1 /* Pedantic checking of ELF files compliance with gABI/psABI spec.
2    Copyright (C) 2001-2015, 2017, 2018 Red Hat, Inc.
3    This file is part of elfutils.
4    Written by Ulrich Drepper <drepper@redhat.com>, 2001.
5 
6    This file is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License as published by
8    the Free Software Foundation; either version 3 of the License, or
9    (at your option) any later version.
10 
11    elfutils is distributed in the hope that it will be useful, but
12    WITHOUT ANY WARRANTY; without even the implied warranty of
13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14    GNU General Public License for more details.
15 
16    You should have received a copy of the GNU General Public License
17    along with this program.  If not, see <http://www.gnu.org/licenses/>.  */
18 
19 #ifdef HAVE_CONFIG_H
20 # include <config.h>
21 #endif
22 
23 #include <argp.h>
24 #include <assert.h>
25 #include <byteswap.h>
26 #include <endian.h>
27 #include <fcntl.h>
28 #include <gelf.h>
29 #include <inttypes.h>
30 #include <locale.h>
31 #include <stdbool.h>
32 #include <stdlib.h>
33 #include <string.h>
34 #include <unistd.h>
35 #include <sys/stat.h>
36 
37 #include <elf-knowledge.h>
38 #include <libeu.h>
39 #include <system.h>
40 #include <printversion.h>
41 #include "../libelf/libelfP.h"
42 #include "../libelf/common.h"
43 #include "../libebl/libeblP.h"
44 #include "../libdw/libdwP.h"
45 #include "../libdwfl/libdwflP.h"
46 #include "../libdw/memory-access.h"
47 
48 
49 /* Name and version of program.  */
50 ARGP_PROGRAM_VERSION_HOOK_DEF = print_version;
51 
52 /* Bug report address.  */
53 ARGP_PROGRAM_BUG_ADDRESS_DEF = PACKAGE_BUGREPORT;
54 
55 #define ARGP_strict	300
56 #define ARGP_gnuld	301
57 
58 /* Definitions of arguments for argp functions.  */
59 static const struct argp_option options[] =
60 {
61   { "strict", ARGP_strict, NULL, 0,
62     N_("Be extremely strict, flag level 2 features."), 0 },
63   { "quiet", 'q', NULL, 0, N_("Do not print anything if successful"), 0 },
64   { "debuginfo", 'd', NULL, 0, N_("Binary is a separate debuginfo file"), 0 },
65   { "gnu-ld", ARGP_gnuld, NULL, 0,
66     N_("Binary has been created with GNU ld and is therefore known to be \
67 broken in certain ways"), 0 },
68   { NULL, 0, NULL, 0, NULL, 0 }
69 };
70 
71 /* Short description of program.  */
72 static const char doc[] = N_("\
73 Pedantic checking of ELF files compliance with gABI/psABI spec.");
74 
75 /* Strings for arguments in help texts.  */
76 static const char args_doc[] = N_("FILE...");
77 
78 /* Prototype for option handler.  */
79 static error_t parse_opt (int key, char *arg, struct argp_state *state);
80 
81 /* Data structure to communicate with argp functions.  */
82 static struct argp argp =
83 {
84   options, parse_opt, args_doc, doc, NULL, NULL, NULL
85 };
86 
87 
88 /* Declarations of local functions.  */
89 static void process_file (int fd, Elf *elf, const char *prefix,
90 			  const char *suffix, const char *fname, size_t size,
91 			  bool only_one);
92 static void process_elf_file (Elf *elf, const char *prefix, const char *suffix,
93 			      const char *fname, size_t size, bool only_one);
94 static void check_note_section (Ebl *ebl, GElf_Ehdr *ehdr,
95 				GElf_Shdr *shdr, int idx);
96 
97 
98 /* Report an error.  */
99 #define ERROR(str, args...) \
100   do {									      \
101     printf (str, ##args);						      \
102     ++error_count;							      \
103   } while (0)
104 static unsigned int error_count;
105 
106 /* True if we should perform very strict testing.  */
107 static bool be_strict;
108 
109 /* True if no message is to be printed if the run is successful.  */
110 static bool be_quiet;
111 
112 /* True if binary is from strip -f, not a normal ELF file.  */
113 static bool is_debuginfo;
114 
115 /* True if binary is assumed to be generated with GNU ld.  */
116 static bool gnuld;
117 
118 /* Index of section header string table.  */
119 static uint32_t shstrndx;
120 
121 /* Array to count references in section groups.  */
122 static int *scnref;
123 
124 /* Numbers of sections and program headers.  */
125 static unsigned int shnum;
126 static unsigned int phnum;
127 
128 
129 int
main(int argc,char * argv[])130 main (int argc, char *argv[])
131 {
132   /* Set locale.  */
133   setlocale (LC_ALL, "");
134 
135   /* Initialize the message catalog.  */
136   textdomain (PACKAGE_TARNAME);
137 
138   /* Parse and process arguments.  */
139   int remaining;
140   argp_parse (&argp, argc, argv, 0, &remaining, NULL);
141 
142   /* Before we start tell the ELF library which version we are using.  */
143   elf_version (EV_CURRENT);
144 
145   /* Now process all the files given at the command line.  */
146   bool only_one = remaining + 1 == argc;
147   do
148     {
149       /* Open the file.  */
150       int fd = open (argv[remaining], O_RDONLY);
151       if (fd == -1)
152 	{
153 	  error (0, errno, _("cannot open input file '%s'"), argv[remaining]);
154 	  continue;
155 	}
156 
157       /* Create an `Elf' descriptor.  */
158       Elf *elf = elf_begin (fd, ELF_C_READ_MMAP, NULL);
159       if (elf == NULL)
160 	ERROR (_("cannot generate Elf descriptor for '%s': %s\n"),
161 	       argv[remaining], elf_errmsg (-1));
162       else
163 	{
164 	  unsigned int prev_error_count = error_count;
165 	  struct stat st;
166 
167 	  if (fstat (fd, &st) != 0)
168 	    {
169 	      printf ("cannot stat '%s': %m\n", argv[remaining]);
170 	      close (fd);
171 	      continue;
172 	    }
173 
174 	  process_file (fd, elf, NULL, NULL, argv[remaining], st.st_size,
175 			only_one);
176 
177 	  /* Now we can close the descriptor.  */
178 	  if (elf_end (elf) != 0)
179 	    ERROR (_("error while closing Elf descriptor: %s\n"),
180 		   elf_errmsg (-1));
181 
182 	  if (prev_error_count == error_count && !be_quiet)
183 	    puts (_("No errors"));
184 	}
185 
186       close (fd);
187     }
188   while (++remaining < argc);
189 
190   return error_count != 0;
191 }
192 
193 
194 /* Handle program arguments.  */
195 static error_t
parse_opt(int key,char * arg,struct argp_state * state)196 parse_opt (int key, char *arg __attribute__ ((unused)),
197 	   struct argp_state *state __attribute__ ((unused)))
198 {
199   switch (key)
200     {
201     case ARGP_strict:
202       be_strict = true;
203       break;
204 
205     case 'q':
206       be_quiet = true;
207       break;
208 
209     case 'd':
210       is_debuginfo = true;
211       break;
212 
213     case ARGP_gnuld:
214       gnuld = true;
215       break;
216 
217     case ARGP_KEY_NO_ARGS:
218       fputs (_("Missing file name.\n"), stderr);
219       argp_help (&argp, stderr, ARGP_HELP_SEE, program_invocation_short_name);
220       exit (EXIT_FAILURE);
221 
222     default:
223       return ARGP_ERR_UNKNOWN;
224     }
225   return 0;
226 }
227 
228 
229 /* Process one file.  */
230 static void
process_file(int fd,Elf * elf,const char * prefix,const char * suffix,const char * fname,size_t size,bool only_one)231 process_file (int fd, Elf *elf, const char *prefix, const char *suffix,
232 	      const char *fname, size_t size, bool only_one)
233 {
234   /* We can handle two types of files: ELF files and archives.  */
235   Elf_Kind kind = elf_kind (elf);
236 
237   switch (kind)
238     {
239     case ELF_K_ELF:
240       /* Yes!  It's an ELF file.  */
241       process_elf_file (elf, prefix, suffix, fname, size, only_one);
242       break;
243 
244     case ELF_K_AR:
245       {
246 	Elf *subelf;
247 	Elf_Cmd cmd = ELF_C_READ_MMAP;
248 	size_t prefix_len = prefix == NULL ? 0 : strlen (prefix);
249 	size_t fname_len = strlen (fname) + 1;
250 	char new_prefix[prefix_len + 1 + fname_len];
251 	char new_suffix[(suffix == NULL ? 0 : strlen (suffix)) + 2];
252 	char *cp = new_prefix;
253 
254 	/* Create the full name of the file.  */
255 	if (prefix != NULL)
256 	  {
257 	    cp = mempcpy (cp, prefix, prefix_len);
258 	    *cp++ = '(';
259 	    strcpy (stpcpy (new_suffix, suffix), ")");
260 	  }
261 	else
262 	  new_suffix[0] = '\0';
263 	memcpy (cp, fname, fname_len);
264 
265 	/* It's an archive.  We process each file in it.  */
266 	while ((subelf = elf_begin (fd, cmd, elf)) != NULL)
267 	  {
268 	    kind = elf_kind (subelf);
269 
270 	    /* Call this function recursively.  */
271 	    if (kind == ELF_K_ELF || kind == ELF_K_AR)
272 	      {
273 		Elf_Arhdr *arhdr = elf_getarhdr (subelf);
274 		assert (arhdr != NULL);
275 
276 		process_file (fd, subelf, new_prefix, new_suffix,
277 			      arhdr->ar_name, arhdr->ar_size, false);
278 	      }
279 
280 	    /* Get next archive element.  */
281 	    cmd = elf_next (subelf);
282 	    if (elf_end (subelf) != 0)
283 	      ERROR (_(" error while freeing sub-ELF descriptor: %s\n"),
284 		     elf_errmsg (-1));
285 	  }
286       }
287       break;
288 
289     default:
290       /* We cannot do anything.  */
291       ERROR (_("\
292 Not an ELF file - it has the wrong magic bytes at the start\n"));
293       break;
294     }
295 }
296 
297 
298 static const char *
section_name(Ebl * ebl,int idx)299 section_name (Ebl *ebl, int idx)
300 {
301   GElf_Shdr shdr_mem;
302   GElf_Shdr *shdr;
303   const char *ret;
304 
305   if ((unsigned int) idx > shnum)
306     return "<invalid>";
307 
308   shdr = gelf_getshdr (elf_getscn (ebl->elf, idx), &shdr_mem);
309   if (shdr == NULL)
310     return "<invalid>";
311 
312   ret = elf_strptr (ebl->elf, shstrndx, shdr->sh_name);
313   if (ret == NULL)
314     return "<invalid>";
315   return ret;
316 }
317 
318 
319 static const int valid_e_machine[] =
320   {
321     EM_M32, EM_SPARC, EM_386, EM_68K, EM_88K, EM_860, EM_MIPS, EM_S370,
322     EM_MIPS_RS3_LE, EM_PARISC, EM_VPP500, EM_SPARC32PLUS, EM_960, EM_PPC,
323     EM_PPC64, EM_S390, EM_V800, EM_FR20, EM_RH32, EM_RCE, EM_ARM,
324     EM_FAKE_ALPHA, EM_SH, EM_SPARCV9, EM_TRICORE, EM_ARC, EM_H8_300,
325     EM_H8_300H, EM_H8S, EM_H8_500, EM_IA_64, EM_MIPS_X, EM_COLDFIRE,
326     EM_68HC12, EM_MMA, EM_PCP, EM_NCPU, EM_NDR1, EM_STARCORE, EM_ME16,
327     EM_ST100, EM_TINYJ, EM_X86_64, EM_PDSP, EM_FX66, EM_ST9PLUS, EM_ST7,
328     EM_68HC16, EM_68HC11, EM_68HC08, EM_68HC05, EM_SVX, EM_ST19, EM_VAX,
329     EM_CRIS, EM_JAVELIN, EM_FIREPATH, EM_ZSP, EM_MMIX, EM_HUANY, EM_PRISM,
330     EM_AVR, EM_FR30, EM_D10V, EM_D30V, EM_V850, EM_M32R, EM_MN10300,
331     EM_MN10200, EM_PJ, EM_OPENRISC, EM_ARC_A5, EM_XTENSA, EM_ALPHA,
332     EM_TILEGX, EM_TILEPRO, EM_AARCH64, EM_BPF, EM_RISCV, EM_CSKY
333   };
334 #define nvalid_e_machine \
335   (sizeof (valid_e_machine) / sizeof (valid_e_machine[0]))
336 
337 
338 static void
check_elf_header(Ebl * ebl,GElf_Ehdr * ehdr,size_t size)339 check_elf_header (Ebl *ebl, GElf_Ehdr *ehdr, size_t size)
340 {
341   char buf[512];
342   size_t cnt;
343 
344   /* Check e_ident field.  */
345   if (ehdr->e_ident[EI_MAG0] != ELFMAG0)
346     ERROR ("e_ident[%d] != '%c'\n", EI_MAG0, ELFMAG0);
347   if (ehdr->e_ident[EI_MAG1] != ELFMAG1)
348     ERROR ("e_ident[%d] != '%c'\n", EI_MAG1, ELFMAG1);
349   if (ehdr->e_ident[EI_MAG2] != ELFMAG2)
350     ERROR ("e_ident[%d] != '%c'\n", EI_MAG2, ELFMAG2);
351   if (ehdr->e_ident[EI_MAG3] != ELFMAG3)
352     ERROR ("e_ident[%d] != '%c'\n", EI_MAG3, ELFMAG3);
353 
354   if (ehdr->e_ident[EI_CLASS] != ELFCLASS32
355       && ehdr->e_ident[EI_CLASS] != ELFCLASS64)
356     ERROR (_("e_ident[%d] == %d is no known class\n"),
357 	   EI_CLASS, ehdr->e_ident[EI_CLASS]);
358 
359   if (ehdr->e_ident[EI_DATA] != ELFDATA2LSB
360       && ehdr->e_ident[EI_DATA] != ELFDATA2MSB)
361     ERROR (_("e_ident[%d] == %d is no known data encoding\n"),
362 	   EI_DATA, ehdr->e_ident[EI_DATA]);
363 
364   if (ehdr->e_ident[EI_VERSION] != EV_CURRENT)
365     ERROR (_("unknown ELF header version number e_ident[%d] == %d\n"),
366 	   EI_VERSION, ehdr->e_ident[EI_VERSION]);
367 
368   /* We currently don't handle any OS ABIs other than Linux and the
369      kFreeBSD variant of Debian.  */
370   if (ehdr->e_ident[EI_OSABI] != ELFOSABI_NONE
371       && ehdr->e_ident[EI_OSABI] != ELFOSABI_LINUX
372       && ehdr->e_ident[EI_OSABI] != ELFOSABI_FREEBSD)
373     ERROR (_("unsupported OS ABI e_ident[%d] == '%s'\n"),
374 	   EI_OSABI,
375 	   ebl_osabi_name (ebl, ehdr->e_ident[EI_OSABI], buf, sizeof (buf)));
376 
377   /* No ABI versions other than zero are supported either.  */
378   if (ehdr->e_ident[EI_ABIVERSION] != 0)
379     ERROR (_("unsupported ABI version e_ident[%d] == %d\n"),
380 	   EI_ABIVERSION, ehdr->e_ident[EI_ABIVERSION]);
381 
382   for (cnt = EI_PAD; cnt < EI_NIDENT; ++cnt)
383     if (ehdr->e_ident[cnt] != 0)
384       ERROR (_("e_ident[%zu] is not zero\n"), cnt);
385 
386   /* Check the e_type field.  */
387   if (ehdr->e_type != ET_REL && ehdr->e_type != ET_EXEC
388       && ehdr->e_type != ET_DYN && ehdr->e_type != ET_CORE)
389     ERROR (_("unknown object file type %d\n"), ehdr->e_type);
390 
391   /* Check the e_machine field.  */
392   for (cnt = 0; cnt < nvalid_e_machine; ++cnt)
393     if (valid_e_machine[cnt] == ehdr->e_machine)
394       break;
395   if (cnt == nvalid_e_machine)
396     ERROR (_("unknown machine type %d\n"), ehdr->e_machine);
397 
398   /* Check the e_version field.  */
399   if (ehdr->e_version != EV_CURRENT)
400     ERROR (_("unknown object file version\n"));
401 
402   /* Check the e_phoff and e_phnum fields.  */
403   if (ehdr->e_phoff == 0)
404     {
405       if (ehdr->e_phnum != 0)
406 	ERROR (_("invalid program header offset\n"));
407       else if (ehdr->e_type == ET_EXEC || ehdr->e_type == ET_DYN)
408 	ERROR (_("\
409 executables and DSOs cannot have zero program header offset\n"));
410     }
411   else if (ehdr->e_phnum == 0)
412     ERROR (_("invalid number of program header entries\n"));
413 
414   /* Check the e_shoff field.  */
415   shnum = ehdr->e_shnum;
416   shstrndx = ehdr->e_shstrndx;
417   if (ehdr->e_shoff == 0)
418     {
419       if (ehdr->e_shnum != 0)
420 	ERROR (_("invalid section header table offset\n"));
421       else if (ehdr->e_type != ET_EXEC && ehdr->e_type != ET_DYN
422 	       && ehdr->e_type != ET_CORE)
423 	ERROR (_("section header table must be present\n"));
424     }
425   else
426     {
427       if (ehdr->e_shnum == 0)
428 	{
429 	  /* Get the header of the zeroth section.  The sh_size field
430 	     might contain the section number.  */
431 	  GElf_Shdr shdr_mem;
432 	  GElf_Shdr *shdr = gelf_getshdr (elf_getscn (ebl->elf, 0), &shdr_mem);
433 	  if (shdr != NULL)
434 	    {
435 	      /* The error will be reported later.  */
436 	      if (shdr->sh_size == 0)
437 		ERROR (_("\
438 invalid number of section header table entries\n"));
439 	      else
440 		shnum = shdr->sh_size;
441 	    }
442 	}
443 
444       if (ehdr->e_shstrndx == SHN_XINDEX)
445 	{
446 	  /* Get the header of the zeroth section.  The sh_size field
447 	     might contain the section number.  */
448 	  GElf_Shdr shdr_mem;
449 	  GElf_Shdr *shdr = gelf_getshdr (elf_getscn (ebl->elf, 0), &shdr_mem);
450 	  if (shdr != NULL && shdr->sh_link < shnum)
451 	    shstrndx = shdr->sh_link;
452 	}
453       else if (shstrndx >= shnum)
454 	ERROR (_("invalid section header index\n"));
455     }
456 
457   /* Check the shdrs actually exist.  And uncompress them before
458      further checking.  Indexes between sections reference the
459      uncompressed data.  */
460   unsigned int scnt;
461   Elf_Scn *scn = NULL;
462   for (scnt = 1; scnt < shnum; ++scnt)
463      {
464 	scn = elf_nextscn (ebl->elf, scn);
465 	if (scn == NULL)
466 	  break;
467 	/* If the section wasn't compressed this does nothing, but
468 	   returns an error.  We don't care.  */
469 	if (elf_compress (scn, 0, 0) < 0) { ; }
470      }
471   if (scnt < shnum)
472     ERROR (_("Can only check %u headers, shnum was %u\n"), scnt, shnum);
473   shnum = scnt;
474 
475   phnum = ehdr->e_phnum;
476   if (ehdr->e_phnum == PN_XNUM)
477     {
478       /* Get the header of the zeroth section.  The sh_info field
479 	 might contain the phnum count.  */
480       GElf_Shdr shdr_mem;
481       GElf_Shdr *shdr = gelf_getshdr (elf_getscn (ebl->elf, 0), &shdr_mem);
482       if (shdr != NULL)
483 	{
484 	  /* The error will be reported later.  */
485 	  if (shdr->sh_info < PN_XNUM)
486 	    ERROR (_("\
487 invalid number of program header table entries\n"));
488 	  else
489 	    phnum = shdr->sh_info;
490 	}
491     }
492 
493   /* Check the phdrs actually exist. */
494   unsigned int pcnt;
495   for (pcnt = 0; pcnt < phnum; ++pcnt)
496      {
497 	GElf_Phdr phdr_mem;
498 	GElf_Phdr *phdr = gelf_getphdr (ebl->elf, pcnt, &phdr_mem);
499 	if (phdr == NULL)
500 	  break;
501      }
502   if (pcnt < phnum)
503     ERROR (_("Can only check %u headers, phnum was %u\n"), pcnt, phnum);
504   phnum = pcnt;
505 
506   /* Check the e_flags field.  */
507   if (!ebl_machine_flag_check (ebl, ehdr->e_flags))
508     ERROR (_("invalid machine flags: %s\n"),
509 	   ebl_machine_flag_name (ebl, ehdr->e_flags, buf, sizeof (buf)));
510 
511   /* Check e_ehsize, e_phentsize, and e_shentsize fields.  */
512   if (gelf_getclass (ebl->elf) == ELFCLASS32)
513     {
514       if (ehdr->e_ehsize != 0 && ehdr->e_ehsize != sizeof (Elf32_Ehdr))
515 	ERROR (_("invalid ELF header size: %hd\n"), ehdr->e_ehsize);
516 
517       if (ehdr->e_phentsize != 0 && ehdr->e_phentsize != sizeof (Elf32_Phdr))
518 	ERROR (_("invalid program header size: %hd\n"),
519 	       ehdr->e_phentsize);
520       else if (ehdr->e_phoff + phnum * ehdr->e_phentsize > size)
521 	ERROR (_("invalid program header position or size\n"));
522 
523       if (ehdr->e_shentsize != 0 && ehdr->e_shentsize != sizeof (Elf32_Shdr))
524 	ERROR (_("invalid section header size: %hd\n"),
525 	       ehdr->e_shentsize);
526       else if (ehdr->e_shoff + shnum * ehdr->e_shentsize > size)
527 	ERROR (_("invalid section header position or size\n"));
528     }
529   else if (gelf_getclass (ebl->elf) == ELFCLASS64)
530     {
531       if (ehdr->e_ehsize != 0 && ehdr->e_ehsize != sizeof (Elf64_Ehdr))
532 	ERROR (_("invalid ELF header size: %hd\n"), ehdr->e_ehsize);
533 
534       if (ehdr->e_phentsize != 0 && ehdr->e_phentsize != sizeof (Elf64_Phdr))
535 	ERROR (_("invalid program header size: %hd\n"),
536 	       ehdr->e_phentsize);
537       else if (ehdr->e_phoff + phnum * ehdr->e_phentsize > size)
538 	ERROR (_("invalid program header position or size\n"));
539 
540       if (ehdr->e_shentsize != 0 && ehdr->e_shentsize != sizeof (Elf64_Shdr))
541 	ERROR (_("invalid section header size: %hd\n"),
542 	       ehdr->e_shentsize);
543       else if (ehdr->e_shoff + shnum * ehdr->e_shentsize > size)
544 	ERROR (_("invalid section header position or size\n"));
545     }
546 }
547 
548 
549 /* Check that there is a section group section with index < IDX which
550    contains section IDX and that there is exactly one.  */
551 static void
check_scn_group(Ebl * ebl,int idx)552 check_scn_group (Ebl *ebl, int idx)
553 {
554   if (scnref[idx] == 0)
555     {
556       /* No reference so far.  Search following sections, maybe the
557 	 order is wrong.  */
558       size_t cnt;
559 
560       for (cnt = idx + 1; cnt < shnum; ++cnt)
561 	{
562 	  Elf_Scn *scn = elf_getscn (ebl->elf, cnt);
563 	  GElf_Shdr shdr_mem;
564 	  GElf_Shdr *shdr = gelf_getshdr (scn, &shdr_mem);
565 	  if (shdr == NULL)
566 	    /* We cannot get the section header so we cannot check it.
567 	       The error to get the section header will be shown
568 	       somewhere else.  */
569 	    continue;
570 
571 	  if (shdr->sh_type != SHT_GROUP)
572 	    continue;
573 
574 	  Elf_Data *data = elf_getdata (scn, NULL);
575 	  if (data == NULL || data->d_buf == NULL
576 	      || data->d_size < sizeof (Elf32_Word))
577 	    /* Cannot check the section.  */
578 	    continue;
579 
580 	  Elf32_Word *grpdata = (Elf32_Word *) data->d_buf;
581 	  for (size_t inner = 1; inner < data->d_size / sizeof (Elf32_Word);
582 	       ++inner)
583 	    if (grpdata[inner] == (Elf32_Word) idx)
584 	      goto out;
585 	}
586 
587     out:
588       if (cnt == shnum)
589 	ERROR (_("\
590 section [%2d] '%s': section with SHF_GROUP flag set not part of a section group\n"),
591 	       idx, section_name (ebl, idx));
592       else
593 	ERROR (_("\
594 section [%2d] '%s': section group [%2zu] '%s' does not precede group member\n"),
595 	       idx, section_name (ebl, idx),
596 	       cnt, section_name (ebl, cnt));
597     }
598 }
599 
600 
601 static void
check_symtab(Ebl * ebl,GElf_Ehdr * ehdr,GElf_Shdr * shdr,int idx)602 check_symtab (Ebl *ebl, GElf_Ehdr *ehdr, GElf_Shdr *shdr, int idx)
603 {
604   bool no_xndx_warned = false;
605   int no_pt_tls = 0;
606   Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
607   if (data == NULL)
608     {
609       ERROR (_("section [%2d] '%s': cannot get section data\n"),
610 	     idx, section_name (ebl, idx));
611       return;
612     }
613 
614   GElf_Shdr strshdr_mem;
615   GElf_Shdr *strshdr = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
616 				     &strshdr_mem);
617   if (strshdr == NULL)
618     return;
619 
620   if (strshdr->sh_type != SHT_STRTAB)
621     {
622       ERROR (_("section [%2d] '%s': referenced as string table for section [%2d] '%s' but type is not SHT_STRTAB\n"),
623 	     shdr->sh_link, section_name (ebl, shdr->sh_link),
624 	     idx, section_name (ebl, idx));
625       strshdr = NULL;
626     }
627 
628   /* Search for an extended section index table section.  */
629   Elf_Data *xndxdata = NULL;
630   Elf32_Word xndxscnidx = 0;
631   bool found_xndx = false;
632   for (size_t cnt = 1; cnt < shnum; ++cnt)
633     if (cnt != (size_t) idx)
634       {
635 	Elf_Scn *xndxscn = elf_getscn (ebl->elf, cnt);
636 	GElf_Shdr xndxshdr_mem;
637 	GElf_Shdr *xndxshdr = gelf_getshdr (xndxscn, &xndxshdr_mem);
638 	if (xndxshdr == NULL)
639 	  continue;
640 
641 	if (xndxshdr->sh_type == SHT_SYMTAB_SHNDX
642 	    && xndxshdr->sh_link == (GElf_Word) idx)
643 	  {
644 	    if (found_xndx)
645 	      ERROR (_("\
646 section [%2d] '%s': symbol table cannot have more than one extended index section\n"),
647 		     idx, section_name (ebl, idx));
648 
649 	    xndxdata = elf_getdata (xndxscn, NULL);
650 	    xndxscnidx = elf_ndxscn (xndxscn);
651 	    found_xndx = true;
652 	  }
653       }
654 
655   size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_SYM, 1, EV_CURRENT);
656   if (shdr->sh_entsize != sh_entsize)
657     ERROR (_("\
658 section [%2u] '%s': entry size is does not match ElfXX_Sym\n"),
659 	   idx, section_name (ebl, idx));
660   else if (shdr->sh_info > shdr->sh_size / sh_entsize)
661     ERROR (_("\
662 section [%2u] '%s': number of local entries in 'st_info' larger than table size\n"),
663 	   idx, section_name (ebl, idx));
664 
665   /* Test the zeroth entry.  */
666   GElf_Sym sym_mem;
667   Elf32_Word xndx;
668   GElf_Sym *sym = gelf_getsymshndx (data, xndxdata, 0, &sym_mem, &xndx);
669   if (sym == NULL)
670       ERROR (_("section [%2d] '%s': cannot get symbol %d: %s\n"),
671 	     idx, section_name (ebl, idx), 0, elf_errmsg (-1));
672   else
673     {
674       if (sym->st_name != 0)
675 	ERROR (_("section [%2d] '%s': '%s' in zeroth entry not zero\n"),
676 	       idx, section_name (ebl, idx), "st_name");
677       if (sym->st_value != 0)
678 	ERROR (_("section [%2d] '%s': '%s' in zeroth entry not zero\n"),
679 	       idx, section_name (ebl, idx), "st_value");
680       if (sym->st_size != 0)
681 	ERROR (_("section [%2d] '%s': '%s' in zeroth entry not zero\n"),
682 	       idx, section_name (ebl, idx), "st_size");
683       if (sym->st_info != 0)
684 	ERROR (_("section [%2d] '%s': '%s' in zeroth entry not zero\n"),
685 	       idx, section_name (ebl, idx), "st_info");
686       if (sym->st_other != 0)
687 	ERROR (_("section [%2d] '%s': '%s' in zeroth entry not zero\n"),
688 	       idx, section_name (ebl, idx), "st_other");
689       if (sym->st_shndx != 0)
690 	ERROR (_("section [%2d] '%s': '%s' in zeroth entry not zero\n"),
691 	       idx, section_name (ebl, idx), "st_shndx");
692       if (xndxdata != NULL && xndx != 0)
693 	ERROR (_("\
694 section [%2d] '%s': XINDEX for zeroth entry not zero\n"),
695 	       xndxscnidx, section_name (ebl, xndxscnidx));
696     }
697 
698   for (size_t cnt = 1; cnt < shdr->sh_size / sh_entsize; ++cnt)
699     {
700       sym = gelf_getsymshndx (data, xndxdata, cnt, &sym_mem, &xndx);
701       if (sym == NULL)
702 	{
703 	  ERROR (_("section [%2d] '%s': cannot get symbol %zu: %s\n"),
704 		 idx, section_name (ebl, idx), cnt, elf_errmsg (-1));
705 	  continue;
706 	}
707 
708       const char *name = "<invalid>";
709       if (strshdr == NULL)
710 	name = "";
711       else if (sym->st_name >= strshdr->sh_size)
712 	ERROR (_("\
713 section [%2d] '%s': symbol %zu: invalid name value\n"),
714 	       idx, section_name (ebl, idx), cnt);
715       else
716 	{
717 	  name = elf_strptr (ebl->elf, shdr->sh_link, sym->st_name);
718 	  if (name == NULL)
719 	    name = "";
720 	}
721 
722       if (sym->st_shndx == SHN_XINDEX)
723 	{
724 	  if (xndxdata == NULL)
725 	    {
726 	      if (!no_xndx_warned)
727 		ERROR (_("\
728 section [%2d] '%s': symbol %zu (%s): too large section index but no extended section index section\n"),
729 		       idx, section_name (ebl, idx), cnt, name);
730 	      no_xndx_warned = true;
731 	    }
732 	  else if (xndx < SHN_LORESERVE)
733 	    ERROR (_("\
734 section [%2d] '%s': symbol %zu (%s): XINDEX used for index which would fit in st_shndx (%" PRIu32 ")\n"),
735 		   xndxscnidx, section_name (ebl, xndxscnidx), cnt, name,
736 		   xndx);
737 	}
738       else if ((sym->st_shndx >= SHN_LORESERVE
739 		// && sym->st_shndx <= SHN_HIRESERVE    always true
740 		&& sym->st_shndx != SHN_ABS
741 		&& sym->st_shndx != SHN_COMMON)
742 	       || (sym->st_shndx >= shnum
743 		   && (sym->st_shndx < SHN_LORESERVE
744 		       /* || sym->st_shndx > SHN_HIRESERVE  always false */)))
745 	ERROR (_("\
746 section [%2d] '%s': symbol %zu (%s): invalid section index\n"),
747 	       idx, section_name (ebl, idx), cnt, name);
748       else
749 	xndx = sym->st_shndx;
750 
751       if (GELF_ST_TYPE (sym->st_info) >= STT_NUM
752 	  && !ebl_symbol_type_name (ebl, GELF_ST_TYPE (sym->st_info), NULL, 0))
753 	ERROR (_("section [%2d] '%s': symbol %zu (%s): unknown type\n"),
754 	       idx, section_name (ebl, idx), cnt, name);
755 
756       if (GELF_ST_BIND (sym->st_info) >= STB_NUM
757 	  && !ebl_symbol_binding_name (ebl, GELF_ST_BIND (sym->st_info), NULL,
758 				       0))
759 	ERROR (_("\
760 section [%2d] '%s': symbol %zu (%s): unknown symbol binding\n"),
761 	       idx, section_name (ebl, idx), cnt, name);
762       if (GELF_ST_BIND (sym->st_info) == STB_GNU_UNIQUE
763 	  && GELF_ST_TYPE (sym->st_info) != STT_OBJECT)
764 	ERROR (_("\
765 section [%2d] '%s': symbol %zu (%s): unique symbol not of object type\n"),
766 	       idx, section_name (ebl, idx), cnt, name);
767 
768       if (xndx == SHN_COMMON)
769 	{
770 	  /* Common symbols can only appear in relocatable files.  */
771 	  if (ehdr->e_type != ET_REL)
772 	    ERROR (_("\
773 section [%2d] '%s': symbol %zu (%s): COMMON only allowed in relocatable files\n"),
774 		   idx, section_name (ebl, idx), cnt, name);
775 	  if (cnt < shdr->sh_info)
776 	    ERROR (_("\
777 section [%2d] '%s': symbol %zu (%s): local COMMON symbols are nonsense\n"),
778 		   idx, section_name (ebl, idx), cnt, name);
779 	  if (GELF_R_TYPE (sym->st_info) == STT_FUNC)
780 	    ERROR (_("\
781 section [%2d] '%s': symbol %zu (%s): function in COMMON section is nonsense\n"),
782 		   idx, section_name (ebl, idx), cnt, name);
783 	}
784       else if (xndx > 0 && xndx < shnum)
785 	{
786 	  GElf_Shdr destshdr_mem;
787 	  GElf_Shdr *destshdr;
788 
789 	  destshdr = gelf_getshdr (elf_getscn (ebl->elf, xndx), &destshdr_mem);
790 	  if (destshdr != NULL)
791 	    {
792 	      GElf_Addr sh_addr = (ehdr->e_type == ET_REL ? 0
793 				   : destshdr->sh_addr);
794 	      GElf_Addr st_value;
795 	      if (GELF_ST_TYPE (sym->st_info) == STT_FUNC
796 		  || (GELF_ST_TYPE (sym->st_info) == STT_GNU_IFUNC))
797 		st_value = sym->st_value & ebl_func_addr_mask (ebl);
798 	      else
799 		st_value = sym->st_value;
800 	      if (GELF_ST_TYPE (sym->st_info) != STT_TLS)
801 		{
802 		  if (! ebl_check_special_symbol (ebl, sym, name,
803 						  destshdr))
804 		    {
805 		      if (st_value - sh_addr > destshdr->sh_size)
806 			{
807 			  /* GNU ld has severe bugs.  When it decides to remove
808 			     empty sections it leaves symbols referencing them
809 			     behind.  These are symbols in .symtab or .dynsym
810 			     and for the named symbols have zero size.  See
811 			     sourceware PR13621.  */
812 			  if (!gnuld
813 			      || (strcmp (section_name (ebl, idx), ".symtab")
814 			          && strcmp (section_name (ebl, idx),
815 					     ".dynsym"))
816 			      || sym->st_size != 0
817 			      || (strcmp (name, "__preinit_array_start") != 0
818 				  && strcmp (name, "__preinit_array_end") != 0
819 				  && strcmp (name, "__init_array_start") != 0
820 				  && strcmp (name, "__init_array_end") != 0
821 				  && strcmp (name, "__fini_array_start") != 0
822 				  && strcmp (name, "__fini_array_end") != 0
823 				  && strcmp (name, "__bss_start") != 0
824 				  && strcmp (name, "__bss_start__") != 0
825 				  && strcmp (name, "__TMC_END__") != 0
826 				  && strcmp (name, ".TOC.") != 0
827 				  && strcmp (name, "_edata") != 0
828 				  && strcmp (name, "__edata") != 0
829 				  && strcmp (name, "_end") != 0
830 				  && strcmp (name, "__end") != 0))
831 			    ERROR (_("\
832 section [%2d] '%s': symbol %zu (%s): st_value out of bounds\n"),
833 				   idx, section_name (ebl, idx), cnt, name);
834 			}
835 		      else if ((st_value - sh_addr
836 				+ sym->st_size) > destshdr->sh_size)
837 			ERROR (_("\
838 section [%2d] '%s': symbol %zu (%s) does not fit completely in referenced section [%2d] '%s'\n"),
839 			       idx, section_name (ebl, idx), cnt, name,
840 			       (int) xndx, section_name (ebl, xndx));
841 		    }
842 		}
843 	      else
844 		{
845 		  if ((destshdr->sh_flags & SHF_TLS) == 0)
846 		    ERROR (_("\
847 section [%2d] '%s': symbol %zu (%s): referenced section [%2d] '%s' does not have SHF_TLS flag set\n"),
848 			   idx, section_name (ebl, idx), cnt, name,
849 			   (int) xndx, section_name (ebl, xndx));
850 
851 		  if (ehdr->e_type == ET_REL)
852 		    {
853 		      /* For object files the symbol value must fall
854 			 into the section.  */
855 		      if (st_value > destshdr->sh_size)
856 			ERROR (_("\
857 section [%2d] '%s': symbol %zu (%s): st_value out of bounds of referenced section [%2d] '%s'\n"),
858 			       idx, section_name (ebl, idx), cnt, name,
859 			       (int) xndx, section_name (ebl, xndx));
860 		      else if (st_value + sym->st_size
861 			       > destshdr->sh_size)
862 			ERROR (_("\
863 section [%2d] '%s': symbol %zu (%s) does not fit completely in referenced section [%2d] '%s'\n"),
864 			       idx, section_name (ebl, idx), cnt, name,
865 			       (int) xndx, section_name (ebl, xndx));
866 		    }
867 		  else
868 		    {
869 		      GElf_Phdr phdr_mem;
870 		      GElf_Phdr *phdr = NULL;
871 		      unsigned int pcnt;
872 
873 		      for (pcnt = 0; pcnt < phnum; ++pcnt)
874 			{
875 			  phdr = gelf_getphdr (ebl->elf, pcnt, &phdr_mem);
876 			  if (phdr != NULL && phdr->p_type == PT_TLS)
877 			    break;
878 			}
879 
880 		      if (pcnt == phnum)
881 			{
882 			  if (no_pt_tls++ == 0)
883 			    ERROR (_("\
884 section [%2d] '%s': symbol %zu (%s): TLS symbol but no TLS program header entry\n"),
885 				   idx, section_name (ebl, idx), cnt, name);
886 			}
887 		      else if (phdr == NULL)
888 			{
889 			    ERROR (_("\
890 section [%2d] '%s': symbol %zu (%s): TLS symbol but couldn't get TLS program header entry\n"),
891 				   idx, section_name (ebl, idx), cnt, name);
892 			}
893 		      else if (!is_debuginfo)
894 			{
895 			  if (st_value
896 			      < destshdr->sh_offset - phdr->p_offset)
897 			    ERROR (_("\
898 section [%2d] '%s': symbol %zu (%s): st_value short of referenced section [%2d] '%s'\n"),
899 				   idx, section_name (ebl, idx), cnt, name,
900 				   (int) xndx, section_name (ebl, xndx));
901 			  else if (st_value
902 				   > (destshdr->sh_offset - phdr->p_offset
903 				      + destshdr->sh_size))
904 			    ERROR (_("\
905 section [%2d] '%s': symbol %zu (%s): st_value out of bounds of referenced section [%2d] '%s'\n"),
906 				   idx, section_name (ebl, idx), cnt, name,
907 				   (int) xndx, section_name (ebl, xndx));
908 			  else if (st_value + sym->st_size
909 				   > (destshdr->sh_offset - phdr->p_offset
910 				      + destshdr->sh_size))
911 			    ERROR (_("\
912 section [%2d] '%s': symbol %zu (%s) does not fit completely in referenced section [%2d] '%s'\n"),
913 				   idx, section_name (ebl, idx), cnt, name,
914 				   (int) xndx, section_name (ebl, xndx));
915 			}
916 		    }
917 		}
918 	    }
919 	}
920 
921       if (GELF_ST_BIND (sym->st_info) == STB_LOCAL)
922 	{
923 	  if (cnt >= shdr->sh_info)
924 	    ERROR (_("\
925 section [%2d] '%s': symbol %zu (%s): local symbol outside range described in sh_info\n"),
926 		   idx, section_name (ebl, idx), cnt, name);
927 	}
928       else
929 	{
930 	  if (cnt < shdr->sh_info)
931 	    ERROR (_("\
932 section [%2d] '%s': symbol %zu (%s): non-local symbol outside range described in sh_info\n"),
933 		   idx, section_name (ebl, idx), cnt, name);
934 	}
935 
936       if (GELF_ST_TYPE (sym->st_info) == STT_SECTION
937 	  && GELF_ST_BIND (sym->st_info) != STB_LOCAL)
938 	ERROR (_("\
939 section [%2d] '%s': symbol %zu (%s): non-local section symbol\n"),
940 	       idx, section_name (ebl, idx), cnt, name);
941 
942       if (name != NULL)
943 	{
944 	  if (strcmp (name, "_GLOBAL_OFFSET_TABLE_") == 0)
945 	    {
946 	      /* Check that address and size match the global offset table.  */
947 
948 	      GElf_Shdr destshdr_mem;
949 	      GElf_Shdr *destshdr = gelf_getshdr (elf_getscn (ebl->elf, xndx),
950 						  &destshdr_mem);
951 
952 	      if (destshdr == NULL && xndx == SHN_ABS)
953 		{
954 		  /* In a DSO, we have to find the GOT section by name.  */
955 		  Elf_Scn *gotscn = NULL;
956 		  Elf_Scn *gscn = NULL;
957 		  while ((gscn = elf_nextscn (ebl->elf, gscn)) != NULL)
958 		    {
959 		      destshdr = gelf_getshdr (gscn, &destshdr_mem);
960 		      assert (destshdr != NULL);
961 		      const char *sname = elf_strptr (ebl->elf,
962 						      shstrndx,
963 						      destshdr->sh_name);
964 		      if (sname != NULL)
965 			{
966 			  if (strcmp (sname, ".got.plt") == 0)
967 			    break;
968 			  if (strcmp (sname, ".got") == 0)
969 			    /* Do not stop looking.
970 			       There might be a .got.plt section.  */
971 			    gotscn = gscn;
972 			}
973 
974 		      destshdr = NULL;
975 		    }
976 
977 		  if (destshdr == NULL && gotscn != NULL)
978 		    destshdr = gelf_getshdr (gotscn, &destshdr_mem);
979 		}
980 
981 	      const char *sname = ((destshdr == NULL || xndx == SHN_UNDEF)
982 				   ? NULL
983 				   : elf_strptr (ebl->elf, shstrndx,
984 						 destshdr->sh_name));
985 	      if (sname == NULL)
986 		{
987 		  if (xndx != SHN_UNDEF || ehdr->e_type != ET_REL)
988 		    ERROR (_("\
989 section [%2d] '%s': _GLOBAL_OFFSET_TABLE_ symbol refers to \
990 bad section [%2d]\n"),
991 			   idx, section_name (ebl, idx), xndx);
992 		}
993 	      else if (strcmp (sname, ".got.plt") != 0
994 		       && strcmp (sname, ".got") != 0)
995 		ERROR (_("\
996 section [%2d] '%s': _GLOBAL_OFFSET_TABLE_ symbol refers to \
997 section [%2d] '%s'\n"),
998 		       idx, section_name (ebl, idx), xndx, sname);
999 
1000 	      if (destshdr != NULL)
1001 		{
1002 		  /* Found it.  */
1003 		  if (!ebl_check_special_symbol (ebl, sym, name,
1004 						 destshdr))
1005 		    {
1006 		      if (ehdr->e_type != ET_REL
1007 			  && sym->st_value != destshdr->sh_addr)
1008 			/* This test is more strict than the psABIs which
1009 			   usually allow the symbol to be in the middle of
1010 			   the .got section, allowing negative offsets.  */
1011 			ERROR (_("\
1012 section [%2d] '%s': _GLOBAL_OFFSET_TABLE_ symbol value %#" PRIx64 " does not match %s section address %#" PRIx64 "\n"),
1013 			       idx, section_name (ebl, idx),
1014 			       (uint64_t) sym->st_value,
1015 			       sname, (uint64_t) destshdr->sh_addr);
1016 
1017 		      if (!gnuld && sym->st_size != destshdr->sh_size)
1018 			ERROR (_("\
1019 section [%2d] '%s': _GLOBAL_OFFSET_TABLE_ symbol size %" PRIu64 " does not match %s section size %" PRIu64 "\n"),
1020 			       idx, section_name (ebl, idx),
1021 			       (uint64_t) sym->st_size,
1022 			       sname, (uint64_t) destshdr->sh_size);
1023 		    }
1024 		}
1025 	      else
1026 		ERROR (_("\
1027 section [%2d] '%s': _GLOBAL_OFFSET_TABLE_ symbol present, but no .got section\n"),
1028 		       idx, section_name (ebl, idx));
1029 	    }
1030 	  else if (strcmp (name, "_DYNAMIC") == 0)
1031 	    /* Check that address and size match the dynamic section.
1032 	       We locate the dynamic section via the program header
1033 	       entry.  */
1034 	    for (unsigned int pcnt = 0; pcnt < phnum; ++pcnt)
1035 	      {
1036 		GElf_Phdr phdr_mem;
1037 		GElf_Phdr *phdr = gelf_getphdr (ebl->elf, pcnt, &phdr_mem);
1038 
1039 		if (phdr != NULL && phdr->p_type == PT_DYNAMIC)
1040 		  {
1041 		    if (sym->st_value != phdr->p_vaddr)
1042 		      ERROR (_("\
1043 section [%2d] '%s': _DYNAMIC_ symbol value %#" PRIx64 " does not match dynamic segment address %#" PRIx64 "\n"),
1044 			     idx, section_name (ebl, idx),
1045 			     (uint64_t) sym->st_value,
1046 			     (uint64_t) phdr->p_vaddr);
1047 
1048 		    if (!gnuld && sym->st_size != phdr->p_memsz)
1049 		      ERROR (_("\
1050 section [%2d] '%s': _DYNAMIC symbol size %" PRIu64 " does not match dynamic segment size %" PRIu64 "\n"),
1051 			     idx, section_name (ebl, idx),
1052 			     (uint64_t) sym->st_size,
1053 			     (uint64_t) phdr->p_memsz);
1054 
1055 		    break;
1056 		  }
1057 	    }
1058 	}
1059 
1060       if (GELF_ST_VISIBILITY (sym->st_other) != STV_DEFAULT
1061 	  && shdr->sh_type == SHT_DYNSYM)
1062 	ERROR (_("\
1063 section [%2d] '%s': symbol %zu (%s): symbol in dynamic symbol table with non-default visibility\n"),
1064 	       idx, section_name (ebl, idx), cnt, name);
1065       if (! ebl_check_st_other_bits (ebl, sym->st_other))
1066 	ERROR (_("\
1067 section [%2d] '%s': symbol %zu (%s): unknown bit set in st_other\n"),
1068 	       idx, section_name (ebl, idx), cnt, name);
1069 
1070     }
1071 }
1072 
1073 
1074 static bool
is_rel_dyn(Ebl * ebl,const GElf_Ehdr * ehdr,int idx,const GElf_Shdr * shdr,bool is_rela)1075 is_rel_dyn (Ebl *ebl, const GElf_Ehdr *ehdr, int idx, const GElf_Shdr *shdr,
1076 	    bool is_rela)
1077 {
1078   /* If this is no executable or DSO it cannot be a .rel.dyn section.  */
1079   if (ehdr->e_type != ET_EXEC && ehdr->e_type != ET_DYN)
1080     return false;
1081 
1082   /* Check the section name.  Unfortunately necessary.  */
1083   if (strcmp (section_name (ebl, idx), is_rela ? ".rela.dyn" : ".rel.dyn"))
1084     return false;
1085 
1086   /* When a .rel.dyn section is used a DT_RELCOUNT dynamic section
1087      entry can be present as well.  */
1088   Elf_Scn *scn = NULL;
1089   while ((scn = elf_nextscn (ebl->elf, scn)) != NULL)
1090     {
1091       GElf_Shdr rcshdr_mem;
1092       const GElf_Shdr *rcshdr = gelf_getshdr (scn, &rcshdr_mem);
1093 
1094       if (rcshdr == NULL)
1095 	break;
1096 
1097       if (rcshdr->sh_type == SHT_DYNAMIC && rcshdr->sh_entsize != 0)
1098 	{
1099 	  /* Found the dynamic section.  Look through it.  */
1100 	  Elf_Data *d = elf_getdata (scn, NULL);
1101 	  size_t cnt;
1102 
1103 	  if (d == NULL)
1104 	    ERROR (_("\
1105 section [%2d] '%s': cannot get section data.\n"),
1106 		   idx, section_name (ebl, idx));
1107 
1108 	  for (cnt = 1; cnt < rcshdr->sh_size / rcshdr->sh_entsize; ++cnt)
1109 	    {
1110 	      GElf_Dyn dyn_mem;
1111 	      GElf_Dyn *dyn = gelf_getdyn (d, cnt, &dyn_mem);
1112 
1113 	      if (dyn == NULL)
1114 		break;
1115 
1116 	      if (dyn->d_tag == DT_RELCOUNT)
1117 		{
1118 		  /* Found it.  Does the type match.  */
1119 		  if (is_rela)
1120 		    ERROR (_("\
1121 section [%2d] '%s': DT_RELCOUNT used for this RELA section\n"),
1122 			   idx, section_name (ebl, idx));
1123 		  else
1124 		    {
1125 		      /* Does the number specified number of relative
1126 			 relocations exceed the total number of
1127 			 relocations?  */
1128 		      if (shdr->sh_entsize != 0
1129 			  && dyn->d_un.d_val > (shdr->sh_size
1130 						/ shdr->sh_entsize))
1131 			ERROR (_("\
1132 section [%2d] '%s': DT_RELCOUNT value %d too high for this section\n"),
1133 			       idx, section_name (ebl, idx),
1134 			       (int) dyn->d_un.d_val);
1135 
1136 		      /* Make sure the specified number of relocations are
1137 			 relative.  */
1138 		      Elf_Data *reldata = elf_getdata (elf_getscn (ebl->elf,
1139 								   idx), NULL);
1140 		      if (reldata != NULL && shdr->sh_entsize != 0)
1141 			for (size_t inner = 0;
1142 			     inner < shdr->sh_size / shdr->sh_entsize;
1143 			     ++inner)
1144 			  {
1145 			    GElf_Rel rel_mem;
1146 			    GElf_Rel *rel = gelf_getrel (reldata, inner,
1147 							 &rel_mem);
1148 			    if (rel == NULL)
1149 			      /* The problem will be reported elsewhere.  */
1150 			      break;
1151 
1152 			    if (ebl_relative_reloc_p (ebl,
1153 						      GELF_R_TYPE (rel->r_info)))
1154 			      {
1155 				if (inner >= dyn->d_un.d_val)
1156 				  ERROR (_("\
1157 section [%2d] '%s': relative relocations after index %d as specified by DT_RELCOUNT\n"),
1158 					 idx, section_name (ebl, idx),
1159 					 (int) dyn->d_un.d_val);
1160 			      }
1161 			    else if (inner < dyn->d_un.d_val)
1162 			      ERROR (_("\
1163 section [%2d] '%s': non-relative relocation at index %zu; DT_RELCOUNT specified %d relative relocations\n"),
1164 				     idx, section_name (ebl, idx),
1165 				     inner, (int) dyn->d_un.d_val);
1166 			  }
1167 		    }
1168 		}
1169 
1170 	      if (dyn->d_tag == DT_RELACOUNT)
1171 		{
1172 		  /* Found it.  Does the type match.  */
1173 		  if (!is_rela)
1174 		    ERROR (_("\
1175 section [%2d] '%s': DT_RELACOUNT used for this REL section\n"),
1176 			   idx, section_name (ebl, idx));
1177 		  else
1178 		    {
1179 		      /* Does the number specified number of relative
1180 			 relocations exceed the total number of
1181 			 relocations?  */
1182 		      if (shdr->sh_entsize != 0
1183 			  && dyn->d_un.d_val > shdr->sh_size / shdr->sh_entsize)
1184 			ERROR (_("\
1185 section [%2d] '%s': DT_RELCOUNT value %d too high for this section\n"),
1186 			       idx, section_name (ebl, idx),
1187 			       (int) dyn->d_un.d_val);
1188 
1189 		      /* Make sure the specified number of relocations are
1190 			 relative.  */
1191 		      Elf_Data *reldata = elf_getdata (elf_getscn (ebl->elf,
1192 								   idx), NULL);
1193 		      if (reldata != NULL && shdr->sh_entsize != 0)
1194 			for (size_t inner = 0;
1195 			     inner < shdr->sh_size / shdr->sh_entsize;
1196 			     ++inner)
1197 			  {
1198 			    GElf_Rela rela_mem;
1199 			    GElf_Rela *rela = gelf_getrela (reldata, inner,
1200 							    &rela_mem);
1201 			    if (rela == NULL)
1202 			      /* The problem will be reported elsewhere.  */
1203 			      break;
1204 
1205 			    if (ebl_relative_reloc_p (ebl,
1206 						      GELF_R_TYPE (rela->r_info)))
1207 			      {
1208 				if (inner >= dyn->d_un.d_val)
1209 				  ERROR (_("\
1210 section [%2d] '%s': relative relocations after index %d as specified by DT_RELCOUNT\n"),
1211 					 idx, section_name (ebl, idx),
1212 					 (int) dyn->d_un.d_val);
1213 			      }
1214 			    else if (inner < dyn->d_un.d_val)
1215 			      ERROR (_("\
1216 section [%2d] '%s': non-relative relocation at index %zu; DT_RELCOUNT specified %d relative relocations\n"),
1217 				     idx, section_name (ebl, idx),
1218 				     inner, (int) dyn->d_un.d_val);
1219 			  }
1220 		    }
1221 		}
1222 	    }
1223 
1224 	  break;
1225 	}
1226     }
1227 
1228   return true;
1229 }
1230 
1231 
1232 struct loaded_segment
1233 {
1234   GElf_Addr from;
1235   GElf_Addr to;
1236   bool read_only;
1237   struct loaded_segment *next;
1238 };
1239 
1240 
1241 /* Check whether binary has text relocation flag set.  */
1242 static bool textrel;
1243 
1244 /* Keep track of whether text relocation flag is needed.  */
1245 static bool needed_textrel;
1246 
1247 
1248 static bool
check_reloc_shdr(Ebl * ebl,const GElf_Ehdr * ehdr,const GElf_Shdr * shdr,int idx,int reltype,GElf_Shdr ** destshdrp,GElf_Shdr * destshdr_memp,struct loaded_segment ** loadedp)1249 check_reloc_shdr (Ebl *ebl, const GElf_Ehdr *ehdr, const GElf_Shdr *shdr,
1250 		  int idx, int reltype, GElf_Shdr **destshdrp,
1251 		  GElf_Shdr *destshdr_memp, struct loaded_segment **loadedp)
1252 {
1253   bool reldyn = false;
1254 
1255   /* Check whether the link to the section we relocate is reasonable.  */
1256   if (shdr->sh_info >= shnum)
1257     ERROR (_("section [%2d] '%s': invalid destination section index\n"),
1258 	   idx, section_name (ebl, idx));
1259   else if (shdr->sh_info != 0)
1260     {
1261       *destshdrp = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_info),
1262 				 destshdr_memp);
1263       if (*destshdrp != NULL)
1264 	{
1265 	  if(! ebl_check_reloc_target_type (ebl, (*destshdrp)->sh_type))
1266 	    {
1267 	      reldyn = is_rel_dyn (ebl, ehdr, idx, shdr, true);
1268 	      if (!reldyn)
1269 		ERROR (_("\
1270 section [%2d] '%s': invalid destination section type\n"),
1271 		       idx, section_name (ebl, idx));
1272 	      else
1273 		{
1274 		  /* There is no standard, but we require that .rel{,a}.dyn
1275 		     sections have a sh_info value of zero.  */
1276 		  if (shdr->sh_info != 0)
1277 		    ERROR (_("\
1278 section [%2d] '%s': sh_info should be zero\n"),
1279 			   idx, section_name (ebl, idx));
1280 		}
1281 	    }
1282 
1283 	  if ((((*destshdrp)->sh_flags & SHF_MERGE) != 0)
1284 	      && ((*destshdrp)->sh_flags & SHF_STRINGS) != 0)
1285 	    ERROR (_("\
1286 section [%2d] '%s': no relocations for merge-able string sections possible\n"),
1287 		   idx, section_name (ebl, idx));
1288 	}
1289     }
1290 
1291   size_t sh_entsize = gelf_fsize (ebl->elf, reltype, 1, EV_CURRENT);
1292   if (shdr->sh_entsize != sh_entsize)
1293     ERROR (_(reltype == ELF_T_RELA ? "\
1294 section [%2d] '%s': section entry size does not match ElfXX_Rela\n" : "\
1295 section [%2d] '%s': section entry size does not match ElfXX_Rel\n"),
1296 	   idx, section_name (ebl, idx));
1297 
1298   /* In preparation of checking whether relocations are text
1299      relocations or not we need to determine whether the file is
1300      flagged to have text relocation and we need to determine a) what
1301      the loaded segments are and b) which are read-only.  This will
1302      also allow us to determine whether the same reloc section is
1303      modifying loaded and not loaded segments.  */
1304   for (unsigned int i = 0; i < phnum; ++i)
1305     {
1306       GElf_Phdr phdr_mem;
1307       GElf_Phdr *phdr = gelf_getphdr (ebl->elf, i, &phdr_mem);
1308       if (phdr == NULL)
1309 	continue;
1310 
1311       if (phdr->p_type == PT_LOAD)
1312 	{
1313 	  struct loaded_segment *newp = xmalloc (sizeof (*newp));
1314 	  newp->from = phdr->p_vaddr;
1315 	  newp->to = phdr->p_vaddr + phdr->p_memsz;
1316 	  newp->read_only = (phdr->p_flags & PF_W) == 0;
1317 	  newp->next = *loadedp;
1318 	  *loadedp = newp;
1319 	}
1320       else if (phdr->p_type == PT_DYNAMIC)
1321 	{
1322 	  Elf_Scn *dynscn = gelf_offscn (ebl->elf, phdr->p_offset);
1323 	  GElf_Shdr dynshdr_mem;
1324 	  GElf_Shdr *dynshdr = gelf_getshdr (dynscn, &dynshdr_mem);
1325 	  Elf_Data *dyndata = elf_getdata (dynscn, NULL);
1326 	  if (dynshdr != NULL && dynshdr->sh_type == SHT_DYNAMIC
1327 	      && dyndata != NULL && dynshdr->sh_entsize != 0)
1328 	    for (size_t j = 0; j < dynshdr->sh_size / dynshdr->sh_entsize; ++j)
1329 	      {
1330 		GElf_Dyn dyn_mem;
1331 		GElf_Dyn *dyn = gelf_getdyn (dyndata, j, &dyn_mem);
1332 		if (dyn != NULL
1333 		    && (dyn->d_tag == DT_TEXTREL
1334 			|| (dyn->d_tag == DT_FLAGS
1335 			    && (dyn->d_un.d_val & DF_TEXTREL) != 0)))
1336 		  {
1337 		    textrel = true;
1338 		    break;
1339 		  }
1340 	      }
1341 	}
1342     }
1343 
1344   /* A quick test which can be easily done here (although it is a bit
1345      out of place): the text relocation flag makes only sense if there
1346      is a segment which is not writable.  */
1347   if (textrel)
1348     {
1349       struct loaded_segment *seg = *loadedp;
1350       while (seg != NULL && !seg->read_only)
1351 	seg = seg->next;
1352       if (seg == NULL)
1353 	ERROR (_("\
1354 text relocation flag set but there is no read-only segment\n"));
1355     }
1356 
1357   return reldyn;
1358 }
1359 
1360 
1361 enum load_state
1362   {
1363     state_undecided,
1364     state_loaded,
1365     state_unloaded,
1366     state_error
1367   };
1368 
1369 
1370 static void
check_one_reloc(Ebl * ebl,GElf_Ehdr * ehdr,GElf_Shdr * relshdr,int idx,size_t cnt,const GElf_Shdr * symshdr,Elf_Data * symdata,GElf_Addr r_offset,GElf_Xword r_info,const GElf_Shdr * destshdr,bool reldyn,struct loaded_segment * loaded,enum load_state * statep)1371 check_one_reloc (Ebl *ebl, GElf_Ehdr *ehdr, GElf_Shdr *relshdr, int idx,
1372 		 size_t cnt, const GElf_Shdr *symshdr, Elf_Data *symdata,
1373 		 GElf_Addr r_offset, GElf_Xword r_info,
1374 		 const GElf_Shdr *destshdr, bool reldyn,
1375 		 struct loaded_segment *loaded, enum load_state *statep)
1376 {
1377   bool known_broken = gnuld;
1378 
1379   if (!ebl_reloc_type_check (ebl, GELF_R_TYPE (r_info)))
1380     ERROR (_("section [%2d] '%s': relocation %zu: invalid type\n"),
1381 	   idx, section_name (ebl, idx), cnt);
1382   else if (((ehdr->e_type != ET_EXEC && ehdr->e_type != ET_DYN)
1383 	    /* The executable/DSO can contain relocation sections with
1384 	       all the relocations the linker has applied.  Those sections
1385 	       are marked non-loaded, though.  */
1386 	    || (relshdr->sh_flags & SHF_ALLOC) != 0)
1387 	   && !ebl_reloc_valid_use (ebl, GELF_R_TYPE (r_info)))
1388     ERROR (_("\
1389 section [%2d] '%s': relocation %zu: relocation type invalid for the file type\n"),
1390 	   idx, section_name (ebl, idx), cnt);
1391 
1392   if (symshdr != NULL
1393       && ((GELF_R_SYM (r_info) + 1)
1394 	  * gelf_fsize (ebl->elf, ELF_T_SYM, 1, EV_CURRENT)
1395 	  > symshdr->sh_size))
1396     ERROR (_("\
1397 section [%2d] '%s': relocation %zu: invalid symbol index\n"),
1398 	   idx, section_name (ebl, idx), cnt);
1399 
1400   /* No more tests if this is a no-op relocation.  */
1401   if (ebl_none_reloc_p (ebl, GELF_R_TYPE (r_info)))
1402     return;
1403 
1404   if (ebl_gotpc_reloc_check (ebl, GELF_R_TYPE (r_info)))
1405     {
1406       const char *name;
1407       char buf[64];
1408       GElf_Sym sym_mem;
1409       GElf_Sym *sym = gelf_getsym (symdata, GELF_R_SYM (r_info), &sym_mem);
1410       if (sym != NULL
1411 	  /* Get the name for the symbol.  */
1412 	  && (name = elf_strptr (ebl->elf, symshdr->sh_link, sym->st_name))
1413 	  && strcmp (name, "_GLOBAL_OFFSET_TABLE_") !=0 )
1414 	ERROR (_("\
1415 section [%2d] '%s': relocation %zu: only symbol '_GLOBAL_OFFSET_TABLE_' can be used with %s\n"),
1416 	       idx, section_name (ebl, idx), cnt,
1417 	       ebl_reloc_type_name (ebl, GELF_R_SYM (r_info),
1418 				    buf, sizeof (buf)));
1419     }
1420 
1421   if (reldyn)
1422     {
1423       // XXX TODO Check .rel.dyn section addresses.
1424     }
1425   else if (!known_broken)
1426     {
1427       if (destshdr != NULL
1428 	  && GELF_R_TYPE (r_info) != 0
1429 	  && (r_offset - (ehdr->e_type == ET_REL ? 0
1430 			  : destshdr->sh_addr)) >= destshdr->sh_size)
1431 	ERROR (_("\
1432 section [%2d] '%s': relocation %zu: offset out of bounds\n"),
1433 	       idx, section_name (ebl, idx), cnt);
1434     }
1435 
1436   GElf_Sym sym_mem;
1437   GElf_Sym *sym = gelf_getsym (symdata, GELF_R_SYM (r_info), &sym_mem);
1438 
1439   if (ebl_copy_reloc_p (ebl, GELF_R_TYPE (r_info))
1440       /* Make sure the referenced symbol is an object or unspecified.  */
1441       && sym != NULL
1442       && GELF_ST_TYPE (sym->st_info) != STT_NOTYPE
1443       && GELF_ST_TYPE (sym->st_info) != STT_OBJECT)
1444     {
1445       char buf[64];
1446       ERROR (_("section [%2d] '%s': relocation %zu: copy relocation against symbol of type %s\n"),
1447 	     idx, section_name (ebl, idx), cnt,
1448 	     ebl_symbol_type_name (ebl, GELF_ST_TYPE (sym->st_info),
1449 				   buf, sizeof (buf)));
1450     }
1451 
1452   if ((ehdr->e_type != ET_EXEC && ehdr->e_type != ET_DYN)
1453       || (relshdr->sh_flags & SHF_ALLOC) != 0)
1454     {
1455       bool in_loaded_seg = false;
1456       while (loaded != NULL)
1457 	{
1458 	  if (r_offset < loaded->to
1459 	      && r_offset + (sym == NULL ? 0 : sym->st_size) >= loaded->from)
1460 	    {
1461 	      /* The symbol is in this segment.  */
1462 	      if  (loaded->read_only)
1463 		{
1464 		  if (textrel)
1465 		    needed_textrel = true;
1466 		  else
1467 		    ERROR (_("section [%2d] '%s': relocation %zu: read-only section modified but text relocation flag not set\n"),
1468 			   idx, section_name (ebl, idx), cnt);
1469 		}
1470 
1471 	      in_loaded_seg = true;
1472 	    }
1473 
1474 	  loaded = loaded->next;
1475 	}
1476 
1477       if (*statep == state_undecided)
1478 	*statep = in_loaded_seg ? state_loaded : state_unloaded;
1479       else if ((*statep == state_unloaded && in_loaded_seg)
1480 	       || (*statep == state_loaded && !in_loaded_seg))
1481 	{
1482 	  ERROR (_("\
1483 section [%2d] '%s': relocations are against loaded and unloaded data\n"),
1484 		 idx, section_name (ebl, idx));
1485 	  *statep = state_error;
1486 	}
1487     }
1488 }
1489 
1490 
1491 static void
check_rela(Ebl * ebl,GElf_Ehdr * ehdr,GElf_Shdr * shdr,int idx)1492 check_rela (Ebl *ebl, GElf_Ehdr *ehdr, GElf_Shdr *shdr, int idx)
1493 {
1494   Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
1495   if (data == NULL)
1496     {
1497       ERROR (_("section [%2d] '%s': cannot get section data\n"),
1498 	     idx, section_name (ebl, idx));
1499       return;
1500     }
1501 
1502   /* Check the fields of the section header.  */
1503   GElf_Shdr destshdr_mem;
1504   GElf_Shdr *destshdr = NULL;
1505   struct loaded_segment *loaded = NULL;
1506   bool reldyn = check_reloc_shdr (ebl, ehdr, shdr, idx, ELF_T_RELA, &destshdr,
1507 				  &destshdr_mem, &loaded);
1508 
1509   Elf_Scn *symscn = elf_getscn (ebl->elf, shdr->sh_link);
1510   GElf_Shdr symshdr_mem;
1511   GElf_Shdr *symshdr = gelf_getshdr (symscn, &symshdr_mem);
1512   Elf_Data *symdata = elf_getdata (symscn, NULL);
1513   enum load_state state = state_undecided;
1514 
1515   size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_RELA, 1, EV_CURRENT);
1516   for (size_t cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt)
1517     {
1518       GElf_Rela rela_mem;
1519       GElf_Rela *rela = gelf_getrela (data, cnt, &rela_mem);
1520       if (rela == NULL)
1521 	{
1522 	  ERROR (_("\
1523 section [%2d] '%s': cannot get relocation %zu: %s\n"),
1524 		 idx, section_name (ebl, idx), cnt, elf_errmsg (-1));
1525 	  continue;
1526 	}
1527 
1528       check_one_reloc (ebl, ehdr, shdr, idx, cnt, symshdr, symdata,
1529 		       rela->r_offset, rela->r_info, destshdr, reldyn, loaded,
1530 		       &state);
1531     }
1532 
1533   while (loaded != NULL)
1534     {
1535       struct loaded_segment *old = loaded;
1536       loaded = loaded->next;
1537       free (old);
1538     }
1539 }
1540 
1541 
1542 static void
check_rel(Ebl * ebl,GElf_Ehdr * ehdr,GElf_Shdr * shdr,int idx)1543 check_rel (Ebl *ebl, GElf_Ehdr *ehdr, GElf_Shdr *shdr, int idx)
1544 {
1545   Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
1546   if (data == NULL)
1547     {
1548       ERROR (_("section [%2d] '%s': cannot get section data\n"),
1549 	     idx, section_name (ebl, idx));
1550       return;
1551     }
1552 
1553   /* Check the fields of the section header.  */
1554   GElf_Shdr destshdr_mem;
1555   GElf_Shdr *destshdr = NULL;
1556   struct loaded_segment *loaded = NULL;
1557   bool reldyn = check_reloc_shdr (ebl, ehdr, shdr, idx, ELF_T_REL, &destshdr,
1558 				  &destshdr_mem, &loaded);
1559 
1560   Elf_Scn *symscn = elf_getscn (ebl->elf, shdr->sh_link);
1561   GElf_Shdr symshdr_mem;
1562   GElf_Shdr *symshdr = gelf_getshdr (symscn, &symshdr_mem);
1563   Elf_Data *symdata = elf_getdata (symscn, NULL);
1564   enum load_state state = state_undecided;
1565 
1566   size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_REL, 1, EV_CURRENT);
1567   for (size_t cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt)
1568     {
1569       GElf_Rel rel_mem;
1570       GElf_Rel *rel = gelf_getrel (data, cnt, &rel_mem);
1571       if (rel == NULL)
1572 	{
1573 	  ERROR (_("\
1574 section [%2d] '%s': cannot get relocation %zu: %s\n"),
1575 		 idx, section_name (ebl, idx), cnt, elf_errmsg (-1));
1576 	  continue;
1577 	}
1578 
1579       check_one_reloc (ebl, ehdr, shdr, idx, cnt, symshdr, symdata,
1580 		       rel->r_offset, rel->r_info, destshdr, reldyn, loaded,
1581 		       &state);
1582     }
1583 
1584   while (loaded != NULL)
1585     {
1586       struct loaded_segment *old = loaded;
1587       loaded = loaded->next;
1588       free (old);
1589     }
1590 }
1591 
1592 
1593 /* Number of dynamic sections.  */
1594 static int ndynamic;
1595 
1596 
1597 static void
check_dynamic(Ebl * ebl,GElf_Ehdr * ehdr,GElf_Shdr * shdr,int idx)1598 check_dynamic (Ebl *ebl, GElf_Ehdr *ehdr, GElf_Shdr *shdr, int idx)
1599 {
1600   Elf_Data *data;
1601   GElf_Shdr strshdr_mem;
1602   GElf_Shdr *strshdr;
1603   size_t cnt;
1604   static const bool dependencies[DT_NUM][DT_NUM] =
1605     {
1606       [DT_NEEDED] = { [DT_STRTAB] = true },
1607       [DT_PLTRELSZ] = { [DT_JMPREL] = true },
1608       [DT_HASH] = { [DT_SYMTAB] = true },
1609       [DT_STRTAB] = { [DT_STRSZ] = true },
1610       [DT_SYMTAB] = { [DT_STRTAB] = true, [DT_SYMENT] = true },
1611       [DT_RELA] = { [DT_RELASZ] = true, [DT_RELAENT] = true },
1612       [DT_RELASZ] = { [DT_RELA] = true },
1613       [DT_RELAENT] = { [DT_RELA] = true },
1614       [DT_STRSZ] = { [DT_STRTAB] = true },
1615       [DT_SYMENT] = { [DT_SYMTAB] = true },
1616       [DT_SONAME] = { [DT_STRTAB] = true },
1617       [DT_RPATH] = { [DT_STRTAB] = true },
1618       [DT_REL] = { [DT_RELSZ] = true, [DT_RELENT] = true },
1619       [DT_RELSZ] = { [DT_REL] = true },
1620       [DT_RELENT] = { [DT_REL] = true },
1621       [DT_JMPREL] = { [DT_PLTRELSZ] = true, [DT_PLTREL] = true },
1622       [DT_RUNPATH] = { [DT_STRTAB] = true },
1623       [DT_PLTREL] = { [DT_JMPREL] = true },
1624     };
1625   bool has_dt[DT_NUM];
1626   bool has_val_dt[DT_VALNUM];
1627   bool has_addr_dt[DT_ADDRNUM];
1628   static const bool level2[DT_NUM] =
1629     {
1630       [DT_RPATH] = true,
1631       [DT_SYMBOLIC] = true,
1632       [DT_TEXTREL] = true,
1633       [DT_BIND_NOW] = true
1634     };
1635   static const bool mandatory[DT_NUM] =
1636     {
1637       [DT_NULL] = true,
1638       [DT_STRTAB] = true,
1639       [DT_SYMTAB] = true,
1640       [DT_STRSZ] = true,
1641       [DT_SYMENT] = true
1642     };
1643 
1644   memset (has_dt, '\0', sizeof (has_dt));
1645   memset (has_val_dt, '\0', sizeof (has_val_dt));
1646   memset (has_addr_dt, '\0', sizeof (has_addr_dt));
1647 
1648   if (++ndynamic == 2)
1649     ERROR (_("more than one dynamic section present\n"));
1650 
1651   data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
1652   if (data == NULL)
1653     {
1654       ERROR (_("section [%2d] '%s': cannot get section data\n"),
1655 	     idx, section_name (ebl, idx));
1656       return;
1657     }
1658 
1659   strshdr = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link), &strshdr_mem);
1660   if (strshdr != NULL && strshdr->sh_type != SHT_STRTAB)
1661     ERROR (_("\
1662 section [%2d] '%s': referenced as string table for section [%2d] '%s' but type is not SHT_STRTAB\n"),
1663 	   shdr->sh_link, section_name (ebl, shdr->sh_link),
1664 	   idx, section_name (ebl, idx));
1665   else if (strshdr == NULL)
1666     {
1667       ERROR (_("\
1668 section [%2d]: referenced as string table for section [%2d] '%s' but section link value is invalid\n"),
1669 	   shdr->sh_link, idx, section_name (ebl, idx));
1670       return;
1671     }
1672 
1673   size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_DYN, 1, EV_CURRENT);
1674   if (shdr->sh_entsize != sh_entsize)
1675     ERROR (_("\
1676 section [%2d] '%s': section entry size does not match ElfXX_Dyn\n"),
1677 	   idx, section_name (ebl, idx));
1678 
1679   if (shdr->sh_info != 0)
1680     ERROR (_("section [%2d] '%s': sh_info not zero\n"),
1681 	   idx, section_name (ebl, idx));
1682 
1683   bool non_null_warned = false;
1684   for (cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt)
1685     {
1686       GElf_Dyn dyn_mem;
1687       GElf_Dyn *dyn = gelf_getdyn (data, cnt, &dyn_mem);
1688       if (dyn == NULL)
1689 	{
1690 	  ERROR (_("\
1691 section [%2d] '%s': cannot get dynamic section entry %zu: %s\n"),
1692 		 idx, section_name (ebl, idx), cnt, elf_errmsg (-1));
1693 	  continue;
1694 	}
1695 
1696       if (has_dt[DT_NULL] && dyn->d_tag != DT_NULL && ! non_null_warned)
1697 	{
1698 	  ERROR (_("\
1699 section [%2d] '%s': non-DT_NULL entries follow DT_NULL entry\n"),
1700 		 idx, section_name (ebl, idx));
1701 	  non_null_warned = true;
1702 	}
1703 
1704       if (!ebl_dynamic_tag_check (ebl, dyn->d_tag))
1705 	ERROR (_("section [%2d] '%s': entry %zu: unknown tag\n"),
1706 	       idx, section_name (ebl, idx), cnt);
1707 
1708       if (dyn->d_tag >= 0 && dyn->d_tag < DT_NUM)
1709 	{
1710 	  if (has_dt[dyn->d_tag]
1711 	      && dyn->d_tag != DT_NEEDED
1712 	      && dyn->d_tag != DT_NULL
1713 	      && dyn->d_tag != DT_POSFLAG_1)
1714 	    {
1715 	      char buf[50];
1716 	      ERROR (_("\
1717 section [%2d] '%s': entry %zu: more than one entry with tag %s\n"),
1718 		     idx, section_name (ebl, idx), cnt,
1719 		     ebl_dynamic_tag_name (ebl, dyn->d_tag,
1720 					   buf, sizeof (buf)));
1721 	    }
1722 
1723 	  if (be_strict && level2[dyn->d_tag])
1724 	    {
1725 	      char buf[50];
1726 	      ERROR (_("\
1727 section [%2d] '%s': entry %zu: level 2 tag %s used\n"),
1728 		     idx, section_name (ebl, idx), cnt,
1729 		     ebl_dynamic_tag_name (ebl, dyn->d_tag,
1730 					   buf, sizeof (buf)));
1731 	    }
1732 
1733 	  has_dt[dyn->d_tag] = true;
1734 	}
1735       else if (dyn->d_tag >= 0 && dyn->d_tag <= DT_VALRNGHI
1736 	       && DT_VALTAGIDX (dyn->d_tag) < DT_VALNUM)
1737 	has_val_dt[DT_VALTAGIDX (dyn->d_tag)] = true;
1738       else if (dyn->d_tag >= 0 && dyn->d_tag <= DT_ADDRRNGHI
1739 	       && DT_ADDRTAGIDX (dyn->d_tag) < DT_ADDRNUM)
1740 	has_addr_dt[DT_ADDRTAGIDX (dyn->d_tag)] = true;
1741 
1742       if (dyn->d_tag == DT_PLTREL && dyn->d_un.d_val != DT_REL
1743 	  && dyn->d_un.d_val != DT_RELA)
1744 	ERROR (_("\
1745 section [%2d] '%s': entry %zu: DT_PLTREL value must be DT_REL or DT_RELA\n"),
1746 	       idx, section_name (ebl, idx), cnt);
1747 
1748       /* Check that addresses for entries are in loaded segments.  */
1749       switch (dyn->d_tag)
1750 	{
1751 	  size_t n;
1752 	case DT_STRTAB:
1753 	  /* We require the referenced section is the same as the one
1754 	     specified in sh_link.  */
1755 	  if (strshdr->sh_addr != dyn->d_un.d_val)
1756 	    {
1757 	      ERROR (_("\
1758 section [%2d] '%s': entry %zu: pointer does not match address of section [%2d] '%s' referenced by sh_link\n"),
1759 		     idx, section_name (ebl, idx), cnt,
1760 		     shdr->sh_link, section_name (ebl, shdr->sh_link));
1761 	      break;
1762 	    }
1763 	  goto check_addr;
1764 
1765 	default:
1766 	  if (dyn->d_tag < DT_ADDRRNGLO || dyn->d_tag > DT_ADDRRNGHI)
1767 	    /* Value is no pointer.  */
1768 	    break;
1769 	  FALLTHROUGH;
1770 
1771 	case DT_AUXILIARY:
1772 	case DT_FILTER:
1773 	case DT_FINI:
1774 	case DT_FINI_ARRAY:
1775 	case DT_HASH:
1776 	case DT_INIT:
1777 	case DT_INIT_ARRAY:
1778 	case DT_JMPREL:
1779 	case DT_PLTGOT:
1780 	case DT_REL:
1781 	case DT_RELA:
1782 	case DT_SYMBOLIC:
1783 	case DT_SYMTAB:
1784 	case DT_VERDEF:
1785 	case DT_VERNEED:
1786 	case DT_VERSYM:
1787 	check_addr:
1788 	  for (n = 0; n < phnum; ++n)
1789 	    {
1790 	      GElf_Phdr phdr_mem;
1791 	      GElf_Phdr *phdr = gelf_getphdr (ebl->elf, n, &phdr_mem);
1792 	      if (phdr != NULL && phdr->p_type == PT_LOAD
1793 		  && phdr->p_vaddr <= dyn->d_un.d_ptr
1794 		  && phdr->p_vaddr + phdr->p_memsz > dyn->d_un.d_ptr)
1795 		break;
1796 	    }
1797 	  if (unlikely (n >= phnum))
1798 	    {
1799 	      char buf[50];
1800 	      ERROR (_("\
1801 section [%2d] '%s': entry %zu: %s value must point into loaded segment\n"),
1802 		     idx, section_name (ebl, idx), cnt,
1803 		     ebl_dynamic_tag_name (ebl, dyn->d_tag, buf,
1804 					   sizeof (buf)));
1805 	    }
1806 	  break;
1807 
1808 	case DT_NEEDED:
1809 	case DT_RPATH:
1810 	case DT_RUNPATH:
1811 	case DT_SONAME:
1812 	  if (dyn->d_un.d_ptr >= strshdr->sh_size)
1813 	    {
1814 	      char buf[50];
1815 	      ERROR (_("\
1816 section [%2d] '%s': entry %zu: %s value must be valid offset in section [%2d] '%s'\n"),
1817 		     idx, section_name (ebl, idx), cnt,
1818 		     ebl_dynamic_tag_name (ebl, dyn->d_tag, buf,
1819 					   sizeof (buf)),
1820 		     shdr->sh_link, section_name (ebl, shdr->sh_link));
1821 	    }
1822 	  break;
1823 	}
1824     }
1825 
1826   for (cnt = 1; cnt < DT_NUM; ++cnt)
1827     if (has_dt[cnt])
1828       {
1829 	for (int inner = 0; inner < DT_NUM; ++inner)
1830 	  if (dependencies[cnt][inner] && ! has_dt[inner])
1831 	    {
1832 	      char buf1[50];
1833 	      char buf2[50];
1834 
1835 	      ERROR (_("\
1836 section [%2d] '%s': contains %s entry but not %s\n"),
1837 		     idx, section_name (ebl, idx),
1838 		     ebl_dynamic_tag_name (ebl, cnt, buf1, sizeof (buf1)),
1839 		     ebl_dynamic_tag_name (ebl, inner, buf2, sizeof (buf2)));
1840 	    }
1841       }
1842     else
1843       {
1844 	if (mandatory[cnt])
1845 	  {
1846 	    char buf[50];
1847 	    ERROR (_("\
1848 section [%2d] '%s': mandatory tag %s not present\n"),
1849 		   idx, section_name (ebl, idx),
1850 		   ebl_dynamic_tag_name (ebl, cnt, buf, sizeof (buf)));
1851 	  }
1852       }
1853 
1854   /* Make sure we have an hash table.  */
1855   if (!has_dt[DT_HASH] && !has_addr_dt[DT_ADDRTAGIDX (DT_GNU_HASH)])
1856     ERROR (_("\
1857 section [%2d] '%s': no hash section present\n"),
1858 	   idx, section_name (ebl, idx));
1859 
1860   /* The GNU-style hash table also needs a symbol table.  */
1861   if (!has_dt[DT_HASH] && has_addr_dt[DT_ADDRTAGIDX (DT_GNU_HASH)]
1862       && !has_dt[DT_SYMTAB])
1863     ERROR (_("\
1864 section [%2d] '%s': contains %s entry but not %s\n"),
1865 	   idx, section_name (ebl, idx),
1866 	   "DT_GNU_HASH", "DT_SYMTAB");
1867 
1868   /* Check the rel/rela tags.  At least one group must be available.  */
1869   if ((has_dt[DT_RELA] || has_dt[DT_RELASZ] || has_dt[DT_RELAENT])
1870       && (!has_dt[DT_RELA] || !has_dt[DT_RELASZ] || !has_dt[DT_RELAENT]))
1871     ERROR (_("\
1872 section [%2d] '%s': not all of %s, %s, and %s are present\n"),
1873 	   idx, section_name (ebl, idx),
1874 	   "DT_RELA", "DT_RELASZ", "DT_RELAENT");
1875 
1876   if ((has_dt[DT_REL] || has_dt[DT_RELSZ] || has_dt[DT_RELENT])
1877       && (!has_dt[DT_REL] || !has_dt[DT_RELSZ] || !has_dt[DT_RELENT]))
1878     ERROR (_("\
1879 section [%2d] '%s': not all of %s, %s, and %s are present\n"),
1880 	   idx, section_name (ebl, idx),
1881 	   "DT_REL", "DT_RELSZ", "DT_RELENT");
1882 
1883   /* Check that all prelink sections are present if any of them is.  */
1884   if (has_val_dt[DT_VALTAGIDX (DT_GNU_PRELINKED)]
1885       || has_val_dt[DT_VALTAGIDX (DT_CHECKSUM)])
1886     {
1887       if (!has_val_dt[DT_VALTAGIDX (DT_GNU_PRELINKED)])
1888 	ERROR (_("\
1889 section [%2d] '%s': %s tag missing in DSO marked during prelinking\n"),
1890 	       idx, section_name (ebl, idx), "DT_GNU_PRELINKED");
1891       if (!has_val_dt[DT_VALTAGIDX (DT_CHECKSUM)])
1892 	ERROR (_("\
1893 section [%2d] '%s': %s tag missing in DSO marked during prelinking\n"),
1894 	       idx, section_name (ebl, idx), "DT_CHECKSUM");
1895 
1896       /* Only DSOs can be marked like this.  */
1897       if (ehdr->e_type != ET_DYN)
1898 	ERROR (_("\
1899 section [%2d] '%s': non-DSO file marked as dependency during prelink\n"),
1900 	       idx, section_name (ebl, idx));
1901     }
1902 
1903   if (has_val_dt[DT_VALTAGIDX (DT_GNU_CONFLICTSZ)]
1904       || has_val_dt[DT_VALTAGIDX (DT_GNU_LIBLISTSZ)]
1905       || has_addr_dt[DT_ADDRTAGIDX (DT_GNU_CONFLICT)]
1906       || has_addr_dt[DT_ADDRTAGIDX (DT_GNU_LIBLIST)])
1907     {
1908       if (!has_val_dt[DT_VALTAGIDX (DT_GNU_CONFLICTSZ)])
1909 	ERROR (_("\
1910 section [%2d] '%s': %s tag missing in prelinked executable\n"),
1911 	       idx, section_name (ebl, idx), "DT_GNU_CONFLICTSZ");
1912       if (!has_val_dt[DT_VALTAGIDX (DT_GNU_LIBLISTSZ)])
1913 	ERROR (_("\
1914 section [%2d] '%s': %s tag missing in prelinked executable\n"),
1915 	       idx, section_name (ebl, idx), "DT_GNU_LIBLISTSZ");
1916       if (!has_addr_dt[DT_ADDRTAGIDX (DT_GNU_CONFLICT)])
1917 	ERROR (_("\
1918 section [%2d] '%s': %s tag missing in prelinked executable\n"),
1919 	       idx, section_name (ebl, idx), "DT_GNU_CONFLICT");
1920       if (!has_addr_dt[DT_ADDRTAGIDX (DT_GNU_LIBLIST)])
1921 	ERROR (_("\
1922 section [%2d] '%s': %s tag missing in prelinked executable\n"),
1923 	       idx, section_name (ebl, idx), "DT_GNU_LIBLIST");
1924     }
1925 }
1926 
1927 
1928 static void
check_symtab_shndx(Ebl * ebl,GElf_Ehdr * ehdr,GElf_Shdr * shdr,int idx)1929 check_symtab_shndx (Ebl *ebl, GElf_Ehdr *ehdr, GElf_Shdr *shdr, int idx)
1930 {
1931   if (ehdr->e_type != ET_REL)
1932     {
1933       ERROR (_("\
1934 section [%2d] '%s': only relocatable files can have extended section index\n"),
1935 	     idx, section_name (ebl, idx));
1936       return;
1937     }
1938 
1939   Elf_Scn *symscn = elf_getscn (ebl->elf, shdr->sh_link);
1940   GElf_Shdr symshdr_mem;
1941   GElf_Shdr *symshdr = gelf_getshdr (symscn, &symshdr_mem);
1942   if (symshdr != NULL && symshdr->sh_type != SHT_SYMTAB)
1943     ERROR (_("\
1944 section [%2d] '%s': extended section index section not for symbol table\n"),
1945 	   idx, section_name (ebl, idx));
1946   else if (symshdr == NULL)
1947     ERROR (_("\
1948 section [%2d] '%s': sh_link extended section index [%2d] is invalid\n"),
1949 	   idx, section_name (ebl, idx), shdr->sh_link);
1950   Elf_Data *symdata = elf_getdata (symscn, NULL);
1951   if (symdata == NULL)
1952     ERROR (_("cannot get data for symbol section\n"));
1953 
1954   if (shdr->sh_entsize != sizeof (Elf32_Word))
1955     ERROR (_("\
1956 section [%2d] '%s': entry size does not match Elf32_Word\n"),
1957 	   idx, section_name (ebl, idx));
1958 
1959   if (symshdr != NULL
1960       && shdr->sh_entsize != 0
1961       && symshdr->sh_entsize != 0
1962       && (shdr->sh_size / shdr->sh_entsize
1963 	  < symshdr->sh_size / symshdr->sh_entsize))
1964     ERROR (_("\
1965 section [%2d] '%s': extended index table too small for symbol table\n"),
1966 	   idx, section_name (ebl, idx));
1967 
1968   if (shdr->sh_info != 0)
1969     ERROR (_("section [%2d] '%s': sh_info not zero\n"),
1970 	   idx, section_name (ebl, idx));
1971 
1972   for (size_t cnt = idx + 1; cnt < shnum; ++cnt)
1973     {
1974       GElf_Shdr rshdr_mem;
1975       GElf_Shdr *rshdr = gelf_getshdr (elf_getscn (ebl->elf, cnt), &rshdr_mem);
1976       if (rshdr != NULL && rshdr->sh_type == SHT_SYMTAB_SHNDX
1977 	  && rshdr->sh_link == shdr->sh_link)
1978 	{
1979 	  ERROR (_("\
1980 section [%2d] '%s': extended section index in section [%2zu] '%s' refers to same symbol table\n"),
1981 		 idx, section_name (ebl, idx),
1982 		 cnt, section_name (ebl, cnt));
1983 	  break;
1984 	}
1985     }
1986 
1987   Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
1988   if (data == NULL || data->d_buf == NULL)
1989     {
1990       ERROR (_("section [%2d] '%s': cannot get section data\n"),
1991 	     idx, section_name (ebl, idx));
1992       return;
1993     }
1994 
1995   if (data->d_size < sizeof (Elf32_Word)
1996       || *((Elf32_Word *) data->d_buf) != 0)
1997     ERROR (_("symbol 0 should have zero extended section index\n"));
1998 
1999   for (size_t cnt = 1; cnt < data->d_size / sizeof (Elf32_Word); ++cnt)
2000     {
2001       Elf32_Word xndx = ((Elf32_Word *) data->d_buf)[cnt];
2002 
2003       if (xndx != 0)
2004 	{
2005 	  GElf_Sym sym_data;
2006 	  GElf_Sym *sym = gelf_getsym (symdata, cnt, &sym_data);
2007 	  if (sym == NULL)
2008 	    {
2009 	      ERROR (_("cannot get data for symbol %zu\n"), cnt);
2010 	      continue;
2011 	    }
2012 
2013 	  if (sym->st_shndx != SHN_XINDEX)
2014 	    ERROR (_("\
2015 extended section index is %" PRIu32 " but symbol index is not XINDEX\n"),
2016 		   (uint32_t) xndx);
2017 	}
2018     }
2019 }
2020 
2021 
2022 static void
check_sysv_hash(Ebl * ebl,GElf_Shdr * shdr,Elf_Data * data,int idx,GElf_Shdr * symshdr)2023 check_sysv_hash (Ebl *ebl, GElf_Shdr *shdr, Elf_Data *data, int idx,
2024 		 GElf_Shdr *symshdr)
2025 {
2026   Elf32_Word nbucket = ((Elf32_Word *) data->d_buf)[0];
2027   Elf32_Word nchain = ((Elf32_Word *) data->d_buf)[1];
2028 
2029   if (shdr->sh_size < (2ULL + nbucket + nchain) * sizeof (Elf32_Word))
2030     {
2031       ERROR (_("\
2032 section [%2d] '%s': hash table section is too small (is %ld, expected %ld)\n"),
2033 	     idx, section_name (ebl, idx), (long int) shdr->sh_size,
2034 	     (long int) ((2 + nbucket + nchain) * sizeof (Elf32_Word)));
2035       return;
2036     }
2037 
2038   size_t maxidx = nchain;
2039 
2040   if (symshdr != NULL && symshdr->sh_entsize != 0)
2041     {
2042       size_t symsize = symshdr->sh_size / symshdr->sh_entsize;
2043 
2044       if (nchain > symshdr->sh_size / symshdr->sh_entsize)
2045 	ERROR (_("section [%2d] '%s': chain array too large\n"),
2046 	       idx, section_name (ebl, idx));
2047 
2048       maxidx = symsize;
2049     }
2050 
2051   Elf32_Word *buf = (Elf32_Word *) data->d_buf;
2052   Elf32_Word *end = (Elf32_Word *) ((char *) data->d_buf + shdr->sh_size);
2053   size_t cnt;
2054   for (cnt = 2; cnt < 2 + nbucket; ++cnt)
2055     {
2056       if (buf + cnt >= end)
2057 	break;
2058       else if (buf[cnt] >= maxidx)
2059       ERROR (_("\
2060 section [%2d] '%s': hash bucket reference %zu out of bounds\n"),
2061 	     idx, section_name (ebl, idx), cnt - 2);
2062     }
2063 
2064   for (; cnt < 2 + nbucket + nchain; ++cnt)
2065     {
2066       if (buf + cnt >= end)
2067 	break;
2068       else if (buf[cnt] >= maxidx)
2069       ERROR (_("\
2070 section [%2d] '%s': hash chain reference %zu out of bounds\n"),
2071 	     idx, section_name (ebl, idx), cnt - 2 - nbucket);
2072     }
2073 }
2074 
2075 
2076 static void
check_sysv_hash64(Ebl * ebl,GElf_Shdr * shdr,Elf_Data * data,int idx,GElf_Shdr * symshdr)2077 check_sysv_hash64 (Ebl *ebl, GElf_Shdr *shdr, Elf_Data *data, int idx,
2078 		 GElf_Shdr *symshdr)
2079 {
2080   Elf64_Xword nbucket = ((Elf64_Xword *) data->d_buf)[0];
2081   Elf64_Xword nchain = ((Elf64_Xword *) data->d_buf)[1];
2082 
2083   uint64_t maxwords = shdr->sh_size / sizeof (Elf64_Xword);
2084   if (maxwords < 2
2085       || maxwords - 2 < nbucket
2086       || maxwords - 2 - nbucket < nchain)
2087     {
2088       ERROR (_("\
2089 section [%2d] '%s': hash table section is too small (is %ld, expected %ld)\n"),
2090 	     idx, section_name (ebl, idx), (long int) shdr->sh_size,
2091 	     (long int) ((2 + nbucket + nchain) * sizeof (Elf64_Xword)));
2092       return;
2093     }
2094 
2095   size_t maxidx = nchain;
2096 
2097   if (symshdr != NULL && symshdr->sh_entsize != 0)
2098     {
2099       size_t symsize = symshdr->sh_size / symshdr->sh_entsize;
2100 
2101       if (nchain > symshdr->sh_size / symshdr->sh_entsize)
2102 	ERROR (_("section [%2d] '%s': chain array too large\n"),
2103 	       idx, section_name (ebl, idx));
2104 
2105       maxidx = symsize;
2106     }
2107 
2108   Elf64_Xword *buf = (Elf64_Xword *) data->d_buf;
2109   Elf64_Xword *end = (Elf64_Xword *) ((char *) data->d_buf + shdr->sh_size);
2110   size_t cnt;
2111   for (cnt = 2; cnt < 2 + nbucket; ++cnt)
2112     {
2113       if (buf + cnt >= end)
2114 	break;
2115       else if (buf[cnt] >= maxidx)
2116       ERROR (_("\
2117 section [%2d] '%s': hash bucket reference %zu out of bounds\n"),
2118 	     idx, section_name (ebl, idx), cnt - 2);
2119     }
2120 
2121   for (; cnt < 2 + nbucket + nchain; ++cnt)
2122     {
2123       if (buf + cnt >= end)
2124 	break;
2125       else if (buf[cnt] >= maxidx)
2126       ERROR (_("\
2127 section [%2d] '%s': hash chain reference %" PRIu64 " out of bounds\n"),
2128 	       idx, section_name (ebl, idx), (uint64_t) cnt - 2 - nbucket);
2129     }
2130 }
2131 
2132 
2133 static void
check_gnu_hash(Ebl * ebl,GElf_Shdr * shdr,Elf_Data * data,int idx,GElf_Shdr * symshdr)2134 check_gnu_hash (Ebl *ebl, GElf_Shdr *shdr, Elf_Data *data, int idx,
2135 		GElf_Shdr *symshdr)
2136 {
2137   if (data->d_size < 4 * sizeof (Elf32_Word))
2138     {
2139       ERROR (_("\
2140 section [%2d] '%s': not enough data\n"),
2141 	     idx, section_name (ebl, idx));
2142       return;
2143     }
2144 
2145   Elf32_Word nbuckets = ((Elf32_Word *) data->d_buf)[0];
2146   Elf32_Word symbias = ((Elf32_Word *) data->d_buf)[1];
2147   Elf32_Word bitmask_words = ((Elf32_Word *) data->d_buf)[2];
2148 
2149   if (bitmask_words == 0 || !powerof2 (bitmask_words))
2150     {
2151       ERROR (_("\
2152 section [%2d] '%s': bitmask size zero or not power of 2: %u\n"),
2153 	     idx, section_name (ebl, idx), bitmask_words);
2154       return;
2155     }
2156 
2157   size_t bitmask_idxmask = bitmask_words - 1;
2158   if (gelf_getclass (ebl->elf) == ELFCLASS64)
2159     bitmask_words *= 2;
2160   Elf32_Word shift = ((Elf32_Word *) data->d_buf)[3];
2161 
2162   /* Is there still room for the sym chain?
2163      Use uint64_t calculation to prevent 32bit overflow.  */
2164   uint64_t used_buf = (4ULL + bitmask_words + nbuckets) * sizeof (Elf32_Word);
2165   if (used_buf > data->d_size)
2166     {
2167       ERROR (_("\
2168 section [%2d] '%s': hash table section is too small (is %ld, expected at least %ld)\n"),
2169 	     idx, section_name (ebl, idx), (long int) shdr->sh_size,
2170 	     (long int) used_buf);
2171       return;
2172     }
2173 
2174   if (shift > 31)
2175     {
2176       ERROR (_("\
2177 section [%2d] '%s': 2nd hash function shift too big: %u\n"),
2178 	     idx, section_name (ebl, idx), shift);
2179       return;
2180     }
2181 
2182   size_t maxidx = shdr->sh_size / sizeof (Elf32_Word) - (4 + bitmask_words
2183 							 + nbuckets);
2184 
2185   if (symshdr != NULL && symshdr->sh_entsize != 0)
2186     maxidx = MIN (maxidx, symshdr->sh_size / symshdr->sh_entsize);
2187 
2188   /* We need the symbol section data.  */
2189   Elf_Data *symdata = elf_getdata (elf_getscn (ebl->elf, shdr->sh_link), NULL);
2190 
2191   union
2192   {
2193     Elf32_Word *p32;
2194     Elf64_Xword *p64;
2195   } bitmask = { .p32 = &((Elf32_Word *) data->d_buf)[4] },
2196       collected = { .p32 = xcalloc (bitmask_words, sizeof (Elf32_Word)) };
2197 
2198   size_t classbits = gelf_getclass (ebl->elf) == ELFCLASS32 ? 32 : 64;
2199 
2200   size_t cnt;
2201   for (cnt = 4 + bitmask_words; cnt < 4 + bitmask_words + nbuckets; ++cnt)
2202     {
2203       Elf32_Word symidx = ((Elf32_Word *) data->d_buf)[cnt];
2204 
2205       if (symidx == 0)
2206 	continue;
2207 
2208       if (symidx < symbias)
2209 	{
2210 	  ERROR (_("\
2211 section [%2d] '%s': hash chain for bucket %zu lower than symbol index bias\n"),
2212 		 idx, section_name (ebl, idx), cnt - (4 + bitmask_words));
2213 	  continue;
2214 	}
2215 
2216       while (symidx - symbias < maxidx)
2217 	{
2218 	  Elf32_Word chainhash = ((Elf32_Word *) data->d_buf)[4
2219 							      + bitmask_words
2220 							      + nbuckets
2221 							      + symidx
2222 							      - symbias];
2223 
2224 	  if (symdata != NULL)
2225 	    {
2226 	      /* Check that the referenced symbol is not undefined.  */
2227 	      GElf_Sym sym_mem;
2228 	      GElf_Sym *sym = gelf_getsym (symdata, symidx, &sym_mem);
2229 	      if (sym != NULL && sym->st_shndx == SHN_UNDEF
2230 		  && GELF_ST_TYPE (sym->st_info) != STT_FUNC)
2231 		ERROR (_("\
2232 section [%2d] '%s': symbol %u referenced in chain for bucket %zu is undefined\n"),
2233 		       idx, section_name (ebl, idx), symidx,
2234 		       cnt - (4 + bitmask_words));
2235 
2236 	      const char *symname = (sym != NULL
2237 				     ? elf_strptr (ebl->elf, symshdr->sh_link,
2238 						   sym->st_name)
2239 				     : NULL);
2240 	      if (symname != NULL)
2241 		{
2242 		  Elf32_Word hval = elf_gnu_hash (symname);
2243 		  if ((hval & ~1u) != (chainhash & ~1u))
2244 		    ERROR (_("\
2245 section [%2d] '%s': hash value for symbol %u in chain for bucket %zu wrong\n"),
2246 			   idx, section_name (ebl, idx), symidx,
2247 			   cnt - (4 + bitmask_words));
2248 
2249 		  /* Set the bits in the bitmask.  */
2250 		  size_t maskidx = (hval / classbits) & bitmask_idxmask;
2251 		  if (maskidx >= bitmask_words)
2252 		    {
2253 		      ERROR (_("\
2254 section [%2d] '%s': mask index for symbol %u in chain for bucket %zu wrong\n"),
2255 			     idx, section_name (ebl, idx), symidx,
2256 			     cnt - (4 + bitmask_words));
2257 		      return;
2258 		    }
2259 		  if (classbits == 32)
2260 		    {
2261 		      collected.p32[maskidx]
2262 			|= UINT32_C (1) << (hval & (classbits - 1));
2263 		      collected.p32[maskidx]
2264 			|= UINT32_C (1) << ((hval >> shift) & (classbits - 1));
2265 		    }
2266 		  else
2267 		    {
2268 		      collected.p64[maskidx]
2269 			|= UINT64_C (1) << (hval & (classbits - 1));
2270 		      collected.p64[maskidx]
2271 			|= UINT64_C (1) << ((hval >> shift) & (classbits - 1));
2272 		    }
2273 		}
2274 	    }
2275 
2276 	  if ((chainhash & 1) != 0)
2277 	    break;
2278 
2279 	  ++symidx;
2280 	}
2281 
2282       if (symidx - symbias >= maxidx)
2283 	ERROR (_("\
2284 section [%2d] '%s': hash chain for bucket %zu out of bounds\n"),
2285 	       idx, section_name (ebl, idx), cnt - (4 + bitmask_words));
2286       else if (symshdr != NULL && symshdr->sh_entsize != 0
2287 	       && symidx > symshdr->sh_size / symshdr->sh_entsize)
2288 	ERROR (_("\
2289 section [%2d] '%s': symbol reference in chain for bucket %zu out of bounds\n"),
2290 	       idx, section_name (ebl, idx), cnt - (4 + bitmask_words));
2291     }
2292 
2293   if (memcmp (collected.p32, bitmask.p32, bitmask_words * sizeof (Elf32_Word)))
2294     ERROR (_("\
2295 section [%2d] '%s': bitmask does not match names in the hash table\n"),
2296 	   idx, section_name (ebl, idx));
2297 
2298   free (collected.p32);
2299 }
2300 
2301 
2302 static void
check_hash(int tag,Ebl * ebl,GElf_Ehdr * ehdr,GElf_Shdr * shdr,int idx)2303 check_hash (int tag, Ebl *ebl, GElf_Ehdr *ehdr, GElf_Shdr *shdr, int idx)
2304 {
2305   if (ehdr->e_type == ET_REL)
2306     {
2307       ERROR (_("\
2308 section [%2d] '%s': relocatable files cannot have hash tables\n"),
2309 	     idx, section_name (ebl, idx));
2310       return;
2311     }
2312 
2313   Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
2314   if (data == NULL || data->d_buf == NULL)
2315     {
2316       ERROR (_("section [%2d] '%s': cannot get section data\n"),
2317 	     idx, section_name (ebl, idx));
2318       return;
2319     }
2320 
2321   GElf_Shdr symshdr_mem;
2322   GElf_Shdr *symshdr = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
2323 				     &symshdr_mem);
2324   if (symshdr != NULL && symshdr->sh_type != SHT_DYNSYM)
2325     ERROR (_("\
2326 section [%2d] '%s': hash table not for dynamic symbol table\n"),
2327 	   idx, section_name (ebl, idx));
2328   else if (symshdr == NULL)
2329     ERROR (_("\
2330 section [%2d] '%s': invalid sh_link symbol table section index [%2d]\n"),
2331 	   idx, section_name (ebl, idx), shdr->sh_link);
2332 
2333   size_t expect_entsize = (tag == SHT_GNU_HASH
2334 			   ? (gelf_getclass (ebl->elf) == ELFCLASS32
2335 			      ? sizeof (Elf32_Word) : 0)
2336 			   : (size_t) ebl_sysvhash_entrysize (ebl));
2337 
2338   if (shdr->sh_entsize != expect_entsize)
2339     ERROR (_("\
2340 section [%2d] '%s': hash table entry size incorrect\n"),
2341 	   idx, section_name (ebl, idx));
2342 
2343   if ((shdr->sh_flags & SHF_ALLOC) == 0)
2344     ERROR (_("section [%2d] '%s': not marked to be allocated\n"),
2345 	   idx, section_name (ebl, idx));
2346 
2347   if (shdr->sh_size < (tag == SHT_GNU_HASH ? 4 : 2) * (expect_entsize ?: 4))
2348     {
2349       ERROR (_("\
2350 section [%2d] '%s': hash table has not even room for initial administrative entries\n"),
2351 	     idx, section_name (ebl, idx));
2352       return;
2353     }
2354 
2355   switch (tag)
2356     {
2357     case SHT_HASH:
2358       if (ebl_sysvhash_entrysize (ebl) == sizeof (Elf64_Xword))
2359 	check_sysv_hash64 (ebl, shdr, data, idx, symshdr);
2360       else
2361 	check_sysv_hash (ebl, shdr, data, idx, symshdr);
2362       break;
2363 
2364     case SHT_GNU_HASH:
2365       check_gnu_hash (ebl, shdr, data, idx, symshdr);
2366       break;
2367 
2368     default:
2369       assert (! "should not happen");
2370     }
2371 }
2372 
2373 
2374 /* Compare content of both hash tables, it must be identical.  */
2375 static void
compare_hash_gnu_hash(Ebl * ebl,GElf_Ehdr * ehdr,size_t hash_idx,size_t gnu_hash_idx)2376 compare_hash_gnu_hash (Ebl *ebl, GElf_Ehdr *ehdr, size_t hash_idx,
2377 		       size_t gnu_hash_idx)
2378 {
2379   Elf_Scn *hash_scn = elf_getscn (ebl->elf, hash_idx);
2380   Elf_Data *hash_data = elf_getdata (hash_scn, NULL);
2381   GElf_Shdr hash_shdr_mem;
2382   GElf_Shdr *hash_shdr = gelf_getshdr (hash_scn, &hash_shdr_mem);
2383   Elf_Scn *gnu_hash_scn = elf_getscn (ebl->elf, gnu_hash_idx);
2384   Elf_Data *gnu_hash_data = elf_getdata (gnu_hash_scn, NULL);
2385   GElf_Shdr gnu_hash_shdr_mem;
2386   GElf_Shdr *gnu_hash_shdr = gelf_getshdr (gnu_hash_scn, &gnu_hash_shdr_mem);
2387 
2388   if (hash_shdr == NULL || gnu_hash_shdr == NULL
2389       || hash_data == NULL || hash_data->d_buf == NULL
2390       || gnu_hash_data == NULL || gnu_hash_data->d_buf == NULL)
2391     /* None of these pointers should be NULL since we used the
2392        sections already.  We are careful nonetheless.  */
2393     return;
2394 
2395   /* The link must point to the same symbol table.  */
2396   if (hash_shdr->sh_link != gnu_hash_shdr->sh_link)
2397     {
2398       ERROR (_("\
2399 sh_link in hash sections [%2zu] '%s' and [%2zu] '%s' not identical\n"),
2400 	     hash_idx, elf_strptr (ebl->elf, shstrndx, hash_shdr->sh_name),
2401 	     gnu_hash_idx,
2402 	     elf_strptr (ebl->elf, shstrndx, gnu_hash_shdr->sh_name));
2403       return;
2404     }
2405 
2406   Elf_Scn *sym_scn = elf_getscn (ebl->elf, hash_shdr->sh_link);
2407   Elf_Data *sym_data = elf_getdata (sym_scn, NULL);
2408   GElf_Shdr sym_shdr_mem;
2409   GElf_Shdr *sym_shdr = gelf_getshdr (sym_scn, &sym_shdr_mem);
2410 
2411   if (sym_data == NULL || sym_data->d_buf == NULL
2412       || sym_shdr == NULL || sym_shdr->sh_entsize == 0)
2413     return;
2414 
2415   const char *hash_name;
2416   const char *gnu_hash_name;
2417   hash_name  = elf_strptr (ebl->elf, shstrndx, hash_shdr->sh_name);
2418   gnu_hash_name  = elf_strptr (ebl->elf, shstrndx, gnu_hash_shdr->sh_name);
2419 
2420   if (gnu_hash_data->d_size < 4 * sizeof (Elf32_Word))
2421     {
2422       ERROR (_("\
2423 hash section [%2zu] '%s' does not contain enough data\n"),
2424 	     gnu_hash_idx, gnu_hash_name);
2425       return;
2426     }
2427 
2428   uint32_t nentries = sym_shdr->sh_size / sym_shdr->sh_entsize;
2429   char *used = alloca (nentries);
2430   memset (used, '\0', nentries);
2431 
2432   /* First go over the GNU_HASH table and mark the entries as used.  */
2433   const Elf32_Word *gnu_hasharr = (Elf32_Word *) gnu_hash_data->d_buf;
2434   Elf32_Word gnu_nbucket = gnu_hasharr[0];
2435   Elf32_Word gnu_symbias = gnu_hasharr[1];
2436   const int bitmap_factor = ehdr->e_ident[EI_CLASS] == ELFCLASS32 ? 1 : 2;
2437   const Elf32_Word *gnu_bucket = (gnu_hasharr
2438 				  + (4 + gnu_hasharr[2] * bitmap_factor));
2439   const Elf32_Word *gnu_chain = gnu_bucket + gnu_hasharr[0];
2440 
2441   if (gnu_hasharr[2] == 0)
2442     {
2443       ERROR (_("\
2444 hash section [%2zu] '%s' has zero bit mask words\n"),
2445 	     gnu_hash_idx, gnu_hash_name);
2446       return;
2447     }
2448 
2449   uint64_t used_buf = ((4ULL + gnu_hasharr[2] * bitmap_factor + gnu_nbucket)
2450 		       * sizeof (Elf32_Word));
2451   uint32_t max_nsyms = (gnu_hash_data->d_size - used_buf) / sizeof (Elf32_Word);
2452   if (used_buf > gnu_hash_data->d_size)
2453     {
2454       ERROR (_("\
2455 hash section [%2zu] '%s' uses too much data\n"),
2456 	     gnu_hash_idx, gnu_hash_name);
2457       return;
2458     }
2459 
2460   for (Elf32_Word cnt = 0; cnt < gnu_nbucket; ++cnt)
2461     {
2462       if (gnu_bucket[cnt] != STN_UNDEF)
2463 	{
2464 	  Elf32_Word symidx = gnu_bucket[cnt] - gnu_symbias;
2465 	  do
2466 	    {
2467 	      if (symidx >= max_nsyms || symidx + gnu_symbias >= nentries)
2468 		{
2469 		  ERROR (_("\
2470 hash section [%2zu] '%s' invalid symbol index %" PRIu32 " (max_nsyms: %" PRIu32 ", nentries: %" PRIu32 "\n"),
2471 			 gnu_hash_idx, gnu_hash_name, symidx, max_nsyms, nentries);
2472 		  return;
2473 		}
2474 	      used[symidx + gnu_symbias] |= 1;
2475 	    }
2476 	  while ((gnu_chain[symidx++] & 1u) == 0);
2477 	}
2478     }
2479 
2480   /* Now go over the old hash table and check that we cover the same
2481      entries.  */
2482   if (hash_shdr->sh_entsize == sizeof (Elf32_Word))
2483     {
2484       const Elf32_Word *hasharr = (Elf32_Word *) hash_data->d_buf;
2485       if (hash_data->d_size < 2 * sizeof (Elf32_Word))
2486 	{
2487 	  ERROR (_("\
2488 hash section [%2zu] '%s' does not contain enough data\n"),
2489 		 hash_idx, hash_name);
2490 	  return;
2491 	}
2492 
2493       Elf32_Word nbucket = hasharr[0];
2494       Elf32_Word nchain = hasharr[1];
2495       uint64_t hash_used = (2ULL + nchain + nbucket) * sizeof (Elf32_Word);
2496       if (hash_used > hash_data->d_size)
2497 	{
2498 	  ERROR (_("\
2499 hash section [%2zu] '%s' uses too much data\n"),
2500 		 hash_idx, hash_name);
2501 	  return;
2502 	}
2503 
2504       const Elf32_Word *bucket = &hasharr[2];
2505       const Elf32_Word *chain = &hasharr[2 + nbucket];
2506 
2507       for (Elf32_Word cnt = 0; cnt < nbucket; ++cnt)
2508 	{
2509 	  Elf32_Word symidx = bucket[cnt];
2510 	  while (symidx != STN_UNDEF && symidx < nentries && symidx < nchain)
2511 	    {
2512 	      used[symidx] |= 2;
2513 	      symidx = chain[symidx];
2514 	    }
2515 	}
2516     }
2517   else if (hash_shdr->sh_entsize == sizeof (Elf64_Xword))
2518     {
2519       const Elf64_Xword *hasharr = (Elf64_Xword *) hash_data->d_buf;
2520       if (hash_data->d_size < 2 * sizeof (Elf32_Word))
2521 	{
2522 	  ERROR (_("\
2523 hash section [%2zu] '%s' does not contain enough data\n"),
2524 		 hash_idx, hash_name);
2525 	  return;
2526 	}
2527 
2528       Elf64_Xword nbucket = hasharr[0];
2529       Elf64_Xword nchain = hasharr[1];
2530       uint64_t maxwords = hash_data->d_size / sizeof (Elf64_Xword);
2531       if (maxwords < 2
2532 	  || maxwords - 2 < nbucket
2533 	  || maxwords - 2 - nbucket < nchain)
2534 	{
2535 	  ERROR (_("\
2536 hash section [%2zu] '%s' uses too much data\n"),
2537 		 hash_idx, hash_name);
2538 	  return;
2539 	}
2540 
2541       const Elf64_Xword *bucket = &hasharr[2];
2542       const Elf64_Xword *chain = &hasharr[2 + nbucket];
2543 
2544       for (Elf64_Xword cnt = 0; cnt < nbucket; ++cnt)
2545 	{
2546 	  Elf64_Xword symidx = bucket[cnt];
2547 	  while (symidx != STN_UNDEF && symidx < nentries && symidx < nchain)
2548 	    {
2549 	      used[symidx] |= 2;
2550 	      symidx = chain[symidx];
2551 	    }
2552 	}
2553     }
2554   else
2555     {
2556       ERROR (_("\
2557 hash section [%2zu] '%s' invalid sh_entsize\n"),
2558 	     hash_idx, hash_name);
2559       return;
2560     }
2561 
2562   /* Now see which entries are not set in one or both hash tables
2563      (unless the symbol is undefined in which case it can be omitted
2564      in the new table format).  */
2565   if ((used[0] & 1) != 0)
2566     ERROR (_("section [%2zu] '%s': reference to symbol index 0\n"),
2567 	   gnu_hash_idx,
2568 	   elf_strptr (ebl->elf, shstrndx, gnu_hash_shdr->sh_name));
2569   if ((used[0] & 2) != 0)
2570     ERROR (_("section [%2zu] '%s': reference to symbol index 0\n"),
2571 	   hash_idx, elf_strptr (ebl->elf, shstrndx, hash_shdr->sh_name));
2572 
2573   for (uint32_t cnt = 1; cnt < nentries; ++cnt)
2574     if (used[cnt] != 0 && used[cnt] != 3)
2575       {
2576 	if (used[cnt] == 1)
2577 	  ERROR (_("\
2578 symbol %d referenced in new hash table in [%2zu] '%s' but not in old hash table in [%2zu] '%s'\n"),
2579 		 cnt, gnu_hash_idx,
2580 		 elf_strptr (ebl->elf, shstrndx, gnu_hash_shdr->sh_name),
2581 		 hash_idx,
2582 		 elf_strptr (ebl->elf, shstrndx, hash_shdr->sh_name));
2583 	else
2584 	  {
2585 	    GElf_Sym sym_mem;
2586 	    GElf_Sym *sym = gelf_getsym (sym_data, cnt, &sym_mem);
2587 
2588 	    if (sym != NULL && sym->st_shndx != STN_UNDEF)
2589 	      ERROR (_("\
2590 symbol %d referenced in old hash table in [%2zu] '%s' but not in new hash table in [%2zu] '%s'\n"),
2591 		     cnt, hash_idx,
2592 		     elf_strptr (ebl->elf, shstrndx, hash_shdr->sh_name),
2593 		     gnu_hash_idx,
2594 		     elf_strptr (ebl->elf, shstrndx, gnu_hash_shdr->sh_name));
2595 	  }
2596       }
2597 }
2598 
2599 
2600 static void
check_null(Ebl * ebl,GElf_Shdr * shdr,int idx)2601 check_null (Ebl *ebl, GElf_Shdr *shdr, int idx)
2602 {
2603 #define TEST(name, extra) \
2604   if (extra && shdr->sh_##name != 0)					      \
2605     ERROR (_("section [%2d] '%s': nonzero sh_%s for NULL section\n"),  \
2606 	   idx, section_name (ebl, idx), #name)
2607 
2608   TEST (name, 1);
2609   TEST (flags, 1);
2610   TEST (addr, 1);
2611   TEST (offset, 1);
2612   TEST (size, idx != 0);
2613   TEST (link, idx != 0);
2614   TEST (info, 1);
2615   TEST (addralign, 1);
2616   TEST (entsize, 1);
2617 }
2618 
2619 
2620 static void
check_group(Ebl * ebl,GElf_Ehdr * ehdr,GElf_Shdr * shdr,int idx)2621 check_group (Ebl *ebl, GElf_Ehdr *ehdr, GElf_Shdr *shdr, int idx)
2622 {
2623   if (ehdr->e_type != ET_REL)
2624     {
2625       ERROR (_("\
2626 section [%2d] '%s': section groups only allowed in relocatable object files\n"),
2627 	     idx, section_name (ebl, idx));
2628       return;
2629     }
2630 
2631   /* Check that sh_link is an index of a symbol table.  */
2632   Elf_Scn *symscn = elf_getscn (ebl->elf, shdr->sh_link);
2633   GElf_Shdr symshdr_mem;
2634   GElf_Shdr *symshdr = gelf_getshdr (symscn, &symshdr_mem);
2635   if (symshdr == NULL)
2636     ERROR (_("section [%2d] '%s': cannot get symbol table: %s\n"),
2637 	   idx, section_name (ebl, idx), elf_errmsg (-1));
2638   else
2639     {
2640       if (symshdr->sh_type != SHT_SYMTAB)
2641 	ERROR (_("\
2642 section [%2d] '%s': section reference in sh_link is no symbol table\n"),
2643 	       idx, section_name (ebl, idx));
2644 
2645       if (shdr->sh_info >= symshdr->sh_size / gelf_fsize (ebl->elf, ELF_T_SYM,
2646 							  1, EV_CURRENT))
2647 	ERROR (_("\
2648 section [%2d] '%s': invalid symbol index in sh_info\n"),
2649 	       idx, section_name (ebl, idx));
2650 
2651       if (shdr->sh_flags != 0)
2652 	ERROR (_("section [%2d] '%s': sh_flags not zero\n"),
2653 	       idx, section_name (ebl, idx));
2654 
2655       GElf_Sym sym_data;
2656       GElf_Sym *sym = gelf_getsym (elf_getdata (symscn, NULL), shdr->sh_info,
2657 				   &sym_data);
2658       if (sym == NULL)
2659 	ERROR (_("\
2660 section [%2d] '%s': cannot get symbol for signature\n"),
2661 	       idx, section_name (ebl, idx));
2662       else if (elf_strptr (ebl->elf, symshdr->sh_link, sym->st_name) == NULL)
2663 	ERROR (_("\
2664 section [%2d] '%s': cannot get symbol name for signature\n"),
2665 	       idx, section_name (ebl, idx));
2666       else if (strcmp (elf_strptr (ebl->elf, symshdr->sh_link, sym->st_name),
2667 		       "") == 0)
2668 	ERROR (_("\
2669 section [%2d] '%s': signature symbol cannot be empty string\n"),
2670 	       idx, section_name (ebl, idx));
2671 
2672       if (be_strict
2673 	  && shdr->sh_entsize != elf32_fsize (ELF_T_WORD, 1, EV_CURRENT))
2674 	ERROR (_("section [%2d] '%s': sh_flags not set correctly\n"),
2675 	       idx, section_name (ebl, idx));
2676     }
2677 
2678   Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
2679   if (data == NULL || data->d_buf == NULL)
2680     ERROR (_("section [%2d] '%s': cannot get data: %s\n"),
2681 	   idx, section_name (ebl, idx), elf_errmsg (-1));
2682   else
2683     {
2684       size_t elsize = elf32_fsize (ELF_T_WORD, 1, EV_CURRENT);
2685       size_t cnt;
2686       Elf32_Word val;
2687 
2688       if (data->d_size % elsize != 0)
2689 	ERROR (_("\
2690 section [%2d] '%s': section size not multiple of sizeof(Elf32_Word)\n"),
2691 	       idx, section_name (ebl, idx));
2692 
2693       if (data->d_size < elsize)
2694 	{
2695 	  ERROR (_("\
2696 section [%2d] '%s': section group without flags word\n"),
2697 	       idx, section_name (ebl, idx));
2698 	  return;
2699 	}
2700       else if (be_strict)
2701 	{
2702 	  if (data->d_size < 2 * elsize)
2703 	    ERROR (_("\
2704 section [%2d] '%s': section group without member\n"),
2705 		   idx, section_name (ebl, idx));
2706 	  else if (data->d_size < 3 * elsize)
2707 	    ERROR (_("\
2708 section [%2d] '%s': section group with only one member\n"),
2709 		   idx, section_name (ebl, idx));
2710 	}
2711 
2712 #if ALLOW_UNALIGNED
2713       val = *((Elf32_Word *) data->d_buf);
2714 #else
2715       memcpy (&val, data->d_buf, elsize);
2716 #endif
2717       if ((val & ~GRP_COMDAT) != 0)
2718 	ERROR (_("section [%2d] '%s': unknown section group flags\n"),
2719 	       idx, section_name (ebl, idx));
2720 
2721       for (cnt = elsize; cnt + elsize <= data->d_size; cnt += elsize)
2722 	{
2723 #if ALLOW_UNALIGNED
2724 	  val = *((Elf32_Word *) ((char *) data->d_buf + cnt));
2725 #else
2726 	  memcpy (&val, (char *) data->d_buf + cnt, elsize);
2727 #endif
2728 
2729 	  if (val > shnum)
2730 	    ERROR (_("\
2731 section [%2d] '%s': section index %zu out of range\n"),
2732 		   idx, section_name (ebl, idx), cnt / elsize);
2733 	  else
2734 	    {
2735 	      GElf_Shdr refshdr_mem;
2736 	      GElf_Shdr *refshdr = gelf_getshdr (elf_getscn (ebl->elf, val),
2737 						 &refshdr_mem);
2738 	      if (refshdr == NULL)
2739 		ERROR (_("\
2740 section [%2d] '%s': cannot get section header for element %zu: %s\n"),
2741 		       idx, section_name (ebl, idx), cnt / elsize,
2742 		       elf_errmsg (-1));
2743 	      else
2744 		{
2745 		  if (refshdr->sh_type == SHT_GROUP)
2746 		    ERROR (_("\
2747 section [%2d] '%s': section group contains another group [%2d] '%s'\n"),
2748 			   idx, section_name (ebl, idx),
2749 			   val, section_name (ebl, val));
2750 
2751 		  if ((refshdr->sh_flags & SHF_GROUP) == 0)
2752 		    ERROR (_("\
2753 section [%2d] '%s': element %zu references section [%2d] '%s' without SHF_GROUP flag set\n"),
2754 			   idx, section_name (ebl, idx), cnt / elsize,
2755 			   val, section_name (ebl, val));
2756 		}
2757 
2758 	      if (val < shnum && ++scnref[val] == 2)
2759 		ERROR (_("\
2760 section [%2d] '%s' is contained in more than one section group\n"),
2761 		       val, section_name (ebl, val));
2762 	    }
2763 	}
2764     }
2765 }
2766 
2767 
2768 static const char *
section_flags_string(GElf_Word flags,char * buf,size_t len)2769 section_flags_string (GElf_Word flags, char *buf, size_t len)
2770 {
2771   if (flags == 0)
2772     return "none";
2773 
2774   static const struct
2775   {
2776     GElf_Word flag;
2777     const char *name;
2778   } known_flags[] =
2779     {
2780 #define NEWFLAG(name) { SHF_##name, #name }
2781       NEWFLAG (WRITE),
2782       NEWFLAG (ALLOC),
2783       NEWFLAG (EXECINSTR),
2784       NEWFLAG (MERGE),
2785       NEWFLAG (STRINGS),
2786       NEWFLAG (INFO_LINK),
2787       NEWFLAG (LINK_ORDER),
2788       NEWFLAG (OS_NONCONFORMING),
2789       NEWFLAG (GROUP),
2790       NEWFLAG (TLS),
2791       NEWFLAG (COMPRESSED),
2792       NEWFLAG (GNU_RETAIN),
2793       NEWFLAG (ORDERED),
2794       NEWFLAG (EXCLUDE)
2795     };
2796 #undef NEWFLAG
2797   const size_t nknown_flags = sizeof (known_flags) / sizeof (known_flags[0]);
2798 
2799   char *cp = buf;
2800 
2801   for (size_t cnt = 0; cnt < nknown_flags; ++cnt)
2802     if (flags & known_flags[cnt].flag)
2803       {
2804 	if (cp != buf && len > 1)
2805 	  {
2806 	    *cp++ = '|';
2807 	    --len;
2808 	  }
2809 
2810 	size_t ncopy = MIN (len - 1, strlen (known_flags[cnt].name));
2811 	cp = mempcpy (cp, known_flags[cnt].name, ncopy);
2812 	len -= ncopy;
2813 
2814 	flags ^= known_flags[cnt].flag;
2815       }
2816 
2817   if (flags != 0 || cp == buf)
2818     {
2819       int r = snprintf (cp, len - 1, "%s%" PRIx64,
2820 			(cp == buf) ? "" : "|", (uint64_t) flags);
2821       if (r > 0)
2822 	cp += r;
2823     }
2824   *cp = '\0';
2825 
2826   return buf;
2827 }
2828 
2829 
2830 static int
has_copy_reloc(Ebl * ebl,unsigned int symscnndx,unsigned int symndx)2831 has_copy_reloc (Ebl *ebl, unsigned int symscnndx, unsigned int symndx)
2832 {
2833   /* First find the relocation section for the symbol table.  */
2834   Elf_Scn *scn = NULL;
2835   GElf_Shdr shdr_mem;
2836   GElf_Shdr *shdr = NULL;
2837   while ((scn = elf_nextscn (ebl->elf, scn)) != NULL)
2838     {
2839       shdr = gelf_getshdr (scn, &shdr_mem);
2840       if (shdr != NULL
2841 	  && (shdr->sh_type == SHT_REL || shdr->sh_type == SHT_RELA)
2842 	  && shdr->sh_link == symscnndx)
2843 	/* Found the section.  */
2844 	break;
2845     }
2846 
2847   if (scn == NULL)
2848     return 0;
2849 
2850   Elf_Data *data = elf_getdata (scn, NULL);
2851   if (data == NULL || shdr->sh_entsize == 0)
2852     return 0;
2853 
2854   if (shdr->sh_type == SHT_REL)
2855     for (int i = 0; (size_t) i < shdr->sh_size / shdr->sh_entsize; ++i)
2856       {
2857 	GElf_Rel rel_mem;
2858 	GElf_Rel *rel = gelf_getrel (data, i, &rel_mem);
2859 	if (rel == NULL)
2860 	  continue;
2861 
2862 	if (GELF_R_SYM (rel->r_info) == symndx
2863 	    && ebl_copy_reloc_p (ebl, GELF_R_TYPE (rel->r_info)))
2864 	  return 1;
2865       }
2866   else
2867     for (int i = 0; (size_t) i < shdr->sh_size / shdr->sh_entsize; ++i)
2868       {
2869 	GElf_Rela rela_mem;
2870 	GElf_Rela *rela = gelf_getrela (data, i, &rela_mem);
2871 	if (rela == NULL)
2872 	  continue;
2873 
2874 	if (GELF_R_SYM (rela->r_info) == symndx
2875 	    && ebl_copy_reloc_p (ebl, GELF_R_TYPE (rela->r_info)))
2876 	  return 1;
2877       }
2878 
2879   return 0;
2880 }
2881 
2882 
2883 static int
in_nobits_scn(Ebl * ebl,unsigned int shndx)2884 in_nobits_scn (Ebl *ebl, unsigned int shndx)
2885 {
2886   GElf_Shdr shdr_mem;
2887   GElf_Shdr *shdr = gelf_getshdr (elf_getscn (ebl->elf, shndx), &shdr_mem);
2888   return shdr != NULL && shdr->sh_type == SHT_NOBITS;
2889 }
2890 
2891 
2892 static struct version_namelist
2893 {
2894   const char *objname;
2895   const char *name;
2896   GElf_Versym ndx;
2897   enum { ver_def, ver_need } type;
2898   struct version_namelist *next;
2899 } *version_namelist;
2900 
2901 
2902 static int
add_version(const char * objname,const char * name,GElf_Versym ndx,int type)2903 add_version (const char *objname, const char *name, GElf_Versym ndx, int type)
2904 {
2905   /* Check that there are no duplications.  */
2906   struct version_namelist *nlp = version_namelist;
2907   while (nlp != NULL)
2908     {
2909       if (((nlp->objname == NULL && objname == NULL)
2910 	   || (nlp->objname != NULL && objname != NULL
2911 	       && strcmp (nlp->objname, objname) == 0))
2912 	  && strcmp (nlp->name, name) == 0)
2913 	return nlp->type == ver_def ? 1 : -1;
2914       nlp = nlp->next;
2915     }
2916 
2917   nlp = xmalloc (sizeof (*nlp));
2918   nlp->objname = objname;
2919   nlp->name = name;
2920   nlp->ndx = ndx;
2921   nlp->type = type;
2922   nlp->next = version_namelist;
2923   version_namelist = nlp;
2924 
2925   return 0;
2926 }
2927 
2928 
2929 static void
check_versym(Ebl * ebl,int idx)2930 check_versym (Ebl *ebl, int idx)
2931 {
2932   Elf_Scn *scn = elf_getscn (ebl->elf, idx);
2933   GElf_Shdr shdr_mem;
2934   GElf_Shdr *shdr = gelf_getshdr (scn, &shdr_mem);
2935   if (shdr == NULL)
2936     /* The error has already been reported.  */
2937     return;
2938 
2939   Elf_Data *data = elf_getdata (scn, NULL);
2940   if (data == NULL)
2941     {
2942       ERROR (_("section [%2d] '%s': cannot get section data\n"),
2943 	     idx, section_name (ebl, idx));
2944       return;
2945     }
2946 
2947   Elf_Scn *symscn = elf_getscn (ebl->elf, shdr->sh_link);
2948   GElf_Shdr symshdr_mem;
2949   GElf_Shdr *symshdr = gelf_getshdr (symscn, &symshdr_mem);
2950   if (symshdr == NULL)
2951     /* The error has already been reported.  */
2952     return;
2953 
2954   if (symshdr->sh_type != SHT_DYNSYM)
2955     {
2956       ERROR (_("\
2957 section [%2d] '%s' refers in sh_link to section [%2d] '%s' which is no dynamic symbol table\n"),
2958 	     idx, section_name (ebl, idx),
2959 	     shdr->sh_link, section_name (ebl, shdr->sh_link));
2960       return;
2961     }
2962 
2963   /* The number of elements in the version symbol table must be the
2964      same as the number of symbols.  */
2965   if (shdr->sh_entsize != 0 && symshdr->sh_entsize != 0
2966       && (shdr->sh_size / shdr->sh_entsize
2967 	  != symshdr->sh_size / symshdr->sh_entsize))
2968     ERROR (_("\
2969 section [%2d] '%s' has different number of entries than symbol table [%2d] '%s'\n"),
2970 	   idx, section_name (ebl, idx),
2971 	   shdr->sh_link, section_name (ebl, shdr->sh_link));
2972 
2973   Elf_Data *symdata = elf_getdata (symscn, NULL);
2974   if (symdata == NULL || shdr->sh_entsize == 0)
2975     /* The error has already been reported.  */
2976     return;
2977 
2978   for (int cnt = 1; (size_t) cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
2979     {
2980       GElf_Versym versym_mem;
2981       GElf_Versym *versym = gelf_getversym (data, cnt, &versym_mem);
2982       if (versym == NULL)
2983 	{
2984 	  ERROR (_("\
2985 section [%2d] '%s': symbol %d: cannot read version data\n"),
2986 		 idx, section_name (ebl, idx), cnt);
2987 	  break;
2988 	}
2989 
2990       GElf_Sym sym_mem;
2991       GElf_Sym *sym = gelf_getsym (symdata, cnt, &sym_mem);
2992       if (sym == NULL)
2993 	/* Already reported elsewhere.  */
2994 	continue;
2995 
2996       if (*versym == VER_NDX_GLOBAL)
2997 	{
2998 	  /* Global symbol.  Make sure it is not defined as local.  */
2999 	  if (GELF_ST_BIND (sym->st_info) == STB_LOCAL)
3000 	    ERROR (_("\
3001 section [%2d] '%s': symbol %d: local symbol with global scope\n"),
3002 		   idx, section_name (ebl, idx), cnt);
3003 	}
3004       else if (*versym != VER_NDX_LOCAL)
3005 	{
3006 	  /* Versioned symbol.  Make sure it is not defined as local.  */
3007 	  if (!gnuld && GELF_ST_BIND (sym->st_info) == STB_LOCAL)
3008 	    ERROR (_("\
3009 section [%2d] '%s': symbol %d: local symbol with version\n"),
3010 		   idx, section_name (ebl, idx), cnt);
3011 
3012 	  /* Look through the list of defined versions and locate the
3013 	     index we need for this symbol.  */
3014 	  struct version_namelist *runp = version_namelist;
3015 	  while (runp != NULL)
3016 	    if (runp->ndx == (*versym & (GElf_Versym) 0x7fff))
3017 	      break;
3018 	    else
3019 	      runp = runp->next;
3020 
3021 	  if (runp == NULL)
3022 	    ERROR (_("\
3023 section [%2d] '%s': symbol %d: invalid version index %d\n"),
3024 		   idx, section_name (ebl, idx), cnt, (int) *versym);
3025 	  else if (sym->st_shndx == SHN_UNDEF
3026 		   && runp->type == ver_def)
3027 	    ERROR (_("\
3028 section [%2d] '%s': symbol %d: version index %d is for defined version\n"),
3029 		   idx, section_name (ebl, idx), cnt, (int) *versym);
3030 	  else if (sym->st_shndx != SHN_UNDEF
3031 		   && runp->type == ver_need)
3032 	    {
3033 	      /* Unless this symbol has a copy relocation associated
3034 		 this must not happen.  */
3035 	      if (!has_copy_reloc (ebl, shdr->sh_link, cnt)
3036 		  && !in_nobits_scn (ebl, sym->st_shndx))
3037 		ERROR (_("\
3038 section [%2d] '%s': symbol %d: version index %d is for requested version\n"),
3039 		       idx, section_name (ebl, idx), cnt, (int) *versym);
3040 	    }
3041 	}
3042     }
3043 }
3044 
3045 
3046 static int
unknown_dependency_p(Elf * elf,const char * fname)3047 unknown_dependency_p (Elf *elf, const char *fname)
3048 {
3049   GElf_Phdr phdr_mem;
3050   GElf_Phdr *phdr = NULL;
3051 
3052   unsigned int i;
3053   for (i = 0; i < phnum; ++i)
3054     if ((phdr = gelf_getphdr (elf, i, &phdr_mem)) != NULL
3055 	&& phdr->p_type == PT_DYNAMIC)
3056       break;
3057 
3058   if (i == phnum)
3059     return 1;
3060   assert (phdr != NULL);
3061   Elf_Scn *scn = gelf_offscn (elf, phdr->p_offset);
3062   GElf_Shdr shdr_mem;
3063   GElf_Shdr *shdr = gelf_getshdr (scn, &shdr_mem);
3064   Elf_Data *data = elf_getdata (scn, NULL);
3065   if (shdr != NULL && shdr->sh_type == SHT_DYNAMIC
3066       && data != NULL && shdr->sh_entsize != 0)
3067     for (size_t j = 0; j < shdr->sh_size / shdr->sh_entsize; ++j)
3068       {
3069 	GElf_Dyn dyn_mem;
3070 	GElf_Dyn *dyn = gelf_getdyn (data, j, &dyn_mem);
3071 	if (dyn != NULL && dyn->d_tag == DT_NEEDED)
3072 	  {
3073 	    const char *str = elf_strptr (elf, shdr->sh_link, dyn->d_un.d_val);
3074 	    if (str != NULL && strcmp (str, fname) == 0)
3075 	      /* Found it.  */
3076 	      return 0;
3077 	  }
3078       }
3079 
3080   return 1;
3081 }
3082 
3083 
3084 static unsigned int nverneed;
3085 
3086 static void
check_verneed(Ebl * ebl,GElf_Shdr * shdr,int idx)3087 check_verneed (Ebl *ebl, GElf_Shdr *shdr, int idx)
3088 {
3089   if (++nverneed == 2)
3090     ERROR (_("more than one version reference section present\n"));
3091 
3092   GElf_Shdr strshdr_mem;
3093   GElf_Shdr *strshdr = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
3094 				     &strshdr_mem);
3095   if (strshdr == NULL)
3096     return;
3097   if (strshdr->sh_type != SHT_STRTAB)
3098     ERROR (_("\
3099 section [%2d] '%s': sh_link does not link to string table\n"),
3100 	   idx, section_name (ebl, idx));
3101 
3102   Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
3103   if (data == NULL)
3104     {
3105       ERROR (_("section [%2d] '%s': cannot get section data\n"),
3106 	     idx, section_name (ebl, idx));
3107       return;
3108     }
3109   unsigned int offset = 0;
3110   for (Elf64_Word cnt = shdr->sh_info; cnt > 0; )
3111     {
3112       cnt--;
3113 
3114       /* Get the data at the next offset.  */
3115       GElf_Verneed needmem;
3116       GElf_Verneed *need = gelf_getverneed (data, offset, &needmem);
3117       if (need == NULL)
3118 	break;
3119 
3120       unsigned int auxoffset = offset + need->vn_aux;
3121 
3122       if (need->vn_version != EV_CURRENT)
3123 	ERROR (_("\
3124 section [%2d] '%s': entry %d has wrong version %d\n"),
3125 	       idx, section_name (ebl, idx), cnt, (int) need->vn_version);
3126 
3127       if (need->vn_cnt > 0 && need->vn_aux < gelf_fsize (ebl->elf, ELF_T_VNEED,
3128 							 1, EV_CURRENT))
3129 	{
3130 	  ERROR (_("\
3131 section [%2d] '%s': entry %d has wrong offset of auxiliary data\n"),
3132 	         idx, section_name (ebl, idx), cnt);
3133 	  break;
3134 	}
3135 
3136       const char *libname = elf_strptr (ebl->elf, shdr->sh_link,
3137 					need->vn_file);
3138       if (libname == NULL)
3139 	{
3140 	  ERROR (_("\
3141 section [%2d] '%s': entry %d has invalid file reference\n"),
3142 		 idx, section_name (ebl, idx), cnt);
3143 	  goto next_need;
3144 	}
3145 
3146       /* Check that there is a DT_NEEDED entry for the referenced library.  */
3147       if (unknown_dependency_p (ebl->elf, libname))
3148 	ERROR (_("\
3149 section [%2d] '%s': entry %d references unknown dependency\n"),
3150 	       idx, section_name (ebl, idx), cnt);
3151 
3152       for (int cnt2 = need->vn_cnt; --cnt2 >= 0; )
3153 	{
3154 	  GElf_Vernaux auxmem;
3155 	  GElf_Vernaux *aux = gelf_getvernaux (data, auxoffset, &auxmem);
3156 	  if (aux == NULL)
3157 	    break;
3158 
3159 	  if ((aux->vna_flags & ~VER_FLG_WEAK) != 0)
3160 	    ERROR (_("\
3161 section [%2d] '%s': auxiliary entry %d of entry %d has unknown flag\n"),
3162 		   idx, section_name (ebl, idx), need->vn_cnt - cnt2, cnt);
3163 
3164 	  const char *verstr = elf_strptr (ebl->elf, shdr->sh_link,
3165 					   aux->vna_name);
3166 	  if (verstr == NULL)
3167 	    {
3168 	      ERROR (_("\
3169 section [%2d] '%s': auxiliary entry %d of entry %d has invalid name reference\n"),
3170 		     idx, section_name (ebl, idx), need->vn_cnt - cnt2, cnt);
3171 	      break;
3172 	    }
3173 	  else
3174 	    {
3175 	      GElf_Word hashval = elf_hash (verstr);
3176 	      if (hashval != aux->vna_hash)
3177 		ERROR (_("\
3178 section [%2d] '%s': auxiliary entry %d of entry %d has wrong hash value: %#x, expected %#x\n"),
3179 		       idx, section_name (ebl, idx), need->vn_cnt - cnt2,
3180 		       cnt, (int) hashval, (int) aux->vna_hash);
3181 
3182 	      int res = add_version (libname, verstr, aux->vna_other,
3183 				     ver_need);
3184 	      if (unlikely (res !=0))
3185 		{
3186 		  ERROR (_("\
3187 section [%2d] '%s': auxiliary entry %d of entry %d has duplicate version name '%s'\n"),
3188 			 idx, section_name (ebl, idx), need->vn_cnt - cnt2,
3189 			 cnt, verstr);
3190 		}
3191 	    }
3192 
3193 	  if ((aux->vna_next != 0 || cnt2 > 0)
3194 	      && aux->vna_next < gelf_fsize (ebl->elf, ELF_T_VNAUX, 1,
3195 					     EV_CURRENT))
3196 	    {
3197 	      ERROR (_("\
3198 section [%2d] '%s': auxiliary entry %d of entry %d has wrong next field\n"),
3199 		     idx, section_name (ebl, idx), need->vn_cnt - cnt2, cnt);
3200 	      break;
3201 	    }
3202 
3203 	  auxoffset += MAX (aux->vna_next,
3204 			    gelf_fsize (ebl->elf, ELF_T_VNAUX, 1, EV_CURRENT));
3205 	}
3206 
3207       /* Find the next offset.  */
3208     next_need:
3209       offset += need->vn_next;
3210 
3211       if ((need->vn_next != 0 || cnt > 0)
3212 	  && offset < auxoffset)
3213 	{
3214 	  ERROR (_("\
3215 section [%2d] '%s': entry %d has invalid offset to next entry\n"),
3216 	         idx, section_name (ebl, idx), cnt);
3217 	  break;
3218 	}
3219 
3220       if (need->vn_next == 0 && cnt > 0)
3221 	{
3222 	  ERROR (_("\
3223 section [%2d] '%s': entry %d has zero offset to next entry, but sh_info says there are more entries\n"),
3224 	         idx, section_name (ebl, idx), cnt);
3225 	  break;
3226 	}
3227     }
3228 }
3229 
3230 
3231 static unsigned int nverdef;
3232 
3233 static void
check_verdef(Ebl * ebl,GElf_Shdr * shdr,int idx)3234 check_verdef (Ebl *ebl, GElf_Shdr *shdr, int idx)
3235 {
3236   if (++nverdef == 2)
3237     ERROR (_("more than one version definition section present\n"));
3238 
3239   GElf_Shdr strshdr_mem;
3240   GElf_Shdr *strshdr = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
3241 				     &strshdr_mem);
3242   if (strshdr == NULL)
3243     return;
3244   if (strshdr->sh_type != SHT_STRTAB)
3245     ERROR (_("\
3246 section [%2d] '%s': sh_link does not link to string table\n"),
3247 	   idx, section_name (ebl, idx));
3248 
3249   Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
3250   if (data == NULL)
3251     {
3252     no_data:
3253       ERROR (_("section [%2d] '%s': cannot get section data\n"),
3254 	     idx, section_name (ebl, idx));
3255       return;
3256     }
3257 
3258   /* Iterate over all version definition entries.  We check that there
3259      is a BASE entry and that each index is unique.  To do the later
3260      we collection the information in a list which is later
3261      examined.  */
3262   struct namelist
3263   {
3264     const char *name;
3265     struct namelist *next;
3266   } *namelist = NULL;
3267   struct namelist *refnamelist = NULL;
3268 
3269   bool has_base = false;
3270   unsigned int offset = 0;
3271   for (Elf64_Word cnt = shdr->sh_info; cnt > 0; )
3272     {
3273       cnt--;
3274 
3275       /* Get the data at the next offset.  */
3276       GElf_Verdef defmem;
3277       GElf_Verdef *def = gelf_getverdef (data, offset, &defmem);
3278       if (def == NULL)
3279 	goto no_data;
3280 
3281       if ((def->vd_flags & VER_FLG_BASE) != 0)
3282 	{
3283 	  if (has_base)
3284 	    ERROR (_("\
3285 section [%2d] '%s': more than one BASE definition\n"),
3286 		   idx, section_name (ebl, idx));
3287 	  if (def->vd_ndx != VER_NDX_GLOBAL)
3288 	    ERROR (_("\
3289 section [%2d] '%s': BASE definition must have index VER_NDX_GLOBAL\n"),
3290 		   idx, section_name (ebl, idx));
3291 	  has_base = true;
3292 	}
3293       if ((def->vd_flags & ~(VER_FLG_BASE|VER_FLG_WEAK)) != 0)
3294 	ERROR (_("\
3295 section [%2d] '%s': entry %d has unknown flag\n"),
3296 	       idx, section_name (ebl, idx), cnt);
3297 
3298       if (def->vd_version != EV_CURRENT)
3299 	ERROR (_("\
3300 section [%2d] '%s': entry %d has wrong version %d\n"),
3301 	       idx, section_name (ebl, idx), cnt, (int) def->vd_version);
3302 
3303       if (def->vd_cnt > 0 && def->vd_aux < gelf_fsize (ebl->elf, ELF_T_VDEF,
3304 						       1, EV_CURRENT))
3305 	{
3306 	  ERROR (_("\
3307 section [%2d] '%s': entry %d has wrong offset of auxiliary data\n"),
3308 	         idx, section_name (ebl, idx), cnt);
3309 	  break;
3310 	}
3311 
3312       unsigned int auxoffset = offset + def->vd_aux;
3313       GElf_Verdaux auxmem;
3314       GElf_Verdaux *aux = gelf_getverdaux (data, auxoffset, &auxmem);
3315       if (aux == NULL)
3316 	goto no_data;
3317 
3318       const char *name = elf_strptr (ebl->elf, shdr->sh_link, aux->vda_name);
3319       if (name == NULL)
3320 	{
3321 	  ERROR (_("\
3322 section [%2d] '%s': entry %d has invalid name reference\n"),
3323 		 idx, section_name (ebl, idx), cnt);
3324 	  goto next_def;
3325 	}
3326       GElf_Word hashval = elf_hash (name);
3327       if (def->vd_hash != hashval)
3328 	ERROR (_("\
3329 section [%2d] '%s': entry %d has wrong hash value: %#x, expected %#x\n"),
3330 	       idx, section_name (ebl, idx), cnt, (int) hashval,
3331 	       (int) def->vd_hash);
3332 
3333       int res = add_version (NULL, name, def->vd_ndx, ver_def);
3334       if (unlikely (res !=0))
3335 	{
3336 	  ERROR (_("\
3337 section [%2d] '%s': entry %d has duplicate version name '%s'\n"),
3338 		 idx, section_name (ebl, idx), cnt, name);
3339 	}
3340 
3341       struct namelist *newname = alloca (sizeof (*newname));
3342       newname->name = name;
3343       newname->next = namelist;
3344       namelist = newname;
3345 
3346       auxoffset += aux->vda_next;
3347       for (int cnt2 = 1; cnt2 < def->vd_cnt; ++cnt2)
3348 	{
3349 	  aux = gelf_getverdaux (data, auxoffset, &auxmem);
3350 	  if (aux == NULL)
3351 	    goto no_data;
3352 
3353 	  name = elf_strptr (ebl->elf, shdr->sh_link, aux->vda_name);
3354 	  if (name == NULL)
3355 	    {
3356 	      ERROR (_("\
3357 section [%2d] '%s': entry %d has invalid name reference in auxiliary data\n"),
3358 		     idx, section_name (ebl, idx), cnt);
3359 	      break;
3360 	    }
3361 	  else
3362 	    {
3363 	      newname = alloca (sizeof (*newname));
3364 	      newname->name = name;
3365 	      newname->next = refnamelist;
3366 	      refnamelist = newname;
3367 	    }
3368 
3369 	  if ((aux->vda_next != 0 || cnt2 + 1 < def->vd_cnt)
3370 	      && aux->vda_next < gelf_fsize (ebl->elf, ELF_T_VDAUX, 1,
3371 					     EV_CURRENT))
3372 	    {
3373 	      ERROR (_("\
3374 section [%2d] '%s': entry %d has wrong next field in auxiliary data\n"),
3375 		     idx, section_name (ebl, idx), cnt);
3376 	      break;
3377 	    }
3378 
3379 	  auxoffset += MAX (aux->vda_next,
3380 			    gelf_fsize (ebl->elf, ELF_T_VDAUX, 1, EV_CURRENT));
3381 	}
3382 
3383       /* Find the next offset.  */
3384     next_def:
3385       offset += def->vd_next;
3386 
3387       if ((def->vd_next != 0 || cnt > 0)
3388 	  && offset < auxoffset)
3389 	{
3390 	  ERROR (_("\
3391 section [%2d] '%s': entry %d has invalid offset to next entry\n"),
3392 	         idx, section_name (ebl, idx), cnt);
3393 	  break;
3394 	}
3395 
3396       if (def->vd_next == 0 && cnt > 0)
3397 	{
3398 	  ERROR (_("\
3399 section [%2d] '%s': entry %d has zero offset to next entry, but sh_info says there are more entries\n"),
3400 	         idx, section_name (ebl, idx), cnt);
3401 	  break;
3402 	}
3403     }
3404 
3405   if (!has_base)
3406     ERROR (_("section [%2d] '%s': no BASE definition\n"),
3407 	   idx, section_name (ebl, idx));
3408 
3409   /* Check whether the referenced names are available.  */
3410   while (namelist != NULL)
3411     {
3412       struct version_namelist *runp = version_namelist;
3413       while (runp != NULL)
3414 	{
3415 	  if (runp->type == ver_def
3416 	      && strcmp (runp->name, namelist->name) == 0)
3417 	    break;
3418 	  runp = runp->next;
3419 	}
3420 
3421       if (runp == NULL)
3422 	ERROR (_("\
3423 section [%2d] '%s': unknown parent version '%s'\n"),
3424 	       idx, section_name (ebl, idx), namelist->name);
3425 
3426       namelist = namelist->next;
3427     }
3428 }
3429 
3430 static inline size_t
buffer_pos(Elf_Data * data,const unsigned char * p)3431 buffer_pos (Elf_Data *data, const unsigned char *p)
3432 {
3433   return p - (const unsigned char *) data->d_buf;
3434 }
3435 
3436 static inline size_t
buffer_left(Elf_Data * data,const unsigned char * p)3437 buffer_left (Elf_Data *data, const unsigned char *p)
3438 {
3439   return (const unsigned char *) data->d_buf + data->d_size - p;
3440 }
3441 
3442 static void
check_attributes(Ebl * ebl,GElf_Ehdr * ehdr,GElf_Shdr * shdr,int idx)3443 check_attributes (Ebl *ebl, GElf_Ehdr *ehdr, GElf_Shdr *shdr, int idx)
3444 {
3445   if (shdr->sh_size == 0)
3446     {
3447       ERROR (_("section [%2d] '%s': empty object attributes section\n"),
3448 	     idx, section_name (ebl, idx));
3449       return;
3450     }
3451 
3452   Elf_Data *data = elf_rawdata (elf_getscn (ebl->elf, idx), NULL);
3453   if (data == NULL || data->d_size == 0 || data->d_buf == NULL)
3454     {
3455       ERROR (_("section [%2d] '%s': cannot get section data\n"),
3456 	     idx, section_name (ebl, idx));
3457       return;
3458     }
3459 
3460   const unsigned char *p = data->d_buf;
3461   if (*p++ != 'A')
3462     {
3463       ERROR (_("section [%2d] '%s': unrecognized attribute format\n"),
3464 	     idx, section_name (ebl, idx));
3465       return;
3466     }
3467 
3468   while (buffer_left (data, p) >= 4)
3469     {
3470       uint32_t len;
3471       memcpy (&len, p, sizeof len);
3472 
3473       if (len == 0)
3474 	ERROR (_("\
3475 section [%2d] '%s': offset %zu: zero length field in attribute section\n"),
3476 	       idx, section_name (ebl, idx), buffer_pos (data, p));
3477 
3478       if (MY_ELFDATA != ehdr->e_ident[EI_DATA])
3479 	CONVERT (len);
3480 
3481       if (len > buffer_left (data, p))
3482 	{
3483 	  ERROR (_("\
3484 section [%2d] '%s': offset %zu: invalid length in attribute section\n"),
3485 		 idx, section_name (ebl, idx), buffer_pos (data, p));
3486 	  break;
3487 	}
3488 
3489       const unsigned char *name = p + sizeof len;
3490       p += len;
3491 
3492       unsigned const char *q = memchr (name, '\0', len);
3493       if (q == NULL)
3494 	{
3495 	  ERROR (_("\
3496 section [%2d] '%s': offset %zu: unterminated vendor name string\n"),
3497 		 idx, section_name (ebl, idx), buffer_pos (data, p));
3498 	  break;
3499 	}
3500       ++q;
3501 
3502       if (q - name == sizeof "gnu" && !memcmp (name, "gnu", sizeof "gnu"))
3503 	while (q < p)
3504 	  {
3505 	    unsigned const char *chunk = q;
3506 
3507 	    unsigned int subsection_tag;
3508 	    get_uleb128 (subsection_tag, q, p);
3509 
3510 	    if (q >= p)
3511 	      {
3512 		ERROR (_("\
3513 section [%2d] '%s': offset %zu: endless ULEB128 in attribute subsection tag\n"),
3514 		       idx, section_name (ebl, idx), buffer_pos (data, chunk));
3515 		break;
3516 	      }
3517 
3518 	    uint32_t subsection_len;
3519 	    if (p - q < (ptrdiff_t) sizeof subsection_len)
3520 	      {
3521 		ERROR (_("\
3522 section [%2d] '%s': offset %zu: truncated attribute section\n"),
3523 		       idx, section_name (ebl, idx), buffer_pos (data, q));
3524 		break;
3525 	      }
3526 
3527 	    memcpy (&subsection_len, q, sizeof subsection_len);
3528 	    if (subsection_len == 0)
3529 	      {
3530 		ERROR (_("\
3531 section [%2d] '%s': offset %zu: zero length field in attribute subsection\n"),
3532 		       idx, section_name (ebl, idx), buffer_pos (data, q));
3533 
3534 		q += sizeof subsection_len;
3535 		continue;
3536 	      }
3537 
3538 	    if (MY_ELFDATA != ehdr->e_ident[EI_DATA])
3539 	      CONVERT (subsection_len);
3540 
3541 	    /* Don't overflow, ptrdiff_t might be 32bits, but signed.  */
3542 	    if (p - chunk < (ptrdiff_t) subsection_len
3543 	        || subsection_len >= (uint32_t) PTRDIFF_MAX)
3544 	      {
3545 		ERROR (_("\
3546 section [%2d] '%s': offset %zu: invalid length in attribute subsection\n"),
3547 		       idx, section_name (ebl, idx), buffer_pos (data, q));
3548 		break;
3549 	      }
3550 
3551 	    const unsigned char *subsection_end = chunk + subsection_len;
3552 	    chunk = q;
3553 	    q = subsection_end;
3554 
3555 	    if (subsection_tag != 1) /* Tag_File */
3556 	      ERROR (_("\
3557 section [%2d] '%s': offset %zu: attribute subsection has unexpected tag %u\n"),
3558 		     idx, section_name (ebl, idx), buffer_pos (data, chunk), subsection_tag);
3559 	    else
3560 	      {
3561 		chunk += sizeof subsection_len;
3562 		while (chunk < q)
3563 		  {
3564 		    unsigned int tag;
3565 		    get_uleb128 (tag, chunk, q);
3566 
3567 		    uint64_t value = 0;
3568 		    const unsigned char *r = chunk;
3569 		    if (tag == 32 || (tag & 1) == 0)
3570 		      {
3571 			get_uleb128 (value, r, q);
3572 			if (r > q)
3573 			  {
3574 			    ERROR (_("\
3575 section [%2d] '%s': offset %zu: endless ULEB128 in attribute tag\n"),
3576 				   idx, section_name (ebl, idx), buffer_pos (data, chunk));
3577 			    break;
3578 			  }
3579 		      }
3580 		    if (tag == 32 || (tag & 1) != 0)
3581 		      {
3582 			r = memchr (r, '\0', q - r);
3583 			if (r == NULL)
3584 			  {
3585 			    ERROR (_("\
3586 section [%2d] '%s': offset %zu: unterminated string in attribute\n"),
3587 				   idx, section_name (ebl, idx), buffer_pos (data, chunk));
3588 			    break;
3589 			  }
3590 			++r;
3591 		      }
3592 
3593 		    const char *tag_name = NULL;
3594 		    const char *value_name = NULL;
3595 		    if (!ebl_check_object_attribute (ebl, (const char *) name,
3596 						     tag, value,
3597 						     &tag_name, &value_name))
3598 		      ERROR (_("\
3599 section [%2d] '%s': offset %zu: unrecognized attribute tag %u\n"),
3600 			     idx, section_name (ebl, idx), buffer_pos (data, chunk), tag);
3601 		    else if ((tag & 1) == 0 && value_name == NULL)
3602 		      ERROR (_("\
3603 section [%2d] '%s': offset %zu: unrecognized %s attribute value %" PRIu64 "\n"),
3604 			     idx, section_name (ebl, idx), buffer_pos (data, chunk),
3605 			     tag_name, value);
3606 
3607 		    chunk = r;
3608 		  }
3609 	      }
3610 	  }
3611       else
3612 	ERROR (_("\
3613 section [%2d] '%s': offset %zu: vendor '%s' unknown\n"),
3614 	       idx, section_name (ebl, idx), buffer_pos (data, p), name);
3615     }
3616 
3617   if (buffer_left (data, p) != 0)
3618     ERROR (_("\
3619 section [%2d] '%s': offset %zu: extra bytes after last attribute section\n"),
3620 	   idx, section_name (ebl, idx), buffer_pos (data, p));
3621 }
3622 
3623 static bool has_loadable_segment;
3624 static bool has_interp_segment;
3625 
3626 static const struct
3627 {
3628   const char *name;
3629   size_t namelen;
3630   GElf_Word type;
3631   enum { unused, exact, atleast, exact_or_gnuld } attrflag;
3632   GElf_Word attr;
3633   GElf_Word attr2;
3634 } special_sections[] =
3635   {
3636     /* See figure 4-14 in the gABI.  */
3637     { ".bss", 5, SHT_NOBITS, exact, SHF_ALLOC | SHF_WRITE, 0 },
3638     { ".comment", 8, SHT_PROGBITS, atleast, 0, SHF_MERGE | SHF_STRINGS },
3639     { ".data", 6, SHT_PROGBITS, exact, SHF_ALLOC | SHF_WRITE, 0 },
3640     { ".data1", 7, SHT_PROGBITS, exact, SHF_ALLOC | SHF_WRITE, 0 },
3641     { ".debug_str", 11, SHT_PROGBITS, exact_or_gnuld, SHF_MERGE | SHF_STRINGS, 0 },
3642     { ".debug_line_str", 16, SHT_PROGBITS, exact_or_gnuld, SHF_MERGE | SHF_STRINGS, 0 },
3643     { ".debug", 6, SHT_PROGBITS, exact, 0, 0 },
3644     { ".dynamic", 9, SHT_DYNAMIC, atleast, SHF_ALLOC, SHF_WRITE },
3645     { ".dynstr", 8, SHT_STRTAB, exact, SHF_ALLOC, 0 },
3646     { ".dynsym", 8, SHT_DYNSYM, exact, SHF_ALLOC, 0 },
3647     { ".fini", 6, SHT_PROGBITS, exact, SHF_ALLOC | SHF_EXECINSTR, 0 },
3648     { ".fini_array", 12, SHT_FINI_ARRAY, exact, SHF_ALLOC | SHF_WRITE, 0 },
3649     { ".got", 5, SHT_PROGBITS, unused, 0, 0 }, // XXX more info?
3650     { ".hash", 6, SHT_HASH, exact, SHF_ALLOC, 0 },
3651     { ".init", 6, SHT_PROGBITS, exact, SHF_ALLOC | SHF_EXECINSTR, 0 },
3652     { ".init_array", 12, SHT_INIT_ARRAY, exact, SHF_ALLOC | SHF_WRITE, 0 },
3653     { ".interp", 8, SHT_PROGBITS, atleast, 0, SHF_ALLOC }, // XXX more tests?
3654     { ".line", 6, SHT_PROGBITS, exact, 0, 0 },
3655     { ".note", 6, SHT_NOTE, atleast, 0, SHF_ALLOC },
3656     { ".plt", 5, SHT_PROGBITS, unused, 0, 0 }, // XXX more tests
3657     { ".preinit_array", 15, SHT_PREINIT_ARRAY, exact, SHF_ALLOC | SHF_WRITE, 0 },
3658     { ".rela", 5, SHT_RELA, atleast, 0, SHF_ALLOC | SHF_INFO_LINK }, // XXX more tests
3659     { ".rel", 4, SHT_REL, atleast, 0, SHF_ALLOC | SHF_INFO_LINK }, // XXX more tests
3660     { ".rodata", 8, SHT_PROGBITS, atleast, SHF_ALLOC, SHF_MERGE | SHF_STRINGS },
3661     { ".rodata1", 9, SHT_PROGBITS, atleast, SHF_ALLOC, SHF_MERGE | SHF_STRINGS },
3662     { ".shstrtab", 10, SHT_STRTAB, exact, 0, 0 },
3663     { ".strtab", 8, SHT_STRTAB, atleast, 0, SHF_ALLOC }, // XXX more tests
3664     { ".symtab", 8, SHT_SYMTAB, atleast, 0, SHF_ALLOC }, // XXX more tests
3665     { ".symtab_shndx", 14, SHT_SYMTAB_SHNDX, atleast, 0, SHF_ALLOC }, // XXX more tests
3666     { ".tbss", 6, SHT_NOBITS, exact, SHF_ALLOC | SHF_WRITE | SHF_TLS, 0 },
3667     { ".tdata", 7, SHT_PROGBITS, exact, SHF_ALLOC | SHF_WRITE | SHF_TLS, 0 },
3668     { ".tdata1", 8, SHT_PROGBITS, exact, SHF_ALLOC | SHF_WRITE | SHF_TLS, 0 },
3669     { ".text", 6, SHT_PROGBITS, exact, SHF_ALLOC | SHF_EXECINSTR, 0 },
3670 
3671     /* The following are GNU extensions.  */
3672     { ".gnu.version", 13, SHT_GNU_versym, exact, SHF_ALLOC, 0 },
3673     { ".gnu.version_d", 15, SHT_GNU_verdef, exact, SHF_ALLOC, 0 },
3674     { ".gnu.version_r", 15, SHT_GNU_verneed, exact, SHF_ALLOC, 0 },
3675     { ".gnu.attributes", 16, SHT_GNU_ATTRIBUTES, exact, 0, 0 },
3676   };
3677 #define nspecial_sections \
3678   (sizeof (special_sections) / sizeof (special_sections[0]))
3679 
3680 #define IS_KNOWN_SPECIAL(idx, string, prefix)			      \
3681   (special_sections[idx].namelen == sizeof string - (prefix ? 1 : 0)  \
3682    && !memcmp (special_sections[idx].name, string, \
3683 	       sizeof string - (prefix ? 1 : 0)))
3684 
3685 /* Extra section flags that might or might not be added to the section
3686    and have to be ignored.  */
3687 #define EXTRA_SHFLAGS (SHF_LINK_ORDER \
3688 		       | SHF_GNU_RETAIN \
3689 		       | SHF_GROUP \
3690 		       | SHF_COMPRESSED)
3691 
3692 
3693 /* Indices of some sections we need later.  */
3694 static size_t eh_frame_hdr_scnndx;
3695 static size_t eh_frame_scnndx;
3696 static size_t gcc_except_table_scnndx;
3697 
3698 
3699 static void
check_sections(Ebl * ebl,GElf_Ehdr * ehdr)3700 check_sections (Ebl *ebl, GElf_Ehdr *ehdr)
3701 {
3702   if (ehdr->e_shoff == 0)
3703     /* No section header.  */
3704     return;
3705 
3706   /* Allocate array to count references in section groups.  */
3707   scnref = xcalloc (shnum, sizeof (int));
3708 
3709   /* Check the zeroth section first.  It must not have any contents
3710      and the section header must contain nonzero value at most in the
3711      sh_size and sh_link fields.  */
3712   GElf_Shdr shdr_mem;
3713   GElf_Shdr *shdr = gelf_getshdr (elf_getscn (ebl->elf, 0), &shdr_mem);
3714   if (shdr == NULL)
3715     ERROR (_("cannot get section header of zeroth section\n"));
3716   else
3717     {
3718       if (shdr->sh_name != 0)
3719 	ERROR (_("zeroth section has nonzero name\n"));
3720       if (shdr->sh_type != 0)
3721 	ERROR (_("zeroth section has nonzero type\n"));
3722       if (shdr->sh_flags != 0)
3723 	ERROR (_("zeroth section has nonzero flags\n"));
3724       if (shdr->sh_addr != 0)
3725 	ERROR (_("zeroth section has nonzero address\n"));
3726       if (shdr->sh_offset != 0)
3727 	ERROR (_("zeroth section has nonzero offset\n"));
3728       if (shdr->sh_addralign != 0)
3729 	ERROR (_("zeroth section has nonzero align value\n"));
3730       if (shdr->sh_entsize != 0)
3731 	ERROR (_("zeroth section has nonzero entry size value\n"));
3732 
3733       if (shdr->sh_size != 0 && ehdr->e_shnum != 0)
3734 	ERROR (_("\
3735 zeroth section has nonzero size value while ELF header has nonzero shnum value\n"));
3736 
3737       if (shdr->sh_link != 0 && ehdr->e_shstrndx != SHN_XINDEX)
3738 	ERROR (_("\
3739 zeroth section has nonzero link value while ELF header does not signal overflow in shstrndx\n"));
3740 
3741       if (shdr->sh_info != 0 && ehdr->e_phnum != PN_XNUM)
3742 	ERROR (_("\
3743 zeroth section has nonzero link value while ELF header does not signal overflow in phnum\n"));
3744     }
3745 
3746   int *segment_flags = xcalloc (phnum, sizeof segment_flags[0]);
3747 
3748   bool dot_interp_section = false;
3749 
3750   size_t hash_idx = 0;
3751   size_t gnu_hash_idx = 0;
3752 
3753   size_t versym_scnndx = 0;
3754   for (size_t cnt = 1; cnt < shnum; ++cnt)
3755     {
3756       Elf_Scn *scn = elf_getscn (ebl->elf, cnt);
3757       shdr = gelf_getshdr (scn, &shdr_mem);
3758       if (shdr == NULL)
3759 	{
3760 	  ERROR (_("\
3761 cannot get section header for section [%2zu] '%s': %s\n"),
3762 		 cnt, section_name (ebl, cnt), elf_errmsg (-1));
3763 	  continue;
3764 	}
3765 
3766       const char *scnname = elf_strptr (ebl->elf, shstrndx, shdr->sh_name);
3767 
3768       if (scnname == NULL)
3769 	ERROR (_("section [%2zu]: invalid name\n"), cnt);
3770       else
3771 	{
3772 	  /* Check whether it is one of the special sections defined in
3773 	     the gABI.  */
3774 	  size_t s;
3775 	  for (s = 0; s < nspecial_sections; ++s)
3776 	    if (strncmp (scnname, special_sections[s].name,
3777 			 special_sections[s].namelen) == 0)
3778 	      {
3779 		char stbuf1[100];
3780 		char stbuf2[100];
3781 		char stbuf3[100];
3782 
3783 		GElf_Word good_type = special_sections[s].type;
3784 		if (IS_KNOWN_SPECIAL (s, ".plt", false)
3785 		    && ebl_bss_plt_p (ebl))
3786 		  good_type = SHT_NOBITS;
3787 
3788 		/* In a debuginfo file, any normal section can be SHT_NOBITS.
3789 		   This is only invalid for DWARF sections and .shstrtab.  */
3790 		if (shdr->sh_type != good_type
3791 		    && (shdr->sh_type != SHT_NOBITS
3792 			|| !is_debuginfo
3793 			|| IS_KNOWN_SPECIAL (s, ".debug_str", false)
3794 			|| IS_KNOWN_SPECIAL (s, ".debug", true)
3795 			|| IS_KNOWN_SPECIAL (s, ".shstrtab", false)))
3796 		  ERROR (_("\
3797 section [%2d] '%s' has wrong type: expected %s, is %s\n"),
3798 			 (int) cnt, scnname,
3799 			 ebl_section_type_name (ebl, special_sections[s].type,
3800 						stbuf1, sizeof (stbuf1)),
3801 			 ebl_section_type_name (ebl, shdr->sh_type,
3802 						stbuf2, sizeof (stbuf2)));
3803 
3804 		if (special_sections[s].attrflag == exact
3805 		    || special_sections[s].attrflag == exact_or_gnuld)
3806 		  {
3807 		    /* Except for the link order, retain, group bit and
3808 		       compression flag all the other bits should
3809 		       match exactly.  */
3810 		    if ((shdr->sh_flags & ~EXTRA_SHFLAGS)
3811 			!= special_sections[s].attr
3812 			&& (special_sections[s].attrflag == exact || !gnuld))
3813 		      ERROR (_("\
3814 section [%2zu] '%s' has wrong flags: expected %s, is %s\n"),
3815 			     cnt, scnname,
3816 			     section_flags_string (special_sections[s].attr,
3817 						   stbuf1, sizeof (stbuf1)),
3818 			     section_flags_string (shdr->sh_flags
3819 						   & ~EXTRA_SHFLAGS,
3820 						   stbuf2, sizeof (stbuf2)));
3821 		  }
3822 		else if (special_sections[s].attrflag == atleast)
3823 		  {
3824 		    if ((shdr->sh_flags & special_sections[s].attr)
3825 			!= special_sections[s].attr
3826 			|| ((shdr->sh_flags
3827 			     & ~(EXTRA_SHFLAGS
3828 				 | special_sections[s].attr
3829 				 | special_sections[s].attr2))
3830 			    != 0))
3831 		      ERROR (_("\
3832 section [%2zu] '%s' has wrong flags: expected %s and possibly %s, is %s\n"),
3833 			     cnt, scnname,
3834 			     section_flags_string (special_sections[s].attr,
3835 						   stbuf1, sizeof (stbuf1)),
3836 			     section_flags_string (special_sections[s].attr2,
3837 						   stbuf2, sizeof (stbuf2)),
3838 			     section_flags_string (shdr->sh_flags
3839 						   & ~EXTRA_SHFLAGS,
3840 						   stbuf3, sizeof (stbuf3)));
3841 		  }
3842 
3843 		if (strcmp (scnname, ".interp") == 0)
3844 		  {
3845 		    dot_interp_section = true;
3846 
3847 		    if (ehdr->e_type == ET_REL)
3848 		      ERROR (_("\
3849 section [%2zu] '%s' present in object file\n"),
3850 			     cnt, scnname);
3851 
3852 		    if ((shdr->sh_flags & SHF_ALLOC) != 0
3853 			&& !has_loadable_segment)
3854 		      ERROR (_("\
3855 section [%2zu] '%s' has SHF_ALLOC flag set but there is no loadable segment\n"),
3856 			     cnt, scnname);
3857 		    else if ((shdr->sh_flags & SHF_ALLOC) == 0
3858 			     && has_loadable_segment)
3859 		      ERROR (_("\
3860 section [%2zu] '%s' has SHF_ALLOC flag not set but there are loadable segments\n"),
3861 			     cnt, scnname);
3862 		  }
3863 		else
3864 		  {
3865 		    if (strcmp (scnname, ".symtab_shndx") == 0
3866 			&& ehdr->e_type != ET_REL)
3867 		      ERROR (_("\
3868 section [%2zu] '%s' is extension section index table in non-object file\n"),
3869 			     cnt, scnname);
3870 
3871 		    /* These sections must have the SHF_ALLOC flag set iff
3872 		       a loadable segment is available.
3873 
3874 		       .relxxx
3875 		       .strtab
3876 		       .symtab
3877 		       .symtab_shndx
3878 
3879 		       Check that if there is a reference from the
3880 		       loaded section these sections also have the
3881 		       ALLOC flag set.  */
3882 #if 0
3883 		    // XXX TODO
3884 		    if ((shdr->sh_flags & SHF_ALLOC) != 0
3885 			&& !has_loadable_segment)
3886 		      ERROR (_("\
3887 section [%2zu] '%s' has SHF_ALLOC flag set but there is no loadable segment\n"),
3888 			     cnt, scnname);
3889 		    else if ((shdr->sh_flags & SHF_ALLOC) == 0
3890 			     && has_loadable_segment)
3891 		      ERROR (_("\
3892 section [%2zu] '%s' has SHF_ALLOC flag not set but there are loadable segments\n"),
3893 			     cnt, scnname);
3894 #endif
3895 		  }
3896 
3897 		break;
3898 	      }
3899 
3900 	  /* Remember a few special sections for later.  */
3901 	  if (strcmp (scnname, ".eh_frame_hdr") == 0)
3902 	    eh_frame_hdr_scnndx = cnt;
3903 	  else if (strcmp (scnname, ".eh_frame") == 0)
3904 	    eh_frame_scnndx = cnt;
3905 	  else if (strcmp (scnname, ".gcc_except_table") == 0)
3906 	    gcc_except_table_scnndx = cnt;
3907 	}
3908 
3909       if (shdr->sh_entsize != 0 && shdr->sh_size % shdr->sh_entsize)
3910 	ERROR (_("\
3911 section [%2zu] '%s': size not multiple of entry size\n"),
3912 	       cnt, section_name (ebl, cnt));
3913 
3914       if (elf_strptr (ebl->elf, shstrndx, shdr->sh_name) == NULL)
3915 	ERROR (_("cannot get section header\n"));
3916 
3917       if (shdr->sh_type >= SHT_NUM
3918 	  && shdr->sh_type != SHT_GNU_ATTRIBUTES
3919 	  && shdr->sh_type != SHT_GNU_LIBLIST
3920 	  && shdr->sh_type != SHT_CHECKSUM
3921 	  && shdr->sh_type != SHT_GNU_verdef
3922 	  && shdr->sh_type != SHT_GNU_verneed
3923 	  && shdr->sh_type != SHT_GNU_versym
3924 	  && ebl_section_type_name (ebl, shdr->sh_type, NULL, 0) == NULL)
3925 	ERROR (_("section [%2zu] '%s' has unsupported type %d\n"),
3926 	       cnt, section_name (ebl, cnt),
3927 	       (int) shdr->sh_type);
3928 
3929 #define ALL_SH_FLAGS (SHF_WRITE | SHF_ALLOC | SHF_EXECINSTR | SHF_MERGE \
3930 		      | SHF_STRINGS | SHF_INFO_LINK | SHF_LINK_ORDER \
3931 		      | SHF_OS_NONCONFORMING | SHF_GROUP | SHF_TLS \
3932 		      | SHF_COMPRESSED | SHF_GNU_RETAIN)
3933       if (shdr->sh_flags & ~(GElf_Xword) ALL_SH_FLAGS)
3934 	{
3935 	  GElf_Xword sh_flags = shdr->sh_flags & ~(GElf_Xword) ALL_SH_FLAGS;
3936 	  if (sh_flags & SHF_MASKPROC)
3937 	    {
3938 	      /* Strictly speaking SHF_EXCLUDE is a processor specific
3939 		 section flag, but it is used generically in the GNU
3940 		 toolchain.  */
3941 	      if (gnuld)
3942 		sh_flags &= ~(GElf_Xword) SHF_EXCLUDE;
3943 	      if (!ebl_machine_section_flag_check (ebl,
3944 						   sh_flags & SHF_MASKPROC))
3945 		ERROR (_("section [%2zu] '%s'"
3946 				" contains invalid processor-specific flag(s)"
3947 				" %#" PRIx64 "\n"),
3948 		       cnt, section_name (ebl, cnt), sh_flags & SHF_MASKPROC);
3949 	      sh_flags &= ~(GElf_Xword) SHF_MASKPROC;
3950 	    }
3951 	  if (sh_flags & SHF_MASKOS)
3952 	    if (gnuld)
3953 	      sh_flags &= ~(GElf_Xword) SHF_GNU_RETAIN;
3954 	  if (sh_flags != 0)
3955 	    ERROR (_("section [%2zu] '%s' contains unknown flag(s)"
3956 			    " %#" PRIx64 "\n"),
3957 		   cnt, section_name (ebl, cnt), sh_flags);
3958 	}
3959       if (shdr->sh_flags & SHF_TLS)
3960 	{
3961 	  // XXX Correct?
3962 	  if (shdr->sh_addr != 0 && !gnuld)
3963 	    ERROR (_("\
3964 section [%2zu] '%s': thread-local data sections address not zero\n"),
3965 		   cnt, section_name (ebl, cnt));
3966 
3967 	  // XXX TODO more tests!?
3968 	}
3969 
3970       if (shdr->sh_flags & SHF_COMPRESSED)
3971 	{
3972 	  if (shdr->sh_flags & SHF_ALLOC)
3973 	    ERROR (_("\
3974 section [%2zu] '%s': allocated section cannot be compressed\n"),
3975 		   cnt, section_name (ebl, cnt));
3976 
3977 	  if (shdr->sh_type == SHT_NOBITS)
3978 	    ERROR (_("\
3979 section [%2zu] '%s': nobits section cannot be compressed\n"),
3980 		   cnt, section_name (ebl, cnt));
3981 
3982 	  GElf_Chdr chdr;
3983 	  if (gelf_getchdr (scn, &chdr) == NULL)
3984 	    ERROR (_("\
3985 section [%2zu] '%s': compressed section with no compression header: %s\n"),
3986 		   cnt, section_name (ebl, cnt), elf_errmsg (-1));
3987 	}
3988 
3989       if (shdr->sh_link >= shnum)
3990 	ERROR (_("\
3991 section [%2zu] '%s': invalid section reference in link value\n"),
3992 	       cnt, section_name (ebl, cnt));
3993 
3994       if (SH_INFO_LINK_P (shdr) && shdr->sh_info >= shnum)
3995 	ERROR (_("\
3996 section [%2zu] '%s': invalid section reference in info value\n"),
3997 	       cnt, section_name (ebl, cnt));
3998 
3999       if ((shdr->sh_flags & SHF_MERGE) == 0
4000 	  && (shdr->sh_flags & SHF_STRINGS) != 0
4001 	  && be_strict)
4002 	ERROR (_("\
4003 section [%2zu] '%s': strings flag set without merge flag\n"),
4004 	       cnt, section_name (ebl, cnt));
4005 
4006       if ((shdr->sh_flags & SHF_MERGE) != 0 && shdr->sh_entsize == 0)
4007 	ERROR (_("\
4008 section [%2zu] '%s': merge flag set but entry size is zero\n"),
4009 	       cnt, section_name (ebl, cnt));
4010 
4011       if (shdr->sh_flags & SHF_GROUP)
4012 	check_scn_group (ebl, cnt);
4013 
4014       if (shdr->sh_flags & SHF_EXECINSTR)
4015 	{
4016 	  switch (shdr->sh_type)
4017 	    {
4018 	    case SHT_PROGBITS:
4019 	      break;
4020 
4021 	    case SHT_NOBITS:
4022 	      if (is_debuginfo)
4023 		break;
4024 	      FALLTHROUGH;
4025 	    default:
4026 	      ERROR (_("\
4027 section [%2zu] '%s' has unexpected type %d for an executable section\n"),
4028 		     cnt, section_name (ebl, cnt), shdr->sh_type);
4029 	      break;
4030 	    }
4031 
4032 	  if (shdr->sh_flags & SHF_WRITE)
4033 	    {
4034 	      if (is_debuginfo && shdr->sh_type != SHT_NOBITS)
4035 		ERROR (_("\
4036 section [%2zu] '%s' must be of type NOBITS in debuginfo files\n"),
4037 		       cnt, section_name (ebl, cnt));
4038 
4039 	      if (!is_debuginfo
4040 		  && !ebl_check_special_section (ebl, cnt, shdr,
4041 						 section_name (ebl, cnt)))
4042 		ERROR (_("\
4043 section [%2zu] '%s' is both executable and writable\n"),
4044 		       cnt, section_name (ebl, cnt));
4045 	    }
4046 	}
4047 
4048       if (ehdr->e_type != ET_REL && (shdr->sh_flags & SHF_ALLOC) != 0
4049 	  && !is_debuginfo)
4050 	{
4051 	  /* Make sure the section is contained in a loaded segment
4052 	     and that the initialization part matches NOBITS sections.  */
4053 	  unsigned int pcnt;
4054 	  GElf_Phdr phdr_mem;
4055 	  GElf_Phdr *phdr;
4056 
4057 	  for (pcnt = 0; pcnt < phnum; ++pcnt)
4058 	    if ((phdr = gelf_getphdr (ebl->elf, pcnt, &phdr_mem)) != NULL
4059 		&& ((phdr->p_type == PT_LOAD
4060 		     && (shdr->sh_flags & SHF_TLS) == 0)
4061 		    || (phdr->p_type == PT_TLS
4062 			&& (shdr->sh_flags & SHF_TLS) != 0))
4063 		&& phdr->p_offset <= shdr->sh_offset
4064 		&& ((shdr->sh_offset - phdr->p_offset <= phdr->p_filesz
4065 		     && (shdr->sh_offset - phdr->p_offset < phdr->p_filesz
4066 			 || shdr->sh_size == 0))
4067 		    || (shdr->sh_offset - phdr->p_offset < phdr->p_memsz
4068 			&& shdr->sh_type == SHT_NOBITS)))
4069 	      {
4070 		/* Found the segment.  */
4071 		if (phdr->p_offset + phdr->p_memsz
4072 		    < shdr->sh_offset + shdr->sh_size)
4073 		  ERROR (_("\
4074 section [%2zu] '%s' not fully contained in segment of program header entry %d\n"),
4075 			 cnt, section_name (ebl, cnt), pcnt);
4076 
4077 		if (shdr->sh_type == SHT_NOBITS)
4078 		  {
4079 		    if (shdr->sh_offset < phdr->p_offset + phdr->p_filesz
4080 			&& !is_debuginfo)
4081 		      {
4082 			if (!gnuld)
4083 			  ERROR (_("\
4084 section [%2zu] '%s' has type NOBITS but is read from the file in segment of program header entry %d\n"),
4085 				 cnt, section_name (ebl, cnt), pcnt);
4086 			else
4087 			  {
4088 			    /* This is truly horrible. GNU ld might put a
4089 			       NOBITS section in the middle of a PT_LOAD
4090 			       segment, assuming the next gap in the file
4091 			       actually consists of zero bits...
4092 			       So it really is like a PROGBITS section
4093 			       where the data is all zeros.  Check those
4094 			       zero bytes are really there.  */
4095 			    bool bad;
4096 			    Elf_Data *databits;
4097 			    databits = elf_getdata_rawchunk (ebl->elf,
4098 							     shdr->sh_offset,
4099 							     shdr->sh_size,
4100 							     ELF_T_BYTE);
4101 			    bad = (databits == NULL
4102 				   || databits->d_size != shdr->sh_size);
4103 			    for (size_t idx = 0;
4104 				 ! bad && idx < databits->d_size;
4105 				 idx++)
4106 			      bad = ((char *) databits->d_buf)[idx] != 0;
4107 
4108 			    if (bad)
4109 			      ERROR (_("\
4110 section [%2zu] '%s' has type NOBITS but is read from the file in segment of program header entry %d and file contents is non-zero\n"),
4111 				     cnt, section_name (ebl, cnt), pcnt);
4112 			  }
4113 		      }
4114 		  }
4115 		else
4116 		  {
4117 		    const GElf_Off end = phdr->p_offset + phdr->p_filesz;
4118 		    if (shdr->sh_offset > end ||
4119 			(shdr->sh_offset == end && shdr->sh_size != 0))
4120 		      ERROR (_("\
4121 section [%2zu] '%s' has not type NOBITS but is not read from the file in segment of program header entry %d\n"),
4122 			 cnt, section_name (ebl, cnt), pcnt);
4123 		  }
4124 
4125 		if (shdr->sh_type != SHT_NOBITS)
4126 		  {
4127 		    if ((shdr->sh_flags & SHF_EXECINSTR) != 0)
4128 		      {
4129 			segment_flags[pcnt] |= PF_X;
4130 			if ((phdr->p_flags & PF_X) == 0)
4131 			  ERROR (_("\
4132 section [%2zu] '%s' is executable in nonexecutable segment %d\n"),
4133 				 cnt, section_name (ebl, cnt), pcnt);
4134 		      }
4135 
4136 		    if ((shdr->sh_flags & SHF_WRITE) != 0)
4137 		      {
4138 			segment_flags[pcnt] |= PF_W;
4139 			if (0	/* XXX vdso images have this */
4140 			    && (phdr->p_flags & PF_W) == 0)
4141 			  ERROR (_("\
4142 section [%2zu] '%s' is writable in unwritable segment %d\n"),
4143 				 cnt, section_name (ebl, cnt), pcnt);
4144 		      }
4145 		  }
4146 
4147 		break;
4148 	      }
4149 
4150 	  if (pcnt == phnum)
4151 	    ERROR (_("\
4152 section [%2zu] '%s': alloc flag set but section not in any loaded segment\n"),
4153 		   cnt, section_name (ebl, cnt));
4154 	}
4155 
4156       if (cnt == shstrndx && shdr->sh_type != SHT_STRTAB)
4157 	ERROR (_("\
4158 section [%2zu] '%s': ELF header says this is the section header string table but type is not SHT_TYPE\n"),
4159 	       cnt, section_name (ebl, cnt));
4160 
4161       switch (shdr->sh_type)
4162 	{
4163 	case SHT_DYNSYM:
4164 	  if (ehdr->e_type == ET_REL)
4165 	    ERROR (_("\
4166 section [%2zu] '%s': relocatable files cannot have dynamic symbol tables\n"),
4167 		   cnt, section_name (ebl, cnt));
4168 	  FALLTHROUGH;
4169 	case SHT_SYMTAB:
4170 	  check_symtab (ebl, ehdr, shdr, cnt);
4171 	  break;
4172 
4173 	case SHT_RELA:
4174 	  check_rela (ebl, ehdr, shdr, cnt);
4175 	  break;
4176 
4177 	case SHT_REL:
4178 	  check_rel (ebl, ehdr, shdr, cnt);
4179 	  break;
4180 
4181 	case SHT_DYNAMIC:
4182 	  check_dynamic (ebl, ehdr, shdr, cnt);
4183 	  break;
4184 
4185 	case SHT_SYMTAB_SHNDX:
4186 	  check_symtab_shndx (ebl, ehdr, shdr, cnt);
4187 	  break;
4188 
4189 	case SHT_HASH:
4190 	  check_hash (shdr->sh_type, ebl, ehdr, shdr, cnt);
4191 	  hash_idx = cnt;
4192 	  break;
4193 
4194 	case SHT_GNU_HASH:
4195 	  check_hash (shdr->sh_type, ebl, ehdr, shdr, cnt);
4196 	  gnu_hash_idx = cnt;
4197 	  break;
4198 
4199 	case SHT_NULL:
4200 	  check_null (ebl, shdr, cnt);
4201 	  break;
4202 
4203 	case SHT_GROUP:
4204 	  check_group (ebl, ehdr, shdr, cnt);
4205 	  break;
4206 
4207 	case SHT_NOTE:
4208 	  check_note_section (ebl, ehdr, shdr, cnt);
4209 	  break;
4210 
4211 	case SHT_GNU_versym:
4212 	  /* We cannot process this section now since we have no guarantee
4213 	     that the verneed and verdef sections have already been read.
4214 	     Just remember the section index.  */
4215 	  if (versym_scnndx != 0)
4216 	    ERROR (_("more than one version symbol table present\n"));
4217 	  versym_scnndx = cnt;
4218 	  break;
4219 
4220 	case SHT_GNU_verneed:
4221 	  check_verneed (ebl, shdr, cnt);
4222 	  break;
4223 
4224 	case SHT_GNU_verdef:
4225 	  check_verdef (ebl, shdr, cnt);
4226 	  break;
4227 
4228 	case SHT_GNU_ATTRIBUTES:
4229 	  check_attributes (ebl, ehdr, shdr, cnt);
4230 	  break;
4231 
4232 	default:
4233 	  /* Nothing.  */
4234 	  break;
4235 	}
4236     }
4237 
4238   if (has_interp_segment && !dot_interp_section)
4239     ERROR (_("INTERP program header entry but no .interp section\n"));
4240 
4241   if (!is_debuginfo)
4242     for (unsigned int pcnt = 0; pcnt < phnum; ++pcnt)
4243       {
4244 	GElf_Phdr phdr_mem;
4245 	GElf_Phdr *phdr = gelf_getphdr (ebl->elf, pcnt, &phdr_mem);
4246 	if (phdr != NULL && (phdr->p_type == PT_LOAD || phdr->p_type == PT_TLS))
4247 	  {
4248 	    if ((phdr->p_flags & PF_X) != 0
4249 		&& (segment_flags[pcnt] & PF_X) == 0)
4250 	      ERROR (_("\
4251 loadable segment [%u] is executable but contains no executable sections\n"),
4252 		     pcnt);
4253 
4254 	    if ((phdr->p_flags & PF_W) != 0
4255 		&& (segment_flags[pcnt] & PF_W) == 0)
4256 	      ERROR (_("\
4257 loadable segment [%u] is writable but contains no writable sections\n"),
4258 		     pcnt);
4259 	  }
4260       }
4261 
4262   free (segment_flags);
4263 
4264   if (version_namelist != NULL)
4265     {
4266       if (versym_scnndx == 0)
4267     ERROR (_("\
4268 no .gnu.versym section present but .gnu.versym_d or .gnu.versym_r section exist\n"));
4269       else
4270 	check_versym (ebl, versym_scnndx);
4271 
4272       /* Check for duplicate index numbers.  */
4273       do
4274 	{
4275 	  struct version_namelist *runp = version_namelist->next;
4276 	  while (runp != NULL)
4277 	    {
4278 	      if (version_namelist->ndx == runp->ndx)
4279 		{
4280 		  ERROR (_("duplicate version index %d\n"),
4281 			 (int) version_namelist->ndx);
4282 		  break;
4283 		}
4284 	      runp = runp->next;
4285 	    }
4286 
4287 	  struct version_namelist *old = version_namelist;
4288 	  version_namelist = version_namelist->next;
4289 	  free (old);
4290 	}
4291       while (version_namelist != NULL);
4292     }
4293   else if (versym_scnndx != 0)
4294     ERROR (_("\
4295 .gnu.versym section present without .gnu.versym_d or .gnu.versym_r\n"));
4296 
4297   if (hash_idx != 0 && gnu_hash_idx != 0)
4298     compare_hash_gnu_hash (ebl, ehdr, hash_idx, gnu_hash_idx);
4299 
4300   free (scnref);
4301 }
4302 
4303 
4304 static GElf_Off
check_note_data(Ebl * ebl,const GElf_Ehdr * ehdr,Elf_Data * data,int shndx,int phndx,GElf_Off start)4305 check_note_data (Ebl *ebl, const GElf_Ehdr *ehdr,
4306 		 Elf_Data *data, int shndx, int phndx, GElf_Off start)
4307 {
4308   size_t offset = 0;
4309   size_t last_offset = 0;
4310   GElf_Nhdr nhdr;
4311   size_t name_offset;
4312   size_t desc_offset;
4313   while (offset < data->d_size
4314 	 && (offset = gelf_getnote (data, offset,
4315 				    &nhdr, &name_offset, &desc_offset)) > 0)
4316     {
4317       last_offset = offset;
4318 
4319       /* Make sure it is one of the note types we know about.  */
4320       if (ehdr->e_type == ET_CORE)
4321 	switch (nhdr.n_type)
4322 	  {
4323 	  case NT_PRSTATUS:
4324 	  case NT_FPREGSET:
4325 	  case NT_PRPSINFO:
4326 	  case NT_TASKSTRUCT:		/* NT_PRXREG on Solaris.  */
4327 	  case NT_PLATFORM:
4328 	  case NT_AUXV:
4329 	  case NT_GWINDOWS:
4330 	  case NT_ASRS:
4331 	  case NT_PSTATUS:
4332 	  case NT_PSINFO:
4333 	  case NT_PRCRED:
4334 	  case NT_UTSNAME:
4335 	  case NT_LWPSTATUS:
4336 	  case NT_LWPSINFO:
4337 	  case NT_PRFPXREG:
4338 	    /* Known type.  */
4339 	    break;
4340 
4341 	  default:
4342 	    if (shndx == 0)
4343 	      ERROR (_("\
4344 phdr[%d]: unknown core file note type %" PRIu32 " at offset %" PRIu64 "\n"),
4345 		     phndx, (uint32_t) nhdr.n_type, start + offset);
4346 	    else
4347 	      ERROR (_("\
4348 section [%2d] '%s': unknown core file note type %" PRIu32
4349 			      " at offset %zu\n"),
4350 		     shndx, section_name (ebl, shndx),
4351 		     (uint32_t) nhdr.n_type, offset);
4352 	  }
4353       else
4354 	switch (nhdr.n_type)
4355 	  {
4356 	  case NT_GNU_ABI_TAG:
4357 	  case NT_GNU_HWCAP:
4358 	  case NT_GNU_BUILD_ID:
4359 	  case NT_GNU_GOLD_VERSION:
4360 	  case NT_GNU_PROPERTY_TYPE_0:
4361 	    if (nhdr.n_namesz == sizeof ELF_NOTE_GNU
4362 		&& strcmp (data->d_buf + name_offset, ELF_NOTE_GNU) == 0)
4363 	      break;
4364 	    else
4365 	      {
4366 		/* NT_VERSION is 1, same as NT_GNU_ABI_TAG.  It has no
4367 		   descriptor and (ab)uses the name as version string.  */
4368 		if (nhdr.n_descsz == 0 && nhdr.n_type == NT_VERSION)
4369 		  break;
4370 	      }
4371 	      goto unknown_note;
4372 
4373 	  case NT_GNU_BUILD_ATTRIBUTE_OPEN:
4374 	  case NT_GNU_BUILD_ATTRIBUTE_FUNC:
4375 	    /* GNU Build Attributes store most data in the owner
4376 	       name, which must start with the
4377 	       ELF_NOTE_GNU_BUILD_ATTRIBUTE_PREFIX "GA".  */
4378 	    if (nhdr.n_namesz >= sizeof ELF_NOTE_GNU_BUILD_ATTRIBUTE_PREFIX
4379 		&& strncmp (data->d_buf + name_offset,
4380 			    ELF_NOTE_GNU_BUILD_ATTRIBUTE_PREFIX,
4381 			    strlen (ELF_NOTE_GNU_BUILD_ATTRIBUTE_PREFIX)) == 0)
4382 	      break;
4383 	    else
4384 	      goto unknown_note;
4385 
4386 	  case NT_FDO_PACKAGING_METADATA:
4387 	    if (nhdr.n_namesz == sizeof ELF_NOTE_FDO
4388 		&& strcmp (data->d_buf + name_offset, ELF_NOTE_FDO) == 0)
4389 	      break;
4390 	    else
4391 	      goto unknown_note;
4392 
4393 	  case 0:
4394 	    /* Linux vDSOs use a type 0 note for the kernel version word.  */
4395 	    if (nhdr.n_namesz == sizeof "Linux"
4396 		&& !memcmp (data->d_buf + name_offset, "Linux", sizeof "Linux"))
4397 	      break;
4398 	    FALLTHROUGH;
4399 	  default:
4400 	    {
4401 	    unknown_note:
4402 	    if (shndx == 0)
4403 	      ERROR (_("\
4404 phdr[%d]: unknown object file note type %" PRIu32 " with owner name '%s' at offset %zu\n"),
4405 		     phndx, (uint32_t) nhdr.n_type,
4406 		     (char *) data->d_buf + name_offset, offset);
4407 	    else
4408 	      ERROR (_("\
4409 section [%2d] '%s': unknown object file note type %" PRIu32
4410 			      " with owner name '%s' at offset %zu\n"),
4411 		     shndx, section_name (ebl, shndx),
4412 		     (uint32_t) nhdr.n_type,
4413 		     (char *) data->d_buf + name_offset, offset);
4414 	    }
4415 	  }
4416     }
4417 
4418   return last_offset;
4419 }
4420 
4421 
4422 static void
check_note(Ebl * ebl,GElf_Ehdr * ehdr,GElf_Phdr * phdr,int cnt)4423 check_note (Ebl *ebl, GElf_Ehdr *ehdr, GElf_Phdr *phdr, int cnt)
4424 {
4425   if (ehdr->e_type != ET_CORE && ehdr->e_type != ET_REL
4426       && ehdr->e_type != ET_EXEC && ehdr->e_type != ET_DYN)
4427     ERROR (_("\
4428 phdr[%d]: no note entries defined for the type of file\n"),
4429 	   cnt);
4430 
4431   if (is_debuginfo)
4432     /* The p_offset values in a separate debug file are bogus.  */
4433     return;
4434 
4435   if (phdr->p_filesz == 0)
4436     return;
4437 
4438   GElf_Off notes_size = 0;
4439   Elf_Data *data = elf_getdata_rawchunk (ebl->elf,
4440 					 phdr->p_offset, phdr->p_filesz,
4441 					 (phdr->p_align == 8
4442 					  ? ELF_T_NHDR8 : ELF_T_NHDR));
4443   if (data != NULL && data->d_buf != NULL)
4444     notes_size = check_note_data (ebl, ehdr, data, 0, cnt, phdr->p_offset);
4445 
4446   if (notes_size == 0)
4447     ERROR (_("phdr[%d]: cannot get content of note section: %s\n"),
4448 	   cnt, elf_errmsg (-1));
4449   else if (notes_size != phdr->p_filesz)
4450     ERROR (_("phdr[%d]: extra %" PRIu64 " bytes after last note\n"),
4451 	   cnt, phdr->p_filesz - notes_size);
4452 }
4453 
4454 
4455 static void
check_note_section(Ebl * ebl,GElf_Ehdr * ehdr,GElf_Shdr * shdr,int idx)4456 check_note_section (Ebl *ebl, GElf_Ehdr *ehdr, GElf_Shdr *shdr, int idx)
4457 {
4458   if (shdr->sh_size == 0)
4459     return;
4460 
4461   Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
4462   if (data == NULL || data->d_buf == NULL)
4463     {
4464       ERROR (_("section [%2d] '%s': cannot get section data\n"),
4465 	     idx, section_name (ebl, idx));
4466       return;
4467     }
4468 
4469   if (ehdr->e_type != ET_CORE && ehdr->e_type != ET_REL
4470       && ehdr->e_type != ET_EXEC && ehdr->e_type != ET_DYN)
4471     ERROR (_("\
4472 section [%2d] '%s': no note entries defined for the type of file\n"),
4473 	     idx, section_name (ebl, idx));
4474 
4475   GElf_Off notes_size = check_note_data (ebl, ehdr, data, idx, 0, 0);
4476 
4477   if (notes_size == 0)
4478     ERROR (_("section [%2d] '%s': cannot get content of note section\n"),
4479 	   idx, section_name (ebl, idx));
4480   else if (notes_size != shdr->sh_size)
4481     ERROR (_("section [%2d] '%s': extra %" PRIu64
4482 		    " bytes after last note\n"),
4483 	   idx, section_name (ebl, idx), shdr->sh_size - notes_size);
4484 }
4485 
4486 
4487 /* Index of the PT_GNU_EH_FRAME program eader entry.  */
4488 static int pt_gnu_eh_frame_pndx;
4489 
4490 
4491 static void
check_program_header(Ebl * ebl,GElf_Ehdr * ehdr)4492 check_program_header (Ebl *ebl, GElf_Ehdr *ehdr)
4493 {
4494   if (ehdr->e_phoff == 0)
4495     return;
4496 
4497   if (ehdr->e_type != ET_EXEC && ehdr->e_type != ET_DYN
4498       && ehdr->e_type != ET_CORE)
4499     ERROR (_("\
4500 only executables, shared objects, and core files can have program headers\n"));
4501 
4502   int num_pt_interp = 0;
4503   int num_pt_tls = 0;
4504   int num_pt_relro = 0;
4505 
4506   for (unsigned int cnt = 0; cnt < phnum; ++cnt)
4507     {
4508       GElf_Phdr phdr_mem;
4509       GElf_Phdr *phdr;
4510 
4511       phdr = gelf_getphdr (ebl->elf, cnt, &phdr_mem);
4512       if (phdr == NULL)
4513 	{
4514 	  ERROR (_("cannot get program header entry %d: %s\n"),
4515 		 cnt, elf_errmsg (-1));
4516 	  continue;
4517 	}
4518 
4519       if (phdr->p_type >= PT_NUM && phdr->p_type != PT_GNU_EH_FRAME
4520 	  && phdr->p_type != PT_GNU_STACK && phdr->p_type != PT_GNU_RELRO
4521 	  && phdr->p_type != PT_GNU_PROPERTY
4522 	  /* Check for a known machine-specific type.  */
4523 	  && ebl_segment_type_name (ebl, phdr->p_type, NULL, 0) == NULL)
4524 	ERROR (_("\
4525 program header entry %d: unknown program header entry type %#" PRIx64 "\n"),
4526 	       cnt, (uint64_t) phdr->p_type);
4527 
4528       if (phdr->p_type == PT_LOAD)
4529 	has_loadable_segment = true;
4530       else if (phdr->p_type == PT_INTERP)
4531 	{
4532 	  if (++num_pt_interp != 1)
4533 	    {
4534 	      if (num_pt_interp == 2)
4535 		ERROR (_("\
4536 more than one INTERP entry in program header\n"));
4537 	    }
4538 	  has_interp_segment = true;
4539 	}
4540       else if (phdr->p_type == PT_TLS)
4541 	{
4542 	  if (++num_pt_tls == 2)
4543 	    ERROR (_("more than one TLS entry in program header\n"));
4544 	}
4545       else if (phdr->p_type == PT_NOTE)
4546 	check_note (ebl, ehdr, phdr, cnt);
4547       else if (phdr->p_type == PT_DYNAMIC)
4548 	{
4549 	  if (ehdr->e_type == ET_EXEC && ! has_interp_segment)
4550 	    ERROR (_("\
4551 static executable cannot have dynamic sections\n"));
4552 	  else
4553 	    {
4554 	      /* Check that the .dynamic section, if it exists, has
4555 		 the same address.  */
4556 	      Elf_Scn *scn = NULL;
4557 	      while ((scn = elf_nextscn (ebl->elf, scn)) != NULL)
4558 		{
4559 		  GElf_Shdr shdr_mem;
4560 		  GElf_Shdr *shdr = gelf_getshdr (scn, &shdr_mem);
4561 		  if (shdr != NULL && shdr->sh_type == SHT_DYNAMIC)
4562 		    {
4563 		      if (phdr->p_offset != shdr->sh_offset)
4564 			ERROR (_("\
4565 dynamic section reference in program header has wrong offset\n"));
4566 		      if (phdr->p_memsz != shdr->sh_size)
4567 			ERROR (_("\
4568 dynamic section size mismatch in program and section header\n"));
4569 		      break;
4570 		    }
4571 		}
4572 	    }
4573 	}
4574       else if (phdr->p_type == PT_GNU_RELRO)
4575 	{
4576 	  if (++num_pt_relro == 2)
4577 	    ERROR (_("\
4578 more than one GNU_RELRO entry in program header\n"));
4579 	  else
4580 	    {
4581 	      /* Check that the region is in a writable segment.  */
4582 	      unsigned int inner;
4583 	      for (inner = 0; inner < phnum; ++inner)
4584 		{
4585 		  GElf_Phdr phdr2_mem;
4586 		  GElf_Phdr *phdr2;
4587 
4588 		  phdr2 = gelf_getphdr (ebl->elf, inner, &phdr2_mem);
4589 		  if (phdr2 == NULL)
4590 		    continue;
4591 
4592 		  if (phdr2->p_type == PT_LOAD
4593 		      && phdr->p_vaddr >= phdr2->p_vaddr
4594 		      && (phdr->p_vaddr + phdr->p_memsz
4595 			  <= phdr2->p_vaddr + phdr2->p_memsz))
4596 		    {
4597 		      if ((phdr2->p_flags & PF_W) == 0)
4598 			ERROR (_("\
4599 loadable segment GNU_RELRO applies to is not writable\n"));
4600 		      /* Unless fully covered, relro flags could be a
4601 			 subset of the phdrs2 flags.  For example the load
4602 			 segment could also have PF_X set.  */
4603 		      if (phdr->p_vaddr == phdr2->p_vaddr
4604 			  && (phdr->p_vaddr + phdr->p_memsz
4605 			      == phdr2->p_vaddr + phdr2->p_memsz))
4606 			{
4607 			  if ((phdr2->p_flags & ~PF_W)
4608 			      != (phdr->p_flags & ~PF_W))
4609 			    ERROR (_("\
4610 loadable segment [%u] flags do not match GNU_RELRO [%u] flags\n"),
4611 				   cnt, inner);
4612 			}
4613 		      else
4614 			{
4615 			  if ((phdr->p_flags & ~phdr2->p_flags) != 0)
4616 			    ERROR (_("\
4617 GNU_RELRO [%u] flags are not a subset of the loadable segment [%u] flags\n"),
4618 				   inner, cnt);
4619 			}
4620 		      break;
4621 		    }
4622 		}
4623 
4624 	      if (inner >= phnum)
4625 		ERROR (_("\
4626 %s segment not contained in a loaded segment\n"), "GNU_RELRO");
4627 	    }
4628 	}
4629       else if (phdr->p_type == PT_PHDR)
4630 	{
4631 	  /* Check that the region is in a writable segment.  */
4632 	  unsigned int inner;
4633 	  for (inner = 0; inner < phnum; ++inner)
4634 	    {
4635 	      GElf_Phdr phdr2_mem;
4636 	      GElf_Phdr *phdr2;
4637 
4638 	      phdr2 = gelf_getphdr (ebl->elf, inner, &phdr2_mem);
4639 	      if (phdr2 != NULL
4640 		  && phdr2->p_type == PT_LOAD
4641 		  && phdr->p_vaddr >= phdr2->p_vaddr
4642 		  && (phdr->p_vaddr + phdr->p_memsz
4643 		      <= phdr2->p_vaddr + phdr2->p_memsz))
4644 		break;
4645 	    }
4646 
4647 	  if (inner >= phnum)
4648 	    ERROR (_("\
4649 %s segment not contained in a loaded segment\n"), "PHDR");
4650 
4651 	  /* Check that offset in segment corresponds to offset in ELF
4652 	     header.  */
4653 	  if (phdr->p_offset != ehdr->e_phoff)
4654 	    ERROR (_("\
4655 program header offset in ELF header and PHDR entry do not match"));
4656 	}
4657       else if (phdr->p_type == PT_GNU_EH_FRAME)
4658 	{
4659 	  /* If there is an .eh_frame_hdr section it must be
4660 	     referenced by this program header entry.  */
4661 	  Elf_Scn *scn = NULL;
4662 	  GElf_Shdr shdr_mem;
4663 	  GElf_Shdr *shdr = NULL;
4664 	  bool any = false;
4665 	  while ((scn = elf_nextscn (ebl->elf, scn)) != NULL)
4666 	    {
4667 	      any = true;
4668 	      shdr = gelf_getshdr (scn, &shdr_mem);
4669 	      if (shdr != NULL
4670 		  && ((is_debuginfo && shdr->sh_type == SHT_NOBITS)
4671 		      || (! is_debuginfo
4672 			  && (shdr->sh_type == SHT_PROGBITS
4673 			      || shdr->sh_type == SHT_X86_64_UNWIND)))
4674 		  && elf_strptr (ebl->elf, shstrndx, shdr->sh_name) != NULL
4675 		  && ! strcmp (".eh_frame_hdr",
4676 			       elf_strptr (ebl->elf, shstrndx, shdr->sh_name)))
4677 		{
4678 		  if (! is_debuginfo)
4679 		    {
4680 		      if (phdr->p_offset != shdr->sh_offset)
4681 			ERROR (_("\
4682 call frame search table reference in program header has wrong offset\n"));
4683 		      if (phdr->p_memsz != shdr->sh_size)
4684 			ERROR (_("\
4685 call frame search table size mismatch in program and section header\n"));
4686 		    }
4687 		  break;
4688 		}
4689 	    }
4690 
4691 	  if (scn == NULL)
4692 	    {
4693 	      /* If there is no section header table we don't
4694 		 complain.  But if there is one there should be an
4695 		 entry for .eh_frame_hdr.  */
4696 	      if (any)
4697 		ERROR (_("\
4698 PT_GNU_EH_FRAME present but no .eh_frame_hdr section\n"));
4699 	    }
4700 	  else
4701 	    {
4702 	      /* The section must be allocated and not be writable and
4703 		 executable.  */
4704 	      if ((phdr->p_flags & PF_R) == 0)
4705 		ERROR (_("\
4706 call frame search table must be allocated\n"));
4707 	      else if (shdr != NULL && (shdr->sh_flags & SHF_ALLOC) == 0)
4708 		ERROR (_("\
4709 section [%2zu] '%s' must be allocated\n"), elf_ndxscn (scn), ".eh_frame_hdr");
4710 
4711 	      if ((phdr->p_flags & PF_W) != 0)
4712 		ERROR (_("\
4713 call frame search table must not be writable\n"));
4714 	      else if (shdr != NULL && (shdr->sh_flags & SHF_WRITE) != 0)
4715 		ERROR (_("\
4716 section [%2zu] '%s' must not be writable\n"),
4717 		       elf_ndxscn (scn), ".eh_frame_hdr");
4718 
4719 	      if ((phdr->p_flags & PF_X) != 0)
4720 		ERROR (_("\
4721 call frame search table must not be executable\n"));
4722 	      else if (shdr != NULL && (shdr->sh_flags & SHF_EXECINSTR) != 0)
4723 		ERROR (_("\
4724 section [%2zu] '%s' must not be executable\n"),
4725 		       elf_ndxscn (scn), ".eh_frame_hdr");
4726 	    }
4727 
4728 	  /* Remember which entry this is.  */
4729 	  pt_gnu_eh_frame_pndx = cnt;
4730 	}
4731 
4732       if (phdr->p_filesz > phdr->p_memsz
4733 	  && (phdr->p_memsz != 0
4734 	      || (phdr->p_type != PT_NOTE
4735 		  && !(ehdr->e_machine == EM_RISCV
4736 		       && phdr->p_type == PT_RISCV_ATTRIBUTES))))
4737 	ERROR (_("\
4738 program header entry %d: file size greater than memory size\n"),
4739 	       cnt);
4740 
4741       if (phdr->p_align > 1)
4742 	{
4743 	  if (!powerof2 (phdr->p_align))
4744 	    ERROR (_("\
4745 program header entry %d: alignment not a power of 2\n"), cnt);
4746 	  else if ((phdr->p_vaddr - phdr->p_offset) % phdr->p_align != 0)
4747 	    ERROR (_("\
4748 program header entry %d: file offset and virtual address not module of alignment\n"), cnt);
4749 	}
4750     }
4751 }
4752 
4753 
4754 static void
check_exception_data(Ebl * ebl,GElf_Ehdr * ehdr)4755 check_exception_data (Ebl *ebl __attribute__ ((unused)),
4756 		      GElf_Ehdr *ehdr __attribute__ ((unused)))
4757 {
4758   if ((ehdr->e_type == ET_EXEC || ehdr->e_type == ET_DYN)
4759       && pt_gnu_eh_frame_pndx == 0 && eh_frame_hdr_scnndx != 0)
4760     ERROR (_("executable/DSO with .eh_frame_hdr section does not have "
4761 		    "a PT_GNU_EH_FRAME program header entry"));
4762 }
4763 
4764 
4765 /* Process one file.  */
4766 static void
process_elf_file(Elf * elf,const char * prefix,const char * suffix,const char * fname,size_t size,bool only_one)4767 process_elf_file (Elf *elf, const char *prefix, const char *suffix,
4768 		  const char *fname, size_t size, bool only_one)
4769 {
4770   /* Reset variables.  */
4771   ndynamic = 0;
4772   nverneed = 0;
4773   nverdef = 0;
4774   textrel = false;
4775   needed_textrel = false;
4776   has_loadable_segment = false;
4777   has_interp_segment = false;
4778 
4779   GElf_Ehdr ehdr_mem;
4780   GElf_Ehdr *ehdr = gelf_getehdr (elf, &ehdr_mem);
4781   Ebl *ebl;
4782 
4783   /* Print the file name.  */
4784   if (!only_one)
4785     {
4786       if (prefix != NULL)
4787 	printf ("\n%s(%s)%s:\n", prefix, fname, suffix);
4788       else
4789 	printf ("\n%s:\n", fname);
4790     }
4791 
4792   if (ehdr == NULL)
4793     {
4794       ERROR (_("cannot read ELF header: %s\n"), elf_errmsg (-1));
4795       return;
4796     }
4797 
4798   ebl = ebl_openbackend (elf);
4799   /* If there is no appropriate backend library we cannot test
4800      architecture and OS specific features.  Any encountered extension
4801      is an error.  Often we'll get a "dummy" ebl, except if something
4802      really bad happen, like a totally corrupted ELF file or out of
4803      memory situation.  */
4804   if (ebl == NULL)
4805     {
4806       ERROR (_("cannot create backend for ELF file\n"));
4807       return;
4808     }
4809 
4810   /* Go straight by the gABI, check all the parts in turn.  */
4811   check_elf_header (ebl, ehdr, size);
4812 
4813   /* Check the program header.  */
4814   check_program_header (ebl, ehdr);
4815 
4816   /* Next the section headers.  It is OK if there are no section
4817      headers at all.  */
4818   check_sections (ebl, ehdr);
4819 
4820   /* Check the exception handling data, if it exists.  */
4821   if (pt_gnu_eh_frame_pndx != 0 || eh_frame_hdr_scnndx != 0
4822       || eh_frame_scnndx != 0 || gcc_except_table_scnndx != 0)
4823     check_exception_data (ebl, ehdr);
4824 
4825   /* Report if no relocation section needed the text relocation flag.  */
4826   if (textrel && !needed_textrel)
4827     ERROR (_("text relocation flag set but not needed\n"));
4828 
4829   /* Free the resources.  */
4830   ebl_closebackend (ebl);
4831 }
4832 
4833 
4834 #include "debugpred.h"
4835