Fix: crash loading non-PIC MIPS ELF images (#1196)

Author: uxmal

src/Environments/SysV/ArchSpecific/TrampolineFinder.cs

@@ -212,6 +212,20 @@ load.Dst is Identifier ptrGotSlot &&
             return null;
         }
 
+
+        public static Expression? Mips32(IProcessorArchitecture arch, Address addrInstr, IEnumerable<RtlInstruction> instrs, IRewriterHost host)
+        {
+            var stubInstrs = instrs.Take(4).ToArray();
+
+            var dst = Mips32_Variant1(arch, host, stubInstrs);
+            if (dst is not null)
+                return dst;
+            dst = Mips32_Variant2(arch, host, stubInstrs);
+            if (dst is not null)
+                return dst;
+            return null;
+        }
+
         /// <summary>
         /// Find the destination of a MIPS32 plt stub.
         /// </summary>
@@ -221,9 +235,8 @@ load.Dst is Identifier ptrGotSlot &&
         /// jalr ra,r25
         /// addiu r24,r0,+00000010
         /// </code>
-        public static Expression? Mips32(IProcessorArchitecture arch, Address addrInstr, IEnumerable<RtlInstruction> instrs, IRewriterHost host)
+        public static Expression? Mips32_Variant1(IProcessorArchitecture arch, IRewriterHost host, RtlInstruction[] stubInstrs)
         {
-            var stubInstrs = instrs.Take(4).ToArray();
             if (stubInstrs.Length != 4)
                 return null;
 
@@ -263,6 +276,47 @@ init.Src is Constant &&
             return null;
         }
 
+        /// <summary>
+        /// Find the destination of a MIPS32 plt stub.
+        /// </summary>
+        /// r15 = 0x00410000
+        /// r25 = Mem0[r15 + 0x111C:word32]
+        /// r24 = r15 + 0x0000111C
+        /// call r25 (retsize: 0;)
+        public static Expression? Mips32_Variant2(IProcessorArchitecture arch, IRewriterHost host, RtlInstruction[] stubInstrs)
+        {
+            if (stubInstrs.Length < 3)
+                return null;
+
+            if (stubInstrs[0] is RtlAssignment ass &&
+                ass.Dst is Identifier idBase &&
+                ass.Src is Constant imm)
+            {
+            }
+            else return null;
+
+            if (stubInstrs[1] is RtlAssignment load &&
+                load.Dst is Identifier idDst &&
+                idDst.Name == "r25" &&
+                load.Src is MemoryAccess mem &&
+                mem.EffectiveAddress is BinaryExpression bin &&
+                bin.Left == idBase && 
+                bin.Right is Constant immOffset)
+            {
+            }
+            else return null;
+
+            if (stubInstrs[2] is RtlGoto jmp &&
+                jmp.Class.HasFlag(InstrClass.Delay) &&
+                jmp.Target is Identifier idTarget &&
+                idTarget == idDst)
+            { }
+            else return null;
+
+            var sAddrGotSlot = imm.ToInt32() + immOffset.ToInt32();
+            return Address.Ptr32((uint) sAddrGotSlot);
+        }
+
         /// <summary>
         /// Find the destination of a Risc-V PLT stub.
         /// </summary>

src/Environments/Windows/Win_x86_64_Platform.cs

@@ -159,7 +159,7 @@ public override int GetBitSizeFromCBasicType(CBasicType cb)
         public override ProcedureBase? GetTrampolineDestination(Address addrInstr, IEnumerable<RtlInstruction> rw, IRewriterHost host)
         {
             var instr = rw.FirstOrDefault();
-            if (instr == null)
+            if (instr is null)
                 return null;
             if (instr is not RtlGoto jump)
                 return null;
@@ -188,7 +188,7 @@ public override int GetBitSizeFromCBasicType(CBasicType cb)
 
         public override ExternalProcedure? LookupProcedureByName(string? moduleName, string procName)
         {
-            if (moduleName == null || !Metadata!.Modules.TryGetValue(moduleName.ToUpper(), out ModuleDescriptor? mod))
+            if (moduleName is null || !Metadata!.Modules.TryGetValue(moduleName.ToUpper(), out ModuleDescriptor? mod))
                 return null;
             if (mod.ServicesByName.TryGetValue(procName, out SystemService? svc))
             {

src/ImageLoaders/Elf/ElfLoader.cs

@@ -88,7 +88,6 @@ public abstract class ElfLoader
         public const uint PF_W = 2;
         public const uint PF_X = 1;
 
-        protected ElfMachine machine;
         protected uint flags;
         protected EndianServices endianness;
         protected IPlatform? platform;
@@ -103,7 +102,7 @@ protected ElfLoader(
             byte[] rawImage) : this()
         {
             this.Services = services;
-            this.machine = machine;
+            this.Machine = machine;
             this.flags = flags;
             this.endianness = endianness;
             this.rawImage = rawImage;
@@ -123,6 +122,7 @@ protected ElfLoader()
             this.rawImage = null!;
         }
 
+        public ElfMachine Machine { get; }
         public IProcessorArchitecture Architecture { get; private set; }
         public IServiceProvider Services { get; }
         public abstract Address DefaultAddress { get; }
@@ -239,7 +239,7 @@ public void LoadArchitectureFromHeader()
             options[ProcessorOption.Endianness] = endianness == EndianServices.Little ? "le" : "be";
 
             string? stackRegName = null;
-            switch (this.machine)
+            switch (this.Machine)
             {
             case ElfMachine.EM_NONE: return null; // No machine
             case ElfMachine.EM_SPARC:
@@ -304,7 +304,7 @@ public void LoadArchitectureFromHeader()
                 arch = "loongaArch";
                 break;
             default:
-                throw new NotImplementedException($"ELF machine type {machine} is not implemented yet.");
+                throw new NotImplementedException($"ELF machine type {Machine} is not implemented yet.");
             }
             var a = cfgSvc.GetArchitecture(arch, options);
             if (a is null)
@@ -405,7 +405,7 @@ public ulong GuessAreaEnd(ulong addrStart, ElfSegment dynSeg)
             {
                 if (de.UValue <= addrStart)
                     continue;
-                var tagInfo = de.GetTagInfo(machine);
+                var tagInfo = de.GetTagInfo(Machine);
                 if (tagInfo?.Format == DtFormat.Address)
                 {
                     // This might be a pointer.
@@ -814,7 +814,7 @@ public string ReadAsciiString(ulong fileOffset)
         public void Relocate(Program program, Address addrLoad)
         {
             var symbols = CreateSymbolDictionaries(IsExecutableFile);
-            var relocator = CreateRelocator(this.machine, symbols);
+            var relocator = CreateRelocator(this.Machine, symbols);
             relocator.Relocate(program);
             relocator.LocateGotPointers(program, symbols);
             symbols = symbols.Values.Select(relocator.AdjustImageSymbol).ToSortedList(s => s.Address!);

src/ImageLoaders/Elf/ElfLoader32.cs

@@ -88,7 +88,7 @@ public override Address CreateAddress(ulong uAddr)
             var options = new Dictionary<string, object>();
             string? stackRegName = null;
             options[ProcessorOption.Endianness] = endianness == EndianServices.Little ? "le" : "be";
-            switch (machine)
+            switch (Machine)
             {
             case ElfMachine.EM_MIPS:
                 //$TODO: detect release 6 of the MIPS architecture. 
@@ -378,7 +378,7 @@ public override SegmentMap LoadImageBytes(IPlatform platform, byte[] rawImage, A
                         {
                             Size = (uint) section.Size
                         });
-                        seg.Designer = CreateRenderer(section, machine);
+                        seg.Designer = CreateRenderer(section, Machine);
                     }
                     else
                     {

src/ImageLoaders/Elf/ElfLoader64.cs

@@ -78,7 +78,7 @@ public override Address CreateAddress(ulong uAddr)
             var options = new Dictionary<string, object>();
             options[ProcessorOption.Endianness] = endianness == EndianServices.Little ? "le" : "be";
             string archName;
-            switch (machine)
+            switch (Machine)
             {
             case ElfMachine.EM_IA_64:
                 archName = "ia64";
@@ -127,7 +127,7 @@ public override ElfObjectLinker CreateLinker()
             switch (shdr.Type)
             {
             case SectionHeaderType.SHT_DYNAMIC:
-                return new DynamicSectionRenderer64(this, shdr, machine);
+                return new DynamicSectionRenderer64(this, shdr, Machine);
             case SectionHeaderType.SHT_RELA:
                 return new RelaSegmentRenderer64(this, shdr);
             case SectionHeaderType.SHT_SYMTAB:

src/ImageLoaders/Elf/Relocators/ElfRelocator.cs

@@ -169,54 +169,56 @@ public List<ElfSymbol> RelocateDynamicSymbols(Program program)
                 Loader.DynamicEntries.TryGetValue(ElfDynamicEntry.DT_RELENT, out var relent);
 
                 Loader.DynamicEntries.TryGetValue(ElfDynamicEntry.DT_SYMENT, out var syment);
-                if (symtab == null || (rela == null && rel == null))
+                if (symtab is null)
                     continue;
-                if (strtab == null)
+                if (strtab is null)
                     throw new BadImageFormatException("ELF dynamic segment lacks a string table.");
-                if (syment == null)
+                if (syment is null)
                     throw new BadImageFormatException("ELF dynamic segment lacks the size of symbol table entries.");
-                RelocationTable relTable;
-                if (rela != null)
+                var offStrtab = Loader.AddressToFileOffset(strtab.UValue);
+                var offSymtab = Loader.AddressToFileOffset(symtab.UValue);
+
+                RelocationTable? relTable = null;
+                if (rela is { })
                 {
-                    if (relasz == null)
+                    if (relasz is null)
                         throw new BadImageFormatException("ELF dynamic segment lacks the size of the relocation table.");
-                    if (relaent == null)
+                    if (relaent is null)
                         throw new BadImageFormatException("ELF dynamic segment lacks the size of relocation table entries.");
                     relTable = new RelaTable(this, rela.UValue, relasz.UValue);
                 }
-                else
+                else if (rel != null)
                 {
-                    Debug.Assert(rel != null);
-                    if (relsz == null)
+                    if (relsz is null)
                         throw new BadImageFormatException("ELF dynamic segment lacks the size of the relocation table.");
-                    if (relent == null)
+                    if (relent is null)
                         throw new BadImageFormatException("ELF dynamic segment lacks the size of relocation table entries.");
                     relTable = new RelTable(this, rel.UValue, relsz.UValue);
                 }
 
-                var offStrtab = Loader.AddressToFileOffset(strtab.UValue);
-                var offSymtab = Loader.AddressToFileOffset(symtab.UValue);
-
-                LoadSymbolsFromDynamicSegment(dynSeg, symtab, syment, offStrtab, offSymtab);
-
-                // Generate a symbol for each relocation.
-                ElfImageLoader.trace.Inform("Relocating entries in .dynamic:");
-                foreach (var (_, elfSym, _) in relTable.RelocateEntries(program, offStrtab, offSymtab, syment.UValue))
+                if (relTable is { })
                 {
-                    symbols.Add(elfSym);
-                    var imgSym = Loader.CreateImageSymbol(elfSym, true);
-                    // Symbols need to refer to the loaded image, if their value is 0,
-                    // they are imported symbols.
-                    if (imgSym == null || imgSym.Address!.ToLinear() == 0)
-                        continue;
-                    imageSymbols[imgSym.Address] = imgSym;
+                    LoadSymbolsFromDynamicSegment(dynSeg, symtab, syment, offStrtab, offSymtab);
+
+                    // Generate a symbol for each relocation.
+                    ElfImageLoader.trace.Inform("Relocating entries in .dynamic:");
+                    foreach (var (_, elfSym, _) in relTable.RelocateEntries(program, offStrtab, offSymtab, syment.UValue))
+                    {
+                        symbols.Add(elfSym);
+                        var imgSym = Loader.CreateImageSymbol(elfSym, true);
+                        // Symbols need to refer to the loaded image, if their value is 0,
+                        // they are imported symbols.
+                        if (imgSym == null || imgSym.Address!.ToLinear() == 0)
+                            continue;
+                        imageSymbols[imgSym.Address] = imgSym;
+                    }
                 }
 
                 // Relocate the DT_JMPREL table.
                 Loader.DynamicEntries.TryGetValue(ElfDynamicEntry.DT_JMPREL, out var jmprel);
                 Loader.DynamicEntries.TryGetValue(ElfDynamicEntry.DT_PLTRELSZ, out var pltrelsz);
                 Loader.DynamicEntries.TryGetValue(ElfDynamicEntry.DT_PLTREL, out var pltrel);
-                if (jmprel != null && pltrelsz != null && pltrel != null)
+                if (jmprel is { } && pltrelsz is { } && pltrel is { })
                 {
                     if (pltrel.SValue == ElfDynamicEntry.DT_RELA) // entries are in RELA format.
                     {
@@ -228,7 +230,8 @@ public List<ElfSymbol> RelocateDynamicSymbols(Program program)
                     }
                     else
                     {
-                        //$REVIEW: bad elf format!
+                        var listener = Loader.Services.RequireService<DecompilerEventListener>();
+                        listener.Warn("Invalid value for DT_PLTREL: {0}", pltrel.UValue);
                         continue;
                     }
 
@@ -411,7 +414,7 @@ public ElfRelocator32(ElfLoader32 loader, SortedList<Address, ImageSymbol> image
 
         protected override void DumpDynamicSegment(ElfSegment dynSeg)
         {
-            var renderer = new DynamicSectionRenderer32(Loader, null!, ElfMachine.EM_NONE);
+            var renderer = new DynamicSectionRenderer32(Loader, null!, loader.Machine);
             var sw = new StringWriter();
             renderer.Render(dynSeg.p_offset, new TextFormatter(sw));
             Debug.WriteLine(sw.ToString());
@@ -462,7 +465,7 @@ protected void DumpRel32(ElfLoader32 loader)
         {
             foreach (var section in loader.Sections.Where(s => s.Type == SectionHeaderType.SHT_REL))
             {
-                ElfImageLoader.trace.Inform("REL: offset {0:X} symbol section {1}, relocating in section {2}",
+                ElfImageLoader.trace.Inform("REL: Offset {0:X} symbol section {1}, relocating in section {2}",
                     section.FileOffset,
                     section.LinkedSection?.Name ?? "?",
                     section.RelocatedSection?.Name ?? "?");
@@ -487,7 +490,7 @@ protected void DumpRela32(ElfLoader32 loader)
             foreach (var section in loader.Sections.Where(s => s.Type == SectionHeaderType.SHT_RELA))
             {
                 ElfImageLoader.trace.Inform(
-                    "RELA: offset {0:X} symbol section {1}, relocating in section {2}",
+                    "RELA: Offset {0:X} symbol section {1}, relocating in section {2}",
                     section.FileOffset,
                     section.LinkedSection!.Name,
                     section.RelocatedSection!.Name);
@@ -573,7 +576,7 @@ protected void DumpRel64(ElfLoader64 loader)
         {
             foreach (var section in loader.Sections.Where(s => s.Type == SectionHeaderType.SHT_REL))
             {
-                ElfImageLoader.trace.Inform("REL: offset {0:X} symbol section {1}, relocating in section {2}",
+                ElfImageLoader.trace.Inform("REL: Offset {0:X} symbol section {1}, relocating in section {2}",
                     section.FileOffset,
                     section.LinkedSection?.Name ?? "?",
                     section.RelocatedSection?.Name ?? "?");
@@ -600,7 +603,7 @@ protected void DumpRela64(ElfLoader64 loader)
                 s.LinkedSection != null && 
                 s.LinkedSection.FileOffset != 0))
             {
-                Debug.Print("RELA: offset {0:X} symbol section {1}, relocating in section {2}",
+                Debug.Print("RELA: Offset {0:X} symbol section {1}, relocating in section {2}",
                     section.FileOffset,
                     section.LinkedSection?.Name ?? "?",
                     section.RelocatedSection?.Name ?? "?");