Harden map file parsing and document PE vs ELF asymmetry

justsmth · justsmth · commit 1dfd2667af71 · 2026-05-11T09:55:06.000-04:00
ParseMapFile:
- Anchor parsing to the Publics by Value column header so a same-named
  entry in the Static symbols section can't shadow or collide with a
  public BORINGSSL_bcm_* marker.
- Fail fast with a descriptive error if the map file does not contain
  a Publics by Value section, instead of producing a downstream
  'symbol not found in map file' error.
- Expand the function doc with the expected map-file grammar.

break-hash.go:
- Add a comment on doPE explaining why it does not need the 256-byte
  prefix uniqueness check that doELF performs: the linker map plus the
  PE section table already yield an exact on-disk offset for
  BORINGSSL_bcm_text_start, so the ELF-era workaround is unnecessary.
diff --git a/util/fipstools/break-hash.go b/util/fipstools/break-hash.go
@@ -104,6 +104,13 @@ func doELF(objectBytes []byte) (int, []byte, error) {
 }
 
 func doPE(objectBytes []byte, mapPath string) (int, []byte, error) {
+	// Unlike doELF, we do not need to search the raw file for a unique
+	// 256-byte prefix of the module text to find its file offset: the map
+	// file gives us the exact virtual address of BORINGSSL_bcm_text_start,
+	// and the PE section table lets us translate that directly to a file
+	// offset. The uniqueness check doELF performs is a workaround for the
+	// fact that ELF symbol values alone do not pinpoint the on-disk location
+	// of the module; the PE path does not have that limitation.
 	symbolAddrs, err := fipscommon.ParseMapFile(mapPath)
 	if err != nil {
 		return 0, nil, err
diff --git a/util/fipstools/fipscommon/pe.go b/util/fipstools/fipscommon/pe.go
@@ -21,15 +21,50 @@ type PEInfo struct {
 
 // ParseMapFile reads a Windows linker map file and returns a map of
 // BORINGSSL_bcm_* symbol names to their Rva+Base addresses.
+//
+// MSVC-style map files (also produced by lld-link with /MAP:) contain several
+// sections. Symbol addresses we care about live under a column-header line of
+// the form:
+//
+//	 Address         Publics by Value              Rva+Base               Lib:Object
+//
+// followed by rows of the form:
+//
+//	 SSSS:OOOOOOOO  name  RRRRRRRRRRRRRRRR  [f]  Lib:Object
+//
+// A later "Static symbols" heading begins a section that reuses the row format,
+// so anchoring parsing to the Publics header avoids accidentally picking up a
+// same-named static symbol from some other translation unit. The
+// BORINGSSL_bcm_* markers are `extern` and therefore only ever appear in
+// Publics by Value in practice, but the anchor makes the intent explicit and
+// the parser less fragile.
 func ParseMapFile(mapPath string) (map[string]uint64, error) {
 	data, err := os.ReadFile(mapPath)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read map file: %s", err.Error())
 	}
 
 	symbols := make(map[string]uint64)
-	// Symbol lines have format: SSSS:OOOOOOOO  name  RRRRRRRRRRRRRRRR  Lib:Object
+	inPublics := false
+	sawPublicsHeading := false
 	for _, line := range strings.Split(string(data), "\n") {
+		trimmed := strings.TrimSpace(line)
+		// Section headings are column-header / label lines with no leading
+		// address column. Detect the Publics by Value column-header line
+		// (which also contains the word "Address") and the Static symbols
+		// label that terminates the public section.
+		if strings.Contains(trimmed, "Publics by Value") {
+			inPublics = true
+			sawPublicsHeading = true
+			continue
+		}
+		if trimmed == "Static symbols" {
+			inPublics = false
+			continue
+		}
+		if !inPublics {
+			continue
+		}
 		fields := strings.Fields(line)
 		if len(fields) < 3 || !strings.Contains(fields[0], ":") {
 			continue
@@ -48,6 +83,13 @@ func ParseMapFile(mapPath string) (map[string]uint64, error) {
 		symbols[name] = rvaBase
 	}
 
+	// Guard against silently-malformed map files: if we never saw the
+	// expected heading the caller will get confusing "symbol not found"
+	// errors downstream. Surface the real problem here instead.
+	if !sawPublicsHeading {
+		return nil, fmt.Errorf("map file %q does not contain a \"Publics by Value\" section; is this an MSVC-style linker map?", mapPath)
+	}
+
 	return symbols, nil
 }
 
@@ -85,7 +127,11 @@ func (p *PEInfo) ResolveSymbolFileOffset(symbolAddrs map[string]uint64, name str
 	for _, s := range p.File.Sections {
 		start := uint64(s.VirtualAddress)
 		if rva >= start && rva < start+uint64(s.VirtualSize) {
-			return rva - start + uint64(s.Offset), nil
+			offsetInSection := rva - start
+			if offsetInSection >= uint64(s.Size) {
+				return 0, fmt.Errorf("RVA 0x%x for %q is in zero-fill/BSS region of section %s (offset 0x%x exceeds raw data size 0x%x)", rva, name, s.Name, offsetInSection, s.Size)
+			}
+			return offsetInSection + uint64(s.Offset), nil
 		}
 	}
 	return 0, fmt.Errorf("RVA 0x%x for %q not found in any PE section", rva, name)
diff --git a/util/fipstools/inject_hash/inject_hash.go b/util/fipstools/inject_hash/inject_hash.go
@@ -354,6 +354,10 @@ func do(outPath, oInput string, arInput string, appleOS bool, windowsOS bool, ma
 	var isStatic bool
 	var perm os.FileMode
 
+	if appleOS && windowsOS {
+		return fmt.Errorf("-apple and -windows are mutually exclusive")
+	}
+
 	if windowsOS && len(mapFile) == 0 {
 		return fmt.Errorf("-map is required when -windows is set")
 	}
