2 * Copyright (c) Christos Zoulas 2003.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice immediately at the beginning of the file, without modification,
10 * this list of conditions, and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR
19 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 FILE_RCSID("@(#)$File: readelf.c,v 1.117 2014/12/16 23:29:42 christos Exp $")
45 private int dophn_core(struct magic_set
*, int, int, int, off_t
, int, size_t,
46 off_t
, int *, uint16_t *);
48 private int dophn_exec(struct magic_set
*, int, int, int, off_t
, int, size_t,
49 off_t
, int, int *, uint16_t *);
50 private int doshn(struct magic_set
*, int, int, int, off_t
, int, size_t,
51 off_t
, int, int, int *, uint16_t *);
52 private size_t donote(struct magic_set
*, void *, size_t, size_t, int,
53 int, size_t, int *, uint16_t *);
55 #define ELF_ALIGN(a) ((((a) + align - 1) / align) * align)
57 #define isquote(c) (strchr("'\"`", (c)) != NULL)
59 private uint16_t getu16(int, uint16_t);
60 private uint32_t getu32(int, uint32_t);
61 private uint64_t getu64(int, uint64_t);
64 #define MAX_SHNUM 32768
65 #define SIZE_UNKNOWN ((off_t)-1)
68 toomany(struct magic_set
*ms
, const char *name
, uint16_t num
)
70 if (file_printf(ms
, ", too many %s (%u)", name
, num
77 getu16(int swap
, uint16_t value
)
87 retval
.c
[0] = tmpval
.c
[1];
88 retval
.c
[1] = tmpval
.c
[0];
96 getu32(int swap
, uint32_t value
)
106 retval
.c
[0] = tmpval
.c
[3];
107 retval
.c
[1] = tmpval
.c
[2];
108 retval
.c
[2] = tmpval
.c
[1];
109 retval
.c
[3] = tmpval
.c
[0];
117 getu64(int swap
, uint64_t value
)
127 retval
.c
[0] = tmpval
.c
[7];
128 retval
.c
[1] = tmpval
.c
[6];
129 retval
.c
[2] = tmpval
.c
[5];
130 retval
.c
[3] = tmpval
.c
[4];
131 retval
.c
[4] = tmpval
.c
[3];
132 retval
.c
[5] = tmpval
.c
[2];
133 retval
.c
[6] = tmpval
.c
[1];
134 retval
.c
[7] = tmpval
.c
[0];
141 #define elf_getu16(swap, value) getu16(swap, value)
142 #define elf_getu32(swap, value) getu32(swap, value)
143 #define elf_getu64(swap, value) getu64(swap, value)
145 #define xsh_addr (clazz == ELFCLASS32 \
148 #define xsh_sizeof (clazz == ELFCLASS32 \
151 #define xsh_size (size_t)(clazz == ELFCLASS32 \
152 ? elf_getu32(swap, sh32.sh_size) \
153 : elf_getu64(swap, sh64.sh_size))
154 #define xsh_offset (off_t)(clazz == ELFCLASS32 \
155 ? elf_getu32(swap, sh32.sh_offset) \
156 : elf_getu64(swap, sh64.sh_offset))
157 #define xsh_type (clazz == ELFCLASS32 \
158 ? elf_getu32(swap, sh32.sh_type) \
159 : elf_getu32(swap, sh64.sh_type))
160 #define xsh_name (clazz == ELFCLASS32 \
161 ? elf_getu32(swap, sh32.sh_name) \
162 : elf_getu32(swap, sh64.sh_name))
163 #define xph_addr (clazz == ELFCLASS32 \
166 #define xph_sizeof (clazz == ELFCLASS32 \
169 #define xph_type (clazz == ELFCLASS32 \
170 ? elf_getu32(swap, ph32.p_type) \
171 : elf_getu32(swap, ph64.p_type))
172 #define xph_offset (off_t)(clazz == ELFCLASS32 \
173 ? elf_getu32(swap, ph32.p_offset) \
174 : elf_getu64(swap, ph64.p_offset))
175 #define xph_align (size_t)((clazz == ELFCLASS32 \
176 ? (off_t) (ph32.p_align ? \
177 elf_getu32(swap, ph32.p_align) : 4) \
178 : (off_t) (ph64.p_align ? \
179 elf_getu64(swap, ph64.p_align) : 4)))
180 #define xph_filesz (size_t)((clazz == ELFCLASS32 \
181 ? elf_getu32(swap, ph32.p_filesz) \
182 : elf_getu64(swap, ph64.p_filesz)))
183 #define xnh_addr (clazz == ELFCLASS32 \
186 #define xph_memsz (size_t)((clazz == ELFCLASS32 \
187 ? elf_getu32(swap, ph32.p_memsz) \
188 : elf_getu64(swap, ph64.p_memsz)))
189 #define xnh_sizeof (clazz == ELFCLASS32 \
192 #define xnh_type (clazz == ELFCLASS32 \
193 ? elf_getu32(swap, nh32.n_type) \
194 : elf_getu32(swap, nh64.n_type))
195 #define xnh_namesz (clazz == ELFCLASS32 \
196 ? elf_getu32(swap, nh32.n_namesz) \
197 : elf_getu32(swap, nh64.n_namesz))
198 #define xnh_descsz (clazz == ELFCLASS32 \
199 ? elf_getu32(swap, nh32.n_descsz) \
200 : elf_getu32(swap, nh64.n_descsz))
201 #define prpsoffsets(i) (clazz == ELFCLASS32 \
204 #define xcap_addr (clazz == ELFCLASS32 \
207 #define xcap_sizeof (clazz == ELFCLASS32 \
210 #define xcap_tag (clazz == ELFCLASS32 \
211 ? elf_getu32(swap, cap32.c_tag) \
212 : elf_getu64(swap, cap64.c_tag))
213 #define xcap_val (clazz == ELFCLASS32 \
214 ? elf_getu32(swap, cap32.c_un.c_val) \
215 : elf_getu64(swap, cap64.c_un.c_val))
219 * Try larger offsets first to avoid false matches
220 * from earlier data that happen to look like strings.
222 static const size_t prpsoffsets32
[] = {
224 104, /* SunOS 5.x (command line) */
225 88, /* SunOS 5.x (short name) */
226 #endif /* USE_NT_PSINFO */
228 100, /* SunOS 5.x (command line) */
229 84, /* SunOS 5.x (short name) */
231 44, /* Linux (command line) */
232 28, /* Linux 2.0.36 (short name) */
237 static const size_t prpsoffsets64
[] = {
239 152, /* SunOS 5.x (command line) */
240 136, /* SunOS 5.x (short name) */
241 #endif /* USE_NT_PSINFO */
243 136, /* SunOS 5.x, 64-bit (command line) */
244 120, /* SunOS 5.x, 64-bit (short name) */
246 56, /* Linux (command line) */
247 40, /* Linux (tested on core from 2.4.x, short name) */
249 16, /* FreeBSD, 64-bit */
252 #define NOFFSETS32 (sizeof prpsoffsets32 / sizeof prpsoffsets32[0])
253 #define NOFFSETS64 (sizeof prpsoffsets64 / sizeof prpsoffsets64[0])
255 #define NOFFSETS (clazz == ELFCLASS32 ? NOFFSETS32 : NOFFSETS64)
258 * Look through the program headers of an executable image, searching
259 * for a PT_NOTE section of type NT_PRPSINFO, with a name "CORE" or
260 * "FreeBSD"; if one is found, try looking in various places in its
261 * contents for a 16-character string containing only printable
262 * characters - if found, that string should be the name of the program
263 * that dropped core. Note: right after that 16-character string is,
264 * at least in SunOS 5.x (and possibly other SVR4-flavored systems) and
265 * Linux, a longer string (80 characters, in 5.x, probably other
266 * SVR4-flavored systems, and Linux) containing the start of the
267 * command line for that program.
269 * SunOS 5.x core files contain two PT_NOTE sections, with the types
270 * NT_PRPSINFO (old) and NT_PSINFO (new). These structs contain the
271 * same info about the command name and command line, so it probably
272 * isn't worthwhile to look for NT_PSINFO, but the offsets are provided
273 * above (see USE_NT_PSINFO), in case we ever decide to do so. The
274 * NT_PRPSINFO and NT_PSINFO sections are always in order and adjacent;
275 * the SunOS 5.x file command relies on this (and prefers the latter).
277 * The signal number probably appears in a section of type NT_PRSTATUS,
278 * but that's also rather OS-dependent, in ways that are harder to
279 * dissect with heuristics, so I'm not bothering with the signal number.
280 * (I suppose the signal number could be of interest in situations where
281 * you don't have the binary of the program that dropped core; if you
282 * *do* have that binary, the debugger will probably tell you what
286 #define OS_STYLE_SVR4 0
287 #define OS_STYLE_FREEBSD 1
288 #define OS_STYLE_NETBSD 2
290 private const char os_style_names
[][8] = {
296 #define FLAGS_DID_CORE 0x001
297 #define FLAGS_DID_OS_NOTE 0x002
298 #define FLAGS_DID_BUILD_ID 0x004
299 #define FLAGS_DID_CORE_STYLE 0x008
300 #define FLAGS_DID_NETBSD_PAX 0x010
301 #define FLAGS_DID_NETBSD_MARCH 0x020
302 #define FLAGS_DID_NETBSD_CMODEL 0x040
303 #define FLAGS_DID_NETBSD_UNKNOWN 0x080
304 #define FLAGS_IS_CORE 0x100
307 dophn_core(struct magic_set
*ms
, int clazz
, int swap
, int fd
, off_t off
,
308 int num
, size_t size
, off_t fsize
, int *flags
, uint16_t *notecount
)
313 unsigned char nbuf
[BUFSIZ
];
316 if (size
!= xph_sizeof
) {
317 if (file_printf(ms
, ", corrupted program header size") == -1)
323 * Loop through all the program headers.
325 for ( ; num
; num
--) {
326 if (pread(fd
, xph_addr
, xph_sizeof
, off
) < (ssize_t
)xph_sizeof
) {
332 if (fsize
!= SIZE_UNKNOWN
&& xph_offset
> fsize
) {
333 /* Perhaps warn here */
337 if (xph_type
!= PT_NOTE
)
341 * This is a PT_NOTE section; loop through all the notes
344 len
= xph_filesz
< sizeof(nbuf
) ? xph_filesz
: sizeof(nbuf
);
345 if ((bufsize
= pread(fd
, nbuf
, len
, xph_offset
)) == -1) {
351 if (offset
>= (size_t)bufsize
)
353 offset
= donote(ms
, nbuf
, offset
, (size_t)bufsize
,
354 clazz
, swap
, 4, flags
, notecount
);
365 do_note_netbsd_version(struct magic_set
*ms
, int swap
, void *v
)
368 (void)memcpy(&desc
, v
, sizeof(desc
));
369 desc
= elf_getu32(swap
, desc
);
371 if (file_printf(ms
, ", for NetBSD") == -1)
374 * The version number used to be stuck as 199905, and was thus
375 * basically content-free. Newer versions of NetBSD have fixed
376 * this and now use the encoding of __NetBSD_Version__:
382 * r = release ["",A-Z,Z[A-Z] but numeric]
385 if (desc
> 100000000U) {
386 uint32_t ver_patch
= (desc
/ 100) % 100;
387 uint32_t ver_rel
= (desc
/ 10000) % 100;
388 uint32_t ver_min
= (desc
/ 1000000) % 100;
389 uint32_t ver_maj
= desc
/ 100000000;
391 if (file_printf(ms
, " %u.%u", ver_maj
, ver_min
) == -1)
393 if (ver_rel
== 0 && ver_patch
!= 0) {
394 if (file_printf(ms
, ".%u", ver_patch
) == -1)
396 } else if (ver_rel
!= 0) {
397 while (ver_rel
> 26) {
398 if (file_printf(ms
, "Z") == -1)
402 if (file_printf(ms
, "%c", 'A' + ver_rel
- 1)
410 do_note_freebsd_version(struct magic_set
*ms
, int swap
, void *v
)
414 (void)memcpy(&desc
, v
, sizeof(desc
));
415 desc
= elf_getu32(swap
, desc
);
416 if (file_printf(ms
, ", for FreeBSD") == -1)
420 * Contents is __FreeBSD_version, whose relation to OS
421 * versions is defined by a huge table in the Porter's
422 * Handbook. This is the general scheme:
425 * Mmp000 (before 4.10)
426 * Mmi0p0 (before 5.0)
429 * Development branches:
430 * Mmpxxx (before 4.6)
431 * Mmp1xx (before 4.10)
432 * Mmi1xx (before 5.0)
438 * i = minor version increment (491000 -> 4.10)
442 * The first release of FreeBSD to use ELF by default
445 if (desc
== 460002) {
446 if (file_printf(ms
, " 4.6.2") == -1)
448 } else if (desc
< 460100) {
449 if (file_printf(ms
, " %d.%d", desc
/ 100000,
450 desc
/ 10000 % 10) == -1)
452 if (desc
/ 1000 % 10 > 0)
453 if (file_printf(ms
, ".%d", desc
/ 1000 % 10) == -1)
455 if ((desc
% 1000 > 0) || (desc
% 100000 == 0))
456 if (file_printf(ms
, " (%d)", desc
) == -1)
458 } else if (desc
< 500000) {
459 if (file_printf(ms
, " %d.%d", desc
/ 100000,
460 desc
/ 10000 % 10 + desc
/ 1000 % 10) == -1)
462 if (desc
/ 100 % 10 > 0) {
463 if (file_printf(ms
, " (%d)", desc
) == -1)
465 } else if (desc
/ 10 % 10 > 0) {
466 if (file_printf(ms
, ".%d", desc
/ 10 % 10) == -1)
470 if (file_printf(ms
, " %d.%d", desc
/ 100000,
471 desc
/ 1000 % 100) == -1)
473 if ((desc
/ 100 % 10 > 0) ||
474 (desc
% 100000 / 100 == 0)) {
475 if (file_printf(ms
, " (%d)", desc
) == -1)
477 } else if (desc
/ 10 % 10 > 0) {
478 if (file_printf(ms
, ".%d", desc
/ 10 % 10) == -1)
485 do_bid_note(struct magic_set
*ms
, unsigned char *nbuf
, uint32_t type
,
486 int swap
__attribute__((__unused__
)), uint32_t namesz
, uint32_t descsz
,
487 size_t noff
, size_t doff
, int *flags
)
489 if (namesz
== 4 && strcmp((char *)&nbuf
[noff
], "GNU") == 0 &&
490 type
== NT_GNU_BUILD_ID
&& (descsz
== 16 || descsz
== 20)) {
493 *flags
|= FLAGS_DID_BUILD_ID
;
494 if (file_printf(ms
, ", BuildID[%s]=", descsz
== 16 ? "md5/uuid" :
497 (void)memcpy(desc
, &nbuf
[doff
], descsz
);
498 for (i
= 0; i
< descsz
; i
++)
499 if (file_printf(ms
, "%02x", desc
[i
]) == -1)
507 do_os_note(struct magic_set
*ms
, unsigned char *nbuf
, uint32_t type
,
508 int swap
, uint32_t namesz
, uint32_t descsz
,
509 size_t noff
, size_t doff
, int *flags
)
511 if (namesz
== 5 && strcmp((char *)&nbuf
[noff
], "SuSE") == 0 &&
512 type
== NT_GNU_VERSION
&& descsz
== 2) {
513 *flags
|= FLAGS_DID_OS_NOTE
;
514 file_printf(ms
, ", for SuSE %d.%d", nbuf
[doff
], nbuf
[doff
+ 1]);
518 if (namesz
== 4 && strcmp((char *)&nbuf
[noff
], "GNU") == 0 &&
519 type
== NT_GNU_VERSION
&& descsz
== 16) {
521 (void)memcpy(desc
, &nbuf
[doff
], sizeof(desc
));
523 *flags
|= FLAGS_DID_OS_NOTE
;
524 if (file_printf(ms
, ", for GNU/") == -1)
526 switch (elf_getu32(swap
, desc
[0])) {
528 if (file_printf(ms
, "Linux") == -1)
532 if (file_printf(ms
, "Hurd") == -1)
536 if (file_printf(ms
, "Solaris") == -1)
539 case GNU_OS_KFREEBSD
:
540 if (file_printf(ms
, "kFreeBSD") == -1)
544 if (file_printf(ms
, "kNetBSD") == -1)
548 if (file_printf(ms
, "<unknown>") == -1)
551 if (file_printf(ms
, " %d.%d.%d", elf_getu32(swap
, desc
[1]),
552 elf_getu32(swap
, desc
[2]), elf_getu32(swap
, desc
[3])) == -1)
557 if (namesz
== 7 && strcmp((char *)&nbuf
[noff
], "NetBSD") == 0) {
558 if (type
== NT_NETBSD_VERSION
&& descsz
== 4) {
559 *flags
|= FLAGS_DID_OS_NOTE
;
560 do_note_netbsd_version(ms
, swap
, &nbuf
[doff
]);
565 if (namesz
== 8 && strcmp((char *)&nbuf
[noff
], "FreeBSD") == 0) {
566 if (type
== NT_FREEBSD_VERSION
&& descsz
== 4) {
567 *flags
|= FLAGS_DID_OS_NOTE
;
568 do_note_freebsd_version(ms
, swap
, &nbuf
[doff
]);
573 if (namesz
== 8 && strcmp((char *)&nbuf
[noff
], "OpenBSD") == 0 &&
574 type
== NT_OPENBSD_VERSION
&& descsz
== 4) {
575 *flags
|= FLAGS_DID_OS_NOTE
;
576 if (file_printf(ms
, ", for OpenBSD") == -1)
578 /* Content of note is always 0 */
582 if (namesz
== 10 && strcmp((char *)&nbuf
[noff
], "DragonFly") == 0 &&
583 type
== NT_DRAGONFLY_VERSION
&& descsz
== 4) {
585 *flags
|= FLAGS_DID_OS_NOTE
;
586 if (file_printf(ms
, ", for DragonFly") == -1)
588 (void)memcpy(&desc
, &nbuf
[doff
], sizeof(desc
));
589 desc
= elf_getu32(swap
, desc
);
590 if (file_printf(ms
, " %d.%d.%d", desc
/ 100000,
591 desc
/ 10000 % 10, desc
% 10000) == -1)
599 do_pax_note(struct magic_set
*ms
, unsigned char *nbuf
, uint32_t type
,
600 int swap
, uint32_t namesz
, uint32_t descsz
,
601 size_t noff
, size_t doff
, int *flags
)
603 if (namesz
== 4 && strcmp((char *)&nbuf
[noff
], "PaX") == 0 &&
604 type
== NT_NETBSD_PAX
&& descsz
== 4) {
605 static const char *pax
[] = {
617 *flags
|= FLAGS_DID_NETBSD_PAX
;
618 (void)memcpy(&desc
, &nbuf
[doff
], sizeof(desc
));
619 desc
= elf_getu32(swap
, desc
);
621 if (desc
&& file_printf(ms
, ", PaX: ") == -1)
624 for (i
= 0; i
< __arraycount(pax
); i
++) {
625 if (((1 << i
) & desc
) == 0)
627 if (file_printf(ms
, "%s%s", did
++ ? "," : "",
637 do_core_note(struct magic_set
*ms
, unsigned char *nbuf
, uint32_t type
,
638 int swap
, uint32_t namesz
, uint32_t descsz
,
639 size_t noff
, size_t doff
, int *flags
, size_t size
, int clazz
)
644 * Sigh. The 2.0.36 kernel in Debian 2.1, at
645 * least, doesn't correctly implement name
646 * sections, in core dumps, as specified by
647 * the "Program Linking" section of "UNIX(R) System
648 * V Release 4 Programmer's Guide: ANSI C and
649 * Programming Support Tools", because my copy
650 * clearly says "The first 'namesz' bytes in 'name'
651 * contain a *null-terminated* [emphasis mine]
652 * character representation of the entry's owner
653 * or originator", but the 2.0.36 kernel code
654 * doesn't include the terminating null in the
657 if ((namesz
== 4 && strncmp((char *)&nbuf
[noff
], "CORE", 4) == 0) ||
658 (namesz
== 5 && strcmp((char *)&nbuf
[noff
], "CORE") == 0)) {
659 os_style
= OS_STYLE_SVR4
;
662 if ((namesz
== 8 && strcmp((char *)&nbuf
[noff
], "FreeBSD") == 0)) {
663 os_style
= OS_STYLE_FREEBSD
;
666 if ((namesz
>= 11 && strncmp((char *)&nbuf
[noff
], "NetBSD-CORE", 11)
668 os_style
= OS_STYLE_NETBSD
;
671 if (os_style
!= -1 && (*flags
& FLAGS_DID_CORE_STYLE
) == 0) {
672 if (file_printf(ms
, ", %s-style", os_style_names
[os_style
])
675 *flags
|= FLAGS_DID_CORE_STYLE
;
679 case OS_STYLE_NETBSD
:
680 if (type
== NT_NETBSD_CORE_PROCINFO
) {
684 * Extract the program name. It is at
685 * offset 0x7c, and is up to 32-bytes,
686 * including the terminating NUL.
688 if (file_printf(ms
, ", from '%.31s'",
689 file_printable(sbuf
, sizeof(sbuf
),
690 (const char *)&nbuf
[doff
+ 0x7c])) == -1)
694 * Extract the signal number. It is at
697 (void)memcpy(&signo
, &nbuf
[doff
+ 0x08],
699 if (file_printf(ms
, " (signal %u)",
700 elf_getu32(swap
, signo
)) == -1)
702 *flags
|= FLAGS_DID_CORE
;
708 if (type
== NT_PRPSINFO
&& *flags
& FLAGS_IS_CORE
) {
712 * Extract the program name. We assume
713 * it to be 16 characters (that's what it
714 * is in SunOS 5.x and Linux).
716 * Unfortunately, it's at a different offset
717 * in various OSes, so try multiple offsets.
718 * If the characters aren't all printable,
721 for (i
= 0; i
< NOFFSETS
; i
++) {
722 unsigned char *cname
, *cp
;
723 size_t reloffset
= prpsoffsets(i
);
724 size_t noffset
= doff
+ reloffset
;
726 for (j
= 0; j
< 16; j
++, noffset
++,
729 * Make sure we're not past
730 * the end of the buffer; if
731 * we are, just give up.
737 * Make sure we're not past
738 * the end of the contents;
739 * if we are, this obviously
740 * isn't the right offset.
742 if (reloffset
>= descsz
)
764 if (!isprint(c
) || isquote(c
))
773 * Try next offsets, in case this match is
774 * in the middle of a string.
776 for (k
= i
+ 1 ; k
< NOFFSETS
; k
++) {
779 if (prpsoffsets(k
) >= prpsoffsets(i
))
781 for (no
= doff
+ prpsoffsets(k
);
782 no
< doff
+ prpsoffsets(i
); no
++)
784 && isprint(nbuf
[no
]);
789 cname
= (unsigned char *)
790 &nbuf
[doff
+ prpsoffsets(i
)];
791 for (cp
= cname
; *cp
&& isprint(*cp
); cp
++)
794 * Linux apparently appends a space at the end
795 * of the command line: remove it.
797 while (cp
> cname
&& isspace(cp
[-1]))
799 if (file_printf(ms
, ", from '%.*s'",
800 (int)(cp
- cname
), cname
) == -1)
802 *flags
|= FLAGS_DID_CORE
;
816 donote(struct magic_set
*ms
, void *vbuf
, size_t offset
, size_t size
,
817 int clazz
, int swap
, size_t align
, int *flags
, uint16_t *notecount
)
822 uint32_t namesz
, descsz
;
823 unsigned char *nbuf
= CAST(unsigned char *, vbuf
);
829 if (xnh_sizeof
+ offset
> size
) {
831 * We're out of note headers.
833 return xnh_sizeof
+ offset
;
836 (void)memcpy(xnh_addr
, &nbuf
[offset
], xnh_sizeof
);
837 offset
+= xnh_sizeof
;
841 if ((namesz
== 0) && (descsz
== 0)) {
843 * We're out of note headers.
845 return (offset
>= size
) ? offset
: size
;
848 if (namesz
& 0x80000000) {
849 (void)file_printf(ms
, ", bad note name size 0x%lx",
850 (unsigned long)namesz
);
854 if (descsz
& 0x80000000) {
855 (void)file_printf(ms
, ", bad note description size 0x%lx",
856 (unsigned long)descsz
);
861 doff
= ELF_ALIGN(offset
+ namesz
);
863 if (offset
+ namesz
> size
) {
865 * We're past the end of the buffer.
870 offset
= ELF_ALIGN(doff
+ descsz
);
871 if (doff
+ descsz
> size
) {
873 * We're past the end of the buffer.
875 return (offset
>= size
) ? offset
: size
;
878 if ((*flags
& FLAGS_DID_OS_NOTE
) == 0) {
879 if (do_os_note(ms
, nbuf
, xnh_type
, swap
,
880 namesz
, descsz
, noff
, doff
, flags
))
884 if ((*flags
& FLAGS_DID_BUILD_ID
) == 0) {
885 if (do_bid_note(ms
, nbuf
, xnh_type
, swap
,
886 namesz
, descsz
, noff
, doff
, flags
))
890 if ((*flags
& FLAGS_DID_NETBSD_PAX
) == 0) {
891 if (do_pax_note(ms
, nbuf
, xnh_type
, swap
,
892 namesz
, descsz
, noff
, doff
, flags
))
896 if ((*flags
& FLAGS_DID_CORE
) == 0) {
897 if (do_core_note(ms
, nbuf
, xnh_type
, swap
,
898 namesz
, descsz
, noff
, doff
, flags
, size
, clazz
))
902 if (namesz
== 7 && strcmp((char *)&nbuf
[noff
], "NetBSD") == 0) {
906 case NT_NETBSD_VERSION
:
908 case NT_NETBSD_MARCH
:
909 if (*flags
& FLAGS_DID_NETBSD_MARCH
)
911 *flags
|= FLAGS_DID_NETBSD_MARCH
;
912 if (file_printf(ms
, ", compiled for: %.*s",
913 (int)descsz
, (const char *)&nbuf
[doff
]) == -1)
916 case NT_NETBSD_CMODEL
:
917 if (*flags
& FLAGS_DID_NETBSD_CMODEL
)
919 *flags
|= FLAGS_DID_NETBSD_CMODEL
;
920 if (file_printf(ms
, ", compiler model: %.*s",
921 (int)descsz
, (const char *)&nbuf
[doff
]) == -1)
925 if (*flags
& FLAGS_DID_NETBSD_UNKNOWN
)
927 *flags
|= FLAGS_DID_NETBSD_UNKNOWN
;
928 if (file_printf(ms
, ", note=%u", xnh_type
) == -1)
938 /* SunOS 5.x hardware capability descriptions */
939 typedef struct cap_desc
{
944 static const cap_desc_t cap_desc_sparc
[] = {
945 { AV_SPARC_MUL32
, "MUL32" },
946 { AV_SPARC_DIV32
, "DIV32" },
947 { AV_SPARC_FSMULD
, "FSMULD" },
948 { AV_SPARC_V8PLUS
, "V8PLUS" },
949 { AV_SPARC_POPC
, "POPC" },
950 { AV_SPARC_VIS
, "VIS" },
951 { AV_SPARC_VIS2
, "VIS2" },
952 { AV_SPARC_ASI_BLK_INIT
, "ASI_BLK_INIT" },
953 { AV_SPARC_FMAF
, "FMAF" },
954 { AV_SPARC_FJFMAU
, "FJFMAU" },
955 { AV_SPARC_IMA
, "IMA" },
959 static const cap_desc_t cap_desc_386
[] = {
960 { AV_386_FPU
, "FPU" },
961 { AV_386_TSC
, "TSC" },
962 { AV_386_CX8
, "CX8" },
963 { AV_386_SEP
, "SEP" },
964 { AV_386_AMD_SYSC
, "AMD_SYSC" },
965 { AV_386_CMOV
, "CMOV" },
966 { AV_386_MMX
, "MMX" },
967 { AV_386_AMD_MMX
, "AMD_MMX" },
968 { AV_386_AMD_3DNow
, "AMD_3DNow" },
969 { AV_386_AMD_3DNowx
, "AMD_3DNowx" },
970 { AV_386_FXSR
, "FXSR" },
971 { AV_386_SSE
, "SSE" },
972 { AV_386_SSE2
, "SSE2" },
973 { AV_386_PAUSE
, "PAUSE" },
974 { AV_386_SSE3
, "SSE3" },
975 { AV_386_MON
, "MON" },
976 { AV_386_CX16
, "CX16" },
977 { AV_386_AHF
, "AHF" },
978 { AV_386_TSCP
, "TSCP" },
979 { AV_386_AMD_SSE4A
, "AMD_SSE4A" },
980 { AV_386_POPCNT
, "POPCNT" },
981 { AV_386_AMD_LZCNT
, "AMD_LZCNT" },
982 { AV_386_SSSE3
, "SSSE3" },
983 { AV_386_SSE4_1
, "SSE4.1" },
984 { AV_386_SSE4_2
, "SSE4.2" },
989 doshn(struct magic_set
*ms
, int clazz
, int swap
, int fd
, off_t off
, int num
,
990 size_t size
, off_t fsize
, int mach
, int strtab
, int *flags
,
998 off_t noff
, coff
, name_off
;
999 uint64_t cap_hw1
= 0; /* SunOS 5.x hardware capabilites */
1000 uint64_t cap_sf1
= 0; /* SunOS 5.x software capabilites */
1004 if (size
!= xsh_sizeof
) {
1005 if (file_printf(ms
, ", corrupted section header size") == -1)
1010 /* Read offset of name section to be able to read section names later */
1011 if (pread(fd
, xsh_addr
, xsh_sizeof
, off
+ size
* strtab
) < (ssize_t
)xsh_sizeof
) {
1015 name_off
= xsh_offset
;
1017 for ( ; num
; num
--) {
1018 /* Read the name of this section. */
1019 if ((namesize
= pread(fd
, name
, sizeof(name
) - 1, name_off
+ xsh_name
)) == -1) {
1023 name
[namesize
] = '\0';
1024 if (strcmp(name
, ".debug_info") == 0)
1027 if (pread(fd
, xsh_addr
, xsh_sizeof
, off
) < (ssize_t
)xsh_sizeof
) {
1033 /* Things we can determine before we seek */
1042 if (fsize
!= SIZE_UNKNOWN
&& xsh_offset
> fsize
) {
1043 /* Perhaps warn here */
1049 /* Things we can determine when we seek */
1052 if ((nbuf
= malloc(xsh_size
)) == NULL
) {
1053 file_error(ms
, errno
, "Cannot allocate memory"
1057 if (pread(fd
, nbuf
, xsh_size
, xsh_offset
) < (ssize_t
)xsh_size
) {
1065 if (noff
>= (off_t
)xsh_size
)
1067 noff
= donote(ms
, nbuf
, (size_t)noff
,
1068 xsh_size
, clazz
, swap
, 4, flags
, notecount
);
1088 if (lseek(fd
, xsh_offset
, SEEK_SET
) == (off_t
)-1) {
1096 char cbuf
[/*CONSTCOND*/
1097 MAX(sizeof cap32
, sizeof cap64
)];
1098 if ((coff
+= xcap_sizeof
) > (off_t
)xsh_size
)
1100 if (read(fd
, cbuf
, (size_t)xcap_sizeof
) !=
1101 (ssize_t
)xcap_sizeof
) {
1105 if (cbuf
[0] == 'A') {
1109 memcpy(&len
, p
, sizeof(len
));
1111 len
= getu32(swap
, len
);
1112 if (memcmp("gnu", p
, 3) != 0) {
1114 ", unknown capability %.3s", p
)
1121 memcpy(&len
, p
, sizeof(len
));
1123 len
= getu32(swap
, len
);
1125 if (file_printf(ms
, ", unknown gnu"
1126 " capability tag %d", tag
)
1135 (void)memcpy(xcap_addr
, cbuf
, xcap_sizeof
);
1140 cap_hw1
|= xcap_val
;
1143 cap_sf1
|= xcap_val
;
1147 ", with unknown capability "
1148 "0x%" INT64_T_FORMAT
"x = 0x%"
1150 (unsigned long long)xcap_tag
,
1151 (unsigned long long)xcap_val
) == -1)
1165 if (file_printf(ms
, ", %sstripped", stripped
? "" : "not ") == -1)
1168 const cap_desc_t
*cdp
;
1171 case EM_SPARC32PLUS
:
1173 cdp
= cap_desc_sparc
;
1184 if (file_printf(ms
, ", uses") == -1)
1187 while (cdp
->cd_name
) {
1188 if (cap_hw1
& cdp
->cd_mask
) {
1190 " %s", cdp
->cd_name
) == -1)
1192 cap_hw1
&= ~cdp
->cd_mask
;
1198 " unknown hardware capability 0x%"
1200 (unsigned long long)cap_hw1
) == -1)
1204 " hardware capability 0x%" INT64_T_FORMAT
"x",
1205 (unsigned long long)cap_hw1
) == -1)
1210 if (cap_sf1
& SF1_SUNW_FPUSED
) {
1212 (cap_sf1
& SF1_SUNW_FPKNWN
)
1213 ? ", uses frame pointer"
1214 : ", not known to use frame pointer") == -1)
1217 cap_sf1
&= ~SF1_SUNW_MASK
;
1220 ", with unknown software capability 0x%"
1222 (unsigned long long)cap_sf1
) == -1)
1229 * Look through the program headers of an executable image, searching
1230 * for a PT_INTERP section; if one is found, it's dynamically linked,
1231 * otherwise it's statically linked.
1234 dophn_exec(struct magic_set
*ms
, int clazz
, int swap
, int fd
, off_t off
,
1235 int num
, size_t size
, off_t fsize
, int sh_num
, int *flags
,
1236 uint16_t *notecount
)
1240 const char *linking_style
= "statically";
1241 const char *interp
= "";
1242 unsigned char nbuf
[BUFSIZ
];
1245 size_t offset
, align
, len
;
1247 if (size
!= xph_sizeof
) {
1248 if (file_printf(ms
, ", corrupted program header size") == -1)
1253 for ( ; num
; num
--) {
1254 if (pread(fd
, xph_addr
, xph_sizeof
, off
) < (ssize_t
)xph_sizeof
) {
1263 /* Things we can determine before we seek */
1266 linking_style
= "dynamically";
1269 if (sh_num
) /* Did this through section headers */
1271 if (((align
= xph_align
) & 0x80000000UL
) != 0 ||
1274 ", invalid note alignment 0x%lx",
1275 (unsigned long)align
) == -1)
1281 len
= xph_filesz
< sizeof(nbuf
) ? xph_filesz
1283 bufsize
= pread(fd
, nbuf
, len
, xph_offset
);
1284 if (bufsize
== -1) {
1290 if (fsize
!= SIZE_UNKNOWN
&& xph_offset
> fsize
) {
1291 /* Maybe warn here? */
1297 /* Things we can determine when we seek */
1300 if (bufsize
&& nbuf
[0]) {
1301 nbuf
[bufsize
- 1] = '\0';
1302 interp
= (const char *)nbuf
;
1308 * This is a PT_NOTE section; loop through all the notes
1313 if (offset
>= (size_t)bufsize
)
1315 offset
= donote(ms
, nbuf
, offset
,
1316 (size_t)bufsize
, clazz
, swap
, align
,
1326 if (file_printf(ms
, ", %s linked", linking_style
)
1330 if (file_printf(ms
, ", interpreter %s",
1331 file_printable(ibuf
, sizeof(ibuf
), interp
)) == -1)
1338 file_tryelf(struct magic_set
*ms
, int fd
, const unsigned char *buf
,
1343 char c
[sizeof (int32_t)];
1350 Elf32_Ehdr elf32hdr
;
1351 Elf64_Ehdr elf64hdr
;
1352 uint16_t type
, phnum
, shnum
, notecount
;
1354 if (ms
->flags
& (MAGIC_MIME
|MAGIC_APPLE
))
1357 * ELF executables have multiple section headers in arbitrary
1358 * file locations and thus file(1) cannot determine it from easily.
1359 * Instead we traverse thru all section headers until a symbol table
1360 * one is found or else the binary is stripped.
1361 * Return immediately if it's not ELF (so we avoid pipe2file unless needed).
1363 if (buf
[EI_MAG0
] != ELFMAG0
1364 || (buf
[EI_MAG1
] != ELFMAG1
&& buf
[EI_MAG1
] != OLFMAG1
)
1365 || buf
[EI_MAG2
] != ELFMAG2
|| buf
[EI_MAG3
] != ELFMAG3
)
1369 * If we cannot seek, it must be a pipe, socket or fifo.
1371 if((lseek(fd
, (off_t
)0, SEEK_SET
) == (off_t
)-1) && (errno
== ESPIPE
))
1372 fd
= file_pipe2file(ms
, fd
, buf
, nbytes
);
1374 if (fstat(fd
, &st
) == -1) {
1378 if (S_ISREG(st
.st_mode
) || st
.st_size
!= 0)
1381 fsize
= SIZE_UNKNOWN
;
1383 clazz
= buf
[EI_CLASS
];
1388 #define elf_getu(a, b) elf_getu32(a, b)
1390 #define elfhdr elf32hdr
1391 #include "elfclass.h"
1394 #define elf_getu(a, b) elf_getu64(a, b)
1396 #define elfhdr elf64hdr
1397 #include "elfclass.h"
1399 if (file_printf(ms
, ", unknown class %d", clazz
) == -1)