NationalSecurityAgency / ghidra

Ghidra is a software reverse engineering (SRE) framework
https://www.nsa.gov/ghidra
Apache License 2.0

Error importing eBPF programs #6621

Closed amitschendel closed 5 months ago

amitschendel commented 5 months ago

Describe the bug

When importing an eBPF program in Ghidra, it errors out with the following trace:

Cannot invoke "ghidra.program.model.symbol.Symbol.getAddress()" because the return value of "ghidra.program.model.symbol.SymbolIterator.next()" is null
java.lang.NullPointerException: Cannot invoke "ghidra.program.model.symbol.Symbol.getAddress()" because the return value of "ghidra.program.model.symbol.SymbolIterator.next()" is null
    at ghidra.app.util.bin.format.elf.relocation.eBPF_ElfRelocationHandler.relocate(eBPF_ElfRelocationHandler.java:59)
    at ghidra.app.util.bin.format.elf.relocation.ElfRelocationContext.processRelocation(ElfRelocationContext.java:112)
    at ghidra.app.util.opinion.ElfProgramBuilder.processRelocationTableEntries(ElfProgramBuilder.java:1054)
    at ghidra.app.util.opinion.ElfProgramBuilder.processRelocationTable(ElfProgramBuilder.java:953)
    at ghidra.app.util.opinion.ElfProgramBuilder.processRelocations(ElfProgramBuilder.java:888)
    at ghidra.app.util.opinion.ElfProgramBuilder.load(ElfProgramBuilder.java:173)
    at ghidra.app.util.opinion.ElfProgramBuilder.loadElf(ElfProgramBuilder.java:110)
    at ghidra.app.util.opinion.ElfLoader.load(ElfLoader.java:148)
    at ghidra.app.util.opinion.AbstractLibrarySupportLoader.doLoad(AbstractLibrarySupportLoader.java:887)
    at ghidra.app.util.opinion.AbstractLibrarySupportLoader.loadProgram(AbstractLibrarySupportLoader.java:98)
    at ghidra.app.util.opinion.AbstractProgramLoader.load(AbstractProgramLoader.java:131)
    at ghidra.plugin.importer.ImporterUtilities.importSingleFile(ImporterUtilities.java:395)
    at ghidra.plugin.importer.ImporterDialog.lambda$okCallback$7(ImporterDialog.java:336)
    at ghidra.util.task.TaskBuilder$TaskBuilderTask.run(TaskBuilder.java:306)
    at ghidra.util.task.Task.monitoredRun(Task.java:134)
    at ghidra.util.task.TaskRunner.lambda$startTaskThread$0(TaskRunner.java:106)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
    at java.base/java.lang.Thread.run(Thread.java:1570)

---------------------------------------------------
Build Date: 2024-Apr-10 1518 EDT
Ghidra Version: 11.0.3
Java Home: /Library/Java/JavaVirtualMachines/jdk-22.jdk/Contents/Home
JVM Version: Oracle Corporation 22.0.1
OS: Mac OS X 14.4.1 aarch64

To Reproduce

Steps to reproduce the behavior:

1. Install Ghidra
2. Run Ghidra
3. Load any eBPF object file


ryanmkurtz commented 5 months ago

Can you attach a failing sample?

amitschendel commented 5 months ago

Attached a program, unzip it. (GitHub doesn't allow object files.) opensnoop_bpfel.o.zip

ghidra1 commented 5 months ago

I do not get an exception when importing the supplied *.o file with Ghidra 11.1. Although, I need to look into how the relocations are being processed.

amitschendel commented 5 months ago

On Windows it works well for me. Perhaps the issue persists only on Mac?

ryanmkurtz commented 5 months ago

I just tried it on my Mac...worked fine.

ryanmkurtz commented 5 months ago

> at ghidra.app.util.bin.format.elf.relocation.eBPF_ElfRelocationHandler.relocate(eBPF_ElfRelocationHandler.java:59)

My line 59 is blank. I am thinking you are running modified code here.

GhidorahRex commented 5 months ago

> > at ghidra.app.util.bin.format.elf.relocation.eBPF_ElfRelocationHandler.relocate(eBPF_ElfRelocationHandler.java:59)
>
> My line 59 is blank. I am thinking you are running modified code here.

Not modified, just not the latest. This was updated in February.

ghidra1 commented 5 months ago

I am going to close this ticket. We will write off to OBE due to the big refactor of all ELF relocation handlers a few months back. If you can reproduce with Ghidra 11.1, feel free to update with more details and we can reopen.

ryanmkurtz commented 5 months ago

I can confirm that this is reproducible in 11.0.3, and fixed in 11.1.