lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 21 May 2019 12:50:57 +0000
From:   Raphael Gault <>
To:     Josh Poimboeuf <>
CC:     "" 
        "" <>,
        "" <>,
        Catalin Marinas <>,
        Will Deacon <>,
        Julien Thierry <>
Subject: Re: [RFC V2 00/16] objtool: Add support for Arm64

Hi Josh,

Thanks for offering your help and sorry for the late answer.

My understanding is that a table of offsets is built by GCC, those
offsets being scaled by 4 before adding them to the base label.
I believe the offsets are stored in the .rodata section. To find the
size of that table, it is needed to find a comparison, which can be
optimized out apprently. In that case the end of the array can be found
by locating labels pointing to data behind it (which is not 100% safe).

On 5/16/19 3:29 PM, Josh Poimboeuf wrote:
> On Thu, May 16, 2019 at 11:36:39AM +0100, Raphael Gault wrote:
>> Noteworthy points:
>> * I still haven't figured out how to detect switch-tables on arm64. I
>> have a better understanding of them but still haven't implemented checks
>> as it doesn't look trivial at all.
> Switch tables were tricky to get right on x86.  If you share an example
> (or even just a .o file) I can take a look.  Hopefully they're somewhat
> similar to x86 switch tables.  Otherwise we may want to consider a
> different approach (for example maybe a GCC plugin could help annotate
> them).

The case which made me realize the issue is the one of

What seems to happen in the case of module.o is:
  334:   90000015        adrp    x21, 0 <do_reloc>
which retrieves the location of an offset in the rodata section, and a
bit later we do some extra computation with it in order to compute the
jump destination:
  3e0:   78625aa0        ldrh    w0, [x21, w2, uxtw #1]
  3e4:   10000061        adr     x1, 3f0 <apply_relocate_add+0xf8>
  3e8:   8b20a820        add     x0, x1, w0, sxth #2
  3ec:   d61f0000        br      x0

Please keep in mind that the actual offsets might vary.

I'm happy to provide more details about what I have identified if you
want me to.


Raphael Gault
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

Powered by blists - more mailing lists