
Support for injected functions without relocations

Open timower opened this issue 4 years ago • 1 comment

I tried creating a dummy pass that injects a binary function. The AssignSection pass will put these functions in the injected code section. But without relocations I could not find these functions in the binary; they all had address zero.

I was able to get it working by patching the mapCodeSections function of the RewriteInstance. In the non-relocation mode it will allocate a new section only if the text section has a valid ID (see here). But the main text section will never get a valid ID as far as I can tell because the ID is assigned by the ORC layer when emitting code. As each function gets emitted in its own local section, the main text section never has an ID. So I changed the code from line 3336 to line 3353 to use the injected text section instead, which works.

My question is, is this just untested or am I injecting functions incorrectly?

timower, Feb 10 '21 07:02

Hi @timower, thanks for reporting this. I think you are correct in assuming this is untested. Function injection support was added to support "-insert-retpolines", which is used to mitigate security attacks. In such scenarios, if we lack relocations, we won't be able to cover the entire binary, so the feature becomes less effective, and that's why I think it was never well tested in non-relocations mode. To make it clear, BOLT can't always rewrite a function in non-relocation mode: if the transformations render the function larger than its original size and BOLT lacks profile data to split this function into separate "hot/cold" fragments, it will be unable to rewrite the function. That's because BOLT without relocs can't modify the layout of the functions succeeding the rewritten function to make more space for it in case we need it, so the transformed function needs to be smaller than the original.

For this reason, if you are planning on making a change that requires the whole binary to be processed, it is a good idea to use relocations.

Regardless of the merits of reloc vs nonreloc mode, however, this sounds like a bug to me, so if you submit your changes for code review, I will be happy to review them and incorporate them into the main repo.

rafaelauler, Mar 01 '21 23:03