Binary Ninja fails to process ELF files with corrupted sections

[romainthomas]

The library libshella-2.9.0.2.so in the attachments has corrupted sections such as Binary Ninja fails to load it. Generally speaking, sections are not used by ELF loaders [1] so that tools which only rely on these elements are prone to be broken on the corner cases.

It would be very convenient to have the option to load ELF files by only using segments [2].

While most of the information are available with ELF segments (dynamic symbols, relocations, ...)
the tricky point is the computation of the number of dynamic symbols [3]. An example of solution is available in LIEF: Parser.tcc#L478-L527

[1] Android ELF loader added some checks on the consistency of the section table compared to the Linux ELF loader.
[2] A Linux binary can run without sections (see ls.sectionless in the attachments)
[3] You don't have a DT_XXX entry that provides the dynamic symbol table size

Samples: https://github.com/Vector35/binaryninja-api/files/4654836/samples.zip

[ElykDeer]

I just ran into this as well, actually. Here a super simple repro: test.zip

ELF provided, but you can make it yourself with: arm-none-eabi-as test.S -o test.elf

The most strange part is that hex view is broken under the ELF, though it looks fine under raw.

Remove the .section text at the top and it works fine.

[jeffli678]

I will look into this very soon. It needs to be fixed!

[jvinnedge-novetta]

Hey, was just wondering if there had been any updates on this issue. I'm still seeing on BinaryNinja version 2.1.2263.

I recently ran into this myself when looking at a ELF that appears to have had the section headers removed by sstrip. In some cases, I was observing that the analysis failed to find functions even though they were listed in the symbol table (according to Ida).

I've attached a minimal test case with this comment. The sstrip implementation I used was from the ELFkickers tools, available from https://github.com/BR903/ELFkickers

I can provide more examples if needed. Thanks!

nosections-example.tar.gz

EDIT: I also attached an example where the callback_table is visible in the symbol table (according to Ida) but doesn't appear to be found.

test-mips.gz

[jeffli678]

I have been busy with other tasks so I have to get a chance to fix it. The good news is I already know how to fix it, just need some time to actually write the code.

[bpotchik]

@jvinnedge-novetta, Binary Ninja is up to version 2.1.2419-dev on the dev channel. In early September I have made several updates to better handle parse and handle the ELF dynamic table. Some of the samples posted by the OP appear to be handled fine now. The nosections example you posted appears to be handled. The test-mips example also appears to be handled, you can show exported data symbols in symbols view to see those exports.

[jvinnedge-novetta]

Wow, you guys are fast! I didn't expect a reply this quick, much less on a weekend. Thanks for the pointer, I'll switch over to the dev channel and give that a shot. Thanks!

[bpotchik]

By the way I did find another bug related to the test-mips binary. We were missing all of the imports due to some improper relocation handling. I pushed a fix for that issue in 2.1.2421-dev.