I'm looking at an ELF on Linux and I have readelf --segments ./myELF which shows:

Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  PHDR           0x000040 0x0000000000400040 0x0000000000400040 0x0001f8 0x0001f8 R   0x8
  INTERP         0x000238 0x0000000000400238 0x0000000000400238 0x00001c 0x00001c R   0x1
      [Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x000ad8 0x000ad8 R E 0x200000
  LOAD           0x000e00 0x0000000000600e00 0x0000000000600e00 0x000250 0x000260 RW  0x200000
  DYNAMIC        0x000e10 0x0000000000600e10 0x0000000000600e10 0x0001e0 0x0001e0 RW  0x8
  NOTE           0x000254 0x0000000000400254 0x0000000000400254 0x000044 0x000044 R   0x4
  GNU_EH_FRAME   0x000940 0x0000000000400940 0x0000000000400940 0x00004c 0x00004c R   0x4
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x000e00 0x0000000000600e00 0x0000000000600e00 0x000200 0x000200 R   0x1

 Section to Segment mapping:
  Segment Sections...
   00     
   01     .interp 
   02     .interp .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame 
   03     .init_array .fini_array .dynamic .got .got.plt .data .bss 
   04     .dynamic 
   05     .note.ABI-tag .note.gnu.build-id 
   06     .eh_frame_hdr 
   07     
   08     .init_array .fini_array .dynamic .got 

I am trying to confirm whether or not the segments shown here correspond directly with the segment numbers shown in the section-segment mapping below, such that segment 03, which contains .init_array .fini_array .dynamic .got .got.plt .data .bss, corresponds with the fourth segment down in the top table, which is of type LOAD and will thus definitely be RW at runtime? What is another way to learn about the segment/section mapping at runtime? I know for example that I can use vmmap in gdb-gef at runtime to view where things are located in the process' virtual memory, but it seems that output shows a different set of memory spaces than the specific concept of "segments" or "sections".

1 Answer

What you're seeing in gdb with the vmmap command is the region allocations. To determine which region a section has been loaded in you can use the maintenance info sections command.

For example:

gef➤  vmmap 
[ Legend:  Code | Heap | Stack ]
Start              End                Offset             Perm Path
0x00000000400000 0x00000000401000 0x00000000000000 r-x /home/...
0x00000000600000 0x00000000601000 0x00000000000000 r-- /home/...
0x00000000601000 0x00000000602000 0x00000000001000 rw- /home/...

The writable region starts at 0x00000000601000.

gef➤  maintenance info sections
Exec file: `/home/...', file type elf64-x86-64.
...
 [23]     0x00601040->0x00601044 at 0x00001040: .data ALLOC LOAD DATA HAS_CONTENTS
 [24]     0x00601044->0x00601048 at 0x00001044: .bss ALLOC
...

Only the .data and .bss sections are within the writable region at runtime.

  • Thanks. So one followup here - my ELF has a situation where the .got shows this when I run maintenance info sections: [21] 0x00600ff8->0x00601000 at 0x00000ff8: .got ALLOC LOAD DATA HAS_CONTENTS, however, in the vm readout, the permission is only r--. So now I'm wondering why the maint info sections listing doesn't also show the READONLY tag? I would expect that tag would be applied since according to vm that memory is in fact only readonly, but it's not. See reference example: 0x00400520->0x00400722 at 0x00000520: .text ALLOC LOAD READONLY CODE HAS_CONTENTS
    – the_endian
    Commented Nov 27, 2022 at 5:18
  • I'm not sure... just guessing, the GOT is fixed up by the loader so it does need to be writable at least at some point while the process is being started.
    Commented Nov 27, 2022 at 11:30
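
Added example, not part of the original question, answer or comments: a small Python model that turns the LOAD and GNU_RELRO program headers from the readelf output in the question into the page-level regions vmmap shows, which is why .got ends up r-- while .data stays rw-. It assumes 4 KiB pages and glibc's behaviour of rounding both ends of the GNU_RELRO range down to a page boundary before making it read-only; the function names are hypothetical.

```python
PAGE = 0x1000  # assumption: 4 KiB pages, as in the vmmap output above

# LOAD and GNU_RELRO lines copied from the readelf output in the question.
READELF = """\
  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x000ad8 0x000ad8 R E 0x200000
  LOAD           0x000e00 0x0000000000600e00 0x0000000000600e00 0x000250 0x000260 RW  0x200000
  GNU_RELRO      0x000e00 0x0000000000600e00 0x0000000000600e00 0x000200 0x000200 R   0x1
"""

def parse(text):
    """Yield (type, vaddr, memsz, flags) for each program header line."""
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 8:          # skip headings and the interpreter note
            continue
        # The Flg column may split into several tokens ("R E"), so join them.
        yield tok[0], int(tok[2], 16), int(tok[5], 16), "".join(tok[6:-1])

def runtime_map(text):
    """Return sorted [(start, end, perms)] page ranges once the loader is done."""
    headers = list(parse(text))
    pages = {}
    for typ, vaddr, memsz, flags in headers:
        if typ == "LOAD":         # mapped with page granularity
            perms = "".join(c if f in flags else "-" for f, c in zip("RWE", "rwx"))
            for p in range(vaddr & -PAGE, (vaddr + memsz + PAGE - 1) & -PAGE, PAGE):
                pages[p] = perms
    for typ, vaddr, memsz, flags in headers:
        if typ == "GNU_RELRO":    # whole pages inside the range become read-only
            for p in range(vaddr & -PAGE, (vaddr + memsz) & -PAGE, PAGE):
                pages[p] = "r--"
    regions = []
    for p in sorted(pages):       # merge adjacent pages with equal permissions
        if regions and regions[-1][1] == p and regions[-1][2] == pages[p]:
            regions[-1] = (regions[-1][0], p + PAGE, pages[p])
        else:
            regions.append((p, p + PAGE, pages[p]))
    return regions

def perms_at(regions, addr):
    """Runtime permissions of the page holding addr, or None if unmapped."""
    return next((p for s, e, p in regions if s <= addr < e), None)

if __name__ == "__main__":
    regions = runtime_map(READELF)
    for start, end, perms in regions:
        print(f"{start:#018x} {end:#018x} {perms}")
    print(".got  @0x600ff8:", perms_at(regions, 0x600ff8))  # address from the comment
    print(".data @0x601040:", perms_at(regions, 0x601040))  # address from the answer
```

The section flags printed by maintenance info sections come from the ELF file's section headers, while the r-- on the .got page is applied to the mapping by the loader after relocation, so the two views can differ.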
