| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 29 Mar 2021 11:09:15 +0200
From: Jiri Slaby <jslaby@...e.cz>
To: Peter Zijlstra <peterz@...radead.org>,
Ingo Molnar <mingo@...hat.com>,
Arnaldo Carvalho de Melo <acme@...nel.org>,
Mark Rutland <mark.rutland@....com>,
Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
Jiri Olsa <jolsa@...hat.com>,
Namhyung Kim <namhyung@...nel.org>,
linux-kernel@...r.kernel.org, Richard Guenther <rguenther@...e.de>,
"H.J. Lu" <hjl.tools@...il.com>
Subject: Re: perf does not resolve plt symbols from libstdc++ right (.plt.sec
problem)
Any ideas on this?
On 11. 01. 21, 7:31, Jiri Slaby wrote:
> Hi,
>
> this e-mails is a follow-up of my report at:
> https://bugzilla.suse.com/show_bug.cgi?id=1180681
>
> There is a problem with *@plt symbols in some libraries, they are
> unresolved by perf (memcmp@plt in this case):
> > 0.26% main2 /usr/lib64/libstdc++.so.6.0.28 0xa51a0
> l [.] 0x00000000000a51a0
>
> On the other hand, plt symbols in other libraries are fine (memset@plt
> in this case):
> > 0.17% main2 /usr/lib64/libantlr4-runtime.so.4.8 0x4ed10
> l [.] memset@plt
>
> I dumped memcmp's .plt.rela entries in perf:
> /usr/lib64/libantlr4-runtime.so.4.8: 154th addr=4e9d0 plt_off=4e020
> hdr=10 entry=10
> /usr/lib64/libstdc++.so.6.0.28: 772th addr=a1070 plt_off=9e020 hdr=10
> entry=10
>
> The difference (offset) of stdc++'s memcmp is 0xa51a0 (correct) -
> 0xa1070 (perf's computed) = 0x4130.
>
> The problem is perf assumes nth entry of .plt.rela to correspond to nth
> function in .plt, but memcmp is in .plt.sec in libstdc++.so:
>
> > Relocation section '.rela.plt' at offset 0x97900 contains 1018 entries:
> > Offset Info Type Symbol's
> Value Symbol's Name + Addend
> > ...
> > 00000000001dc838 0000007800000007 R_X86_64_JUMP_SLOT
> 0000000000000000 memcmp@...BC_2.2.5 + 0
>
> Perf does this with the rela entries:
> https://github.com/torvalds/linux/blob/f5e6c330254ae691f6d7befe61c786eb5056007e/tools/perf/util/symbol-elf.c#L385
>
>
> It takes a symbol index from sym.r_info. Then it resolves its name from
> .dynsym, appending "@plt" to it. Then this name is added to perf's
> symbol table along with address which is computed as .rela.plt index
> multiplied by entry size (shdr_plt.sh_entsize) plus plt header
> (shdr_plt.sh_entsize on x86_64 too).
>
> And from this comes (almost) the offset above:
> > $ objdump -h /usr/lib64/libstdc++.so.6|grep -E ' .plt(\.sec)? '
> > 12 .plt 00003fb0 000000000009e020 000000000009e020
> 0009e020 2**4
> > 14 .plt.sec 00003fa0 00000000000a2160 00000000000a2160
> 000a2160 2**4
>
> 0xa2160-0x9e020 = 0x4140. I assume the 0x10 difference is that perf adds
> shdr_plt.sh_entsize (0x10) to the offset to skip the first .plt entry
> (header).
>
> Richard writes:
> ======
> .plt.sec is IIRC the "second" (sec) PLT entry - the one that will be
> used on the second call (and on). This is used / emitted for ELF object
> instrumented for Intel CET. The details escape me for the moment but I
> hope the x86 ABI documents this (and the constraints) in detail.
> ======
>
> How should perf find out whether to consider .plt or .plt.sec? Or
> generally, how to properly find an address of *@plt symbols like
> memcmp@plt above?
>
> thanks,
--
js
suse labs
Powered by blists - more mailing lists