1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
|
Box64 Seems Failing to Handle `.init_array`
### Description
These days, I tried to run my simple x64 applications with box64 on rv64gc platform. Box64 did run my simple hello-world program with all used libraries wrapped (e.g. libc), but failed to run my hash program with some libraries emulated (e.g. libcrypto). Here is my hash program:
```c
/* test.c */
#include <stdio.h>
#include <openssl/sha.h>
const char *hello = "Hello World";
int main() {
unsigned char hash[SHA_DIGEST_LENGTH];
SHA1((unsigned char *)hello, sizeof(hello) - 1, hash);
for (int i = 0; i < SHA_DIGEST_LENGTH; i++) {
printf("%02x", hash[i]);
}
return 0;
}
```
I compiled this program with `gcc test.c -o test -lssl -lcrypto`, and run `BOX64_PREFER_EMULATED=1 ./box64 ./test`. It emited the log:
<details>
<summary>the log</summary>
<pre>
Dynarec for RISC-V With extension: I M A F D C Zba Zbb Zbc Zbs Vector PageSize:4096 Running on Unknown CPU with 16 Cores
Will use Hardware counter measured at 2.3 GHz
Params database has 14 entries
Box64 with Dynarec v0.2.9 cb064f9e built on Jun 29 2024 21:39:07
BOX64: Didn't detect 48bits of address space, considering it's 39bits
Counted 119 Env var
BOX64 LIB PATH: /usr/riscv64-linux-gnu/lib/:/lib/:./:lib/:lib64/:x86_64/:bin64/:libs64/
BOX64 BIN PATH: (( omitted ))
Looking for test
Rename process to "test"
Error initializing native libssl.so.3 (last dlerror is libssl.so.3: cannot open shared object file: No such file or directory)
Using emulated /lib/libssl.so.3
Error initializing native libcrypto.so.3 (last dlerror is libcrypto.so.3: cannot open shared object file: No such file or directory)
Using emulated /lib/libcrypto.so.3
Using native(wrapped) libc.so.6
Using native(wrapped) ld-linux-x86-64.so.2
Using native(wrapped) libpthread.so.0
Using native(wrapped) libdl.so.2
Using native(wrapped) libutil.so.1
Using native(wrapped) libresolv.so.2
Using native(wrapped) librt.so.1
Using native(wrapped) libbsd.so.0
FillBlock triggered a segfault at 0x4d100 from 0x3528682a
FillBlock at 0x4d100 triggered a segfault, canceling
393292|SIGSEGV @0x351b2a96 (???(test+0x9b2a96)) (x64pc=0x4d100/???:"???", rsp=0x7470313fe1f8, stack=0x747030c00000:0x747031400000 own=(nil) fp=0x7470313fe200), for accessing 0x4d100 (code=1/prot=87), db=(nil)((nil):(nil)/(nil):(nil)/???:clean, hash:0/0) handler=(nil)
RSP-0x20:0x00007470313fe200 RSP-0x18:0x0000000000000000 RSP-0x10:0x0000003f0104c01b RSP-0x08:0x0000000000000000
RSP+0x00:0x0000000000010080 RSP+0x08:0x0000000000000000 RSP+0x10:0x0000000000000001 RSP+0x18:0x00007470313fe6e1
RAX:0x0000000002d82203 RCX:0x0000000000000000 RDX:0x00007470313fe220 RBX:0x0000000000000000
RSP:0x00007470313fe1f8 RBP:0x00007470313fe200 RSI:0x00007470313fe210 RDI:0x0000000000000001
R8:0x0000000000000000 R9:0x02d8220300000000 R10:0x0000000047888915 R11:0x000000000000000f
R12:0x0000000000000000 R13:0x0000000000000000 R14:0x0000000000000000 R15:0x0000000000000000
ES:0x002b CS:0x0033 SS:0x002b DS:0x002b FS:0x0043 GS:0x0053
</pre>
</details>
<details>
<summary>the log (with `BOX64_LOG=2`)</summary>
<pre>
Debug level is 2
Dynarec for RISC-V With extension: I M A F D C Zba Zbb Zbc Zbs Vector PageSize:4096 Running on Unknown CPU with 16 Cores
Will use Hardware counter measured at 2.3 GHz
Params database has 14 entries
Box64 with Dynarec v0.2.9 cb064f9e built on Jun 29 2024 21:39:07
BOX64: Didn't detect 48bits of address space, considering it's 39bits
Setting up canary (for Stack protector) at FS:0x28, value:91314800
Counted 119 Env var
Env... (( omitted ))
BOX64 LIB PATH: /usr/riscv64-linux-gnu/lib/:/lib/:./:lib/:lib64/:x86_64/:bin64/:libs64/
BOX64 BIN PATH: (( omitted ))
Looking for ./test
Read 30 Section header
Read 13 Program header
Loading Sections Table String (idx = 29)
Loading SymTab Strings (idx = 28)
Loading SymTab (idx = 27)
Loading Dynamic (idx = 21)
The DT_INIT is at address 0x1000
The DT_FINI is at address 0x11dc
The DT_INIT_ARRAY is at address 0x3db0
The DT_INIT_ARRAYSZ is 1
The DT_FINI_ARRAY is at address 0x3db8
The DT_FINI_ARRAYSZ is 1
The DT_GNU_HASH is at address 0x3c0
The DT_VERNEED is at address 0x5a8
The DT_VERNEEDNUM is 2
RelA Table @0x608 (0xd8/0x18)
PLT Table @0x6e0 (type=7 0x48/0x18)
The GOT.PLT Table is at address 0x3fe8
The GOT Table is at address 0x3fc0..0x3fe8
The PLT Table is at address 0x1020..0x1060
The .gnu.version is at address 0x590
The .text is at address 0x1060, and is 377 big
The .eh_frame section is at address 0x2040..0x20bc
The .eh_frame_hdr section is at address 0x2018
Loading DynSym Strings (idx = 7)
Loading DynSym (idx = 6)
Adding "(( omitted ))/test" as #0 in elf collection
Elf Addr(v/p)=(nil)/(nil) Memsize=0x4038 (align=0x1000)
Elf Stack Memsize=1048576 (align=16)
Elf TLS Memsize=0 (align=0)
Pre-allocated 0x4038 byte at 0x100000000 for (( omitted ))/test
Delta of 0x100000000 (vaddr=(nil)) for Elf "(( omitted ))/test"
Mmaping 0x728(0x1000) bytes @0x100000000 for Elf "(( omitted ))/test"
Mmaping 0x1e9(0x1000) bytes @0x100001000 for Elf "(( omitted ))/test"
Mmaping 0xbc(0x1000) bytes @0x100002000 for Elf "(( omitted ))/test"
Allocating 0x3000 (0x100003000/0x288) bytes @0x100003000, will read 0x280 @0x100003db0 for Elf "(( omitted ))/test"
Rename process to "test"
Program linked with GLIBC 2.34+
Calc stack size, based on 1 elf(s)
Stack is @0x765a8b800000 size=0x800000 align=0x10
Allocate a new X86_64 Emu, with EIP=(nil) and Stack=0x765a8b800000/0x800000
Setup X86_64 Emu
Grabbing R_X86_64_COPY Relocation(s) in advance for (( omitted ))/test
Trying to add "libssl.so.3" to maplib
Trying to load "libssl.so.3"
Simplified name is "libssl.so.3"
Error initializing native libssl.so.3 (last dlerror is libssl.so.3: cannot open shared object file: No such file or directory)
Read 27 Section header
Read 11 Program header
Loading Sections Table String (idx = 26)
Loading SymTab Strings (idx = 0)
Loading SymTab (idx = 0)
Loading Dynamic (idx = 20)
The DT_INIT is at address 0x13000
The DT_FINI is at address 0xa0da4
The DT_INIT_ARRAY is at address 0xca730
The DT_INIT_ARRAYSZ is 1
The DT_FINI_ARRAY is at address 0xca738
The DT_FINI_ARRAYSZ is 1
The DT_GNU_HASH is at address 0x310
The DT_VERDEF is at address 0xf138
The DT_VERDEFNUM is 4
The DT_FLAGS is 0xa
The DT_VERNEED is at address 0xf1b8
The DT_VERNEEDNUM is 2
RelA Table @0xf2a8 (0x3768/0x18)
The GOT Table is at address 0xd3e50..0xd5000
The .gnu.version is at address 0xe82e
The .text is at address 0x13020, and is 580995 big
The .eh_frame section is at address 0xb7668..0xc9600
The .eh_frame_hdr section is at address 0xb4548
Loading DynSym Strings (idx = 5)
Loading DynSym (idx = 4)
Elf Addr(v/p)=(nil)/(nil) Memsize=0xd8770 (align=0x1000)
Elf Stack Memsize=1048576 (align=16)
Elf TLS Memsize=0 (align=0)
Pre-allocated 0xd8770 byte at 0x3f00000000 for /lib/libssl.so.3
Delta of 0x3f00000000 (vaddr=(nil)) for Elf "/lib/libssl.so.3"
Mmaping 0x12d68(0x13000) bytes @0x3f00000000 for Elf "/lib/libssl.so.3"
Mmaping 0x8ddb1(0x8e000) bytes @0x3f00013000 for Elf "/lib/libssl.so.3"
Mmaping 0x28600(0x29000) bytes @0x3f000a1000 for Elf "/lib/libssl.so.3"
Allocating 0x10000 (0x3f000ca000/0xe040) bytes @0x3f000ca000, will read 0xe000 @0x3f000ca730 for Elf "/lib/libssl.so.3"
Adding "/lib/libssl.so.3" as #1 in elf collection
Using emulated /lib/libssl.so.3
Trying to add "libcrypto.so.3" to maplib
Trying to load "libcrypto.so.3"
Simplified name is "libcrypto.so.3"
Error initializing native libcrypto.so.3 (last dlerror is libcrypto.so.3: cannot open shared object file: No such file or directory)
Read 27 Section header
Read 11 Program header
Loading Sections Table String (idx = 26)
Loading SymTab Strings (idx = 0)
Loading SymTab (idx = 0)
Loading Dynamic (idx = 20)
The DT_INIT is at address 0x4c000
The DT_FINI is at address 0x388d24
The DT_INIT_ARRAY is at address 0x465b90
The DT_INIT_ARRAYSZ is 1
The DT_FINI_ARRAY is at address 0x465b98
The DT_FINI_ARRAYSZ is 1
The DT_GNU_HASH is at address 0x310
The DT_VERDEF is at address 0x48da0
The DT_VERDEFNUM is 8
The DT_FLAGS is 0xa
The DT_VERNEED is at address 0x48eb0
The DT_VERNEEDNUM is 1
RelA Table @0x48fc0 (0xee8/0x18)
The GOT Table is at address 0x4c49f0..0x4c5000
The .gnu.version is at address 0x46156
The .text is at address 0x4d000, and is 3390755 big
The .eh_frame section is at address 0x3faa68..0x464a10
The .eh_frame_hdr section is at address 0x3e670c
Loading DynSym Strings (idx = 5)
Loading DynSym (idx = 4)
Elf Addr(v/p)=(nil)/(nil) Memsize=0x4cacc0 (align=0x1000)
Elf Stack Memsize=1048576 (align=16)
Elf TLS Memsize=0 (align=0)
Pre-allocated 0x4cacc0 byte at 0x3f01000000 for /lib/libcrypto.so.3
Delta of 0x3f01000000 (vaddr=(nil)) for Elf "/lib/libcrypto.so.3"
Mmaping 0x4b770(0x4c000) bytes @0x3f01000000 for Elf "/lib/libcrypto.so.3"
Mmaping 0x33cd31(0x33d000) bytes @0x3f0104c000 for Elf "/lib/libcrypto.so.3"
Mmaping 0xdba10(0xdc000) bytes @0x3f01389000 for Elf "/lib/libcrypto.so.3"
Allocating 0x67000 (0x3f01465000/0x65130) bytes @0x3f01465000, will read 0x61ff8 @0x3f01465b90 for Elf "/lib/libcrypto.so.3"
Adding "/lib/libcrypto.so.3" as #2 in elf collection
Using emulated /lib/libcrypto.so.3
Trying to add "libc.so.6" to maplib
Trying to load "libc.so.6"
Simplified name is "libc.so.6"
Using native(wrapped) libc.so.6
Trying to add "ld-linux-x86-64.so.2" to maplib
Trying to load "ld-linux-x86-64.so.2"
Simplified name is "ld-linux-x86-64.so.2"
Using native(wrapped) ld-linux-x86-64.so.2
Trying to add "libpthread.so.0" to maplib
Trying to load "libpthread.so.0"
Simplified name is "libpthread.so.0"
Using native(wrapped) libpthread.so.0
Trying to add "libdl.so.2" to maplib
Trying to load "libdl.so.2"
Simplified name is "libdl.so.2"
Using native(wrapped) libdl.so.2
Trying to add "libutil.so.1" to maplib
Trying to load "libutil.so.1"
Simplified name is "libutil.so.1"
Using native(wrapped) libutil.so.1
Trying to add "libresolv.so.2" to maplib
Trying to load "libresolv.so.2"
Simplified name is "libresolv.so.2"
Using native(wrapped) libresolv.so.2
Trying to add "librt.so.1" to maplib
Trying to load "librt.so.1"
Simplified name is "librt.so.1"
Using native(wrapped) librt.so.1
Trying to add "libbsd.so.0" to maplib
Trying to load "libbsd.so.0"
Simplified name is "libbsd.so.0"
Using native(wrapped) libbsd.so.0
Created lib and added to maplib => success
Created lib and added to maplib => success
Created lib and added to maplib => success
Created lib and added to maplib => success
Created lib and added to maplib => success
Created lib and added to maplib => success
Created lib and added to maplib => success
Created lib and added to maplib => success
Trying to add "libc.so.6" to maplib
Already present in maplib => success
Created lib and added to maplib => success
Forcing /lib/libcrypto.so.3 to Bind Now
Applying 159 Relocation(s) with Addend for /lib/libcrypto.so.3 bindnow=1, deepbind=0
Forcing /lib/libcrypto.so.3 to Bind Now
Created lib and added to maplib => success
Trying to add "libcrypto.so.3" to maplib
Already present in maplib => success
Trying to add "libc.so.6" to maplib
Already present in maplib => success
Created lib and added to maplib => success
Created lib and added to maplib => success
Forcing /lib/libssl.so.3 to Bind Now
Applying 591 Relocation(s) with Addend for /lib/libssl.so.3 bindnow=1, deepbind=0
Forcing /lib/libssl.so.3 to Bind Now
Created lib and added to maplib => success
And now export symbols / relocation for (( omitted ))/test...
Applying 9 Relocation(s) with Addend for (( omitted ))/test bindnow=0, deepbind=0
Applying 3 PLT Relocation(s) with Addend for (( omitted ))/test bindnow=0, deepbind=0
PLT Resolver injected in plt.got at 0x100003ff8
Calling Init for /lib/libcrypto.so.3 @0x3f0104c000
394474|0x3f011654eb: Calling getenv("OPENSSL_ia32cap") => return 0x0(nil)
Run X86 (0x36ecab30), RIP=0x3f011655aa, Stack=0x765a8bffe1d0 is32bits=0
Done Init for /lib/libcrypto.so.3
Calling Init[0] for /lib/libcrypto.so.3 @0x4d100
FillBlock triggered a segfault at 0x4d100 from 0x3528682a
FillBlock at 0x4d100 triggered a segfault, canceling
Run X86 (0x36ecab30), RIP=0x4d100, Stack=0x765a8bffe1f8 is32bits=0
394474|SIGSEGV @0x351b2a96 (???(./test+0x9b2a96)) (x64pc=0x4d100/???:"???", rsp=0x765a8bffe1f8, stack=0x765a8b800000:0x765a8c000000 own=(nil) fp=0x765a8bffe200), for accessing 0x4d100 (code=1/prot=87), db=(nil)((nil):(nil)/(nil):(nil)/???:clean, hash:0/0) handler=(nil)
RSP-0x20:0x0000765a8bffe200 RSP-0x18:0x0000000000000000 RSP-0x10:0x0000003f0104c01b RSP-0x08:0x0000000000000000
RSP+0x00:0x0000000000010080 RSP+0x08:0x0000000000000000 RSP+0x10:0x0000000000000001 RSP+0x18:0x0000765a8bffe6e1
RAX:0x0000000002d82203 RCX:0x0000000000000000 RDX:0x0000765a8bffe220 RBX:0x0000000000000000
RSP:0x0000765a8bffe1f8 RBP:0x0000765a8bffe200 RSI:0x0000765a8bffe210 RDI:0x0000000000000001
R8:0x0000000000000000 R9:0x02d8220300000000 R10:0x0000000047888915 R11:0x000000000000000f
R12:0x0000000000000000 R13:0x0000000000000000 R14:0x0000000000000000 R15:0x0000000000000000
ES:0x002b CS:0x0033 SS:0x002b DS:0x002b FS:0x0043 GS:0x0053
</pre>
</details>
### Investigation
I investigated the code via gdb, and found that the function `RunElfInit` in `src/elfs/elfloader.c` called `RunFunctionWithEmu` for `.init` and functions in `.init_array`:
https://github.com/ptitSeb/box64/blob/f9b74642a24afc78b9acb41ec8440cd98421849e/src/elfs/elfloader.c#L1108-L1118
When this issue happened, the pointer `p` is `0x0000003f0104c000` and `addr[i]` is `0x4d100` (**SEEMS TOO LOW???**)
I read `/proc/(( the pid ))/maps` and saw
```
... (( omitted ))
3f00000000-3f000ca000 r--p 00000000 103:09 39607298 /usr/lib/libssl.so.3
3f000ca000-3f000da000 rw-p 00000000 00:00 0
3f01000000-3f01465000 r--p 00000000 103:09 39607296 /usr/lib/libcrypto.so.3
3f01465000-3f014cc000 rw-p 00000000 00:00 0
... (( omitted ))
```
**Here is the problem**. The pointer `p` was ok because `0x3f0104c000 - 0x3f01000000` is `0x4c000` and `objdump -alDS /usr/libcrypto.so.3` told me:
```
Disassembly of section .init:
000000000004c000 <.init>:
4c000: f3 0f 1e fa endbr64
4c004: 48 83 ec 08 sub $0x8,%rsp
(( omitted ))
```
However, `addr[i]` (value = `0x4d100`) seemed too low! `objdump -alDS /usr/libcrypto.so.3` told me:
```
Disassembly of section .init_array:
0000000000465b90 <.init_array>:
465b90: 00 d1 add %dl,%cl
465b92: 04 00 add $0x0,%al
465b94: 00 00 add %al,(%rax)
...
```
Here was why `addr[i]` is `0x4d100` (actually a 4 bytes value: `0x0004d100`).
### Possible Fixes
I think box64 should handle `.init_array` properly, for example, relocating the entries in `.init_array`.
By the way, I can help to fix it if this is ok.
It is my first time to fix something for box64, so I would appreciate it if you tell me the proper way to fix this bug and guide me how to contribute for box64. Thanks!
|