In kldxref.c:read_kld() we have a 33-byte cval buffer: char ... cval[MAXMODNAME + 1] ... into which we read a string: check(EF_SEG_READ(&ef, (Elf_Off)md.md_cval, sizeof(cval), cval)); This requires that a 33-byte read is successful, however it may fail if the string is shorter than 32 characters (plus the NUL) and is located near the highest allocated address. It appears this has never been an issue with ld.bfd, which places a loadable .comment section after other sections of interest, so kldxref is free to read unrelated data beyond the end of the cval string. ld.lld however places .comment early in the section list, and so the cval may be in a .data or .rodata section that comes at the end of the section list. (CTF data may also be after .data/.rodata and would mitigate this issue; it may happen only with CTF disabled)
Created attachment 189412 [details] Reproduction case for kldxref issue
Created attachment 189413 [details] Module that demonstrates the issue
Create a directory and uncompress pty.ko.gz there. Then % cd <dir> % kldxref -v . volta% kldxref -v . ./lhint.YF8PCY kldxref: elf_open(./lhint.YF8PCY): Inappropriate file type or format ./pty.ko kldxref: ef_seg_read_rel(./pty.ko): bad offset/len (552:33) kldxref: error while reading ./pty.ko: Bad address The "bad offset/len" is the issue described here.
A commit references this bug: Author: emaste Date: Tue Jan 16 18:20:12 UTC 2018 New revision: 328052 URL: https://svnweb.freebsd.org/changeset/base/328052 Log: kldxref: handle modules with md_cval at the end of allocated sections Attempting to retrieve an md_cval string from a kernel module with kldxref would throw a offset error for modules created using lld, since this value would be placed at the end of all allocated sections. Add an ef_read_seg_string method to the ef interface, to allow reading strings of varying size without attempting to read beyond the segment's bounds. PR: 224875 Submitted by: Mitchell Horne <mhorne063@gmail.com> Reviewed by: cem, kib Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D13923 Changes: head/usr.sbin/kldxref/ef.c head/usr.sbin/kldxref/ef.h head/usr.sbin/kldxref/ef_obj.c head/usr.sbin/kldxref/kldxref.c
A commit references this bug: Author: emaste Date: Tue Feb 13 22:40:33 UTC 2018 New revision: 329247 URL: https://svnweb.freebsd.org/changeset/base/329247 Log: MFC r328052: kldxref: handle modules with md_cval at end of allocated secs Attempting to retrieve an md_cval string from a kernel module with kldxref would throw a offset error for modules created using lld, since this value would be placed at the end of all allocated sections. Add an ef_read_seg_string method to the ef interface, to allow reading strings of varying size without attempting to read beyond the segment's bounds. PR: 224875 Submitted by: Mitchell Horne <mhorne063@gmail.com> Sponsored by: The FreeBSD Foundation Changes: _U stable/11/ stable/11/usr.sbin/kldxref/ef.c stable/11/usr.sbin/kldxref/ef.h stable/11/usr.sbin/kldxref/ef_obj.c stable/11/usr.sbin/kldxref/kldxref.c