Rtoax / ulpatch

ULPatch is open source user space live patch tool.
https://rtoax.github.io/ulpatch/
GNU General Public License v2.0

overflow in relocation type R_X86_64_32S(11) val 556ddb198110 #5

Open Rtoax opened 4 months ago

Rtoax commented 4 months ago

When I run tests/hello/hello-pie:

rongtao@rtoax:~/Git/ulpatch/tests/hello$ ./hello-pie
print_hello                     : 0x0000004248f1e8
puts                            : 0x0000007c1fc390
Hello World. 0, 255
Hello World. 1, 255
Hello World. 2, 255
Hello World. 3, 255
Hello World. 4, 255

I found the error:

rongtao@rtoax:~/Git/ulpatch/tests/hello$ ./test.sh -u patch-pthread.ulp
Already install ulpatch
make: Nothing to be done for 'build'.
Wrong ELF magic
overflow in relocation type R_X86_64_32S(11) val 556ddb198110
likely not compiled with -mcmodel=kernel.
Rtoax commented 4 months ago

The same one: overflow in relocation type R_X86_64_32S(11) val 557a42493168

Rtoax commented 4 months ago

Checking the patch-pthread.ulp relocations, I found R_X86_64_32 and R_X86_64_32S:

rongtao@rtoax:~/Git/ulpatch/tests/hello$ readelf -r patch-pthread.ulp

Relocation section '.rela.text' at offset 0xaf0 contains 11 entries:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
00000000000d  00040000000a R_X86_64_32       0000000000000000 .rodata + 0
000000000012  001600000004 R_X86_64_PLT32    0000000000000000 puts - 4
00000000001c  001700000004 R_X86_64_PLT32    0000000000000000 sleep - 4
000000000030  001400000002 R_X86_64_PC32     0000000000000000 not_created - 4
000000000039  00040000000a R_X86_64_32       0000000000000000 .rodata + 19
00000000003e  001600000004 R_X86_64_PLT32    0000000000000000 puts - 4
000000000044  001400000002 R_X86_64_PC32     0000000000000000 not_created - 8
000000000052  00190000000a R_X86_64_32       0000000000000000 routine + 0
00000000005c  00180000000a R_X86_64_32       0000000000000008 thread + 0
000000000061  001300000004 R_X86_64_PLT32    0000000000000000 pthread_create - 4
00000000006d  001a00000004 R_X86_64_PLT32    0000000000000000 internal_print_hello - 4

Relocation section '.rela.eh_frame' at offset 0xbf8 contains 2 entries:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
000000000020  000300000002 R_X86_64_PC32     0000000000000000 .text + 0
00000000003c  000300000002 R_X86_64_PC32     0000000000000000 .text + 22

Relocation section '.rela.debug_aranges' at offset 0xc28 contains 2 entries:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
000000000006  000d0000000a R_X86_64_32       0000000000000000 .debug_info + 0
000000000010  000300000001 R_X86_64_64       0000000000000000 .text + 0

Relocation section '.rela.debug_info' at offset 0xc58 contains 32 entries:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
000000000008  000e0000000a R_X86_64_32       0000000000000000 .debug_abbrev + 0
00000000000d  00100000000a R_X86_64_32       0000000000000000 .debug_str + e
000000000012  00110000000a R_X86_64_32       0000000000000000 .debug_line_str + 26
000000000016  00110000000a R_X86_64_32       0000000000000000 .debug_line_str + 0
00000000001a  000300000001 R_X86_64_64       0000000000000000 .text + 0
00000000002a  000f0000000a R_X86_64_32       0000000000000000 .debug_line + 0
000000000031  00100000000a R_X86_64_32       0000000000000000 .debug_str + 8b
000000000038  00100000000a R_X86_64_32       0000000000000000 .debug_str + 63
000000000046  00100000000a R_X86_64_32       0000000000000000 .debug_str + cf
00000000004d  00100000000a R_X86_64_32       0000000000000000 .debug_str + 100
000000000054  00100000000a R_X86_64_32       0000000000000000 .debug_str + 113
00000000005b  00100000000a R_X86_64_32       0000000000000000 .debug_str + 127
000000000069  00100000000a R_X86_64_32       0000000000000000 .debug_str + e8
000000000070  00100000000a R_X86_64_32       0000000000000000 .debug_str + dd
000000000077  00100000000a R_X86_64_32       0000000000000000 .debug_str + 9d
00000000007c  00100000000a R_X86_64_32       0000000000000000 .debug_str + 14d
000000000087  00100000000a R_X86_64_32       0000000000000000 .debug_str + 70
000000000094  00100000000a R_X86_64_32       0000000000000000 .debug_str + f9
00000000009f  00100000000a R_X86_64_32       0000000000000000 .debug_str + 11f
0000000000bb  00100000000a R_X86_64_32       0000000000000000 .debug_str + 70
0000000000cd  00100000000a R_X86_64_32       0000000000000000 .debug_str + 0
0000000000d2  00100000000a R_X86_64_32       0000000000000000 .debug_str + 7f
0000000000de  001400000001 R_X86_64_64       0000000000000000 not_created + 0
0000000000e7  00100000000a R_X86_64_32       0000000000000000 .debug_str + 131
0000000000f3  001800000001 R_X86_64_64       0000000000000008 thread + 0
0000000000fc  00100000000a R_X86_64_32       0000000000000000 .debug_str + 138
00000000010e  00100000000a R_X86_64_32       0000000000000000 .debug_str + c0
00000000015b  00100000000a R_X86_64_32       0000000000000000 .debug_str + e2
000000000172  00100000000a R_X86_64_32       0000000000000000 .debug_str + b4
000000000179  000300000001 R_X86_64_64       0000000000000000 .text + 22
00000000019e  00100000000a R_X86_64_32       0000000000000000 .debug_str + f1
0000000001a9  000300000001 R_X86_64_64       0000000000000000 .text + 0

Relocation section '.rela.debug_line' at offset 0xf58 contains 9 entries:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
000000000022  00110000000a R_X86_64_32       0000000000000000 .debug_line_str + 36
000000000026  00110000000a R_X86_64_32       0000000000000000 .debug_line_str + 5c
00000000002a  00110000000a R_X86_64_32       0000000000000000 .debug_line_str + 6e
000000000034  00110000000a R_X86_64_32       0000000000000000 .debug_line_str + 7b
000000000039  00110000000a R_X86_64_32       0000000000000000 .debug_line_str + 8b
00000000003e  00110000000a R_X86_64_32       0000000000000000 .debug_line_str + 9b
000000000043  00110000000a R_X86_64_32       0000000000000000 .debug_line_str + aa
000000000048  00110000000a R_X86_64_32       0000000000000000 .debug_line_str + b4
000000000052  000300000001 R_X86_64_64       0000000000000000 .text + 0

Because the address value is bigger than 32 bits, it overflows.

If I compile the ulpatch ELF file without -g -ggdb, the relocations look like:

rongtao@rtoax:~/Git/ulpatch/tests/hello$ readelf -r patch-pthread.ulp

Relocation section '.rela.text' at offset 0x490 contains 11 entries:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
00000000000d  00040000000a R_X86_64_32       0000000000000000 .rodata + 0
000000000012  001000000004 R_X86_64_PLT32    0000000000000000 puts - 4
00000000001c  001100000004 R_X86_64_PLT32    0000000000000000 sleep - 4
000000000030  000e00000002 R_X86_64_PC32     0000000000000000 not_created - 4
000000000039  00040000000a R_X86_64_32       0000000000000000 .rodata + 19
00000000003e  001000000004 R_X86_64_PLT32    0000000000000000 puts - 4
000000000044  000e00000002 R_X86_64_PC32     0000000000000000 not_created - 8
000000000052  00130000000a R_X86_64_32       0000000000000000 routine + 0
00000000005c  00120000000a R_X86_64_32       0000000000000008 thread + 0
000000000061  000d00000004 R_X86_64_PLT32    0000000000000000 pthread_create - 4
00000000006d  001400000004 R_X86_64_PLT32    0000000000000000 internal_print_hello - 4

Relocation section '.rela.eh_frame' at offset 0x598 contains 2 entries:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
000000000020  000300000002 R_X86_64_PC32     0000000000000000 .text + 0
00000000003c  000300000002 R_X86_64_PC32     0000000000000000 .text + 22
Rtoax commented 4 months ago

libcare/libcareplus seems to work fine!!

I figured out there is no R_X86_64_32S.

Rtoax commented 4 months ago

You can see this:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "common.h"

int local_i = 123;
static long __unused static_i = 1024;
static char __unused *static_s = "you";

void init(void)
{
    local_i++;
    static_i++;
    static_s++;
    printf("\n");
    debug();
}

void done(void)
{
    debug();
}
Compile  libhello.c to libhello.o
gcc -Werror -Wall -Wstrict-prototypes -DDEBUG -O0 -g -I../../  -o libhello.o -c libhello.c
Compile  libhello.o to libhello.so
gcc -Werror -Wall -Wstrict-prototypes -DDEBUG -O0 -g -I../../  -o libhello.so libhello.o -shared -fpic
/usr/bin/ld: libhello.o: relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: failed to set dynamic section sizes: bad value
collect2: error: ld returned 1 exit status
make: *** [Makefile:49: libhello.so] Error 1
rm libhello.o
Rtoax commented 4 months ago

Some useful information:

The ulpatch file compiled without -fpic:

rongtao@RT-NUC:~/Git/ulpatch/tests/hello$ readelf -r patch-add-vars.ulp.1 

Relocation section '.rela.text' at offset 0x498 contains 16 entries:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
000000000015  001100000002 R_X86_64_PC32     0000000000000000 local_i - 4
00000000001e  001100000002 R_X86_64_PC32     0000000000000000 local_i - 4
000000000025  000700000002 R_X86_64_PC32     0000000000000000 .data + 4
000000000030  000700000002 R_X86_64_PC32     0000000000000000 .data + 4
000000000037  000700000002 R_X86_64_PC32     0000000000000000 .data + 4
000000000042  000700000002 R_X86_64_PC32     0000000000000000 .data + 4
000000000049  000700000002 R_X86_64_PC32     0000000000000000 .data + 4
00000000004f  001100000002 R_X86_64_PC32     0000000000000000 local_i - 4
000000000061  00040000000a R_X86_64_32       0000000000000000 .rodata + 10
00000000006b  000f00000004 R_X86_64_PLT32    0000000000000000 printf - 4
000000000072  000700000002 R_X86_64_PC32     0000000000000000 .data + 14
000000000079  001200000002 R_X86_64_PC32     0000000000000010 local_s - 4
000000000081  00040000000a R_X86_64_32       0000000000000000 .rodata + 35
00000000008b  000f00000004 R_X86_64_PLT32    0000000000000000 printf - 4
00000000009e  00040000000a R_X86_64_32       0000000000000000 .rodata + 3c
0000000000a8  000f00000004 R_X86_64_PLT32    0000000000000000 printf - 4

Relocation section '.rela.eh_frame' at offset 0x618 contains 1 entry:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
000000000020  000300000002 R_X86_64_PC32     0000000000000000 .text + 0

Relocation section '.rela.data' at offset 0x630 contains 2 entries:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
000000000010  000400000001 R_X86_64_64       0000000000000000 .rodata + 0
000000000018  000400000001 R_X86_64_64       0000000000000000 .rodata + 5

The ulpatch file compiled with -fpic:

rongtao@RT-NUC:~/Git/ulpatch/tests/hello$ readelf -r patch-add-vars.ulp.2 

Relocation section '.rela.text' at offset 0x500 contains 16 entries:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
000000000016  00120000002a R_X86_64_REX_GOTP 0000000000000000 local_i - 4
000000000022  00120000002a R_X86_64_REX_GOTP 0000000000000000 local_i - 4
00000000002b  000700000002 R_X86_64_PC32     0000000000000000 .data + 4
000000000036  000700000002 R_X86_64_PC32     0000000000000000 .data + 4
00000000003d  000700000002 R_X86_64_PC32     0000000000000000 .data + 4
000000000048  000700000002 R_X86_64_PC32     0000000000000000 .data + 4
00000000004f  000700000002 R_X86_64_PC32     0000000000000000 .data + 4
000000000056  00120000002a R_X86_64_REX_GOTP 0000000000000000 local_i - 4
00000000006c  000400000002 R_X86_64_PC32     0000000000000000 .rodata + c
000000000079  001000000004 R_X86_64_PLT32    0000000000000000 printf - 4
000000000080  000800000002 R_X86_64_PC32     0000000000000000 .data.rel.local + 4
000000000087  00130000002a R_X86_64_REX_GOTP 0000000000000000 local_s - 4
000000000094  000400000002 R_X86_64_PC32     0000000000000000 .rodata + 31
0000000000a1  001000000004 R_X86_64_PLT32    0000000000000000 printf - 4
0000000000b6  000400000002 R_X86_64_PC32     0000000000000000 .rodata + 38
0000000000c3  001000000004 R_X86_64_PLT32    0000000000000000 printf - 4

Relocation section '.rela.eh_frame' at offset 0x680 contains 1 entry:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
000000000020  000300000002 R_X86_64_PC32     0000000000000000 .text + 0

Relocation section '.rela.data.rel.local' at offset 0x698 contains 2 entries:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
000000000000  000400000001 R_X86_64_64       0000000000000000 .rodata + 0
000000000008  000400000001 R_X86_64_64       0000000000000000 .rodata + 5
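Added example, not ULPatch's own code: a minimal x86-64 relocation applier with the overflow checks that the "overflow in relocation type R_X86_64_32S" error implies, applied to the PIE address from this issue. It shows why the absolute R_X86_64_32/R_X86_64_32S entries of the non-PIC build fail while the R_X86_64_PC32 entries the -fpic build emits fit; the function name and the nearby-PC value are assumptions.

```c
/* Added example, not ULPatch's code: apply x86-64 relocations with the
 * overflow checks a loader needs. Type numbers are the ELF ABI values
 * readelf prints above; 0x556ddb198110 is the value from the issue. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define R_X86_64_PC32 2   /* S + A - P, signed 32-bit    */
#define R_X86_64_32   10  /* S + A, zero-extended 32-bit */
#define R_X86_64_32S  11  /* S + A, sign-extended 32-bit */

/* Write the relocated value at loc (NULL = check only); 0 on success, -1 on overflow. */
static int apply_reloc(uint32_t type, uint8_t *loc, uint64_t P,
                       uint64_t S, int64_t A)
{
    uint64_t v = S + (uint64_t)A;
    switch (type) {
    case R_X86_64_32:
        if (v > 0xffffffffULL)
            return -1;
        break;
    case R_X86_64_32S:
        if ((int64_t)v != (int64_t)(int32_t)v)
            return -1;
        break;
    case R_X86_64_PC32:
        v -= P;
        if ((int64_t)v != (int64_t)(int32_t)v)
            return -1;
        break;
    default:
        return -1;  /* unsupported type */
    }
    uint32_t v32 = (uint32_t)v;
    if (loc)
        memcpy(loc, &v32, sizeof v32);
    return 0;
}

int main(void)
{
    uint64_t S = 0x556ddb198110ULL;  /* PIE address seen in the issue */
    /* An absolute 32-bit relocation cannot hold a 47-bit address... */
    printf("R_X86_64_32S: %s\n",
           apply_reloc(R_X86_64_32S, NULL, 0, S, 0) ? "overflow" : "ok");
    /* ...but a PC-relative one from code mapped nearby (assumed 4 KiB below) fits. */
    printf("R_X86_64_PC32: %s\n",
           apply_reloc(R_X86_64_PC32, NULL, S - 0x1000, S, -4) ? "overflow" : "ok");
    return 0;
}
```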
Rtoax commented 2 months ago

See https://github.com/Rtoax/test-linux/issues/6, like the kernel Makefile KBUILD_CFLAGS:

$(info KBUILD_CFLAGS:${KBUILD_CFLAGS})
-Wall -Wundef -Werror=strict-prototypes -Wno-trigraphs -fno-strict-aliasing -fno-common -fshort-wchar -fno-PIE -Werror=implicit-function-declaration -Werror=implicit-int -Werror=return-type -Wno-format-security -std=gnu89 -mno-sse -mno-mmx -mno-sse2 -mno-3dnow -mno-avx -fcf-protection=none -m64 -falign-jumps=1 -falign-loops=1 -mno-80387 -mno-fp-ret-in-387 -mpreferred-stack-boundary=3 -mskip-rax-setup -mtune=generic -mno-red-zone -mcmodel=kernel -Wno-sign-compare -fno-asynchronous-unwind-tables -mindirect-branch=thunk-extern -mindirect-branch-register -mindirect-branch-cs-prefix -mfunction-return=thunk-extern -fno-jump-tables -fno-delete-null-pointer-checks -Wno-frame-address -Wno-format-truncation -Wno-format-overflow -Wno-address-of-packed-member -O2 -fno-allow-store-data-races -Wframe-larger-than=2048 -fstack-protector-strong -Wimplicit-fallthrough=5 -Wno-main -Wno-unused-but-set-variable -Wno-unused-const-variable  -fno-stack-clash-protection -g -pg -mrecord-mcount -mfentry -DCC_USING_FENTRY -fno-inline-functions-called-once -Wdeclaration-after-statement -Wvla -Wno-pointer-sign -Wno-stringop-truncation -Wno-zero-length-bounds -Wno-array-bounds -Wno-stringop-overflow -Wno-restrict -Wno-maybe-uninitialized -Wno-alloc-size-larger-than -fno-strict-overflow -fno-stack-check -fconserve-stack -Werror=date-time -Werror=incompatible-pointer-types -Werror=designated-init -Wno-packed-not-aligned
Rtoax commented 2 months ago

rongtao@rtoax:~/Git/ulpatch/tests/hello$ ./test.sh -u patch-pthread.ulp
Already install ulpatch
make: Nothing to be done for 'build'.
Wrong ELF magic
overflow in relocation type R_X86_64_32S(11) val 556ddb198110

Maybe https://github.com/Rtoax/ulpatch/commit/8cd1f73d931d384a5db63e1332c69df0804ca5d2 could resolve this problem, and I'm sure the kernel module address is smaller than 0xFFFFFFFFUL (see https://github.com/Rtoax/test-linux/commit/76a2208a5b0c04e7c4c8414c2de8cedd752c1763).