2 * Copyright (c) Christos Zoulas 2003.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice immediately at the beginning of the file, without modification,
10 * this list of conditions, and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR
19 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 FILE_RCSID("@(#)$File: readelf.c,v 1.127 2015/11/18 12:29:29 christos Exp $")
45 private int dophn_core(struct magic_set
*, int, int, int, off_t
, int, size_t,
46 off_t
, int *, uint16_t *);
48 private int dophn_exec(struct magic_set
*, int, int, int, off_t
, int, size_t,
49 off_t
, int, int *, uint16_t *);
50 private int doshn(struct magic_set
*, int, int, int, off_t
, int, size_t,
51 off_t
, int, int, int *, uint16_t *);
52 private size_t donote(struct magic_set
*, void *, size_t, size_t, int,
53 int, size_t, int *, uint16_t *, int, off_t
, int, off_t
);
55 #define ELF_ALIGN(a) ((((a) + align - 1) / align) * align)
57 #define isquote(c) (strchr("'\"`", (c)) != NULL)
59 private uint16_t getu16(int, uint16_t);
60 private uint32_t getu32(int, uint32_t);
61 private uint64_t getu64(int, uint64_t);
64 #define MAX_SHNUM 32768
65 #define SIZE_UNKNOWN ((off_t)-1)
68 toomany(struct magic_set
*ms
, const char *name
, uint16_t num
)
70 if (file_printf(ms
, ", too many %s (%u)", name
, num
77 getu16(int swap
, uint16_t value
)
87 retval
.c
[0] = tmpval
.c
[1];
88 retval
.c
[1] = tmpval
.c
[0];
96 getu32(int swap
, uint32_t value
)
106 retval
.c
[0] = tmpval
.c
[3];
107 retval
.c
[1] = tmpval
.c
[2];
108 retval
.c
[2] = tmpval
.c
[1];
109 retval
.c
[3] = tmpval
.c
[0];
117 getu64(int swap
, uint64_t value
)
127 retval
.c
[0] = tmpval
.c
[7];
128 retval
.c
[1] = tmpval
.c
[6];
129 retval
.c
[2] = tmpval
.c
[5];
130 retval
.c
[3] = tmpval
.c
[4];
131 retval
.c
[4] = tmpval
.c
[3];
132 retval
.c
[5] = tmpval
.c
[2];
133 retval
.c
[6] = tmpval
.c
[1];
134 retval
.c
[7] = tmpval
.c
[0];
141 #define elf_getu16(swap, value) getu16(swap, value)
142 #define elf_getu32(swap, value) getu32(swap, value)
143 #define elf_getu64(swap, value) getu64(swap, value)
145 #define xsh_addr (clazz == ELFCLASS32 \
148 #define xsh_sizeof (clazz == ELFCLASS32 \
151 #define xsh_size (size_t)(clazz == ELFCLASS32 \
152 ? elf_getu32(swap, sh32.sh_size) \
153 : elf_getu64(swap, sh64.sh_size))
154 #define xsh_offset (off_t)(clazz == ELFCLASS32 \
155 ? elf_getu32(swap, sh32.sh_offset) \
156 : elf_getu64(swap, sh64.sh_offset))
157 #define xsh_type (clazz == ELFCLASS32 \
158 ? elf_getu32(swap, sh32.sh_type) \
159 : elf_getu32(swap, sh64.sh_type))
160 #define xsh_name (clazz == ELFCLASS32 \
161 ? elf_getu32(swap, sh32.sh_name) \
162 : elf_getu32(swap, sh64.sh_name))
163 #define xph_addr (clazz == ELFCLASS32 \
166 #define xph_sizeof (clazz == ELFCLASS32 \
169 #define xph_type (clazz == ELFCLASS32 \
170 ? elf_getu32(swap, ph32.p_type) \
171 : elf_getu32(swap, ph64.p_type))
172 #define xph_offset (off_t)(clazz == ELFCLASS32 \
173 ? elf_getu32(swap, ph32.p_offset) \
174 : elf_getu64(swap, ph64.p_offset))
175 #define xph_align (size_t)((clazz == ELFCLASS32 \
176 ? (off_t) (ph32.p_align ? \
177 elf_getu32(swap, ph32.p_align) : 4) \
178 : (off_t) (ph64.p_align ? \
179 elf_getu64(swap, ph64.p_align) : 4)))
180 #define xph_vaddr (size_t)((clazz == ELFCLASS32 \
181 ? (off_t) (ph32.p_vaddr ? \
182 elf_getu32(swap, ph32.p_vaddr) : 4) \
183 : (off_t) (ph64.p_vaddr ? \
184 elf_getu64(swap, ph64.p_vaddr) : 4)))
185 #define xph_filesz (size_t)((clazz == ELFCLASS32 \
186 ? elf_getu32(swap, ph32.p_filesz) \
187 : elf_getu64(swap, ph64.p_filesz)))
188 #define xnh_addr (clazz == ELFCLASS32 \
191 #define xph_memsz (size_t)((clazz == ELFCLASS32 \
192 ? elf_getu32(swap, ph32.p_memsz) \
193 : elf_getu64(swap, ph64.p_memsz)))
194 #define xnh_sizeof (clazz == ELFCLASS32 \
197 #define xnh_type (clazz == ELFCLASS32 \
198 ? elf_getu32(swap, nh32.n_type) \
199 : elf_getu32(swap, nh64.n_type))
200 #define xnh_namesz (clazz == ELFCLASS32 \
201 ? elf_getu32(swap, nh32.n_namesz) \
202 : elf_getu32(swap, nh64.n_namesz))
203 #define xnh_descsz (clazz == ELFCLASS32 \
204 ? elf_getu32(swap, nh32.n_descsz) \
205 : elf_getu32(swap, nh64.n_descsz))
206 #define prpsoffsets(i) (clazz == ELFCLASS32 \
209 #define xcap_addr (clazz == ELFCLASS32 \
212 #define xcap_sizeof (clazz == ELFCLASS32 \
215 #define xcap_tag (clazz == ELFCLASS32 \
216 ? elf_getu32(swap, cap32.c_tag) \
217 : elf_getu64(swap, cap64.c_tag))
218 #define xcap_val (clazz == ELFCLASS32 \
219 ? elf_getu32(swap, cap32.c_un.c_val) \
220 : elf_getu64(swap, cap64.c_un.c_val))
221 #define xauxv_addr (clazz == ELFCLASS32 \
224 #define xauxv_sizeof (clazz == ELFCLASS32 \
227 #define xauxv_type (clazz == ELFCLASS32 \
228 ? elf_getu32(swap, auxv32.a_type) \
229 : elf_getu64(swap, auxv64.a_type))
230 #define xauxv_val (clazz == ELFCLASS32 \
231 ? elf_getu32(swap, auxv32.a_v) \
232 : elf_getu64(swap, auxv64.a_v))
236 * Try larger offsets first to avoid false matches
237 * from earlier data that happen to look like strings.
239 static const size_t prpsoffsets32
[] = {
241 104, /* SunOS 5.x (command line) */
242 88, /* SunOS 5.x (short name) */
243 #endif /* USE_NT_PSINFO */
245 100, /* SunOS 5.x (command line) */
246 84, /* SunOS 5.x (short name) */
248 44, /* Linux (command line) */
249 28, /* Linux 2.0.36 (short name) */
254 static const size_t prpsoffsets64
[] = {
256 152, /* SunOS 5.x (command line) */
257 136, /* SunOS 5.x (short name) */
258 #endif /* USE_NT_PSINFO */
260 136, /* SunOS 5.x, 64-bit (command line) */
261 120, /* SunOS 5.x, 64-bit (short name) */
263 56, /* Linux (command line) */
264 40, /* Linux (tested on core from 2.4.x, short name) */
266 16, /* FreeBSD, 64-bit */
269 #define NOFFSETS32 (sizeof prpsoffsets32 / sizeof prpsoffsets32[0])
270 #define NOFFSETS64 (sizeof prpsoffsets64 / sizeof prpsoffsets64[0])
272 #define NOFFSETS (clazz == ELFCLASS32 ? NOFFSETS32 : NOFFSETS64)
275 * Look through the program headers of an executable image, searching
276 * for a PT_NOTE section of type NT_PRPSINFO, with a name "CORE" or
277 * "FreeBSD"; if one is found, try looking in various places in its
278 * contents for a 16-character string containing only printable
279 * characters - if found, that string should be the name of the program
280 * that dropped core. Note: right after that 16-character string is,
281 * at least in SunOS 5.x (and possibly other SVR4-flavored systems) and
282 * Linux, a longer string (80 characters, in 5.x, probably other
283 * SVR4-flavored systems, and Linux) containing the start of the
284 * command line for that program.
286 * SunOS 5.x core files contain two PT_NOTE sections, with the types
287 * NT_PRPSINFO (old) and NT_PSINFO (new). These structs contain the
288 * same info about the command name and command line, so it probably
289 * isn't worthwhile to look for NT_PSINFO, but the offsets are provided
290 * above (see USE_NT_PSINFO), in case we ever decide to do so. The
291 * NT_PRPSINFO and NT_PSINFO sections are always in order and adjacent;
292 * the SunOS 5.x file command relies on this (and prefers the latter).
294 * The signal number probably appears in a section of type NT_PRSTATUS,
295 * but that's also rather OS-dependent, in ways that are harder to
296 * dissect with heuristics, so I'm not bothering with the signal number.
297 * (I suppose the signal number could be of interest in situations where
298 * you don't have the binary of the program that dropped core; if you
299 * *do* have that binary, the debugger will probably tell you what
303 #define OS_STYLE_SVR4 0
304 #define OS_STYLE_FREEBSD 1
305 #define OS_STYLE_NETBSD 2
307 private const char os_style_names
[][8] = {
313 #define FLAGS_DID_CORE 0x001
314 #define FLAGS_DID_OS_NOTE 0x002
315 #define FLAGS_DID_BUILD_ID 0x004
316 #define FLAGS_DID_CORE_STYLE 0x008
317 #define FLAGS_DID_NETBSD_PAX 0x010
318 #define FLAGS_DID_NETBSD_MARCH 0x020
319 #define FLAGS_DID_NETBSD_CMODEL 0x040
320 #define FLAGS_DID_NETBSD_UNKNOWN 0x080
321 #define FLAGS_IS_CORE 0x100
322 #define FLAGS_DID_AUXV 0x200
325 dophn_core(struct magic_set
*ms
, int clazz
, int swap
, int fd
, off_t off
,
326 int num
, size_t size
, off_t fsize
, int *flags
, uint16_t *notecount
)
331 unsigned char nbuf
[BUFSIZ
];
336 if (size
!= xph_sizeof
) {
337 if (file_printf(ms
, ", corrupted program header size") == -1)
343 * Loop through all the program headers.
345 for ( ; num
; num
--) {
346 if (pread(fd
, xph_addr
, xph_sizeof
, off
) < (ssize_t
)xph_sizeof
) {
352 if (fsize
!= SIZE_UNKNOWN
&& xph_offset
> fsize
) {
353 /* Perhaps warn here */
357 if (xph_type
!= PT_NOTE
)
361 * This is a PT_NOTE section; loop through all the notes
364 len
= xph_filesz
< sizeof(nbuf
) ? xph_filesz
: sizeof(nbuf
);
365 if ((bufsize
= pread(fd
, nbuf
, len
, xph_offset
)) == -1) {
371 if (offset
>= (size_t)bufsize
)
373 offset
= donote(ms
, nbuf
, offset
, (size_t)bufsize
,
374 clazz
, swap
, 4, flags
, notecount
, fd
, ph_off
,
386 do_note_netbsd_version(struct magic_set
*ms
, int swap
, void *v
)
389 (void)memcpy(&desc
, v
, sizeof(desc
));
390 desc
= elf_getu32(swap
, desc
);
392 if (file_printf(ms
, ", for NetBSD") == -1)
395 * The version number used to be stuck as 199905, and was thus
396 * basically content-free. Newer versions of NetBSD have fixed
397 * this and now use the encoding of __NetBSD_Version__:
403 * r = release ["",A-Z,Z[A-Z] but numeric]
406 if (desc
> 100000000U) {
407 uint32_t ver_patch
= (desc
/ 100) % 100;
408 uint32_t ver_rel
= (desc
/ 10000) % 100;
409 uint32_t ver_min
= (desc
/ 1000000) % 100;
410 uint32_t ver_maj
= desc
/ 100000000;
412 if (file_printf(ms
, " %u.%u", ver_maj
, ver_min
) == -1)
414 if (ver_rel
== 0 && ver_patch
!= 0) {
415 if (file_printf(ms
, ".%u", ver_patch
) == -1)
417 } else if (ver_rel
!= 0) {
418 while (ver_rel
> 26) {
419 if (file_printf(ms
, "Z") == -1)
423 if (file_printf(ms
, "%c", 'A' + ver_rel
- 1)
431 do_note_freebsd_version(struct magic_set
*ms
, int swap
, void *v
)
435 (void)memcpy(&desc
, v
, sizeof(desc
));
436 desc
= elf_getu32(swap
, desc
);
437 if (file_printf(ms
, ", for FreeBSD") == -1)
441 * Contents is __FreeBSD_version, whose relation to OS
442 * versions is defined by a huge table in the Porter's
443 * Handbook. This is the general scheme:
446 * Mmp000 (before 4.10)
447 * Mmi0p0 (before 5.0)
450 * Development branches:
451 * Mmpxxx (before 4.6)
452 * Mmp1xx (before 4.10)
453 * Mmi1xx (before 5.0)
459 * i = minor version increment (491000 -> 4.10)
463 * The first release of FreeBSD to use ELF by default
466 if (desc
== 460002) {
467 if (file_printf(ms
, " 4.6.2") == -1)
469 } else if (desc
< 460100) {
470 if (file_printf(ms
, " %d.%d", desc
/ 100000,
471 desc
/ 10000 % 10) == -1)
473 if (desc
/ 1000 % 10 > 0)
474 if (file_printf(ms
, ".%d", desc
/ 1000 % 10) == -1)
476 if ((desc
% 1000 > 0) || (desc
% 100000 == 0))
477 if (file_printf(ms
, " (%d)", desc
) == -1)
479 } else if (desc
< 500000) {
480 if (file_printf(ms
, " %d.%d", desc
/ 100000,
481 desc
/ 10000 % 10 + desc
/ 1000 % 10) == -1)
483 if (desc
/ 100 % 10 > 0) {
484 if (file_printf(ms
, " (%d)", desc
) == -1)
486 } else if (desc
/ 10 % 10 > 0) {
487 if (file_printf(ms
, ".%d", desc
/ 10 % 10) == -1)
491 if (file_printf(ms
, " %d.%d", desc
/ 100000,
492 desc
/ 1000 % 100) == -1)
494 if ((desc
/ 100 % 10 > 0) ||
495 (desc
% 100000 / 100 == 0)) {
496 if (file_printf(ms
, " (%d)", desc
) == -1)
498 } else if (desc
/ 10 % 10 > 0) {
499 if (file_printf(ms
, ".%d", desc
/ 10 % 10) == -1)
507 do_bid_note(struct magic_set
*ms
, unsigned char *nbuf
, uint32_t type
,
508 int swap
__attribute__((__unused__
)), uint32_t namesz
, uint32_t descsz
,
509 size_t noff
, size_t doff
, int *flags
)
511 if (namesz
== 4 && strcmp((char *)&nbuf
[noff
], "GNU") == 0 &&
512 type
== NT_GNU_BUILD_ID
&& (descsz
== 16 || descsz
== 20)) {
515 *flags
|= FLAGS_DID_BUILD_ID
;
516 if (file_printf(ms
, ", BuildID[%s]=", descsz
== 16 ? "md5/uuid" :
519 (void)memcpy(desc
, &nbuf
[doff
], descsz
);
520 for (i
= 0; i
< descsz
; i
++)
521 if (file_printf(ms
, "%02x", desc
[i
]) == -1)
529 do_os_note(struct magic_set
*ms
, unsigned char *nbuf
, uint32_t type
,
530 int swap
, uint32_t namesz
, uint32_t descsz
,
531 size_t noff
, size_t doff
, int *flags
)
533 if (namesz
== 5 && strcmp((char *)&nbuf
[noff
], "SuSE") == 0 &&
534 type
== NT_GNU_VERSION
&& descsz
== 2) {
535 *flags
|= FLAGS_DID_OS_NOTE
;
536 file_printf(ms
, ", for SuSE %d.%d", nbuf
[doff
], nbuf
[doff
+ 1]);
540 if (namesz
== 4 && strcmp((char *)&nbuf
[noff
], "GNU") == 0 &&
541 type
== NT_GNU_VERSION
&& descsz
== 16) {
543 (void)memcpy(desc
, &nbuf
[doff
], sizeof(desc
));
545 *flags
|= FLAGS_DID_OS_NOTE
;
546 if (file_printf(ms
, ", for GNU/") == -1)
548 switch (elf_getu32(swap
, desc
[0])) {
550 if (file_printf(ms
, "Linux") == -1)
554 if (file_printf(ms
, "Hurd") == -1)
558 if (file_printf(ms
, "Solaris") == -1)
561 case GNU_OS_KFREEBSD
:
562 if (file_printf(ms
, "kFreeBSD") == -1)
566 if (file_printf(ms
, "kNetBSD") == -1)
570 if (file_printf(ms
, "<unknown>") == -1)
573 if (file_printf(ms
, " %d.%d.%d", elf_getu32(swap
, desc
[1]),
574 elf_getu32(swap
, desc
[2]), elf_getu32(swap
, desc
[3])) == -1)
579 if (namesz
== 7 && strcmp((char *)&nbuf
[noff
], "NetBSD") == 0) {
580 if (type
== NT_NETBSD_VERSION
&& descsz
== 4) {
581 *flags
|= FLAGS_DID_OS_NOTE
;
582 do_note_netbsd_version(ms
, swap
, &nbuf
[doff
]);
587 if (namesz
== 8 && strcmp((char *)&nbuf
[noff
], "FreeBSD") == 0) {
588 if (type
== NT_FREEBSD_VERSION
&& descsz
== 4) {
589 *flags
|= FLAGS_DID_OS_NOTE
;
590 do_note_freebsd_version(ms
, swap
, &nbuf
[doff
]);
595 if (namesz
== 8 && strcmp((char *)&nbuf
[noff
], "OpenBSD") == 0 &&
596 type
== NT_OPENBSD_VERSION
&& descsz
== 4) {
597 *flags
|= FLAGS_DID_OS_NOTE
;
598 if (file_printf(ms
, ", for OpenBSD") == -1)
600 /* Content of note is always 0 */
604 if (namesz
== 10 && strcmp((char *)&nbuf
[noff
], "DragonFly") == 0 &&
605 type
== NT_DRAGONFLY_VERSION
&& descsz
== 4) {
607 *flags
|= FLAGS_DID_OS_NOTE
;
608 if (file_printf(ms
, ", for DragonFly") == -1)
610 (void)memcpy(&desc
, &nbuf
[doff
], sizeof(desc
));
611 desc
= elf_getu32(swap
, desc
);
612 if (file_printf(ms
, " %d.%d.%d", desc
/ 100000,
613 desc
/ 10000 % 10, desc
% 10000) == -1)
621 do_pax_note(struct magic_set
*ms
, unsigned char *nbuf
, uint32_t type
,
622 int swap
, uint32_t namesz
, uint32_t descsz
,
623 size_t noff
, size_t doff
, int *flags
)
625 if (namesz
== 4 && strcmp((char *)&nbuf
[noff
], "PaX") == 0 &&
626 type
== NT_NETBSD_PAX
&& descsz
== 4) {
627 static const char *pax
[] = {
639 *flags
|= FLAGS_DID_NETBSD_PAX
;
640 (void)memcpy(&desc
, &nbuf
[doff
], sizeof(desc
));
641 desc
= elf_getu32(swap
, desc
);
643 if (desc
&& file_printf(ms
, ", PaX: ") == -1)
646 for (i
= 0; i
< __arraycount(pax
); i
++) {
647 if (((1 << (int)i
) & desc
) == 0)
649 if (file_printf(ms
, "%s%s", did
++ ? "," : "",
659 do_core_note(struct magic_set
*ms
, unsigned char *nbuf
, uint32_t type
,
660 int swap
, uint32_t namesz
, uint32_t descsz
,
661 size_t noff
, size_t doff
, int *flags
, size_t size
, int clazz
)
666 * Sigh. The 2.0.36 kernel in Debian 2.1, at
667 * least, doesn't correctly implement name
668 * sections, in core dumps, as specified by
669 * the "Program Linking" section of "UNIX(R) System
670 * V Release 4 Programmer's Guide: ANSI C and
671 * Programming Support Tools", because my copy
672 * clearly says "The first 'namesz' bytes in 'name'
673 * contain a *null-terminated* [emphasis mine]
674 * character representation of the entry's owner
675 * or originator", but the 2.0.36 kernel code
676 * doesn't include the terminating null in the
679 if ((namesz
== 4 && strncmp((char *)&nbuf
[noff
], "CORE", 4) == 0) ||
680 (namesz
== 5 && strcmp((char *)&nbuf
[noff
], "CORE") == 0)) {
681 os_style
= OS_STYLE_SVR4
;
684 if ((namesz
== 8 && strcmp((char *)&nbuf
[noff
], "FreeBSD") == 0)) {
685 os_style
= OS_STYLE_FREEBSD
;
688 if ((namesz
>= 11 && strncmp((char *)&nbuf
[noff
], "NetBSD-CORE", 11)
690 os_style
= OS_STYLE_NETBSD
;
693 if (os_style
!= -1 && (*flags
& FLAGS_DID_CORE_STYLE
) == 0) {
694 if (file_printf(ms
, ", %s-style", os_style_names
[os_style
])
697 *flags
|= FLAGS_DID_CORE_STYLE
;
701 case OS_STYLE_NETBSD
:
702 if (type
== NT_NETBSD_CORE_PROCINFO
) {
706 * Extract the program name. It is at
707 * offset 0x7c, and is up to 32-bytes,
708 * including the terminating NUL.
710 if (file_printf(ms
, ", from '%.31s'",
711 file_printable(sbuf
, sizeof(sbuf
),
712 (const char *)&nbuf
[doff
+ 0x7c])) == -1)
716 * Extract the signal number. It is at
719 (void)memcpy(&signo
, &nbuf
[doff
+ 0x08],
721 if (file_printf(ms
, " (signal %u)",
722 elf_getu32(swap
, signo
)) == -1)
724 *flags
|= FLAGS_DID_CORE
;
730 if (type
== NT_PRPSINFO
&& *flags
& FLAGS_IS_CORE
) {
734 * Extract the program name. We assume
735 * it to be 16 characters (that's what it
736 * is in SunOS 5.x and Linux).
738 * Unfortunately, it's at a different offset
739 * in various OSes, so try multiple offsets.
740 * If the characters aren't all printable,
743 for (i
= 0; i
< NOFFSETS
; i
++) {
744 unsigned char *cname
, *cp
;
745 size_t reloffset
= prpsoffsets(i
);
746 size_t noffset
= doff
+ reloffset
;
748 for (j
= 0; j
< 16; j
++, noffset
++,
751 * Make sure we're not past
752 * the end of the buffer; if
753 * we are, just give up.
759 * Make sure we're not past
760 * the end of the contents;
761 * if we are, this obviously
762 * isn't the right offset.
764 if (reloffset
>= descsz
)
786 if (!isprint(c
) || isquote(c
))
795 * Try next offsets, in case this match is
796 * in the middle of a string.
798 for (k
= i
+ 1 ; k
< NOFFSETS
; k
++) {
801 if (prpsoffsets(k
) >= prpsoffsets(i
))
803 for (no
= doff
+ prpsoffsets(k
);
804 no
< doff
+ prpsoffsets(i
); no
++)
806 && isprint(nbuf
[no
]);
811 cname
= (unsigned char *)
812 &nbuf
[doff
+ prpsoffsets(i
)];
813 for (cp
= cname
; *cp
&& isprint(*cp
); cp
++)
816 * Linux apparently appends a space at the end
817 * of the command line: remove it.
819 while (cp
> cname
&& isspace(cp
[-1]))
821 if (file_printf(ms
, ", from '%.*s'",
822 (int)(cp
- cname
), cname
) == -1)
824 *flags
|= FLAGS_DID_CORE
;
838 get_offset_from_virtaddr(struct magic_set
*ms
, int swap
, int clazz
, int fd
,
839 off_t off
, int num
, off_t fsize
, uint64_t virtaddr
)
845 * Loop through all the program headers and find the header with
846 * virtual address in which the "virtaddr" belongs to.
848 for ( ; num
; num
--) {
849 if (pread(fd
, xph_addr
, xph_sizeof
, off
) < (ssize_t
)xph_sizeof
) {
855 if (fsize
!= SIZE_UNKNOWN
&& xph_offset
> fsize
) {
856 /* Perhaps warn here */
860 if (virtaddr
>= xph_vaddr
&& virtaddr
< xph_vaddr
+ xph_filesz
)
861 return xph_offset
+ (virtaddr
- xph_vaddr
);
867 get_string_on_virtaddr(struct magic_set
*ms
,
868 int swap
, int clazz
, int fd
, off_t ph_off
, int ph_num
,
869 off_t fsize
, uint64_t virtaddr
, char *buf
, ssize_t buflen
)
877 offset
= get_offset_from_virtaddr(ms
, swap
, clazz
, fd
, ph_off
, ph_num
,
879 if ((buflen
= pread(fd
, buf
, buflen
, offset
)) <= 0) {
884 buf
[buflen
- 1] = '\0';
886 /* We expect only printable characters, so return if buffer contains
887 * non-printable character before the '\0' or just '\0'. */
888 for (bptr
= buf
; *bptr
&& isprint((unsigned char)*bptr
); bptr
++)
898 do_auxv_note(struct magic_set
*ms
, unsigned char *nbuf
, uint32_t type
,
899 int swap
, uint32_t namesz
__attribute__((__unused__
)),
900 uint32_t descsz
__attribute__((__unused__
)),
901 size_t noff
__attribute__((__unused__
)), size_t doff
,
902 int *flags
, size_t size
__attribute__((__unused__
)), int clazz
,
903 int fd
, off_t ph_off
, int ph_num
, off_t fsize
)
908 size_t elsize
= xauxv_sizeof
;
913 if (type
!= NT_AUXV
|| (*flags
& FLAGS_IS_CORE
) == 0)
916 *flags
|= FLAGS_DID_AUXV
;
919 for (size_t off
= 0; off
+ elsize
<= descsz
; off
+= elsize
) {
920 (void)memcpy(xauxv_addr
, &nbuf
[doff
+ off
], xauxv_sizeof
);
921 /* Limit processing to 50 vector entries to prevent DoS */
923 file_error(ms
, 0, "Too many ELF Auxv elements");
928 case AT_LINUX_EXECFN
:
932 case AT_LINUX_PLATFORM
:
946 tag
= "effective uid";
950 tag
= "effective gid";
964 buflen
= get_string_on_virtaddr(ms
, swap
, clazz
, fd
,
965 ph_off
, ph_num
, fsize
, xauxv_val
, buf
, sizeof(buf
));
970 if (file_printf(ms
, ", %s: '%s'", tag
, buf
) == -1)
973 if (file_printf(ms
, ", %s: %d", tag
, (int) xauxv_val
)
985 donote(struct magic_set
*ms
, void *vbuf
, size_t offset
, size_t size
,
986 int clazz
, int swap
, size_t align
, int *flags
, uint16_t *notecount
,
987 int fd
, off_t ph_off
, int ph_num
, off_t fsize
)
992 uint32_t namesz
, descsz
;
993 unsigned char *nbuf
= CAST(unsigned char *, vbuf
);
999 if (xnh_sizeof
+ offset
> size
) {
1001 * We're out of note headers.
1003 return xnh_sizeof
+ offset
;
1006 (void)memcpy(xnh_addr
, &nbuf
[offset
], xnh_sizeof
);
1007 offset
+= xnh_sizeof
;
1009 namesz
= xnh_namesz
;
1010 descsz
= xnh_descsz
;
1012 if ((namesz
== 0) && (descsz
== 0)) {
1014 * We're out of note headers.
1016 return (offset
>= size
) ? offset
: size
;
1019 if (namesz
& 0x80000000) {
1020 (void)file_printf(ms
, ", bad note name size 0x%lx",
1021 (unsigned long)namesz
);
1025 if (descsz
& 0x80000000) {
1026 (void)file_printf(ms
, ", bad note description size 0x%lx",
1027 (unsigned long)descsz
);
1032 doff
= ELF_ALIGN(offset
+ namesz
);
1034 if (offset
+ namesz
> size
) {
1036 * We're past the end of the buffer.
1041 offset
= ELF_ALIGN(doff
+ descsz
);
1042 if (doff
+ descsz
> size
) {
1044 * We're past the end of the buffer.
1046 return (offset
>= size
) ? offset
: size
;
1050 if ((*flags
& FLAGS_DID_OS_NOTE
) == 0) {
1051 if (do_os_note(ms
, nbuf
, xnh_type
, swap
,
1052 namesz
, descsz
, noff
, doff
, flags
))
1056 if ((*flags
& FLAGS_DID_BUILD_ID
) == 0) {
1057 if (do_bid_note(ms
, nbuf
, xnh_type
, swap
,
1058 namesz
, descsz
, noff
, doff
, flags
))
1062 if ((*flags
& FLAGS_DID_NETBSD_PAX
) == 0) {
1063 if (do_pax_note(ms
, nbuf
, xnh_type
, swap
,
1064 namesz
, descsz
, noff
, doff
, flags
))
1068 if ((*flags
& FLAGS_DID_CORE
) == 0) {
1069 if (do_core_note(ms
, nbuf
, xnh_type
, swap
,
1070 namesz
, descsz
, noff
, doff
, flags
, size
, clazz
))
1074 if ((*flags
& FLAGS_DID_AUXV
) == 0) {
1075 if (do_auxv_note(ms
, nbuf
, xnh_type
, swap
,
1076 namesz
, descsz
, noff
, doff
, flags
, size
, clazz
,
1077 fd
, ph_off
, ph_num
, fsize
))
1081 if (namesz
== 7 && strcmp((char *)&nbuf
[noff
], "NetBSD") == 0) {
1085 case NT_NETBSD_VERSION
:
1087 case NT_NETBSD_MARCH
:
1088 if (*flags
& FLAGS_DID_NETBSD_MARCH
)
1090 *flags
|= FLAGS_DID_NETBSD_MARCH
;
1091 if (file_printf(ms
, ", compiled for: %.*s",
1092 (int)descsz
, (const char *)&nbuf
[doff
]) == -1)
1095 case NT_NETBSD_CMODEL
:
1096 if (*flags
& FLAGS_DID_NETBSD_CMODEL
)
1098 *flags
|= FLAGS_DID_NETBSD_CMODEL
;
1099 if (file_printf(ms
, ", compiler model: %.*s",
1100 (int)descsz
, (const char *)&nbuf
[doff
]) == -1)
1104 if (*flags
& FLAGS_DID_NETBSD_UNKNOWN
)
1106 *flags
|= FLAGS_DID_NETBSD_UNKNOWN
;
1107 if (file_printf(ms
, ", note=%u", xnh_type
) == -1)
1117 /* SunOS 5.x hardware capability descriptions */
1118 typedef struct cap_desc
{
1120 const char *cd_name
;
1123 static const cap_desc_t cap_desc_sparc
[] = {
1124 { AV_SPARC_MUL32
, "MUL32" },
1125 { AV_SPARC_DIV32
, "DIV32" },
1126 { AV_SPARC_FSMULD
, "FSMULD" },
1127 { AV_SPARC_V8PLUS
, "V8PLUS" },
1128 { AV_SPARC_POPC
, "POPC" },
1129 { AV_SPARC_VIS
, "VIS" },
1130 { AV_SPARC_VIS2
, "VIS2" },
1131 { AV_SPARC_ASI_BLK_INIT
, "ASI_BLK_INIT" },
1132 { AV_SPARC_FMAF
, "FMAF" },
1133 { AV_SPARC_FJFMAU
, "FJFMAU" },
1134 { AV_SPARC_IMA
, "IMA" },
1138 static const cap_desc_t cap_desc_386
[] = {
1139 { AV_386_FPU
, "FPU" },
1140 { AV_386_TSC
, "TSC" },
1141 { AV_386_CX8
, "CX8" },
1142 { AV_386_SEP
, "SEP" },
1143 { AV_386_AMD_SYSC
, "AMD_SYSC" },
1144 { AV_386_CMOV
, "CMOV" },
1145 { AV_386_MMX
, "MMX" },
1146 { AV_386_AMD_MMX
, "AMD_MMX" },
1147 { AV_386_AMD_3DNow
, "AMD_3DNow" },
1148 { AV_386_AMD_3DNowx
, "AMD_3DNowx" },
1149 { AV_386_FXSR
, "FXSR" },
1150 { AV_386_SSE
, "SSE" },
1151 { AV_386_SSE2
, "SSE2" },
1152 { AV_386_PAUSE
, "PAUSE" },
1153 { AV_386_SSE3
, "SSE3" },
1154 { AV_386_MON
, "MON" },
1155 { AV_386_CX16
, "CX16" },
1156 { AV_386_AHF
, "AHF" },
1157 { AV_386_TSCP
, "TSCP" },
1158 { AV_386_AMD_SSE4A
, "AMD_SSE4A" },
1159 { AV_386_POPCNT
, "POPCNT" },
1160 { AV_386_AMD_LZCNT
, "AMD_LZCNT" },
1161 { AV_386_SSSE3
, "SSSE3" },
1162 { AV_386_SSE4_1
, "SSE4.1" },
1163 { AV_386_SSE4_2
, "SSE4.2" },
1168 doshn(struct magic_set
*ms
, int clazz
, int swap
, int fd
, off_t off
, int num
,
1169 size_t size
, off_t fsize
, int mach
, int strtab
, int *flags
,
1170 uint16_t *notecount
)
1177 off_t noff
, coff
, name_off
;
1178 uint64_t cap_hw1
= 0; /* SunOS 5.x hardware capabilites */
1179 uint64_t cap_sf1
= 0; /* SunOS 5.x software capabilites */
1183 if (size
!= xsh_sizeof
) {
1184 if (file_printf(ms
, ", corrupted section header size") == -1)
1189 /* Read offset of name section to be able to read section names later */
1190 if (pread(fd
, xsh_addr
, xsh_sizeof
, CAST(off_t
, (off
+ size
* strtab
)))
1191 < (ssize_t
)xsh_sizeof
) {
1195 name_off
= xsh_offset
;
1197 for ( ; num
; num
--) {
1198 /* Read the name of this section. */
1199 if ((namesize
= pread(fd
, name
, sizeof(name
) - 1, name_off
+ xsh_name
)) == -1) {
1203 name
[namesize
] = '\0';
1204 if (strcmp(name
, ".debug_info") == 0)
1207 if (pread(fd
, xsh_addr
, xsh_sizeof
, off
) < (ssize_t
)xsh_sizeof
) {
1213 /* Things we can determine before we seek */
1222 if (fsize
!= SIZE_UNKNOWN
&& xsh_offset
> fsize
) {
1223 /* Perhaps warn here */
1230 /* Things we can determine when we seek */
1233 if ((uintmax_t)(xsh_size
+ xsh_offset
) >
1236 ", note offset/size 0x%" INTMAX_T_FORMAT
1237 "x+0x%" INTMAX_T_FORMAT
"x exceeds"
1238 " file size 0x%" INTMAX_T_FORMAT
"x",
1239 (uintmax_t)xsh_offset
, (uintmax_t)xsh_size
,
1240 (uintmax_t)fsize
) == -1)
1244 if ((nbuf
= malloc(xsh_size
)) == NULL
) {
1245 file_error(ms
, errno
, "Cannot allocate memory"
1249 if (pread(fd
, nbuf
, xsh_size
, xsh_offset
) <
1250 (ssize_t
)xsh_size
) {
1258 if (noff
>= (off_t
)xsh_size
)
1260 noff
= donote(ms
, nbuf
, (size_t)noff
,
1261 xsh_size
, clazz
, swap
, 4, flags
, notecount
,
1282 if (lseek(fd
, xsh_offset
, SEEK_SET
) == (off_t
)-1) {
1290 char cbuf
[/*CONSTCOND*/
1291 MAX(sizeof cap32
, sizeof cap64
)];
1292 if ((coff
+= xcap_sizeof
) > (off_t
)xsh_size
)
1294 if (read(fd
, cbuf
, (size_t)xcap_sizeof
) !=
1295 (ssize_t
)xcap_sizeof
) {
1299 if (cbuf
[0] == 'A') {
1303 memcpy(&len
, p
, sizeof(len
));
1305 len
= getu32(swap
, len
);
1306 if (memcmp("gnu", p
, 3) != 0) {
1308 ", unknown capability %.3s", p
)
1315 memcpy(&len
, p
, sizeof(len
));
1317 len
= getu32(swap
, len
);
1319 if (file_printf(ms
, ", unknown gnu"
1320 " capability tag %d", tag
)
1329 (void)memcpy(xcap_addr
, cbuf
, xcap_sizeof
);
1334 cap_hw1
|= xcap_val
;
1337 cap_sf1
|= xcap_val
;
1341 ", with unknown capability "
1342 "0x%" INT64_T_FORMAT
"x = 0x%"
1344 (unsigned long long)xcap_tag
,
1345 (unsigned long long)xcap_val
) == -1)
1359 if (file_printf(ms
, ", %sstripped", stripped
? "" : "not ") == -1)
1362 const cap_desc_t
*cdp
;
1365 case EM_SPARC32PLUS
:
1367 cdp
= cap_desc_sparc
;
1378 if (file_printf(ms
, ", uses") == -1)
1381 while (cdp
->cd_name
) {
1382 if (cap_hw1
& cdp
->cd_mask
) {
1384 " %s", cdp
->cd_name
) == -1)
1386 cap_hw1
&= ~cdp
->cd_mask
;
1392 " unknown hardware capability 0x%"
1394 (unsigned long long)cap_hw1
) == -1)
1398 " hardware capability 0x%" INT64_T_FORMAT
"x",
1399 (unsigned long long)cap_hw1
) == -1)
1404 if (cap_sf1
& SF1_SUNW_FPUSED
) {
1406 (cap_sf1
& SF1_SUNW_FPKNWN
)
1407 ? ", uses frame pointer"
1408 : ", not known to use frame pointer") == -1)
1411 cap_sf1
&= ~SF1_SUNW_MASK
;
1414 ", with unknown software capability 0x%"
1416 (unsigned long long)cap_sf1
) == -1)
1423 * Look through the program headers of an executable image, searching
1424 * for a PT_INTERP section; if one is found, it's dynamically linked,
1425 * otherwise it's statically linked.
1428 dophn_exec(struct magic_set
*ms
, int clazz
, int swap
, int fd
, off_t off
,
1429 int num
, size_t size
, off_t fsize
, int sh_num
, int *flags
,
1430 uint16_t *notecount
)
1434 const char *linking_style
= "statically";
1435 const char *interp
= "";
1436 unsigned char nbuf
[BUFSIZ
];
1439 size_t offset
, align
, len
;
1441 if (size
!= xph_sizeof
) {
1442 if (file_printf(ms
, ", corrupted program header size") == -1)
1447 for ( ; num
; num
--) {
1448 if (pread(fd
, xph_addr
, xph_sizeof
, off
) < (ssize_t
)xph_sizeof
) {
1457 /* Things we can determine before we seek */
1460 linking_style
= "dynamically";
1463 if (sh_num
) /* Did this through section headers */
1465 if (((align
= xph_align
) & 0x80000000UL
) != 0 ||
1468 ", invalid note alignment 0x%lx",
1469 (unsigned long)align
) == -1)
1475 len
= xph_filesz
< sizeof(nbuf
) ? xph_filesz
1477 bufsize
= pread(fd
, nbuf
, len
, xph_offset
);
1478 if (bufsize
== -1) {
1484 if (fsize
!= SIZE_UNKNOWN
&& xph_offset
> fsize
) {
1485 /* Maybe warn here? */
1491 /* Things we can determine when we seek */
1494 if (bufsize
&& nbuf
[0]) {
1495 nbuf
[bufsize
- 1] = '\0';
1496 interp
= (const char *)nbuf
;
1502 * This is a PT_NOTE section; loop through all the notes
1507 if (offset
>= (size_t)bufsize
)
1509 offset
= donote(ms
, nbuf
, offset
,
1510 (size_t)bufsize
, clazz
, swap
, align
,
1511 flags
, notecount
, fd
, 0, 0, 0);
1520 if (file_printf(ms
, ", %s linked", linking_style
)
1524 if (file_printf(ms
, ", interpreter %s",
1525 file_printable(ibuf
, sizeof(ibuf
), interp
)) == -1)
1532 file_tryelf(struct magic_set
*ms
, int fd
, const unsigned char *buf
,
1537 char c
[sizeof (int32_t)];
1544 Elf32_Ehdr elf32hdr
;
1545 Elf64_Ehdr elf64hdr
;
1546 uint16_t type
, phnum
, shnum
, notecount
;
1548 if (ms
->flags
& (MAGIC_MIME
|MAGIC_APPLE
|MAGIC_EXTENSION
))
1551 * ELF executables have multiple section headers in arbitrary
1552 * file locations and thus file(1) cannot determine it from easily.
1553 * Instead we traverse thru all section headers until a symbol table
1554 * one is found or else the binary is stripped.
1555 * Return immediately if it's not ELF (so we avoid pipe2file unless needed).
1557 if (buf
[EI_MAG0
] != ELFMAG0
1558 || (buf
[EI_MAG1
] != ELFMAG1
&& buf
[EI_MAG1
] != OLFMAG1
)
1559 || buf
[EI_MAG2
] != ELFMAG2
|| buf
[EI_MAG3
] != ELFMAG3
)
1563 * If we cannot seek, it must be a pipe, socket or fifo.
1565 if((lseek(fd
, (off_t
)0, SEEK_SET
) == (off_t
)-1) && (errno
== ESPIPE
))
1566 fd
= file_pipe2file(ms
, fd
, buf
, nbytes
);
1568 if (fstat(fd
, &st
) == -1) {
1572 if (S_ISREG(st
.st_mode
) || st
.st_size
!= 0)
1575 fsize
= SIZE_UNKNOWN
;
1577 clazz
= buf
[EI_CLASS
];
1582 #define elf_getu(a, b) elf_getu32(a, b)
1584 #define elfhdr elf32hdr
1585 #include "elfclass.h"
1588 #define elf_getu(a, b) elf_getu64(a, b)
1590 #define elfhdr elf64hdr
1591 #include "elfclass.h"
1593 if (file_printf(ms
, ", unknown class %d", clazz
) == -1)