1 /* Pedantic checking of ELF files compliance with gABI/psABI spec.
2    Copyright (C) 2001-2015, 2017, 2018 Red Hat, Inc.
3    This file is part of elfutils.
4    Written by Ulrich Drepper <drepper@redhat.com>, 2001.
5 
6    This file is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License as published by
8    the Free Software Foundation; either version 3 of the License, or
9    (at your option) any later version.
10 
11    elfutils is distributed in the hope that it will be useful, but
12    WITHOUT ANY WARRANTY; without even the implied warranty of
13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14    GNU General Public License for more details.
15 
16    You should have received a copy of the GNU General Public License
17    along with this program.  If not, see <http://www.gnu.org/licenses/>.  */
18 
19 #ifdef HAVE_CONFIG_H
20 # include <config.h>
21 #endif
22 
23 #include <argp.h>
24 #include <assert.h>
25 #include <byteswap.h>
26 #include <endian.h>
27 #include <fcntl.h>
28 #include <gelf.h>
29 #include <inttypes.h>
30 #include <libintl.h>
31 #include <locale.h>
32 #include <stdbool.h>
33 #include <stdlib.h>
34 #include <string.h>
35 #include <unistd.h>
36 #include <sys/stat.h>
37 
38 #include <elf-knowledge.h>
39 #include <libeu.h>
40 #include <system.h>
41 #include <printversion.h>
42 #include "../libelf/libelfP.h"
43 #include "../libelf/common.h"
44 #include "../libebl/libeblP.h"
45 #include "../libdw/libdwP.h"
46 #include "../libdwfl/libdwflP.h"
47 #include "../libdw/memory-access.h"
48 
49 
50 /* Name and version of program.  */
51 ARGP_PROGRAM_VERSION_HOOK_DEF = print_version;
52 
53 /* Bug report address.  */
54 ARGP_PROGRAM_BUG_ADDRESS_DEF = PACKAGE_BUGREPORT;
55 
56 #define ARGP_strict	300
57 #define ARGP_gnuld	301
58 
59 /* Definitions of arguments for argp functions.  */
60 static const struct argp_option options[] =
61 {
62   { "strict", ARGP_strict, NULL, 0,
63     N_("Be extremely strict, flag level 2 features."), 0 },
64   { "quiet", 'q', NULL, 0, N_("Do not print anything if successful"), 0 },
65   { "debuginfo", 'd', NULL, 0, N_("Binary is a separate debuginfo file"), 0 },
66   { "gnu-ld", ARGP_gnuld, NULL, 0,
67     N_("Binary has been created with GNU ld and is therefore known to be \
68 broken in certain ways"), 0 },
69   { NULL, 0, NULL, 0, NULL, 0 }
70 };
71 
72 /* Short description of program.  */
73 static const char doc[] = N_("\
74 Pedantic checking of ELF files compliance with gABI/psABI spec.");
75 
76 /* Strings for arguments in help texts.  */
77 static const char args_doc[] = N_("FILE...");
78 
79 /* Prototype for option handler.  */
80 static error_t parse_opt (int key, char *arg, struct argp_state *state);
81 
82 /* Data structure to communicate with argp functions.  */
83 static struct argp argp =
84 {
85   options, parse_opt, args_doc, doc, NULL, NULL, NULL
86 };
87 
88 
89 /* Declarations of local functions.  */
90 static void process_file (int fd, Elf *elf, const char *prefix,
91 			  const char *suffix, const char *fname, size_t size,
92 			  bool only_one);
93 static void process_elf_file (Elf *elf, const char *prefix, const char *suffix,
94 			      const char *fname, size_t size, bool only_one);
95 static void check_note_section (Ebl *ebl, GElf_Ehdr *ehdr,
96 				GElf_Shdr *shdr, int idx);
97 
98 
99 /* Report an error.  */
100 #define ERROR(str, args...) \
101   do {									      \
102     printf (str, ##args);						      \
103     ++error_count;							      \
104   } while (0)
105 static unsigned int error_count;
106 
107 /* True if we should perform very strict testing.  */
108 static bool be_strict;
109 
110 /* True if no message is to be printed if the run is successful.  */
111 static bool be_quiet;
112 
113 /* True if binary is from strip -f, not a normal ELF file.  */
114 static bool is_debuginfo;
115 
116 /* True if binary is assumed to be generated with GNU ld.  */
117 static bool gnuld;
118 
119 /* Index of section header string table.  */
120 static uint32_t shstrndx;
121 
122 /* Array to count references in section groups.  */
123 static int *scnref;
124 
125 /* Numbers of sections and program headers.  */
126 static unsigned int shnum;
127 static unsigned int phnum;
128 
129 
130 int
main(int argc,char * argv[])131 main (int argc, char *argv[])
132 {
133   /* Set locale.  */
134   setlocale (LC_ALL, "");
135 
136   /* Initialize the message catalog.  */
137   textdomain (PACKAGE_TARNAME);
138 
139   /* Parse and process arguments.  */
140   int remaining;
141   argp_parse (&argp, argc, argv, 0, &remaining, NULL);
142 
143   /* Before we start tell the ELF library which version we are using.  */
144   elf_version (EV_CURRENT);
145 
146   /* Now process all the files given at the command line.  */
147   bool only_one = remaining + 1 == argc;
148   do
149     {
150       /* Open the file.  */
151       int fd = open (argv[remaining], O_RDONLY);
152       if (fd == -1)
153 	{
154 	  error (0, errno, _("cannot open input file '%s'"), argv[remaining]);
155 	  continue;
156 	}
157 
158       /* Create an `Elf' descriptor.  */
159       Elf *elf = elf_begin (fd, ELF_C_READ_MMAP, NULL);
160       if (elf == NULL)
161 	ERROR (_("cannot generate Elf descriptor for '%s': %s\n"),
162 	       argv[remaining], elf_errmsg (-1));
163       else
164 	{
165 	  unsigned int prev_error_count = error_count;
166 	  struct stat st;
167 
168 	  if (fstat (fd, &st) != 0)
169 	    {
170 	      printf ("cannot stat '%s': %m\n", argv[remaining]);
171 	      close (fd);
172 	      continue;
173 	    }
174 
175 	  process_file (fd, elf, NULL, NULL, argv[remaining], st.st_size,
176 			only_one);
177 
178 	  /* Now we can close the descriptor.  */
179 	  if (elf_end (elf) != 0)
180 	    ERROR (_("error while closing Elf descriptor: %s\n"),
181 		   elf_errmsg (-1));
182 
183 	  if (prev_error_count == error_count && !be_quiet)
184 	    puts (_("No errors"));
185 	}
186 
187       close (fd);
188     }
189   while (++remaining < argc);
190 
191   return error_count != 0;
192 }
193 
194 
195 /* Handle program arguments.  */
196 static error_t
parse_opt(int key,char * arg,struct argp_state * state)197 parse_opt (int key, char *arg __attribute__ ((unused)),
198 	   struct argp_state *state __attribute__ ((unused)))
199 {
200   switch (key)
201     {
202     case ARGP_strict:
203       be_strict = true;
204       break;
205 
206     case 'q':
207       be_quiet = true;
208       break;
209 
210     case 'd':
211       is_debuginfo = true;
212       break;
213 
214     case ARGP_gnuld:
215       gnuld = true;
216       break;
217 
218     case ARGP_KEY_NO_ARGS:
219       fputs (_("Missing file name.\n"), stderr);
220       argp_help (&argp, stderr, ARGP_HELP_SEE, program_invocation_short_name);
221       exit (EXIT_FAILURE);
222 
223     default:
224       return ARGP_ERR_UNKNOWN;
225     }
226   return 0;
227 }
228 
229 
230 /* Process one file.  */
231 static void
process_file(int fd,Elf * elf,const char * prefix,const char * suffix,const char * fname,size_t size,bool only_one)232 process_file (int fd, Elf *elf, const char *prefix, const char *suffix,
233 	      const char *fname, size_t size, bool only_one)
234 {
235   /* We can handle two types of files: ELF files and archives.  */
236   Elf_Kind kind = elf_kind (elf);
237 
238   switch (kind)
239     {
240     case ELF_K_ELF:
241       /* Yes!  It's an ELF file.  */
242       process_elf_file (elf, prefix, suffix, fname, size, only_one);
243       break;
244 
245     case ELF_K_AR:
246       {
247 	Elf *subelf;
248 	Elf_Cmd cmd = ELF_C_READ_MMAP;
249 	size_t prefix_len = prefix == NULL ? 0 : strlen (prefix);
250 	size_t fname_len = strlen (fname) + 1;
251 	char new_prefix[prefix_len + 1 + fname_len];
252 	char new_suffix[(suffix == NULL ? 0 : strlen (suffix)) + 2];
253 	char *cp = new_prefix;
254 
255 	/* Create the full name of the file.  */
256 	if (prefix != NULL)
257 	  {
258 	    cp = mempcpy (cp, prefix, prefix_len);
259 	    *cp++ = '(';
260 	    strcpy (stpcpy (new_suffix, suffix), ")");
261 	  }
262 	else
263 	  new_suffix[0] = '\0';
264 	memcpy (cp, fname, fname_len);
265 
266 	/* It's an archive.  We process each file in it.  */
267 	while ((subelf = elf_begin (fd, cmd, elf)) != NULL)
268 	  {
269 	    kind = elf_kind (subelf);
270 
271 	    /* Call this function recursively.  */
272 	    if (kind == ELF_K_ELF || kind == ELF_K_AR)
273 	      {
274 		Elf_Arhdr *arhdr = elf_getarhdr (subelf);
275 		assert (arhdr != NULL);
276 
277 		process_file (fd, subelf, new_prefix, new_suffix,
278 			      arhdr->ar_name, arhdr->ar_size, false);
279 	      }
280 
281 	    /* Get next archive element.  */
282 	    cmd = elf_next (subelf);
283 	    if (elf_end (subelf) != 0)
284 	      ERROR (_(" error while freeing sub-ELF descriptor: %s\n"),
285 		     elf_errmsg (-1));
286 	  }
287       }
288       break;
289 
290     default:
291       /* We cannot do anything.  */
292       ERROR (_("\
293 Not an ELF file - it has the wrong magic bytes at the start\n"));
294       break;
295     }
296 }
297 
298 
299 static const char *
section_name(Ebl * ebl,int idx)300 section_name (Ebl *ebl, int idx)
301 {
302   GElf_Shdr shdr_mem;
303   GElf_Shdr *shdr;
304   const char *ret;
305 
306   if ((unsigned int) idx > shnum)
307     return "<invalid>";
308 
309   shdr = gelf_getshdr (elf_getscn (ebl->elf, idx), &shdr_mem);
310   if (shdr == NULL)
311     return "<invalid>";
312 
313   ret = elf_strptr (ebl->elf, shstrndx, shdr->sh_name);
314   if (ret == NULL)
315     return "<invalid>";
316   return ret;
317 }
318 
319 
320 static const int valid_e_machine[] =
321   {
322     EM_M32, EM_SPARC, EM_386, EM_68K, EM_88K, EM_860, EM_MIPS, EM_S370,
323     EM_MIPS_RS3_LE, EM_PARISC, EM_VPP500, EM_SPARC32PLUS, EM_960, EM_PPC,
324     EM_PPC64, EM_S390, EM_V800, EM_FR20, EM_RH32, EM_RCE, EM_ARM,
325     EM_FAKE_ALPHA, EM_SH, EM_SPARCV9, EM_TRICORE, EM_ARC, EM_H8_300,
326     EM_H8_300H, EM_H8S, EM_H8_500, EM_IA_64, EM_MIPS_X, EM_COLDFIRE,
327     EM_68HC12, EM_MMA, EM_PCP, EM_NCPU, EM_NDR1, EM_STARCORE, EM_ME16,
328     EM_ST100, EM_TINYJ, EM_X86_64, EM_PDSP, EM_FX66, EM_ST9PLUS, EM_ST7,
329     EM_68HC16, EM_68HC11, EM_68HC08, EM_68HC05, EM_SVX, EM_ST19, EM_VAX,
330     EM_CRIS, EM_JAVELIN, EM_FIREPATH, EM_ZSP, EM_MMIX, EM_HUANY, EM_PRISM,
331     EM_AVR, EM_FR30, EM_D10V, EM_D30V, EM_V850, EM_M32R, EM_MN10300,
332     EM_MN10200, EM_PJ, EM_OPENRISC, EM_ARC_A5, EM_XTENSA, EM_ALPHA,
333     EM_TILEGX, EM_TILEPRO, EM_AARCH64, EM_BPF, EM_RISCV, EM_CSKY
334   };
335 #define nvalid_e_machine \
336   (sizeof (valid_e_machine) / sizeof (valid_e_machine[0]))
337 
338 
339 static void
check_elf_header(Ebl * ebl,GElf_Ehdr * ehdr,size_t size)340 check_elf_header (Ebl *ebl, GElf_Ehdr *ehdr, size_t size)
341 {
342   char buf[512];
343   size_t cnt;
344 
345   /* Check e_ident field.  */
346   if (ehdr->e_ident[EI_MAG0] != ELFMAG0)
347     ERROR ("e_ident[%d] != '%c'\n", EI_MAG0, ELFMAG0);
348   if (ehdr->e_ident[EI_MAG1] != ELFMAG1)
349     ERROR ("e_ident[%d] != '%c'\n", EI_MAG1, ELFMAG1);
350   if (ehdr->e_ident[EI_MAG2] != ELFMAG2)
351     ERROR ("e_ident[%d] != '%c'\n", EI_MAG2, ELFMAG2);
352   if (ehdr->e_ident[EI_MAG3] != ELFMAG3)
353     ERROR ("e_ident[%d] != '%c'\n", EI_MAG3, ELFMAG3);
354 
355   if (ehdr->e_ident[EI_CLASS] != ELFCLASS32
356       && ehdr->e_ident[EI_CLASS] != ELFCLASS64)
357     ERROR (_("e_ident[%d] == %d is no known class\n"),
358 	   EI_CLASS, ehdr->e_ident[EI_CLASS]);
359 
360   if (ehdr->e_ident[EI_DATA] != ELFDATA2LSB
361       && ehdr->e_ident[EI_DATA] != ELFDATA2MSB)
362     ERROR (_("e_ident[%d] == %d is no known data encoding\n"),
363 	   EI_DATA, ehdr->e_ident[EI_DATA]);
364 
365   if (ehdr->e_ident[EI_VERSION] != EV_CURRENT)
366     ERROR (_("unknown ELF header version number e_ident[%d] == %d\n"),
367 	   EI_VERSION, ehdr->e_ident[EI_VERSION]);
368 
369   /* We currently don't handle any OS ABIs other than Linux and the
370      kFreeBSD variant of Debian.  */
371   if (ehdr->e_ident[EI_OSABI] != ELFOSABI_NONE
372       && ehdr->e_ident[EI_OSABI] != ELFOSABI_LINUX
373       && ehdr->e_ident[EI_OSABI] != ELFOSABI_FREEBSD)
374     ERROR (_("unsupported OS ABI e_ident[%d] == '%s'\n"),
375 	   EI_OSABI,
376 	   ebl_osabi_name (ebl, ehdr->e_ident[EI_OSABI], buf, sizeof (buf)));
377 
378   /* No ABI versions other than zero are supported either.  */
379   if (ehdr->e_ident[EI_ABIVERSION] != 0)
380     ERROR (_("unsupported ABI version e_ident[%d] == %d\n"),
381 	   EI_ABIVERSION, ehdr->e_ident[EI_ABIVERSION]);
382 
383   for (cnt = EI_PAD; cnt < EI_NIDENT; ++cnt)
384     if (ehdr->e_ident[cnt] != 0)
385       ERROR (_("e_ident[%zu] is not zero\n"), cnt);
386 
387   /* Check the e_type field.  */
388   if (ehdr->e_type != ET_REL && ehdr->e_type != ET_EXEC
389       && ehdr->e_type != ET_DYN && ehdr->e_type != ET_CORE)
390     ERROR (_("unknown object file type %d\n"), ehdr->e_type);
391 
392   /* Check the e_machine field.  */
393   for (cnt = 0; cnt < nvalid_e_machine; ++cnt)
394     if (valid_e_machine[cnt] == ehdr->e_machine)
395       break;
396   if (cnt == nvalid_e_machine)
397     ERROR (_("unknown machine type %d\n"), ehdr->e_machine);
398 
399   /* Check the e_version field.  */
400   if (ehdr->e_version != EV_CURRENT)
401     ERROR (_("unknown object file version\n"));
402 
403   /* Check the e_phoff and e_phnum fields.  */
404   if (ehdr->e_phoff == 0)
405     {
406       if (ehdr->e_phnum != 0)
407 	ERROR (_("invalid program header offset\n"));
408       else if (ehdr->e_type == ET_EXEC || ehdr->e_type == ET_DYN)
409 	ERROR (_("\
410 executables and DSOs cannot have zero program header offset\n"));
411     }
412   else if (ehdr->e_phnum == 0)
413     ERROR (_("invalid number of program header entries\n"));
414 
415   /* Check the e_shoff field.  */
416   shnum = ehdr->e_shnum;
417   shstrndx = ehdr->e_shstrndx;
418   if (ehdr->e_shoff == 0)
419     {
420       if (ehdr->e_shnum != 0)
421 	ERROR (_("invalid section header table offset\n"));
422       else if (ehdr->e_type != ET_EXEC && ehdr->e_type != ET_DYN
423 	       && ehdr->e_type != ET_CORE)
424 	ERROR (_("section header table must be present\n"));
425     }
426   else
427     {
428       if (ehdr->e_shnum == 0)
429 	{
430 	  /* Get the header of the zeroth section.  The sh_size field
431 	     might contain the section number.  */
432 	  GElf_Shdr shdr_mem;
433 	  GElf_Shdr *shdr = gelf_getshdr (elf_getscn (ebl->elf, 0), &shdr_mem);
434 	  if (shdr != NULL)
435 	    {
436 	      /* The error will be reported later.  */
437 	      if (shdr->sh_size == 0)
438 		ERROR (_("\
439 invalid number of section header table entries\n"));
440 	      else
441 		shnum = shdr->sh_size;
442 	    }
443 	}
444 
445       if (ehdr->e_shstrndx == SHN_XINDEX)
446 	{
447 	  /* Get the header of the zeroth section.  The sh_size field
448 	     might contain the section number.  */
449 	  GElf_Shdr shdr_mem;
450 	  GElf_Shdr *shdr = gelf_getshdr (elf_getscn (ebl->elf, 0), &shdr_mem);
451 	  if (shdr != NULL && shdr->sh_link < shnum)
452 	    shstrndx = shdr->sh_link;
453 	}
454       else if (shstrndx >= shnum)
455 	ERROR (_("invalid section header index\n"));
456     }
457 
458   /* Check the shdrs actually exist.  And uncompress them before
459      further checking.  Indexes between sections reference the
460      uncompressed data.  */
461   unsigned int scnt;
462   Elf_Scn *scn = NULL;
463   for (scnt = 1; scnt < shnum; ++scnt)
464      {
465 	scn = elf_nextscn (ebl->elf, scn);
466 	if (scn == NULL)
467 	  break;
468 	/* If the section wasn't compressed this does nothing, but
469 	   returns an error.  We don't care.  */
470 	if (elf_compress (scn, 0, 0) < 0) { ; }
471      }
472   if (scnt < shnum)
473     ERROR (_("Can only check %u headers, shnum was %u\n"), scnt, shnum);
474   shnum = scnt;
475 
476   phnum = ehdr->e_phnum;
477   if (ehdr->e_phnum == PN_XNUM)
478     {
479       /* Get the header of the zeroth section.  The sh_info field
480 	 might contain the phnum count.  */
481       GElf_Shdr shdr_mem;
482       GElf_Shdr *shdr = gelf_getshdr (elf_getscn (ebl->elf, 0), &shdr_mem);
483       if (shdr != NULL)
484 	{
485 	  /* The error will be reported later.  */
486 	  if (shdr->sh_info < PN_XNUM)
487 	    ERROR (_("\
488 invalid number of program header table entries\n"));
489 	  else
490 	    phnum = shdr->sh_info;
491 	}
492     }
493 
494   /* Check the phdrs actually exist. */
495   unsigned int pcnt;
496   for (pcnt = 0; pcnt < phnum; ++pcnt)
497      {
498 	GElf_Phdr phdr_mem;
499 	GElf_Phdr *phdr = gelf_getphdr (ebl->elf, pcnt, &phdr_mem);
500 	if (phdr == NULL)
501 	  break;
502      }
503   if (pcnt < phnum)
504     ERROR (_("Can only check %u headers, phnum was %u\n"), pcnt, phnum);
505   phnum = pcnt;
506 
507   /* Check the e_flags field.  */
508   if (!ebl_machine_flag_check (ebl, ehdr->e_flags))
509     ERROR (_("invalid machine flags: %s\n"),
510 	   ebl_machine_flag_name (ebl, ehdr->e_flags, buf, sizeof (buf)));
511 
512   /* Check e_ehsize, e_phentsize, and e_shentsize fields.  */
513   if (gelf_getclass (ebl->elf) == ELFCLASS32)
514     {
515       if (ehdr->e_ehsize != 0 && ehdr->e_ehsize != sizeof (Elf32_Ehdr))
516 	ERROR (_("invalid ELF header size: %hd\n"), ehdr->e_ehsize);
517 
518       if (ehdr->e_phentsize != 0 && ehdr->e_phentsize != sizeof (Elf32_Phdr))
519 	ERROR (_("invalid program header size: %hd\n"),
520 	       ehdr->e_phentsize);
521       else if (ehdr->e_phoff + phnum * ehdr->e_phentsize > size)
522 	ERROR (_("invalid program header position or size\n"));
523 
524       if (ehdr->e_shentsize != 0 && ehdr->e_shentsize != sizeof (Elf32_Shdr))
525 	ERROR (_("invalid section header size: %hd\n"),
526 	       ehdr->e_shentsize);
527       else if (ehdr->e_shoff + shnum * ehdr->e_shentsize > size)
528 	ERROR (_("invalid section header position or size\n"));
529     }
530   else if (gelf_getclass (ebl->elf) == ELFCLASS64)
531     {
532       if (ehdr->e_ehsize != 0 && ehdr->e_ehsize != sizeof (Elf64_Ehdr))
533 	ERROR (_("invalid ELF header size: %hd\n"), ehdr->e_ehsize);
534 
535       if (ehdr->e_phentsize != 0 && ehdr->e_phentsize != sizeof (Elf64_Phdr))
536 	ERROR (_("invalid program header size: %hd\n"),
537 	       ehdr->e_phentsize);
538       else if (ehdr->e_phoff + phnum * ehdr->e_phentsize > size)
539 	ERROR (_("invalid program header position or size\n"));
540 
541       if (ehdr->e_shentsize != 0 && ehdr->e_shentsize != sizeof (Elf64_Shdr))
542 	ERROR (_("invalid section header size: %hd\n"),
543 	       ehdr->e_shentsize);
544       else if (ehdr->e_shoff + shnum * ehdr->e_shentsize > size)
545 	ERROR (_("invalid section header position or size\n"));
546     }
547 }
548 
549 
550 /* Check that there is a section group section with index < IDX which
551    contains section IDX and that there is exactly one.  */
552 static void
check_scn_group(Ebl * ebl,int idx)553 check_scn_group (Ebl *ebl, int idx)
554 {
555   if (scnref[idx] == 0)
556     {
557       /* No reference so far.  Search following sections, maybe the
558 	 order is wrong.  */
559       size_t cnt;
560 
561       for (cnt = idx + 1; cnt < shnum; ++cnt)
562 	{
563 	  Elf_Scn *scn = elf_getscn (ebl->elf, cnt);
564 	  GElf_Shdr shdr_mem;
565 	  GElf_Shdr *shdr = gelf_getshdr (scn, &shdr_mem);
566 	  if (shdr == NULL)
567 	    /* We cannot get the section header so we cannot check it.
568 	       The error to get the section header will be shown
569 	       somewhere else.  */
570 	    continue;
571 
572 	  if (shdr->sh_type != SHT_GROUP)
573 	    continue;
574 
575 	  Elf_Data *data = elf_getdata (scn, NULL);
576 	  if (data == NULL || data->d_buf == NULL
577 	      || data->d_size < sizeof (Elf32_Word))
578 	    /* Cannot check the section.  */
579 	    continue;
580 
581 	  Elf32_Word *grpdata = (Elf32_Word *) data->d_buf;
582 	  for (size_t inner = 1; inner < data->d_size / sizeof (Elf32_Word);
583 	       ++inner)
584 	    if (grpdata[inner] == (Elf32_Word) idx)
585 	      goto out;
586 	}
587 
588     out:
589       if (cnt == shnum)
590 	ERROR (_("\
591 section [%2d] '%s': section with SHF_GROUP flag set not part of a section group\n"),
592 	       idx, section_name (ebl, idx));
593       else
594 	ERROR (_("\
595 section [%2d] '%s': section group [%2zu] '%s' does not precede group member\n"),
596 	       idx, section_name (ebl, idx),
597 	       cnt, section_name (ebl, cnt));
598     }
599 }
600 
601 
602 static void
check_symtab(Ebl * ebl,GElf_Ehdr * ehdr,GElf_Shdr * shdr,int idx)603 check_symtab (Ebl *ebl, GElf_Ehdr *ehdr, GElf_Shdr *shdr, int idx)
604 {
605   bool no_xndx_warned = false;
606   int no_pt_tls = 0;
607   Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
608   if (data == NULL)
609     {
610       ERROR (_("section [%2d] '%s': cannot get section data\n"),
611 	     idx, section_name (ebl, idx));
612       return;
613     }
614 
615   GElf_Shdr strshdr_mem;
616   GElf_Shdr *strshdr = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
617 				     &strshdr_mem);
618   if (strshdr == NULL)
619     return;
620 
621   if (strshdr->sh_type != SHT_STRTAB)
622     {
623       ERROR (_("section [%2d] '%s': referenced as string table for section [%2d] '%s' but type is not SHT_STRTAB\n"),
624 	     shdr->sh_link, section_name (ebl, shdr->sh_link),
625 	     idx, section_name (ebl, idx));
626       strshdr = NULL;
627     }
628 
629   /* Search for an extended section index table section.  */
630   Elf_Data *xndxdata = NULL;
631   Elf32_Word xndxscnidx = 0;
632   bool found_xndx = false;
633   for (size_t cnt = 1; cnt < shnum; ++cnt)
634     if (cnt != (size_t) idx)
635       {
636 	Elf_Scn *xndxscn = elf_getscn (ebl->elf, cnt);
637 	GElf_Shdr xndxshdr_mem;
638 	GElf_Shdr *xndxshdr = gelf_getshdr (xndxscn, &xndxshdr_mem);
639 	if (xndxshdr == NULL)
640 	  continue;
641 
642 	if (xndxshdr->sh_type == SHT_SYMTAB_SHNDX
643 	    && xndxshdr->sh_link == (GElf_Word) idx)
644 	  {
645 	    if (found_xndx)
646 	      ERROR (_("\
647 section [%2d] '%s': symbol table cannot have more than one extended index section\n"),
648 		     idx, section_name (ebl, idx));
649 
650 	    xndxdata = elf_getdata (xndxscn, NULL);
651 	    xndxscnidx = elf_ndxscn (xndxscn);
652 	    found_xndx = true;
653 	  }
654       }
655 
656   size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_SYM, 1, EV_CURRENT);
657   if (shdr->sh_entsize != sh_entsize)
658     ERROR (_("\
659 section [%2u] '%s': entry size is does not match ElfXX_Sym\n"),
660 	   idx, section_name (ebl, idx));
661   else if (shdr->sh_info > shdr->sh_size / sh_entsize)
662     ERROR (_("\
663 section [%2u] '%s': number of local entries in 'st_info' larger than table size\n"),
664 	   idx, section_name (ebl, idx));
665 
666   /* Test the zeroth entry.  */
667   GElf_Sym sym_mem;
668   Elf32_Word xndx;
669   GElf_Sym *sym = gelf_getsymshndx (data, xndxdata, 0, &sym_mem, &xndx);
670   if (sym == NULL)
671       ERROR (_("section [%2d] '%s': cannot get symbol %d: %s\n"),
672 	     idx, section_name (ebl, idx), 0, elf_errmsg (-1));
673   else
674     {
675       if (sym->st_name != 0)
676 	ERROR (_("section [%2d] '%s': '%s' in zeroth entry not zero\n"),
677 	       idx, section_name (ebl, idx), "st_name");
678       if (sym->st_value != 0)
679 	ERROR (_("section [%2d] '%s': '%s' in zeroth entry not zero\n"),
680 	       idx, section_name (ebl, idx), "st_value");
681       if (sym->st_size != 0)
682 	ERROR (_("section [%2d] '%s': '%s' in zeroth entry not zero\n"),
683 	       idx, section_name (ebl, idx), "st_size");
684       if (sym->st_info != 0)
685 	ERROR (_("section [%2d] '%s': '%s' in zeroth entry not zero\n"),
686 	       idx, section_name (ebl, idx), "st_info");
687       if (sym->st_other != 0)
688 	ERROR (_("section [%2d] '%s': '%s' in zeroth entry not zero\n"),
689 	       idx, section_name (ebl, idx), "st_other");
690       if (sym->st_shndx != 0)
691 	ERROR (_("section [%2d] '%s': '%s' in zeroth entry not zero\n"),
692 	       idx, section_name (ebl, idx), "st_shndx");
693       if (xndxdata != NULL && xndx != 0)
694 	ERROR (_("\
695 section [%2d] '%s': XINDEX for zeroth entry not zero\n"),
696 	       xndxscnidx, section_name (ebl, xndxscnidx));
697     }
698 
699   for (size_t cnt = 1; cnt < shdr->sh_size / sh_entsize; ++cnt)
700     {
701       sym = gelf_getsymshndx (data, xndxdata, cnt, &sym_mem, &xndx);
702       if (sym == NULL)
703 	{
704 	  ERROR (_("section [%2d] '%s': cannot get symbol %zu: %s\n"),
705 		 idx, section_name (ebl, idx), cnt, elf_errmsg (-1));
706 	  continue;
707 	}
708 
709       const char *name = "<invalid>";
710       if (strshdr == NULL)
711 	name = "";
712       else if (sym->st_name >= strshdr->sh_size)
713 	ERROR (_("\
714 section [%2d] '%s': symbol %zu: invalid name value\n"),
715 	       idx, section_name (ebl, idx), cnt);
716       else
717 	{
718 	  name = elf_strptr (ebl->elf, shdr->sh_link, sym->st_name);
719 	  if (name == NULL)
720 	    name = "";
721 	}
722 
723       if (sym->st_shndx == SHN_XINDEX)
724 	{
725 	  if (xndxdata == NULL)
726 	    {
727 	      if (!no_xndx_warned)
728 		ERROR (_("\
729 section [%2d] '%s': symbol %zu (%s): too large section index but no extended section index section\n"),
730 		       idx, section_name (ebl, idx), cnt, name);
731 	      no_xndx_warned = true;
732 	    }
733 	  else if (xndx < SHN_LORESERVE)
734 	    ERROR (_("\
735 section [%2d] '%s': symbol %zu (%s): XINDEX used for index which would fit in st_shndx (%" PRIu32 ")\n"),
736 		   xndxscnidx, section_name (ebl, xndxscnidx), cnt, name,
737 		   xndx);
738 	}
739       else if ((sym->st_shndx >= SHN_LORESERVE
740 		// && sym->st_shndx <= SHN_HIRESERVE    always true
741 		&& sym->st_shndx != SHN_ABS
742 		&& sym->st_shndx != SHN_COMMON)
743 	       || (sym->st_shndx >= shnum
744 		   && (sym->st_shndx < SHN_LORESERVE
745 		       /* || sym->st_shndx > SHN_HIRESERVE  always false */)))
746 	ERROR (_("\
747 section [%2d] '%s': symbol %zu (%s): invalid section index\n"),
748 	       idx, section_name (ebl, idx), cnt, name);
749       else
750 	xndx = sym->st_shndx;
751 
752       if (GELF_ST_TYPE (sym->st_info) >= STT_NUM
753 	  && !ebl_symbol_type_name (ebl, GELF_ST_TYPE (sym->st_info), NULL, 0))
754 	ERROR (_("section [%2d] '%s': symbol %zu (%s): unknown type\n"),
755 	       idx, section_name (ebl, idx), cnt, name);
756 
757       if (GELF_ST_BIND (sym->st_info) >= STB_NUM
758 	  && !ebl_symbol_binding_name (ebl, GELF_ST_BIND (sym->st_info), NULL,
759 				       0))
760 	ERROR (_("\
761 section [%2d] '%s': symbol %zu (%s): unknown symbol binding\n"),
762 	       idx, section_name (ebl, idx), cnt, name);
763       if (GELF_ST_BIND (sym->st_info) == STB_GNU_UNIQUE
764 	  && GELF_ST_TYPE (sym->st_info) != STT_OBJECT)
765 	ERROR (_("\
766 section [%2d] '%s': symbol %zu (%s): unique symbol not of object type\n"),
767 	       idx, section_name (ebl, idx), cnt, name);
768 
769       if (xndx == SHN_COMMON)
770 	{
771 	  /* Common symbols can only appear in relocatable files.  */
772 	  if (ehdr->e_type != ET_REL)
773 	    ERROR (_("\
774 section [%2d] '%s': symbol %zu (%s): COMMON only allowed in relocatable files\n"),
775 		   idx, section_name (ebl, idx), cnt, name);
776 	  if (cnt < shdr->sh_info)
777 	    ERROR (_("\
778 section [%2d] '%s': symbol %zu (%s): local COMMON symbols are nonsense\n"),
779 		   idx, section_name (ebl, idx), cnt, name);
780 	  if (GELF_R_TYPE (sym->st_info) == STT_FUNC)
781 	    ERROR (_("\
782 section [%2d] '%s': symbol %zu (%s): function in COMMON section is nonsense\n"),
783 		   idx, section_name (ebl, idx), cnt, name);
784 	}
785       else if (xndx > 0 && xndx < shnum)
786 	{
787 	  GElf_Shdr destshdr_mem;
788 	  GElf_Shdr *destshdr;
789 
790 	  destshdr = gelf_getshdr (elf_getscn (ebl->elf, xndx), &destshdr_mem);
791 	  if (destshdr != NULL)
792 	    {
793 	      GElf_Addr sh_addr = (ehdr->e_type == ET_REL ? 0
794 				   : destshdr->sh_addr);
795 	      GElf_Addr st_value;
796 	      if (GELF_ST_TYPE (sym->st_info) == STT_FUNC
797 		  || (GELF_ST_TYPE (sym->st_info) == STT_GNU_IFUNC))
798 		st_value = sym->st_value & ebl_func_addr_mask (ebl);
799 	      else
800 		st_value = sym->st_value;
801 	      if (GELF_ST_TYPE (sym->st_info) != STT_TLS)
802 		{
803 		  if (! ebl_check_special_symbol (ebl, sym, name,
804 						  destshdr))
805 		    {
806 		      if (st_value - sh_addr > destshdr->sh_size)
807 			{
808 			  /* GNU ld has severe bugs.  When it decides to remove
809 			     empty sections it leaves symbols referencing them
810 			     behind.  These are symbols in .symtab or .dynsym
811 			     and for the named symbols have zero size.  See
812 			     sourceware PR13621.  */
813 			  if (!gnuld
814 			      || (strcmp (section_name (ebl, idx), ".symtab")
815 			          && strcmp (section_name (ebl, idx),
816 					     ".dynsym"))
817 			      || sym->st_size != 0
818 			      || (strcmp (name, "__preinit_array_start") != 0
819 				  && strcmp (name, "__preinit_array_end") != 0
820 				  && strcmp (name, "__init_array_start") != 0
821 				  && strcmp (name, "__init_array_end") != 0
822 				  && strcmp (name, "__fini_array_start") != 0
823 				  && strcmp (name, "__fini_array_end") != 0
824 				  && strcmp (name, "__bss_start") != 0
825 				  && strcmp (name, "__bss_start__") != 0
826 				  && strcmp (name, "__TMC_END__") != 0
827 				  && strcmp (name, ".TOC.") != 0
828 				  && strcmp (name, "_edata") != 0
829 				  && strcmp (name, "__edata") != 0
830 				  && strcmp (name, "_end") != 0
831 				  && strcmp (name, "__end") != 0))
832 			    ERROR (_("\
833 section [%2d] '%s': symbol %zu (%s): st_value out of bounds\n"),
834 				   idx, section_name (ebl, idx), cnt, name);
835 			}
836 		      else if ((st_value - sh_addr
837 				+ sym->st_size) > destshdr->sh_size)
838 			ERROR (_("\
839 section [%2d] '%s': symbol %zu (%s) does not fit completely in referenced section [%2d] '%s'\n"),
840 			       idx, section_name (ebl, idx), cnt, name,
841 			       (int) xndx, section_name (ebl, xndx));
842 		    }
843 		}
844 	      else
845 		{
846 		  if ((destshdr->sh_flags & SHF_TLS) == 0)
847 		    ERROR (_("\
848 section [%2d] '%s': symbol %zu (%s): referenced section [%2d] '%s' does not have SHF_TLS flag set\n"),
849 			   idx, section_name (ebl, idx), cnt, name,
850 			   (int) xndx, section_name (ebl, xndx));
851 
852 		  if (ehdr->e_type == ET_REL)
853 		    {
854 		      /* For object files the symbol value must fall
855 			 into the section.  */
856 		      if (st_value > destshdr->sh_size)
857 			ERROR (_("\
858 section [%2d] '%s': symbol %zu (%s): st_value out of bounds of referenced section [%2d] '%s'\n"),
859 			       idx, section_name (ebl, idx), cnt, name,
860 			       (int) xndx, section_name (ebl, xndx));
861 		      else if (st_value + sym->st_size
862 			       > destshdr->sh_size)
863 			ERROR (_("\
864 section [%2d] '%s': symbol %zu (%s) does not fit completely in referenced section [%2d] '%s'\n"),
865 			       idx, section_name (ebl, idx), cnt, name,
866 			       (int) xndx, section_name (ebl, xndx));
867 		    }
868 		  else
869 		    {
870 		      GElf_Phdr phdr_mem;
871 		      GElf_Phdr *phdr = NULL;
872 		      unsigned int pcnt;
873 
874 		      for (pcnt = 0; pcnt < phnum; ++pcnt)
875 			{
876 			  phdr = gelf_getphdr (ebl->elf, pcnt, &phdr_mem);
877 			  if (phdr != NULL && phdr->p_type == PT_TLS)
878 			    break;
879 			}
880 
881 		      if (pcnt == phnum)
882 			{
883 			  if (no_pt_tls++ == 0)
884 			    ERROR (_("\
885 section [%2d] '%s': symbol %zu (%s): TLS symbol but no TLS program header entry\n"),
886 				   idx, section_name (ebl, idx), cnt, name);
887 			}
888 		      else if (phdr == NULL)
889 			{
890 			    ERROR (_("\
891 section [%2d] '%s': symbol %zu (%s): TLS symbol but couldn't get TLS program header entry\n"),
892 				   idx, section_name (ebl, idx), cnt, name);
893 			}
894 		      else if (!is_debuginfo)
895 			{
896 			  if (st_value
897 			      < destshdr->sh_offset - phdr->p_offset)
898 			    ERROR (_("\
899 section [%2d] '%s': symbol %zu (%s): st_value short of referenced section [%2d] '%s'\n"),
900 				   idx, section_name (ebl, idx), cnt, name,
901 				   (int) xndx, section_name (ebl, xndx));
902 			  else if (st_value
903 				   > (destshdr->sh_offset - phdr->p_offset
904 				      + destshdr->sh_size))
905 			    ERROR (_("\
906 section [%2d] '%s': symbol %zu (%s): st_value out of bounds of referenced section [%2d] '%s'\n"),
907 				   idx, section_name (ebl, idx), cnt, name,
908 				   (int) xndx, section_name (ebl, xndx));
909 			  else if (st_value + sym->st_size
910 				   > (destshdr->sh_offset - phdr->p_offset
911 				      + destshdr->sh_size))
912 			    ERROR (_("\
913 section [%2d] '%s': symbol %zu (%s) does not fit completely in referenced section [%2d] '%s'\n"),
914 				   idx, section_name (ebl, idx), cnt, name,
915 				   (int) xndx, section_name (ebl, xndx));
916 			}
917 		    }
918 		}
919 	    }
920 	}
921 
922       if (GELF_ST_BIND (sym->st_info) == STB_LOCAL)
923 	{
924 	  if (cnt >= shdr->sh_info)
925 	    ERROR (_("\
926 section [%2d] '%s': symbol %zu (%s): local symbol outside range described in sh_info\n"),
927 		   idx, section_name (ebl, idx), cnt, name);
928 	}
929       else
930 	{
931 	  if (cnt < shdr->sh_info)
932 	    ERROR (_("\
933 section [%2d] '%s': symbol %zu (%s): non-local symbol outside range described in sh_info\n"),
934 		   idx, section_name (ebl, idx), cnt, name);
935 	}
936 
937       if (GELF_ST_TYPE (sym->st_info) == STT_SECTION
938 	  && GELF_ST_BIND (sym->st_info) != STB_LOCAL)
939 	ERROR (_("\
940 section [%2d] '%s': symbol %zu (%s): non-local section symbol\n"),
941 	       idx, section_name (ebl, idx), cnt, name);
942 
943       if (name != NULL)
944 	{
945 	  if (strcmp (name, "_GLOBAL_OFFSET_TABLE_") == 0)
946 	    {
947 	      /* Check that address and size match the global offset table.  */
948 
949 	      GElf_Shdr destshdr_mem;
950 	      GElf_Shdr *destshdr = gelf_getshdr (elf_getscn (ebl->elf, xndx),
951 						  &destshdr_mem);
952 
953 	      if (destshdr == NULL && xndx == SHN_ABS)
954 		{
955 		  /* In a DSO, we have to find the GOT section by name.  */
956 		  Elf_Scn *gotscn = NULL;
957 		  Elf_Scn *gscn = NULL;
958 		  while ((gscn = elf_nextscn (ebl->elf, gscn)) != NULL)
959 		    {
960 		      destshdr = gelf_getshdr (gscn, &destshdr_mem);
961 		      assert (destshdr != NULL);
962 		      const char *sname = elf_strptr (ebl->elf,
963 						      shstrndx,
964 						      destshdr->sh_name);
965 		      if (sname != NULL)
966 			{
967 			  if (strcmp (sname, ".got.plt") == 0)
968 			    break;
969 			  if (strcmp (sname, ".got") == 0)
970 			    /* Do not stop looking.
971 			       There might be a .got.plt section.  */
972 			    gotscn = gscn;
973 			}
974 
975 		      destshdr = NULL;
976 		    }
977 
978 		  if (destshdr == NULL && gotscn != NULL)
979 		    destshdr = gelf_getshdr (gotscn, &destshdr_mem);
980 		}
981 
982 	      const char *sname = ((destshdr == NULL || xndx == SHN_UNDEF)
983 				   ? NULL
984 				   : elf_strptr (ebl->elf, shstrndx,
985 						 destshdr->sh_name));
986 	      if (sname == NULL)
987 		{
988 		  if (xndx != SHN_UNDEF || ehdr->e_type != ET_REL)
989 		    ERROR (_("\
990 section [%2d] '%s': _GLOBAL_OFFSET_TABLE_ symbol refers to \
991 bad section [%2d]\n"),
992 			   idx, section_name (ebl, idx), xndx);
993 		}
994 	      else if (strcmp (sname, ".got.plt") != 0
995 		       && strcmp (sname, ".got") != 0)
996 		ERROR (_("\
997 section [%2d] '%s': _GLOBAL_OFFSET_TABLE_ symbol refers to \
998 section [%2d] '%s'\n"),
999 		       idx, section_name (ebl, idx), xndx, sname);
1000 
1001 	      if (destshdr != NULL)
1002 		{
1003 		  /* Found it.  */
1004 		  if (!ebl_check_special_symbol (ebl, sym, name,
1005 						 destshdr))
1006 		    {
1007 		      if (ehdr->e_type != ET_REL
1008 			  && sym->st_value != destshdr->sh_addr)
1009 			/* This test is more strict than the psABIs which
1010 			   usually allow the symbol to be in the middle of
1011 			   the .got section, allowing negative offsets.  */
1012 			ERROR (_("\
1013 section [%2d] '%s': _GLOBAL_OFFSET_TABLE_ symbol value %#" PRIx64 " does not match %s section address %#" PRIx64 "\n"),
1014 			       idx, section_name (ebl, idx),
1015 			       (uint64_t) sym->st_value,
1016 			       sname, (uint64_t) destshdr->sh_addr);
1017 
1018 		      if (!gnuld && sym->st_size != destshdr->sh_size)
1019 			ERROR (_("\
1020 section [%2d] '%s': _GLOBAL_OFFSET_TABLE_ symbol size %" PRIu64 " does not match %s section size %" PRIu64 "\n"),
1021 			       idx, section_name (ebl, idx),
1022 			       (uint64_t) sym->st_size,
1023 			       sname, (uint64_t) destshdr->sh_size);
1024 		    }
1025 		}
1026 	      else
1027 		ERROR (_("\
1028 section [%2d] '%s': _GLOBAL_OFFSET_TABLE_ symbol present, but no .got section\n"),
1029 		       idx, section_name (ebl, idx));
1030 	    }
1031 	  else if (strcmp (name, "_DYNAMIC") == 0)
1032 	    /* Check that address and size match the dynamic section.
1033 	       We locate the dynamic section via the program header
1034 	       entry.  */
1035 	    for (unsigned int pcnt = 0; pcnt < phnum; ++pcnt)
1036 	      {
1037 		GElf_Phdr phdr_mem;
1038 		GElf_Phdr *phdr = gelf_getphdr (ebl->elf, pcnt, &phdr_mem);
1039 
1040 		if (phdr != NULL && phdr->p_type == PT_DYNAMIC)
1041 		  {
1042 		    if (sym->st_value != phdr->p_vaddr)
1043 		      ERROR (_("\
1044 section [%2d] '%s': _DYNAMIC_ symbol value %#" PRIx64 " does not match dynamic segment address %#" PRIx64 "\n"),
1045 			     idx, section_name (ebl, idx),
1046 			     (uint64_t) sym->st_value,
1047 			     (uint64_t) phdr->p_vaddr);
1048 
1049 		    if (!gnuld && sym->st_size != phdr->p_memsz)
1050 		      ERROR (_("\
1051 section [%2d] '%s': _DYNAMIC symbol size %" PRIu64 " does not match dynamic segment size %" PRIu64 "\n"),
1052 			     idx, section_name (ebl, idx),
1053 			     (uint64_t) sym->st_size,
1054 			     (uint64_t) phdr->p_memsz);
1055 
1056 		    break;
1057 		  }
1058 	    }
1059 	}
1060 
1061       if (GELF_ST_VISIBILITY (sym->st_other) != STV_DEFAULT
1062 	  && shdr->sh_type == SHT_DYNSYM)
1063 	ERROR (_("\
1064 section [%2d] '%s': symbol %zu (%s): symbol in dynamic symbol table with non-default visibility\n"),
1065 	       idx, section_name (ebl, idx), cnt, name);
1066       if (! ebl_check_st_other_bits (ebl, sym->st_other))
1067 	ERROR (_("\
1068 section [%2d] '%s': symbol %zu (%s): unknown bit set in st_other\n"),
1069 	       idx, section_name (ebl, idx), cnt, name);
1070 
1071     }
1072 }
1073 
1074 
1075 static bool
is_rel_dyn(Ebl * ebl,const GElf_Ehdr * ehdr,int idx,const GElf_Shdr * shdr,bool is_rela)1076 is_rel_dyn (Ebl *ebl, const GElf_Ehdr *ehdr, int idx, const GElf_Shdr *shdr,
1077 	    bool is_rela)
1078 {
1079   /* If this is no executable or DSO it cannot be a .rel.dyn section.  */
1080   if (ehdr->e_type != ET_EXEC && ehdr->e_type != ET_DYN)
1081     return false;
1082 
1083   /* Check the section name.  Unfortunately necessary.  */
1084   if (strcmp (section_name (ebl, idx), is_rela ? ".rela.dyn" : ".rel.dyn"))
1085     return false;
1086 
1087   /* When a .rel.dyn section is used a DT_RELCOUNT dynamic section
1088      entry can be present as well.  */
1089   Elf_Scn *scn = NULL;
1090   while ((scn = elf_nextscn (ebl->elf, scn)) != NULL)
1091     {
1092       GElf_Shdr rcshdr_mem;
1093       const GElf_Shdr *rcshdr = gelf_getshdr (scn, &rcshdr_mem);
1094 
1095       if (rcshdr == NULL)
1096 	break;
1097 
1098       if (rcshdr->sh_type == SHT_DYNAMIC && rcshdr->sh_entsize != 0)
1099 	{
1100 	  /* Found the dynamic section.  Look through it.  */
1101 	  Elf_Data *d = elf_getdata (scn, NULL);
1102 	  size_t cnt;
1103 
1104 	  if (d == NULL)
1105 	    ERROR (_("\
1106 section [%2d] '%s': cannot get section data.\n"),
1107 		   idx, section_name (ebl, idx));
1108 
1109 	  for (cnt = 1; cnt < rcshdr->sh_size / rcshdr->sh_entsize; ++cnt)
1110 	    {
1111 	      GElf_Dyn dyn_mem;
1112 	      GElf_Dyn *dyn = gelf_getdyn (d, cnt, &dyn_mem);
1113 
1114 	      if (dyn == NULL)
1115 		break;
1116 
1117 	      if (dyn->d_tag == DT_RELCOUNT)
1118 		{
1119 		  /* Found it.  Does the type match.  */
1120 		  if (is_rela)
1121 		    ERROR (_("\
1122 section [%2d] '%s': DT_RELCOUNT used for this RELA section\n"),
1123 			   idx, section_name (ebl, idx));
1124 		  else
1125 		    {
1126 		      /* Does the number specified number of relative
1127 			 relocations exceed the total number of
1128 			 relocations?  */
1129 		      if (shdr->sh_entsize != 0
1130 			  && dyn->d_un.d_val > (shdr->sh_size
1131 						/ shdr->sh_entsize))
1132 			ERROR (_("\
1133 section [%2d] '%s': DT_RELCOUNT value %d too high for this section\n"),
1134 			       idx, section_name (ebl, idx),
1135 			       (int) dyn->d_un.d_val);
1136 
1137 		      /* Make sure the specified number of relocations are
1138 			 relative.  */
1139 		      Elf_Data *reldata = elf_getdata (elf_getscn (ebl->elf,
1140 								   idx), NULL);
1141 		      if (reldata != NULL && shdr->sh_entsize != 0)
1142 			for (size_t inner = 0;
1143 			     inner < shdr->sh_size / shdr->sh_entsize;
1144 			     ++inner)
1145 			  {
1146 			    GElf_Rel rel_mem;
1147 			    GElf_Rel *rel = gelf_getrel (reldata, inner,
1148 							 &rel_mem);
1149 			    if (rel == NULL)
1150 			      /* The problem will be reported elsewhere.  */
1151 			      break;
1152 
1153 			    if (ebl_relative_reloc_p (ebl,
1154 						      GELF_R_TYPE (rel->r_info)))
1155 			      {
1156 				if (inner >= dyn->d_un.d_val)
1157 				  ERROR (_("\
1158 section [%2d] '%s': relative relocations after index %d as specified by DT_RELCOUNT\n"),
1159 					 idx, section_name (ebl, idx),
1160 					 (int) dyn->d_un.d_val);
1161 			      }
1162 			    else if (inner < dyn->d_un.d_val)
1163 			      ERROR (_("\
1164 section [%2d] '%s': non-relative relocation at index %zu; DT_RELCOUNT specified %d relative relocations\n"),
1165 				     idx, section_name (ebl, idx),
1166 				     inner, (int) dyn->d_un.d_val);
1167 			  }
1168 		    }
1169 		}
1170 
1171 	      if (dyn->d_tag == DT_RELACOUNT)
1172 		{
1173 		  /* Found it.  Does the type match.  */
1174 		  if (!is_rela)
1175 		    ERROR (_("\
1176 section [%2d] '%s': DT_RELACOUNT used for this REL section\n"),
1177 			   idx, section_name (ebl, idx));
1178 		  else
1179 		    {
1180 		      /* Does the number specified number of relative
1181 			 relocations exceed the total number of
1182 			 relocations?  */
1183 		      if (shdr->sh_entsize != 0
1184 			  && dyn->d_un.d_val > shdr->sh_size / shdr->sh_entsize)
1185 			ERROR (_("\
1186 section [%2d] '%s': DT_RELCOUNT value %d too high for this section\n"),
1187 			       idx, section_name (ebl, idx),
1188 			       (int) dyn->d_un.d_val);
1189 
1190 		      /* Make sure the specified number of relocations are
1191 			 relative.  */
1192 		      Elf_Data *reldata = elf_getdata (elf_getscn (ebl->elf,
1193 								   idx), NULL);
1194 		      if (reldata != NULL && shdr->sh_entsize != 0)
1195 			for (size_t inner = 0;
1196 			     inner < shdr->sh_size / shdr->sh_entsize;
1197 			     ++inner)
1198 			  {
1199 			    GElf_Rela rela_mem;
1200 			    GElf_Rela *rela = gelf_getrela (reldata, inner,
1201 							    &rela_mem);
1202 			    if (rela == NULL)
1203 			      /* The problem will be reported elsewhere.  */
1204 			      break;
1205 
1206 			    if (ebl_relative_reloc_p (ebl,
1207 						      GELF_R_TYPE (rela->r_info)))
1208 			      {
1209 				if (inner >= dyn->d_un.d_val)
1210 				  ERROR (_("\
1211 section [%2d] '%s': relative relocations after index %d as specified by DT_RELCOUNT\n"),
1212 					 idx, section_name (ebl, idx),
1213 					 (int) dyn->d_un.d_val);
1214 			      }
1215 			    else if (inner < dyn->d_un.d_val)
1216 			      ERROR (_("\
1217 section [%2d] '%s': non-relative relocation at index %zu; DT_RELCOUNT specified %d relative relocations\n"),
1218 				     idx, section_name (ebl, idx),
1219 				     inner, (int) dyn->d_un.d_val);
1220 			  }
1221 		    }
1222 		}
1223 	    }
1224 
1225 	  break;
1226 	}
1227     }
1228 
1229   return true;
1230 }
1231 
1232 
1233 struct loaded_segment
1234 {
1235   GElf_Addr from;
1236   GElf_Addr to;
1237   bool read_only;
1238   struct loaded_segment *next;
1239 };
1240 
1241 
1242 /* Check whether binary has text relocation flag set.  */
1243 static bool textrel;
1244 
1245 /* Keep track of whether text relocation flag is needed.  */
1246 static bool needed_textrel;
1247 
1248 
1249 static bool
check_reloc_shdr(Ebl * ebl,const GElf_Ehdr * ehdr,const GElf_Shdr * shdr,int idx,int reltype,GElf_Shdr ** destshdrp,GElf_Shdr * destshdr_memp,struct loaded_segment ** loadedp)1250 check_reloc_shdr (Ebl *ebl, const GElf_Ehdr *ehdr, const GElf_Shdr *shdr,
1251 		  int idx, int reltype, GElf_Shdr **destshdrp,
1252 		  GElf_Shdr *destshdr_memp, struct loaded_segment **loadedp)
1253 {
1254   bool reldyn = false;
1255 
1256   /* Check whether the link to the section we relocate is reasonable.  */
1257   if (shdr->sh_info >= shnum)
1258     ERROR (_("section [%2d] '%s': invalid destination section index\n"),
1259 	   idx, section_name (ebl, idx));
1260   else if (shdr->sh_info != 0)
1261     {
1262       *destshdrp = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_info),
1263 				 destshdr_memp);
1264       if (*destshdrp != NULL)
1265 	{
1266 	  if(! ebl_check_reloc_target_type (ebl, (*destshdrp)->sh_type))
1267 	    {
1268 	      reldyn = is_rel_dyn (ebl, ehdr, idx, shdr, true);
1269 	      if (!reldyn)
1270 		ERROR (_("\
1271 section [%2d] '%s': invalid destination section type\n"),
1272 		       idx, section_name (ebl, idx));
1273 	      else
1274 		{
1275 		  /* There is no standard, but we require that .rel{,a}.dyn
1276 		     sections have a sh_info value of zero.  */
1277 		  if (shdr->sh_info != 0)
1278 		    ERROR (_("\
1279 section [%2d] '%s': sh_info should be zero\n"),
1280 			   idx, section_name (ebl, idx));
1281 		}
1282 	    }
1283 
1284 	  if ((((*destshdrp)->sh_flags & SHF_MERGE) != 0)
1285 	      && ((*destshdrp)->sh_flags & SHF_STRINGS) != 0)
1286 	    ERROR (_("\
1287 section [%2d] '%s': no relocations for merge-able string sections possible\n"),
1288 		   idx, section_name (ebl, idx));
1289 	}
1290     }
1291 
1292   size_t sh_entsize = gelf_fsize (ebl->elf, reltype, 1, EV_CURRENT);
1293   if (shdr->sh_entsize != sh_entsize)
1294     ERROR (_(reltype == ELF_T_RELA ? "\
1295 section [%2d] '%s': section entry size does not match ElfXX_Rela\n" : "\
1296 section [%2d] '%s': section entry size does not match ElfXX_Rel\n"),
1297 	   idx, section_name (ebl, idx));
1298 
1299   /* In preparation of checking whether relocations are text
1300      relocations or not we need to determine whether the file is
1301      flagged to have text relocation and we need to determine a) what
1302      the loaded segments are and b) which are read-only.  This will
1303      also allow us to determine whether the same reloc section is
1304      modifying loaded and not loaded segments.  */
1305   for (unsigned int i = 0; i < phnum; ++i)
1306     {
1307       GElf_Phdr phdr_mem;
1308       GElf_Phdr *phdr = gelf_getphdr (ebl->elf, i, &phdr_mem);
1309       if (phdr == NULL)
1310 	continue;
1311 
1312       if (phdr->p_type == PT_LOAD)
1313 	{
1314 	  struct loaded_segment *newp = xmalloc (sizeof (*newp));
1315 	  newp->from = phdr->p_vaddr;
1316 	  newp->to = phdr->p_vaddr + phdr->p_memsz;
1317 	  newp->read_only = (phdr->p_flags & PF_W) == 0;
1318 	  newp->next = *loadedp;
1319 	  *loadedp = newp;
1320 	}
1321       else if (phdr->p_type == PT_DYNAMIC)
1322 	{
1323 	  Elf_Scn *dynscn = gelf_offscn (ebl->elf, phdr->p_offset);
1324 	  GElf_Shdr dynshdr_mem;
1325 	  GElf_Shdr *dynshdr = gelf_getshdr (dynscn, &dynshdr_mem);
1326 	  Elf_Data *dyndata = elf_getdata (dynscn, NULL);
1327 	  if (dynshdr != NULL && dynshdr->sh_type == SHT_DYNAMIC
1328 	      && dyndata != NULL && dynshdr->sh_entsize != 0)
1329 	    for (size_t j = 0; j < dynshdr->sh_size / dynshdr->sh_entsize; ++j)
1330 	      {
1331 		GElf_Dyn dyn_mem;
1332 		GElf_Dyn *dyn = gelf_getdyn (dyndata, j, &dyn_mem);
1333 		if (dyn != NULL
1334 		    && (dyn->d_tag == DT_TEXTREL
1335 			|| (dyn->d_tag == DT_FLAGS
1336 			    && (dyn->d_un.d_val & DF_TEXTREL) != 0)))
1337 		  {
1338 		    textrel = true;
1339 		    break;
1340 		  }
1341 	      }
1342 	}
1343     }
1344 
1345   /* A quick test which can be easily done here (although it is a bit
1346      out of place): the text relocation flag makes only sense if there
1347      is a segment which is not writable.  */
1348   if (textrel)
1349     {
1350       struct loaded_segment *seg = *loadedp;
1351       while (seg != NULL && !seg->read_only)
1352 	seg = seg->next;
1353       if (seg == NULL)
1354 	ERROR (_("\
1355 text relocation flag set but there is no read-only segment\n"));
1356     }
1357 
1358   return reldyn;
1359 }
1360 
1361 
1362 enum load_state
1363   {
1364     state_undecided,
1365     state_loaded,
1366     state_unloaded,
1367     state_error
1368   };
1369 
1370 
1371 static void
check_one_reloc(Ebl * ebl,GElf_Ehdr * ehdr,GElf_Shdr * relshdr,int idx,size_t cnt,const GElf_Shdr * symshdr,Elf_Data * symdata,GElf_Addr r_offset,GElf_Xword r_info,const GElf_Shdr * destshdr,bool reldyn,struct loaded_segment * loaded,enum load_state * statep)1372 check_one_reloc (Ebl *ebl, GElf_Ehdr *ehdr, GElf_Shdr *relshdr, int idx,
1373 		 size_t cnt, const GElf_Shdr *symshdr, Elf_Data *symdata,
1374 		 GElf_Addr r_offset, GElf_Xword r_info,
1375 		 const GElf_Shdr *destshdr, bool reldyn,
1376 		 struct loaded_segment *loaded, enum load_state *statep)
1377 {
1378   bool known_broken = gnuld;
1379 
1380   if (!ebl_reloc_type_check (ebl, GELF_R_TYPE (r_info)))
1381     ERROR (_("section [%2d] '%s': relocation %zu: invalid type\n"),
1382 	   idx, section_name (ebl, idx), cnt);
1383   else if (((ehdr->e_type != ET_EXEC && ehdr->e_type != ET_DYN)
1384 	    /* The executable/DSO can contain relocation sections with
1385 	       all the relocations the linker has applied.  Those sections
1386 	       are marked non-loaded, though.  */
1387 	    || (relshdr->sh_flags & SHF_ALLOC) != 0)
1388 	   && !ebl_reloc_valid_use (ebl, GELF_R_TYPE (r_info)))
1389     ERROR (_("\
1390 section [%2d] '%s': relocation %zu: relocation type invalid for the file type\n"),
1391 	   idx, section_name (ebl, idx), cnt);
1392 
1393   if (symshdr != NULL
1394       && ((GELF_R_SYM (r_info) + 1)
1395 	  * gelf_fsize (ebl->elf, ELF_T_SYM, 1, EV_CURRENT)
1396 	  > symshdr->sh_size))
1397     ERROR (_("\
1398 section [%2d] '%s': relocation %zu: invalid symbol index\n"),
1399 	   idx, section_name (ebl, idx), cnt);
1400 
1401   /* No more tests if this is a no-op relocation.  */
1402   if (ebl_none_reloc_p (ebl, GELF_R_TYPE (r_info)))
1403     return;
1404 
1405   if (ebl_gotpc_reloc_check (ebl, GELF_R_TYPE (r_info)))
1406     {
1407       const char *name;
1408       char buf[64];
1409       GElf_Sym sym_mem;
1410       GElf_Sym *sym = gelf_getsym (symdata, GELF_R_SYM (r_info), &sym_mem);
1411       if (sym != NULL
1412 	  /* Get the name for the symbol.  */
1413 	  && (name = elf_strptr (ebl->elf, symshdr->sh_link, sym->st_name))
1414 	  && strcmp (name, "_GLOBAL_OFFSET_TABLE_") !=0 )
1415 	ERROR (_("\
1416 section [%2d] '%s': relocation %zu: only symbol '_GLOBAL_OFFSET_TABLE_' can be used with %s\n"),
1417 	       idx, section_name (ebl, idx), cnt,
1418 	       ebl_reloc_type_name (ebl, GELF_R_SYM (r_info),
1419 				    buf, sizeof (buf)));
1420     }
1421 
1422   if (reldyn)
1423     {
1424       // XXX TODO Check .rel.dyn section addresses.
1425     }
1426   else if (!known_broken)
1427     {
1428       if (destshdr != NULL
1429 	  && GELF_R_TYPE (r_info) != 0
1430 	  && (r_offset - (ehdr->e_type == ET_REL ? 0
1431 			  : destshdr->sh_addr)) >= destshdr->sh_size)
1432 	ERROR (_("\
1433 section [%2d] '%s': relocation %zu: offset out of bounds\n"),
1434 	       idx, section_name (ebl, idx), cnt);
1435     }
1436 
1437   GElf_Sym sym_mem;
1438   GElf_Sym *sym = gelf_getsym (symdata, GELF_R_SYM (r_info), &sym_mem);
1439 
1440   if (ebl_copy_reloc_p (ebl, GELF_R_TYPE (r_info))
1441       /* Make sure the referenced symbol is an object or unspecified.  */
1442       && sym != NULL
1443       && GELF_ST_TYPE (sym->st_info) != STT_NOTYPE
1444       && GELF_ST_TYPE (sym->st_info) != STT_OBJECT)
1445     {
1446       char buf[64];
1447       ERROR (_("section [%2d] '%s': relocation %zu: copy relocation against symbol of type %s\n"),
1448 	     idx, section_name (ebl, idx), cnt,
1449 	     ebl_symbol_type_name (ebl, GELF_ST_TYPE (sym->st_info),
1450 				   buf, sizeof (buf)));
1451     }
1452 
1453   if ((ehdr->e_type != ET_EXEC && ehdr->e_type != ET_DYN)
1454       || (relshdr->sh_flags & SHF_ALLOC) != 0)
1455     {
1456       bool in_loaded_seg = false;
1457       while (loaded != NULL)
1458 	{
1459 	  if (r_offset < loaded->to
1460 	      && r_offset + (sym == NULL ? 0 : sym->st_size) >= loaded->from)
1461 	    {
1462 	      /* The symbol is in this segment.  */
1463 	      if  (loaded->read_only)
1464 		{
1465 		  if (textrel)
1466 		    needed_textrel = true;
1467 		  else
1468 		    ERROR (_("section [%2d] '%s': relocation %zu: read-only section modified but text relocation flag not set\n"),
1469 			   idx, section_name (ebl, idx), cnt);
1470 		}
1471 
1472 	      in_loaded_seg = true;
1473 	    }
1474 
1475 	  loaded = loaded->next;
1476 	}
1477 
1478       if (*statep == state_undecided)
1479 	*statep = in_loaded_seg ? state_loaded : state_unloaded;
1480       else if ((*statep == state_unloaded && in_loaded_seg)
1481 	       || (*statep == state_loaded && !in_loaded_seg))
1482 	{
1483 	  ERROR (_("\
1484 section [%2d] '%s': relocations are against loaded and unloaded data\n"),
1485 		 idx, section_name (ebl, idx));
1486 	  *statep = state_error;
1487 	}
1488     }
1489 }
1490 
1491 
1492 static void
check_rela(Ebl * ebl,GElf_Ehdr * ehdr,GElf_Shdr * shdr,int idx)1493 check_rela (Ebl *ebl, GElf_Ehdr *ehdr, GElf_Shdr *shdr, int idx)
1494 {
1495   Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
1496   if (data == NULL)
1497     {
1498       ERROR (_("section [%2d] '%s': cannot get section data\n"),
1499 	     idx, section_name (ebl, idx));
1500       return;
1501     }
1502 
1503   /* Check the fields of the section header.  */
1504   GElf_Shdr destshdr_mem;
1505   GElf_Shdr *destshdr = NULL;
1506   struct loaded_segment *loaded = NULL;
1507   bool reldyn = check_reloc_shdr (ebl, ehdr, shdr, idx, ELF_T_RELA, &destshdr,
1508 				  &destshdr_mem, &loaded);
1509 
1510   Elf_Scn *symscn = elf_getscn (ebl->elf, shdr->sh_link);
1511   GElf_Shdr symshdr_mem;
1512   GElf_Shdr *symshdr = gelf_getshdr (symscn, &symshdr_mem);
1513   Elf_Data *symdata = elf_getdata (symscn, NULL);
1514   enum load_state state = state_undecided;
1515 
1516   size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_RELA, 1, EV_CURRENT);
1517   for (size_t cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt)
1518     {
1519       GElf_Rela rela_mem;
1520       GElf_Rela *rela = gelf_getrela (data, cnt, &rela_mem);
1521       if (rela == NULL)
1522 	{
1523 	  ERROR (_("\
1524 section [%2d] '%s': cannot get relocation %zu: %s\n"),
1525 		 idx, section_name (ebl, idx), cnt, elf_errmsg (-1));
1526 	  continue;
1527 	}
1528 
1529       check_one_reloc (ebl, ehdr, shdr, idx, cnt, symshdr, symdata,
1530 		       rela->r_offset, rela->r_info, destshdr, reldyn, loaded,
1531 		       &state);
1532     }
1533 
1534   while (loaded != NULL)
1535     {
1536       struct loaded_segment *old = loaded;
1537       loaded = loaded->next;
1538       free (old);
1539     }
1540 }
1541 
1542 
1543 static void
check_rel(Ebl * ebl,GElf_Ehdr * ehdr,GElf_Shdr * shdr,int idx)1544 check_rel (Ebl *ebl, GElf_Ehdr *ehdr, GElf_Shdr *shdr, int idx)
1545 {
1546   Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
1547   if (data == NULL)
1548     {
1549       ERROR (_("section [%2d] '%s': cannot get section data\n"),
1550 	     idx, section_name (ebl, idx));
1551       return;
1552     }
1553 
1554   /* Check the fields of the section header.  */
1555   GElf_Shdr destshdr_mem;
1556   GElf_Shdr *destshdr = NULL;
1557   struct loaded_segment *loaded = NULL;
1558   bool reldyn = check_reloc_shdr (ebl, ehdr, shdr, idx, ELF_T_REL, &destshdr,
1559 				  &destshdr_mem, &loaded);
1560 
1561   Elf_Scn *symscn = elf_getscn (ebl->elf, shdr->sh_link);
1562   GElf_Shdr symshdr_mem;
1563   GElf_Shdr *symshdr = gelf_getshdr (symscn, &symshdr_mem);
1564   Elf_Data *symdata = elf_getdata (symscn, NULL);
1565   enum load_state state = state_undecided;
1566 
1567   size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_REL, 1, EV_CURRENT);
1568   for (size_t cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt)
1569     {
1570       GElf_Rel rel_mem;
1571       GElf_Rel *rel = gelf_getrel (data, cnt, &rel_mem);
1572       if (rel == NULL)
1573 	{
1574 	  ERROR (_("\
1575 section [%2d] '%s': cannot get relocation %zu: %s\n"),
1576 		 idx, section_name (ebl, idx), cnt, elf_errmsg (-1));
1577 	  continue;
1578 	}
1579 
1580       check_one_reloc (ebl, ehdr, shdr, idx, cnt, symshdr, symdata,
1581 		       rel->r_offset, rel->r_info, destshdr, reldyn, loaded,
1582 		       &state);
1583     }
1584 
1585   while (loaded != NULL)
1586     {
1587       struct loaded_segment *old = loaded;
1588       loaded = loaded->next;
1589       free (old);
1590     }
1591 }
1592 
1593 
1594 /* Number of dynamic sections.  */
1595 static int ndynamic;
1596 
1597 
1598 static void
check_dynamic(Ebl * ebl,GElf_Ehdr * ehdr,GElf_Shdr * shdr,int idx)1599 check_dynamic (Ebl *ebl, GElf_Ehdr *ehdr, GElf_Shdr *shdr, int idx)
1600 {
1601   Elf_Data *data;
1602   GElf_Shdr strshdr_mem;
1603   GElf_Shdr *strshdr;
1604   size_t cnt;
1605   static const bool dependencies[DT_NUM][DT_NUM] =
1606     {
1607       [DT_NEEDED] = { [DT_STRTAB] = true },
1608       [DT_PLTRELSZ] = { [DT_JMPREL] = true },
1609       [DT_HASH] = { [DT_SYMTAB] = true },
1610       [DT_STRTAB] = { [DT_STRSZ] = true },
1611       [DT_SYMTAB] = { [DT_STRTAB] = true, [DT_SYMENT] = true },
1612       [DT_RELA] = { [DT_RELASZ] = true, [DT_RELAENT] = true },
1613       [DT_RELASZ] = { [DT_RELA] = true },
1614       [DT_RELAENT] = { [DT_RELA] = true },
1615       [DT_STRSZ] = { [DT_STRTAB] = true },
1616       [DT_SYMENT] = { [DT_SYMTAB] = true },
1617       [DT_SONAME] = { [DT_STRTAB] = true },
1618       [DT_RPATH] = { [DT_STRTAB] = true },
1619       [DT_REL] = { [DT_RELSZ] = true, [DT_RELENT] = true },
1620       [DT_RELSZ] = { [DT_REL] = true },
1621       [DT_RELENT] = { [DT_REL] = true },
1622       [DT_JMPREL] = { [DT_PLTRELSZ] = true, [DT_PLTREL] = true },
1623       [DT_RUNPATH] = { [DT_STRTAB] = true },
1624       [DT_PLTREL] = { [DT_JMPREL] = true },
1625     };
1626   bool has_dt[DT_NUM];
1627   bool has_val_dt[DT_VALNUM];
1628   bool has_addr_dt[DT_ADDRNUM];
1629   static const bool level2[DT_NUM] =
1630     {
1631       [DT_RPATH] = true,
1632       [DT_SYMBOLIC] = true,
1633       [DT_TEXTREL] = true,
1634       [DT_BIND_NOW] = true
1635     };
1636   static const bool mandatory[DT_NUM] =
1637     {
1638       [DT_NULL] = true,
1639       [DT_STRTAB] = true,
1640       [DT_SYMTAB] = true,
1641       [DT_STRSZ] = true,
1642       [DT_SYMENT] = true
1643     };
1644 
1645   memset (has_dt, '\0', sizeof (has_dt));
1646   memset (has_val_dt, '\0', sizeof (has_val_dt));
1647   memset (has_addr_dt, '\0', sizeof (has_addr_dt));
1648 
1649   if (++ndynamic == 2)
1650     ERROR (_("more than one dynamic section present\n"));
1651 
1652   data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
1653   if (data == NULL)
1654     {
1655       ERROR (_("section [%2d] '%s': cannot get section data\n"),
1656 	     idx, section_name (ebl, idx));
1657       return;
1658     }
1659 
1660   strshdr = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link), &strshdr_mem);
1661   if (strshdr != NULL && strshdr->sh_type != SHT_STRTAB)
1662     ERROR (_("\
1663 section [%2d] '%s': referenced as string table for section [%2d] '%s' but type is not SHT_STRTAB\n"),
1664 	   shdr->sh_link, section_name (ebl, shdr->sh_link),
1665 	   idx, section_name (ebl, idx));
1666   else if (strshdr == NULL)
1667     {
1668       ERROR (_("\
1669 section [%2d]: referenced as string table for section [%2d] '%s' but section link value is invalid\n"),
1670 	   shdr->sh_link, idx, section_name (ebl, idx));
1671       return;
1672     }
1673 
1674   size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_DYN, 1, EV_CURRENT);
1675   if (shdr->sh_entsize != sh_entsize)
1676     ERROR (_("\
1677 section [%2d] '%s': section entry size does not match ElfXX_Dyn\n"),
1678 	   idx, section_name (ebl, idx));
1679 
1680   if (shdr->sh_info != 0)
1681     ERROR (_("section [%2d] '%s': sh_info not zero\n"),
1682 	   idx, section_name (ebl, idx));
1683 
1684   bool non_null_warned = false;
1685   for (cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt)
1686     {
1687       GElf_Dyn dyn_mem;
1688       GElf_Dyn *dyn = gelf_getdyn (data, cnt, &dyn_mem);
1689       if (dyn == NULL)
1690 	{
1691 	  ERROR (_("\
1692 section [%2d] '%s': cannot get dynamic section entry %zu: %s\n"),
1693 		 idx, section_name (ebl, idx), cnt, elf_errmsg (-1));
1694 	  continue;
1695 	}
1696 
1697       if (has_dt[DT_NULL] && dyn->d_tag != DT_NULL && ! non_null_warned)
1698 	{
1699 	  ERROR (_("\
1700 section [%2d] '%s': non-DT_NULL entries follow DT_NULL entry\n"),
1701 		 idx, section_name (ebl, idx));
1702 	  non_null_warned = true;
1703 	}
1704 
1705       if (!ebl_dynamic_tag_check (ebl, dyn->d_tag))
1706 	ERROR (_("section [%2d] '%s': entry %zu: unknown tag\n"),
1707 	       idx, section_name (ebl, idx), cnt);
1708 
1709       if (dyn->d_tag >= 0 && dyn->d_tag < DT_NUM)
1710 	{
1711 	  if (has_dt[dyn->d_tag]
1712 	      && dyn->d_tag != DT_NEEDED
1713 	      && dyn->d_tag != DT_NULL
1714 	      && dyn->d_tag != DT_POSFLAG_1)
1715 	    {
1716 	      char buf[50];
1717 	      ERROR (_("\
1718 section [%2d] '%s': entry %zu: more than one entry with tag %s\n"),
1719 		     idx, section_name (ebl, idx), cnt,
1720 		     ebl_dynamic_tag_name (ebl, dyn->d_tag,
1721 					   buf, sizeof (buf)));
1722 	    }
1723 
1724 	  if (be_strict && level2[dyn->d_tag])
1725 	    {
1726 	      char buf[50];
1727 	      ERROR (_("\
1728 section [%2d] '%s': entry %zu: level 2 tag %s used\n"),
1729 		     idx, section_name (ebl, idx), cnt,
1730 		     ebl_dynamic_tag_name (ebl, dyn->d_tag,
1731 					   buf, sizeof (buf)));
1732 	    }
1733 
1734 	  has_dt[dyn->d_tag] = true;
1735 	}
1736       else if (dyn->d_tag >= 0 && dyn->d_tag <= DT_VALRNGHI
1737 	       && DT_VALTAGIDX (dyn->d_tag) < DT_VALNUM)
1738 	has_val_dt[DT_VALTAGIDX (dyn->d_tag)] = true;
1739       else if (dyn->d_tag >= 0 && dyn->d_tag <= DT_ADDRRNGHI
1740 	       && DT_ADDRTAGIDX (dyn->d_tag) < DT_ADDRNUM)
1741 	has_addr_dt[DT_ADDRTAGIDX (dyn->d_tag)] = true;
1742 
1743       if (dyn->d_tag == DT_PLTREL && dyn->d_un.d_val != DT_REL
1744 	  && dyn->d_un.d_val != DT_RELA)
1745 	ERROR (_("\
1746 section [%2d] '%s': entry %zu: DT_PLTREL value must be DT_REL or DT_RELA\n"),
1747 	       idx, section_name (ebl, idx), cnt);
1748 
1749       /* Check that addresses for entries are in loaded segments.  */
1750       switch (dyn->d_tag)
1751 	{
1752 	  size_t n;
1753 	case DT_STRTAB:
1754 	  /* We require the referenced section is the same as the one
1755 	     specified in sh_link.  */
1756 	  if (strshdr->sh_addr != dyn->d_un.d_val)
1757 	    {
1758 	      ERROR (_("\
1759 section [%2d] '%s': entry %zu: pointer does not match address of section [%2d] '%s' referenced by sh_link\n"),
1760 		     idx, section_name (ebl, idx), cnt,
1761 		     shdr->sh_link, section_name (ebl, shdr->sh_link));
1762 	      break;
1763 	    }
1764 	  goto check_addr;
1765 
1766 	default:
1767 	  if (dyn->d_tag < DT_ADDRRNGLO || dyn->d_tag > DT_ADDRRNGHI)
1768 	    /* Value is no pointer.  */
1769 	    break;
1770 	  FALLTHROUGH;
1771 
1772 	case DT_AUXILIARY:
1773 	case DT_FILTER:
1774 	case DT_FINI:
1775 	case DT_FINI_ARRAY:
1776 	case DT_HASH:
1777 	case DT_INIT:
1778 	case DT_INIT_ARRAY:
1779 	case DT_JMPREL:
1780 	case DT_PLTGOT:
1781 	case DT_REL:
1782 	case DT_RELA:
1783 	case DT_SYMBOLIC:
1784 	case DT_SYMTAB:
1785 	case DT_VERDEF:
1786 	case DT_VERNEED:
1787 	case DT_VERSYM:
1788 	check_addr:
1789 	  for (n = 0; n < phnum; ++n)
1790 	    {
1791 	      GElf_Phdr phdr_mem;
1792 	      GElf_Phdr *phdr = gelf_getphdr (ebl->elf, n, &phdr_mem);
1793 	      if (phdr != NULL && phdr->p_type == PT_LOAD
1794 		  && phdr->p_vaddr <= dyn->d_un.d_ptr
1795 		  && phdr->p_vaddr + phdr->p_memsz > dyn->d_un.d_ptr)
1796 		break;
1797 	    }
1798 	  if (unlikely (n >= phnum))
1799 	    {
1800 	      char buf[50];
1801 	      ERROR (_("\
1802 section [%2d] '%s': entry %zu: %s value must point into loaded segment\n"),
1803 		     idx, section_name (ebl, idx), cnt,
1804 		     ebl_dynamic_tag_name (ebl, dyn->d_tag, buf,
1805 					   sizeof (buf)));
1806 	    }
1807 	  break;
1808 
1809 	case DT_NEEDED:
1810 	case DT_RPATH:
1811 	case DT_RUNPATH:
1812 	case DT_SONAME:
1813 	  if (dyn->d_un.d_ptr >= strshdr->sh_size)
1814 	    {
1815 	      char buf[50];
1816 	      ERROR (_("\
1817 section [%2d] '%s': entry %zu: %s value must be valid offset in section [%2d] '%s'\n"),
1818 		     idx, section_name (ebl, idx), cnt,
1819 		     ebl_dynamic_tag_name (ebl, dyn->d_tag, buf,
1820 					   sizeof (buf)),
1821 		     shdr->sh_link, section_name (ebl, shdr->sh_link));
1822 	    }
1823 	  break;
1824 	}
1825     }
1826 
1827   for (cnt = 1; cnt < DT_NUM; ++cnt)
1828     if (has_dt[cnt])
1829       {
1830 	for (int inner = 0; inner < DT_NUM; ++inner)
1831 	  if (dependencies[cnt][inner] && ! has_dt[inner])
1832 	    {
1833 	      char buf1[50];
1834 	      char buf2[50];
1835 
1836 	      ERROR (_("\
1837 section [%2d] '%s': contains %s entry but not %s\n"),
1838 		     idx, section_name (ebl, idx),
1839 		     ebl_dynamic_tag_name (ebl, cnt, buf1, sizeof (buf1)),
1840 		     ebl_dynamic_tag_name (ebl, inner, buf2, sizeof (buf2)));
1841 	    }
1842       }
1843     else
1844       {
1845 	if (mandatory[cnt])
1846 	  {
1847 	    char buf[50];
1848 	    ERROR (_("\
1849 section [%2d] '%s': mandatory tag %s not present\n"),
1850 		   idx, section_name (ebl, idx),
1851 		   ebl_dynamic_tag_name (ebl, cnt, buf, sizeof (buf)));
1852 	  }
1853       }
1854 
1855   /* Make sure we have an hash table.  */
1856   if (!has_dt[DT_HASH] && !has_addr_dt[DT_ADDRTAGIDX (DT_GNU_HASH)])
1857     ERROR (_("\
1858 section [%2d] '%s': no hash section present\n"),
1859 	   idx, section_name (ebl, idx));
1860 
1861   /* The GNU-style hash table also needs a symbol table.  */
1862   if (!has_dt[DT_HASH] && has_addr_dt[DT_ADDRTAGIDX (DT_GNU_HASH)]
1863       && !has_dt[DT_SYMTAB])
1864     ERROR (_("\
1865 section [%2d] '%s': contains %s entry but not %s\n"),
1866 	   idx, section_name (ebl, idx),
1867 	   "DT_GNU_HASH", "DT_SYMTAB");
1868 
1869   /* Check the rel/rela tags.  At least one group must be available.  */
1870   if ((has_dt[DT_RELA] || has_dt[DT_RELASZ] || has_dt[DT_RELAENT])
1871       && (!has_dt[DT_RELA] || !has_dt[DT_RELASZ] || !has_dt[DT_RELAENT]))
1872     ERROR (_("\
1873 section [%2d] '%s': not all of %s, %s, and %s are present\n"),
1874 	   idx, section_name (ebl, idx),
1875 	   "DT_RELA", "DT_RELASZ", "DT_RELAENT");
1876 
1877   if ((has_dt[DT_REL] || has_dt[DT_RELSZ] || has_dt[DT_RELENT])
1878       && (!has_dt[DT_REL] || !has_dt[DT_RELSZ] || !has_dt[DT_RELENT]))
1879     ERROR (_("\
1880 section [%2d] '%s': not all of %s, %s, and %s are present\n"),
1881 	   idx, section_name (ebl, idx),
1882 	   "DT_REL", "DT_RELSZ", "DT_RELENT");
1883 
1884   /* Check that all prelink sections are present if any of them is.  */
1885   if (has_val_dt[DT_VALTAGIDX (DT_GNU_PRELINKED)]
1886       || has_val_dt[DT_VALTAGIDX (DT_CHECKSUM)])
1887     {
1888       if (!has_val_dt[DT_VALTAGIDX (DT_GNU_PRELINKED)])
1889 	ERROR (_("\
1890 section [%2d] '%s': %s tag missing in DSO marked during prelinking\n"),
1891 	       idx, section_name (ebl, idx), "DT_GNU_PRELINKED");
1892       if (!has_val_dt[DT_VALTAGIDX (DT_CHECKSUM)])
1893 	ERROR (_("\
1894 section [%2d] '%s': %s tag missing in DSO marked during prelinking\n"),
1895 	       idx, section_name (ebl, idx), "DT_CHECKSUM");
1896 
1897       /* Only DSOs can be marked like this.  */
1898       if (ehdr->e_type != ET_DYN)
1899 	ERROR (_("\
1900 section [%2d] '%s': non-DSO file marked as dependency during prelink\n"),
1901 	       idx, section_name (ebl, idx));
1902     }
1903 
1904   if (has_val_dt[DT_VALTAGIDX (DT_GNU_CONFLICTSZ)]
1905       || has_val_dt[DT_VALTAGIDX (DT_GNU_LIBLISTSZ)]
1906       || has_addr_dt[DT_ADDRTAGIDX (DT_GNU_CONFLICT)]
1907       || has_addr_dt[DT_ADDRTAGIDX (DT_GNU_LIBLIST)])
1908     {
1909       if (!has_val_dt[DT_VALTAGIDX (DT_GNU_CONFLICTSZ)])
1910 	ERROR (_("\
1911 section [%2d] '%s': %s tag missing in prelinked executable\n"),
1912 	       idx, section_name (ebl, idx), "DT_GNU_CONFLICTSZ");
1913       if (!has_val_dt[DT_VALTAGIDX (DT_GNU_LIBLISTSZ)])
1914 	ERROR (_("\
1915 section [%2d] '%s': %s tag missing in prelinked executable\n"),
1916 	       idx, section_name (ebl, idx), "DT_GNU_LIBLISTSZ");
1917       if (!has_addr_dt[DT_ADDRTAGIDX (DT_GNU_CONFLICT)])
1918 	ERROR (_("\
1919 section [%2d] '%s': %s tag missing in prelinked executable\n"),
1920 	       idx, section_name (ebl, idx), "DT_GNU_CONFLICT");
1921       if (!has_addr_dt[DT_ADDRTAGIDX (DT_GNU_LIBLIST)])
1922 	ERROR (_("\
1923 section [%2d] '%s': %s tag missing in prelinked executable\n"),
1924 	       idx, section_name (ebl, idx), "DT_GNU_LIBLIST");
1925     }
1926 }
1927 
1928 
1929 static void
check_symtab_shndx(Ebl * ebl,GElf_Ehdr * ehdr,GElf_Shdr * shdr,int idx)1930 check_symtab_shndx (Ebl *ebl, GElf_Ehdr *ehdr, GElf_Shdr *shdr, int idx)
1931 {
1932   if (ehdr->e_type != ET_REL)
1933     {
1934       ERROR (_("\
1935 section [%2d] '%s': only relocatable files can have extended section index\n"),
1936 	     idx, section_name (ebl, idx));
1937       return;
1938     }
1939 
1940   Elf_Scn *symscn = elf_getscn (ebl->elf, shdr->sh_link);
1941   GElf_Shdr symshdr_mem;
1942   GElf_Shdr *symshdr = gelf_getshdr (symscn, &symshdr_mem);
1943   if (symshdr != NULL && symshdr->sh_type != SHT_SYMTAB)
1944     ERROR (_("\
1945 section [%2d] '%s': extended section index section not for symbol table\n"),
1946 	   idx, section_name (ebl, idx));
1947   else if (symshdr == NULL)
1948     ERROR (_("\
1949 section [%2d] '%s': sh_link extended section index [%2d] is invalid\n"),
1950 	   idx, section_name (ebl, idx), shdr->sh_link);
1951   Elf_Data *symdata = elf_getdata (symscn, NULL);
1952   if (symdata == NULL)
1953     ERROR (_("cannot get data for symbol section\n"));
1954 
1955   if (shdr->sh_entsize != sizeof (Elf32_Word))
1956     ERROR (_("\
1957 section [%2d] '%s': entry size does not match Elf32_Word\n"),
1958 	   idx, section_name (ebl, idx));
1959 
1960   if (symshdr != NULL
1961       && shdr->sh_entsize != 0
1962       && symshdr->sh_entsize != 0
1963       && (shdr->sh_size / shdr->sh_entsize
1964 	  < symshdr->sh_size / symshdr->sh_entsize))
1965     ERROR (_("\
1966 section [%2d] '%s': extended index table too small for symbol table\n"),
1967 	   idx, section_name (ebl, idx));
1968 
1969   if (shdr->sh_info != 0)
1970     ERROR (_("section [%2d] '%s': sh_info not zero\n"),
1971 	   idx, section_name (ebl, idx));
1972 
1973   for (size_t cnt = idx + 1; cnt < shnum; ++cnt)
1974     {
1975       GElf_Shdr rshdr_mem;
1976       GElf_Shdr *rshdr = gelf_getshdr (elf_getscn (ebl->elf, cnt), &rshdr_mem);
1977       if (rshdr != NULL && rshdr->sh_type == SHT_SYMTAB_SHNDX
1978 	  && rshdr->sh_link == shdr->sh_link)
1979 	{
1980 	  ERROR (_("\
1981 section [%2d] '%s': extended section index in section [%2zu] '%s' refers to same symbol table\n"),
1982 		 idx, section_name (ebl, idx),
1983 		 cnt, section_name (ebl, cnt));
1984 	  break;
1985 	}
1986     }
1987 
1988   Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
1989   if (data == NULL || data->d_buf == NULL)
1990     {
1991       ERROR (_("section [%2d] '%s': cannot get section data\n"),
1992 	     idx, section_name (ebl, idx));
1993       return;
1994     }
1995 
1996   if (data->d_size < sizeof (Elf32_Word)
1997       || *((Elf32_Word *) data->d_buf) != 0)
1998     ERROR (_("symbol 0 should have zero extended section index\n"));
1999 
2000   for (size_t cnt = 1; cnt < data->d_size / sizeof (Elf32_Word); ++cnt)
2001     {
2002       Elf32_Word xndx = ((Elf32_Word *) data->d_buf)[cnt];
2003 
2004       if (xndx != 0)
2005 	{
2006 	  GElf_Sym sym_data;
2007 	  GElf_Sym *sym = gelf_getsym (symdata, cnt, &sym_data);
2008 	  if (sym == NULL)
2009 	    {
2010 	      ERROR (_("cannot get data for symbol %zu\n"), cnt);
2011 	      continue;
2012 	    }
2013 
2014 	  if (sym->st_shndx != SHN_XINDEX)
2015 	    ERROR (_("\
2016 extended section index is %" PRIu32 " but symbol index is not XINDEX\n"),
2017 		   (uint32_t) xndx);
2018 	}
2019     }
2020 }
2021 
2022 
2023 static void
check_sysv_hash(Ebl * ebl,GElf_Shdr * shdr,Elf_Data * data,int idx,GElf_Shdr * symshdr)2024 check_sysv_hash (Ebl *ebl, GElf_Shdr *shdr, Elf_Data *data, int idx,
2025 		 GElf_Shdr *symshdr)
2026 {
2027   Elf32_Word nbucket = ((Elf32_Word *) data->d_buf)[0];
2028   Elf32_Word nchain = ((Elf32_Word *) data->d_buf)[1];
2029 
2030   if (shdr->sh_size < (2ULL + nbucket + nchain) * sizeof (Elf32_Word))
2031     {
2032       ERROR (_("\
2033 section [%2d] '%s': hash table section is too small (is %ld, expected %ld)\n"),
2034 	     idx, section_name (ebl, idx), (long int) shdr->sh_size,
2035 	     (long int) ((2 + nbucket + nchain) * sizeof (Elf32_Word)));
2036       return;
2037     }
2038 
2039   size_t maxidx = nchain;
2040 
2041   if (symshdr != NULL && symshdr->sh_entsize != 0)
2042     {
2043       size_t symsize = symshdr->sh_size / symshdr->sh_entsize;
2044 
2045       if (nchain > symshdr->sh_size / symshdr->sh_entsize)
2046 	ERROR (_("section [%2d] '%s': chain array too large\n"),
2047 	       idx, section_name (ebl, idx));
2048 
2049       maxidx = symsize;
2050     }
2051 
2052   Elf32_Word *buf = (Elf32_Word *) data->d_buf;
2053   Elf32_Word *end = (Elf32_Word *) ((char *) data->d_buf + shdr->sh_size);
2054   size_t cnt;
2055   for (cnt = 2; cnt < 2 + nbucket; ++cnt)
2056     {
2057       if (buf + cnt >= end)
2058 	break;
2059       else if (buf[cnt] >= maxidx)
2060       ERROR (_("\
2061 section [%2d] '%s': hash bucket reference %zu out of bounds\n"),
2062 	     idx, section_name (ebl, idx), cnt - 2);
2063     }
2064 
2065   for (; cnt < 2 + nbucket + nchain; ++cnt)
2066     {
2067       if (buf + cnt >= end)
2068 	break;
2069       else if (buf[cnt] >= maxidx)
2070       ERROR (_("\
2071 section [%2d] '%s': hash chain reference %zu out of bounds\n"),
2072 	     idx, section_name (ebl, idx), cnt - 2 - nbucket);
2073     }
2074 }
2075 
2076 
2077 static void
check_sysv_hash64(Ebl * ebl,GElf_Shdr * shdr,Elf_Data * data,int idx,GElf_Shdr * symshdr)2078 check_sysv_hash64 (Ebl *ebl, GElf_Shdr *shdr, Elf_Data *data, int idx,
2079 		 GElf_Shdr *symshdr)
2080 {
2081   Elf64_Xword nbucket = ((Elf64_Xword *) data->d_buf)[0];
2082   Elf64_Xword nchain = ((Elf64_Xword *) data->d_buf)[1];
2083 
2084   uint64_t maxwords = shdr->sh_size / sizeof (Elf64_Xword);
2085   if (maxwords < 2
2086       || maxwords - 2 < nbucket
2087       || maxwords - 2 - nbucket < nchain)
2088     {
2089       ERROR (_("\
2090 section [%2d] '%s': hash table section is too small (is %ld, expected %ld)\n"),
2091 	     idx, section_name (ebl, idx), (long int) shdr->sh_size,
2092 	     (long int) ((2 + nbucket + nchain) * sizeof (Elf64_Xword)));
2093       return;
2094     }
2095 
2096   size_t maxidx = nchain;
2097 
2098   if (symshdr != NULL && symshdr->sh_entsize != 0)
2099     {
2100       size_t symsize = symshdr->sh_size / symshdr->sh_entsize;
2101 
2102       if (nchain > symshdr->sh_size / symshdr->sh_entsize)
2103 	ERROR (_("section [%2d] '%s': chain array too large\n"),
2104 	       idx, section_name (ebl, idx));
2105 
2106       maxidx = symsize;
2107     }
2108 
2109   Elf64_Xword *buf = (Elf64_Xword *) data->d_buf;
2110   Elf64_Xword *end = (Elf64_Xword *) ((char *) data->d_buf + shdr->sh_size);
2111   size_t cnt;
2112   for (cnt = 2; cnt < 2 + nbucket; ++cnt)
2113     {
2114       if (buf + cnt >= end)
2115 	break;
2116       else if (buf[cnt] >= maxidx)
2117       ERROR (_("\
2118 section [%2d] '%s': hash bucket reference %zu out of bounds\n"),
2119 	     idx, section_name (ebl, idx), cnt - 2);
2120     }
2121 
2122   for (; cnt < 2 + nbucket + nchain; ++cnt)
2123     {
2124       if (buf + cnt >= end)
2125 	break;
2126       else if (buf[cnt] >= maxidx)
2127       ERROR (_("\
2128 section [%2d] '%s': hash chain reference %" PRIu64 " out of bounds\n"),
2129 	       idx, section_name (ebl, idx), (uint64_t) cnt - 2 - nbucket);
2130     }
2131 }
2132 
2133 
2134 static void
check_gnu_hash(Ebl * ebl,GElf_Shdr * shdr,Elf_Data * data,int idx,GElf_Shdr * symshdr)2135 check_gnu_hash (Ebl *ebl, GElf_Shdr *shdr, Elf_Data *data, int idx,
2136 		GElf_Shdr *symshdr)
2137 {
2138   if (data->d_size < 4 * sizeof (Elf32_Word))
2139     {
2140       ERROR (_("\
2141 section [%2d] '%s': not enough data\n"),
2142 	     idx, section_name (ebl, idx));
2143       return;
2144     }
2145 
2146   Elf32_Word nbuckets = ((Elf32_Word *) data->d_buf)[0];
2147   Elf32_Word symbias = ((Elf32_Word *) data->d_buf)[1];
2148   Elf32_Word bitmask_words = ((Elf32_Word *) data->d_buf)[2];
2149 
2150   if (bitmask_words == 0 || !powerof2 (bitmask_words))
2151     {
2152       ERROR (_("\
2153 section [%2d] '%s': bitmask size zero or not power of 2: %u\n"),
2154 	     idx, section_name (ebl, idx), bitmask_words);
2155       return;
2156     }
2157 
2158   size_t bitmask_idxmask = bitmask_words - 1;
2159   if (gelf_getclass (ebl->elf) == ELFCLASS64)
2160     bitmask_words *= 2;
2161   Elf32_Word shift = ((Elf32_Word *) data->d_buf)[3];
2162 
2163   /* Is there still room for the sym chain?
2164      Use uint64_t calculation to prevent 32bit overflow.  */
2165   uint64_t used_buf = (4ULL + bitmask_words + nbuckets) * sizeof (Elf32_Word);
2166   if (used_buf > data->d_size)
2167     {
2168       ERROR (_("\
2169 section [%2d] '%s': hash table section is too small (is %ld, expected at least %ld)\n"),
2170 	     idx, section_name (ebl, idx), (long int) shdr->sh_size,
2171 	     (long int) used_buf);
2172       return;
2173     }
2174 
2175   if (shift > 31)
2176     {
2177       ERROR (_("\
2178 section [%2d] '%s': 2nd hash function shift too big: %u\n"),
2179 	     idx, section_name (ebl, idx), shift);
2180       return;
2181     }
2182 
2183   size_t maxidx = shdr->sh_size / sizeof (Elf32_Word) - (4 + bitmask_words
2184 							 + nbuckets);
2185 
2186   if (symshdr != NULL && symshdr->sh_entsize != 0)
2187     maxidx = MIN (maxidx, symshdr->sh_size / symshdr->sh_entsize);
2188 
2189   /* We need the symbol section data.  */
2190   Elf_Data *symdata = elf_getdata (elf_getscn (ebl->elf, shdr->sh_link), NULL);
2191 
2192   union
2193   {
2194     Elf32_Word *p32;
2195     Elf64_Xword *p64;
2196   } bitmask = { .p32 = &((Elf32_Word *) data->d_buf)[4] },
2197       collected = { .p32 = xcalloc (bitmask_words, sizeof (Elf32_Word)) };
2198 
2199   size_t classbits = gelf_getclass (ebl->elf) == ELFCLASS32 ? 32 : 64;
2200 
2201   size_t cnt;
2202   for (cnt = 4 + bitmask_words; cnt < 4 + bitmask_words + nbuckets; ++cnt)
2203     {
2204       Elf32_Word symidx = ((Elf32_Word *) data->d_buf)[cnt];
2205 
2206       if (symidx == 0)
2207 	continue;
2208 
2209       if (symidx < symbias)
2210 	{
2211 	  ERROR (_("\
2212 section [%2d] '%s': hash chain for bucket %zu lower than symbol index bias\n"),
2213 		 idx, section_name (ebl, idx), cnt - (4 + bitmask_words));
2214 	  continue;
2215 	}
2216 
2217       while (symidx - symbias < maxidx)
2218 	{
2219 	  Elf32_Word chainhash = ((Elf32_Word *) data->d_buf)[4
2220 							      + bitmask_words
2221 							      + nbuckets
2222 							      + symidx
2223 							      - symbias];
2224 
2225 	  if (symdata != NULL)
2226 	    {
2227 	      /* Check that the referenced symbol is not undefined.  */
2228 	      GElf_Sym sym_mem;
2229 	      GElf_Sym *sym = gelf_getsym (symdata, symidx, &sym_mem);
2230 	      if (sym != NULL && sym->st_shndx == SHN_UNDEF
2231 		  && GELF_ST_TYPE (sym->st_info) != STT_FUNC)
2232 		ERROR (_("\
2233 section [%2d] '%s': symbol %u referenced in chain for bucket %zu is undefined\n"),
2234 		       idx, section_name (ebl, idx), symidx,
2235 		       cnt - (4 + bitmask_words));
2236 
2237 	      const char *symname = (sym != NULL
2238 				     ? elf_strptr (ebl->elf, symshdr->sh_link,
2239 						   sym->st_name)
2240 				     : NULL);
2241 	      if (symname != NULL)
2242 		{
2243 		  Elf32_Word hval = elf_gnu_hash (symname);
2244 		  if ((hval & ~1u) != (chainhash & ~1u))
2245 		    ERROR (_("\
2246 section [%2d] '%s': hash value for symbol %u in chain for bucket %zu wrong\n"),
2247 			   idx, section_name (ebl, idx), symidx,
2248 			   cnt - (4 + bitmask_words));
2249 
2250 		  /* Set the bits in the bitmask.  */
2251 		  size_t maskidx = (hval / classbits) & bitmask_idxmask;
2252 		  if (maskidx >= bitmask_words)
2253 		    {
2254 		      ERROR (_("\
2255 section [%2d] '%s': mask index for symbol %u in chain for bucket %zu wrong\n"),
2256 			     idx, section_name (ebl, idx), symidx,
2257 			     cnt - (4 + bitmask_words));
2258 		      return;
2259 		    }
2260 		  if (classbits == 32)
2261 		    {
2262 		      collected.p32[maskidx]
2263 			|= UINT32_C (1) << (hval & (classbits - 1));
2264 		      collected.p32[maskidx]
2265 			|= UINT32_C (1) << ((hval >> shift) & (classbits - 1));
2266 		    }
2267 		  else
2268 		    {
2269 		      collected.p64[maskidx]
2270 			|= UINT64_C (1) << (hval & (classbits - 1));
2271 		      collected.p64[maskidx]
2272 			|= UINT64_C (1) << ((hval >> shift) & (classbits - 1));
2273 		    }
2274 		}
2275 	    }
2276 
2277 	  if ((chainhash & 1) != 0)
2278 	    break;
2279 
2280 	  ++symidx;
2281 	}
2282 
2283       if (symidx - symbias >= maxidx)
2284 	ERROR (_("\
2285 section [%2d] '%s': hash chain for bucket %zu out of bounds\n"),
2286 	       idx, section_name (ebl, idx), cnt - (4 + bitmask_words));
2287       else if (symshdr != NULL && symshdr->sh_entsize != 0
2288 	       && symidx > symshdr->sh_size / symshdr->sh_entsize)
2289 	ERROR (_("\
2290 section [%2d] '%s': symbol reference in chain for bucket %zu out of bounds\n"),
2291 	       idx, section_name (ebl, idx), cnt - (4 + bitmask_words));
2292     }
2293 
2294   if (memcmp (collected.p32, bitmask.p32, bitmask_words * sizeof (Elf32_Word)))
2295     ERROR (_("\
2296 section [%2d] '%s': bitmask does not match names in the hash table\n"),
2297 	   idx, section_name (ebl, idx));
2298 
2299   free (collected.p32);
2300 }
2301 
2302 
2303 static void
check_hash(int tag,Ebl * ebl,GElf_Ehdr * ehdr,GElf_Shdr * shdr,int idx)2304 check_hash (int tag, Ebl *ebl, GElf_Ehdr *ehdr, GElf_Shdr *shdr, int idx)
2305 {
2306   if (ehdr->e_type == ET_REL)
2307     {
2308       ERROR (_("\
2309 section [%2d] '%s': relocatable files cannot have hash tables\n"),
2310 	     idx, section_name (ebl, idx));
2311       return;
2312     }
2313 
2314   Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
2315   if (data == NULL || data->d_buf == NULL)
2316     {
2317       ERROR (_("section [%2d] '%s': cannot get section data\n"),
2318 	     idx, section_name (ebl, idx));
2319       return;
2320     }
2321 
2322   GElf_Shdr symshdr_mem;
2323   GElf_Shdr *symshdr = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
2324 				     &symshdr_mem);
2325   if (symshdr != NULL && symshdr->sh_type != SHT_DYNSYM)
2326     ERROR (_("\
2327 section [%2d] '%s': hash table not for dynamic symbol table\n"),
2328 	   idx, section_name (ebl, idx));
2329   else if (symshdr == NULL)
2330     ERROR (_("\
2331 section [%2d] '%s': invalid sh_link symbol table section index [%2d]\n"),
2332 	   idx, section_name (ebl, idx), shdr->sh_link);
2333 
2334   size_t expect_entsize = (tag == SHT_GNU_HASH
2335 			   ? (gelf_getclass (ebl->elf) == ELFCLASS32
2336 			      ? sizeof (Elf32_Word) : 0)
2337 			   : (size_t) ebl_sysvhash_entrysize (ebl));
2338 
2339   if (shdr->sh_entsize != expect_entsize)
2340     ERROR (_("\
2341 section [%2d] '%s': hash table entry size incorrect\n"),
2342 	   idx, section_name (ebl, idx));
2343 
2344   if ((shdr->sh_flags & SHF_ALLOC) == 0)
2345     ERROR (_("section [%2d] '%s': not marked to be allocated\n"),
2346 	   idx, section_name (ebl, idx));
2347 
2348   if (shdr->sh_size < (tag == SHT_GNU_HASH ? 4 : 2) * (expect_entsize ?: 4))
2349     {
2350       ERROR (_("\
2351 section [%2d] '%s': hash table has not even room for initial administrative entries\n"),
2352 	     idx, section_name (ebl, idx));
2353       return;
2354     }
2355 
2356   switch (tag)
2357     {
2358     case SHT_HASH:
2359       if (ebl_sysvhash_entrysize (ebl) == sizeof (Elf64_Xword))
2360 	check_sysv_hash64 (ebl, shdr, data, idx, symshdr);
2361       else
2362 	check_sysv_hash (ebl, shdr, data, idx, symshdr);
2363       break;
2364 
2365     case SHT_GNU_HASH:
2366       check_gnu_hash (ebl, shdr, data, idx, symshdr);
2367       break;
2368 
2369     default:
2370       assert (! "should not happen");
2371     }
2372 }
2373 
2374 
2375 /* Compare content of both hash tables, it must be identical.  */
2376 static void
compare_hash_gnu_hash(Ebl * ebl,GElf_Ehdr * ehdr,size_t hash_idx,size_t gnu_hash_idx)2377 compare_hash_gnu_hash (Ebl *ebl, GElf_Ehdr *ehdr, size_t hash_idx,
2378 		       size_t gnu_hash_idx)
2379 {
2380   Elf_Scn *hash_scn = elf_getscn (ebl->elf, hash_idx);
2381   Elf_Data *hash_data = elf_getdata (hash_scn, NULL);
2382   GElf_Shdr hash_shdr_mem;
2383   GElf_Shdr *hash_shdr = gelf_getshdr (hash_scn, &hash_shdr_mem);
2384   Elf_Scn *gnu_hash_scn = elf_getscn (ebl->elf, gnu_hash_idx);
2385   Elf_Data *gnu_hash_data = elf_getdata (gnu_hash_scn, NULL);
2386   GElf_Shdr gnu_hash_shdr_mem;
2387   GElf_Shdr *gnu_hash_shdr = gelf_getshdr (gnu_hash_scn, &gnu_hash_shdr_mem);
2388 
2389   if (hash_shdr == NULL || gnu_hash_shdr == NULL
2390       || hash_data == NULL || hash_data->d_buf == NULL
2391       || gnu_hash_data == NULL || gnu_hash_data->d_buf == NULL)
2392     /* None of these pointers should be NULL since we used the
2393        sections already.  We are careful nonetheless.  */
2394     return;
2395 
2396   /* The link must point to the same symbol table.  */
2397   if (hash_shdr->sh_link != gnu_hash_shdr->sh_link)
2398     {
2399       ERROR (_("\
2400 sh_link in hash sections [%2zu] '%s' and [%2zu] '%s' not identical\n"),
2401 	     hash_idx, elf_strptr (ebl->elf, shstrndx, hash_shdr->sh_name),
2402 	     gnu_hash_idx,
2403 	     elf_strptr (ebl->elf, shstrndx, gnu_hash_shdr->sh_name));
2404       return;
2405     }
2406 
2407   Elf_Scn *sym_scn = elf_getscn (ebl->elf, hash_shdr->sh_link);
2408   Elf_Data *sym_data = elf_getdata (sym_scn, NULL);
2409   GElf_Shdr sym_shdr_mem;
2410   GElf_Shdr *sym_shdr = gelf_getshdr (sym_scn, &sym_shdr_mem);
2411 
2412   if (sym_data == NULL || sym_data->d_buf == NULL
2413       || sym_shdr == NULL || sym_shdr->sh_entsize == 0)
2414     return;
2415 
2416   const char *hash_name;
2417   const char *gnu_hash_name;
2418   hash_name  = elf_strptr (ebl->elf, shstrndx, hash_shdr->sh_name);
2419   gnu_hash_name  = elf_strptr (ebl->elf, shstrndx, gnu_hash_shdr->sh_name);
2420 
2421   if (gnu_hash_data->d_size < 4 * sizeof (Elf32_Word))
2422     {
2423       ERROR (_("\
2424 hash section [%2zu] '%s' does not contain enough data\n"),
2425 	     gnu_hash_idx, gnu_hash_name);
2426       return;
2427     }
2428 
2429   uint32_t nentries = sym_shdr->sh_size / sym_shdr->sh_entsize;
2430   char *used = alloca (nentries);
2431   memset (used, '\0', nentries);
2432 
2433   /* First go over the GNU_HASH table and mark the entries as used.  */
2434   const Elf32_Word *gnu_hasharr = (Elf32_Word *) gnu_hash_data->d_buf;
2435   Elf32_Word gnu_nbucket = gnu_hasharr[0];
2436   Elf32_Word gnu_symbias = gnu_hasharr[1];
2437   const int bitmap_factor = ehdr->e_ident[EI_CLASS] == ELFCLASS32 ? 1 : 2;
2438   const Elf32_Word *gnu_bucket = (gnu_hasharr
2439 				  + (4 + gnu_hasharr[2] * bitmap_factor));
2440   const Elf32_Word *gnu_chain = gnu_bucket + gnu_hasharr[0];
2441 
2442   if (gnu_hasharr[2] == 0)
2443     {
2444       ERROR (_("\
2445 hash section [%2zu] '%s' has zero bit mask words\n"),
2446 	     gnu_hash_idx, gnu_hash_name);
2447       return;
2448     }
2449 
2450   uint64_t used_buf = ((4ULL + gnu_hasharr[2] * bitmap_factor + gnu_nbucket)
2451 		       * sizeof (Elf32_Word));
2452   uint32_t max_nsyms = (gnu_hash_data->d_size - used_buf) / sizeof (Elf32_Word);
2453   if (used_buf > gnu_hash_data->d_size)
2454     {
2455       ERROR (_("\
2456 hash section [%2zu] '%s' uses too much data\n"),
2457 	     gnu_hash_idx, gnu_hash_name);
2458       return;
2459     }
2460 
2461   for (Elf32_Word cnt = 0; cnt < gnu_nbucket; ++cnt)
2462     {
2463       if (gnu_bucket[cnt] != STN_UNDEF)
2464 	{
2465 	  Elf32_Word symidx = gnu_bucket[cnt] - gnu_symbias;
2466 	  do
2467 	    {
2468 	      if (symidx >= max_nsyms || symidx + gnu_symbias >= nentries)
2469 		{
2470 		  ERROR (_("\
2471 hash section [%2zu] '%s' invalid symbol index %" PRIu32 " (max_nsyms: %" PRIu32 ", nentries: %" PRIu32 "\n"),
2472 			 gnu_hash_idx, gnu_hash_name, symidx, max_nsyms, nentries);
2473 		  return;
2474 		}
2475 	      used[symidx + gnu_symbias] |= 1;
2476 	    }
2477 	  while ((gnu_chain[symidx++] & 1u) == 0);
2478 	}
2479     }
2480 
2481   /* Now go over the old hash table and check that we cover the same
2482      entries.  */
2483   if (hash_shdr->sh_entsize == sizeof (Elf32_Word))
2484     {
2485       const Elf32_Word *hasharr = (Elf32_Word *) hash_data->d_buf;
2486       if (hash_data->d_size < 2 * sizeof (Elf32_Word))
2487 	{
2488 	  ERROR (_("\
2489 hash section [%2zu] '%s' does not contain enough data\n"),
2490 		 hash_idx, hash_name);
2491 	  return;
2492 	}
2493 
2494       Elf32_Word nbucket = hasharr[0];
2495       Elf32_Word nchain = hasharr[1];
2496       uint64_t hash_used = (2ULL + nchain + nbucket) * sizeof (Elf32_Word);
2497       if (hash_used > hash_data->d_size)
2498 	{
2499 	  ERROR (_("\
2500 hash section [%2zu] '%s' uses too much data\n"),
2501 		 hash_idx, hash_name);
2502 	  return;
2503 	}
2504 
2505       const Elf32_Word *bucket = &hasharr[2];
2506       const Elf32_Word *chain = &hasharr[2 + nbucket];
2507 
2508       for (Elf32_Word cnt = 0; cnt < nbucket; ++cnt)
2509 	{
2510 	  Elf32_Word symidx = bucket[cnt];
2511 	  while (symidx != STN_UNDEF && symidx < nentries && symidx < nchain)
2512 	    {
2513 	      used[symidx] |= 2;
2514 	      symidx = chain[symidx];
2515 	    }
2516 	}
2517     }
2518   else if (hash_shdr->sh_entsize == sizeof (Elf64_Xword))
2519     {
2520       const Elf64_Xword *hasharr = (Elf64_Xword *) hash_data->d_buf;
2521       if (hash_data->d_size < 2 * sizeof (Elf32_Word))
2522 	{
2523 	  ERROR (_("\
2524 hash section [%2zu] '%s' does not contain enough data\n"),
2525 		 hash_idx, hash_name);
2526 	  return;
2527 	}
2528 
2529       Elf64_Xword nbucket = hasharr[0];
2530       Elf64_Xword nchain = hasharr[1];
2531       uint64_t maxwords = hash_data->d_size / sizeof (Elf64_Xword);
2532       if (maxwords < 2
2533 	  || maxwords - 2 < nbucket
2534 	  || maxwords - 2 - nbucket < nchain)
2535 	{
2536 	  ERROR (_("\
2537 hash section [%2zu] '%s' uses too much data\n"),
2538 		 hash_idx, hash_name);
2539 	  return;
2540 	}
2541 
2542       const Elf64_Xword *bucket = &hasharr[2];
2543       const Elf64_Xword *chain = &hasharr[2 + nbucket];
2544 
2545       for (Elf64_Xword cnt = 0; cnt < nbucket; ++cnt)
2546 	{
2547 	  Elf64_Xword symidx = bucket[cnt];
2548 	  while (symidx != STN_UNDEF && symidx < nentries && symidx < nchain)
2549 	    {
2550 	      used[symidx] |= 2;
2551 	      symidx = chain[symidx];
2552 	    }
2553 	}
2554     }
2555   else
2556     {
2557       ERROR (_("\
2558 hash section [%2zu] '%s' invalid sh_entsize\n"),
2559 	     hash_idx, hash_name);
2560       return;
2561     }
2562 
2563   /* Now see which entries are not set in one or both hash tables
2564      (unless the symbol is undefined in which case it can be omitted
2565      in the new table format).  */
2566   if ((used[0] & 1) != 0)
2567     ERROR (_("section [%2zu] '%s': reference to symbol index 0\n"),
2568 	   gnu_hash_idx,
2569 	   elf_strptr (ebl->elf, shstrndx, gnu_hash_shdr->sh_name));
2570   if ((used[0] & 2) != 0)
2571     ERROR (_("section [%2zu] '%s': reference to symbol index 0\n"),
2572 	   hash_idx, elf_strptr (ebl->elf, shstrndx, hash_shdr->sh_name));
2573 
2574   for (uint32_t cnt = 1; cnt < nentries; ++cnt)
2575     if (used[cnt] != 0 && used[cnt] != 3)
2576       {
2577 	if (used[cnt] == 1)
2578 	  ERROR (_("\
2579 symbol %d referenced in new hash table in [%2zu] '%s' but not in old hash table in [%2zu] '%s'\n"),
2580 		 cnt, gnu_hash_idx,
2581 		 elf_strptr (ebl->elf, shstrndx, gnu_hash_shdr->sh_name),
2582 		 hash_idx,
2583 		 elf_strptr (ebl->elf, shstrndx, hash_shdr->sh_name));
2584 	else
2585 	  {
2586 	    GElf_Sym sym_mem;
2587 	    GElf_Sym *sym = gelf_getsym (sym_data, cnt, &sym_mem);
2588 
2589 	    if (sym != NULL && sym->st_shndx != STN_UNDEF)
2590 	      ERROR (_("\
2591 symbol %d referenced in old hash table in [%2zu] '%s' but not in new hash table in [%2zu] '%s'\n"),
2592 		     cnt, hash_idx,
2593 		     elf_strptr (ebl->elf, shstrndx, hash_shdr->sh_name),
2594 		     gnu_hash_idx,
2595 		     elf_strptr (ebl->elf, shstrndx, gnu_hash_shdr->sh_name));
2596 	  }
2597       }
2598 }
2599 
2600 
2601 static void
check_null(Ebl * ebl,GElf_Shdr * shdr,int idx)2602 check_null (Ebl *ebl, GElf_Shdr *shdr, int idx)
2603 {
2604 #define TEST(name, extra) \
2605   if (extra && shdr->sh_##name != 0)					      \
2606     ERROR (_("section [%2d] '%s': nonzero sh_%s for NULL section\n"),  \
2607 	   idx, section_name (ebl, idx), #name)
2608 
2609   TEST (name, 1);
2610   TEST (flags, 1);
2611   TEST (addr, 1);
2612   TEST (offset, 1);
2613   TEST (size, idx != 0);
2614   TEST (link, idx != 0);
2615   TEST (info, 1);
2616   TEST (addralign, 1);
2617   TEST (entsize, 1);
2618 }
2619 
2620 
2621 static void
check_group(Ebl * ebl,GElf_Ehdr * ehdr,GElf_Shdr * shdr,int idx)2622 check_group (Ebl *ebl, GElf_Ehdr *ehdr, GElf_Shdr *shdr, int idx)
2623 {
2624   if (ehdr->e_type != ET_REL)
2625     {
2626       ERROR (_("\
2627 section [%2d] '%s': section groups only allowed in relocatable object files\n"),
2628 	     idx, section_name (ebl, idx));
2629       return;
2630     }
2631 
2632   /* Check that sh_link is an index of a symbol table.  */
2633   Elf_Scn *symscn = elf_getscn (ebl->elf, shdr->sh_link);
2634   GElf_Shdr symshdr_mem;
2635   GElf_Shdr *symshdr = gelf_getshdr (symscn, &symshdr_mem);
2636   if (symshdr == NULL)
2637     ERROR (_("section [%2d] '%s': cannot get symbol table: %s\n"),
2638 	   idx, section_name (ebl, idx), elf_errmsg (-1));
2639   else
2640     {
2641       if (symshdr->sh_type != SHT_SYMTAB)
2642 	ERROR (_("\
2643 section [%2d] '%s': section reference in sh_link is no symbol table\n"),
2644 	       idx, section_name (ebl, idx));
2645 
2646       if (shdr->sh_info >= symshdr->sh_size / gelf_fsize (ebl->elf, ELF_T_SYM,
2647 							  1, EV_CURRENT))
2648 	ERROR (_("\
2649 section [%2d] '%s': invalid symbol index in sh_info\n"),
2650 	       idx, section_name (ebl, idx));
2651 
2652       if (shdr->sh_flags != 0)
2653 	ERROR (_("section [%2d] '%s': sh_flags not zero\n"),
2654 	       idx, section_name (ebl, idx));
2655 
2656       GElf_Sym sym_data;
2657       GElf_Sym *sym = gelf_getsym (elf_getdata (symscn, NULL), shdr->sh_info,
2658 				   &sym_data);
2659       if (sym == NULL)
2660 	ERROR (_("\
2661 section [%2d] '%s': cannot get symbol for signature\n"),
2662 	       idx, section_name (ebl, idx));
2663       else if (elf_strptr (ebl->elf, symshdr->sh_link, sym->st_name) == NULL)
2664 	ERROR (_("\
2665 section [%2d] '%s': cannot get symbol name for signature\n"),
2666 	       idx, section_name (ebl, idx));
2667       else if (strcmp (elf_strptr (ebl->elf, symshdr->sh_link, sym->st_name),
2668 		       "") == 0)
2669 	ERROR (_("\
2670 section [%2d] '%s': signature symbol cannot be empty string\n"),
2671 	       idx, section_name (ebl, idx));
2672 
2673       if (be_strict
2674 	  && shdr->sh_entsize != elf32_fsize (ELF_T_WORD, 1, EV_CURRENT))
2675 	ERROR (_("section [%2d] '%s': sh_flags not set correctly\n"),
2676 	       idx, section_name (ebl, idx));
2677     }
2678 
2679   Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
2680   if (data == NULL || data->d_buf == NULL)
2681     ERROR (_("section [%2d] '%s': cannot get data: %s\n"),
2682 	   idx, section_name (ebl, idx), elf_errmsg (-1));
2683   else
2684     {
2685       size_t elsize = elf32_fsize (ELF_T_WORD, 1, EV_CURRENT);
2686       size_t cnt;
2687       Elf32_Word val;
2688 
2689       if (data->d_size % elsize != 0)
2690 	ERROR (_("\
2691 section [%2d] '%s': section size not multiple of sizeof(Elf32_Word)\n"),
2692 	       idx, section_name (ebl, idx));
2693 
2694       if (data->d_size < elsize)
2695 	{
2696 	  ERROR (_("\
2697 section [%2d] '%s': section group without flags word\n"),
2698 	       idx, section_name (ebl, idx));
2699 	  return;
2700 	}
2701       else if (be_strict)
2702 	{
2703 	  if (data->d_size < 2 * elsize)
2704 	    ERROR (_("\
2705 section [%2d] '%s': section group without member\n"),
2706 		   idx, section_name (ebl, idx));
2707 	  else if (data->d_size < 3 * elsize)
2708 	    ERROR (_("\
2709 section [%2d] '%s': section group with only one member\n"),
2710 		   idx, section_name (ebl, idx));
2711 	}
2712 
2713 #if ALLOW_UNALIGNED
2714       val = *((Elf32_Word *) data->d_buf);
2715 #else
2716       memcpy (&val, data->d_buf, elsize);
2717 #endif
2718       if ((val & ~GRP_COMDAT) != 0)
2719 	ERROR (_("section [%2d] '%s': unknown section group flags\n"),
2720 	       idx, section_name (ebl, idx));
2721 
2722       for (cnt = elsize; cnt + elsize <= data->d_size; cnt += elsize)
2723 	{
2724 #if ALLOW_UNALIGNED
2725 	  val = *((Elf32_Word *) ((char *) data->d_buf + cnt));
2726 #else
2727 	  memcpy (&val, (char *) data->d_buf + cnt, elsize);
2728 #endif
2729 
2730 	  if (val > shnum)
2731 	    ERROR (_("\
2732 section [%2d] '%s': section index %zu out of range\n"),
2733 		   idx, section_name (ebl, idx), cnt / elsize);
2734 	  else
2735 	    {
2736 	      GElf_Shdr refshdr_mem;
2737 	      GElf_Shdr *refshdr = gelf_getshdr (elf_getscn (ebl->elf, val),
2738 						 &refshdr_mem);
2739 	      if (refshdr == NULL)
2740 		ERROR (_("\
2741 section [%2d] '%s': cannot get section header for element %zu: %s\n"),
2742 		       idx, section_name (ebl, idx), cnt / elsize,
2743 		       elf_errmsg (-1));
2744 	      else
2745 		{
2746 		  if (refshdr->sh_type == SHT_GROUP)
2747 		    ERROR (_("\
2748 section [%2d] '%s': section group contains another group [%2d] '%s'\n"),
2749 			   idx, section_name (ebl, idx),
2750 			   val, section_name (ebl, val));
2751 
2752 		  if ((refshdr->sh_flags & SHF_GROUP) == 0)
2753 		    ERROR (_("\
2754 section [%2d] '%s': element %zu references section [%2d] '%s' without SHF_GROUP flag set\n"),
2755 			   idx, section_name (ebl, idx), cnt / elsize,
2756 			   val, section_name (ebl, val));
2757 		}
2758 
2759 	      if (val < shnum && ++scnref[val] == 2)
2760 		ERROR (_("\
2761 section [%2d] '%s' is contained in more than one section group\n"),
2762 		       val, section_name (ebl, val));
2763 	    }
2764 	}
2765     }
2766 }
2767 
2768 
2769 static const char *
section_flags_string(GElf_Word flags,char * buf,size_t len)2770 section_flags_string (GElf_Word flags, char *buf, size_t len)
2771 {
2772   if (flags == 0)
2773     return "none";
2774 
2775   static const struct
2776   {
2777     GElf_Word flag;
2778     const char *name;
2779   } known_flags[] =
2780     {
2781 #define NEWFLAG(name) { SHF_##name, #name }
2782       NEWFLAG (WRITE),
2783       NEWFLAG (ALLOC),
2784       NEWFLAG (EXECINSTR),
2785       NEWFLAG (MERGE),
2786       NEWFLAG (STRINGS),
2787       NEWFLAG (INFO_LINK),
2788       NEWFLAG (LINK_ORDER),
2789       NEWFLAG (OS_NONCONFORMING),
2790       NEWFLAG (GROUP),
2791       NEWFLAG (TLS),
2792       NEWFLAG (COMPRESSED),
2793       NEWFLAG (GNU_RETAIN),
2794       NEWFLAG (ORDERED),
2795       NEWFLAG (EXCLUDE)
2796     };
2797 #undef NEWFLAG
2798   const size_t nknown_flags = sizeof (known_flags) / sizeof (known_flags[0]);
2799 
2800   char *cp = buf;
2801 
2802   for (size_t cnt = 0; cnt < nknown_flags; ++cnt)
2803     if (flags & known_flags[cnt].flag)
2804       {
2805 	if (cp != buf && len > 1)
2806 	  {
2807 	    *cp++ = '|';
2808 	    --len;
2809 	  }
2810 
2811 	size_t ncopy = MIN (len - 1, strlen (known_flags[cnt].name));
2812 	cp = mempcpy (cp, known_flags[cnt].name, ncopy);
2813 	len -= ncopy;
2814 
2815 	flags ^= known_flags[cnt].flag;
2816       }
2817 
2818   if (flags != 0 || cp == buf)
2819     {
2820       int r = snprintf (cp, len - 1, "%s%" PRIx64,
2821 			(cp == buf) ? "" : "|", (uint64_t) flags);
2822       if (r > 0)
2823 	cp += r;
2824     }
2825   *cp = '\0';
2826 
2827   return buf;
2828 }
2829 
2830 
2831 static int
has_copy_reloc(Ebl * ebl,unsigned int symscnndx,unsigned int symndx)2832 has_copy_reloc (Ebl *ebl, unsigned int symscnndx, unsigned int symndx)
2833 {
2834   /* First find the relocation section for the symbol table.  */
2835   Elf_Scn *scn = NULL;
2836   GElf_Shdr shdr_mem;
2837   GElf_Shdr *shdr = NULL;
2838   while ((scn = elf_nextscn (ebl->elf, scn)) != NULL)
2839     {
2840       shdr = gelf_getshdr (scn, &shdr_mem);
2841       if (shdr != NULL
2842 	  && (shdr->sh_type == SHT_REL || shdr->sh_type == SHT_RELA)
2843 	  && shdr->sh_link == symscnndx)
2844 	/* Found the section.  */
2845 	break;
2846     }
2847 
2848   if (scn == NULL)
2849     return 0;
2850 
2851   Elf_Data *data = elf_getdata (scn, NULL);
2852   if (data == NULL || shdr->sh_entsize == 0)
2853     return 0;
2854 
2855   if (shdr->sh_type == SHT_REL)
2856     for (int i = 0; (size_t) i < shdr->sh_size / shdr->sh_entsize; ++i)
2857       {
2858 	GElf_Rel rel_mem;
2859 	GElf_Rel *rel = gelf_getrel (data, i, &rel_mem);
2860 	if (rel == NULL)
2861 	  continue;
2862 
2863 	if (GELF_R_SYM (rel->r_info) == symndx
2864 	    && ebl_copy_reloc_p (ebl, GELF_R_TYPE (rel->r_info)))
2865 	  return 1;
2866       }
2867   else
2868     for (int i = 0; (size_t) i < shdr->sh_size / shdr->sh_entsize; ++i)
2869       {
2870 	GElf_Rela rela_mem;
2871 	GElf_Rela *rela = gelf_getrela (data, i, &rela_mem);
2872 	if (rela == NULL)
2873 	  continue;
2874 
2875 	if (GELF_R_SYM (rela->r_info) == symndx
2876 	    && ebl_copy_reloc_p (ebl, GELF_R_TYPE (rela->r_info)))
2877 	  return 1;
2878       }
2879 
2880   return 0;
2881 }
2882 
2883 
2884 static int
in_nobits_scn(Ebl * ebl,unsigned int shndx)2885 in_nobits_scn (Ebl *ebl, unsigned int shndx)
2886 {
2887   GElf_Shdr shdr_mem;
2888   GElf_Shdr *shdr = gelf_getshdr (elf_getscn (ebl->elf, shndx), &shdr_mem);
2889   return shdr != NULL && shdr->sh_type == SHT_NOBITS;
2890 }
2891 
2892 
2893 static struct version_namelist
2894 {
2895   const char *objname;
2896   const char *name;
2897   GElf_Versym ndx;
2898   enum { ver_def, ver_need } type;
2899   struct version_namelist *next;
2900 } *version_namelist;
2901 
2902 
2903 static int
add_version(const char * objname,const char * name,GElf_Versym ndx,int type)2904 add_version (const char *objname, const char *name, GElf_Versym ndx, int type)
2905 {
2906   /* Check that there are no duplications.  */
2907   struct version_namelist *nlp = version_namelist;
2908   while (nlp != NULL)
2909     {
2910       if (((nlp->objname == NULL && objname == NULL)
2911 	   || (nlp->objname != NULL && objname != NULL
2912 	       && strcmp (nlp->objname, objname) == 0))
2913 	  && strcmp (nlp->name, name) == 0)
2914 	return nlp->type == ver_def ? 1 : -1;
2915       nlp = nlp->next;
2916     }
2917 
2918   nlp = xmalloc (sizeof (*nlp));
2919   nlp->objname = objname;
2920   nlp->name = name;
2921   nlp->ndx = ndx;
2922   nlp->type = type;
2923   nlp->next = version_namelist;
2924   version_namelist = nlp;
2925 
2926   return 0;
2927 }
2928 
2929 
2930 static void
check_versym(Ebl * ebl,int idx)2931 check_versym (Ebl *ebl, int idx)
2932 {
2933   Elf_Scn *scn = elf_getscn (ebl->elf, idx);
2934   GElf_Shdr shdr_mem;
2935   GElf_Shdr *shdr = gelf_getshdr (scn, &shdr_mem);
2936   if (shdr == NULL)
2937     /* The error has already been reported.  */
2938     return;
2939 
2940   Elf_Data *data = elf_getdata (scn, NULL);
2941   if (data == NULL)
2942     {
2943       ERROR (_("section [%2d] '%s': cannot get section data\n"),
2944 	     idx, section_name (ebl, idx));
2945       return;
2946     }
2947 
2948   Elf_Scn *symscn = elf_getscn (ebl->elf, shdr->sh_link);
2949   GElf_Shdr symshdr_mem;
2950   GElf_Shdr *symshdr = gelf_getshdr (symscn, &symshdr_mem);
2951   if (symshdr == NULL)
2952     /* The error has already been reported.  */
2953     return;
2954 
2955   if (symshdr->sh_type != SHT_DYNSYM)
2956     {
2957       ERROR (_("\
2958 section [%2d] '%s' refers in sh_link to section [%2d] '%s' which is no dynamic symbol table\n"),
2959 	     idx, section_name (ebl, idx),
2960 	     shdr->sh_link, section_name (ebl, shdr->sh_link));
2961       return;
2962     }
2963 
2964   /* The number of elements in the version symbol table must be the
2965      same as the number of symbols.  */
2966   if (shdr->sh_entsize != 0 && symshdr->sh_entsize != 0
2967       && (shdr->sh_size / shdr->sh_entsize
2968 	  != symshdr->sh_size / symshdr->sh_entsize))
2969     ERROR (_("\
2970 section [%2d] '%s' has different number of entries than symbol table [%2d] '%s'\n"),
2971 	   idx, section_name (ebl, idx),
2972 	   shdr->sh_link, section_name (ebl, shdr->sh_link));
2973 
2974   Elf_Data *symdata = elf_getdata (symscn, NULL);
2975   if (symdata == NULL || shdr->sh_entsize == 0)
2976     /* The error has already been reported.  */
2977     return;
2978 
2979   for (int cnt = 1; (size_t) cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
2980     {
2981       GElf_Versym versym_mem;
2982       GElf_Versym *versym = gelf_getversym (data, cnt, &versym_mem);
2983       if (versym == NULL)
2984 	{
2985 	  ERROR (_("\
2986 section [%2d] '%s': symbol %d: cannot read version data\n"),
2987 		 idx, section_name (ebl, idx), cnt);
2988 	  break;
2989 	}
2990 
2991       GElf_Sym sym_mem;
2992       GElf_Sym *sym = gelf_getsym (symdata, cnt, &sym_mem);
2993       if (sym == NULL)
2994 	/* Already reported elsewhere.  */
2995 	continue;
2996 
2997       if (*versym == VER_NDX_GLOBAL)
2998 	{
2999 	  /* Global symbol.  Make sure it is not defined as local.  */
3000 	  if (GELF_ST_BIND (sym->st_info) == STB_LOCAL)
3001 	    ERROR (_("\
3002 section [%2d] '%s': symbol %d: local symbol with global scope\n"),
3003 		   idx, section_name (ebl, idx), cnt);
3004 	}
3005       else if (*versym != VER_NDX_LOCAL)
3006 	{
3007 	  /* Versioned symbol.  Make sure it is not defined as local.  */
3008 	  if (!gnuld && GELF_ST_BIND (sym->st_info) == STB_LOCAL)
3009 	    ERROR (_("\
3010 section [%2d] '%s': symbol %d: local symbol with version\n"),
3011 		   idx, section_name (ebl, idx), cnt);
3012 
3013 	  /* Look through the list of defined versions and locate the
3014 	     index we need for this symbol.  */
3015 	  struct version_namelist *runp = version_namelist;
3016 	  while (runp != NULL)
3017 	    if (runp->ndx == (*versym & (GElf_Versym) 0x7fff))
3018 	      break;
3019 	    else
3020 	      runp = runp->next;
3021 
3022 	  if (runp == NULL)
3023 	    ERROR (_("\
3024 section [%2d] '%s': symbol %d: invalid version index %d\n"),
3025 		   idx, section_name (ebl, idx), cnt, (int) *versym);
3026 	  else if (sym->st_shndx == SHN_UNDEF
3027 		   && runp->type == ver_def)
3028 	    ERROR (_("\
3029 section [%2d] '%s': symbol %d: version index %d is for defined version\n"),
3030 		   idx, section_name (ebl, idx), cnt, (int) *versym);
3031 	  else if (sym->st_shndx != SHN_UNDEF
3032 		   && runp->type == ver_need)
3033 	    {
3034 	      /* Unless this symbol has a copy relocation associated
3035 		 this must not happen.  */
3036 	      if (!has_copy_reloc (ebl, shdr->sh_link, cnt)
3037 		  && !in_nobits_scn (ebl, sym->st_shndx))
3038 		ERROR (_("\
3039 section [%2d] '%s': symbol %d: version index %d is for requested version\n"),
3040 		       idx, section_name (ebl, idx), cnt, (int) *versym);
3041 	    }
3042 	}
3043     }
3044 }
3045 
3046 
3047 static int
unknown_dependency_p(Elf * elf,const char * fname)3048 unknown_dependency_p (Elf *elf, const char *fname)
3049 {
3050   GElf_Phdr phdr_mem;
3051   GElf_Phdr *phdr = NULL;
3052 
3053   unsigned int i;
3054   for (i = 0; i < phnum; ++i)
3055     if ((phdr = gelf_getphdr (elf, i, &phdr_mem)) != NULL
3056 	&& phdr->p_type == PT_DYNAMIC)
3057       break;
3058 
3059   if (i == phnum)
3060     return 1;
3061   assert (phdr != NULL);
3062   Elf_Scn *scn = gelf_offscn (elf, phdr->p_offset);
3063   GElf_Shdr shdr_mem;
3064   GElf_Shdr *shdr = gelf_getshdr (scn, &shdr_mem);
3065   Elf_Data *data = elf_getdata (scn, NULL);
3066   if (shdr != NULL && shdr->sh_type == SHT_DYNAMIC
3067       && data != NULL && shdr->sh_entsize != 0)
3068     for (size_t j = 0; j < shdr->sh_size / shdr->sh_entsize; ++j)
3069       {
3070 	GElf_Dyn dyn_mem;
3071 	GElf_Dyn *dyn = gelf_getdyn (data, j, &dyn_mem);
3072 	if (dyn != NULL && dyn->d_tag == DT_NEEDED)
3073 	  {
3074 	    const char *str = elf_strptr (elf, shdr->sh_link, dyn->d_un.d_val);
3075 	    if (str != NULL && strcmp (str, fname) == 0)
3076 	      /* Found it.  */
3077 	      return 0;
3078 	  }
3079       }
3080 
3081   return 1;
3082 }
3083 
3084 
3085 static unsigned int nverneed;
3086 
3087 static void
check_verneed(Ebl * ebl,GElf_Shdr * shdr,int idx)3088 check_verneed (Ebl *ebl, GElf_Shdr *shdr, int idx)
3089 {
3090   if (++nverneed == 2)
3091     ERROR (_("more than one version reference section present\n"));
3092 
3093   GElf_Shdr strshdr_mem;
3094   GElf_Shdr *strshdr = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
3095 				     &strshdr_mem);
3096   if (strshdr == NULL)
3097     return;
3098   if (strshdr->sh_type != SHT_STRTAB)
3099     ERROR (_("\
3100 section [%2d] '%s': sh_link does not link to string table\n"),
3101 	   idx, section_name (ebl, idx));
3102 
3103   Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
3104   if (data == NULL)
3105     {
3106       ERROR (_("section [%2d] '%s': cannot get section data\n"),
3107 	     idx, section_name (ebl, idx));
3108       return;
3109     }
3110   unsigned int offset = 0;
3111   for (Elf64_Word cnt = shdr->sh_info; cnt > 0; )
3112     {
3113       cnt--;
3114 
3115       /* Get the data at the next offset.  */
3116       GElf_Verneed needmem;
3117       GElf_Verneed *need = gelf_getverneed (data, offset, &needmem);
3118       if (need == NULL)
3119 	break;
3120 
3121       unsigned int auxoffset = offset + need->vn_aux;
3122 
3123       if (need->vn_version != EV_CURRENT)
3124 	ERROR (_("\
3125 section [%2d] '%s': entry %d has wrong version %d\n"),
3126 	       idx, section_name (ebl, idx), cnt, (int) need->vn_version);
3127 
3128       if (need->vn_cnt > 0 && need->vn_aux < gelf_fsize (ebl->elf, ELF_T_VNEED,
3129 							 1, EV_CURRENT))
3130 	{
3131 	  ERROR (_("\
3132 section [%2d] '%s': entry %d has wrong offset of auxiliary data\n"),
3133 	         idx, section_name (ebl, idx), cnt);
3134 	  break;
3135 	}
3136 
3137       const char *libname = elf_strptr (ebl->elf, shdr->sh_link,
3138 					need->vn_file);
3139       if (libname == NULL)
3140 	{
3141 	  ERROR (_("\
3142 section [%2d] '%s': entry %d has invalid file reference\n"),
3143 		 idx, section_name (ebl, idx), cnt);
3144 	  goto next_need;
3145 	}
3146 
3147       /* Check that there is a DT_NEEDED entry for the referenced library.  */
3148       if (unknown_dependency_p (ebl->elf, libname))
3149 	ERROR (_("\
3150 section [%2d] '%s': entry %d references unknown dependency\n"),
3151 	       idx, section_name (ebl, idx), cnt);
3152 
3153       for (int cnt2 = need->vn_cnt; --cnt2 >= 0; )
3154 	{
3155 	  GElf_Vernaux auxmem;
3156 	  GElf_Vernaux *aux = gelf_getvernaux (data, auxoffset, &auxmem);
3157 	  if (aux == NULL)
3158 	    break;
3159 
3160 	  if ((aux->vna_flags & ~VER_FLG_WEAK) != 0)
3161 	    ERROR (_("\
3162 section [%2d] '%s': auxiliary entry %d of entry %d has unknown flag\n"),
3163 		   idx, section_name (ebl, idx), need->vn_cnt - cnt2, cnt);
3164 
3165 	  const char *verstr = elf_strptr (ebl->elf, shdr->sh_link,
3166 					   aux->vna_name);
3167 	  if (verstr == NULL)
3168 	    {
3169 	      ERROR (_("\
3170 section [%2d] '%s': auxiliary entry %d of entry %d has invalid name reference\n"),
3171 		     idx, section_name (ebl, idx), need->vn_cnt - cnt2, cnt);
3172 	      break;
3173 	    }
3174 	  else
3175 	    {
3176 	      GElf_Word hashval = elf_hash (verstr);
3177 	      if (hashval != aux->vna_hash)
3178 		ERROR (_("\
3179 section [%2d] '%s': auxiliary entry %d of entry %d has wrong hash value: %#x, expected %#x\n"),
3180 		       idx, section_name (ebl, idx), need->vn_cnt - cnt2,
3181 		       cnt, (int) hashval, (int) aux->vna_hash);
3182 
3183 	      int res = add_version (libname, verstr, aux->vna_other,
3184 				     ver_need);
3185 	      if (unlikely (res !=0))
3186 		{
3187 		  ERROR (_("\
3188 section [%2d] '%s': auxiliary entry %d of entry %d has duplicate version name '%s'\n"),
3189 			 idx, section_name (ebl, idx), need->vn_cnt - cnt2,
3190 			 cnt, verstr);
3191 		}
3192 	    }
3193 
3194 	  if ((aux->vna_next != 0 || cnt2 > 0)
3195 	      && aux->vna_next < gelf_fsize (ebl->elf, ELF_T_VNAUX, 1,
3196 					     EV_CURRENT))
3197 	    {
3198 	      ERROR (_("\
3199 section [%2d] '%s': auxiliary entry %d of entry %d has wrong next field\n"),
3200 		     idx, section_name (ebl, idx), need->vn_cnt - cnt2, cnt);
3201 	      break;
3202 	    }
3203 
3204 	  auxoffset += MAX (aux->vna_next,
3205 			    gelf_fsize (ebl->elf, ELF_T_VNAUX, 1, EV_CURRENT));
3206 	}
3207 
3208       /* Find the next offset.  */
3209     next_need:
3210       offset += need->vn_next;
3211 
3212       if ((need->vn_next != 0 || cnt > 0)
3213 	  && offset < auxoffset)
3214 	{
3215 	  ERROR (_("\
3216 section [%2d] '%s': entry %d has invalid offset to next entry\n"),
3217 	         idx, section_name (ebl, idx), cnt);
3218 	  break;
3219 	}
3220 
3221       if (need->vn_next == 0 && cnt > 0)
3222 	{
3223 	  ERROR (_("\
3224 section [%2d] '%s': entry %d has zero offset to next entry, but sh_info says there are more entries\n"),
3225 	         idx, section_name (ebl, idx), cnt);
3226 	  break;
3227 	}
3228     }
3229 }
3230 
3231 
3232 static unsigned int nverdef;
3233 
3234 static void
check_verdef(Ebl * ebl,GElf_Shdr * shdr,int idx)3235 check_verdef (Ebl *ebl, GElf_Shdr *shdr, int idx)
3236 {
3237   if (++nverdef == 2)
3238     ERROR (_("more than one version definition section present\n"));
3239 
3240   GElf_Shdr strshdr_mem;
3241   GElf_Shdr *strshdr = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
3242 				     &strshdr_mem);
3243   if (strshdr == NULL)
3244     return;
3245   if (strshdr->sh_type != SHT_STRTAB)
3246     ERROR (_("\
3247 section [%2d] '%s': sh_link does not link to string table\n"),
3248 	   idx, section_name (ebl, idx));
3249 
3250   Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
3251   if (data == NULL)
3252     {
3253     no_data:
3254       ERROR (_("section [%2d] '%s': cannot get section data\n"),
3255 	     idx, section_name (ebl, idx));
3256       return;
3257     }
3258 
3259   /* Iterate over all version definition entries.  We check that there
3260      is a BASE entry and that each index is unique.  To do the later
3261      we collection the information in a list which is later
3262      examined.  */
3263   struct namelist
3264   {
3265     const char *name;
3266     struct namelist *next;
3267   } *namelist = NULL;
3268   struct namelist *refnamelist = NULL;
3269 
3270   bool has_base = false;
3271   unsigned int offset = 0;
3272   for (Elf64_Word cnt = shdr->sh_info; cnt > 0; )
3273     {
3274       cnt--;
3275 
3276       /* Get the data at the next offset.  */
3277       GElf_Verdef defmem;
3278       GElf_Verdef *def = gelf_getverdef (data, offset, &defmem);
3279       if (def == NULL)
3280 	goto no_data;
3281 
3282       if ((def->vd_flags & VER_FLG_BASE) != 0)
3283 	{
3284 	  if (has_base)
3285 	    ERROR (_("\
3286 section [%2d] '%s': more than one BASE definition\n"),
3287 		   idx, section_name (ebl, idx));
3288 	  if (def->vd_ndx != VER_NDX_GLOBAL)
3289 	    ERROR (_("\
3290 section [%2d] '%s': BASE definition must have index VER_NDX_GLOBAL\n"),
3291 		   idx, section_name (ebl, idx));
3292 	  has_base = true;
3293 	}
3294       if ((def->vd_flags & ~(VER_FLG_BASE|VER_FLG_WEAK)) != 0)
3295 	ERROR (_("\
3296 section [%2d] '%s': entry %d has unknown flag\n"),
3297 	       idx, section_name (ebl, idx), cnt);
3298 
3299       if (def->vd_version != EV_CURRENT)
3300 	ERROR (_("\
3301 section [%2d] '%s': entry %d has wrong version %d\n"),
3302 	       idx, section_name (ebl, idx), cnt, (int) def->vd_version);
3303 
3304       if (def->vd_cnt > 0 && def->vd_aux < gelf_fsize (ebl->elf, ELF_T_VDEF,
3305 						       1, EV_CURRENT))
3306 	{
3307 	  ERROR (_("\
3308 section [%2d] '%s': entry %d has wrong offset of auxiliary data\n"),
3309 	         idx, section_name (ebl, idx), cnt);
3310 	  break;
3311 	}
3312 
3313       unsigned int auxoffset = offset + def->vd_aux;
3314       GElf_Verdaux auxmem;
3315       GElf_Verdaux *aux = gelf_getverdaux (data, auxoffset, &auxmem);
3316       if (aux == NULL)
3317 	goto no_data;
3318 
3319       const char *name = elf_strptr (ebl->elf, shdr->sh_link, aux->vda_name);
3320       if (name == NULL)
3321 	{
3322 	  ERROR (_("\
3323 section [%2d] '%s': entry %d has invalid name reference\n"),
3324 		 idx, section_name (ebl, idx), cnt);
3325 	  goto next_def;
3326 	}
3327       GElf_Word hashval = elf_hash (name);
3328       if (def->vd_hash != hashval)
3329 	ERROR (_("\
3330 section [%2d] '%s': entry %d has wrong hash value: %#x, expected %#x\n"),
3331 	       idx, section_name (ebl, idx), cnt, (int) hashval,
3332 	       (int) def->vd_hash);
3333 
3334       int res = add_version (NULL, name, def->vd_ndx, ver_def);
3335       if (unlikely (res !=0))
3336 	{
3337 	  ERROR (_("\
3338 section [%2d] '%s': entry %d has duplicate version name '%s'\n"),
3339 		 idx, section_name (ebl, idx), cnt, name);
3340 	}
3341 
3342       struct namelist *newname = alloca (sizeof (*newname));
3343       newname->name = name;
3344       newname->next = namelist;
3345       namelist = newname;
3346 
3347       auxoffset += aux->vda_next;
3348       for (int cnt2 = 1; cnt2 < def->vd_cnt; ++cnt2)
3349 	{
3350 	  aux = gelf_getverdaux (data, auxoffset, &auxmem);
3351 	  if (aux == NULL)
3352 	    goto no_data;
3353 
3354 	  name = elf_strptr (ebl->elf, shdr->sh_link, aux->vda_name);
3355 	  if (name == NULL)
3356 	    {
3357 	      ERROR (_("\
3358 section [%2d] '%s': entry %d has invalid name reference in auxiliary data\n"),
3359 		     idx, section_name (ebl, idx), cnt);
3360 	      break;
3361 	    }
3362 	  else
3363 	    {
3364 	      newname = alloca (sizeof (*newname));
3365 	      newname->name = name;
3366 	      newname->next = refnamelist;
3367 	      refnamelist = newname;
3368 	    }
3369 
3370 	  if ((aux->vda_next != 0 || cnt2 + 1 < def->vd_cnt)
3371 	      && aux->vda_next < gelf_fsize (ebl->elf, ELF_T_VDAUX, 1,
3372 					     EV_CURRENT))
3373 	    {
3374 	      ERROR (_("\
3375 section [%2d] '%s': entry %d has wrong next field in auxiliary data\n"),
3376 		     idx, section_name (ebl, idx), cnt);
3377 	      break;
3378 	    }
3379 
3380 	  auxoffset += MAX (aux->vda_next,
3381 			    gelf_fsize (ebl->elf, ELF_T_VDAUX, 1, EV_CURRENT));
3382 	}
3383 
3384       /* Find the next offset.  */
3385     next_def:
3386       offset += def->vd_next;
3387 
3388       if ((def->vd_next != 0 || cnt > 0)
3389 	  && offset < auxoffset)
3390 	{
3391 	  ERROR (_("\
3392 section [%2d] '%s': entry %d has invalid offset to next entry\n"),
3393 	         idx, section_name (ebl, idx), cnt);
3394 	  break;
3395 	}
3396 
3397       if (def->vd_next == 0 && cnt > 0)
3398 	{
3399 	  ERROR (_("\
3400 section [%2d] '%s': entry %d has zero offset to next entry, but sh_info says there are more entries\n"),
3401 	         idx, section_name (ebl, idx), cnt);
3402 	  break;
3403 	}
3404     }
3405 
3406   if (!has_base)
3407     ERROR (_("section [%2d] '%s': no BASE definition\n"),
3408 	   idx, section_name (ebl, idx));
3409 
3410   /* Check whether the referenced names are available.  */
3411   while (namelist != NULL)
3412     {
3413       struct version_namelist *runp = version_namelist;
3414       while (runp != NULL)
3415 	{
3416 	  if (runp->type == ver_def
3417 	      && strcmp (runp->name, namelist->name) == 0)
3418 	    break;
3419 	  runp = runp->next;
3420 	}
3421 
3422       if (runp == NULL)
3423 	ERROR (_("\
3424 section [%2d] '%s': unknown parent version '%s'\n"),
3425 	       idx, section_name (ebl, idx), namelist->name);
3426 
3427       namelist = namelist->next;
3428     }
3429 }
3430 
3431 static void
check_attributes(Ebl * ebl,GElf_Ehdr * ehdr,GElf_Shdr * shdr,int idx)3432 check_attributes (Ebl *ebl, GElf_Ehdr *ehdr, GElf_Shdr *shdr, int idx)
3433 {
3434   if (shdr->sh_size == 0)
3435     {
3436       ERROR (_("section [%2d] '%s': empty object attributes section\n"),
3437 	     idx, section_name (ebl, idx));
3438       return;
3439     }
3440 
3441   Elf_Data *data = elf_rawdata (elf_getscn (ebl->elf, idx), NULL);
3442   if (data == NULL || data->d_size == 0 || data->d_buf == NULL)
3443     {
3444       ERROR (_("section [%2d] '%s': cannot get section data\n"),
3445 	     idx, section_name (ebl, idx));
3446       return;
3447     }
3448 
3449   inline size_t pos (const unsigned char *p)
3450   {
3451     return p - (const unsigned char *) data->d_buf;
3452   }
3453 
3454   const unsigned char *p = data->d_buf;
3455   if (*p++ != 'A')
3456     {
3457       ERROR (_("section [%2d] '%s': unrecognized attribute format\n"),
3458 	     idx, section_name (ebl, idx));
3459       return;
3460     }
3461 
3462   inline size_t left (void)
3463   {
3464     return (const unsigned char *) data->d_buf + data->d_size - p;
3465   }
3466 
3467   while (left () >= 4)
3468     {
3469       uint32_t len;
3470       memcpy (&len, p, sizeof len);
3471 
3472       if (len == 0)
3473 	ERROR (_("\
3474 section [%2d] '%s': offset %zu: zero length field in attribute section\n"),
3475 	       idx, section_name (ebl, idx), pos (p));
3476 
3477       if (MY_ELFDATA != ehdr->e_ident[EI_DATA])
3478 	CONVERT (len);
3479 
3480       if (len > left ())
3481 	{
3482 	  ERROR (_("\
3483 section [%2d] '%s': offset %zu: invalid length in attribute section\n"),
3484 		 idx, section_name (ebl, idx), pos (p));
3485 	  break;
3486 	}
3487 
3488       const unsigned char *name = p + sizeof len;
3489       p += len;
3490 
3491       unsigned const char *q = memchr (name, '\0', len);
3492       if (q == NULL)
3493 	{
3494 	  ERROR (_("\
3495 section [%2d] '%s': offset %zu: unterminated vendor name string\n"),
3496 		 idx, section_name (ebl, idx), pos (p));
3497 	  break;
3498 	}
3499       ++q;
3500 
3501       if (q - name == sizeof "gnu" && !memcmp (name, "gnu", sizeof "gnu"))
3502 	while (q < p)
3503 	  {
3504 	    unsigned const char *chunk = q;
3505 
3506 	    unsigned int subsection_tag;
3507 	    get_uleb128 (subsection_tag, q, p);
3508 
3509 	    if (q >= p)
3510 	      {
3511 		ERROR (_("\
3512 section [%2d] '%s': offset %zu: endless ULEB128 in attribute subsection tag\n"),
3513 		       idx, section_name (ebl, idx), pos (chunk));
3514 		break;
3515 	      }
3516 
3517 	    uint32_t subsection_len;
3518 	    if (p - q < (ptrdiff_t) sizeof subsection_len)
3519 	      {
3520 		ERROR (_("\
3521 section [%2d] '%s': offset %zu: truncated attribute section\n"),
3522 		       idx, section_name (ebl, idx), pos (q));
3523 		break;
3524 	      }
3525 
3526 	    memcpy (&subsection_len, q, sizeof subsection_len);
3527 	    if (subsection_len == 0)
3528 	      {
3529 		ERROR (_("\
3530 section [%2d] '%s': offset %zu: zero length field in attribute subsection\n"),
3531 		       idx, section_name (ebl, idx), pos (q));
3532 
3533 		q += sizeof subsection_len;
3534 		continue;
3535 	      }
3536 
3537 	    if (MY_ELFDATA != ehdr->e_ident[EI_DATA])
3538 	      CONVERT (subsection_len);
3539 
3540 	    /* Don't overflow, ptrdiff_t might be 32bits, but signed.  */
3541 	    if (p - chunk < (ptrdiff_t) subsection_len
3542 	        || subsection_len >= (uint32_t) PTRDIFF_MAX)
3543 	      {
3544 		ERROR (_("\
3545 section [%2d] '%s': offset %zu: invalid length in attribute subsection\n"),
3546 		       idx, section_name (ebl, idx), pos (q));
3547 		break;
3548 	      }
3549 
3550 	    const unsigned char *subsection_end = chunk + subsection_len;
3551 	    chunk = q;
3552 	    q = subsection_end;
3553 
3554 	    if (subsection_tag != 1) /* Tag_File */
3555 	      ERROR (_("\
3556 section [%2d] '%s': offset %zu: attribute subsection has unexpected tag %u\n"),
3557 		     idx, section_name (ebl, idx), pos (chunk), subsection_tag);
3558 	    else
3559 	      {
3560 		chunk += sizeof subsection_len;
3561 		while (chunk < q)
3562 		  {
3563 		    unsigned int tag;
3564 		    get_uleb128 (tag, chunk, q);
3565 
3566 		    uint64_t value = 0;
3567 		    const unsigned char *r = chunk;
3568 		    if (tag == 32 || (tag & 1) == 0)
3569 		      {
3570 			get_uleb128 (value, r, q);
3571 			if (r > q)
3572 			  {
3573 			    ERROR (_("\
3574 section [%2d] '%s': offset %zu: endless ULEB128 in attribute tag\n"),
3575 				   idx, section_name (ebl, idx), pos (chunk));
3576 			    break;
3577 			  }
3578 		      }
3579 		    if (tag == 32 || (tag & 1) != 0)
3580 		      {
3581 			r = memchr (r, '\0', q - r);
3582 			if (r == NULL)
3583 			  {
3584 			    ERROR (_("\
3585 section [%2d] '%s': offset %zu: unterminated string in attribute\n"),
3586 				   idx, section_name (ebl, idx), pos (chunk));
3587 			    break;
3588 			  }
3589 			++r;
3590 		      }
3591 
3592 		    const char *tag_name = NULL;
3593 		    const char *value_name = NULL;
3594 		    if (!ebl_check_object_attribute (ebl, (const char *) name,
3595 						     tag, value,
3596 						     &tag_name, &value_name))
3597 		      ERROR (_("\
3598 section [%2d] '%s': offset %zu: unrecognized attribute tag %u\n"),
3599 			     idx, section_name (ebl, idx), pos (chunk), tag);
3600 		    else if ((tag & 1) == 0 && value_name == NULL)
3601 		      ERROR (_("\
3602 section [%2d] '%s': offset %zu: unrecognized %s attribute value %" PRIu64 "\n"),
3603 			     idx, section_name (ebl, idx), pos (chunk),
3604 			     tag_name, value);
3605 
3606 		    chunk = r;
3607 		  }
3608 	      }
3609 	  }
3610       else
3611 	ERROR (_("\
3612 section [%2d] '%s': offset %zu: vendor '%s' unknown\n"),
3613 	       idx, section_name (ebl, idx), pos (p), name);
3614     }
3615 
3616   if (left () != 0)
3617     ERROR (_("\
3618 section [%2d] '%s': offset %zu: extra bytes after last attribute section\n"),
3619 	   idx, section_name (ebl, idx), pos (p));
3620 }
3621 
3622 static bool has_loadable_segment;
3623 static bool has_interp_segment;
3624 
3625 static const struct
3626 {
3627   const char *name;
3628   size_t namelen;
3629   GElf_Word type;
3630   enum { unused, exact, atleast, exact_or_gnuld } attrflag;
3631   GElf_Word attr;
3632   GElf_Word attr2;
3633 } special_sections[] =
3634   {
3635     /* See figure 4-14 in the gABI.  */
3636     { ".bss", 5, SHT_NOBITS, exact, SHF_ALLOC | SHF_WRITE, 0 },
3637     { ".comment", 8, SHT_PROGBITS, atleast, 0, SHF_MERGE | SHF_STRINGS },
3638     { ".data", 6, SHT_PROGBITS, exact, SHF_ALLOC | SHF_WRITE, 0 },
3639     { ".data1", 7, SHT_PROGBITS, exact, SHF_ALLOC | SHF_WRITE, 0 },
3640     { ".debug_str", 11, SHT_PROGBITS, exact_or_gnuld, SHF_MERGE | SHF_STRINGS, 0 },
3641     { ".debug_line_str", 16, SHT_PROGBITS, exact_or_gnuld, SHF_MERGE | SHF_STRINGS, 0 },
3642     { ".debug", 6, SHT_PROGBITS, exact, 0, 0 },
3643     { ".dynamic", 9, SHT_DYNAMIC, atleast, SHF_ALLOC, SHF_WRITE },
3644     { ".dynstr", 8, SHT_STRTAB, exact, SHF_ALLOC, 0 },
3645     { ".dynsym", 8, SHT_DYNSYM, exact, SHF_ALLOC, 0 },
3646     { ".fini", 6, SHT_PROGBITS, exact, SHF_ALLOC | SHF_EXECINSTR, 0 },
3647     { ".fini_array", 12, SHT_FINI_ARRAY, exact, SHF_ALLOC | SHF_WRITE, 0 },
3648     { ".got", 5, SHT_PROGBITS, unused, 0, 0 }, // XXX more info?
3649     { ".hash", 6, SHT_HASH, exact, SHF_ALLOC, 0 },
3650     { ".init", 6, SHT_PROGBITS, exact, SHF_ALLOC | SHF_EXECINSTR, 0 },
3651     { ".init_array", 12, SHT_INIT_ARRAY, exact, SHF_ALLOC | SHF_WRITE, 0 },
3652     { ".interp", 8, SHT_PROGBITS, atleast, 0, SHF_ALLOC }, // XXX more tests?
3653     { ".line", 6, SHT_PROGBITS, exact, 0, 0 },
3654     { ".note", 6, SHT_NOTE, atleast, 0, SHF_ALLOC },
3655     { ".plt", 5, SHT_PROGBITS, unused, 0, 0 }, // XXX more tests
3656     { ".preinit_array", 15, SHT_PREINIT_ARRAY, exact, SHF_ALLOC | SHF_WRITE, 0 },
3657     { ".rela", 5, SHT_RELA, atleast, 0, SHF_ALLOC | SHF_INFO_LINK }, // XXX more tests
3658     { ".rel", 4, SHT_REL, atleast, 0, SHF_ALLOC | SHF_INFO_LINK }, // XXX more tests
3659     { ".rodata", 8, SHT_PROGBITS, atleast, SHF_ALLOC, SHF_MERGE | SHF_STRINGS },
3660     { ".rodata1", 9, SHT_PROGBITS, atleast, SHF_ALLOC, SHF_MERGE | SHF_STRINGS },
3661     { ".shstrtab", 10, SHT_STRTAB, exact, 0, 0 },
3662     { ".strtab", 8, SHT_STRTAB, atleast, 0, SHF_ALLOC }, // XXX more tests
3663     { ".symtab", 8, SHT_SYMTAB, atleast, 0, SHF_ALLOC }, // XXX more tests
3664     { ".symtab_shndx", 14, SHT_SYMTAB_SHNDX, atleast, 0, SHF_ALLOC }, // XXX more tests
3665     { ".tbss", 6, SHT_NOBITS, exact, SHF_ALLOC | SHF_WRITE | SHF_TLS, 0 },
3666     { ".tdata", 7, SHT_PROGBITS, exact, SHF_ALLOC | SHF_WRITE | SHF_TLS, 0 },
3667     { ".tdata1", 8, SHT_PROGBITS, exact, SHF_ALLOC | SHF_WRITE | SHF_TLS, 0 },
3668     { ".text", 6, SHT_PROGBITS, exact, SHF_ALLOC | SHF_EXECINSTR, 0 },
3669 
3670     /* The following are GNU extensions.  */
3671     { ".gnu.version", 13, SHT_GNU_versym, exact, SHF_ALLOC, 0 },
3672     { ".gnu.version_d", 15, SHT_GNU_verdef, exact, SHF_ALLOC, 0 },
3673     { ".gnu.version_r", 15, SHT_GNU_verneed, exact, SHF_ALLOC, 0 },
3674     { ".gnu.attributes", 16, SHT_GNU_ATTRIBUTES, exact, 0, 0 },
3675   };
3676 #define nspecial_sections \
3677   (sizeof (special_sections) / sizeof (special_sections[0]))
3678 
3679 #define IS_KNOWN_SPECIAL(idx, string, prefix)			      \
3680   (special_sections[idx].namelen == sizeof string - (prefix ? 1 : 0)  \
3681    && !memcmp (special_sections[idx].name, string, \
3682 	       sizeof string - (prefix ? 1 : 0)))
3683 
3684 /* Extra section flags that might or might not be added to the section
3685    and have to be ignored.  */
3686 #define EXTRA_SHFLAGS (SHF_LINK_ORDER \
3687 		       | SHF_GNU_RETAIN \
3688 		       | SHF_GROUP \
3689 		       | SHF_COMPRESSED)
3690 
3691 
3692 /* Indices of some sections we need later.  */
3693 static size_t eh_frame_hdr_scnndx;
3694 static size_t eh_frame_scnndx;
3695 static size_t gcc_except_table_scnndx;
3696 
3697 
3698 static void
check_sections(Ebl * ebl,GElf_Ehdr * ehdr)3699 check_sections (Ebl *ebl, GElf_Ehdr *ehdr)
3700 {
3701   if (ehdr->e_shoff == 0)
3702     /* No section header.  */
3703     return;
3704 
3705   /* Allocate array to count references in section groups.  */
3706   scnref = (int *) xcalloc (shnum, sizeof (int));
3707 
3708   /* Check the zeroth section first.  It must not have any contents
3709      and the section header must contain nonzero value at most in the
3710      sh_size and sh_link fields.  */
3711   GElf_Shdr shdr_mem;
3712   GElf_Shdr *shdr = gelf_getshdr (elf_getscn (ebl->elf, 0), &shdr_mem);
3713   if (shdr == NULL)
3714     ERROR (_("cannot get section header of zeroth section\n"));
3715   else
3716     {
3717       if (shdr->sh_name != 0)
3718 	ERROR (_("zeroth section has nonzero name\n"));
3719       if (shdr->sh_type != 0)
3720 	ERROR (_("zeroth section has nonzero type\n"));
3721       if (shdr->sh_flags != 0)
3722 	ERROR (_("zeroth section has nonzero flags\n"));
3723       if (shdr->sh_addr != 0)
3724 	ERROR (_("zeroth section has nonzero address\n"));
3725       if (shdr->sh_offset != 0)
3726 	ERROR (_("zeroth section has nonzero offset\n"));
3727       if (shdr->sh_addralign != 0)
3728 	ERROR (_("zeroth section has nonzero align value\n"));
3729       if (shdr->sh_entsize != 0)
3730 	ERROR (_("zeroth section has nonzero entry size value\n"));
3731 
3732       if (shdr->sh_size != 0 && ehdr->e_shnum != 0)
3733 	ERROR (_("\
3734 zeroth section has nonzero size value while ELF header has nonzero shnum value\n"));
3735 
3736       if (shdr->sh_link != 0 && ehdr->e_shstrndx != SHN_XINDEX)
3737 	ERROR (_("\
3738 zeroth section has nonzero link value while ELF header does not signal overflow in shstrndx\n"));
3739 
3740       if (shdr->sh_info != 0 && ehdr->e_phnum != PN_XNUM)
3741 	ERROR (_("\
3742 zeroth section has nonzero link value while ELF header does not signal overflow in phnum\n"));
3743     }
3744 
3745   int *segment_flags = xcalloc (phnum, sizeof segment_flags[0]);
3746 
3747   bool dot_interp_section = false;
3748 
3749   size_t hash_idx = 0;
3750   size_t gnu_hash_idx = 0;
3751 
3752   size_t versym_scnndx = 0;
3753   for (size_t cnt = 1; cnt < shnum; ++cnt)
3754     {
3755       Elf_Scn *scn = elf_getscn (ebl->elf, cnt);
3756       shdr = gelf_getshdr (scn, &shdr_mem);
3757       if (shdr == NULL)
3758 	{
3759 	  ERROR (_("\
3760 cannot get section header for section [%2zu] '%s': %s\n"),
3761 		 cnt, section_name (ebl, cnt), elf_errmsg (-1));
3762 	  continue;
3763 	}
3764 
3765       const char *scnname = elf_strptr (ebl->elf, shstrndx, shdr->sh_name);
3766 
3767       if (scnname == NULL)
3768 	ERROR (_("section [%2zu]: invalid name\n"), cnt);
3769       else
3770 	{
3771 	  /* Check whether it is one of the special sections defined in
3772 	     the gABI.  */
3773 	  size_t s;
3774 	  for (s = 0; s < nspecial_sections; ++s)
3775 	    if (strncmp (scnname, special_sections[s].name,
3776 			 special_sections[s].namelen) == 0)
3777 	      {
3778 		char stbuf1[100];
3779 		char stbuf2[100];
3780 		char stbuf3[100];
3781 
3782 		GElf_Word good_type = special_sections[s].type;
3783 		if (IS_KNOWN_SPECIAL (s, ".plt", false)
3784 		    && ebl_bss_plt_p (ebl))
3785 		  good_type = SHT_NOBITS;
3786 
3787 		/* In a debuginfo file, any normal section can be SHT_NOBITS.
3788 		   This is only invalid for DWARF sections and .shstrtab.  */
3789 		if (shdr->sh_type != good_type
3790 		    && (shdr->sh_type != SHT_NOBITS
3791 			|| !is_debuginfo
3792 			|| IS_KNOWN_SPECIAL (s, ".debug_str", false)
3793 			|| IS_KNOWN_SPECIAL (s, ".debug", true)
3794 			|| IS_KNOWN_SPECIAL (s, ".shstrtab", false)))
3795 		  ERROR (_("\
3796 section [%2d] '%s' has wrong type: expected %s, is %s\n"),
3797 			 (int) cnt, scnname,
3798 			 ebl_section_type_name (ebl, special_sections[s].type,
3799 						stbuf1, sizeof (stbuf1)),
3800 			 ebl_section_type_name (ebl, shdr->sh_type,
3801 						stbuf2, sizeof (stbuf2)));
3802 
3803 		if (special_sections[s].attrflag == exact
3804 		    || special_sections[s].attrflag == exact_or_gnuld)
3805 		  {
3806 		    /* Except for the link order, retain, group bit and
3807 		       compression flag all the other bits should
3808 		       match exactly.  */
3809 		    if ((shdr->sh_flags & ~EXTRA_SHFLAGS)
3810 			!= special_sections[s].attr
3811 			&& (special_sections[s].attrflag == exact || !gnuld))
3812 		      ERROR (_("\
3813 section [%2zu] '%s' has wrong flags: expected %s, is %s\n"),
3814 			     cnt, scnname,
3815 			     section_flags_string (special_sections[s].attr,
3816 						   stbuf1, sizeof (stbuf1)),
3817 			     section_flags_string (shdr->sh_flags
3818 						   & ~EXTRA_SHFLAGS,
3819 						   stbuf2, sizeof (stbuf2)));
3820 		  }
3821 		else if (special_sections[s].attrflag == atleast)
3822 		  {
3823 		    if ((shdr->sh_flags & special_sections[s].attr)
3824 			!= special_sections[s].attr
3825 			|| ((shdr->sh_flags
3826 			     & ~(EXTRA_SHFLAGS
3827 				 | special_sections[s].attr
3828 				 | special_sections[s].attr2))
3829 			    != 0))
3830 		      ERROR (_("\
3831 section [%2zu] '%s' has wrong flags: expected %s and possibly %s, is %s\n"),
3832 			     cnt, scnname,
3833 			     section_flags_string (special_sections[s].attr,
3834 						   stbuf1, sizeof (stbuf1)),
3835 			     section_flags_string (special_sections[s].attr2,
3836 						   stbuf2, sizeof (stbuf2)),
3837 			     section_flags_string (shdr->sh_flags
3838 						   & ~EXTRA_SHFLAGS,
3839 						   stbuf3, sizeof (stbuf3)));
3840 		  }
3841 
3842 		if (strcmp (scnname, ".interp") == 0)
3843 		  {
3844 		    dot_interp_section = true;
3845 
3846 		    if (ehdr->e_type == ET_REL)
3847 		      ERROR (_("\
3848 section [%2zu] '%s' present in object file\n"),
3849 			     cnt, scnname);
3850 
3851 		    if ((shdr->sh_flags & SHF_ALLOC) != 0
3852 			&& !has_loadable_segment)
3853 		      ERROR (_("\
3854 section [%2zu] '%s' has SHF_ALLOC flag set but there is no loadable segment\n"),
3855 			     cnt, scnname);
3856 		    else if ((shdr->sh_flags & SHF_ALLOC) == 0
3857 			     && has_loadable_segment)
3858 		      ERROR (_("\
3859 section [%2zu] '%s' has SHF_ALLOC flag not set but there are loadable segments\n"),
3860 			     cnt, scnname);
3861 		  }
3862 		else
3863 		  {
3864 		    if (strcmp (scnname, ".symtab_shndx") == 0
3865 			&& ehdr->e_type != ET_REL)
3866 		      ERROR (_("\
3867 section [%2zu] '%s' is extension section index table in non-object file\n"),
3868 			     cnt, scnname);
3869 
3870 		    /* These sections must have the SHF_ALLOC flag set iff
3871 		       a loadable segment is available.
3872 
3873 		       .relxxx
3874 		       .strtab
3875 		       .symtab
3876 		       .symtab_shndx
3877 
3878 		       Check that if there is a reference from the
3879 		       loaded section these sections also have the
3880 		       ALLOC flag set.  */
3881 #if 0
3882 		    // XXX TODO
3883 		    if ((shdr->sh_flags & SHF_ALLOC) != 0
3884 			&& !has_loadable_segment)
3885 		      ERROR (_("\
3886 section [%2zu] '%s' has SHF_ALLOC flag set but there is no loadable segment\n"),
3887 			     cnt, scnname);
3888 		    else if ((shdr->sh_flags & SHF_ALLOC) == 0
3889 			     && has_loadable_segment)
3890 		      ERROR (_("\
3891 section [%2zu] '%s' has SHF_ALLOC flag not set but there are loadable segments\n"),
3892 			     cnt, scnname);
3893 #endif
3894 		  }
3895 
3896 		break;
3897 	      }
3898 
3899 	  /* Remember a few special sections for later.  */
3900 	  if (strcmp (scnname, ".eh_frame_hdr") == 0)
3901 	    eh_frame_hdr_scnndx = cnt;
3902 	  else if (strcmp (scnname, ".eh_frame") == 0)
3903 	    eh_frame_scnndx = cnt;
3904 	  else if (strcmp (scnname, ".gcc_except_table") == 0)
3905 	    gcc_except_table_scnndx = cnt;
3906 	}
3907 
3908       if (shdr->sh_entsize != 0 && shdr->sh_size % shdr->sh_entsize)
3909 	ERROR (_("\
3910 section [%2zu] '%s': size not multiple of entry size\n"),
3911 	       cnt, section_name (ebl, cnt));
3912 
3913       if (elf_strptr (ebl->elf, shstrndx, shdr->sh_name) == NULL)
3914 	ERROR (_("cannot get section header\n"));
3915 
3916       if (shdr->sh_type >= SHT_NUM
3917 	  && shdr->sh_type != SHT_GNU_ATTRIBUTES
3918 	  && shdr->sh_type != SHT_GNU_LIBLIST
3919 	  && shdr->sh_type != SHT_CHECKSUM
3920 	  && shdr->sh_type != SHT_GNU_verdef
3921 	  && shdr->sh_type != SHT_GNU_verneed
3922 	  && shdr->sh_type != SHT_GNU_versym
3923 	  && ebl_section_type_name (ebl, shdr->sh_type, NULL, 0) == NULL)
3924 	ERROR (_("section [%2zu] '%s' has unsupported type %d\n"),
3925 	       cnt, section_name (ebl, cnt),
3926 	       (int) shdr->sh_type);
3927 
3928 #define ALL_SH_FLAGS (SHF_WRITE | SHF_ALLOC | SHF_EXECINSTR | SHF_MERGE \
3929 		      | SHF_STRINGS | SHF_INFO_LINK | SHF_LINK_ORDER \
3930 		      | SHF_OS_NONCONFORMING | SHF_GROUP | SHF_TLS \
3931 		      | SHF_COMPRESSED | SHF_GNU_RETAIN)
3932       if (shdr->sh_flags & ~(GElf_Xword) ALL_SH_FLAGS)
3933 	{
3934 	  GElf_Xword sh_flags = shdr->sh_flags & ~(GElf_Xword) ALL_SH_FLAGS;
3935 	  if (sh_flags & SHF_MASKPROC)
3936 	    {
3937 	      /* Strictly speaking SHF_EXCLUDE is a processor specific
3938 		 section flag, but it is used generically in the GNU
3939 		 toolchain.  */
3940 	      if (gnuld)
3941 		sh_flags &= ~(GElf_Xword) SHF_EXCLUDE;
3942 	      if (!ebl_machine_section_flag_check (ebl,
3943 						   sh_flags & SHF_MASKPROC))
3944 		ERROR (_("section [%2zu] '%s'"
3945 				" contains invalid processor-specific flag(s)"
3946 				" %#" PRIx64 "\n"),
3947 		       cnt, section_name (ebl, cnt), sh_flags & SHF_MASKPROC);
3948 	      sh_flags &= ~(GElf_Xword) SHF_MASKPROC;
3949 	    }
3950 	  if (sh_flags & SHF_MASKOS)
3951 	    if (gnuld)
3952 	      sh_flags &= ~(GElf_Xword) SHF_GNU_RETAIN;
3953 	  if (sh_flags != 0)
3954 	    ERROR (_("section [%2zu] '%s' contains unknown flag(s)"
3955 			    " %#" PRIx64 "\n"),
3956 		   cnt, section_name (ebl, cnt), sh_flags);
3957 	}
3958       if (shdr->sh_flags & SHF_TLS)
3959 	{
3960 	  // XXX Correct?
3961 	  if (shdr->sh_addr != 0 && !gnuld)
3962 	    ERROR (_("\
3963 section [%2zu] '%s': thread-local data sections address not zero\n"),
3964 		   cnt, section_name (ebl, cnt));
3965 
3966 	  // XXX TODO more tests!?
3967 	}
3968 
3969       if (shdr->sh_flags & SHF_COMPRESSED)
3970 	{
3971 	  if (shdr->sh_flags & SHF_ALLOC)
3972 	    ERROR (_("\
3973 section [%2zu] '%s': allocated section cannot be compressed\n"),
3974 		   cnt, section_name (ebl, cnt));
3975 
3976 	  if (shdr->sh_type == SHT_NOBITS)
3977 	    ERROR (_("\
3978 section [%2zu] '%s': nobits section cannot be compressed\n"),
3979 		   cnt, section_name (ebl, cnt));
3980 
3981 	  GElf_Chdr chdr;
3982 	  if (gelf_getchdr (scn, &chdr) == NULL)
3983 	    ERROR (_("\
3984 section [%2zu] '%s': compressed section with no compression header: %s\n"),
3985 		   cnt, section_name (ebl, cnt), elf_errmsg (-1));
3986 	}
3987 
3988       if (shdr->sh_link >= shnum)
3989 	ERROR (_("\
3990 section [%2zu] '%s': invalid section reference in link value\n"),
3991 	       cnt, section_name (ebl, cnt));
3992 
3993       if (SH_INFO_LINK_P (shdr) && shdr->sh_info >= shnum)
3994 	ERROR (_("\
3995 section [%2zu] '%s': invalid section reference in info value\n"),
3996 	       cnt, section_name (ebl, cnt));
3997 
3998       if ((shdr->sh_flags & SHF_MERGE) == 0
3999 	  && (shdr->sh_flags & SHF_STRINGS) != 0
4000 	  && be_strict)
4001 	ERROR (_("\
4002 section [%2zu] '%s': strings flag set without merge flag\n"),
4003 	       cnt, section_name (ebl, cnt));
4004 
4005       if ((shdr->sh_flags & SHF_MERGE) != 0 && shdr->sh_entsize == 0)
4006 	ERROR (_("\
4007 section [%2zu] '%s': merge flag set but entry size is zero\n"),
4008 	       cnt, section_name (ebl, cnt));
4009 
4010       if (shdr->sh_flags & SHF_GROUP)
4011 	check_scn_group (ebl, cnt);
4012 
4013       if (shdr->sh_flags & SHF_EXECINSTR)
4014 	{
4015 	  switch (shdr->sh_type)
4016 	    {
4017 	    case SHT_PROGBITS:
4018 	      break;
4019 
4020 	    case SHT_NOBITS:
4021 	      if (is_debuginfo)
4022 		break;
4023 	      FALLTHROUGH;
4024 	    default:
4025 	      ERROR (_("\
4026 section [%2zu] '%s' has unexpected type %d for an executable section\n"),
4027 		     cnt, section_name (ebl, cnt), shdr->sh_type);
4028 	      break;
4029 	    }
4030 
4031 	  if (shdr->sh_flags & SHF_WRITE)
4032 	    {
4033 	      if (is_debuginfo && shdr->sh_type != SHT_NOBITS)
4034 		ERROR (_("\
4035 section [%2zu] '%s' must be of type NOBITS in debuginfo files\n"),
4036 		       cnt, section_name (ebl, cnt));
4037 
4038 	      if (!is_debuginfo
4039 		  && !ebl_check_special_section (ebl, cnt, shdr,
4040 						 section_name (ebl, cnt)))
4041 		ERROR (_("\
4042 section [%2zu] '%s' is both executable and writable\n"),
4043 		       cnt, section_name (ebl, cnt));
4044 	    }
4045 	}
4046 
4047       if (ehdr->e_type != ET_REL && (shdr->sh_flags & SHF_ALLOC) != 0
4048 	  && !is_debuginfo)
4049 	{
4050 	  /* Make sure the section is contained in a loaded segment
4051 	     and that the initialization part matches NOBITS sections.  */
4052 	  unsigned int pcnt;
4053 	  GElf_Phdr phdr_mem;
4054 	  GElf_Phdr *phdr;
4055 
4056 	  for (pcnt = 0; pcnt < phnum; ++pcnt)
4057 	    if ((phdr = gelf_getphdr (ebl->elf, pcnt, &phdr_mem)) != NULL
4058 		&& ((phdr->p_type == PT_LOAD
4059 		     && (shdr->sh_flags & SHF_TLS) == 0)
4060 		    || (phdr->p_type == PT_TLS
4061 			&& (shdr->sh_flags & SHF_TLS) != 0))
4062 		&& phdr->p_offset <= shdr->sh_offset
4063 		&& ((shdr->sh_offset - phdr->p_offset <= phdr->p_filesz
4064 		     && (shdr->sh_offset - phdr->p_offset < phdr->p_filesz
4065 			 || shdr->sh_size == 0))
4066 		    || (shdr->sh_offset - phdr->p_offset < phdr->p_memsz
4067 			&& shdr->sh_type == SHT_NOBITS)))
4068 	      {
4069 		/* Found the segment.  */
4070 		if (phdr->p_offset + phdr->p_memsz
4071 		    < shdr->sh_offset + shdr->sh_size)
4072 		  ERROR (_("\
4073 section [%2zu] '%s' not fully contained in segment of program header entry %d\n"),
4074 			 cnt, section_name (ebl, cnt), pcnt);
4075 
4076 		if (shdr->sh_type == SHT_NOBITS)
4077 		  {
4078 		    if (shdr->sh_offset < phdr->p_offset + phdr->p_filesz
4079 			&& !is_debuginfo)
4080 		      {
4081 			if (!gnuld)
4082 			  ERROR (_("\
4083 section [%2zu] '%s' has type NOBITS but is read from the file in segment of program header entry %d\n"),
4084 				 cnt, section_name (ebl, cnt), pcnt);
4085 			else
4086 			  {
4087 			    /* This is truly horrible. GNU ld might put a
4088 			       NOBITS section in the middle of a PT_LOAD
4089 			       segment, assuming the next gap in the file
4090 			       actually consists of zero bits...
4091 			       So it really is like a PROGBITS section
4092 			       where the data is all zeros.  Check those
4093 			       zero bytes are really there.  */
4094 			    bool bad;
4095 			    Elf_Data *databits;
4096 			    databits = elf_getdata_rawchunk (ebl->elf,
4097 							     shdr->sh_offset,
4098 							     shdr->sh_size,
4099 							     ELF_T_BYTE);
4100 			    bad = (databits == NULL
4101 				   || databits->d_size != shdr->sh_size);
4102 			    for (size_t idx = 0;
4103 				 idx < databits->d_size && ! bad;
4104 				 idx++)
4105 			      bad = ((char *) databits->d_buf)[idx] != 0;
4106 
4107 			    if (bad)
4108 			      ERROR (_("\
4109 section [%2zu] '%s' has type NOBITS but is read from the file in segment of program header entry %d and file contents is non-zero\n"),
4110 				     cnt, section_name (ebl, cnt), pcnt);
4111 			  }
4112 		      }
4113 		  }
4114 		else
4115 		  {
4116 		    const GElf_Off end = phdr->p_offset + phdr->p_filesz;
4117 		    if (shdr->sh_offset > end ||
4118 			(shdr->sh_offset == end && shdr->sh_size != 0))
4119 		      ERROR (_("\
4120 section [%2zu] '%s' has not type NOBITS but is not read from the file in segment of program header entry %d\n"),
4121 			 cnt, section_name (ebl, cnt), pcnt);
4122 		  }
4123 
4124 		if (shdr->sh_type != SHT_NOBITS)
4125 		  {
4126 		    if ((shdr->sh_flags & SHF_EXECINSTR) != 0)
4127 		      {
4128 			segment_flags[pcnt] |= PF_X;
4129 			if ((phdr->p_flags & PF_X) == 0)
4130 			  ERROR (_("\
4131 section [%2zu] '%s' is executable in nonexecutable segment %d\n"),
4132 				 cnt, section_name (ebl, cnt), pcnt);
4133 		      }
4134 
4135 		    if ((shdr->sh_flags & SHF_WRITE) != 0)
4136 		      {
4137 			segment_flags[pcnt] |= PF_W;
4138 			if (0	/* XXX vdso images have this */
4139 			    && (phdr->p_flags & PF_W) == 0)
4140 			  ERROR (_("\
4141 section [%2zu] '%s' is writable in unwritable segment %d\n"),
4142 				 cnt, section_name (ebl, cnt), pcnt);
4143 		      }
4144 		  }
4145 
4146 		break;
4147 	      }
4148 
4149 	  if (pcnt == phnum)
4150 	    ERROR (_("\
4151 section [%2zu] '%s': alloc flag set but section not in any loaded segment\n"),
4152 		   cnt, section_name (ebl, cnt));
4153 	}
4154 
4155       if (cnt == shstrndx && shdr->sh_type != SHT_STRTAB)
4156 	ERROR (_("\
4157 section [%2zu] '%s': ELF header says this is the section header string table but type is not SHT_TYPE\n"),
4158 	       cnt, section_name (ebl, cnt));
4159 
4160       switch (shdr->sh_type)
4161 	{
4162 	case SHT_DYNSYM:
4163 	  if (ehdr->e_type == ET_REL)
4164 	    ERROR (_("\
4165 section [%2zu] '%s': relocatable files cannot have dynamic symbol tables\n"),
4166 		   cnt, section_name (ebl, cnt));
4167 	  FALLTHROUGH;
4168 	case SHT_SYMTAB:
4169 	  check_symtab (ebl, ehdr, shdr, cnt);
4170 	  break;
4171 
4172 	case SHT_RELA:
4173 	  check_rela (ebl, ehdr, shdr, cnt);
4174 	  break;
4175 
4176 	case SHT_REL:
4177 	  check_rel (ebl, ehdr, shdr, cnt);
4178 	  break;
4179 
4180 	case SHT_DYNAMIC:
4181 	  check_dynamic (ebl, ehdr, shdr, cnt);
4182 	  break;
4183 
4184 	case SHT_SYMTAB_SHNDX:
4185 	  check_symtab_shndx (ebl, ehdr, shdr, cnt);
4186 	  break;
4187 
4188 	case SHT_HASH:
4189 	  check_hash (shdr->sh_type, ebl, ehdr, shdr, cnt);
4190 	  hash_idx = cnt;
4191 	  break;
4192 
4193 	case SHT_GNU_HASH:
4194 	  check_hash (shdr->sh_type, ebl, ehdr, shdr, cnt);
4195 	  gnu_hash_idx = cnt;
4196 	  break;
4197 
4198 	case SHT_NULL:
4199 	  check_null (ebl, shdr, cnt);
4200 	  break;
4201 
4202 	case SHT_GROUP:
4203 	  check_group (ebl, ehdr, shdr, cnt);
4204 	  break;
4205 
4206 	case SHT_NOTE:
4207 	  check_note_section (ebl, ehdr, shdr, cnt);
4208 	  break;
4209 
4210 	case SHT_GNU_versym:
4211 	  /* We cannot process this section now since we have no guarantee
4212 	     that the verneed and verdef sections have already been read.
4213 	     Just remember the section index.  */
4214 	  if (versym_scnndx != 0)
4215 	    ERROR (_("more than one version symbol table present\n"));
4216 	  versym_scnndx = cnt;
4217 	  break;
4218 
4219 	case SHT_GNU_verneed:
4220 	  check_verneed (ebl, shdr, cnt);
4221 	  break;
4222 
4223 	case SHT_GNU_verdef:
4224 	  check_verdef (ebl, shdr, cnt);
4225 	  break;
4226 
4227 	case SHT_GNU_ATTRIBUTES:
4228 	  check_attributes (ebl, ehdr, shdr, cnt);
4229 	  break;
4230 
4231 	default:
4232 	  /* Nothing.  */
4233 	  break;
4234 	}
4235     }
4236 
4237   if (has_interp_segment && !dot_interp_section)
4238     ERROR (_("INTERP program header entry but no .interp section\n"));
4239 
4240   if (!is_debuginfo)
4241     for (unsigned int pcnt = 0; pcnt < phnum; ++pcnt)
4242       {
4243 	GElf_Phdr phdr_mem;
4244 	GElf_Phdr *phdr = gelf_getphdr (ebl->elf, pcnt, &phdr_mem);
4245 	if (phdr != NULL && (phdr->p_type == PT_LOAD || phdr->p_type == PT_TLS))
4246 	  {
4247 	    if ((phdr->p_flags & PF_X) != 0
4248 		&& (segment_flags[pcnt] & PF_X) == 0)
4249 	      ERROR (_("\
4250 loadable segment [%u] is executable but contains no executable sections\n"),
4251 		     pcnt);
4252 
4253 	    if ((phdr->p_flags & PF_W) != 0
4254 		&& (segment_flags[pcnt] & PF_W) == 0)
4255 	      ERROR (_("\
4256 loadable segment [%u] is writable but contains no writable sections\n"),
4257 		     pcnt);
4258 	  }
4259       }
4260 
4261   free (segment_flags);
4262 
4263   if (version_namelist != NULL)
4264     {
4265       if (versym_scnndx == 0)
4266     ERROR (_("\
4267 no .gnu.versym section present but .gnu.versym_d or .gnu.versym_r section exist\n"));
4268       else
4269 	check_versym (ebl, versym_scnndx);
4270 
4271       /* Check for duplicate index numbers.  */
4272       do
4273 	{
4274 	  struct version_namelist *runp = version_namelist->next;
4275 	  while (runp != NULL)
4276 	    {
4277 	      if (version_namelist->ndx == runp->ndx)
4278 		{
4279 		  ERROR (_("duplicate version index %d\n"),
4280 			 (int) version_namelist->ndx);
4281 		  break;
4282 		}
4283 	      runp = runp->next;
4284 	    }
4285 
4286 	  struct version_namelist *old = version_namelist;
4287 	  version_namelist = version_namelist->next;
4288 	  free (old);
4289 	}
4290       while (version_namelist != NULL);
4291     }
4292   else if (versym_scnndx != 0)
4293     ERROR (_("\
4294 .gnu.versym section present without .gnu.versym_d or .gnu.versym_r\n"));
4295 
4296   if (hash_idx != 0 && gnu_hash_idx != 0)
4297     compare_hash_gnu_hash (ebl, ehdr, hash_idx, gnu_hash_idx);
4298 
4299   free (scnref);
4300 }
4301 
4302 
4303 static GElf_Off
check_note_data(Ebl * ebl,const GElf_Ehdr * ehdr,Elf_Data * data,int shndx,int phndx,GElf_Off start)4304 check_note_data (Ebl *ebl, const GElf_Ehdr *ehdr,
4305 		 Elf_Data *data, int shndx, int phndx, GElf_Off start)
4306 {
4307   size_t offset = 0;
4308   size_t last_offset = 0;
4309   GElf_Nhdr nhdr;
4310   size_t name_offset;
4311   size_t desc_offset;
4312   while (offset < data->d_size
4313 	 && (offset = gelf_getnote (data, offset,
4314 				    &nhdr, &name_offset, &desc_offset)) > 0)
4315     {
4316       last_offset = offset;
4317 
4318       /* Make sure it is one of the note types we know about.  */
4319       if (ehdr->e_type == ET_CORE)
4320 	switch (nhdr.n_type)
4321 	  {
4322 	  case NT_PRSTATUS:
4323 	  case NT_FPREGSET:
4324 	  case NT_PRPSINFO:
4325 	  case NT_TASKSTRUCT:		/* NT_PRXREG on Solaris.  */
4326 	  case NT_PLATFORM:
4327 	  case NT_AUXV:
4328 	  case NT_GWINDOWS:
4329 	  case NT_ASRS:
4330 	  case NT_PSTATUS:
4331 	  case NT_PSINFO:
4332 	  case NT_PRCRED:
4333 	  case NT_UTSNAME:
4334 	  case NT_LWPSTATUS:
4335 	  case NT_LWPSINFO:
4336 	  case NT_PRFPXREG:
4337 	    /* Known type.  */
4338 	    break;
4339 
4340 	  default:
4341 	    if (shndx == 0)
4342 	      ERROR (_("\
4343 phdr[%d]: unknown core file note type %" PRIu32 " at offset %" PRIu64 "\n"),
4344 		     phndx, (uint32_t) nhdr.n_type, start + offset);
4345 	    else
4346 	      ERROR (_("\
4347 section [%2d] '%s': unknown core file note type %" PRIu32
4348 			      " at offset %zu\n"),
4349 		     shndx, section_name (ebl, shndx),
4350 		     (uint32_t) nhdr.n_type, offset);
4351 	  }
4352       else
4353 	switch (nhdr.n_type)
4354 	  {
4355 	  case NT_GNU_ABI_TAG:
4356 	  case NT_GNU_HWCAP:
4357 	  case NT_GNU_BUILD_ID:
4358 	  case NT_GNU_GOLD_VERSION:
4359 	  case NT_GNU_PROPERTY_TYPE_0:
4360 	    if (nhdr.n_namesz == sizeof ELF_NOTE_GNU
4361 		&& strcmp (data->d_buf + name_offset, ELF_NOTE_GNU) == 0)
4362 	      break;
4363 	    else
4364 	      {
4365 		/* NT_VERSION is 1, same as NT_GNU_ABI_TAG.  It has no
4366 		   descriptor and (ab)uses the name as version string.  */
4367 		if (nhdr.n_descsz == 0 && nhdr.n_type == NT_VERSION)
4368 		  break;
4369 	      }
4370 	      goto unknown_note;
4371 
4372 	  case NT_GNU_BUILD_ATTRIBUTE_OPEN:
4373 	  case NT_GNU_BUILD_ATTRIBUTE_FUNC:
4374 	    /* GNU Build Attributes store most data in the owner
4375 	       name, which must start with the
4376 	       ELF_NOTE_GNU_BUILD_ATTRIBUTE_PREFIX "GA".  */
4377 	    if (nhdr.n_namesz >= sizeof ELF_NOTE_GNU_BUILD_ATTRIBUTE_PREFIX
4378 		&& strncmp (data->d_buf + name_offset,
4379 			    ELF_NOTE_GNU_BUILD_ATTRIBUTE_PREFIX,
4380 			    strlen (ELF_NOTE_GNU_BUILD_ATTRIBUTE_PREFIX)) == 0)
4381 	      break;
4382 	    else
4383 	      goto unknown_note;
4384 
4385 	  case 0:
4386 	    /* Linux vDSOs use a type 0 note for the kernel version word.  */
4387 	    if (nhdr.n_namesz == sizeof "Linux"
4388 		&& !memcmp (data->d_buf + name_offset, "Linux", sizeof "Linux"))
4389 	      break;
4390 	    FALLTHROUGH;
4391 	  default:
4392 	    {
4393 	    unknown_note:
4394 	    if (shndx == 0)
4395 	      ERROR (_("\
4396 phdr[%d]: unknown object file note type %" PRIu32 " with owner name '%s' at offset %zu\n"),
4397 		     phndx, (uint32_t) nhdr.n_type,
4398 		     (char *) data->d_buf + name_offset, offset);
4399 	    else
4400 	      ERROR (_("\
4401 section [%2d] '%s': unknown object file note type %" PRIu32
4402 			      " with owner name '%s' at offset %zu\n"),
4403 		     shndx, section_name (ebl, shndx),
4404 		     (uint32_t) nhdr.n_type,
4405 		     (char *) data->d_buf + name_offset, offset);
4406 	    }
4407 	  }
4408     }
4409 
4410   return last_offset;
4411 }
4412 
4413 
4414 static void
check_note(Ebl * ebl,GElf_Ehdr * ehdr,GElf_Phdr * phdr,int cnt)4415 check_note (Ebl *ebl, GElf_Ehdr *ehdr, GElf_Phdr *phdr, int cnt)
4416 {
4417   if (ehdr->e_type != ET_CORE && ehdr->e_type != ET_REL
4418       && ehdr->e_type != ET_EXEC && ehdr->e_type != ET_DYN)
4419     ERROR (_("\
4420 phdr[%d]: no note entries defined for the type of file\n"),
4421 	   cnt);
4422 
4423   if (is_debuginfo)
4424     /* The p_offset values in a separate debug file are bogus.  */
4425     return;
4426 
4427   if (phdr->p_filesz == 0)
4428     return;
4429 
4430   GElf_Off notes_size = 0;
4431   Elf_Data *data = elf_getdata_rawchunk (ebl->elf,
4432 					 phdr->p_offset, phdr->p_filesz,
4433 					 (phdr->p_align == 8
4434 					  ? ELF_T_NHDR8 : ELF_T_NHDR));
4435   if (data != NULL && data->d_buf != NULL)
4436     notes_size = check_note_data (ebl, ehdr, data, 0, cnt, phdr->p_offset);
4437 
4438   if (notes_size == 0)
4439     ERROR (_("phdr[%d]: cannot get content of note section: %s\n"),
4440 	   cnt, elf_errmsg (-1));
4441   else if (notes_size != phdr->p_filesz)
4442     ERROR (_("phdr[%d]: extra %" PRIu64 " bytes after last note\n"),
4443 	   cnt, phdr->p_filesz - notes_size);
4444 }
4445 
4446 
4447 static void
check_note_section(Ebl * ebl,GElf_Ehdr * ehdr,GElf_Shdr * shdr,int idx)4448 check_note_section (Ebl *ebl, GElf_Ehdr *ehdr, GElf_Shdr *shdr, int idx)
4449 {
4450   if (shdr->sh_size == 0)
4451     return;
4452 
4453   Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
4454   if (data == NULL || data->d_buf == NULL)
4455     {
4456       ERROR (_("section [%2d] '%s': cannot get section data\n"),
4457 	     idx, section_name (ebl, idx));
4458       return;
4459     }
4460 
4461   if (ehdr->e_type != ET_CORE && ehdr->e_type != ET_REL
4462       && ehdr->e_type != ET_EXEC && ehdr->e_type != ET_DYN)
4463     ERROR (_("\
4464 section [%2d] '%s': no note entries defined for the type of file\n"),
4465 	     idx, section_name (ebl, idx));
4466 
4467   GElf_Off notes_size = check_note_data (ebl, ehdr, data, idx, 0, 0);
4468 
4469   if (notes_size == 0)
4470     ERROR (_("section [%2d] '%s': cannot get content of note section\n"),
4471 	   idx, section_name (ebl, idx));
4472   else if (notes_size != shdr->sh_size)
4473     ERROR (_("section [%2d] '%s': extra %" PRIu64
4474 		    " bytes after last note\n"),
4475 	   idx, section_name (ebl, idx), shdr->sh_size - notes_size);
4476 }
4477 
4478 
4479 /* Index of the PT_GNU_EH_FRAME program eader entry.  */
4480 static int pt_gnu_eh_frame_pndx;
4481 
4482 
4483 static void
check_program_header(Ebl * ebl,GElf_Ehdr * ehdr)4484 check_program_header (Ebl *ebl, GElf_Ehdr *ehdr)
4485 {
4486   if (ehdr->e_phoff == 0)
4487     return;
4488 
4489   if (ehdr->e_type != ET_EXEC && ehdr->e_type != ET_DYN
4490       && ehdr->e_type != ET_CORE)
4491     ERROR (_("\
4492 only executables, shared objects, and core files can have program headers\n"));
4493 
4494   int num_pt_interp = 0;
4495   int num_pt_tls = 0;
4496   int num_pt_relro = 0;
4497 
4498   for (unsigned int cnt = 0; cnt < phnum; ++cnt)
4499     {
4500       GElf_Phdr phdr_mem;
4501       GElf_Phdr *phdr;
4502 
4503       phdr = gelf_getphdr (ebl->elf, cnt, &phdr_mem);
4504       if (phdr == NULL)
4505 	{
4506 	  ERROR (_("cannot get program header entry %d: %s\n"),
4507 		 cnt, elf_errmsg (-1));
4508 	  continue;
4509 	}
4510 
4511       if (phdr->p_type >= PT_NUM && phdr->p_type != PT_GNU_EH_FRAME
4512 	  && phdr->p_type != PT_GNU_STACK && phdr->p_type != PT_GNU_RELRO
4513 	  && phdr->p_type != PT_GNU_PROPERTY
4514 	  /* Check for a known machine-specific type.  */
4515 	  && ebl_segment_type_name (ebl, phdr->p_type, NULL, 0) == NULL)
4516 	ERROR (_("\
4517 program header entry %d: unknown program header entry type %#" PRIx64 "\n"),
4518 	       cnt, (uint64_t) phdr->p_type);
4519 
4520       if (phdr->p_type == PT_LOAD)
4521 	has_loadable_segment = true;
4522       else if (phdr->p_type == PT_INTERP)
4523 	{
4524 	  if (++num_pt_interp != 1)
4525 	    {
4526 	      if (num_pt_interp == 2)
4527 		ERROR (_("\
4528 more than one INTERP entry in program header\n"));
4529 	    }
4530 	  has_interp_segment = true;
4531 	}
4532       else if (phdr->p_type == PT_TLS)
4533 	{
4534 	  if (++num_pt_tls == 2)
4535 	    ERROR (_("more than one TLS entry in program header\n"));
4536 	}
4537       else if (phdr->p_type == PT_NOTE)
4538 	check_note (ebl, ehdr, phdr, cnt);
4539       else if (phdr->p_type == PT_DYNAMIC)
4540 	{
4541 	  if (ehdr->e_type == ET_EXEC && ! has_interp_segment)
4542 	    ERROR (_("\
4543 static executable cannot have dynamic sections\n"));
4544 	  else
4545 	    {
4546 	      /* Check that the .dynamic section, if it exists, has
4547 		 the same address.  */
4548 	      Elf_Scn *scn = NULL;
4549 	      while ((scn = elf_nextscn (ebl->elf, scn)) != NULL)
4550 		{
4551 		  GElf_Shdr shdr_mem;
4552 		  GElf_Shdr *shdr = gelf_getshdr (scn, &shdr_mem);
4553 		  if (shdr != NULL && shdr->sh_type == SHT_DYNAMIC)
4554 		    {
4555 		      if (phdr->p_offset != shdr->sh_offset)
4556 			ERROR (_("\
4557 dynamic section reference in program header has wrong offset\n"));
4558 		      if (phdr->p_memsz != shdr->sh_size)
4559 			ERROR (_("\
4560 dynamic section size mismatch in program and section header\n"));
4561 		      break;
4562 		    }
4563 		}
4564 	    }
4565 	}
4566       else if (phdr->p_type == PT_GNU_RELRO)
4567 	{
4568 	  if (++num_pt_relro == 2)
4569 	    ERROR (_("\
4570 more than one GNU_RELRO entry in program header\n"));
4571 	  else
4572 	    {
4573 	      /* Check that the region is in a writable segment.  */
4574 	      unsigned int inner;
4575 	      for (inner = 0; inner < phnum; ++inner)
4576 		{
4577 		  GElf_Phdr phdr2_mem;
4578 		  GElf_Phdr *phdr2;
4579 
4580 		  phdr2 = gelf_getphdr (ebl->elf, inner, &phdr2_mem);
4581 		  if (phdr2 == NULL)
4582 		    continue;
4583 
4584 		  if (phdr2->p_type == PT_LOAD
4585 		      && phdr->p_vaddr >= phdr2->p_vaddr
4586 		      && (phdr->p_vaddr + phdr->p_memsz
4587 			  <= phdr2->p_vaddr + phdr2->p_memsz))
4588 		    {
4589 		      if ((phdr2->p_flags & PF_W) == 0)
4590 			ERROR (_("\
4591 loadable segment GNU_RELRO applies to is not writable\n"));
4592 		      /* Unless fully covered, relro flags could be a
4593 			 subset of the phdrs2 flags.  For example the load
4594 			 segment could also have PF_X set.  */
4595 		      if (phdr->p_vaddr == phdr2->p_vaddr
4596 			  && (phdr->p_vaddr + phdr->p_memsz
4597 			      == phdr2->p_vaddr + phdr2->p_memsz))
4598 			{
4599 			  if ((phdr2->p_flags & ~PF_W)
4600 			      != (phdr->p_flags & ~PF_W))
4601 			    ERROR (_("\
4602 loadable segment [%u] flags do not match GNU_RELRO [%u] flags\n"),
4603 				   cnt, inner);
4604 			}
4605 		      else
4606 			{
4607 			  if ((phdr->p_flags & ~phdr2->p_flags) != 0)
4608 			    ERROR (_("\
4609 GNU_RELRO [%u] flags are not a subset of the loadable segment [%u] flags\n"),
4610 				   inner, cnt);
4611 			}
4612 		      break;
4613 		    }
4614 		}
4615 
4616 	      if (inner >= phnum)
4617 		ERROR (_("\
4618 %s segment not contained in a loaded segment\n"), "GNU_RELRO");
4619 	    }
4620 	}
4621       else if (phdr->p_type == PT_PHDR)
4622 	{
4623 	  /* Check that the region is in a writable segment.  */
4624 	  unsigned int inner;
4625 	  for (inner = 0; inner < phnum; ++inner)
4626 	    {
4627 	      GElf_Phdr phdr2_mem;
4628 	      GElf_Phdr *phdr2;
4629 
4630 	      phdr2 = gelf_getphdr (ebl->elf, inner, &phdr2_mem);
4631 	      if (phdr2 != NULL
4632 		  && phdr2->p_type == PT_LOAD
4633 		  && phdr->p_vaddr >= phdr2->p_vaddr
4634 		  && (phdr->p_vaddr + phdr->p_memsz
4635 		      <= phdr2->p_vaddr + phdr2->p_memsz))
4636 		break;
4637 	    }
4638 
4639 	  if (inner >= phnum)
4640 	    ERROR (_("\
4641 %s segment not contained in a loaded segment\n"), "PHDR");
4642 
4643 	  /* Check that offset in segment corresponds to offset in ELF
4644 	     header.  */
4645 	  if (phdr->p_offset != ehdr->e_phoff)
4646 	    ERROR (_("\
4647 program header offset in ELF header and PHDR entry do not match"));
4648 	}
4649       else if (phdr->p_type == PT_GNU_EH_FRAME)
4650 	{
4651 	  /* If there is an .eh_frame_hdr section it must be
4652 	     referenced by this program header entry.  */
4653 	  Elf_Scn *scn = NULL;
4654 	  GElf_Shdr shdr_mem;
4655 	  GElf_Shdr *shdr = NULL;
4656 	  bool any = false;
4657 	  while ((scn = elf_nextscn (ebl->elf, scn)) != NULL)
4658 	    {
4659 	      any = true;
4660 	      shdr = gelf_getshdr (scn, &shdr_mem);
4661 	      if (shdr != NULL
4662 		  && ((is_debuginfo && shdr->sh_type == SHT_NOBITS)
4663 		      || (! is_debuginfo
4664 			  && (shdr->sh_type == SHT_PROGBITS
4665 			      || shdr->sh_type == SHT_X86_64_UNWIND)))
4666 		  && elf_strptr (ebl->elf, shstrndx, shdr->sh_name) != NULL
4667 		  && ! strcmp (".eh_frame_hdr",
4668 			       elf_strptr (ebl->elf, shstrndx, shdr->sh_name)))
4669 		{
4670 		  if (! is_debuginfo)
4671 		    {
4672 		      if (phdr->p_offset != shdr->sh_offset)
4673 			ERROR (_("\
4674 call frame search table reference in program header has wrong offset\n"));
4675 		      if (phdr->p_memsz != shdr->sh_size)
4676 			ERROR (_("\
4677 call frame search table size mismatch in program and section header\n"));
4678 		    }
4679 		  break;
4680 		}
4681 	    }
4682 
4683 	  if (scn == NULL)
4684 	    {
4685 	      /* If there is no section header table we don't
4686 		 complain.  But if there is one there should be an
4687 		 entry for .eh_frame_hdr.  */
4688 	      if (any)
4689 		ERROR (_("\
4690 PT_GNU_EH_FRAME present but no .eh_frame_hdr section\n"));
4691 	    }
4692 	  else
4693 	    {
4694 	      /* The section must be allocated and not be writable and
4695 		 executable.  */
4696 	      if ((phdr->p_flags & PF_R) == 0)
4697 		ERROR (_("\
4698 call frame search table must be allocated\n"));
4699 	      else if (shdr != NULL && (shdr->sh_flags & SHF_ALLOC) == 0)
4700 		ERROR (_("\
4701 section [%2zu] '%s' must be allocated\n"), elf_ndxscn (scn), ".eh_frame_hdr");
4702 
4703 	      if ((phdr->p_flags & PF_W) != 0)
4704 		ERROR (_("\
4705 call frame search table must not be writable\n"));
4706 	      else if (shdr != NULL && (shdr->sh_flags & SHF_WRITE) != 0)
4707 		ERROR (_("\
4708 section [%2zu] '%s' must not be writable\n"),
4709 		       elf_ndxscn (scn), ".eh_frame_hdr");
4710 
4711 	      if ((phdr->p_flags & PF_X) != 0)
4712 		ERROR (_("\
4713 call frame search table must not be executable\n"));
4714 	      else if (shdr != NULL && (shdr->sh_flags & SHF_EXECINSTR) != 0)
4715 		ERROR (_("\
4716 section [%2zu] '%s' must not be executable\n"),
4717 		       elf_ndxscn (scn), ".eh_frame_hdr");
4718 	    }
4719 
4720 	  /* Remember which entry this is.  */
4721 	  pt_gnu_eh_frame_pndx = cnt;
4722 	}
4723 
4724       if (phdr->p_filesz > phdr->p_memsz
4725 	  && (phdr->p_memsz != 0 || phdr->p_type != PT_NOTE))
4726 	ERROR (_("\
4727 program header entry %d: file size greater than memory size\n"),
4728 	       cnt);
4729 
4730       if (phdr->p_align > 1)
4731 	{
4732 	  if (!powerof2 (phdr->p_align))
4733 	    ERROR (_("\
4734 program header entry %d: alignment not a power of 2\n"), cnt);
4735 	  else if ((phdr->p_vaddr - phdr->p_offset) % phdr->p_align != 0)
4736 	    ERROR (_("\
4737 program header entry %d: file offset and virtual address not module of alignment\n"), cnt);
4738 	}
4739     }
4740 }
4741 
4742 
4743 static void
check_exception_data(Ebl * ebl,GElf_Ehdr * ehdr)4744 check_exception_data (Ebl *ebl __attribute__ ((unused)),
4745 		      GElf_Ehdr *ehdr __attribute__ ((unused)))
4746 {
4747   if ((ehdr->e_type == ET_EXEC || ehdr->e_type == ET_DYN)
4748       && pt_gnu_eh_frame_pndx == 0 && eh_frame_hdr_scnndx != 0)
4749     ERROR (_("executable/DSO with .eh_frame_hdr section does not have "
4750 		    "a PT_GNU_EH_FRAME program header entry"));
4751 }
4752 
4753 
4754 /* Process one file.  */
4755 static void
process_elf_file(Elf * elf,const char * prefix,const char * suffix,const char * fname,size_t size,bool only_one)4756 process_elf_file (Elf *elf, const char *prefix, const char *suffix,
4757 		  const char *fname, size_t size, bool only_one)
4758 {
4759   /* Reset variables.  */
4760   ndynamic = 0;
4761   nverneed = 0;
4762   nverdef = 0;
4763   textrel = false;
4764   needed_textrel = false;
4765   has_loadable_segment = false;
4766   has_interp_segment = false;
4767 
4768   GElf_Ehdr ehdr_mem;
4769   GElf_Ehdr *ehdr = gelf_getehdr (elf, &ehdr_mem);
4770   Ebl *ebl;
4771 
4772   /* Print the file name.  */
4773   if (!only_one)
4774     {
4775       if (prefix != NULL)
4776 	printf ("\n%s(%s)%s:\n", prefix, fname, suffix);
4777       else
4778 	printf ("\n%s:\n", fname);
4779     }
4780 
4781   if (ehdr == NULL)
4782     {
4783       ERROR (_("cannot read ELF header: %s\n"), elf_errmsg (-1));
4784       return;
4785     }
4786 
4787   ebl = ebl_openbackend (elf);
4788   /* If there is no appropriate backend library we cannot test
4789      architecture and OS specific features.  Any encountered extension
4790      is an error.  Often we'll get a "dummy" ebl, except if something
4791      really bad happen, like a totally corrupted ELF file or out of
4792      memory situation.  */
4793   if (ebl == NULL)
4794     {
4795       ERROR (_("cannot create backend for ELF file\n"));
4796       return;
4797     }
4798 
4799   /* Go straight by the gABI, check all the parts in turn.  */
4800   check_elf_header (ebl, ehdr, size);
4801 
4802   /* Check the program header.  */
4803   check_program_header (ebl, ehdr);
4804 
4805   /* Next the section headers.  It is OK if there are no section
4806      headers at all.  */
4807   check_sections (ebl, ehdr);
4808 
4809   /* Check the exception handling data, if it exists.  */
4810   if (pt_gnu_eh_frame_pndx != 0 || eh_frame_hdr_scnndx != 0
4811       || eh_frame_scnndx != 0 || gcc_except_table_scnndx != 0)
4812     check_exception_data (ebl, ehdr);
4813 
4814   /* Report if no relocation section needed the text relocation flag.  */
4815   if (textrel && !needed_textrel)
4816     ERROR (_("text relocation flag set but not needed\n"));
4817 
4818   /* Free the resources.  */
4819   ebl_closebackend (ebl);
4820 }
4821 
4822 
4823 #include "debugpred.h"
4824