[Git][reproducible-builds/diffoscope][master] Detect whether the GNU_BUILD_ID field has been modified

Roland Clobus (@rclobus-guest) gitlab at salsa.debian.org
Sun Oct 31 12:07:09 UTC 2021



Roland Clobus pushed to branch master at Reproducible Builds / diffoscope


Commits:
4cbae2d1 by Roland Clobus at 2021-10-31T13:03:00+01:00
Detect whether the GNU_BUILD_ID field has been modified

- - - - -


1 changed file:

- diffoscope/comparators/elf.py


Changes:

=====================================
diffoscope/comparators/elf.py
=====================================
@@ -22,6 +22,7 @@ import re
 import logging
 import subprocess
 import collections
+import hashlib
 
 from diffoscope.exc import OutputParsingError
 from diffoscope.tools import get_tool_name, tool_required
@@ -460,6 +461,7 @@ class ElfContainer(DecompilableContainer):
         ]
         output = our_check_output(cmd, shell=False, stderr=subprocess.DEVNULL)
         has_debug_symbols = False
+        has_build_id = False
 
         try:
             output = output.decode("utf-8").split("\n")
@@ -481,6 +483,9 @@ class ElfContainer(DecompilableContainer):
                 if name.startswith(".debug") or name.startswith(".zdebug"):
                     has_debug_symbols = True
 
+                if name == '.note.gnu.build-id' and type == "NOTE":
+                    has_build_id = True
+
                 if _should_skip_section(name, type):
                     continue
 
@@ -515,6 +520,13 @@ class ElfContainer(DecompilableContainer):
         if not has_debug_symbols:
             self._install_debug_symbols()
 
+        if has_build_id:
+            try:
+                self._verify_build_id()
+            except Exception:
+                # It is fine to skip the verification of the build_id
+                pass
+
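Review bot: The `except Exception: pass` wrapped around `self._verify_build_id()` discards every failure, including the AttributeError that `_verify_build_id` raises when its `re.search` finds no match (its body is in the last hunk), so a broken check is indistinguishable from a passed one. Keep it best-effort but make failures visible: `except Exception as exc:` / `logger.debug("Skipping build-id verification of %s: %s", self.source.path, exc)`. Since the verification only reads the file and logs, the failures worth tolerating are an `OSError` on the read and the no-note case; anything else is a bug in the check and should at least show up at debug level. The enclosing method starts outside this hunk.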
     @tool_required("objcopy")
     def _install_debug_symbols(self):
         if Config().use_dbgsym == "no":
@@ -632,6 +644,30 @@ class ElfContainer(DecompilableContainer):
 
         logger.debug("Installed debug symbols at %s", dest_path)
 
+    def _verify_build_id(self):
+        """
+        Verify whether the NT_GNU_BUILD_ID field contains a sha1 checksum
+        that matches the binary. (#260)
+        """
+
+        with open(self.source.path, 'rb') as f:
+            blob = f.read()
+
+        # Magic valid: section ID=0x14 NT_GNU_BUILD_ID, Owner='GNU', followed by the sha1 checksum
+        m = re.search(b'\x14\x00\x00\x00\x03\x00\x00\x00\x47\x4e\x55\x00.{20}', blob)
+        build_id = blob[m.end()-20:m.end()].hex()
+        blob_with_reset_build_id = blob[:m.end()-20] + b'\x00' * 20 + blob[m.end():]
+
+        if hashlib.sha1(blob_with_reset_build_id).hexdigest() != build_id:
+            logger.warning(
+                'The file (%s) has been modified after NT_GNU_BUILD_ID has been applied',
+                self.source.path)
+            logger.debug(
+                'Expected value: %s Current value: %s',
+                hashlib.sha1(blob_with_reset_build_id).hexdigest(),
+                build_id)
+        return
+
     def get_member_names(self):
         decompiled_members = super().get_member_names()
         return list(decompiled_members) + list(self._sections.keys())
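Review bot: `re.search` on the line following the "Magic valid" comment can return None, and even when the note is present `.{20}` will not match a build ID that contains byte 0x0a, because `.` excludes newline in a bytes pattern without `re.DOTALL`; the `m.end()` on the next line then raises AttributeError, which the caller swallows silently. Pass the flag and bail out explicitly: `m = re.search(b'\x14\x00\x00\x00\x03\x00\x00\x00\x47\x4e\x55\x00.{20}', blob, re.DOTALL)` followed by `if m is None: return`. The comment itself is misleading: 0x14 is the descriptor size (20 bytes) and the NT_GNU_BUILD_ID note type is the `\x03` that follows; the pattern also assumes a little-endian note header and takes the first occurrence anywhere in the file rather than the `.note.gnu.build-id` section, which is worth stating. Whether ld's `--build-id=sha1` equals the SHA-1 of the whole file image with the descriptor zeroed is not something this hunk establishes; if it does not, the warning will fire for untouched binaries, so confirm against binutils before relying on it. Minor: compute `hashlib.sha1(blob_with_reset_build_id).hexdigest()` once into a local instead of twice, drop the bare trailing `return`, and use double quotes to match the rest of the file (the detection hunk's `'.note.gnu.build-id'` too).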


