From c2cfef0557a7297dc945fc29ff4f5d44ca6b1f51 Mon Sep 17 00:00:00 2001
From: Andreas Ziegler <andreas.ziegler@fau.de>
Date: Mon, 14 Feb 2022 14:44:27 +0100
Subject: [PATCH] Add support for DT_RELR/SHT_RELR compressed relocation
 sections (#395)

As more and more tools now support DT_RELR compressed relocations
(most notably, the just released GNU binutils 2.38 [0]), let's add
support for reading these relocations as well.

The original discussion about advantages of packe RELATIVE
relocations can be found at [1]. In a nutshell, the format
exploits the fact that RELATIVE relocations are often placed
next to each other and (for x86_64) stores up to 64 relocations
in two 8-byte words. In a regular .rela.dyn table, these would
take up 24 * 64 = 1536 bytes.

The compressed relocations work as follows:

The first word in the section describes a base address and
contains an offset for a relocation. This offset must always
lie at an even address. Following this entry can be one or
more bitmap(s) which have their least significant bit set to 1.
All other bits describe (in increasing order of significance) if
the following continuous offsets also contain a relocation. The
addends for existing relocations are stored at the corresponding
offsets in the file (that is, they work like REL relocations).
A good description of the history of this feature and its current
adoption is the following blog post [2].

[0]: https://lists.gnu.org/archive/html/info-gnu/2022-02/msg00009.html
[1]: https://groups.google.com/g/generic-abi/c/bX460iggiKg?pli=1
[2]: https://maskray.me/blog/2021-10-31-relative-relocations-and-relr
---
 elftools/elf/descriptions.py                  |   1 +
 elftools/elf/elffile.py                       |   5 +-
 elftools/elf/enums.py                         |   9 ++-
 elftools/elf/relocation.py                    |  75 ++++++++++++++++++
 elftools/elf/structs.py                       |   6 ++
 test/test_relr.py                             |  49 ++++++++++++
 test/testfiles_for_unittests/lib_relro.so.elf | Bin 0 -> 10480 bytes
 7 files changed, 142 insertions(+), 3 deletions(-)
 create mode 100644 test/test_relr.py
 create mode 100755 test/testfiles_for_unittests/lib_relro.so.elf

diff --git a/elftools/elf/descriptions.py b/elftools/elf/descriptions.py
index b14ea3e..0ccc9a1 100644
--- a/elftools/elf/descriptions.py
+++ b/elftools/elf/descriptions.py
@@ -412,6 +412,7 @@ _DESCR_SH_TYPE = dict(
     SHT_GNU_HASH='GNU_HASH',
     SHT_GROUP='GROUP',
     SHT_SYMTAB_SHNDX='SYMTAB SECTION INDICIES',
+    SHT_RELR='RELR',
     SHT_GNU_verdef='VERDEF',
     SHT_GNU_verneed='VERNEED',
     SHT_GNU_versym='VERSYM',
diff --git a/elftools/elf/elffile.py b/elftools/elf/elffile.py
index e864a16..244841a 100644
--- a/elftools/elf/elffile.py
+++ b/elftools/elf/elffile.py
@@ -31,7 +31,8 @@ from .sections import (
         SymbolTableIndexSection, SUNWSyminfoTableSection, NullSection,
         NoteSection, StabSection, ARMAttributesSection)
 from .dynamic import DynamicSection, DynamicSegment
-from .relocation import RelocationSection, RelocationHandler
+from .relocation import (RelocationSection, RelocationHandler,
+        RelrRelocationSection)
 from .gnuversions import (
         GNUVerNeedSection, GNUVerDefSection,
         GNUVerSymSection)
@@ -595,6 +596,8 @@ class ELFFile(object):
             return self._make_elf_hash_section(section_header, name)
         elif sectype == 'SHT_GNU_HASH':
             return self._make_gnu_hash_section(section_header, name)
+        elif sectype == 'SHT_RELR':
+            return RelrRelocationSection(section_header, name, self)
         else:
             return Section(section_header, name, self)
 
diff --git a/elftools/elf/enums.py b/elftools/elf/enums.py
index 61c3d42..8519f4e 100644
--- a/elftools/elf/enums.py
+++ b/elftools/elf/enums.py
@@ -295,7 +295,8 @@ ENUM_SH_TYPE_BASE = dict(
     SHT_PREINIT_ARRAY=16,
     SHT_GROUP=17,
     SHT_SYMTAB_SHNDX=18,
-    SHT_NUM=19,
+    SHT_RELR=19,
+    SHT_NUM=20,
     SHT_LOOS=0x60000000,
     SHT_GNU_ATTRIBUTES=0x6ffffff5,
     SHT_GNU_HASH=0x6ffffff6,
@@ -513,7 +514,11 @@ ENUM_D_TAG_COMMON = dict(
     DT_ENCODING=32,
     DT_PREINIT_ARRAY=32,
     DT_PREINIT_ARRAYSZ=33,
-    DT_NUM=34,
+    DT_SYMTAB_SHNDX=34,
+    DT_RELRSZ=35,
+    DT_RELR=36,
+    DT_RELRENT=37,
+    DT_NUM=38,
     DT_LOOS=0x6000000d,
     DT_ANDROID_REL=0x6000000f,
     DT_ANDROID_RELSZ=0x60000010,
diff --git a/elftools/elf/relocation.py b/elftools/elf/relocation.py
index 8ca4ca1..4008e28 100644
--- a/elftools/elf/relocation.py
+++ b/elftools/elf/relocation.py
@@ -15,6 +15,7 @@ from .enums import (
     ENUM_RELOC_TYPE_i386, ENUM_RELOC_TYPE_x64, ENUM_RELOC_TYPE_MIPS,
     ENUM_RELOC_TYPE_ARM, ENUM_RELOC_TYPE_AARCH64, ENUM_RELOC_TYPE_PPC64,
     ENUM_D_TAG)
+from ..construct import Container
 
 
 class Relocation(object):
@@ -106,6 +107,80 @@ class RelocationSection(Section, RelocationTable):
             'Expected sh_entsize of %s section to be %s' % (
                 header['sh_type'], self.entry_size))
 
+class RelrRelocationSection(Section):
+    """ RELR compressed relocation section. This stores relative relocations
+        in a compressed format. An entry with an even value serves as an
+        'anchor' that defines a base address. Following this entry are one or
+        more bitmaps for consecutive addresses after the anchor which determine
+        if the corresponding relocation exists (if the bit is 1) or if it is
+        skipped. Addends are stored at the respective addresses (as in REL
+        relocations).
+    """
+    def __init__(self, header, name, elffile):
+        Section.__init__(self, header, name, elffile)
+        self._offset = self['sh_offset']
+        self._size = self['sh_size']
+        self._relr_struct = self.elffile.structs.Elf_Relr
+        self._entrysize = self._relr_struct.sizeof()
+        self._cached_relocations = None
+
+    def iter_relocations(self):
+        """ Yield all the relocations in the section
+        """
+        limit = self._offset + self._size
+        relr = self._offset
+        # The addresses of relocations in a bitmap are calculated from a base
+        # value provided in an initial 'anchor' relocation.
+        base = None
+        while relr < limit:
+            entry = struct_parse(self._relr_struct,
+                                 self.elffile.stream,
+                                 stream_pos=relr)
+            entry_offset = entry['r_offset']
+            if (entry_offset & 1) == 0:
+                # We found an anchor, take the current value as the base address
+                # for the following bitmaps and move the 'where' pointer to the
+                # beginning of the first bitmap.
+                base = entry_offset
+                base += self._entrysize
+                yield Relocation(entry, self.elffile)
+            else:
+                # We're processing a bitmap.
+                elf_assert(base is not None, 'RELR bitmap without base address')
+                i = 0
+                while True:
+                    # Iterate over all bits except the least significant one.
+                    entry_offset = (entry_offset >> 1)
+                    if entry_offset == 0:
+                        break
+                    # if the current LSB is set, we have a relocation at the
+                    # corresponding address so generate a Relocation with the
+                    # matching offset
+                    if (entry_offset & 1) != 0:
+                        calc_offset = base + i * self._entrysize
+                        yield Relocation(Container(r_offset = calc_offset),
+                                         self.elffile)
+                    i += 1
+                # Advance 'base' past the current bitmap (8 == CHAR_BIT). There
+                # are 63 (or 31 for 32-bit ELFs) entries in each bitmap, and
+                # every bit corresponds to an ELF_addr-sized relocation.
+                base += (8 * self._entrysize - 1) * self.elffile.structs.Elf_addr('').sizeof()
+            # Advance to the next entry
+            relr += self._entrysize
+
+    def num_relocations(self):
+        """ Number of relocations in the section
+        """
+        if self._cached_relocations is None:
+            self._cached_relocations = list(self.iter_relocations())
+        return len(self._cached_relocations)
+
+    def get_relocation(self, n):
+        """ Get the relocation at index #n from the section (Relocation object)
+        """
+        if self._cached_relocations is None:
+            self._cached_relocations = list(self.iter_relocations())
+        return self._cached_relocations[n]
 
 class RelocationHandler(object):
     """ Handles the logic of relocations in ELF files.
diff --git a/elftools/elf/structs.py b/elftools/elf/structs.py
index 6a1d2aa..b437eec 100644
--- a/elftools/elf/structs.py
+++ b/elftools/elf/structs.py
@@ -270,6 +270,12 @@ class ELFStructs(object):
                                *fields_and_addend
         )
 
+        # Elf32_Relr is typedef'd as Elf32_Word, Elf64_Relr as Elf64_Xword
+        # (see the glibc patch, for example:
+        # https://sourceware.org/pipermail/libc-alpha/2021-October/132029.html)
+        # For us, this is the same as self.Elf_addr (or self.Elf_xword).
+        self.Elf_Relr = Struct('Elf_Relr', self.Elf_addr('r_offset'))
+
     def _create_dyn(self):
         d_tag_dict = dict(ENUM_D_TAG_COMMON)
         if self.e_machine in ENUMMAP_EXTRA_D_TAG_MACHINE:
diff --git a/test/test_relr.py b/test/test_relr.py
new file mode 100644
index 0000000..69e39d6
--- /dev/null
+++ b/test/test_relr.py
@@ -0,0 +1,49 @@
+#-------------------------------------------------------------------------------
+# elftools tests
+#
+# Andreas Ziegler (andreas.ziegler@fau.de)
+# This code is in the public domain
+#-------------------------------------------------------------------------------
+# The lib_relro.so.elf file was generated as follows (on Debian 11):
+# $ cat lib_relro.c
+# int retfunc(){ return 1; }
+# int (*ptr1)() = retfunc;
+# int (*ptr2)() = retfunc;
+# <...>
+# int (*ptr100)() = retfunc;
+# $ clang-12 -c -o lib_relro.o -fPIC lib_relro.c
+# $ ld.lld-12 -o lib_relro.so.elf --pack-dyn-relocs=relr --shared -Bsymbolic-functions lib_relro.o
+
+import unittest
+import os
+
+from elftools.elf.elffile import ELFFile
+
+class TestRelr(unittest.TestCase):
+
+    def test_num_relocations(self):
+        """ Verify we can get the number of relocations in a RELR relocation
+            section.
+        """
+        path = os.path.join('test', 'testfiles_for_unittests',
+                            'lib_relro.so.elf')
+        with open(path, 'rb') as f:
+            elf = ELFFile(f)
+            relr_section = elf.get_section_by_name('.relr.dyn')
+            self.assertIsNotNone(relr_section)
+            self.assertEqual(relr_section.num_relocations(), 100)
+
+    def test_get_relocation(self):
+        """ Verify we can get a specific relocation in a RELR relocation
+            section.
+        """
+        path = os.path.join('test', 'testfiles_for_unittests',
+                            'lib_relro.so.elf')
+        with open(path, 'rb') as f:
+            elf = ELFFile(f)
+            relr_section = elf.get_section_by_name('.relr.dyn')
+            self.assertIsNotNone(relr_section)
+            reloc = relr_section.get_relocation(n=0)
+            self.assertEqual(reloc['r_offset'], 0x4540)
+            reloc = relr_section.get_relocation(n=65)
+            self.assertEqual(reloc['r_offset'], 0x4748)
diff --git a/test/testfiles_for_unittests/lib_relro.so.elf b/test/testfiles_for_unittests/lib_relro.so.elf
new file mode 100755
index 0000000000000000000000000000000000000000..16b8587c816bb8f00aeabac03c84a9dc4db2d8ac
GIT binary patch
literal 10480
zcmeI2e{7Xk8OIL=O4$I*99tE(T^MYgmAm`1_ul>DG75CAU}55l3beGhD@sdKI?|bi
zH49nl{?MCDO?4)AMjcU?VD^VyqFEy$GWUly@dwfU(M*|Dm!+C%nq^YI&+|SHxqL@6
ze{BD8lIK0=e9v<}=e_T}@6-2vP9NLavaM>tg5YIgxF<-jygpKjHqgJp8mNjPA8K%1
z5tfB&^cSfXjTfT|qfwbKwAVGJi!AfzD<`gvM!XKSQD5dQhLvsH&(rIxBe&pn<vcmp
zF`GA*i5xH1HgC*oo>yEI4HUOtTE`YfeXo6973BYBJ-;ry&kuIVb$Pe*Y_|_+mpAOf
zJX!C(D#rm@8J32+Z4uGW?@OlFlfE4%BL218FZFLTJx2OkTp;B)U+RCt_%Y&t#q<Q}
z`;A{u{9BD5BmUFI$rGo`I0@oxG)_HnmKmpw^k+;j692Qt&l5jw`~-2HHBK{e`i)a0
zPQf^N;yh=ZR^l8pPBU>f8K+2`=l$~%=TYOd5@)M%nu+s*aoUOVxN+Ku^OWg5q~CA+
zR^q>C{2t;@nm$DOi1FKr|25P5Nr$YzTaN=Z=u4@F$?ti@;)CmFOz)?4e`ESE>EE<<
zhiKgontz%2_nF>I`YWc75dS;IA13~X%zu<PPnzCJ`m3gwiT{1$j}ZSR^B*J5%ci%H
zK5hCa@qcLiGVwQ<|4HJ!;p-A-nQ_|5|3{{e62HMXr^x?JUzhkhjMGE@KQVob_(|i8
zlmA=3F7dx;oPP2@ZTd;#|H|}n(sRb2AdWl)$nSZa)?I1(S<+uJ{S@(kVfqm9e`opx
z`QL5lbC&#fntqP-YUj}TTyOd$=~JekrFCm9o(vOzi>*6J`X@}EBK-#ApQCkO^Yfu~
zcVXRY!jg;6TmIbgDdSHQ|7PP%5&v~xm-y|*nIX<?=08oGzdN5e-Nu<E&h6$uL!4RX
z6X&pT0{Lgnf0pzM&L_@*acao_PV*1szsSDdS<+XTUPFIJhKyfJ{LRL%A<k~o>qx)K
z_<{JVO|K<g;xJGl2Kz8<QwUR!g)lJ}!tfjh=J33EVMz#Ye;|Ze1l1Whysu?g>Gt&f
zf2=ffQ$%_fL`=r9nk_gZ*P<GB6>K?dB}^XSuZPL?xe>Mwb}LL`^zE=TOyb&|up&&p
z!WP&rnB2Dy!sPzi2kU^XFE-TP0~>*T3$|o)L+vf5dB2GMw_!^$_Jd7Nt*Y$b3;nyW
zt1(vDZi03awj8>*e`@`0sQ1IZ2RjXGIrfc5-`><vD|$QZ3{3i>d;bFZJJCOgv7f=X
zAE0%?TH*5&YVKD->xS*d_|H-Q0p{8;+M>zWdDM$wYhXPv8T%t_55`2l5%xIjHQ3!h
z&TR7jpU{uNPQd<5?RDrs0sAY=+kZiOF|N&e)N<{|V6U6jjqgQ_3x4up1MD`~MwtBF
z%)s)nyI`APa!WPA?uT)?7lJ%9$={RRusyIg*r#FpVFzLMN{7}vOD80GKdXUBtj2AK
z_#J}09@fED!(y=c${Gx;h1~-C2rLdu!5U$A!0v&`-<<h=!*aVz2>uxC<FE%{pM>p&
zeFk;_)&=9=_yTCvuy$Apwivb)ChswFugUY}bufuPH^44;pRI@few3;TC_>xCBKLe{
zSy9=kXiHr9Ps%!Ss;}sO)Y>;&ov>Qsij-_rX^gREC|E;c4i|Zj`Cm$F#iZ>O?Hv_u
ziDO(Ou4(BX97qN^B%)(fMN&$ov>r2h%<8dGk2yW&^;nRjx~CM7Qa~zF6p&ItN&zVa
zq!f@+KuQ7Xm{veq0ci!KBV7S$1*8>_RzO+-X$7cDMgbWGWE7B5KqeYhKt=%>1!NSE
zQGgC+6_8axRsmTBWEGH&d=!vXKvn@+1*qJpfJOy0DxgsTjS6T~Kx5>ofJOy0DnNyt
z0&)t-DIlkSoC0zR$SEKf`70o&0Bz<KkXJxn0eJ=F6_8gzUIBRp<fB;%hz<%UD4?K#
zf&vN(C@7$yfPw-F3Mdr9Kxwf1;XVm_T8a{UQ06L%#N=yL#k0%jcZUT-wF_1+TT)X-
z(2;m2R*xW~&$gRa)IL$QWqI{BIM|%ZYESbQ&W}s5+IL!Ik2wij!0%6qwNf@jmBwRf
zN{rKDK}FYu;QkW#q)bYHL-821*Zlu+VeW|NWt%9mUdre^!N>ECSL*0GUAYcdu7g|w
z{~fd(>ib-2;Eq^R>ENM`zF133Q!JT^C*sLqO6TE@zK3GRN&`m^9qF^NjSUT{L@Jp~
zq;iQusxez==q`0-lIcvUBcJNtm^@w@>Q5ebmsB#HO6215#6N$Lkg_QJZH_%ka^F|g
z1m6en@#tM+Y4CXGu}YrxE|=$%_#!&zgC#bKUbeXD9En?^kCNVC`WWf*oGbpE-;z%)
z`YH1FJjyufTg-ogbk8Gl-bJ1<h0pm9d2SZHnK<%ZB|7J6+D)G#e|g3if6jAwo`CZf
z1Ln_ph#}KCui*O_oF_P8{``Lbr0I3r&_MC;tBkgsXN>f(n%+vE>uJ;L$^RMC6Qn<D
zdY<&>OfQoDyy?xPzhHVR=`WhzM*11k+ev@f^d8cGX?j2DzjZ!chgVD=BL7!SA0~a;
z^bykEFuhFro2HMF{+8)uq)T!|zQ>cKdmix=>7FMZC;b}ZOpsn@dOKYQ&kLR<f6wPl
zlJ5DrbEJE|ZHjcypG}kQ`LG$%J&!d@y6@w0{><~)ocDUbK5wnPtoZ%1*YqB`4!&Q<
zc{1OBixJ27&FV?_eXs=SzOR)h-S?@Ar2D>8GwHrB)JnSN-P=h2vVZTSf8F$cx(>e2
z(?kBgKhsaT@2d=v?)xFbr29U`2<g86P$u2?4Ms`#y#5&Jp4UG~`mgQto+ADCrVr6|
zm@<8w{5@YjLAvL;&ywzW>q*i*4}Few&nr)n?s?*A(mjtmL%Q!9%#wZ`o+~8IaNc)~
z>BDp#d_SD?(7un&d1Bv}u4_i1L-G60_mg9!`~EQRWBYzD??3zgE$=7$zH5>AvX3F3
zm-l-gG@bWp_d&nhzDJ06J<@mdk=_u0sPEx;Psh=oU`Nph2SR+Hba+6VLcG*-pnIUB
zw-n-orJ+Hc+0lEb6OE3+ju7uW(%W0=gAUwa$3fIR07R{*4u=mNJRrOy@lH*9=t19<
zlZmL(7v`kCFemkeIjJwqNqu2X>I-vHUzn5n!kpBXZFRqrI2jzck~rxM2b%Wo+`QvH
zdGLM@3c{u4QE>Z2#T!<aC8>)dc?<FNxZwE@8UE+o+!3GVc@D2@7Qz8V=1TGTQ7_69
zFGk1bdtSurJk9s~iPw@}78jrIc^I!f5990kd3b*<8j`E_`JNZ@+CQiJ`}un<?^nX~
z`OTJB^7<~HXtmFCS@OU#zuE+U&n+9r(njv?`&bwIvL_{T?J`|_@4Wc`Ugqi7%hyNx
zOiL4vvcAtR+TRiX|FoD7MDFkS{$$@k<|l02t9H9^y)IZSzEZrF{RY2wI$(!Mn?GT{
rKY4$aQ}Ofn??v`m=oFPuUZ+)<Z~bUA+Pk>i{D0Z}J~}x+Z=e5fsE*x;

literal 0
HcmV?d00001

-- 
2.30.2