
Missing exports for a FreeBSD ELF

Open · trufae opened this issue 4 years ago · 1 comment

Environment

Tue Dec 22 16:06:26 CET 2020
radare2 5.0.0 27723 @ darwin-x86-64 git.
commit: e9494756b4915ad40c514979d08082510801ac8e build: 2020-12-22__13:00:57
Darwin x86_64

Description

Seems like the exports (actually import relocs) from a FreeBSD ELF binary are not loaded as flags, so .iE* is needed.

Test

$ r2 freebsd-ls
[0x00203bc0]> iE
[Exports]

nth paddr       vaddr      bind   type size lib name
----------------------------------------------------
77   0x000077d0 0x0020a7d0 GLOBAL OBJ  8        __progname
78   ---------- 0x0020aaa0 GLOBAL OBJ  8        environ
79   ---------- 0x0020acc0 GLOBAL OBJ  4        __isthreaded
80   ---------- 0x0020ace0 GLOBAL OBJ  64       __stack_chk_guard
81   ---------- 0x0020acd0 GLOBAL OBJ  8        __stdoutp
82   ---------- 0x0020acb0 GLOBAL OBJ  8        optarg
83   ---------- 0x0020ad38 GLOBAL OBJ  4        __mb_sb_limit
84   ---------- 0x0020acb8 GLOBAL OBJ  4        optind
85   ---------- 0x0020ad30 GLOBAL OBJ  8        _CurrentRuneLocale
86   ---------- 0x0020ad20 GLOBAL OBJ  8        __stderrp

[0x00203bc0]> iE*
fs exports
"f sym.__progname 8 0x0020a7d0"
"f sym.environ 8 0x0020aaa0"
"f sym.__isthreaded 4 0x0020acc0"
"f sym.__stack_chk_guard 64 0x0020ace0"
"f sym.__stdoutp 8 0x0020acd0"
"f sym.optarg 8 0x0020acb0"
"f sym.__mb_sb_limit 4 0x0020ad38"
"f sym.optind 4 0x0020acb8"
"f sym._CurrentRuneLocale 8 0x0020ad30"
"f sym.__stderrp 8 0x0020ad20"

[0x00203bc0]> s sym.optarg
Cannot seek to unknown address 'sym.optarg'
[0x00203bc0]> .iE*
[0x00203bc0]> s sym.optarg
[0x0020acb0]> pd 4
            ;-- reloc.optarg, obj.optarg, sym.optarg:
            0x0020acb0         .qword 0x0000000000000000                     ; RELOC 64 optarg @ 0x0020acb0
            ;-- reloc.optind, obj.optind, sym.optind:
            0x0020acb8         .qword 0x0000000000000000                     ; RELOC 64 optind @ 0x0020acb8
            ;-- reloc.__isthreaded, obj.__isthreaded, sym.__isthreaded:
            0x0020acc0         .qword 0x0000000000000000                     ; RELOC 64 __isthreaded @ 0x0020acc0
            0x0020acc8      add   byte [rax], al
[0x0020acb0]>

trufae, Dec 22 '20 15:12

@trufae This goes a bit the same way, and AFAIK has for quite some time, in Linux binaries with the radare2 Linux versions too.

After the .dynsym section in the ELF is loaded and the non-UND symbols (read: imports), which are defined as "exported symbols", are parsed as the export table (iE) in radare2, NOT every symbol is loaded as a flag, and I thought this was a feature or something. So when this happens I always seek to the address, not the flag.

PoC:

(in Linux, file /bin/ls)

[0x00003d2e]> iE*
fs exports
"f sym._fini 0 0x00015ec4"
"f sym.main 6398 0x00002430"
"f sym._init 0 0x00001d14"
"f sym.__bss_start 0 0x00023324"
"f sym.version_etc_copyright 47 0x0001abe0"
"f sym._IO_stdin_used 4 0x00015ee4"
"f sym.quoting_style_args 44 0x00022e80"
"f sym._end 0 0x00024398"
"f sym._obstack_memory_used 33 0x00013fc0"
"f sym.obstack_alloc_failed_handler 4 0x00023320"
"f sym._obstack_begin 35 0x00013dc0"
"f sym._edata 0 0x00023324"
"f sym._obstack_free 113 0x00013f40"
"f sym._obstack_allocated_p 48 0x00013f10"
"f sym._obstack_begin_1 42 0x00013df0"
"f sym.close_stdout 198 0x0000ae20"
"f sym._obstack_newchunk 227 0x00013e20"

[0x00003d2e]> s sym._edata
Cannot seek to unknown address 'sym._edata'
[0x00003d2e]> s sym.main
[0x00002430]> s sym._edata
Cannot seek to unknown address 'sym._edata'
[0x00002430]>
[0x00002430]> r2 -v
radare2 5.0.0 0 @ linux-x86-32 git.
commit: HEAD build: 2020-12-22__00:22:47

So no, it is not only for FreeBSD..

unixfreaxjp, Dec 23 '20 19:12

Same issue as https://github.com/radareorg/radare2/issues/17010 I think

trufae, Jun 01 '23 17:06

Closing, the reason why this happens is because those symbols are located in the BSS section, so they have no physical address associated. At the end, those should be imports from libc, but that's not the case because potatoes. FreeBSD is also doing the same, and it's actually the runtime linker that fills those symbols using the reloc info (you can check this using the ir command).

That's what "B" means in the nm output. And the output of r2 and objdump/nm make sense, despite the fact that they differ.

trufae, Jun 02 '23 11:06
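The closing comment above, and unixfreaxjp's Linux /bin/ls reproduction earlier in the thread, both come down to the same ELF fact: a symbol whose virtual address falls in the zero-filled tail of a PT_LOAD segment (p_memsz larger than p_filesz, i.e. .bss) has no bytes in the file, which is why the paddr column in the iE table shows dashes and why the symbol is only materialised by the runtime linker through its reloc. The script below is an added example and is not radare2's own code. It builds a constructed, minimal ELF64 image (two PT_LOAD segments, no section headers; the offsets and sizes are made up for illustration), reuses the symbol names and vaddrs from the FreeBSD iE table in the issue, and maps each vaddr to a file offset the way a loader-based paddr lookup would, returning None for addresses that only exist in memory. It lets an analyst check, for a file on disk, which exported objects actually have backing bytes and which are filled in at load time.

```python
import struct

PT_LOAD = 1


def parse_phdrs(elf):
    """Return the program headers of a little-endian ELF64 image as dicts."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    # ELF64 header layout: e_phoff at offset 32, e_phentsize/e_phnum at 54/56.
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    phdrs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type, _flags, p_offset, p_vaddr, _paddr,
         p_filesz, p_memsz, _align) = struct.unpack_from("<IIQQQQQQ", elf, off)
        phdrs.append({"type": p_type, "offset": p_offset, "vaddr": p_vaddr,
                      "filesz": p_filesz, "memsz": p_memsz})
    return phdrs


def vaddr_to_paddr(phdrs, vaddr):
    """Map a virtual address to a file offset using the PT_LOAD segments.

    Returns None when the address lies in the part of a segment that has
    memory size but no file size (the .bss / NOBITS tail), or when no
    loadable segment covers it at all.
    """
    for ph in phdrs:
        if ph["type"] != PT_LOAD:
            continue
        if ph["vaddr"] <= vaddr < ph["vaddr"] + ph["memsz"]:
            if vaddr < ph["vaddr"] + ph["filesz"]:
                return ph["offset"] + (vaddr - ph["vaddr"])
            return None  # in memory only; filled by the runtime linker
    return None


def build_sample_elf():
    """Constructed ELF64 image (hypothetical layout, not a real binary).

    The data segment has 0x800 bytes in the file but 0x1000 in memory, so
    everything from 0x20a800 upward behaves like .bss.
    """
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               2, 62, 1, 0x203BC0,  # ET_EXEC, x86-64, entry
                               64, 0, 0,            # e_phoff, e_shoff, e_flags
                               64, 56, 2,           # ehsize, phentsize, phnum
                               64, 0, 0)            # shentsize, shnum, shstrndx
    text = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0x0000, 0x200000, 0x200000,
                       0x8000, 0x8000, 0x1000)
    data = struct.pack("<IIQQQQQQ", PT_LOAD, 6, 0x7000, 0x20A000, 0x20A000,
                       0x0800, 0x1000, 0x1000)
    return ehdr + text + data


# Names, vaddrs and sizes taken from the issue's iE table; the sample ELF
# above is laid out so that only __progname has file-backed bytes.
SAMPLE_EXPORTS = [
    ("__progname", 0x20A7D0, 8),
    ("environ", 0x20AAA0, 8),
    ("__isthreaded", 0x20ACC0, 4),
    ("optarg", 0x20ACB0, 8),
]


def resolve_exports(elf, exports):
    """Return {name: paddr-or-None} for each (name, vaddr, size) export."""
    phdrs = parse_phdrs(elf)
    return {name: vaddr_to_paddr(phdrs, vaddr) for name, vaddr, _ in exports}


def format_table(elf, exports):
    """Render an iE-style table, printing dashes where there is no paddr."""
    phdrs = parse_phdrs(elf)
    rows = ["paddr      vaddr      size name"]
    for name, vaddr, size in exports:
        paddr = vaddr_to_paddr(phdrs, vaddr)
        paddr_s = f"0x{paddr:08x}" if paddr is not None else "-" * 10
        rows.append(f"{paddr_s} 0x{vaddr:08x} {size:<4} {name}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(format_table(build_sample_elf(), SAMPLE_EXPORTS))
```

Running it prints __progname with a file offset and the other three with a dashed paddr, mirroring the iE output in the issue. A symbol reported with no paddr here is one whose value is only meaningful after the runtime linker has processed the corresponding reloc, so static analysis of the file alone cannot show its contents, which is consistent with the closing comment's advice to check the reloc listing (ir).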