Re: [PATCH] elfclassify tool

Fri, 19 Jul 2019 07:22:17 -0700 

On Fri, 2019-07-19 at 16:43 +0300, Dmitry V. Levin wrote:
> On Fri, Jul 19, 2019 at 02:47:09PM +0200, Mark Wielaard wrote:
> [...]
> > +static bool
> > +is_shared (void)
> > +{
> > +  if (!is_loadable ())
> > +    return false;
> > +
> > +  /* The ELF type is very clear: this is an executable.  */
> > +  if (elf_type == ET_EXEC)
> > +    return false;
> > +
> > +  /* If the object is marked as PIE, it is definitely an
> > executable,
> > +     and not a loadlable shared object.  */
> > +  if (has_pie_flag)
> > +    return false;
> > +
> > +  /* Treat a DT_SONAME tag as a strong indicator that this is a
> > shared
> > +     object.  */
> > +  if (has_soname)
> > +    return true;
> 
> I'm not sure DT_SONAME is a reliable indicator.
> 
> I've seen many cases of DT_SONAME being erroneously applied to 
> non-libraries, e.g. lib.so was used as soname in openjdk executables.

I didn't know. Is this really common?
I did find one java binary on my system that indeed has this problem.
$ eu-readelf -d /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.212.b04-
0.el7_6.x86_64/jre/bin/policytool

Dynamic segment contains 39 entries:
 Addr: 0x0000000000600d88  Offset: 0x000d88  Link to section: [ 7]
'.dynstr'
  Type              Value
  NEEDED            Shared library: [libpthread.so.0]
  NEEDED            Shared library: [libz.so.1]
  NEEDED            Shared library: [libX11.so.6]
  NEEDED            Shared library: [libjli.so]
  NEEDED            Shared library: [libdl.so.2]
  NEEDED            Shared library: [libc.so.6]
  SONAME            Library soname: [lib.so]
  RPATH             Library rpath:
[$ORIGIN/../lib/amd64/jli:$ORIGIN/../lib/amd64]
[...]

But even so eu-elfclassify still doesn't treat it as a shared library,
because:
$ eu-elfclassify -v --shared policytool; echo $?
info: policytool: ELF kind: ELF_K_ELF (0x3)
info: policytool: ELF type: ET_EXEC (0x2)
info: policytool: PT_LOAD found
info: policytool: allocated PROGBITS section found
info: policytool: program interpreter found
info: policytool: dynamic segment found
info: policytool: soname found
info: policytool: DT_DEBUG found
1

So other characteristics like it being ET_EXEC mark it as an
executable. And I assume if it was PIE (ET_DYN) the PIE DT_FLAGS would
have caught it.

So, I don't think the code is wrong. We might want to tweak the comment
a bit though, to make it less definitive?

Cheers,

Mark

Reply via email to