[Git][reproducible-builds/diffoscope][master] Detect whether the GNU_BUILD_ID field has been modified
Roland Clobus (@rclobus-guest)
gitlab at salsa.debian.org
Sun Oct 31 12:07:09 UTC 2021
Roland Clobus pushed to branch master at Reproducible Builds / diffoscope
Commits:
4cbae2d1 by Roland Clobus at 2021-10-31T13:03:00+01:00
Detect whether the GNU_BUILD_ID field has been modified
- - - - -
1 changed file:
- diffoscope/comparators/elf.py
Changes:
=====================================
diffoscope/comparators/elf.py
=====================================
@@ -22,6 +22,7 @@ import re
import logging
import subprocess
import collections
+import hashlib
from diffoscope.exc import OutputParsingError
from diffoscope.tools import get_tool_name, tool_required
@@ -460,6 +461,7 @@ class ElfContainer(DecompilableContainer):
]
output = our_check_output(cmd, shell=False, stderr=subprocess.DEVNULL)
has_debug_symbols = False
+ has_build_id = False
try:
output = output.decode("utf-8").split("\n")
@@ -481,6 +483,9 @@ class ElfContainer(DecompilableContainer):
if name.startswith(".debug") or name.startswith(".zdebug"):
has_debug_symbols = True
+ if name == '.note.gnu.build-id' and type == "NOTE":
+ has_build_id = True
+
if _should_skip_section(name, type):
continue
@@ -515,6 +520,13 @@ class ElfContainer(DecompilableContainer):
if not has_debug_symbols:
self._install_debug_symbols()
+ if has_build_id:
+ try:
+ self._verify_build_id()
+ except Exception:
+ # It is fine to skip the verification of the build_id
+ pass
+
@tool_required("objcopy")
def _install_debug_symbols(self):
if Config().use_dbgsym == "no":
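Review bot: The `except Exception: pass` around the new `self._verify_build_id()` call discards the failure silently, so a verification that crashed (for instance the regex scan in `_verify_build_id` finding no match and `m.end()` raising AttributeError on `None`) is indistinguishable from a file that verified cleanly. Keep it best-effort, but record why it was skipped: `except Exception as exc:` / `logger.debug("Skipping build-id verification of %s: %s", self.source.path, exc)`. The enclosing method starts before this hunk; the same silent-skip concern also applies to the regex in the `_verify_build_id` hunk below.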
@@ -632,6 +644,30 @@ class ElfContainer(DecompilableContainer):
logger.debug("Installed debug symbols at %s", dest_path)
+ def _verify_build_id(self):
+ """
+ Verify whether the NT_GNU_BUILD_ID field contains a sha1 checksum
+ that matches the binary. (#260)
+ """
+
+ with open(self.source.path, 'rb') as f:
+ blob = f.read()
+
+ # Magic valid: section ID=0x14 NT_GNU_BUILD_ID, Owner='GNU', followed by the sha1 checksum
+ m = re.search(b'\x14\x00\x00\x00\x03\x00\x00\x00\x47\x4e\x55\x00.{20}', blob)
+ build_id = blob[m.end()-20:m.end()].hex()
+ blob_with_reset_build_id = blob[:m.end()-20] + b'\x00' * 20 + blob[m.end():]
+
+ if hashlib.sha1(blob_with_reset_build_id).hexdigest() != build_id:
+ logger.warning(
+ 'The file (%s) has been modified after NT_GNU_BUILD_ID has been applied',
+ self.source.path)
+ logger.debug(
+ 'Expected value: %s Current value: %s',
+ hashlib.sha1(blob_with_reset_build_id).hexdigest(),
+ build_id)
+ return
+
def get_member_names(self):
decompiled_members = super().get_member_names()
return list(decompiled_members) + list(self._sections.keys())
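Review bot: The `.{20}` in the bytes pattern is compiled without `re.DOTALL`, so a build-id digest containing a 0x0a byte (roughly one in thirteen real SHA-1 values) never matches, `re.search` returns `None`, and `m.end()` raises AttributeError, which the caller swallows; pass `re.DOTALL` and guard `m is None` explicitly. The comment above the pattern appears to mislabel the fields: in the ELF note header the 0x14 is the descriptor size (20 bytes) and 0x03 the note type NT_GNU_BUILD_ID, with the name-size word skipped, and the fixed little-endian byte order presumably means big-endian objects are never checked. The SHA-1 of the blob is also computed twice; computing it once makes the warning and the debug line agree by construction. The warning text should be read with the caveat that a linker configured with a non-sha1 build-id style would also trip it, since the note does not record how the value was produced.
```python
        # ELF note fields after namesz: descsz=20, type=3 (NT_GNU_BUILD_ID),
        # then "GNU\0" and the 20-byte digest. re.DOTALL is required because
        # a bare '.' does not match 0x0a, which may occur inside the digest.
        m = re.search(b'\x14\x00\x00\x00\x03\x00\x00\x00\x47\x4e\x55\x00.{20}', blob, re.DOTALL)
        if m is None:
            return
        build_id = blob[m.end()-20:m.end()].hex()
        blob_with_reset_build_id = blob[:m.end()-20] + b'\x00' * 20 + blob[m.end():]
        expected = hashlib.sha1(blob_with_reset_build_id).hexdigest()
        if expected != build_id:
            # … unchanged: warning and debug logging, using expected for the debug line …
```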