"),
3958 		   cnt, section_name (ebl, cnt), sh_flags);
3959 	}
3960       if (shdr->sh_flags & SHF_TLS)
3961 	{
3962 	  // XXX Correct?
3963 	  if (shdr->sh_addr != 0 && !gnuld)
3964 	    ERROR (_("\
3965 section [%2zu] '%s': thread-local data sections address not zero\n"),
3966 		   cnt, section_name (ebl, cnt));
3967 
3968 	  // XXX TODO more tests!?
3969 	}
3970 
3971       if (shdr->sh_flags & SHF_COMPRESSED)
3972 	{
3973 	  if (shdr->sh_flags & SHF_ALLOC)
3974 	    ERROR (_("\
3975 section [%2zu] '%s': allocated section cannot be compressed\n"),
3976 		   cnt, section_name (ebl, cnt));
3977 
3978 	  if (shdr->sh_type == SHT_NOBITS)
3979 	    ERROR (_("\
3980 section [%2zu] '%s': nobits section cannot be compressed\n"),
3981 		   cnt, section_name (ebl, cnt));
3982 
3983 	  GElf_Chdr chdr;
3984 	  if (gelf_getchdr (scn, &chdr) == NULL)
3985 	    ERROR (_("\
3986 section [%2zu] '%s': compressed section with no compression header: %s\n"),
3987 		   cnt, section_name (ebl, cnt), elf_errmsg (-1));
3988 	}
3989 
3990       if (shdr->sh_link >= shnum)
3991 	ERROR (_("\
3992 section [%2zu] '%s': invalid section reference in link value\n"),
3993 	       cnt, section_name (ebl, cnt));
3994 
3995       if (SH_INFO_LINK_P (shdr) && shdr->sh_info >= shnum)
3996 	ERROR (_("\
3997 section [%2zu] '%s': invalid section reference in info value\n"),
3998 	       cnt, section_name (ebl, cnt));
3999 
4000       if ((shdr->sh_flags & SHF_MERGE) == 0
4001 	  && (shdr->sh_flags & SHF_STRINGS) != 0
4002 	  && be_strict)
4003 	ERROR (_("\
4004 section [%2zu] '%s': strings flag set without merge flag\n"),
4005 	       cnt, section_name (ebl, cnt));
4006 
4007       if ((shdr->sh_flags & SHF_MERGE) != 0 && shdr->sh_entsize == 0)
4008 	ERROR (_("\
4009 section [%2zu] '%s': merge flag set but entry size is zero\n"),
4010 	       cnt, section_name (ebl, cnt));
4011 
4012       if (shdr->sh_flags & SHF_GROUP)
4013 	check_scn_group (ebl, cnt);
4014 
4015       if (shdr->sh_flags & SHF_EXECINSTR)
4016 	{
4017 	  switch (shdr->sh_type)
4018 	    {
4019 	    case SHT_PROGBITS:
4020 	      break;
4021 
4022 	    case SHT_NOBITS:
4023 	      if (is_debuginfo)
4024 		break;
4025 	      FALLTHROUGH;
4026 	    default:
4027 	      ERROR (_("\
4028 section [%2zu] '%s' has unexpected type %d for an executable section\n"),
4029 		     cnt, section_name (ebl, cnt), shdr->sh_type);
4030 	      break;
4031 	    }
4032 
4033 	  if (shdr->sh_flags & SHF_WRITE)
4034 	    {
4035 	      if (is_debuginfo && shdr->sh_type != SHT_NOBITS)
4036 		ERROR (_("\
4037 section [%2zu] '%s' must be of type NOBITS in debuginfo files\n"),
4038 		       cnt, section_name (ebl, cnt));
4039 
4040 	      if (!is_debuginfo
4041 		  && !ebl_check_special_section (ebl, cnt, shdr,
4042 						 section_name (ebl, cnt)))
4043 		ERROR (_("\
4044 section [%2zu] '%s' is both executable and writable\n"),
4045 		       cnt, section_name (ebl, cnt));
4046 	    }
4047 	}
4048 
4049       if (ehdr->e_type != ET_REL && (shdr->sh_flags & SHF_ALLOC) != 0
4050 	  && !is_debuginfo)
4051 	{
4052 	  /* Make sure the section is contained in a loaded segment
4053 	     and that the initialization part matches NOBITS sections.  */
4054 	  unsigned int pcnt;
4055 	  GElf_Phdr phdr_mem;
4056 	  GElf_Phdr *phdr;
4057 
4058 	  for (pcnt = 0; pcnt < phnum; ++pcnt)
4059 	    if ((phdr = gelf_getphdr (ebl->elf, pcnt, &phdr_mem)) != NULL
4060 		&& ((phdr->p_type == PT_LOAD
4061 		     && (shdr->sh_flags & SHF_TLS) == 0)
4062 		    || (phdr->p_type == PT_TLS
4063 			&& (shdr->sh_flags & SHF_TLS) != 0))
4064 		&& phdr->p_offset <= shdr->sh_offset
4065 		&& ((shdr->sh_offset - phdr->p_offset <= phdr->p_filesz
4066 		     && (shdr->sh_offset - phdr->p_offset < phdr->p_filesz
4067 			 || shdr->sh_size == 0))
4068 		    || (shdr->sh_offset - phdr->p_offset < phdr->p_memsz
4069 			&& shdr->sh_type == SHT_NOBITS)))
4070 	      {
4071 		/* Found the segment.  */
4072 		if (phdr->p_offset + phdr->p_memsz
4073 		    < shdr->sh_offset + shdr->sh_size)
4074 		  ERROR (_("\
4075 section [%2zu] '%s' not fully contained in segment of program header entry %d\n"),
4076 			 cnt, section_name (ebl, cnt), pcnt);
4077 
4078 		if (shdr->sh_type == SHT_NOBITS)
4079 		  {
4080 		    if (shdr->sh_offset < phdr->p_offset + phdr->p_filesz
4081 			&& !is_debuginfo)
4082 		      {
4083 			if (!gnuld)
4084 			  ERROR (_("\
4085 section [%2zu] '%s' has type NOBITS but is read from the file in segment of program header entry %d\n"),
4086 				 cnt, section_name (ebl, cnt), pcnt);
4087 			else
4088 			  {
4089 			    /* This is truly horrible. GNU ld might put a
4090 			       NOBITS section in the middle of a PT_LOAD
4091 			       segment, assuming the next gap in the file
4092 			       actually consists of zero bits...
4093 			       So it really is like a PROGBITS section
4094 			       where the data is all zeros.  Check those
4095 			       zero bytes are really there.  */
4096 			    bool bad;
4097 			    Elf_Data *databits;
4098 			    databits = elf_getdata_rawchunk (ebl->elf,
4099 							     shdr->sh_offset,
4100 							     shdr->sh_size,
4101 							     ELF_T_BYTE);
4102 			    bad = (databits == NULL
4103 				   || databits->d_size != shdr->sh_size);
4104 			    for (size_t idx = 0;
4105 				 ! bad && idx < databits->d_size;
4106 				 idx++)
4107 			      bad = ((char *) databits->d_buf)[idx] != 0;
4108 
4109 			    if (bad)
4110 			      ERROR (_("\
4111 section [%2zu] '%s' has type NOBITS but is read from the file in segment of program header entry %d and file contents is non-zero\n"),
4112 				     cnt, section_name (ebl, cnt), pcnt);
4113 			  }
4114 		      }
4115 		  }
4116 		else
4117 		  {
4118 		    const GElf_Off end = phdr->p_offset + phdr->p_filesz;
4119 		    if (shdr->sh_offset > end ||
4120 			(shdr->sh_offset == end && shdr->sh_size != 0))
4121 		      ERROR (_("\
4122 section [%2zu] '%s' has not type NOBITS but is not read from the file in segment of program header entry %d\n"),
4123 			 cnt, section_name (ebl, cnt), pcnt);
4124 		  }
4125 
4126 		if (shdr->sh_type != SHT_NOBITS)
4127 		  {
4128 		    if ((shdr->sh_flags & SHF_EXECINSTR) != 0)
4129 		      {
4130 			segment_flags[pcnt] |= PF_X;
4131 			if ((phdr->p_flags & PF_X) == 0)
4132 			  ERROR (_("\
4133 section [%2zu] '%s' is executable in nonexecutable segment %d\n"),
4134 				 cnt, section_name (ebl, cnt), pcnt);
4135 		      }
4136 
4137 		    if ((shdr->sh_flags & SHF_WRITE) != 0)
4138 		      {
4139 			segment_flags[pcnt] |= PF_W;
4140 			if (0	/* XXX vdso images have this */
4141 			    && (phdr->p_flags & PF_W) == 0)
4142 			  ERROR (_("\
4143 section [%2zu] '%s' is writable in unwritable segment %d\n"),
4144 				 cnt, section_name (ebl, cnt), pcnt);
4145 		      }
4146 		  }
4147 
4148 		break;
4149 	      }
4150 
4151 	  if (pcnt == phnum)
4152 	    ERROR (_("\
4153 section [%2zu] '%s': alloc flag set but section not in any loaded segment\n"),
4154 		   cnt, section_name (ebl, cnt));
4155 	}
4156 
4157       if (cnt == shstrndx && shdr->sh_type != SHT_STRTAB)
4158 	ERROR (_("\
4159 section [%2zu] '%s': ELF header says this is the section header string table but type is not SHT_TYPE\n"),
4160 	       cnt, section_name (ebl, cnt));
4161 
4162       switch (shdr->sh_type)
4163 	{
4164 	case SHT_DYNSYM:
4165 	  if (ehdr->e_type == ET_REL)
4166 	    ERROR (_("\
4167 section [%2zu] '%s': relocatable files cannot have dynamic symbol tables\n"),
4168 		   cnt, section_name (ebl, cnt));
4169 	  FALLTHROUGH;
4170 	case SHT_SYMTAB:
4171 	  check_symtab (ebl, ehdr, shdr, cnt);
4172 	  break;
4173 
4174 	case SHT_RELA:
4175 	  check_rela (ebl, ehdr, shdr, cnt);
4176 	  break;
4177 
4178 	case SHT_REL:
4179 	  check_rel (ebl, ehdr, shdr, cnt);
4180 	  break;
4181 
4182 	case SHT_DYNAMIC:
4183 	  check_dynamic (ebl, ehdr, shdr, cnt);
4184 	  break;
4185 
4186 	case SHT_SYMTAB_SHNDX:
4187 	  check_symtab_shndx (ebl, ehdr, shdr, cnt);
4188 	  break;
4189 
4190 	case SHT_HASH:
4191 	  check_hash (shdr->sh_type, ebl, ehdr, shdr, cnt);
4192 	  hash_idx = cnt;
4193 	  break;
4194 
4195 	case SHT_GNU_HASH:
4196 	  check_hash (shdr->sh_type, ebl, ehdr, shdr, cnt);
4197 	  gnu_hash_idx = cnt;
4198 	  break;
4199 
4200 	case SHT_NULL:
4201 	  check_null (ebl, shdr, cnt);
4202 	  break;
4203 
4204 	case SHT_GROUP:
4205 	  check_group (ebl, ehdr, shdr, cnt);
4206 	  break;
4207 
4208 	case SHT_NOTE:
4209 	  check_note_section (ebl, ehdr, shdr, cnt);
4210 	  break;
4211 
4212 	case SHT_GNU_versym:
4213 	  /* We cannot process this section now since we have no guarantee
4214 	     that the verneed and verdef sections have already been read.
4215 	     Just remember the section index.  */
4216 	  if (versym_scnndx != 0)
4217 	    ERROR (_("more than one version symbol table present\n"));
4218 	  versym_scnndx = cnt;
4219 	  break;
4220 
4221 	case SHT_GNU_verneed:
4222 	  check_verneed (ebl, shdr, cnt);
4223 	  break;
4224 
4225 	case SHT_GNU_verdef:
4226 	  check_verdef (ebl, shdr, cnt);
4227 	  break;
4228 
4229 	case SHT_GNU_ATTRIBUTES:
4230 	  check_attributes (ebl, ehdr, shdr, cnt);
4231 	  break;
4232 
4233 	default:
4234 	  /* Nothing.  */
4235 	  break;
4236 	}
4237     }
4238 
4239   if (has_interp_segment && !dot_interp_section)
4240     ERROR (_("INTERP program header entry but no .interp section\n"));
4241 
4242   if (!is_debuginfo)
4243     for (unsigned int pcnt = 0; pcnt < phnum; ++pcnt)
4244       {
4245 	GElf_Phdr phdr_mem;
4246 	GElf_Phdr *phdr = gelf_getphdr (ebl->elf, pcnt, &phdr_mem);
4247 	if (phdr != NULL && (phdr->p_type == PT_LOAD || phdr->p_type == PT_TLS))
4248 	  {
4249 	    if ((phdr->p_flags & PF_X) != 0
4250 		&& (segment_flags[pcnt] & PF_X) == 0)
4251 	      ERROR (_("\
4252 loadable segment [%u] is executable but contains no executable sections\n"),
4253 		     pcnt);
4254 
4255 	    if ((phdr->p_flags & PF_W) != 0
4256 		&& (segment_flags[pcnt] & PF_W) == 0)
4257 	      ERROR (_("\
4258 loadable segment [%u] is writable but contains no writable sections\n"),
4259 		     pcnt);
4260 	  }
4261       }
4262 
4263   free (segment_flags);
4264 
4265   if (version_namelist != NULL)
4266     {
4267       if (versym_scnndx == 0)
4268     ERROR (_("\
4269 no .gnu.versym section present but .gnu.versym_d or .gnu.versym_r section exist\n"));
4270       else
4271 	check_versym (ebl, versym_scnndx);
4272 
4273       /* Check for duplicate index numbers.  */
4274       do
4275 	{
4276 	  struct version_namelist *runp = version_namelist->next;
4277 	  while (runp != NULL)
4278 	    {
4279 	      if (version_namelist->ndx == runp->ndx)
4280 		{
4281 		  ERROR (_("duplicate version index %d\n"),
4282 			 (int) version_namelist->ndx);
4283 		  break;
4284 		}
4285 	      runp = runp->next;
4286 	    }
4287 
4288 	  struct version_namelist *old = version_namelist;
4289 	  version_namelist = version_namelist->next;
4290 	  free (old);
4291 	}
4292       while (version_namelist != NULL);
4293     }
4294   else if (versym_scnndx != 0)
4295     ERROR (_("\
4296 .gnu.versym section present without .gnu.versym_d or .gnu.versym_r\n"));
4297 
4298   if (hash_idx != 0 && gnu_hash_idx != 0)
4299     compare_hash_gnu_hash (ebl, ehdr, hash_idx, gnu_hash_idx);
4300 
4301   free (scnref);
4302 }
4303 
4304 
4305 static GElf_Off
check_note_data(Ebl * ebl,const GElf_Ehdr * ehdr,Elf_Data * data,int shndx,int phndx,GElf_Off start)4306 check_note_data (Ebl *ebl, const GElf_Ehdr *ehdr,
4307 		 Elf_Data *data, int shndx, int phndx, GElf_Off start)
4308 {
4309   size_t offset = 0;
4310   size_t last_offset = 0;
4311   GElf_Nhdr nhdr;
4312   size_t name_offset;
4313   size_t desc_offset;
4314   while (offset < data->d_size
4315 	 && (offset = gelf_getnote (data, offset,
4316 				    &nhdr, &name_offset, &desc_offset)) > 0)
4317     {
4318       last_offset = offset;
4319 
4320       /* Make sure it is one of the note types we know about.  */
4321       if (ehdr->e_type == ET_CORE)
4322 	switch (nhdr.n_type)
4323 	  {
4324 	  case NT_PRSTATUS:
4325 	  case NT_FPREGSET:
4326 	  case NT_PRPSINFO:
4327 	  case NT_TASKSTRUCT:		/* NT_PRXREG on Solaris.  */
4328 	  case NT_PLATFORM:
4329 	  case NT_AUXV:
4330 	  case NT_GWINDOWS:
4331 	  case NT_ASRS:
4332 	  case NT_PSTATUS:
4333 	  case NT_PSINFO:
4334 	  case NT_PRCRED:
4335 	  case NT_UTSNAME:
4336 	  case NT_LWPSTATUS:
4337 	  case NT_LWPSINFO:
4338 	  case NT_PRFPXREG:
4339 	    /* Known type.  */
4340 	    break;
4341 
4342 	  default:
4343 	    if (shndx == 0)
4344 	      ERROR (_("\
4345 phdr[%d]: unknown core file note type %" PRIu32 " at offset %" PRIu64 "\n"),
4346 		     phndx, (uint32_t) nhdr.n_type, start + offset);
4347 	    else
4348 	      ERROR (_("\
4349 section [%2d] '%s': unknown core file note type %" PRIu32
4350 			      " at offset %zu\n"),
4351 		     shndx, section_name (ebl, shndx),
4352 		     (uint32_t) nhdr.n_type, offset);
4353 	  }
4354       else
4355 	switch (nhdr.n_type)
4356 	  {
4357 	  case NT_GNU_ABI_TAG:
4358 	  case NT_GNU_HWCAP:
4359 	  case NT_GNU_BUILD_ID:
4360 	  case NT_GNU_GOLD_VERSION:
4361 	  case NT_GNU_PROPERTY_TYPE_0:
4362 	    if (nhdr.n_namesz == sizeof ELF_NOTE_GNU
4363 		&& strcmp (data->d_buf + name_offset, ELF_NOTE_GNU) == 0)
4364 	      break;
4365 	    else
4366 	      {
4367 		/* NT_VERSION is 1, same as NT_GNU_ABI_TAG.  It has no
4368 		   descriptor and (ab)uses the name as version string.  */
4369 		if (nhdr.n_descsz == 0 && nhdr.n_type == NT_VERSION)
4370 		  break;
4371 	      }
4372 	      goto unknown_note;
4373 
4374 	  case NT_GNU_BUILD_ATTRIBUTE_OPEN:
4375 	  case NT_GNU_BUILD_ATTRIBUTE_FUNC:
4376 	    /* GNU Build Attributes store most data in the owner
4377 	       name, which must start with the
4378 	       ELF_NOTE_GNU_BUILD_ATTRIBUTE_PREFIX "GA".  */
4379 	    if (nhdr.n_namesz >= sizeof ELF_NOTE_GNU_BUILD_ATTRIBUTE_PREFIX
4380 		&& strncmp (data->d_buf + name_offset,
4381 			    ELF_NOTE_GNU_BUILD_ATTRIBUTE_PREFIX,
4382 			    strlen (ELF_NOTE_GNU_BUILD_ATTRIBUTE_PREFIX)) == 0)
4383 	      break;
4384 	    else
4385 	      goto unknown_note;
4386 
4387 	  case 0:
4388 	    /* Linux vDSOs use a type 0 note for the kernel version word.  */
4389 	    if (nhdr.n_namesz == sizeof "Linux"
4390 		&& !memcmp (data->d_buf + name_offset, "Linux", sizeof "Linux"))
4391 	      break;
4392 	    FALLTHROUGH;
4393 	  default:
4394 	    {
4395 	    unknown_note:
4396 	    if (shndx == 0)
4397 	      ERROR (_("\
4398 phdr[%d]: unknown object file note type %" PRIu32 " with owner name '%s' at offset %zu\n"),
4399 		     phndx, (uint32_t) nhdr.n_type,
4400 		     (char *) data->d_buf + name_offset, offset);
4401 	    else
4402 	      ERROR (_("\
4403 section [%2d] '%s': unknown object file note type %" PRIu32
4404 			      " with owner name '%s' at offset %zu\n"),
4405 		     shndx, section_name (ebl, shndx),
4406 		     (uint32_t) nhdr.n_type,
4407 		     (char *) data->d_buf + name_offset, offset);
4408 	    }
4409 	  }
4410     }
4411 
4412   return last_offset;
4413 }
4414 
4415 
4416 static void
check_note(Ebl * ebl,GElf_Ehdr * ehdr,GElf_Phdr * phdr,int cnt)4417 check_note (Ebl *ebl, GElf_Ehdr *ehdr, GElf_Phdr *phdr, int cnt)
4418 {
4419   if (ehdr->e_type != ET_CORE && ehdr->e_type != ET_REL
4420       && ehdr->e_type != ET_EXEC && ehdr->e_type != ET_DYN)
4421     ERROR (_("\
4422 phdr[%d]: no note entries defined for the type of file\n"),
4423 	   cnt);
4424 
4425   if (is_debuginfo)
4426     /* The p_offset values in a separate debug file are bogus.  */
4427     return;
4428 
4429   if (phdr->p_filesz == 0)
4430     return;
4431 
4432   GElf_Off notes_size = 0;
4433   Elf_Data *data = elf_getdata_rawchunk (ebl->elf,
4434 					 phdr->p_offset, phdr->p_filesz,
4435 					 (phdr->p_align == 8
4436 					  ? ELF_T_NHDR8 : ELF_T_NHDR));
4437   if (data != NULL && data->d_buf != NULL)
4438     notes_size = check_note_data (ebl, ehdr, data, 0, cnt, phdr->p_offset);
4439 
4440   if (notes_size == 0)
4441     ERROR (_("phdr[%d]: cannot get content of note section: %s\n"),
4442 	   cnt, elf_errmsg (-1));
4443   else if (notes_size != phdr->p_filesz)
4444     ERROR (_("phdr[%d]: extra %" PRIu64 " bytes after last note\n"),
4445 	   cnt, phdr->p_filesz - notes_size);
4446 }
4447 
4448 
4449 static void
check_note_section(Ebl * ebl,GElf_Ehdr * ehdr,GElf_Shdr * shdr,int idx)4450 check_note_section (Ebl *ebl, GElf_Ehdr *ehdr, GElf_Shdr *shdr, int idx)
4451 {
4452   if (shdr->sh_size == 0)
4453     return;
4454 
4455   Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
4456   if (data == NULL || data->d_buf == NULL)
4457     {
4458       ERROR (_("section [%2d] '%s': cannot get section data\n"),
4459 	     idx, section_name (ebl, idx));
4460       return;
4461     }
4462 
4463   if (ehdr->e_type != ET_CORE && ehdr->e_type != ET_REL
4464       && ehdr->e_type != ET_EXEC && ehdr->e_type != ET_DYN)
4465     ERROR (_("\
4466 section [%2d] '%s': no note entries defined for the type of file\n"),
4467 	     idx, section_name (ebl, idx));
4468 
4469   GElf_Off notes_size = check_note_data (ebl, ehdr, data, idx, 0, 0);
4470 
4471   if (notes_size == 0)
4472     ERROR (_("section [%2d] '%s': cannot get content of note section\n"),
4473 	   idx, section_name (ebl, idx));
4474   else if (notes_size != shdr->sh_size)
4475     ERROR (_("section [%2d] '%s': extra %" PRIu64
4476 		    " bytes after last note\n"),
4477 	   idx, section_name (ebl, idx), shdr->sh_size - notes_size);
4478 }
4479 
4480 
4481 /* Index of the PT_GNU_EH_FRAME program eader entry.  */
4482 static int pt_gnu_eh_frame_pndx;
4483 
4484 
4485 static void
check_program_header(Ebl * ebl,GElf_Ehdr * ehdr)4486 check_program_header (Ebl *ebl, GElf_Ehdr *ehdr)
4487 {
4488   if (ehdr->e_phoff == 0)
4489     return;
4490 
4491   if (ehdr->e_type != ET_EXEC && ehdr->e_type != ET_DYN
4492       && ehdr->e_type != ET_CORE)
4493     ERROR (_("\
4494 only executables, shared objects, and core files can have program headers\n"));
4495 
4496   int num_pt_interp = 0;
4497   int num_pt_tls = 0;
4498   int num_pt_relro = 0;
4499 
4500   for (unsigned int cnt = 0; cnt < phnum; ++cnt)
4501     {
4502       GElf_Phdr phdr_mem;
4503       GElf_Phdr *phdr;
4504 
4505       phdr = gelf_getphdr (ebl->elf, cnt, &phdr_mem);
4506       if (phdr == NULL)
4507 	{
4508 	  ERROR (_("cannot get program header entry %d: %s\n"),
4509 		 cnt, elf_errmsg (-1));
4510 	  continue;
4511 	}
4512 
4513       if (phdr->p_type >= PT_NUM && phdr->p_type != PT_GNU_EH_FRAME
4514 	  && phdr->p_type != PT_GNU_STACK && phdr->p_type != PT_GNU_RELRO
4515 	  && phdr->p_type != PT_GNU_PROPERTY
4516 	  /* Check for a known machine-specific type.  */
4517 	  && ebl_segment_type_name (ebl, phdr->p_type, NULL, 0) == NULL)
4518 	ERROR (_("\
4519 program header entry %d: unknown program header entry type %#" PRIx64 "\n"),
4520 	       cnt, (uint64_t) phdr->p_type);
4521 
4522       if (phdr->p_type == PT_LOAD)
4523 	has_loadable_segment = true;
4524       else if (phdr->p_type == PT_INTERP)
4525 	{
4526 	  if (++num_pt_interp != 1)
4527 	    {
4528 	      if (num_pt_interp == 2)
4529 		ERROR (_("\
4530 more than one INTERP entry in program header\n"));
4531 	    }
4532 	  has_interp_segment = true;
4533 	}
4534       else if (phdr->p_type == PT_TLS)
4535 	{
4536 	  if (++num_pt_tls == 2)
4537 	    ERROR (_("more than one TLS entry in program header\n"));
4538 	}
4539       else if (phdr->p_type == PT_NOTE)
4540 	check_note (ebl, ehdr, phdr, cnt);
4541       else if (phdr->p_type == PT_DYNAMIC)
4542 	{
4543 	  if (ehdr->e_type == ET_EXEC && ! has_interp_segment)
4544 	    ERROR (_("\
4545 static executable cannot have dynamic sections\n"));
4546 	  else
4547 	    {
4548 	      /* Check that the .dynamic section, if it exists, has
4549 		 the same address.  */
4550 	      Elf_Scn *scn = NULL;
4551 	      while ((scn = elf_nextscn (ebl->elf, scn)) != NULL)
4552 		{
4553 		  GElf_Shdr shdr_mem;
4554 		  GElf_Shdr *shdr = gelf_getshdr (scn, &shdr_mem);
4555 		  if (shdr != NULL && shdr->sh_type == SHT_DYNAMIC)
4556 		    {
4557 		      if (phdr->p_offset != shdr->sh_offset)
4558 			ERROR (_("\
4559 dynamic section reference in program header has wrong offset\n"));
4560 		      if (phdr->p_memsz != shdr->sh_size)
4561 			ERROR (_("\
4562 dynamic section size mismatch in program and section header\n"));
4563 		      break;
4564 		    }
4565 		}
4566 	    }
4567 	}
4568       else if (phdr->p_type == PT_GNU_RELRO)
4569 	{
4570 	  if (++num_pt_relro == 2)
4571 	    ERROR (_("\
4572 more than one GNU_RELRO entry in program header\n"));
4573 	  else
4574 	    {
4575 	      /* Check that the region is in a writable segment.  */
4576 	      unsigned int inner;
4577 	      for (inner = 0; inner < phnum; ++inner)
4578 		{
4579 		  GElf_Phdr phdr2_mem;
4580 		  GElf_Phdr *phdr2;
4581 
4582 		  phdr2 = gelf_getphdr (ebl->elf, inner, &phdr2_mem);
4583 		  if (phdr2 == NULL)
4584 		    continue;
4585 
4586 		  if (phdr2->p_type == PT_LOAD
4587 		      && phdr->p_vaddr >= phdr2->p_vaddr
4588 		      && (phdr->p_vaddr + phdr->p_memsz
4589 			  <= phdr2->p_vaddr + phdr2->p_memsz))
4590 		    {
4591 		      if ((phdr2->p_flags & PF_W) == 0)
4592 			ERROR (_("\
4593 loadable segment GNU_RELRO applies to is not writable\n"));
4594 		      /* Unless fully covered, relro flags could be a
4595 			 subset of the phdrs2 flags.  For example the load
4596 			 segment could also have PF_X set.  */
4597 		      if (phdr->p_vaddr == phdr2->p_vaddr
4598 			  && (phdr->p_vaddr + phdr->p_memsz
4599 			      == phdr2->p_vaddr + phdr2->p_memsz))
4600 			{
4601 			  if ((phdr2->p_flags & ~PF_W)
4602 			      != (phdr->p_flags & ~PF_W))
4603 			    ERROR (_("\
4604 loadable segment [%u] flags do not match GNU_RELRO [%u] flags\n"),
4605 				   cnt, inner);
4606 			}
4607 		      else
4608 			{
4609 			  if ((phdr->p_flags & ~phdr2->p_flags) != 0)
4610 			    ERROR (_("\
4611 GNU_RELRO [%u] flags are not a subset of the loadable segment [%u] flags\n"),
4612 				   inner, cnt);
4613 			}
4614 		      break;
4615 		    }
4616 		}
4617 
4618 	      if (inner >= phnum)
4619 		ERROR (_("\
4620 %s segment not contained in a loaded segment\n"), "GNU_RELRO");
4621 	    }
4622 	}
4623       else if (phdr->p_type == PT_PHDR)
4624 	{
4625 	  /* Check that the region is in a writable segment.  */
4626 	  unsigned int inner;
4627 	  for (inner = 0; inner < phnum; ++inner)
4628 	    {
4629 	      GElf_Phdr phdr2_mem;
4630 	      GElf_Phdr *phdr2;
4631 
4632 	      phdr2 = gelf_getphdr (ebl->elf, inner, &phdr2_mem);
4633 	      if (phdr2 != NULL
4634 		  && phdr2->p_type == PT_LOAD
4635 		  && phdr->p_vaddr >= phdr2->p_vaddr
4636 		  && (phdr->p_vaddr + phdr->p_memsz
4637 		      <= phdr2->p_vaddr + phdr2->p_memsz))
4638 		break;
4639 	    }
4640 
4641 	  if (inner >= phnum)
4642 	    ERROR (_("\
4643 %s segment not contained in a loaded segment\n"), "PHDR");
4644 
4645 	  /* Check that offset in segment corresponds to offset in ELF
4646 	     header.  */
4647 	  if (phdr->p_offset != ehdr->e_phoff)
4648 	    ERROR (_("\
4649 program header offset in ELF header and PHDR entry do not match"));
4650 	}
4651       else if (phdr->p_type == PT_GNU_EH_FRAME)
4652 	{
4653 	  /* If there is an .eh_frame_hdr section it must be
4654 	     referenced by this program header entry.  */
4655 	  Elf_Scn *scn = NULL;
4656 	  GElf_Shdr shdr_mem;
4657 	  GElf_Shdr *shdr = NULL;
4658 	  bool any = false;
4659 	  while ((scn = elf_nextscn (ebl->elf, scn)) != NULL)
4660 	    {
4661 	      any = true;
4662 	      shdr = gelf_getshdr (scn, &shdr_mem);
4663 	      if (shdr != NULL
4664 		  && ((is_debuginfo && shdr->sh_type == SHT_NOBITS)
4665 		      || (! is_debuginfo
4666 			  && (shdr->sh_type == SHT_PROGBITS
4667 			      || shdr->sh_type == SHT_X86_64_UNWIND)))
4668 		  && elf_strptr (ebl->elf, shstrndx, shdr->sh_name) != NULL
4669 		  && ! strcmp (".eh_frame_hdr",
4670 			       elf_strptr (ebl->elf, shstrndx, shdr->sh_name)))
4671 		{
4672 		  if (! is_debuginfo)
4673 		    {
4674 		      if (phdr->p_offset != shdr->sh_offset)
4675 			ERROR (_("\
4676 call frame search table reference in program header has wrong offset\n"));
4677 		      if (phdr->p_memsz != shdr->sh_size)
4678 			ERROR (_("\
4679 call frame search table size mismatch in program and section header\n"));
4680 		    }
4681 		  break;
4682 		}
4683 	    }
4684 
4685 	  if (scn == NULL)
4686 	    {
4687 	      /* If there is no section header table we don't
4688 		 complain.  But if there is one there should be an
4689 		 entry for .eh_frame_hdr.  */
4690 	      if (any)
4691 		ERROR (_("\
4692 PT_GNU_EH_FRAME present but no .eh_frame_hdr section\n"));
4693 	    }
4694 	  else
4695 	    {
4696 	      /* The section must be allocated and not be writable and
4697 		 executable.  */
4698 	      if ((phdr->p_flags & PF_R) == 0)
4699 		ERROR (_("\
4700 call frame search table must be allocated\n"));
4701 	      else if (shdr != NULL && (shdr->sh_flags & SHF_ALLOC) == 0)
4702 		ERROR (_("\
4703 section [%2zu] '%s' must be allocated\n"), elf_ndxscn (scn), ".eh_frame_hdr");
4704 
4705 	      if ((phdr->p_flags & PF_W) != 0)
4706 		ERROR (_("\
4707 call frame search table must not be writable\n"));
4708 	      else if (shdr != NULL && (shdr->sh_flags & SHF_WRITE) != 0)
4709 		ERROR (_("\
4710 section [%2zu] '%s' must not be writable\n"),
4711 		       elf_ndxscn (scn), ".eh_frame_hdr");
4712 
4713 	      if ((phdr->p_flags & PF_X) != 0)
4714 		ERROR (_("\
4715 call frame search table must not be executable\n"));
4716 	      else if (shdr != NULL && (shdr->sh_flags & SHF_EXECINSTR) != 0)
4717 		ERROR (_("\
4718 section [%2zu] '%s' must not be executable\n"),
4719 		       elf_ndxscn (scn), ".eh_frame_hdr");
4720 	    }
4721 
4722 	  /* Remember which entry this is.  */
4723 	  pt_gnu_eh_frame_pndx = cnt;
4724 	}
4725 
4726       if (phdr->p_filesz > phdr->p_memsz
4727 	  && (phdr->p_memsz != 0 || phdr->p_type != PT_NOTE))
4728 	ERROR (_("\
4729 program header entry %d: file size greater than memory size\n"),
4730 	       cnt);
4731 
4732       if (phdr->p_align > 1)
4733 	{
4734 	  if (!powerof2 (phdr->p_align))
4735 	    ERROR (_("\
4736 program header entry %d: alignment not a power of 2\n"), cnt);
4737 	  else if ((phdr->p_vaddr - phdr->p_offset) % phdr->p_align != 0)
4738 	    ERROR (_("\
4739 program header entry %d: file offset and virtual address not module of alignment\n"), cnt);
4740 	}
4741     }
4742 }
4743 
4744 
4745 static void
check_exception_data(Ebl * ebl,GElf_Ehdr * ehdr)4746 check_exception_data (Ebl *ebl __attribute__ ((unused)),
4747 		      GElf_Ehdr *ehdr __attribute__ ((unused)))
4748 {
4749   if ((ehdr->e_type == ET_EXEC || ehdr->e_type == ET_DYN)
4750       && pt_gnu_eh_frame_pndx == 0 && eh_frame_hdr_scnndx != 0)
4751     ERROR (_("executable/DSO with .eh_frame_hdr section does not have "
4752 		    "a PT_GNU_EH_FRAME program header entry"));
4753 }
4754 
4755 
4756 /* Process one file.  */
4757 static void
process_elf_file(Elf * elf,const char * prefix,const char * suffix,const char * fname,size_t size,bool only_one)4758 process_elf_file (Elf *elf, const char *prefix, const char *suffix,
4759 		  const char *fname, size_t size, bool only_one)
4760 {
4761   /* Reset variables.  */
4762   ndynamic = 0;
4763   nverneed = 0;
4764   nverdef = 0;
4765   textrel = false;
4766   needed_textrel = false;
4767   has_loadable_segment = false;
4768   has_interp_segment = false;
4769 
4770   GElf_Ehdr ehdr_mem;
4771   GElf_Ehdr *ehdr = gelf_getehdr (elf, &ehdr_mem);
4772   Ebl *ebl;
4773 
4774   /* Print the file name.  */
4775   if (!only_one)
4776     {
4777       if (prefix != NULL)
4778 	printf ("\n%s(%s)%s:\n", prefix, fname, suffix);
4779       else
4780 	printf ("\n%s:\n", fname);
4781     }
4782 
4783   if (ehdr == NULL)
4784     {
4785       ERROR (_("cannot read ELF header: %s\n"), elf_errmsg (-1));
4786       return;
4787     }
4788 
4789   ebl = ebl_openbackend (elf);
4790   /* If there is no appropriate backend library we cannot test
4791      architecture and OS specific features.  Any encountered extension
4792      is an error.  Often we'll get a "dummy" ebl, except if something
4793      really bad happen, like a totally corrupted ELF file or out of
4794      memory situation.  */
4795   if (ebl == NULL)
4796     {
4797       ERROR (_("cannot create backend for ELF file\n"));
4798       return;
4799     }
4800 
4801   /* Go straight by the gABI, check all the parts in turn.  */
4802   check_elf_header (ebl, ehdr, size);
4803 
4804   /* Check the program header.  */
4805   check_program_header (ebl, ehdr);
4806 
4807   /* Next the section headers.  It is OK if there are no section
4808      headers at all.  */
4809   check_sections (ebl, ehdr);
4810 
4811   /* Check the exception handling data, if it exists.  */
4812   if (pt_gnu_eh_frame_pndx != 0 || eh_frame_hdr_scnndx != 0
4813       || eh_frame_scnndx != 0 || gcc_except_table_scnndx != 0)
4814     check_exception_data (ebl, ehdr);
4815 
4816   /* Report if no relocation section needed the text relocation flag.  */
4817   if (textrel && !needed_textrel)
4818     ERROR (_("text relocation flag set but not needed\n"));
4819 
4820   /* Free the resources.  */
4821   ebl_closebackend (ebl);
4822 }
4823 
4824 
4825 #include "debugpred.h"
4826