1 /* Create descriptor for processing file.
2    Copyright (C) 1998-2010, 2012, 2014, 2015, 2016 Red Hat, Inc.
3    This file is part of elfutils.
4    Written by Ulrich Drepper <drepper@redhat.com>, 1998.
5 
6    This file is free software; you can redistribute it and/or modify
7    it under the terms of either
8 
9      * the GNU Lesser General Public License as published by the Free
10        Software Foundation; either version 3 of the License, or (at
11        your option) any later version
12 
13    or
14 
15      * the GNU General Public License as published by the Free
16        Software Foundation; either version 2 of the License, or (at
17        your option) any later version
18 
19    or both in parallel, as here.
20 
21    elfutils is distributed in the hope that it will be useful, but
22    WITHOUT ANY WARRANTY; without even the implied warranty of
23    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
24    General Public License for more details.
25 
26    You should have received copies of the GNU General Public License and
27    the GNU Lesser General Public License along with this program.  If
28    not, see <http://www.gnu.org/licenses/>.  */
29 
30 #ifdef HAVE_CONFIG_H
31 # include <config.h>
32 #endif
33 
34 #include <assert.h>
35 #include <ctype.h>
36 #include <errno.h>
37 #include <fcntl.h>
38 #include <stdbool.h>
39 #include <stddef.h>
40 #include <string.h>
41 #include <unistd.h>
42 #include <sys/mman.h>
43 #include <sys/stat.h>
44 
45 #include <system.h>
46 #include "libelfP.h"
47 #include "common.h"
48 
49 
50 /* Create descriptor for archive in memory.  */
51 static inline Elf *
file_read_ar(int fildes,void * map_address,off_t offset,size_t maxsize,Elf_Cmd cmd,Elf * parent)52 file_read_ar (int fildes, void *map_address, off_t offset, size_t maxsize,
53 	      Elf_Cmd cmd, Elf *parent)
54 {
55   Elf *elf;
56 
57   /* Create a descriptor.  */
58   elf = allocate_elf (fildes, map_address, offset, maxsize, cmd, parent,
59                       ELF_K_AR, 0);
60   if (elf != NULL)
61     {
62       /* We don't read all the symbol tables in advance.  All this will
63 	 happen on demand.  */
64       elf->state.ar.offset = offset + SARMAG;
65 
66       elf->state.ar.elf_ar_hdr.ar_rawname = elf->state.ar.raw_name;
67     }
68 
69   return elf;
70 }
71 
72 
73 static size_t
get_shnum(void * map_address,unsigned char * e_ident,int fildes,off_t offset,size_t maxsize)74 get_shnum (void *map_address, unsigned char *e_ident, int fildes, off_t offset,
75 	   size_t maxsize)
76 {
77   size_t result;
78   union
79   {
80     Elf32_Ehdr *e32;
81     Elf64_Ehdr *e64;
82     void *p;
83   } ehdr;
84   union
85   {
86     Elf32_Ehdr e32;
87     Elf64_Ehdr e64;
88   } ehdr_mem;
89   bool is32 = e_ident[EI_CLASS] == ELFCLASS32;
90 
91   /* Make the ELF header available.  */
92   if (e_ident[EI_DATA] == MY_ELFDATA
93       && (ALLOW_UNALIGNED
94 	  || (((size_t) e_ident
95 	       & ((is32 ? __alignof__ (Elf32_Ehdr) : __alignof__ (Elf64_Ehdr))
96 		  - 1)) == 0)))
97     ehdr.p = e_ident;
98   else
99     {
100       /* We already read the ELF header.  We have to copy the header
101 	 since we possibly modify the data here and the caller
102 	 expects the memory it passes in to be preserved.  */
103       ehdr.p = &ehdr_mem;
104 
105       if (is32)
106 	{
107 	  if (ALLOW_UNALIGNED)
108 	    {
109 	      ehdr_mem.e32.e_shnum = ((Elf32_Ehdr *) e_ident)->e_shnum;
110 	      ehdr_mem.e32.e_shoff = ((Elf32_Ehdr *) e_ident)->e_shoff;
111 	    }
112 	  else
113 	    memcpy (&ehdr_mem, e_ident, sizeof (Elf32_Ehdr));
114 
115 	  if (e_ident[EI_DATA] != MY_ELFDATA)
116 	    {
117 	      CONVERT (ehdr_mem.e32.e_shnum);
118 	      CONVERT (ehdr_mem.e32.e_shoff);
119 	    }
120 	}
121       else
122 	{
123 	  if (ALLOW_UNALIGNED)
124 	    {
125 	      ehdr_mem.e64.e_shnum = ((Elf64_Ehdr *) e_ident)->e_shnum;
126 	      ehdr_mem.e64.e_shoff = ((Elf64_Ehdr *) e_ident)->e_shoff;
127 	    }
128 	  else
129 	    memcpy (&ehdr_mem, e_ident, sizeof (Elf64_Ehdr));
130 
131 	  if (e_ident[EI_DATA] != MY_ELFDATA)
132 	    {
133 	      CONVERT (ehdr_mem.e64.e_shnum);
134 	      CONVERT (ehdr_mem.e64.e_shoff);
135 	    }
136 	}
137     }
138 
139   if (is32)
140     {
141       /* Get the number of sections from the ELF header.  */
142       result = ehdr.e32->e_shnum;
143 
144       if (unlikely (result == 0) && ehdr.e32->e_shoff != 0)
145 	{
146 	  if (unlikely (ehdr.e32->e_shoff >= maxsize)
147 	      || unlikely (maxsize - ehdr.e32->e_shoff < sizeof (Elf32_Shdr)))
148 	    /* Cannot read the first section header.  */
149 	    return 0;
150 
151 	  if (likely (map_address != NULL) && e_ident[EI_DATA] == MY_ELFDATA
152 	      && (ALLOW_UNALIGNED
153 		  || (((size_t) ((char *) map_address + ehdr.e32->e_shoff))
154 		      & (__alignof__ (Elf32_Shdr) - 1)) == 0))
155 	    /* We can directly access the memory.  */
156 	    result = ((Elf32_Shdr *) ((char *) map_address + ehdr.e32->e_shoff
157 				      + offset))->sh_size;
158 	  else
159 	    {
160 	      Elf32_Word size;
161 	      ssize_t r;
162 
163 	      if (likely (map_address != NULL))
164 		/* gcc will optimize the memcpy to a simple memory
165 		   access while taking care of alignment issues.  */
166 		memcpy (&size, &((Elf32_Shdr *) ((char *) map_address
167 						 + ehdr.e32->e_shoff
168 						 + offset))->sh_size,
169 			sizeof (Elf32_Word));
170 	      else
171 		if (unlikely ((r = pread_retry (fildes, &size,
172 						sizeof (Elf32_Word),
173 						offset + ehdr.e32->e_shoff
174 						+ offsetof (Elf32_Shdr,
175 							    sh_size)))
176 			      != sizeof (Elf32_Word)))
177 		  {
178 		    if (r < 0)
179 		      __libelf_seterrno (ELF_E_INVALID_FILE);
180 		    else
181 		      __libelf_seterrno (ELF_E_INVALID_ELF);
182 		    return (size_t) -1l;
183 		  }
184 
185 	      if (e_ident[EI_DATA] != MY_ELFDATA)
186 		CONVERT (size);
187 
188 	      result = size;
189 	    }
190 	}
191 
192       /* If the section headers were truncated, pretend none were there.  */
193       if (ehdr.e32->e_shoff > maxsize
194 	  || maxsize - ehdr.e32->e_shoff < sizeof (Elf32_Shdr) * result)
195 	result = 0;
196     }
197   else
198     {
199       /* Get the number of sections from the ELF header.  */
200       result = ehdr.e64->e_shnum;
201 
202       if (unlikely (result == 0) && ehdr.e64->e_shoff != 0)
203 	{
204 	  if (unlikely (ehdr.e64->e_shoff >= maxsize)
205 	      || unlikely (ehdr.e64->e_shoff + sizeof (Elf64_Shdr) > maxsize))
206 	    /* Cannot read the first section header.  */
207 	    return 0;
208 
209 	  Elf64_Xword size;
210 	  if (likely (map_address != NULL) && e_ident[EI_DATA] == MY_ELFDATA
211 	      && (ALLOW_UNALIGNED
212 		  || (((size_t) ((char *) map_address + ehdr.e64->e_shoff))
213 		      & (__alignof__ (Elf64_Shdr) - 1)) == 0))
214 	    /* We can directly access the memory.  */
215 	    size = ((Elf64_Shdr *) ((char *) map_address + ehdr.e64->e_shoff
216 				    + offset))->sh_size;
217 	  else
218 	    {
219 	      ssize_t r;
220 	      if (likely (map_address != NULL))
221 		/* gcc will optimize the memcpy to a simple memory
222 		   access while taking care of alignment issues.  */
223 		memcpy (&size, &((Elf64_Shdr *) ((char *) map_address
224 						 + ehdr.e64->e_shoff
225 						 + offset))->sh_size,
226 			sizeof (Elf64_Xword));
227 	      else
228 		if (unlikely ((r = pread_retry (fildes, &size,
229 						sizeof (Elf64_Xword),
230 						offset + ehdr.e64->e_shoff
231 						+ offsetof (Elf64_Shdr,
232 							    sh_size)))
233 			      != sizeof (Elf64_Xword)))
234 		  {
235 		    if (r < 0)
236 		      __libelf_seterrno (ELF_E_INVALID_FILE);
237 		    else
238 		      __libelf_seterrno (ELF_E_INVALID_ELF);
239 		    return (size_t) -1l;
240 		  }
241 
242 	      if (e_ident[EI_DATA] != MY_ELFDATA)
243 		CONVERT (size);
244 	    }
245 
246 	  if (size > ~((GElf_Word) 0))
247 	    {
248 	      /* Invalid value, it is too large.  */
249 	      __libelf_seterrno (ELF_E_INVALID_ELF);
250 	      return (size_t) -1l;
251 	    }
252 
253 	  result = size;
254 	}
255 
256       /* If the section headers were truncated, pretend none were there.  */
257       if (ehdr.e64->e_shoff > maxsize
258 	  || maxsize - ehdr.e64->e_shoff < sizeof (Elf64_Shdr) * result)
259 	result = 0;
260     }
261 
262   return result;
263 }
264 
265 
266 /* Create descriptor for ELF file in memory.  */
267 static Elf *
file_read_elf(int fildes,void * map_address,unsigned char * e_ident,off_t offset,size_t maxsize,Elf_Cmd cmd,Elf * parent)268 file_read_elf (int fildes, void *map_address, unsigned char *e_ident,
269 	       off_t offset, size_t maxsize, Elf_Cmd cmd, Elf *parent)
270 {
271   /* Verify the binary is of the class we can handle.  */
272   if (unlikely ((e_ident[EI_CLASS] != ELFCLASS32
273 		 && e_ident[EI_CLASS] != ELFCLASS64)
274 		/* We also can only handle two encodings.  */
275 		|| (e_ident[EI_DATA] != ELFDATA2LSB
276 		    && e_ident[EI_DATA] != ELFDATA2MSB)))
277     {
278       /* Cannot handle this.  */
279       __libelf_seterrno (ELF_E_INVALID_ELF);
280       return NULL;
281     }
282 
283   /* Determine the number of sections.  Returns -1 and sets libelf errno
284      if the file handle or elf file is invalid.  Returns zero if there
285      are no section headers (or they cannot be read).  */
286   size_t scncnt = get_shnum (map_address, e_ident, fildes, offset, maxsize);
287   if (scncnt == (size_t) -1l)
288     /* Could not determine the number of sections.  */
289     return NULL;
290 
291   /* Check for too many sections.  */
292   if (e_ident[EI_CLASS] == ELFCLASS32)
293     {
294       if (scncnt > SIZE_MAX / (sizeof (Elf_Scn) + sizeof (Elf32_Shdr)))
295 	{
296 	  __libelf_seterrno (ELF_E_INVALID_ELF);
297 	  return NULL;
298 	}
299     }
300   else if (scncnt > SIZE_MAX / (sizeof (Elf_Scn) + sizeof (Elf64_Shdr)))
301     {
302       __libelf_seterrno (ELF_E_INVALID_ELF);
303       return NULL;
304     }
305 
306   /* We can now allocate the memory.  Even if there are no section headers,
307      we allocate space for a zeroth section in case we need it later.  */
308   const size_t scnmax = (scncnt ?: (cmd == ELF_C_RDWR || cmd == ELF_C_RDWR_MMAP)
309 			 ? 1 : 0);
310   Elf *elf = allocate_elf (fildes, map_address, offset, maxsize, cmd, parent,
311 			   ELF_K_ELF, scnmax * sizeof (Elf_Scn));
312   if (elf == NULL)
313     /* Not enough memory.  allocate_elf will have set libelf errno.  */
314     return NULL;
315 
316   assert ((unsigned int) scncnt == scncnt);
317   assert (offsetof (struct Elf, state.elf32.scns)
318 	  == offsetof (struct Elf, state.elf64.scns));
319   elf->state.elf32.scns.cnt = scncnt;
320   elf->state.elf32.scns.max = scnmax;
321 
322   /* Some more or less arbitrary value.  */
323   elf->state.elf.scnincr = 10;
324 
325   /* Make the class easily available.  */
326   elf->class = e_ident[EI_CLASS];
327 
328   if (e_ident[EI_CLASS] == ELFCLASS32)
329     {
330       /* This pointer might not be directly usable if the alignment is
331 	 not sufficient for the architecture.  */
332       Elf32_Ehdr *ehdr = (Elf32_Ehdr *) ((char *) map_address + offset);
333 
334       /* This is a 32-bit binary.  */
335       if (map_address != NULL && e_ident[EI_DATA] == MY_ELFDATA
336 	  && (ALLOW_UNALIGNED
337 	      || (((uintptr_t) ehdr) & (__alignof__ (Elf32_Ehdr) - 1)) == 0))
338 	{
339 	  /* We can use the mmapped memory.  */
340 	  elf->state.elf32.ehdr = ehdr;
341 	}
342       else
343 	{
344 	  /* Copy the ELF header.  */
345 	  elf->state.elf32.ehdr = memcpy (&elf->state.elf32.ehdr_mem, e_ident,
346 					  sizeof (Elf32_Ehdr));
347 
348 	  if (e_ident[EI_DATA] != MY_ELFDATA)
349 	    {
350 	      CONVERT (elf->state.elf32.ehdr_mem.e_type);
351 	      CONVERT (elf->state.elf32.ehdr_mem.e_machine);
352 	      CONVERT (elf->state.elf32.ehdr_mem.e_version);
353 	      CONVERT (elf->state.elf32.ehdr_mem.e_entry);
354 	      CONVERT (elf->state.elf32.ehdr_mem.e_phoff);
355 	      CONVERT (elf->state.elf32.ehdr_mem.e_shoff);
356 	      CONVERT (elf->state.elf32.ehdr_mem.e_flags);
357 	      CONVERT (elf->state.elf32.ehdr_mem.e_ehsize);
358 	      CONVERT (elf->state.elf32.ehdr_mem.e_phentsize);
359 	      CONVERT (elf->state.elf32.ehdr_mem.e_phnum);
360 	      CONVERT (elf->state.elf32.ehdr_mem.e_shentsize);
361 	      CONVERT (elf->state.elf32.ehdr_mem.e_shnum);
362 	      CONVERT (elf->state.elf32.ehdr_mem.e_shstrndx);
363 	    }
364 	}
365 
366       /* Don't precache the phdr pointer here.
367 	 elf32_getphdr will validate it against the size when asked.  */
368 
369       Elf32_Off e_shoff = elf->state.elf32.ehdr->e_shoff;
370       if (map_address != NULL && e_ident[EI_DATA] == MY_ELFDATA
371 	  && cmd != ELF_C_READ_MMAP /* We need a copy to be able to write.  */
372 	  && (ALLOW_UNALIGNED
373 	      || (((uintptr_t) ((char *) ehdr + e_shoff)
374 		   & (__alignof__ (Elf32_Shdr) - 1)) == 0)))
375 	{
376 	  if (unlikely (scncnt > 0 && e_shoff >= maxsize)
377 	      || unlikely (maxsize - e_shoff
378 			   < scncnt * sizeof (Elf32_Shdr)))
379 	    {
380 	    free_and_out:
381 	      free (elf);
382 	      __libelf_seterrno (ELF_E_INVALID_ELF);
383 	      return NULL;
384 	    }
385 	  elf->state.elf32.shdr
386 	    = (Elf32_Shdr *) ((char *) ehdr + e_shoff);
387 
388 	  for (size_t cnt = 0; cnt < scncnt; ++cnt)
389 	    {
390 	      elf->state.elf32.scns.data[cnt].index = cnt;
391 	      elf->state.elf32.scns.data[cnt].elf = elf;
392 	      elf->state.elf32.scns.data[cnt].shdr.e32 =
393 		&elf->state.elf32.shdr[cnt];
394 	      if (likely (elf->state.elf32.shdr[cnt].sh_offset < maxsize)
395 		  && likely (elf->state.elf32.shdr[cnt].sh_size
396 			     <= maxsize - elf->state.elf32.shdr[cnt].sh_offset))
397 		elf->state.elf32.scns.data[cnt].rawdata_base =
398 		  elf->state.elf32.scns.data[cnt].data_base =
399 		  ((char *) map_address + offset
400 		   + elf->state.elf32.shdr[cnt].sh_offset);
401 	      elf->state.elf32.scns.data[cnt].list = &elf->state.elf32.scns;
402 
403 	      /* If this is a section with an extended index add a
404 		 reference in the section which uses the extended
405 		 index.  */
406 	      if (elf->state.elf32.shdr[cnt].sh_type == SHT_SYMTAB_SHNDX
407 		  && elf->state.elf32.shdr[cnt].sh_link < scncnt)
408 		elf->state.elf32.scns.data[elf->state.elf32.shdr[cnt].sh_link].shndx_index
409 		  = cnt;
410 
411 	      /* Set the own shndx_index field in case it has not yet
412 		 been set.  */
413 	      if (elf->state.elf32.scns.data[cnt].shndx_index == 0)
414 		elf->state.elf32.scns.data[cnt].shndx_index = -1;
415 	    }
416 	}
417       else
418 	{
419 	  for (size_t cnt = 0; cnt < scncnt; ++cnt)
420 	    {
421 	      elf->state.elf32.scns.data[cnt].index = cnt;
422 	      elf->state.elf32.scns.data[cnt].elf = elf;
423 	      elf->state.elf32.scns.data[cnt].list = &elf->state.elf32.scns;
424 	    }
425 	}
426 
427       /* So far only one block with sections.  */
428       elf->state.elf32.scns_last = &elf->state.elf32.scns;
429     }
430   else
431     {
432       /* This pointer might not be directly usable if the alignment is
433 	 not sufficient for the architecture.  */
434       Elf64_Ehdr *ehdr = (Elf64_Ehdr *) ((char *) map_address + offset);
435 
436       /* This is a 64-bit binary.  */
437       if (map_address != NULL && e_ident[EI_DATA] == MY_ELFDATA
438 	  && (ALLOW_UNALIGNED
439 	      || (((uintptr_t) ehdr) & (__alignof__ (Elf64_Ehdr) - 1)) == 0))
440 	{
441 	  /* We can use the mmapped memory.  */
442 	  elf->state.elf64.ehdr = ehdr;
443 	}
444       else
445 	{
446 	  /* Copy the ELF header.  */
447 	  elf->state.elf64.ehdr = memcpy (&elf->state.elf64.ehdr_mem, e_ident,
448 					  sizeof (Elf64_Ehdr));
449 
450 	  if (e_ident[EI_DATA] != MY_ELFDATA)
451 	    {
452 	      CONVERT (elf->state.elf64.ehdr_mem.e_type);
453 	      CONVERT (elf->state.elf64.ehdr_mem.e_machine);
454 	      CONVERT (elf->state.elf64.ehdr_mem.e_version);
455 	      CONVERT (elf->state.elf64.ehdr_mem.e_entry);
456 	      CONVERT (elf->state.elf64.ehdr_mem.e_phoff);
457 	      CONVERT (elf->state.elf64.ehdr_mem.e_shoff);
458 	      CONVERT (elf->state.elf64.ehdr_mem.e_flags);
459 	      CONVERT (elf->state.elf64.ehdr_mem.e_ehsize);
460 	      CONVERT (elf->state.elf64.ehdr_mem.e_phentsize);
461 	      CONVERT (elf->state.elf64.ehdr_mem.e_phnum);
462 	      CONVERT (elf->state.elf64.ehdr_mem.e_shentsize);
463 	      CONVERT (elf->state.elf64.ehdr_mem.e_shnum);
464 	      CONVERT (elf->state.elf64.ehdr_mem.e_shstrndx);
465 	    }
466 	}
467 
468       /* Don't precache the phdr pointer here.
469 	 elf64_getphdr will validate it against the size when asked.  */
470 
471       Elf64_Off e_shoff = elf->state.elf64.ehdr->e_shoff;
472       if (map_address != NULL && e_ident[EI_DATA] == MY_ELFDATA
473 	  && cmd != ELF_C_READ_MMAP /* We need a copy to be able to write.  */
474 	  && (ALLOW_UNALIGNED
475 	      || (((uintptr_t) ((char *) ehdr + e_shoff)
476 		   & (__alignof__ (Elf64_Shdr) - 1)) == 0)))
477 	{
478 	  if (unlikely (scncnt > 0 && e_shoff >= maxsize)
479 	      || unlikely (maxsize - e_shoff
480 			   < scncnt * sizeof (Elf64_Shdr)))
481 	    goto free_and_out;
482 	  elf->state.elf64.shdr
483 	    = (Elf64_Shdr *) ((char *) ehdr + e_shoff);
484 
485 	  for (size_t cnt = 0; cnt < scncnt; ++cnt)
486 	    {
487 	      elf->state.elf64.scns.data[cnt].index = cnt;
488 	      elf->state.elf64.scns.data[cnt].elf = elf;
489 	      elf->state.elf64.scns.data[cnt].shdr.e64 =
490 		&elf->state.elf64.shdr[cnt];
491 	      if (likely (elf->state.elf64.shdr[cnt].sh_offset < maxsize)
492 		  && likely (elf->state.elf64.shdr[cnt].sh_size
493 			     <= maxsize - elf->state.elf64.shdr[cnt].sh_offset))
494 		elf->state.elf64.scns.data[cnt].rawdata_base =
495 		  elf->state.elf64.scns.data[cnt].data_base =
496 		  ((char *) map_address + offset
497 		   + elf->state.elf64.shdr[cnt].sh_offset);
498 	      elf->state.elf64.scns.data[cnt].list = &elf->state.elf64.scns;
499 
500 	      /* If this is a section with an extended index add a
501 		 reference in the section which uses the extended
502 		 index.  */
503 	      if (elf->state.elf64.shdr[cnt].sh_type == SHT_SYMTAB_SHNDX
504 		  && elf->state.elf64.shdr[cnt].sh_link < scncnt)
505 		elf->state.elf64.scns.data[elf->state.elf64.shdr[cnt].sh_link].shndx_index
506 		  = cnt;
507 
508 	      /* Set the own shndx_index field in case it has not yet
509 		 been set.  */
510 	      if (elf->state.elf64.scns.data[cnt].shndx_index == 0)
511 		elf->state.elf64.scns.data[cnt].shndx_index = -1;
512 	    }
513 	}
514       else
515 	{
516 	  for (size_t cnt = 0; cnt < scncnt; ++cnt)
517 	    {
518 	      elf->state.elf64.scns.data[cnt].index = cnt;
519 	      elf->state.elf64.scns.data[cnt].elf = elf;
520 	      elf->state.elf64.scns.data[cnt].list = &elf->state.elf64.scns;
521 	    }
522 	}
523 
524       /* So far only one block with sections.  */
525       elf->state.elf64.scns_last = &elf->state.elf64.scns;
526     }
527 
528   return elf;
529 }
530 
531 
532 Elf *
533 internal_function
__libelf_read_mmaped_file(int fildes,void * map_address,off_t offset,size_t maxsize,Elf_Cmd cmd,Elf * parent)534 __libelf_read_mmaped_file (int fildes, void *map_address,  off_t offset,
535 			   size_t maxsize, Elf_Cmd cmd, Elf *parent)
536 {
537   /* We have to find out what kind of file this is.  We handle ELF
538      files and archives.  To find out what we have we must look at the
539      header.  The header for an ELF file is EI_NIDENT bytes in size,
540      the header for an archive file SARMAG bytes long.  */
541   unsigned char *e_ident = (unsigned char *) map_address + offset;
542 
543   /* See what kind of object we have here.  */
544   Elf_Kind kind = determine_kind (e_ident, maxsize);
545 
546   switch (kind)
547     {
548     case ELF_K_ELF:
549       return file_read_elf (fildes, map_address, e_ident, offset, maxsize,
550 			    cmd, parent);
551 
552     case ELF_K_AR:
553       return file_read_ar (fildes, map_address, offset, maxsize, cmd, parent);
554 
555     default:
556       break;
557     }
558 
559   /* This case is easy.  Since we cannot do anything with this file
560      create a dummy descriptor.  */
561   return allocate_elf (fildes, map_address, offset, maxsize, cmd, parent,
562 		       ELF_K_NONE, 0);
563 }
564 
565 
566 static Elf *
read_unmmaped_file(int fildes,off_t offset,size_t maxsize,Elf_Cmd cmd,Elf * parent)567 read_unmmaped_file (int fildes, off_t offset, size_t maxsize, Elf_Cmd cmd,
568 		    Elf *parent)
569 {
570   /* We have to find out what kind of file this is.  We handle ELF
571      files and archives.  To find out what we have we must read the
572      header.  The identification header for an ELF file is EI_NIDENT
573      bytes in size, but we read the whole ELF header since we will
574      need it anyway later.  For archives the header in SARMAG bytes
575      long.  Read the maximum of these numbers.
576 
577      XXX We have to change this for the extended `ar' format some day.
578 
579      Use a union to ensure alignment.  We might later access the
580      memory as a ElfXX_Ehdr.  */
581   union
582   {
583     Elf64_Ehdr ehdr;
584     unsigned char header[MAX (sizeof (Elf64_Ehdr), SARMAG)];
585   } mem;
586 
587   /* Read the head of the file.  */
588   ssize_t nread = pread_retry (fildes, mem.header,
589 			       MIN (MAX (sizeof (Elf64_Ehdr), SARMAG),
590 				    maxsize),
591 			       offset);
592   if (unlikely (nread == -1))
593     {
594       /* We cannot even read the head of the file.  Maybe FILDES is associated
595 	 with an unseekable device.  This is nothing we can handle.  */
596       __libelf_seterrno (ELF_E_INVALID_FILE);
597       return NULL;
598     }
599 
600   /* See what kind of object we have here.  */
601   Elf_Kind kind = determine_kind (mem.header, nread);
602 
603   switch (kind)
604     {
605     case ELF_K_AR:
606       return file_read_ar (fildes, NULL, offset, maxsize, cmd, parent);
607 
608     case ELF_K_ELF:
609       /* Make sure at least the ELF header is contained in the file.  */
610       if ((size_t) nread >= (mem.header[EI_CLASS] == ELFCLASS32
611 			     ? sizeof (Elf32_Ehdr) : sizeof (Elf64_Ehdr)))
612 	return file_read_elf (fildes, NULL, mem.header, offset, maxsize, cmd,
613 			      parent);
614       FALLTHROUGH;
615 
616     default:
617       break;
618     }
619 
620   /* This case is easy.  Since we cannot do anything with this file
621      create a dummy descriptor.  */
622   return allocate_elf (fildes, NULL, offset, maxsize, cmd, parent,
623 		       ELF_K_NONE, 0);
624 }
625 
626 
627 /* Open a file for reading.  If possible we will try to mmap() the file.  */
628 static struct Elf *
read_file(int fildes,off_t offset,size_t maxsize,Elf_Cmd cmd,Elf * parent)629 read_file (int fildes, off_t offset, size_t maxsize,
630 	   Elf_Cmd cmd, Elf *parent)
631 {
632   void *map_address = NULL;
633   int use_mmap = (cmd == ELF_C_READ_MMAP || cmd == ELF_C_RDWR_MMAP
634 		  || cmd == ELF_C_WRITE_MMAP
635 		  || cmd == ELF_C_READ_MMAP_PRIVATE);
636 
637   if (parent == NULL)
638     {
639       if (maxsize == ~((size_t) 0))
640 	{
641 	  /* We don't know in the moment how large the file is.
642 	     Determine it now.  */
643 	  struct stat st;
644 
645 	  if (fstat (fildes, &st) == 0
646 	      && (sizeof (size_t) >= sizeof (st.st_size)
647 		  || st.st_size <= ~((size_t) 0)))
648 	    maxsize = (size_t) st.st_size;
649 	}
650     }
651   else
652     {
653       /* The parent is already loaded.  Use it.  */
654       assert (maxsize != ~((size_t) 0));
655     }
656 
657   if (use_mmap)
658     {
659       if (parent == NULL)
660 	{
661 	  /* We try to map the file ourself.  */
662 	  map_address = mmap (NULL, maxsize, (cmd == ELF_C_READ_MMAP
663 					      ? PROT_READ
664 					      : PROT_READ|PROT_WRITE),
665 			      cmd == ELF_C_READ_MMAP_PRIVATE
666 			      || cmd == ELF_C_READ_MMAP
667 			      ? MAP_PRIVATE : MAP_SHARED,
668 			      fildes, offset);
669 
670 	  if (map_address == MAP_FAILED)
671 	    map_address = NULL;
672 	}
673       else
674 	{
675 	  map_address = parent->map_address;
676 	}
677     }
678 
679   /* If we have the file in memory optimize the access.  */
680   if (map_address != NULL)
681     {
682       assert (map_address != MAP_FAILED);
683 
684       struct Elf *result = __libelf_read_mmaped_file (fildes, map_address,
685 						      offset, maxsize, cmd,
686 						      parent);
687 
688       /* If something went wrong during the initialization unmap the
689 	 memory if we mmaped here.  */
690       if (result == NULL
691 	  && (parent == NULL
692 	      || parent->map_address != map_address))
693 	munmap (map_address, maxsize);
694       else if (parent == NULL)
695 	/* Remember that we mmap()ed the memory.  */
696 	result->flags |= ELF_F_MMAPPED;
697 
698       return result;
699     }
700 
701   /* Otherwise we have to do it the hard way.  We read as much as necessary
702      from the file whenever we need information which is not available.  */
703   return read_unmmaped_file (fildes, offset, maxsize, cmd, parent);
704 }
705 
706 
707 /* Find the entry with the long names for the content of this archive.  */
708 static const char *
read_long_names(Elf * elf)709 read_long_names (Elf *elf)
710 {
711   off_t offset = SARMAG;	/* This is the first entry.  */
712   struct ar_hdr hdrm;
713   struct ar_hdr *hdr;
714   char *newp;
715   size_t len;
716 
717   while (1)
718     {
719       if (elf->map_address != NULL)
720 	{
721 	  if ((size_t) offset > elf->maximum_size
722 	      || elf->maximum_size - offset < sizeof (struct ar_hdr))
723 	    return NULL;
724 
725 	  /* The data is mapped.  */
726 	  hdr = (struct ar_hdr *) (elf->map_address + offset);
727 	}
728       else
729 	{
730 	  /* Read the header from the file.  */
731 	  if (unlikely (pread_retry (elf->fildes, &hdrm, sizeof (hdrm),
732 				     elf->start_offset + offset)
733 			!= sizeof (hdrm)))
734 	    return NULL;
735 
736 	  hdr = &hdrm;
737 	}
738 
739       /* The ar_size is given as a fixed size decimal string, right
740 	 padded with spaces.  Make sure we read it properly even if
741 	 there is no terminating space.  */
742       char buf[sizeof (hdr->ar_size) + 1];
743       const char *string = hdr->ar_size;
744       if (hdr->ar_size[sizeof (hdr->ar_size) - 1] != ' ')
745 	{
746 	  *((char *) mempcpy (buf, hdr->ar_size, sizeof (hdr->ar_size))) = '\0';
747 	  string = buf;
748 	}
749       len = atol (string);
750 
751       if (memcmp (hdr->ar_name, "//              ", 16) == 0)
752 	break;
753 
754       offset += sizeof (struct ar_hdr) + ((len + 1) & ~1l);
755     }
756 
757   /* Sanity check len early if we can.  */
758   if (elf->map_address != NULL)
759     {
760       if (len > elf->maximum_size - offset - sizeof (struct ar_hdr))
761 	return NULL;
762     }
763 
764   /* Due to the stupid format of the long name table entry (which are not
765      NUL terminted) we have to provide an appropriate representation anyhow.
766      Therefore we always make a copy which has the appropriate form.  */
767   newp = (char *) malloc (len);
768   if (newp != NULL)
769     {
770       char *runp;
771 
772       if (elf->map_address != NULL)
773 	{
774 	  /* Simply copy it over.  */
775 	  elf->state.ar.long_names = (char *) memcpy (newp,
776 						      elf->map_address + offset
777 						      + sizeof (struct ar_hdr),
778 						      len);
779 	}
780       else
781 	{
782 	  if (unlikely ((size_t) pread_retry (elf->fildes, newp, len,
783 					      elf->start_offset + offset
784 					      + sizeof (struct ar_hdr))
785 			!= len))
786 	    {
787 	      /* We were not able to read all data.  */
788 	      free (newp);
789 	      elf->state.ar.long_names = NULL;
790 	      return NULL;
791 	    }
792 	  elf->state.ar.long_names = newp;
793 	}
794 
795       elf->state.ar.long_names_len = len;
796 
797       /* Now NUL-terminate the strings.  */
798       runp = newp;
799       while (1)
800         {
801 	  char *startp = runp;
802 	  runp = (char *) memchr (runp, '/', newp + len - runp);
803 	  if (runp == NULL)
804 	    {
805 	      /* This was the last entry.  Clear any left overs.  */
806 	      memset (startp, '\0', newp + len - startp);
807 	      break;
808 	    }
809 
810 	  /* NUL-terminate the string.  */
811 	  *runp++ = '\0';
812 
813 	  /* A sanity check.  Somebody might have generated invalid
814 	     archive.  */
815 	  if (runp >= newp + len)
816 	    break;
817 	}
818     }
819 
820   return newp;
821 }
822 
823 
824 /* Read the next archive header.  */
825 int
826 internal_function
__libelf_next_arhdr_wrlock(Elf * elf)827 __libelf_next_arhdr_wrlock (Elf *elf)
828 {
829   struct ar_hdr *ar_hdr;
830   Elf_Arhdr *elf_ar_hdr;
831 
832   if (elf->map_address != NULL)
833     {
834       /* See whether this entry is in the file.  */
835       if (unlikely ((size_t) elf->state.ar.offset
836 		    > elf->start_offset + elf->maximum_size
837 		    || (elf->start_offset + elf->maximum_size
838 			- elf->state.ar.offset) < sizeof (struct ar_hdr)))
839 	{
840 	  /* This record is not anymore in the file.  */
841 	  __libelf_seterrno (ELF_E_RANGE);
842 	  return -1;
843 	}
844       ar_hdr = (struct ar_hdr *) (elf->map_address + elf->state.ar.offset);
845     }
846   else
847     {
848       ar_hdr = &elf->state.ar.ar_hdr;
849 
850       if (unlikely (pread_retry (elf->fildes, ar_hdr, sizeof (struct ar_hdr),
851 				 elf->state.ar.offset)
852 		    != sizeof (struct ar_hdr)))
853 	{
854 	  /* Something went wrong while reading the file.  */
855 	  __libelf_seterrno (ELF_E_RANGE);
856 	  return -1;
857 	}
858     }
859 
860   /* One little consistency check.  */
861   if (unlikely (memcmp (ar_hdr->ar_fmag, ARFMAG, 2) != 0))
862     {
863       /* This is no valid archive.  */
864       __libelf_seterrno (ELF_E_ARCHIVE_FMAG);
865       return -1;
866     }
867 
868   /* Copy the raw name over to a NUL terminated buffer.  */
869   *((char *) mempcpy (elf->state.ar.raw_name, ar_hdr->ar_name, 16)) = '\0';
870 
871   elf_ar_hdr = &elf->state.ar.elf_ar_hdr;
872 
873   /* Now convert the `struct ar_hdr' into `Elf_Arhdr'.
874      Determine whether this is a special entry.  */
875   if (ar_hdr->ar_name[0] == '/')
876     {
877       if (ar_hdr->ar_name[1] == ' '
878 	  && memcmp (ar_hdr->ar_name, "/               ", 16) == 0)
879 	/* This is the index.  */
880 	elf_ar_hdr->ar_name = memcpy (elf->state.ar.ar_name, "/", 2);
881       else if (ar_hdr->ar_name[1] == 'S'
882 	       && memcmp (ar_hdr->ar_name, "/SYM64/         ", 16) == 0)
883 	/* 64-bit index.  */
884 	elf_ar_hdr->ar_name = memcpy (elf->state.ar.ar_name, "/SYM64/", 8);
885       else if (ar_hdr->ar_name[1] == '/'
886 	       && memcmp (ar_hdr->ar_name, "//              ", 16) == 0)
887 	/* This is the array with the long names.  */
888 	elf_ar_hdr->ar_name = memcpy (elf->state.ar.ar_name, "//", 3);
889       else if (likely  (isdigit (ar_hdr->ar_name[1])))
890 	{
891 	  size_t offset;
892 
893 	  /* This is a long name.  First we have to read the long name
894 	     table, if this hasn't happened already.  */
895 	  if (unlikely (elf->state.ar.long_names == NULL
896 			&& read_long_names (elf) == NULL))
897 	    {
898 	      /* No long name table although it is reference.  The archive is
899 		 broken.  */
900 	      __libelf_seterrno (ELF_E_INVALID_ARCHIVE);
901 	      return -1;
902 	    }
903 
904 	  offset = atol (ar_hdr->ar_name + 1);
905 	  if (unlikely (offset >= elf->state.ar.long_names_len))
906 	    {
907 	      /* The index in the long name table is larger than the table.  */
908 	      __libelf_seterrno (ELF_E_INVALID_ARCHIVE);
909 	      return -1;
910 	    }
911 	  elf_ar_hdr->ar_name = elf->state.ar.long_names + offset;
912 	}
913       else
914 	{
915 	  /* This is none of the known special entries.  */
916 	  __libelf_seterrno (ELF_E_INVALID_ARCHIVE);
917 	  return -1;
918 	}
919     }
920   else
921     {
922       char *endp;
923 
924       /* It is a normal entry.  Copy over the name.  */
925       endp = (char *) memccpy (elf->state.ar.ar_name, ar_hdr->ar_name,
926 			       '/', 16);
927       if (endp != NULL)
928 	endp[-1] = '\0';
929       else
930 	{
931 	  /* In the old BSD style of archive, there is no / terminator.
932 	     Instead, there is space padding at the end of the name.  */
933 	  size_t i = 15;
934 	  do
935 	    elf->state.ar.ar_name[i] = '\0';
936 	  while (i > 0 && elf->state.ar.ar_name[--i] == ' ');
937 	}
938 
939       elf_ar_hdr->ar_name = elf->state.ar.ar_name;
940     }
941 
942   if (unlikely (ar_hdr->ar_size[0] == ' '))
943     /* Something is really wrong.  We cannot live without a size for
944        the member since it will not be possible to find the next
945        archive member.  */
946     {
947       __libelf_seterrno (ELF_E_INVALID_ARCHIVE);
948       return -1;
949     }
950 
951   /* Since there are no specialized functions to convert ASCII to
952      time_t, uid_t, gid_t, mode_t, and off_t we use either atol or
953      atoll depending on the size of the types.  We are also prepared
954      for the case where the whole field in the `struct ar_hdr' is
955      filled in which case we cannot simply use atol/l but instead have
956      to create a temporary copy.  */
957 
958 #define INT_FIELD(FIELD)						      \
959   do									      \
960     {									      \
961       char buf[sizeof (ar_hdr->FIELD) + 1];				      \
962       const char *string = ar_hdr->FIELD;				      \
963       if (ar_hdr->FIELD[sizeof (ar_hdr->FIELD) - 1] != ' ')		      \
964 	{								      \
965 	  *((char *) mempcpy (buf, ar_hdr->FIELD, sizeof (ar_hdr->FIELD)))  \
966 	    = '\0';							      \
967 	  string = buf;							      \
968 	}								      \
969       if (sizeof (elf_ar_hdr->FIELD) <= sizeof (long int))		      \
970 	elf_ar_hdr->FIELD = (__typeof (elf_ar_hdr->FIELD)) atol (string);     \
971       else								      \
972 	elf_ar_hdr->FIELD = (__typeof (elf_ar_hdr->FIELD)) atoll (string);    \
973     }									      \
974   while (0)
975 
976   INT_FIELD (ar_date);
977   INT_FIELD (ar_uid);
978   INT_FIELD (ar_gid);
979   INT_FIELD (ar_mode);
980   INT_FIELD (ar_size);
981 
982   if (elf_ar_hdr->ar_size < 0)
983     {
984       __libelf_seterrno (ELF_E_INVALID_ARCHIVE);
985       return -1;
986     }
987 
988   /* Truncated file?  */
989   size_t maxsize;
990   maxsize = (elf->start_offset + elf->maximum_size
991 	     - elf->state.ar.offset - sizeof (struct ar_hdr));
992   if ((size_t) elf_ar_hdr->ar_size > maxsize)
993     elf_ar_hdr->ar_size = maxsize;
994 
995   return 0;
996 }
997 
998 
999 /* We were asked to return a clone of an existing descriptor.  This
1000    function must be called with the lock on the parent descriptor
1001    being held. */
1002 static Elf *
dup_elf(int fildes,Elf_Cmd cmd,Elf * ref)1003 dup_elf (int fildes, Elf_Cmd cmd, Elf *ref)
1004 {
1005   struct Elf *result;
1006 
1007   if (fildes == -1)
1008     /* Allow the user to pass -1 as the file descriptor for the new file.  */
1009     fildes = ref->fildes;
1010   /* The file descriptor better should be the same.  If it was disconnected
1011      already (using `elf_cntl') we do not test it.  */
1012   else if (unlikely (ref->fildes != -1 && fildes != ref->fildes))
1013     {
1014       __libelf_seterrno (ELF_E_FD_MISMATCH);
1015       return NULL;
1016     }
1017 
1018   /* The mode must allow reading.  I.e., a descriptor creating with a
1019      command different then ELF_C_READ, ELF_C_WRITE and ELF_C_RDWR is
1020      not allowed.  */
1021   if (unlikely (ref->cmd != ELF_C_READ && ref->cmd != ELF_C_READ_MMAP
1022 		&& ref->cmd != ELF_C_WRITE && ref->cmd != ELF_C_WRITE_MMAP
1023 		&& ref->cmd != ELF_C_RDWR && ref->cmd != ELF_C_RDWR_MMAP
1024 		&& ref->cmd != ELF_C_READ_MMAP_PRIVATE))
1025     {
1026       __libelf_seterrno (ELF_E_INVALID_OP);
1027       return NULL;
1028     }
1029 
1030   /* Now it is time to distinguish between reading normal files and
1031      archives.  Normal files can easily be handled be incrementing the
1032      reference counter and return the same descriptor.  */
1033   if (ref->kind != ELF_K_AR)
1034     {
1035       ++ref->ref_count;
1036       return ref;
1037     }
1038 
1039   /* This is an archive.  We must create a descriptor for the archive
1040      member the internal pointer of the archive file desriptor is
1041      pointing to.  First read the header of the next member if this
1042      has not happened already.  */
1043   if (ref->state.ar.elf_ar_hdr.ar_name == NULL
1044       && __libelf_next_arhdr_wrlock (ref) != 0)
1045     /* Something went wrong.  Maybe there is no member left.  */
1046     return NULL;
1047 
1048   /* We have all the information we need about the next archive member.
1049      Now create a descriptor for it.  */
1050   result = read_file (fildes, ref->state.ar.offset + sizeof (struct ar_hdr),
1051 		      ref->state.ar.elf_ar_hdr.ar_size, cmd, ref);
1052 
1053   /* Enlist this new descriptor in the list of children.  */
1054   if (result != NULL)
1055     {
1056       result->next = ref->state.ar.children;
1057       ref->state.ar.children = result;
1058     }
1059 
1060   return result;
1061 }
1062 
1063 
1064 /* Return desriptor for empty file ready for writing.  */
1065 static struct Elf *
write_file(int fd,Elf_Cmd cmd)1066 write_file (int fd, Elf_Cmd cmd)
1067 {
1068   /* We simply create an empty `Elf' structure.  */
1069 #define NSCNSALLOC	10
1070   Elf *result = allocate_elf (fd, NULL, 0, 0, cmd, NULL, ELF_K_ELF,
1071 			      NSCNSALLOC * sizeof (Elf_Scn));
1072 
1073   if (result != NULL)
1074     {
1075       /* We have to write to the file in any case.  */
1076       result->flags = ELF_F_DIRTY;
1077 
1078       /* Some more or less arbitrary value.  */
1079       result->state.elf.scnincr = NSCNSALLOC;
1080 
1081       /* We have allocated room for some sections.  */
1082       assert (offsetof (struct Elf, state.elf32.scns)
1083 	      == offsetof (struct Elf, state.elf64.scns));
1084       result->state.elf.scns_last = &result->state.elf32.scns;
1085       result->state.elf32.scns.max = NSCNSALLOC;
1086     }
1087 
1088   return result;
1089 }
1090 
1091 /* Lock if necessary before dup an archive.  */
1092 static inline Elf *
lock_dup_elf(int fildes,Elf_Cmd cmd,Elf * ref)1093 lock_dup_elf (int fildes, Elf_Cmd cmd, Elf *ref)
1094 {
1095   /* We need wrlock to dup an archive.  */
1096   if (ref->kind == ELF_K_AR)
1097     {
1098       rwlock_unlock (ref->lock);
1099       rwlock_wrlock (ref->lock);
1100     }
1101     /* Duplicate the descriptor.  */
1102   return dup_elf (fildes, cmd, ref);
1103 }
1104 
1105 /* Return a descriptor for the file belonging to FILDES.  */
1106 Elf *
elf_begin(int fildes,Elf_Cmd cmd,Elf * ref)1107 elf_begin (int fildes, Elf_Cmd cmd, Elf *ref)
1108 {
1109   Elf *retval;
1110 
1111   if (unlikely (__libelf_version != EV_CURRENT))
1112     {
1113       /* Version wasn't set so far.  */
1114       __libelf_seterrno (ELF_E_NO_VERSION);
1115       return NULL;
1116     }
1117 
1118   if (ref != NULL)
1119     /* Make sure the descriptor is not suddenly going away.  */
1120     rwlock_rdlock (ref->lock);
1121   else if (unlikely (fcntl (fildes, F_GETFD) == -1 && errno == EBADF))
1122     {
1123       /* We cannot do anything productive without a file descriptor.  */
1124       __libelf_seterrno (ELF_E_INVALID_FILE);
1125       return NULL;
1126     }
1127 
1128   switch (cmd)
1129     {
1130     case ELF_C_NULL:
1131       /* We simply return a NULL pointer.  */
1132       retval = NULL;
1133       break;
1134 
1135     case ELF_C_READ_MMAP_PRIVATE:
1136       /* If we have a reference it must also be opened this way.  */
1137       if (unlikely (ref != NULL && ref->cmd != ELF_C_READ_MMAP_PRIVATE))
1138 	{
1139 	  __libelf_seterrno (ELF_E_INVALID_CMD);
1140 	  retval = NULL;
1141 	  break;
1142 	}
1143       FALLTHROUGH;
1144 
1145     case ELF_C_READ:
1146     case ELF_C_READ_MMAP:
1147       if (ref != NULL)
1148 	retval = lock_dup_elf (fildes, cmd, ref);
1149       else
1150 	/* Create descriptor for existing file.  */
1151 	retval = read_file (fildes, 0, ~((size_t) 0), cmd, NULL);
1152       break;
1153 
1154     case ELF_C_RDWR:
1155     case ELF_C_RDWR_MMAP:
1156       /* If we have a REF object it must also be opened using this
1157 	 command.  */
1158       if (ref != NULL)
1159 	{
1160 	  if (unlikely (ref->cmd != ELF_C_RDWR && ref->cmd != ELF_C_RDWR_MMAP
1161 			&& ref->cmd != ELF_C_WRITE
1162 			&& ref->cmd != ELF_C_WRITE_MMAP))
1163 	    {
1164 	      /* This is not ok.  REF must also be opened for writing.  */
1165 	      __libelf_seterrno (ELF_E_INVALID_CMD);
1166 	      retval = NULL;
1167 	    }
1168 	  else
1169 	    retval = lock_dup_elf (fildes, cmd, ref);
1170 	}
1171       else
1172 	/* Create descriptor for existing file.  */
1173 	retval = read_file (fildes, 0, ~((size_t) 0), cmd, NULL);
1174       break;
1175 
1176     case ELF_C_WRITE:
1177     case ELF_C_WRITE_MMAP:
1178       /* We ignore REF and prepare a descriptor to write a new file.  */
1179       retval = write_file (fildes, cmd);
1180       break;
1181 
1182     default:
1183       __libelf_seterrno (ELF_E_INVALID_CMD);
1184       retval = NULL;
1185       break;
1186     }
1187 
1188   /* Release the lock.  */
1189   if (ref != NULL)
1190     rwlock_unlock (ref->lock);
1191 
1192   return retval;
1193 }
1194 INTDEF(elf_begin)
1195