Finding the rendezvous (struct r_debug) structure of a process?

I'm trying to access the "rendezvous structure" (struct r_debug *) in order to find the link map of a process. But I keep running into invalid addresses and I really can't figure out what's going on.

Here's how I go on trying to find it:

1. Get the AT_PHDR value from the auxiliary vector
2. Go through the program headers until I find the PT_DYNAMIC segment
3. Try to access the vaddr of that segment (PT_DYNAMIC) to get the dynamic tags
4. Iterate through the dynamic tags until I find DT_DEBUG. If I get here I should be done

The issue is I can't get past step 3 because the vaddr of the PT_DYNAMIC segment always points to an invalid address.

What am I doing wrong? Do I need to find the relocation of the vaddr? I have looked at the LLDB sources but I can't figure out how they got the address.

UPDATE: @EmployedRussian was right, I was looking at a position-independent executable. His solution to calculate the relocation worked wonderfully.

nitram Avatar asked Apr 12 '19 00:04



1 Answer

What am I doing wrong?

Most likely you are looking at a position-independent executable. If your readelf -Wl a.out looks like this:

Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  PHDR           0x000040 0x0000000000000040 0x0000000000000040 0x0001f8 0x0001f8 R   0x8
  INTERP         0x000238 0x0000000000000238 0x0000000000000238 0x00001c 0x00001c R   0x1
      [Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x016d28 0x016d28 R E 0x200000
  LOAD           0x017250 0x0000000000217250 0x0000000000217250 0x0010d0 0x001290 RW  0x200000
  DYNAMIC        0x017df8 0x0000000000217df8 0x0000000000217df8 0x0001e0 0x0001e0 RW  0x8

then you need to adjust Phdr_pt_dynamic.p_vaddr by the executable relocation address (the key is that the first Phdr_pt_load.p_vaddr == 0).

You can find this relocation address as the delta between AT_PHDR value in the aux vector and Phdr_pt_phdr.p_vaddr.

(Above I use Phdr_xxx as a shorthand for Phdr[j] with .p_type == xxx).

You are also doing it in a much more complicated way than you have to: the address of the dynamic array is trivially available as _DYNAMIC[]. See this answer.

Employed Russian Avatar answered Nov 12 '22 02:11

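The answer's arithmetic, carried out by a process on itself, as an added example (this is not code from the question, the answer, or glibc). It assumes Linux with glibc: getauxval() from <sys/auxv.h> supplies AT_PHDR and AT_PHNUM, and <link.h> declares struct r_debug, struct link_map and the _DYNAMIC[] symbol the answer mentions. The four steps of the question are implemented as four functions; the only difference from the question's attempt is that PT_DYNAMIC's p_vaddr is relocated by (AT_PHDR minus PT_PHDR.p_vaddr) before it is dereferenced, and the result is cross-checked against _DYNAMIC so you can see both routes agree.

```c
#define _GNU_SOURCE
#include <elf.h>
#include <link.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/auxv.h>

/* Program header table of the running process, as mapped by the kernel.
   AT_PHDR is a runtime address: for a PIE it already includes the relocation. */
static const ElfW(Phdr) *self_phdr(size_t *phnum) {
    *phnum = (size_t)getauxval(AT_PHNUM);
    return (const ElfW(Phdr) *)getauxval(AT_PHDR);
}

/* Load bias (relocation address): runtime AT_PHDR minus the link-time
   p_vaddr recorded in the PT_PHDR entry. 0 for a non-PIE executable. */
static uintptr_t self_load_bias(void) {
    size_t n;
    const ElfW(Phdr) *ph = self_phdr(&n);
    for (size_t i = 0; i < n; i++)
        if (ph[i].p_type == PT_PHDR)
            return (uintptr_t)ph - (uintptr_t)ph[i].p_vaddr;
    return 0; /* assumption: no PT_PHDR means an unrelocated (non-PIE) layout */
}

/* PT_DYNAMIC's p_vaddr plus the load bias. Without the bias, this pointer
   is exactly the "invalid address" the question ran into on a PIE. */
static const ElfW(Dyn) *self_dynamic(void) {
    size_t n;
    const ElfW(Phdr) *ph = self_phdr(&n);
    uintptr_t bias = self_load_bias();
    for (size_t i = 0; i < n; i++)
        if (ph[i].p_type == PT_DYNAMIC)
            return (const ElfW(Dyn) *)(bias + (uintptr_t)ph[i].p_vaddr);
    return NULL;
}

/* Scan the dynamic array for DT_DEBUG. On disk its value is 0; ld.so fills
   in the address of struct r_debug at startup, so this only works on a
   dynamically linked process after the loader has run. */
static struct r_debug *self_r_debug(void) {
    const ElfW(Dyn) *dyn = self_dynamic();
    if (!dyn)
        return NULL;
    for (; dyn->d_tag != DT_NULL; dyn++)
        if (dyn->d_tag == DT_DEBUG)
            return (struct r_debug *)(uintptr_t)dyn->d_un.d_ptr;
    return NULL;
}

/* Walk r_debug->r_map (main executable first) and count loaded objects. */
static int count_link_map(const struct r_debug *r) {
    int n = 0;
    for (const struct link_map *lm = r ? r->r_map : NULL; lm; lm = lm->l_next)
        n++;
    return n;
}

int main(void) {
    uintptr_t bias = self_load_bias();
    const ElfW(Dyn) *dyn = self_dynamic();
    struct r_debug *r = self_r_debug();

    printf("load bias: %#lx (non-zero means PIE)\n", (unsigned long)bias);
    printf("PT_DYNAMIC via aux vector: %p, _DYNAMIC: %p -> %s\n",
           (const void *)dyn, (const void *)_DYNAMIC,
           dyn == _DYNAMIC ? "same" : "DIFFERENT");
    if (!r) {
        puts("no DT_DEBUG value (statically linked?)");
        return 1;
    }
    printf("r_debug at %p, r_version=%d, r_state=%d\n",
           (void *)r, r->r_version, (int)r->r_state);
    for (const struct link_map *lm = r->r_map; lm; lm = lm->l_next)
        printf("  l_addr=%#018lx  %s\n", (unsigned long)lm->l_addr,
               lm->l_name[0] ? lm->l_name : "(main executable)");
    return 0;
}
```

Build with a plain gcc invocation: current toolchains produce a PIE by default, so the printed bias is non-zero and the first link_map entry's l_addr equals it, because ld.so computes the main program's l_addr from PT_PHDR in exactly the same way. Inspecting another process uses the same arithmetic; only the reads change (AT_PHDR from /proc/PID/auxv, memory through ptrace or process_vm_readv), which is what LLDB does.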