blazesym 0.2.5

blazesym is a library for address symbolization and related tasks.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302

use std::fs::File;
use std::mem::size_of;
use std::path::Path;
use std::str;

use crate::elf;
use crate::elf::types::ElfN_Nhdr;
use crate::elf::BackendImpl;
use crate::elf::ElfParser;
use crate::inspect::FindAddrOpts;
use crate::inspect::Inspect;
use crate::log;
use crate::util::align_up_u32;
use crate::util::from_radix_16;
use crate::util::split_bytes;
use crate::ErrorExt as _;
use crate::ErrorKind;
use crate::IntoError as _;
use crate::Result;


/// The absolute path to the `kcore` `proc` node.
const PROC_KCORE: &str = "/proc/kcore";
/// The name of the `VMCOREINFO` ELF note.
///
/// See <https://www.kernel.org/doc/html/latest/admin-guide/kdump/vmcoreinfo.html>
const VMCOREINFO_NAME: &[u8] = b"VMCOREINFO\0";


/// "Parse" the VMCOREINFO descriptor.
///
/// This underspecified blob roughly has the following format:
/// ```text
/// OSRELEASE=6.2.15-100.fc36.x86_64
/// BUILD-ID=d3d01c80278f8927486b7f01d0ab6be77784dceb
/// PAGESIZE=4096
/// SYMBOL(init_uts_ns)=ffffffffb72b8160
/// OFFSET(uts_namespace.name)=0
/// [...]
/// ```
fn parse_vmcoreinfo_desc(desc: &[u8]) -> impl Iterator<Item = (&[u8], &[u8])> {
    desc.split(|&b| b == b'\n')
        .filter_map(|line| split_bytes(line, |b| b == b'='))
}

/// Find and read the `KERNELOFFSET` note in a "kcore" file represented by
/// `parser` (i.e., already opened as an ELF).
fn read_kcore_kaslr_offset(parser: &ElfParser<File>) -> Result<Option<u64>> {
    let phdrs = parser.program_headers()?;
    for phdr in phdrs.iter(0) {
        if phdr.type_() != elf::types::PT_NOTE {
            continue
        }

        let file = parser.backend();
        let mut offset = phdr.offset();

        // Iterate through all available notes. See `elf(5)` for
        // details.
        while offset + (size_of::<ElfN_Nhdr>() as u64) <= phdr.file_size() {
            let nhdr = file
                .read_pod_obj::<ElfN_Nhdr>(offset)
                .context("failed to read kcore note header")?;
            offset += size_of::<ElfN_Nhdr>() as u64;

            let name = if nhdr.n_namesz > 0 {
                let name = file.read_pod_slice::<u8>(offset, nhdr.n_namesz as _)?;
                offset += u64::from(align_up_u32(nhdr.n_namesz, 4));
                Some(name)
            } else {
                None
            };

            // We are looking for the note named `VMCOREINFO`.
            if name.as_deref() == Some(VMCOREINFO_NAME) {
                if nhdr.n_descsz > 0 {
                    let desc = file.read_pod_slice::<u8>(offset, nhdr.n_descsz as _)?;
                    let offset = parse_vmcoreinfo_desc(&desc)
                        .find(|(key, _value)| key == b"KERNELOFFSET")
                        // The value is in hexadecimal format. Go figure.
                        .map(|(_key, value)| {
                            from_radix_16(value).ok_or_invalid_data(|| {
                                format!("failed to parse KERNELOFFSET value `{value:x?}`")
                            })
                        })
                        .transpose();
                    return offset
                }

                // There shouldn't be multiple notes with that name,
                // but I suppose it can't hurt to keep checking...?
            }

            offset += u64::from(align_up_u32(nhdr.n_descsz, 4));
        }
    }
    Ok(None)
}

fn find_kcore_kaslr_offset() -> Result<Option<u64>> {
    // Note that we cannot use the regular mmap based ELF parser
    // backend for this file, as it cannot be mmap'ed. We have to
    // fall back to using regular I/O instead.
    let parser = match ElfParser::open_file_io(Path::new(PROC_KCORE)) {
        Ok(parser) => parser,
        Err(err) if err.kind() == ErrorKind::NotFound => return Ok(None),
        Err(err) => return Err(err),
    };
    let offset = read_kcore_kaslr_offset(&parser)?.inspect(|offset| {
        log::debug!("determined KASLR offset to be {offset:#x} based on {PROC_KCORE} contents");
    });
    Ok(offset)
}

/// Look up the address of an exact-named symbol through an [`Inspect`]
/// resolver, returning the first match.
fn inspect_sym_addr(resolver: &dyn Inspect, name: &str) -> Result<Option<u64>> {
    let syms = resolver.find_addr(name, &FindAddrOpts::default())?;
    // `KsymResolver::find_addr` reports symbols from a lower bound onward
    // rather than exact matches, so filter to the exact name.
    let sym = syms
        .into_iter()
        .find(|sym| sym.name.as_ref() == name)
        .map(|sym| sym.addr);
    Ok(sym)
}

/// Derive the KASLR offset by comparing the address of `_stext` as reported
/// by `kallsyms` (already KASLR-relocated) against its address in the
/// `vmlinux` image (link-time addresses).
///
/// `_stext` is documented by the kernel as indicating its start
/// address:
/// <https://www.kernel.org/doc/html/latest/admin-guide/kdump/vmcoreinfo.html#stext>
fn find_stext_kaslr_offset(
    ksym_resolver: &dyn Inspect,
    vmlinux_resolver: &dyn Inspect,
) -> Result<Option<u64>> {
    let stext_kallsyms = inspect_sym_addr(ksym_resolver, "_stext")?;
    let stext_vmlinux = inspect_sym_addr(vmlinux_resolver, "_stext")?;

    let offset = match (stext_kallsyms, stext_vmlinux) {
        (Some(stext_kallsyms), Some(stext_vmlinux)) => {
            stext_kallsyms.checked_sub(stext_vmlinux).inspect(|offset| {
                log::debug!("derived KASLR offset {offset:#x} from _stext symbol subtraction")
            })
        }
        _ => None,
    };
    Ok(offset)
}

pub(crate) fn find_kaslr_offset(
    ksym_resolver: Option<&dyn Inspect>,
    vmlinux_resolver: Option<&dyn Inspect>,
) -> Result<Option<u64>> {
    // TODO: Try other methods of determining KASLR offset, including
    //       comparisons between `/proc/kallsyms` values to
    //       `System.map-*` contents or parsing `dmesg` (no, really...)

    let result = find_kcore_kaslr_offset();
    let () = match result {
        Err(ref err)
            if matches!(
                err.kind(),
                ErrorKind::PermissionDenied | ErrorKind::NotFound
            ) =>
        {
            // For "expected" errors (e.g., `kcore` may not be available for
            // various reasons), keep trying other methods.
        }
        result => return result,
    };

    if let (Some(ksym), Some(vmlinux)) = (ksym_resolver, vmlinux_resolver) {
        return find_stext_kaslr_offset(ksym, vmlinux)
    }
    result
}


#[cfg(test)]
mod tests {
    use super::*;

    use std::ops::Deref as _;
    use std::path::PathBuf;
    use std::rc::Rc;

    use test_log::test;

    use crate::kernel::cache::KernelCache;
    use crate::kernel::ksym::KsymResolver;


    /// Path to a small ELF fixture that does *not* contain `_stext`.
    fn stextless_path() -> PathBuf {
        Path::new(env!("CARGO_MANIFEST_DIR"))
            .join("data")
            .join("test-stable-addrs.bin")
    }

    fn ksym_from_bytes(content: &[u8]) -> KsymResolver {
        KsymResolver::load_from_reader(&mut &*content, Path::new("<dummy>")).unwrap()
    }

    /// Stand-in for a vmlinux inspector able to resolve the `_stext`
    /// symbol.
    fn vmlinux_inspector() -> Box<dyn Inspect> {
        let inspector = ksym_from_bytes(
            b"ffffffff81000000 T _stext
ffffffff81000f60 T do_one_initcall
",
        );
        Box::new(inspector)
    }


    /// Check that we can parse a dummy VMCOREINFO descriptor.
    #[test]
    fn vmcoreinfo_desc_parsing() {
        let desc = b"OSRELEASE=6.2.15-100.fc36.x86_64
BUILD-ID=d3d01c80278f8927486b7f01d0ab6be77784dceb
SYMBOL(init_uts_ns)=ffffffffb72b8160
OFFSET(uts_namespace.name)=0
PAGESIZE=4096
";

        let page_size = parse_vmcoreinfo_desc(desc)
            .find(|(key, _value)| key == b"PAGESIZE")
            .map(|(_key, value)| value)
            .unwrap();
        assert_eq!(page_size, b"4096");
    }

    /// Check that we can determine the system's KASLR state.
    #[test]
    fn kaslr_offset_reading() {
        // Always attempt reading the KASLR offset to exercise the
        // VMCOREINFO parsing path.
        // Also, we care about the parsing logic, but can't make any
        // claims about the expected offset at this point.
        let _offset = find_kcore_kaslr_offset().unwrap();
    }

    /// Check that we correctly derive the KASLR offset via `_stext` method.
    #[test]
    fn stext_kaslr_offset_derived() {
        let ksym = ksym_from_bytes(
            b"ffffffff81abc000 T _stext
ffffffff81abf000 T do_one_initcall
",
        );
        let vmlinux = vmlinux_inspector();
        let offset = find_stext_kaslr_offset(&ksym, vmlinux.deref()).unwrap();
        assert_eq!(offset, Some(0xabc000));
    }

    /// Check that a kallsyms `_stext` exactly equal to vmlinux's `_stext`
    /// yields a zero KASLR offset.
    #[test]
    fn stext_kaslr_offset_zero() {
        let ksym = ksym_from_bytes(b"ffffffff81000000 T _stext\n");
        let vmlinux = vmlinux_inspector();

        let offset = find_stext_kaslr_offset(&ksym, vmlinux.deref()).unwrap();
        assert_eq!(offset, Some(0));
    }

    /// Check that a missing `_stext` in kallsyms surfaces as no KASLR
    /// offset.
    #[test]
    fn stext_kaslr_offset_no_kallsyms_stext() {
        let ksym = ksym_from_bytes(b"ffffffff81abf000 T do_one_initcall\n");
        let vmlinux = vmlinux_inspector();

        let offset = find_stext_kaslr_offset(&ksym, vmlinux.deref()).unwrap();
        assert_eq!(offset, None);
    }

    /// Check that a missing `_stext` in vmlinux surfaces as `None`.
    #[test]
    fn stext_kaslr_offset_no_vmlinux_stext() {
        let ksym = ksym_from_bytes(b"ffffffff81abc000 T _stext\n");
        let cache = KernelCache::new(Rc::new([]));
        let vmlinux = cache.elf_resolver(&stextless_path(), false).unwrap();

        let offset = find_stext_kaslr_offset(&ksym, &**vmlinux).unwrap();
        assert_eq!(offset, None);
    }

    /// Check that a kallsyms `_stext` below vmlinux's `_stext` yields
    /// no KASLR offset.
    #[test]
    fn stext_kaslr_offset_underflow() {
        let ksym = ksym_from_bytes(b"ffffffff80000000 T _stext\n");
        let vmlinux = vmlinux_inspector();

        let offset = find_stext_kaslr_offset(&ksym, vmlinux.deref()).unwrap();
        assert_eq!(offset, None);
    }
}