@jesstess
Created February 18, 2012 21:36
Where in an ELF executable do various types of strings live?
Inspired by "How to waste a lot of space without knowing": http://glandium.org/blog/?p=2361
Test file:
$ cat /tmp/test.c
char *ptr_global = "ptr_global_string";
char array_global[] = "array_global_string";
const char *const_ptr_global = "const_ptr_global_string";
const char const_array_global[] = "const_array_global_string";
int main() {
    return 0;
}
Test run on a 32-bit machine running Ubuntu:
$ uname -a
Linux aja 2.6.38-13-generic #53-Ubuntu SMP Mon Nov 28 19:23:39 UTC 2011 i686 i686 i386 GNU/Linux
For each of the strings in test.c, where does the string live, and, if applicable, where does the pointer to the string live?
ptr_global:
- string lives in .rodata
- ptr lives in .data, 4 bytes
array_global:
- string lives in .data section, 20 bytes, i.e. the length of the string including the NUL terminator
const_ptr_global:
- string lives in .rodata
- ptr lives in .data, 4 bytes
const_array_global:
- string lives in .rodata section, 26 bytes, i.e. the length of the string including the NUL terminator
===
Proof:
array_global_string is in .data:
$ readelf -x .data test
Hex dump of section '.data':
0x0804a008 00000000 00000000 60840408 61727261 ........`...arra
0x0804a018 795f676c 6f62616c 5f737472 696e6700 y_global_string.
0x0804a028 72840408 r...
All others are in .rodata:
$ readelf -x .rodata test
Hex dump of section '.rodata':
0x08048458 03000000 01000200 7074725f 676c6f62 ........ptr_glob
0x08048468 616c5f73 7472696e 6700636f 6e73745f al_string.const_
0x08048478 7074725f 676c6f62 616c5f73 7472696e ptr_global_strin
0x08048488 6700636f 6e73745f 61727261 795f676c g.const_array_gl
0x08048498 6f62616c 5f737472 696e6700 obal_string.
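We can see the bytes of the array_ strings themselves in the disassembly of the .rodata and .data sections. We can see the pointers to the ptr_ strings in .data. objdump -D decodes every section as if it were code, so the instruction mnemonics below are meaningless; read the hex byte column instead. For example, the bytes 60 84 04 08 at ptr_global are the little-endian address 0x08048460, which is where "ptr_global_string" starts in .rodata. (Note that the pointers are not constant, the strings are -- if we wanted a constant pointer to a constant string we would need `const char * const ptr`, and then the pointers would be in .rodata):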
$ objdump -D test
...
Disassembly of section .rodata:
0804848a <const_array_global>:
804848a: 63 6f 6e arpl %bp,0x6e(%edi)
804848d: 73 74 jae 8048503 <__FRAME_END__+0x5f>
804848f: 5f pop %edi
8048490: 61 popa
8048491: 72 72 jb 8048505 <__FRAME_END__+0x61>
8048493: 61 popa
8048494: 79 5f jns 80484f5 <__FRAME_END__+0x51>
8048496: 67 6c insb (%dx),%es:(%di)
8048498: 6f outsl %ds:(%esi),(%dx)
8048499: 62 61 6c bound %esp,0x6c(%ecx)
804849c: 5f pop %edi
804849d: 73 74 jae 8048513 <__FRAME_END__+0x6f>
804849f: 72 69 jb 804850a <__FRAME_END__+0x66>
80484a1: 6e outsb %ds:(%esi),(%dx)
80484a2: 67 addr16
...
Disassembly of section .data:
...
0804a010 <ptr_global>:
804a010: 60 pusha
804a011: 84 04 08 test %al,(%eax,%ecx,1)
0804a014 <array_global>:
804a014: 61 popa
804a015: 72 72 jb 804a089 <_end+0x55>
804a017: 61 popa
804a018: 79 5f jns 804a079 <_end+0x45>
804a01a: 67 6c insb (%dx),%es:(%di)
804a01c: 6f outsl %ds:(%esi),(%dx)
804a01d: 62 61 6c bound %esp,0x6c(%ecx)
804a020: 5f pop %edi
804a021: 73 74 jae 804a097 <_end+0x63>
804a023: 72 69 jb 804a08e <_end+0x5a>
804a025: 6e outsb %ds:(%esi),(%dx)
804a026: 67 00 72 84 add %dh,-0x7c(%bp,%si)
0804a028 <const_ptr_global>:
804a028: 72 84 jb 8049fae <_DYNAMIC+0x86>
804a02a: 04 08 add $0x8,%al
The symbols have entries in .symtab:
$ readelf -s test | egrep "ptr|global"
...
47: 0804a028 4 OBJECT GLOBAL DEFAULT 23 const_ptr_global
52: 0804848a 26 OBJECT GLOBAL DEFAULT 15 const_array_global
56: 0804a014 20 OBJECT GLOBAL DEFAULT 23 array_global
62: 0804a010 4 OBJECT GLOBAL DEFAULT 23 ptr_global
The symbol names have entries in .strtab:
$ readelf -p .strtab test | egrep "ptr|global"
...
[ 11d] const_ptr_global
[ 15e] const_array_global
[ 1aa] array_global
[ 1f2] ptr_global
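Added example (not part of the original gist): the same placement can be checked at run time on Linux by looking up each object's address in /proc/self/maps. const_const_ptr_global and the helper names are assumptions made here for the `const char * const` case mentioned above; in a position-independent executable that pointer needs a load-time relocation, so toolchains typically put it in .data.rel.ro (made read-only by RELRO) rather than .rodata.

```c
/* Added example, not from the gist. Linux-only: looks up each object's
 * address in /proc/self/maps to see whether its mapping is writable. */
#include <stdint.h>
#include <stdio.h>

char *ptr_global = "ptr_global_string";
char array_global[] = "array_global_string";
const char *const_ptr_global = "const_ptr_global_string";
const char const_array_global[] = "const_array_global_string";
/* Assumed extra variable: the `const char * const` case from the text. */
const char *const const_const_ptr_global = "const_const_ptr_global_string";

/* Returns 1 if addr is in a writable mapping, 0 if not, -1 if not found. */
int is_writable(const void *addr)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[1024], perms[5];
    unsigned long lo, hi;
    int result = -1;
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        /* Each line starts with "start-end perms", e.g. "08048000-08049000 r-xp" */
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3)
            continue;
        if ((uintptr_t)addr >= lo && (uintptr_t)addr < hi) {
            result = (perms[1] == 'w');
            break;
        }
    }
    fclose(f);
    return result;
}

static void report(const char *name, const void *addr)
{
    int w = is_writable(addr);
    printf("%-30s %p %s\n", name, addr, w == 1 ? "writable" : w == 0 ? "read-only" : "unknown");
}

int main(void)
{
    report("ptr_global (pointer)", &ptr_global);
    report("ptr_global (string)", ptr_global);
    report("array_global", array_global);
    report("const_ptr_global (pointer)", &const_ptr_global);
    report("const_ptr_global (string)", const_ptr_global);
    report("const_array_global", const_array_global);
    report("const_const_ptr_global (pointer)", &const_const_ptr_global);
    return 0;
}
```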