14 FILE_RCSID("@(#)$Id: readelf.c,v 1.26 2003/02/25 15:30:00 christos Exp $")
18 static void dophn_core(int, int, int, off_t, int, size_t);
20 static void dophn_exec(int, int, int, off_t, int, size_t);
21 static void doshn(int, int, int, off_t, int, size_t);
23 static uint16_t getu16(int, uint16_t);
24 static uint32_t getu32(int, uint32_t);
25 static uint64_t getu64(int, uint64_t);
28 getu16(int swap, uint16_t value)
38 retval.c[0] = tmpval.c[1];
39 retval.c[1] = tmpval.c[0];
47 getu32(int swap, uint32_t value)
57 retval.c[0] = tmpval.c[3];
58 retval.c[1] = tmpval.c[2];
59 retval.c[2] = tmpval.c[1];
60 retval.c[3] = tmpval.c[0];
68 getu64(int swap, uint64_t value)
78 retval.c[0] = tmpval.c[7];
79 retval.c[1] = tmpval.c[6];
80 retval.c[2] = tmpval.c[5];
81 retval.c[3] = tmpval.c[4];
82 retval.c[4] = tmpval.c[3];
83 retval.c[5] = tmpval.c[2];
84 retval.c[6] = tmpval.c[1];
85 retval.c[7] = tmpval.c[0];
92 #define sh_addr (class == ELFCLASS32 \
95 #define sh_size (class == ELFCLASS32 \
98 #define shs_type (class == ELFCLASS32 \
99 ? getu32(swap, sh32.sh_type) \
100 : getu32(swap, sh64.sh_type))
101 #define ph_addr (class == ELFCLASS32 \
104 #define ph_size (class == ELFCLASS32 \
107 #define ph_type (class == ELFCLASS32 \
108 ? getu32(swap, ph32.p_type) \
109 : getu32(swap, ph64.p_type))
110 #define ph_offset (class == ELFCLASS32 \
111 ? getu32(swap, ph32.p_offset) \
112 : getu64(swap, ph64.p_offset))
113 #define ph_align (class == ELFCLASS32 \
114 ? (ph32.p_align ? getu32(swap, ph32.p_align) : 4) \
115 : (ph64.p_align ? getu64(swap, ph64.p_align) : 4))
116 #define nh_size (class == ELFCLASS32 \
119 #define nh_type (class == ELFCLASS32 \
120 ? getu32(swap, nh32->n_type) \
121 : getu32(swap, nh64->n_type))
122 #define nh_namesz (class == ELFCLASS32 \
123 ? getu32(swap, nh32->n_namesz) \
124 : getu32(swap, nh64->n_namesz))
125 #define nh_descsz (class == ELFCLASS32 \
126 ? getu32(swap, nh32->n_descsz) \
127 : getu32(swap, nh64->n_descsz))
128 #define prpsoffsets(i) (class == ELFCLASS32 \
133 doshn(int class, int swap, int fd, off_t off, int num, size_t size)
139 error("corrupted section header size.\n");
141 if (lseek(fd, off, SEEK_SET) == -1)
142 error("lseek failed (%s).\n", strerror(errno));
144 for ( ; num; num--) {
145 if (read(fd, sh_addr, sh_size) == -1)
146 error("read failed (%s).\n", strerror(errno));
147 if (shs_type == SHT_SYMTAB /* || shs_type == SHT_DYNSYM */) {
148 (void) printf (", not stripped");
152 (void) printf (", stripped");
156 * Look through the program headers of an executable image, searching
157 * for a PT_INTERP section; if one is found, it's dynamically linked,
158 * otherwise it's statically linked.
161 dophn_exec(int class, int swap, int fd, off_t off, int num, size_t size)
164 Elf32_Nhdr *nh32 = NULL;
166 Elf64_Nhdr *nh64 = NULL;
167 char *linking_style = "statically";
168 char *shared_libraries = "";
171 size_t offset, nameoffset;
175 error("corrupted program header size.\n");
176 if (lseek(fd, off, SEEK_SET) == -1)
177 error("lseek failed (%s).\n", strerror(errno));
179 for ( ; num; num--) {
180 if (read(fd, ph_addr, ph_size) == -1)
181 error("read failed (%s).\n", strerror(errno));
182 if ((savedoffset = lseek(fd, 0, SEEK_CUR)) == -1)
183 error("lseek failed (%s).\n", strerror(errno));
187 linking_style = "dynamically";
190 shared_libraries = " (uses shared libs)";
194 * This is a PT_NOTE section; loop through all the notes
197 if (lseek(fd, (off_t) ph_offset, SEEK_SET) == -1)
198 error("lseek failed (%s).\n", strerror(errno));
199 bufsize = read(fd, nbuf, sizeof(nbuf));
201 error(": " "read failed (%s).\n",
205 if (offset >= bufsize)
207 if (class == ELFCLASS32)
208 nh32 = (Elf32_Nhdr *)&nbuf[offset];
210 nh64 = (Elf64_Nhdr *)&nbuf[offset];
213 if (offset + nh_namesz >= bufsize) {
215 * We're past the end of the buffer.
222 offset = ((offset+ph_align-1)/ph_align)*ph_align;
224 if ((nh_namesz == 0) && (nh_descsz == 0)) {
226 * We're out of note headers.
231 if (offset + nh_descsz >= bufsize)
234 if (nh_namesz == 4 &&
235 strcmp(&nbuf[nameoffset], "GNU") == 0 &&
236 nh_type == NT_GNU_VERSION &&
239 (uint32_t *)&nbuf[offset];
241 printf(", for GNU/");
242 switch (getu32(swap, desc[0])) {
256 getu32(swap, desc[1]),
257 getu32(swap, desc[2]),
258 getu32(swap, desc[3]));
261 if (nh_namesz == 7 &&
262 strcmp(&nbuf[nameoffset], "NetBSD") == 0 &&
263 nh_type == NT_NETBSD_VERSION &&
265 printf(", for NetBSD");
267 * Version number is stuck at 199905,
268 * and hence is basically content-free.
272 if (nh_namesz == 8 &&
273 strcmp(&nbuf[nameoffset], "FreeBSD") == 0 &&
274 nh_type == NT_FREEBSD_VERSION &&
276 uint32_t desc = getu32(swap,
277 *(uint32_t *)&nbuf[offset]);
278 printf(", for FreeBSD");
280 * Contents is __FreeBSD_version,
281 * whose relation to OS versions is
282 * defined by a huge table in the
283 * Porters' Handbook. Happily, the
284 * first three digits are the version
285 * number, at least in versions of
286 * FreeBSD that use this note.
289 printf(" %d.%d", desc / 100000,
291 if (desc / 1000 % 10 > 0)
296 if (nh_namesz == 8 &&
297 strcmp(&nbuf[nameoffset], "OpenBSD") == 0 &&
298 nh_type == NT_OPENBSD_VERSION &&
300 printf(", for OpenBSD");
301 /* Content of note is always 0 */
304 if ((lseek(fd, savedoffset + offset, SEEK_SET)) == -1)
305 error("lseek failed (%s).\n", strerror(errno));
309 printf(", %s linked%s", linking_style, shared_libraries);
313 size_t prpsoffsets32[] = {
315 28, /* Linux 2.0.36 */
316 32, /* Linux (I forget which kernel version) */
320 size_t prpsoffsets64[] = {
321 120, /* SunOS 5.x, 64-bit */
324 #define NOFFSETS32 (sizeof prpsoffsets32 / sizeof prpsoffsets32[0])
325 #define NOFFSETS64 (sizeof prpsoffsets64 / sizeof prpsoffsets64[0])
327 #define NOFFSETS (class == ELFCLASS32 ? NOFFSETS32 : NOFFSETS64)
330 * Look through the program headers of an executable image, searching
331 * for a PT_NOTE section of type NT_PRPSINFO, with a name "CORE" or
332 * "FreeBSD"; if one is found, try looking in various places in its
333 * contents for a 16-character string containing only printable
334 * characters - if found, that string should be the name of the program
335 * that dropped core. Note: right after that 16-character string is,
336 * at least in SunOS 5.x (and possibly other SVR4-flavored systems) and
337 * Linux, a longer string (80 characters, in 5.x, probably other
338 * SVR4-flavored systems, and Linux) containing the start of the
339 * command line for that program.
341 * The signal number probably appears in a section of type NT_PRSTATUS,
342 * but that's also rather OS-dependent, in ways that are harder to
343 * dissect with heuristics, so I'm not bothering with the signal number.
344 * (I suppose the signal number could be of interest in situations where
345 * you don't have the binary of the program that dropped core; if you
346 * *do* have that binary, the debugger will probably tell you what
350 #define OS_STYLE_SVR4 0
351 #define OS_STYLE_FREEBSD 1
352 #define OS_STYLE_NETBSD 2
354 static const char *os_style_names[] = {
361 dophn_core(int class, int swap, int fd, off_t off, int num, size_t size)
364 Elf32_Nhdr *nh32 = NULL;
366 Elf64_Nhdr *nh64 = NULL;
367 size_t offset, nameoffset, noffset, reloffset;
375 error("corrupted program header size.\n");
377 * Loop through all the program headers.
379 for ( ; num; num--) {
380 if (lseek(fd, off, SEEK_SET) == -1)
381 error("lseek failed (%s).\n", strerror(errno));
382 if (read(fd, ph_addr, ph_size) == -1)
383 error("read failed (%s).\n", strerror(errno));
385 if (ph_type != PT_NOTE)
389 * This is a PT_NOTE section; loop through all the notes
392 if (lseek(fd, (off_t) ph_offset, SEEK_SET) == -1)
393 error("lseek failed (%s).\n", strerror(errno));
394 bufsize = read(fd, nbuf, BUFSIZ);
396 error(": " "read failed (%s).\n", strerror(errno));
399 if (offset >= bufsize)
401 if (class == ELFCLASS32)
402 nh32 = (Elf32_Nhdr *)&nbuf[offset];
404 nh64 = (Elf64_Nhdr *)&nbuf[offset];
408 * Check whether this note has the name "CORE" or
409 * "FreeBSD", or "NetBSD-CORE".
411 if (offset + nh_namesz >= bufsize) {
413 * We're past the end of the buffer.
420 offset = ((offset + 3)/4)*4;
423 * Sigh. The 2.0.36 kernel in Debian 2.1, at
424 * least, doesn't correctly implement name
425 * sections, in core dumps, as specified by
426 * the "Program Linking" section of "UNIX(R) System
427 * V Release 4 Programmer's Guide: ANSI C and
428 * Programming Support Tools", because my copy
429 * clearly says "The first 'namesz' bytes in 'name'
430 * contain a *null-terminated* [emphasis mine]
431 * character representation of the entry's owner
432 * or originator", but the 2.0.36 kernel code
433 * doesn't include the terminating null in the
436 if (os_style == -1) {
437 if ((nh_namesz == 4 &&
438 strncmp(&nbuf[nameoffset],
441 strcmp(&nbuf[nameoffset],
443 os_style = OS_STYLE_SVR4;
445 if ((nh_namesz == 8 &&
446 strcmp(&nbuf[nameoffset],
448 os_style = OS_STYLE_FREEBSD;
450 if ((nh_namesz >= 11 &&
451 strncmp(&nbuf[nameoffset],
452 "NetBSD-CORE", 11) == 0)) {
453 os_style = OS_STYLE_NETBSD;
456 printf(", %s-style", os_style_names[os_style]);
459 if (os_style == OS_STYLE_NETBSD &&
460 nh_type == NT_NETBSD_CORE_PROCINFO) {
464 * Extract the program name. It is at
465 * offset 0x7c, and is up to 32-bytes,
466 * including the terminating NUL.
468 printf(", from '%.31s'", &nbuf[offset + 0x7c]);
471 * Extract the signal number. It is at
474 memcpy(&signo, &nbuf[offset + 0x08],
476 printf(" (signal %u)", getu32(swap, signo));
478 if (os_style != OS_STYLE_NETBSD &&
479 nh_type == NT_PRPSINFO) {
481 * Extract the program name. We assume
482 * it to be 16 characters (that's what it
483 * is in SunOS 5.x and Linux).
485 * Unfortunately, it's at a different offset
486 * in varous OSes, so try multiple offsets.
487 * If the characters aren't all printable,
490 for (i = 0; i < NOFFSETS; i++) {
491 reloffset = prpsoffsets(i);
492 noffset = offset + reloffset;
494 j++, noffset++, reloffset++) {
496 * Make sure we're not past
497 * the end of the buffer; if
498 * we are, just give up.
500 if (noffset >= bufsize)
504 * Make sure we're not past
505 * the end of the contents;
506 * if we are, this obviously
507 * isn't the right offset.
509 if (reloffset >= nh_descsz)
531 #define isquote(c) (strchr("'\"`", (c)) != NULL)
541 printf(", from '%.16s'",
542 &nbuf[offset + prpsoffsets(i)]);
551 offset = ((offset + 3)/4)*4;
558 tryelf(int fd, unsigned char *buf, int nbytes)
562 char c[sizeof (int32_t)];
568 * If we can't seek, it must be a pipe, socket or fifo.
570 if((lseek(fd, (off_t)0, SEEK_SET) == (off_t)-1) && (errno == ESPIPE))
571 fd = pipe2file(fd, buf, nbytes);
574 * ELF executables have multiple section headers in arbitrary
575 * file locations and thus file(1) cannot determine it from easily.
576 * Instead we traverse thru all section headers until a symbol table
577 * one is found or else the binary is stripped.
579 if (buf[EI_MAG0] != ELFMAG0
580 || (buf[EI_MAG1] != ELFMAG1 && buf[EI_MAG1] != OLFMAG1)
581 || buf[EI_MAG2] != ELFMAG2 || buf[EI_MAG3] != ELFMAG3)
587 if (class == ELFCLASS32) {
589 if (nbytes <= sizeof (Elf32_Ehdr))
594 (void) memcpy(&elfhdr, buf, sizeof elfhdr);
595 swap = (u.c[sizeof(int32_t) - 1] + 1) != elfhdr.e_ident[5];
597 if (getu16(swap, elfhdr.e_type) == ET_CORE)
599 dophn_core(class, swap,
601 getu32(swap, elfhdr.e_phoff),
602 getu16(swap, elfhdr.e_phnum),
603 getu16(swap, elfhdr.e_phentsize));
608 if (getu16(swap, elfhdr.e_type) == ET_EXEC) {
609 dophn_exec(class, swap,
611 getu32(swap, elfhdr.e_phoff),
612 getu16(swap, elfhdr.e_phnum),
613 getu16(swap, elfhdr.e_phentsize));
617 getu32(swap, elfhdr.e_shoff),
618 getu16(swap, elfhdr.e_shnum),
619 getu16(swap, elfhdr.e_shentsize));
624 if (class == ELFCLASS64) {
626 if (nbytes <= sizeof (Elf64_Ehdr))
631 (void) memcpy(&elfhdr, buf, sizeof elfhdr);
632 swap = (u.c[sizeof(int32_t) - 1] + 1) != elfhdr.e_ident[5];
634 if (getu16(swap, elfhdr.e_type) == ET_CORE)
636 dophn_core(class, swap,
638 #ifdef USE_ARRAY_FOR_64BIT_TYPES
639 getu32(swap, elfhdr.e_phoff[1]),
641 getu64(swap, elfhdr.e_phoff),
643 getu16(swap, elfhdr.e_phnum),
644 getu16(swap, elfhdr.e_phentsize));
650 if (getu16(swap, elfhdr.e_type) == ET_EXEC) {
651 dophn_exec(class, swap,
653 #ifdef USE_ARRAY_FOR_64BIT_TYPES
654 getu32(swap, elfhdr.e_phoff[1]),
656 getu64(swap, elfhdr.e_phoff),
658 getu16(swap, elfhdr.e_phnum),
659 getu16(swap, elfhdr.e_phentsize));
663 #ifdef USE_ARRAY_FOR_64BIT_TYPES
664 getu32(swap, elfhdr.e_shoff[1]),
666 getu64(swap, elfhdr.e_shoff),
668 getu16(swap, elfhdr.e_shnum),
669 getu16(swap, elfhdr.e_shentsize));