NationalSecurityAgency / ghidra

Ghidra is a software reverse engineering (SRE) framework
https://www.nsa.gov/ghidra
Apache License 2.0

Error importing eBPF programs #6621

Closed amitschendel closed 2 weeks ago

amitschendel commented 3 weeks ago

Describe the bug

When importing an eBPF program in Ghidra, it errors out with the following trace:

Cannot invoke "ghidra.program.model.symbol.Symbol.getAddress()" because the return value of "ghidra.program.model.symbol.SymbolIterator.next()" is null
java.lang.NullPointerException: Cannot invoke "ghidra.program.model.symbol.Symbol.getAddress()" because the return value of "ghidra.program.model.symbol.SymbolIterator.next()" is null
    at ghidra.app.util.bin.format.elf.relocation.eBPF_ElfRelocationHandler.relocate(eBPF_ElfRelocationHandler.java:59)
    at ghidra.app.util.bin.format.elf.relocation.ElfRelocationContext.processRelocation(ElfRelocationContext.java:112)
    at ghidra.app.util.opinion.ElfProgramBuilder.processRelocationTableEntries(ElfProgramBuilder.java:1054)
    at ghidra.app.util.opinion.ElfProgramBuilder.processRelocationTable(ElfProgramBuilder.java:953)
    at ghidra.app.util.opinion.ElfProgramBuilder.processRelocations(ElfProgramBuilder.java:888)
    at ghidra.app.util.opinion.ElfProgramBuilder.load(ElfProgramBuilder.java:173)
    at ghidra.app.util.opinion.ElfProgramBuilder.loadElf(ElfProgramBuilder.java:110)
    at ghidra.app.util.opinion.ElfLoader.load(ElfLoader.java:148)
    at ghidra.app.util.opinion.AbstractLibrarySupportLoader.doLoad(AbstractLibrarySupportLoader.java:887)
    at ghidra.app.util.opinion.AbstractLibrarySupportLoader.loadProgram(AbstractLibrarySupportLoader.java:98)
    at ghidra.app.util.opinion.AbstractProgramLoader.load(AbstractProgramLoader.java:131)
    at ghidra.plugin.importer.ImporterUtilities.importSingleFile(ImporterUtilities.java:395)
    at ghidra.plugin.importer.ImporterDialog.lambda$okCallback$7(ImporterDialog.java:336)
    at ghidra.util.task.TaskBuilder$TaskBuilderTask.run(TaskBuilder.java:306)
    at ghidra.util.task.Task.monitoredRun(Task.java:134)
    at ghidra.util.task.TaskRunner.lambda$startTaskThread$0(TaskRunner.java:106)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
    at java.base/java.lang.Thread.run(Thread.java:1570)

---------------------------------------------------
Build Date: 2024-Apr-10 1518 EDT
Ghidra Version: 11.0.3
Java Home: /Library/Java/JavaVirtualMachines/jdk-22.jdk/Contents/Home
JVM Version: Oracle Corporation 22.0.1
OS: Mac OS X 14.4.1 aarch64

To Reproduce

Steps to reproduce the behavior:

1. Install Ghidra
2. Run Ghidra
3. Load any eBPF object file

ryanmkurtz commented 3 weeks ago

Can you attach a failing sample?

amitschendel commented 3 weeks ago

Attached a program; unzip it (GitHub doesn't allow object files): opensnoop_bpfel.o.zip

ghidra1 commented 2 weeks ago

I do not get an exception when importing the supplied *.o file with Ghidra 11.1, although I need to look into how the relocations are being processed.

amitschendel commented 2 weeks ago

On Windows it works well for me. Perhaps the issue persists only on Mac?

ryanmkurtz commented 2 weeks ago

I just tried it on my Mac... worked fine.

ryanmkurtz commented 2 weeks ago

> at ghidra.app.util.bin.format.elf.relocation.eBPF_ElfRelocationHandler.relocate(eBPF_ElfRelocationHandler.java:59)

My line 59 is blank. I am thinking you are running modified code here.

GhidorahRex commented 2 weeks ago

> at ghidra.app.util.bin.format.elf.relocation.eBPF_ElfRelocationHandler.relocate(eBPF_ElfRelocationHandler.java:59)
>
> My line 59 is blank. I am thinking you are running modified code here.

Not modified, just not the latest. This was updated in February.

ghidra1 commented 2 weeks ago

I am going to close this ticket. We will write it off to OBE due to the big refactor of all ELF relocation handlers a few months back. If you can reproduce with Ghidra 11.1, feel free to update with more details and we can reopen.

ryanmkurtz commented 2 weeks ago

I can confirm that this is reproducible in 11.0.3, and fixed in 11.1.