#!/usr/bin/python3
"""
Check that debug symbols are present in shared objects and can identify
code.
It starts scanning from a directory and recursively scans all ELF
files found in it for various symbols to ensure all debuginfo is
present and nothing has been stripped.
Usage:
./check-debug-symbols /path/of/dir/to/scan/
Example:
./check-debug-symbols /usr/lib64
"""
# This technique was explained to me by Mark Wielaard (mjw).
import collections
import os
import re
import subprocess
import sys
# Outcome of scanning one file: the path that was scanned plus one flag per
# check performed by scan_file().
ScanResult = collections.namedtuple(
    'ScanResult',
    ['file_name', 'debug_info', 'debug_abbrev', 'file_symbols', 'gnu_debuglink'],
)
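def scan_file(file):
    """Scan one file with eu-readelf and return a ScanResult for it.

    Runs ``eu-readelf -S`` (section headers) and ``eu-readelf -s`` (symbol
    tables) on *file*. Both calls use ``check=True``, so a failing eu-readelf
    raises subprocess.CalledProcessError rather than being read as "nothing
    found".

    The ScanResult holds, in order: the file name, whether a .debug_info
    section is present, whether a .debug_abbrev section is present, whether
    at least one FILE symbol was seen, and whether a .gnu_debuglink section
    is present.
    """

    def contains_file_symbols(line):
        """Return a truthy value if *line* looks like a FILE symbol row."""
        parts = line.split()
        if len(parts) < 8:
            return False
        # NOTE(review): every part of this pattern is optional, so re.match()
        # succeeds for any name; the extension list does not actually
        # restrict which FILE symbols are accepted.
        return \
            parts[2] == '0' and parts[3] == 'FILE' and parts[4] == 'LOCAL' and parts[5] == 'DEFAULT' and \
            parts[6] == 'ABS' and re.match(r'((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx))?', parts[7])

    # Test for .debug_* sections in the shared object. This is the main test.
    # Stripped objects will not contain these.
    readelf_S_result = subprocess.run(['eu-readelf', '-S', file],
                                      stdout=subprocess.PIPE, encoding='utf-8', check=True)
    section_lines = readelf_S_result.stdout.split('\n')
    has_debug_info = any('] .debug_info' in line for line in section_lines)
    has_debug_abbrev = any('] .debug_abbrev' in line for line in section_lines)

    # Test that there are no .gnu_debuglink sections pointing to another
    # debuginfo file. There shouldn't be any debuginfo files, so the link makes
    # no sense either.
    # .gnu_debuglink is a section, so it has to be looked up in the section
    # header listing (-S). Searching the symbol listing (-s) for a
    # '] .gnu_debuglink' header row never matched, which left this check
    # unable to report anything.
    has_gnu_debuglink = any('] .gnu_debuglink' in line for line in section_lines)

    # Test FILE symbols. These will most likely be removed by anything that
    # manipulates symbol tables because it's generally useless. So a nice test
    # that nothing has messed with symbols.
    readelf_s_result = subprocess.run(['eu-readelf', '-s', file],
                                      stdout=subprocess.PIPE, encoding='utf-8', check=True)
    has_file_symbols = any(contains_file_symbols(line)
                           for line in readelf_s_result.stdout.split('\n'))

    return ScanResult(file, has_debug_info, has_debug_abbrev, has_file_symbols, has_gnu_debuglink)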
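def is_elf(file):
    """Return a match object if file(1) describes *file* as a 64-bit ELF
    executable or shared object, otherwise None.

    Only "ELF 64-bit" descriptions are accepted; anything else is treated as
    not scannable. ``check=True`` makes a failing file(1) raise
    subprocess.CalledProcessError.
    """
    # --brief stops file(1) from echoing the path in front of the description.
    # Without it the pattern below is searched over the file name as well, so
    # a path that merely contains the matched text would be classified as ELF.
    result = subprocess.run(['file', '--brief', file],
                            stdout=subprocess.PIPE, encoding='utf-8', check=True)
    return re.search(r'ELF 64-bit [LM]SB (?:pie )?(?:executable|shared object)', result.stdout)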
def scan_file_if_sensible(file):
    """Scan *file* when is_elf() accepts it; return None for anything else."""
    return scan_file(file) if is_elf(file) else None
def scan_dir(dir):
    """Walk *dir* recursively and return the scan results of its files.

    Every file found by os.walk() is handed to scan_file_if_sensible();
    falsy results (files that were not scanned) are left out of the list.
    """
    found = []
    for parent, _subdirs, names in os.walk(dir):
        outcomes = (scan_file_if_sensible(os.path.join(parent, name)) for name in names)
        found.extend(outcome for outcome in outcomes if outcome)
    return found
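def scan(file):
    """Scan a directory tree or a single file and return a list of ScanResults.

    *file* is made absolute first. A directory is scanned recursively via
    scan_dir(); a regular file is scanned via scan_file_if_sensible() and
    contributes an empty list when that returns nothing, matching how
    scan_dir() skips such files.

    Raises:
        ValueError: *file* is neither a directory nor a regular file (for
            example, it does not exist). Failing loudly keeps a mistyped
            path from looking like a clean scan.
    """
    path = os.path.abspath(file)
    if os.path.isdir(path):
        return scan_dir(path)
    if os.path.isfile(path):
        result = scan_file_if_sensible(path)
        # Previously a skipped file produced [None], which later failed on
        # attribute access when the results were printed.
        return [result] if result else []
    # Previously this fell through and returned None, which the caller
    # cannot extend a list with.
    raise ValueError('not a regular file or directory: ' + path)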
def is_bad_result(result):
    """Return a truthy value when *result* records at least one failed check.

    A result is bad when .debug_info, .debug_abbrev or FILE symbols are
    missing, or when a .gnu_debuglink section was found.
    """
    must_be_present = (result.debug_info, result.debug_abbrev, result.file_symbols)
    if not all(must_be_present):
        return True
    return result.gnu_debuglink
def print_scan_results(results, verbose):
    """Print one error line per failed check for every result.

    When *verbose* is true, a result with no failed checks gets an "OK" line
    instead; otherwise clean results print nothing.
    """
    for result in results:
        name = result.file_name
        complaints = []
        if not result.debug_info:
            complaints.append('error: missing .debug_info section in')
        if not result.debug_abbrev:
            complaints.append('error: missing .debug_abbrev section in')
        if not result.file_symbols:
            complaints.append('error: missing FILE symbols in')
        if result.gnu_debuglink:
            complaints.append('error: unexpected .gnu_debuglink section in')

        for complaint in complaints:
            print(complaint, name)
        if verbose and not complaints:
            print('OK: ', name)
def main(args):
    """Scan every path named in *args* and return the process exit status.

    ``--verbose`` or ``-v`` anywhere in *args* turns on "OK" lines for clean
    files; every other argument is treated as a path to scan. Returns 1 when
    any result is bad and 0 otherwise.
    """
    verbose_flags = ('--verbose', '-v')
    verbose = any(arg in verbose_flags for arg in args)
    paths = [arg for arg in args if arg not in verbose_flags]

    results = []
    for path in paths:
        results.extend(scan(path))

    print_scan_results(results, verbose)

    return 1 if any(is_bad_result(entry) for entry in results) else 0
# Script entry point: the return value of main() becomes the exit status.
if __name__ == '__main__':
    exit_status = main(sys.argv[1:])
    raise SystemExit(exit_status)