2 * Copyright (c) Christos Zoulas 2003.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice immediately at the beginning of the file, without modification,
10 * this list of conditions, and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR
19 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 FILE_RCSID("@(#)$File: readelf.c,v 1.178 2021/06/30 10:08:48 christos Exp $")
45 private int dophn_core(struct magic_set *, int, int, int, off_t, int, size_t,
46 off_t, int *, uint16_t *);
48 private int dophn_exec(struct magic_set *, int, int, int, off_t, int, size_t,
49 off_t, int, int *, uint16_t *);
50 private int doshn(struct magic_set *, int, int, int, off_t, int, size_t,
51 off_t, int, int, int *, uint16_t *);
52 private size_t donote(struct magic_set *, void *, size_t, size_t, int,
53 int, size_t, int *, uint16_t *, int, off_t, int, off_t);
55 #define ELF_ALIGN(a) ((((a) + align - 1) / align) * align)
57 #define isquote(c) (strchr("'\"`", (c)) != NULL)
59 private uint16_t getu16(int, uint16_t);
60 private uint32_t getu32(int, uint32_t);
61 private uint64_t getu64(int, uint64_t);
64 #define MAX_SHNUM 32768
65 #define SIZE_UNKNOWN CAST(off_t, -1)
68 toomany(struct magic_set *ms, const char *name, uint16_t num)
70 if (ms->flags & MAGIC_MIME)
72 if (file_printf(ms, ", too many %s (%u)", name, num) == -1)
78 getu16(int swap, uint16_t value)
88 retval.c[0] = tmpval.c[1];
89 retval.c[1] = tmpval.c[0];
97 getu32(int swap, uint32_t value)
107 retval.c[0] = tmpval.c[3];
108 retval.c[1] = tmpval.c[2];
109 retval.c[2] = tmpval.c[1];
110 retval.c[3] = tmpval.c[0];
118 getu64(int swap, uint64_t value)
128 retval.c[0] = tmpval.c[7];
129 retval.c[1] = tmpval.c[6];
130 retval.c[2] = tmpval.c[5];
131 retval.c[3] = tmpval.c[4];
132 retval.c[4] = tmpval.c[3];
133 retval.c[5] = tmpval.c[2];
134 retval.c[6] = tmpval.c[1];
135 retval.c[7] = tmpval.c[0];
142 #define elf_getu16(swap, value) getu16(swap, value)
143 #define elf_getu32(swap, value) getu32(swap, value)
144 #define elf_getu64(swap, value) getu64(swap, value)
146 #define xsh_addr (clazz == ELFCLASS32 \
147 ? CAST(void *, &sh32) \
148 : CAST(void *, &sh64))
149 #define xsh_sizeof (clazz == ELFCLASS32 \
152 #define xsh_size CAST(size_t, (clazz == ELFCLASS32 \
153 ? elf_getu32(swap, sh32.sh_size) \
154 : elf_getu64(swap, sh64.sh_size)))
155 #define xsh_offset CAST(off_t, (clazz == ELFCLASS32 \
156 ? elf_getu32(swap, sh32.sh_offset) \
157 : elf_getu64(swap, sh64.sh_offset)))
158 #define xsh_type (clazz == ELFCLASS32 \
159 ? elf_getu32(swap, sh32.sh_type) \
160 : elf_getu32(swap, sh64.sh_type))
161 #define xsh_name (clazz == ELFCLASS32 \
162 ? elf_getu32(swap, sh32.sh_name) \
163 : elf_getu32(swap, sh64.sh_name))
165 #define xph_addr (clazz == ELFCLASS32 \
166 ? CAST(void *, &ph32) \
167 : CAST(void *, &ph64))
168 #define xph_sizeof (clazz == ELFCLASS32 \
171 #define xph_type (clazz == ELFCLASS32 \
172 ? elf_getu32(swap, ph32.p_type) \
173 : elf_getu32(swap, ph64.p_type))
174 #define xph_offset CAST(off_t, (clazz == ELFCLASS32 \
175 ? elf_getu32(swap, ph32.p_offset) \
176 : elf_getu64(swap, ph64.p_offset)))
177 #define xph_align CAST(size_t, (clazz == ELFCLASS32 \
178 ? CAST(off_t, (ph32.p_align ? \
179 elf_getu32(swap, ph32.p_align) : 4))\
180 : CAST(off_t, (ph64.p_align ? \
181 elf_getu64(swap, ph64.p_align) : 4))))
182 #define xph_vaddr CAST(size_t, (clazz == ELFCLASS32 \
183 ? CAST(off_t, (ph32.p_vaddr ? \
184 elf_getu32(swap, ph32.p_vaddr) : 4))\
185 : CAST(off_t, (ph64.p_vaddr ? \
186 elf_getu64(swap, ph64.p_vaddr) : 4))))
187 #define xph_filesz CAST(size_t, (clazz == ELFCLASS32 \
188 ? elf_getu32(swap, ph32.p_filesz) \
189 : elf_getu64(swap, ph64.p_filesz)))
190 #define xph_memsz CAST(size_t, ((clazz == ELFCLASS32 \
191 ? elf_getu32(swap, ph32.p_memsz) \
192 : elf_getu64(swap, ph64.p_memsz))))
193 #define xnh_addr (clazz == ELFCLASS32 \
194 ? CAST(void *, &nh32) \
195 : CAST(void *, &nh64))
196 #define xnh_sizeof (clazz == ELFCLASS32 \
199 #define xnh_type (clazz == ELFCLASS32 \
200 ? elf_getu32(swap, nh32.n_type) \
201 : elf_getu32(swap, nh64.n_type))
202 #define xnh_namesz (clazz == ELFCLASS32 \
203 ? elf_getu32(swap, nh32.n_namesz) \
204 : elf_getu32(swap, nh64.n_namesz))
205 #define xnh_descsz (clazz == ELFCLASS32 \
206 ? elf_getu32(swap, nh32.n_descsz) \
207 : elf_getu32(swap, nh64.n_descsz))
209 #define xdh_addr (clazz == ELFCLASS32 \
210 ? CAST(void *, &dh32) \
211 : CAST(void *, &dh64))
212 #define xdh_sizeof (clazz == ELFCLASS32 \
215 #define xdh_tag (clazz == ELFCLASS32 \
216 ? elf_getu32(swap, dh32.d_tag) \
217 : elf_getu64(swap, dh64.d_tag))
218 #define xdh_val (clazz == ELFCLASS32 \
219 ? elf_getu32(swap, dh32.d_un.d_val) \
220 : elf_getu64(swap, dh64.d_un.d_val))
222 #define xcap_addr (clazz == ELFCLASS32 \
223 ? CAST(void *, &cap32) \
224 : CAST(void *, &cap64))
225 #define xcap_sizeof (clazz == ELFCLASS32 \
228 #define xcap_tag (clazz == ELFCLASS32 \
229 ? elf_getu32(swap, cap32.c_tag) \
230 : elf_getu64(swap, cap64.c_tag))
231 #define xcap_val (clazz == ELFCLASS32 \
232 ? elf_getu32(swap, cap32.c_un.c_val) \
233 : elf_getu64(swap, cap64.c_un.c_val))
235 #define xauxv_addr (clazz == ELFCLASS32 \
236 ? CAST(void *, &auxv32) \
237 : CAST(void *, &auxv64))
238 #define xauxv_sizeof (clazz == ELFCLASS32 \
241 #define xauxv_type (clazz == ELFCLASS32 \
242 ? elf_getu32(swap, auxv32.a_type) \
243 : elf_getu64(swap, auxv64.a_type))
244 #define xauxv_val (clazz == ELFCLASS32 \
245 ? elf_getu32(swap, auxv32.a_v) \
246 : elf_getu64(swap, auxv64.a_v))
248 #define prpsoffsets(i) (clazz == ELFCLASS32 \
254 * Try larger offsets first to avoid false matches
255 * from earlier data that happen to look like strings.
257 static const size_t prpsoffsets32[] = {
259 104, /* SunOS 5.x (command line) */
260 88, /* SunOS 5.x (short name) */
261 #endif /* USE_NT_PSINFO */
263 100, /* SunOS 5.x (command line) */
264 84, /* SunOS 5.x (short name) */
266 44, /* Linux (command line) */
267 28, /* Linux (short name) */
269 48, /* Linux PowerPC (command line) */
270 32, /* Linux PowerPC (short name) */
275 static const size_t prpsoffsets64[] = {
277 152, /* SunOS 5.x (command line) */
278 136, /* SunOS 5.x (short name) */
279 #endif /* USE_NT_PSINFO */
281 136, /* SunOS 5.x, 64-bit (command line) */
282 120, /* SunOS 5.x, 64-bit (short name) */
284 56, /* Linux (command line) */
285 40, /* Linux (tested on core from 2.4.x, short name) */
287 16, /* FreeBSD, 64-bit */
290 #define NOFFSETS32 __arraycount(prpsoffsets32)
291 #define NOFFSETS64 __arraycount(prpsoffsets64)
293 #define NOFFSETS (clazz == ELFCLASS32 ? NOFFSETS32 : NOFFSETS64)
296 * Look through the program headers of an executable image, searching
297 * for a PT_NOTE section of type NT_PRPSINFO, with a name "CORE" or
298 * "FreeBSD"; if one is found, try looking in various places in its
299 * contents for a 16-character string containing only printable
300 * characters - if found, that string should be the name of the program
301 * that dropped core. Note: right after that 16-character string is,
302 * at least in SunOS 5.x (and possibly other SVR4-flavored systems) and
303 * Linux, a longer string (80 characters, in 5.x, probably other
304 * SVR4-flavored systems, and Linux) containing the start of the
305 * command line for that program.
307 * SunOS 5.x core files contain two PT_NOTE sections, with the types
308 * NT_PRPSINFO (old) and NT_PSINFO (new). These structs contain the
309 * same info about the command name and command line, so it probably
310 * isn't worthwhile to look for NT_PSINFO, but the offsets are provided
311 * above (see USE_NT_PSINFO), in case we ever decide to do so. The
312 * NT_PRPSINFO and NT_PSINFO sections are always in order and adjacent;
313 * the SunOS 5.x file command relies on this (and prefers the latter).
315 * The signal number probably appears in a section of type NT_PRSTATUS,
316 * but that's also rather OS-dependent, in ways that are harder to
317 * dissect with heuristics, so I'm not bothering with the signal number.
318 * (I suppose the signal number could be of interest in situations where
319 * you don't have the binary of the program that dropped core; if you
320 * *do* have that binary, the debugger will probably tell you what
324 #define OS_STYLE_SVR4 0
325 #define OS_STYLE_FREEBSD 1
326 #define OS_STYLE_NETBSD 2
328 private const char os_style_names[][8] = {
334 #define FLAGS_CORE_STYLE 0x0003
336 #define FLAGS_DID_CORE 0x0004
337 #define FLAGS_DID_OS_NOTE 0x0008
338 #define FLAGS_DID_BUILD_ID 0x0010
339 #define FLAGS_DID_CORE_STYLE 0x0020
340 #define FLAGS_DID_NETBSD_PAX 0x0040
341 #define FLAGS_DID_NETBSD_MARCH 0x0080
342 #define FLAGS_DID_NETBSD_CMODEL 0x0100
343 #define FLAGS_DID_NETBSD_EMULATION 0x0200
344 #define FLAGS_DID_NETBSD_UNKNOWN 0x0400
345 #define FLAGS_IS_CORE 0x0800
346 #define FLAGS_DID_AUXV 0x1000
349 dophn_core(struct magic_set *ms, int clazz, int swap, int fd, off_t off,
350 int num, size_t size, off_t fsize, int *flags, uint16_t *notecount)
355 unsigned char nbuf[BUFSIZ];
357 off_t ph_off = off, offs;
360 if (ms->flags & MAGIC_MIME)
364 if (file_printf(ms, ", no program header") == -1)
368 if (size != xph_sizeof) {
369 if (file_printf(ms, ", corrupted program header size") == -1)
375 * Loop through all the program headers.
377 for ( ; num; num--) {
378 if (pread(fd, xph_addr, xph_sizeof, off) <
379 CAST(ssize_t, xph_sizeof)) {
381 ", can't read elf program headers at %jd",
382 (intmax_t)off) == -1)
388 if (fsize != SIZE_UNKNOWN && xph_offset > fsize) {
389 /* Perhaps warn here */
393 if (xph_type != PT_NOTE)
397 * This is a PT_NOTE section; loop through all the notes
400 len = xph_filesz < sizeof(nbuf) ? xph_filesz : sizeof(nbuf);
402 if ((bufsize = pread(fd, nbuf, len, offs)) == -1) {
403 if (file_printf(ms, " can't read note section at %jd",
404 (intmax_t)offs) == -1)
410 if (offset >= CAST(size_t, bufsize))
412 offset = donote(ms, nbuf, offset, CAST(size_t, bufsize),
413 clazz, swap, 4, flags, notecount, fd, ph_off,
425 do_note_netbsd_version(struct magic_set *ms, int swap, void *v)
428 memcpy(&desc, v, sizeof(desc));
429 desc = elf_getu32(swap, desc);
431 if (file_printf(ms, ", for NetBSD") == -1)
434 * The version number used to be stuck as 199905, and was thus
435 * basically content-free. Newer versions of NetBSD have fixed
436 * this and now use the encoding of __NetBSD_Version__:
442 * r = release ["",A-Z,Z[A-Z] but numeric]
445 if (desc > 100000000U) {
446 uint32_t ver_patch = (desc / 100) % 100;
447 uint32_t ver_rel = (desc / 10000) % 100;
448 uint32_t ver_min = (desc / 1000000) % 100;
449 uint32_t ver_maj = desc / 100000000;
451 if (file_printf(ms, " %u.%u", ver_maj, ver_min) == -1)
453 if (ver_rel == 0 && ver_patch != 0) {
454 if (file_printf(ms, ".%u", ver_patch) == -1)
456 } else if (ver_rel != 0) {
457 while (ver_rel > 26) {
458 if (file_printf(ms, "Z") == -1)
462 if (file_printf(ms, "%c", 'A' + ver_rel - 1)
471 do_note_freebsd_version(struct magic_set *ms, int swap, void *v)
475 memcpy(&desc, v, sizeof(desc));
476 desc = elf_getu32(swap, desc);
477 if (file_printf(ms, ", for FreeBSD") == -1)
481 * Contents is __FreeBSD_version, whose relation to OS
482 * versions is defined by a huge table in the Porter's
483 * Handbook. This is the general scheme:
486 * Mmp000 (before 4.10)
487 * Mmi0p0 (before 5.0)
490 * Development branches:
491 * Mmpxxx (before 4.6)
492 * Mmp1xx (before 4.10)
493 * Mmi1xx (before 5.0)
499 * i = minor version increment (491000 -> 4.10)
503 * The first release of FreeBSD to use ELF by default
506 if (desc == 460002) {
507 if (file_printf(ms, " 4.6.2") == -1)
509 } else if (desc < 460100) {
510 if (file_printf(ms, " %d.%d", desc / 100000,
511 desc / 10000 % 10) == -1)
513 if (desc / 1000 % 10 > 0)
514 if (file_printf(ms, ".%d", desc / 1000 % 10) == -1)
516 if ((desc % 1000 > 0) || (desc % 100000 == 0))
517 if (file_printf(ms, " (%d)", desc) == -1)
519 } else if (desc < 500000) {
520 if (file_printf(ms, " %d.%d", desc / 100000,
521 desc / 10000 % 10 + desc / 1000 % 10) == -1)
523 if (desc / 100 % 10 > 0) {
524 if (file_printf(ms, " (%d)", desc) == -1)
526 } else if (desc / 10 % 10 > 0) {
527 if (file_printf(ms, ".%d", desc / 10 % 10) == -1)
531 if (file_printf(ms, " %d.%d", desc / 100000,
532 desc / 1000 % 100) == -1)
534 if ((desc / 100 % 10 > 0) ||
535 (desc % 100000 / 100 == 0)) {
536 if (file_printf(ms, " (%d)", desc) == -1)
538 } else if (desc / 10 % 10 > 0) {
539 if (file_printf(ms, ".%d", desc / 10 % 10) == -1)
548 do_bid_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type,
549 int swap __attribute__((__unused__)), uint32_t namesz, uint32_t descsz,
550 size_t noff, size_t doff, int *flags)
552 if (namesz == 4 && strcmp(RCAST(char *, &nbuf[noff]), "GNU") == 0 &&
553 type == NT_GNU_BUILD_ID && (descsz >= 4 && descsz <= 20)) {
557 *flags |= FLAGS_DID_BUILD_ID;
572 if (file_printf(ms, ", BuildID[%s]=", btype) == -1)
574 memcpy(desc, &nbuf[doff], descsz);
575 for (i = 0; i < descsz; i++)
576 if (file_printf(ms, "%02x", desc[i]) == -1)
580 if (namesz == 4 && strcmp(RCAST(char *, &nbuf[noff]), "Go") == 0 &&
581 type == NT_GO_BUILD_ID && descsz < 128) {
583 if (file_printf(ms, ", Go BuildID=%s",
584 file_copystr(buf, sizeof(buf), descsz,
585 RCAST(const char *, &nbuf[doff]))) == -1)
593 do_os_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type,
594 int swap, uint32_t namesz, uint32_t descsz,
595 size_t noff, size_t doff, int *flags)
597 const char *name = RCAST(const char *, &nbuf[noff]);
599 if (namesz == 5 && strcmp(name, "SuSE") == 0 &&
600 type == NT_GNU_VERSION && descsz == 2) {
601 *flags |= FLAGS_DID_OS_NOTE;
602 if (file_printf(ms, ", for SuSE %d.%d", nbuf[doff],
603 nbuf[doff + 1]) == -1)
608 if (namesz == 4 && strcmp(name, "GNU") == 0 &&
609 type == NT_GNU_VERSION && descsz == 16) {
611 memcpy(desc, &nbuf[doff], sizeof(desc));
613 *flags |= FLAGS_DID_OS_NOTE;
614 if (file_printf(ms, ", for GNU/") == -1)
616 switch (elf_getu32(swap, desc[0])) {
618 if (file_printf(ms, "Linux") == -1)
622 if (file_printf(ms, "Hurd") == -1)
626 if (file_printf(ms, "Solaris") == -1)
629 case GNU_OS_KFREEBSD:
630 if (file_printf(ms, "kFreeBSD") == -1)
634 if (file_printf(ms, "kNetBSD") == -1)
638 if (file_printf(ms, "<unknown>") == -1)
641 if (file_printf(ms, " %d.%d.%d", elf_getu32(swap, desc[1]),
642 elf_getu32(swap, desc[2]), elf_getu32(swap, desc[3])) == -1)
647 if (namesz == 7 && strcmp(name, "NetBSD") == 0) {
648 if (type == NT_NETBSD_VERSION && descsz == 4) {
649 *flags |= FLAGS_DID_OS_NOTE;
650 if (do_note_netbsd_version(ms, swap, &nbuf[doff]) == -1)
656 if (namesz == 8 && strcmp(name, "FreeBSD") == 0) {
657 if (type == NT_FREEBSD_VERSION && descsz == 4) {
658 *flags |= FLAGS_DID_OS_NOTE;
659 if (do_note_freebsd_version(ms, swap, &nbuf[doff])
666 if (namesz == 8 && strcmp(name, "OpenBSD") == 0 &&
667 type == NT_OPENBSD_VERSION && descsz == 4) {
668 *flags |= FLAGS_DID_OS_NOTE;
669 if (file_printf(ms, ", for OpenBSD") == -1)
671 /* Content of note is always 0 */
675 if (namesz == 10 && strcmp(name, "DragonFly") == 0 &&
676 type == NT_DRAGONFLY_VERSION && descsz == 4) {
678 *flags |= FLAGS_DID_OS_NOTE;
679 if (file_printf(ms, ", for DragonFly") == -1)
681 memcpy(&desc, &nbuf[doff], sizeof(desc));
682 desc = elf_getu32(swap, desc);
683 if (file_printf(ms, " %d.%d.%d", desc / 100000,
684 desc / 10000 % 10, desc % 10000) == -1)
692 do_pax_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type,
693 int swap, uint32_t namesz, uint32_t descsz,
694 size_t noff, size_t doff, int *flags)
696 const char *name = RCAST(const char *, &nbuf[noff]);
698 if (namesz == 4 && strcmp(name, "PaX") == 0 &&
699 type == NT_NETBSD_PAX && descsz == 4) {
700 static const char *pax[] = {
712 *flags |= FLAGS_DID_NETBSD_PAX;
713 memcpy(&desc, &nbuf[doff], sizeof(desc));
714 desc = elf_getu32(swap, desc);
716 if (desc && file_printf(ms, ", PaX: ") == -1)
719 for (i = 0; i < __arraycount(pax); i++) {
720 if (((1 << CAST(int, i)) & desc) == 0)
722 if (file_printf(ms, "%s%s", did++ ? "," : "",
732 do_core_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type,
733 int swap, uint32_t namesz, uint32_t descsz,
734 size_t noff, size_t doff, int *flags, size_t size, int clazz)
738 const char *name = RCAST(const char *, &nbuf[noff]);
742 * Sigh. The 2.0.36 kernel in Debian 2.1, at
743 * least, doesn't correctly implement name
744 * sections, in core dumps, as specified by
745 * the "Program Linking" section of "UNIX(R) System
746 * V Release 4 Programmer's Guide: ANSI C and
747 * Programming Support Tools", because my copy
748 * clearly says "The first 'namesz' bytes in 'name'
749 * contain a *null-terminated* [emphasis mine]
750 * character representation of the entry's owner
751 * or originator", but the 2.0.36 kernel code
752 * doesn't include the terminating null in the
755 if ((namesz == 4 && strncmp(name, "CORE", 4) == 0) ||
756 (namesz == 5 && strcmp(name, "CORE") == 0)) {
757 os_style = OS_STYLE_SVR4;
760 if ((namesz == 8 && strcmp(name, "FreeBSD") == 0)) {
761 os_style = OS_STYLE_FREEBSD;
764 if ((namesz >= 11 && strncmp(name, "NetBSD-CORE", 11)
766 os_style = OS_STYLE_NETBSD;
769 if (os_style != -1 && (*flags & FLAGS_DID_CORE_STYLE) == 0) {
770 if (file_printf(ms, ", %s-style", os_style_names[os_style])
773 *flags |= FLAGS_DID_CORE_STYLE;
778 case OS_STYLE_NETBSD:
779 if (type == NT_NETBSD_CORE_PROCINFO) {
781 struct NetBSD_elfcore_procinfo pi;
782 memset(&pi, 0, sizeof(pi));
783 memcpy(&pi, nbuf + doff, MIN(descsz, sizeof(pi)));
785 if (file_printf(ms, ", from '%.31s', pid=%u, uid=%u, "
786 "gid=%u, nlwps=%u, lwp=%u (signal %u/code %u)",
787 file_printable(ms, sbuf, sizeof(sbuf),
788 RCAST(char *, pi.cpi_name), sizeof(pi.cpi_name)),
789 elf_getu32(swap, CAST(uint32_t, pi.cpi_pid)),
790 elf_getu32(swap, pi.cpi_euid),
791 elf_getu32(swap, pi.cpi_egid),
792 elf_getu32(swap, pi.cpi_nlwps),
793 elf_getu32(swap, CAST(uint32_t, pi.cpi_siglwp)),
794 elf_getu32(swap, pi.cpi_signo),
795 elf_getu32(swap, pi.cpi_sigcode)) == -1)
798 *flags |= FLAGS_DID_CORE;
803 case OS_STYLE_FREEBSD:
804 if (type == NT_PRPSINFO && *flags & FLAGS_IS_CORE) {
805 size_t argoff, pidoff;
807 if (clazz == ELFCLASS32)
810 argoff = 4 + 4 + 8 + 17;
811 if (file_printf(ms, ", from '%.80s'", nbuf + doff +
814 pidoff = argoff + 81 + 2;
815 if (doff + pidoff + 4 <= size) {
816 if (file_printf(ms, ", pid=%u",
817 elf_getu32(swap, *RCAST(uint32_t *, (nbuf +
818 doff + pidoff)))) == -1)
821 *flags |= FLAGS_DID_CORE;
826 if (type == NT_PRPSINFO && *flags & FLAGS_IS_CORE) {
830 * Extract the program name. We assume
831 * it to be 16 characters (that's what it
832 * is in SunOS 5.x and Linux).
834 * Unfortunately, it's at a different offset
835 * in various OSes, so try multiple offsets.
836 * If the characters aren't all printable,
839 for (i = 0; i < NOFFSETS; i++) {
840 unsigned char *cname, *cp;
841 size_t reloffset = prpsoffsets(i);
842 size_t noffset = doff + reloffset;
844 for (j = 0; j < 16; j++, noffset++,
847 * Make sure we're not past
848 * the end of the buffer; if
849 * we are, just give up.
855 * Make sure we're not past
856 * the end of the contents;
857 * if we are, this obviously
858 * isn't the right offset.
860 if (reloffset >= descsz)
882 if (!isprint(c) || isquote(c))
891 * Try next offsets, in case this match is
892 * in the middle of a string.
894 for (k = i + 1 ; k < NOFFSETS; k++) {
897 if (prpsoffsets(k) >= prpsoffsets(i))
899 for (no = doff + prpsoffsets(k);
900 no < doff + prpsoffsets(i); no++)
902 && isprint(nbuf[no]);
907 cname = CAST(unsigned char *,
908 &nbuf[doff + prpsoffsets(i)]);
909 for (cp = cname; cp < nbuf + size && *cp
910 && isprint(*cp); cp++)
913 * Linux apparently appends a space at the end
914 * of the command line: remove it.
916 while (cp > cname && isspace(cp[-1]))
918 if (file_printf(ms, ", from '%s'",
919 file_copystr(buf, sizeof(buf),
920 CAST(size_t, cp - cname),
921 RCAST(char *, cname))) == -1)
923 *flags |= FLAGS_DID_CORE;
937 get_offset_from_virtaddr(struct magic_set *ms, int swap, int clazz, int fd,
938 off_t off, int num, off_t fsize, uint64_t virtaddr)
944 * Loop through all the program headers and find the header with
945 * virtual address in which the "virtaddr" belongs to.
947 for ( ; num; num--) {
948 if (pread(fd, xph_addr, xph_sizeof, off) <
949 CAST(ssize_t, xph_sizeof)) {
951 ", can't read elf program header at %jd",
952 (intmax_t)off) == -1)
959 if (fsize != SIZE_UNKNOWN && xph_offset > fsize) {
960 /* Perhaps warn here */
964 if (virtaddr >= xph_vaddr && virtaddr < xph_vaddr + xph_filesz)
965 return xph_offset + (virtaddr - xph_vaddr);
971 get_string_on_virtaddr(struct magic_set *ms,
972 int swap, int clazz, int fd, off_t ph_off, int ph_num,
973 off_t fsize, uint64_t virtaddr, char *buf, ssize_t buflen)
981 offset = get_offset_from_virtaddr(ms, swap, clazz, fd, ph_off, ph_num,
984 (buflen = pread(fd, buf, CAST(size_t, buflen), offset)) <= 0) {
985 (void)file_printf(ms, ", can't read elf string at %jd",
990 buf[buflen - 1] = '\0';
992 /* We expect only printable characters, so return if buffer contains
993 * non-printable character before the '\0' or just '\0'. */
994 for (bptr = buf; *bptr && isprint(CAST(unsigned char, *bptr)); bptr++)
1005 do_auxv_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type,
1006 int swap, uint32_t namesz __attribute__((__unused__)),
1007 uint32_t descsz __attribute__((__unused__)),
1008 size_t noff __attribute__((__unused__)), size_t doff,
1009 int *flags, size_t size __attribute__((__unused__)), int clazz,
1010 int fd, off_t ph_off, int ph_num, off_t fsize)
1015 size_t elsize = xauxv_sizeof;
1020 if ((*flags & (FLAGS_IS_CORE|FLAGS_DID_CORE_STYLE)) !=
1021 (FLAGS_IS_CORE|FLAGS_DID_CORE_STYLE))
1024 switch (*flags & FLAGS_CORE_STYLE) {
1026 if (type != NT_AUXV)
1030 case OS_STYLE_NETBSD:
1031 if (type != NT_NETBSD_CORE_AUXV)
1034 case OS_STYLE_FREEBSD:
1035 if (type != NT_FREEBSD_PROCSTAT_AUXV)
1043 *flags |= FLAGS_DID_AUXV;
1046 for (size_t off = 0; off + elsize <= descsz; off += elsize) {
1047 memcpy(xauxv_addr, &nbuf[doff + off], xauxv_sizeof);
1048 /* Limit processing to 50 vector entries to prevent DoS */
1050 file_error(ms, 0, "Too many ELF Auxv elements");
1054 switch(xauxv_type) {
1055 case AT_LINUX_EXECFN:
1059 case AT_LINUX_PLATFORM:
1073 tag = "effective uid";
1077 tag = "effective gid";
1091 buflen = get_string_on_virtaddr(ms, swap, clazz, fd,
1092 ph_off, ph_num, fsize, xauxv_val, buf, sizeof(buf));
1097 if (file_printf(ms, ", %s: '%s'", tag, buf) == -1)
1100 if (file_printf(ms, ", %s: %d", tag,
1101 CAST(int, xauxv_val)) == -1)
1112 dodynamic(struct magic_set *ms, void *vbuf, size_t offset, size_t size,
1113 int clazz, int swap, int *pie, size_t *need)
1117 unsigned char *dbuf = CAST(unsigned char *, vbuf);
1119 if (xdh_sizeof + offset > size) {
1121 * We're out of note headers.
1123 return xdh_sizeof + offset;
1126 memcpy(xdh_addr, &dbuf[offset], xdh_sizeof);
1127 offset += xdh_sizeof;
1132 if (xdh_val & DF_1_PIE)
1148 donote(struct magic_set *ms, void *vbuf, size_t offset, size_t size,
1149 int clazz, int swap, size_t align, int *flags, uint16_t *notecount,
1150 int fd, off_t ph_off, int ph_num, off_t fsize)
1155 uint32_t namesz, descsz;
1157 unsigned char *nbuf = CAST(unsigned char *, vbuf);
1159 if (*notecount == 0)
1163 if (xnh_sizeof + offset > size) {
1165 * We're out of note headers.
1167 return xnh_sizeof + offset;
1170 memset(&nh32, 0, sizeof(nh32));
1171 memset(&nh64, 0, sizeof(nh64));
1173 memcpy(xnh_addr, &nbuf[offset], xnh_sizeof);
1174 offset += xnh_sizeof;
1176 namesz = xnh_namesz;
1177 descsz = xnh_descsz;
1179 if ((namesz == 0) && (descsz == 0)) {
1181 * We're out of note headers.
1183 return (offset >= size) ? offset : size;
1186 if (namesz & 0x80000000) {
1187 (void)file_printf(ms, ", bad note name size %#lx",
1188 CAST(unsigned long, namesz));
1192 if (descsz & 0x80000000) {
1193 (void)file_printf(ms, ", bad note description size %#lx",
1194 CAST(unsigned long, descsz));
1199 doff = ELF_ALIGN(offset + namesz);
1201 if (offset + namesz > size) {
1203 * We're past the end of the buffer.
1208 offset = ELF_ALIGN(doff + descsz);
1209 if (doff + descsz > size) {
1211 * We're past the end of the buffer.
1213 return (offset >= size) ? offset : size;
1217 if ((*flags & FLAGS_DID_OS_NOTE) == 0) {
1218 if (do_os_note(ms, nbuf, xnh_type, swap,
1219 namesz, descsz, noff, doff, flags))
1223 if ((*flags & FLAGS_DID_BUILD_ID) == 0) {
1224 if (do_bid_note(ms, nbuf, xnh_type, swap,
1225 namesz, descsz, noff, doff, flags))
1229 if ((*flags & FLAGS_DID_NETBSD_PAX) == 0) {
1230 if (do_pax_note(ms, nbuf, xnh_type, swap,
1231 namesz, descsz, noff, doff, flags))
1235 if ((*flags & FLAGS_DID_CORE) == 0) {
1236 if (do_core_note(ms, nbuf, xnh_type, swap,
1237 namesz, descsz, noff, doff, flags, size, clazz))
1241 if ((*flags & FLAGS_DID_AUXV) == 0) {
1242 if (do_auxv_note(ms, nbuf, xnh_type, swap,
1243 namesz, descsz, noff, doff, flags, size, clazz,
1244 fd, ph_off, ph_num, fsize))
1248 if (namesz == 7 && strcmp(RCAST(char *, &nbuf[noff]), "NetBSD") == 0) {
1250 const char *str, *tag;
1254 case NT_NETBSD_VERSION:
1256 case NT_NETBSD_MARCH:
1257 flag = FLAGS_DID_NETBSD_MARCH;
1258 tag = "compiled for";
1260 case NT_NETBSD_CMODEL:
1261 flag = FLAGS_DID_NETBSD_CMODEL;
1262 tag = "compiler model";
1264 case NT_NETBSD_EMULATION:
1265 flag = FLAGS_DID_NETBSD_EMULATION;
1269 if (*flags & FLAGS_DID_NETBSD_UNKNOWN)
1271 *flags |= FLAGS_DID_NETBSD_UNKNOWN;
1272 if (file_printf(ms, ", note=%u", xnh_type) == -1)
1279 str = RCAST(const char *, &nbuf[doff]);
1280 descw = CAST(int, descsz);
1282 file_printf(ms, ", %s: %s", tag,
1283 file_copystr(buf, sizeof(buf), descw, str));
1290 /* SunOS 5.x hardware capability descriptions */
1291 typedef struct cap_desc {
1293 const char *cd_name;
1296 static const cap_desc_t cap_desc_sparc[] = {
1297 { AV_SPARC_MUL32, "MUL32" },
1298 { AV_SPARC_DIV32, "DIV32" },
1299 { AV_SPARC_FSMULD, "FSMULD" },
1300 { AV_SPARC_V8PLUS, "V8PLUS" },
1301 { AV_SPARC_POPC, "POPC" },
1302 { AV_SPARC_VIS, "VIS" },
1303 { AV_SPARC_VIS2, "VIS2" },
1304 { AV_SPARC_ASI_BLK_INIT, "ASI_BLK_INIT" },
1305 { AV_SPARC_FMAF, "FMAF" },
1306 { AV_SPARC_FJFMAU, "FJFMAU" },
1307 { AV_SPARC_IMA, "IMA" },
1311 static const cap_desc_t cap_desc_386[] = {
1312 { AV_386_FPU, "FPU" },
1313 { AV_386_TSC, "TSC" },
1314 { AV_386_CX8, "CX8" },
1315 { AV_386_SEP, "SEP" },
1316 { AV_386_AMD_SYSC, "AMD_SYSC" },
1317 { AV_386_CMOV, "CMOV" },
1318 { AV_386_MMX, "MMX" },
1319 { AV_386_AMD_MMX, "AMD_MMX" },
1320 { AV_386_AMD_3DNow, "AMD_3DNow" },
1321 { AV_386_AMD_3DNowx, "AMD_3DNowx" },
1322 { AV_386_FXSR, "FXSR" },
1323 { AV_386_SSE, "SSE" },
1324 { AV_386_SSE2, "SSE2" },
1325 { AV_386_PAUSE, "PAUSE" },
1326 { AV_386_SSE3, "SSE3" },
1327 { AV_386_MON, "MON" },
1328 { AV_386_CX16, "CX16" },
1329 { AV_386_AHF, "AHF" },
1330 { AV_386_TSCP, "TSCP" },
1331 { AV_386_AMD_SSE4A, "AMD_SSE4A" },
1332 { AV_386_POPCNT, "POPCNT" },
1333 { AV_386_AMD_LZCNT, "AMD_LZCNT" },
1334 { AV_386_SSSE3, "SSSE3" },
1335 { AV_386_SSE4_1, "SSE4.1" },
1336 { AV_386_SSE4_2, "SSE4.2" },
1341 doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num,
1342 size_t size, off_t fsize, int mach, int strtab, int *flags,
1343 uint16_t *notecount)
1347 int stripped = 1, has_debug_info = 0;
1350 off_t noff, coff, name_off, offs;
1351 uint64_t cap_hw1 = 0; /* SunOS 5.x hardware capabilities */
1352 uint64_t cap_sf1 = 0; /* SunOS 5.x software capabilities */
1356 if (ms->flags & MAGIC_MIME)
1360 if (file_printf(ms, ", no section header") == -1)
1364 if (size != xsh_sizeof) {
1365 if (file_printf(ms, ", corrupted section header size") == -1)
1370 /* Read offset of name section to be able to read section names later */
1371 offs = CAST(off_t, (off + size * strtab));
1372 if (pread(fd, xsh_addr, xsh_sizeof, offs) < CAST(ssize_t, xsh_sizeof)) {
1373 if (file_printf(ms, ", missing section headers at %jd",
1374 (intmax_t)offs) == -1)
1378 name_off = xsh_offset;
1380 if (fsize != SIZE_UNKNOWN && fsize < name_off) {
1381 if (file_printf(ms, ", too large section header offset %jd",
1382 (intmax_t)name_off) == -1)
1387 for ( ; num; num--) {
1388 /* Read the name of this section. */
1389 offs = name_off + xsh_name;
1390 if ((namesize = pread(fd, name, sizeof(name) - 1, offs))
1393 ", can't read name of elf section at %jd",
1394 (intmax_t)offs) == -1)
1398 name[namesize] = '\0';
1399 if (strcmp(name, ".debug_info") == 0) {
1404 if (pread(fd, xsh_addr, xsh_sizeof, off) <
1405 CAST(ssize_t, xsh_sizeof)) {
1406 if (file_printf(ms, ", can't read elf section at %jd",
1407 (intmax_t)off) == -1)
1413 /* Things we can determine before we seek */
1422 if (fsize != SIZE_UNKNOWN && xsh_offset > fsize) {
1423 /* Perhaps warn here */
1430 /* Things we can determine when we seek */
1433 if (CAST(uintmax_t, (xsh_size + xsh_offset)) >
1434 CAST(uintmax_t, fsize)) {
1436 ", note offset/size %#" INTMAX_T_FORMAT
1437 "x+%#" INTMAX_T_FORMAT "x exceeds"
1438 " file size %#" INTMAX_T_FORMAT "x",
1439 CAST(uintmax_t, xsh_offset),
1440 CAST(uintmax_t, xsh_size),
1441 CAST(uintmax_t, fsize)) == -1)
1445 if ((nbuf = malloc(xsh_size)) == NULL) {
1446 file_error(ms, errno, "Cannot allocate memory"
1451 if (pread(fd, nbuf, xsh_size, offs) <
1452 CAST(ssize_t, xsh_size)) {
1455 ", can't read elf note at %jd",
1456 (intmax_t)offs) == -1)
1463 if (noff >= CAST(off_t, xsh_size))
1465 noff = donote(ms, nbuf, CAST(size_t, noff),
1466 xsh_size, clazz, swap, 4, flags, notecount,
1487 if (lseek(fd, xsh_offset, SEEK_SET)
1488 == CAST(off_t, -1)) {
1496 char cbuf[/*CONSTCOND*/
1497 MAX(sizeof(cap32), sizeof(cap64))];
1498 if ((coff += xcap_sizeof) >
1499 CAST(off_t, xsh_size))
1501 if (read(fd, cbuf, CAST(size_t, xcap_sizeof)) !=
1502 CAST(ssize_t, xcap_sizeof)) {
1506 if (cbuf[0] == 'A') {
1510 memcpy(&len, p, sizeof(len));
1512 len = getu32(swap, len);
1513 if (memcmp("gnu", p, 3) != 0) {
1515 ", unknown capability %.3s", p)
1522 memcpy(&len, p, sizeof(len));
1524 len = getu32(swap, len);
1526 if (file_printf(ms, ", unknown gnu"
1527 " capability tag %d", tag)
1536 memcpy(xcap_addr, cbuf, xcap_sizeof);
1541 cap_hw1 |= xcap_val;
1544 cap_sf1 |= xcap_val;
1548 ", with unknown capability "
1549 "%#" INT64_T_FORMAT "x = %#"
1551 CAST(unsigned long long, xcap_tag),
1552 CAST(unsigned long long, xcap_val))
1567 if (has_debug_info) {
1568 if (file_printf(ms, ", with debug_info") == -1)
1571 if (file_printf(ms, ", %sstripped", stripped ? "" : "not ") == -1)
1574 const cap_desc_t *cdp;
1577 case EM_SPARC32PLUS:
1579 cdp = cap_desc_sparc;
1590 if (file_printf(ms, ", uses") == -1)
1593 while (cdp->cd_name) {
1594 if (cap_hw1 & cdp->cd_mask) {
1596 " %s", cdp->cd_name) == -1)
1598 cap_hw1 &= ~cdp->cd_mask;
1604 " unknown hardware capability %#"
1606 CAST(unsigned long long, cap_hw1)) == -1)
1610 " hardware capability %#" INT64_T_FORMAT "x",
1611 CAST(unsigned long long, cap_hw1)) == -1)
1616 if (cap_sf1 & SF1_SUNW_FPUSED) {
1618 (cap_sf1 & SF1_SUNW_FPKNWN)
1619 ? ", uses frame pointer"
1620 : ", not known to use frame pointer") == -1)
1623 cap_sf1 &= ~SF1_SUNW_MASK;
1626 ", with unknown software capability %#"
1628 CAST(unsigned long long, cap_sf1)) == -1)
1635 * Look through the program headers of an executable image, to determine
1636 * if it is statically or dynamically linked. If it has a dynamic section,
1637 * it is pie, and does not have an interpreter or needed libraries, we
1638 * call it static pie.
1641 dophn_exec(struct magic_set *ms, int clazz, int swap, int fd, off_t off,
1642 int num, size_t size, off_t fsize, int sh_num, int *flags,
1643 uint16_t *notecount)
1647 const char *linking_style;
1648 unsigned char nbuf[BUFSIZ];
1650 char interp[BUFSIZ];
1652 size_t offset, align, len, need = 0;
1653 int pie = 0, dynamic = 0;
1656 if (file_printf(ms, ", no program header") == -1)
1660 if (size != xph_sizeof) {
1661 if (file_printf(ms, ", corrupted program header size") == -1)
1667 for ( ; num; num--) {
1669 if (pread(fd, xph_addr, xph_sizeof, off) <
1670 CAST(ssize_t, xph_sizeof)) {
1672 ", can't read elf program headers at %jd",
1673 (intmax_t)off) == -1)
1682 /* Things we can determine before we seek */
1688 if (sh_num) /* Did this through section headers */
1690 if (((align = xph_align) & 0x80000000UL) != 0 ||
1693 ", invalid note alignment %#lx",
1694 CAST(unsigned long, align)) == -1)
1704 if (fsize != SIZE_UNKNOWN && xph_offset > fsize) {
1705 /* Maybe warn here? */
1712 len = xph_filesz < sizeof(nbuf) ? xph_filesz
1714 off_t offs = xph_offset;
1715 bufsize = pread(fd, nbuf, len, offs);
1716 if (bufsize == -1) {
1718 ", can't read section at %jd",
1719 (intmax_t)offs) == -1)
1726 /* Things we can determine when we seek */
1731 // Let DF_1 determine if we are PIE or not.
1734 if (offset >= CAST(size_t, bufsize))
1736 offset = dodynamic(ms, nbuf, offset,
1737 CAST(size_t, bufsize), clazz, swap,
1742 if (ms->flags & MAGIC_MIME)
1748 if (ms->flags & MAGIC_MIME)
1750 if (bufsize && nbuf[0]) {
1751 nbuf[bufsize - 1] = '\0';
1752 memcpy(interp, nbuf, CAST(size_t, bufsize));
1754 strlcpy(interp, "*empty*", sizeof(interp));
1757 if (ms->flags & MAGIC_MIME)
1760 * This is a PT_NOTE section; loop through all the notes
1765 if (offset >= CAST(size_t, bufsize))
1767 offset = donote(ms, nbuf, offset,
1768 CAST(size_t, bufsize), clazz, swap, align,
1769 flags, notecount, fd, 0, 0, 0);
1775 if (ms->flags & MAGIC_MIME)
1780 if (ms->flags & MAGIC_MIME)
1783 if (pie && need == 0)
1784 linking_style = "static-pie";
1786 linking_style = "dynamically";
1788 linking_style = "statically";
1790 if (file_printf(ms, ", %s linked", linking_style) == -1)
1793 if (file_printf(ms, ", interpreter %s", file_printable(ms,
1794 ibuf, sizeof(ibuf), interp, sizeof(interp))) == -1)
1801 file_tryelf(struct magic_set *ms, const struct buffer *b)
1804 const unsigned char *buf = CAST(const unsigned char *, b->fbuf);
1805 size_t nbytes = b->flen;
1808 char c[sizeof(int32_t)];
1813 const struct stat *stp;
1816 Elf32_Ehdr elf32hdr;
1817 Elf64_Ehdr elf64hdr;
1818 uint16_t type, phnum, shnum, notecount;
1820 if (ms->flags & (MAGIC_APPLE|MAGIC_EXTENSION))
1823 * ELF executables have multiple section headers in arbitrary
1824 * file locations and thus file(1) cannot determine it from easily.
1825 * Instead we traverse thru all section headers until a symbol table
1826 * one is found or else the binary is stripped.
1827 * Return immediately if it's not ELF (so we avoid pipe2file unless
1830 if (buf[EI_MAG0] != ELFMAG0
1831 || (buf[EI_MAG1] != ELFMAG1 && buf[EI_MAG1] != OLFMAG1)
1832 || buf[EI_MAG2] != ELFMAG2 || buf[EI_MAG3] != ELFMAG3)
1836 * If we cannot seek, it must be a pipe, socket or fifo.
1838 if((lseek(fd, CAST(off_t, 0), SEEK_SET) == CAST(off_t, -1))
1839 && (errno == ESPIPE))
1840 fd = file_pipe2file(ms, fd, buf, nbytes);
1849 * b->st.st_size != 0 if previous fstat() succeeded,
1850 * which is likely, we can avoid extra stat() call.
1852 if (b->st.st_size == 0) {
1854 if (fstat(fd, &st) == -1) {
1859 if (S_ISREG(stp->st_mode) || stp->st_size != 0)
1860 fsize = stp->st_size;
1862 fsize = SIZE_UNKNOWN;
1864 clazz = buf[EI_CLASS];
1869 #define elf_getu(a, b) elf_getu32(a, b)
1871 #define elfhdr elf32hdr
1872 #include "elfclass.h"
1875 #define elf_getu(a, b) elf_getu64(a, b)
1877 #define elfhdr elf64hdr
1878 #include "elfclass.h"
1880 if (file_printf(ms, ", unknown class %d", clazz) == -1)