
Where are jump tables located in x86 elf code?

progname: file format elf64-x86-64

Disassembly of section .text:

# objdump -dr of a relocatable object (AT&T syntax, SysV AMD64).
# Switch dispatch: the index x lives at -0x4(%rbp).  An unsigned bounds check
# (cmpl $0x9 / ja) guards the indirect jump; then an 8-byte code address is
# loaded from the table whose base the R_X86_64_32S relocation resolves to
# .rodata+0x48, and control jumps through it.  The 32-bit absolute
# relocations (R_X86_64_32 / R_X86_64_32S) show this object was not built
# position-independent: it cannot be linked into a PIE.
0000000000000000 <main>:
   0:   55                      push   %rbp                # frame-pointer prologue
   1:   48 89 e5                mov    %rsp,%rbp
   4:   48 83 ec 10             sub    $0x10,%rsp          # 16 bytes of locals
   8:   c7 45 fc 02 00 00 00    movl   $0x2,-0x4(%rbp)     # x = 2
   f:   83 7d fc 09             cmpl   $0x9,-0x4(%rbp)     # table covers indices 0..9
  13:   0f 87 ac 00 00 00       ja     c5 <main+0xc5>      # unsigned compare: x > 9 (a negative x too) -> block at c5
  19:   8b 45 fc                mov    -0x4(%rbp),%eax     # eax = x; 32-bit write zero-extends into rax
  1c:   48 8b 04 c5 00 00 00    mov    0x0(,%rax,8),%rax   # rax = table[x]; the 0x0 base is patched by the reloc below
  23:   00 
            20: R_X86_64_32S    .rodata+0x48               # <- the jump table: 8-byte absolute code addresses in .rodata at +0x48
  24:   ff e0                   jmpq   *%rax               # indirect jump into the selected case body
  26:   bf 00 00 00 00          mov    $0x0,%edi           # case body: edi = address of .rodata+0x0 (printf's format argument)
            27: R_X86_64_32 .rodata
  2b:   b8 00 00 00 00          mov    $0x0,%eax           # al = 0: no vector registers passed to the variadic call
  30:   e8 00 00 00 00          callq  35 <main+0x35>      # printf via PLT; displacement patched by the reloc below
            31: R_X86_64_PLT32  printf-0x4
  35:   e9 9b 00 00 00          jmpq   d5 <main+0xd5>      # break -> common epilogue
  3a:   bf 00 00 00 00          mov    $0x0,%edi           # case body, same pattern; string at .rodata+0xc
            3b: R_X86_64_32 .rodata+0xc
  3f:   b8 00 00 00 00          mov    $0x0,%eax
  44:   e8 00 00 00 00          callq  49 <main+0x49>
            45: R_X86_64_PLT32  printf-0x4
  49:   e9 87 00 00 00          jmpq   d5 <main+0xd5>
  4e:   bf 00 00 00 00          mov    $0x0,%edi           # case body; string at .rodata+0x18
            4f: R_X86_64_32 .rodata+0x18
  53:   b8 00 00 00 00          mov    $0x0,%eax
  58:   e8 00 00 00 00          callq  5d <main+0x5d>
            59: R_X86_64_PLT32  printf-0x4
  5d:   eb 76                   jmp    d5 <main+0xd5>      # short (rel8) form of the same break
  5f:   bf 00 00 00 00          mov    $0x0,%edi           # case body; string at .rodata+0x0 again
            60: R_X86_64_32 .rodata
  64:   b8 00 00 00 00          mov    $0x0,%eax
  69:   e8 00 00 00 00          callq  6e <main+0x6e>
            6a: R_X86_64_PLT32  printf-0x4
  6e:   eb 65                   jmp    d5 <main+0xd5>
  70:   bf 00 00 00 00          mov    $0x0,%edi           # case body; string at .rodata+0xc
            71: R_X86_64_32 .rodata+0xc
  75:   b8 00 00 00 00          mov    $0x0,%eax
  7a:   e8 00 00 00 00          callq  7f <main+0x7f>
            7b: R_X86_64_PLT32  printf-0x4
  7f:   eb 54                   jmp    d5 <main+0xd5>
  81:   bf 00 00 00 00          mov    $0x0,%edi           # case body; string at .rodata+0x18
            82: R_X86_64_32 .rodata+0x18
  86:   b8 00 00 00 00          mov    $0x0,%eax
  8b:   e8 00 00 00 00          callq  90 <main+0x90>
            8c: R_X86_64_PLT32  printf-0x4
  90:   eb 43                   jmp    d5 <main+0xd5>
  92:   bf 00 00 00 00          mov    $0x0,%edi           # case body; string at .rodata+0x0
            93: R_X86_64_32 .rodata
  97:   b8 00 00 00 00          mov    $0x0,%eax
  9c:   e8 00 00 00 00          callq  a1 <main+0xa1>
            9d: R_X86_64_PLT32  printf-0x4
  a1:   eb 32                   jmp    d5 <main+0xd5>
  a3:   bf 00 00 00 00          mov    $0x0,%edi           # case body; string at .rodata+0xc
            a4: R_X86_64_32 .rodata+0xc
  a8:   b8 00 00 00 00          mov    $0x0,%eax
  ad:   e8 00 00 00 00          callq  b2 <main+0xb2>
            ae: R_X86_64_PLT32  printf-0x4
  b2:   eb 21                   jmp    d5 <main+0xd5>
  b4:   bf 00 00 00 00          mov    $0x0,%edi           # case body; string at .rodata+0x18
            b5: R_X86_64_32 .rodata+0x18
  b9:   b8 00 00 00 00          mov    $0x0,%eax
  be:   e8 00 00 00 00          callq  c3 <main+0xc3>
            bf: R_X86_64_PLT32  printf-0x4
  c3:   eb 10                   jmp    d5 <main+0xd5>
  c5:   bf 00 00 00 00          mov    $0x0,%edi           # target of the ja bounds check (out-of-range x); presumably the default case
            c6: R_X86_64_32 .rodata+0x24
  ca:   b8 00 00 00 00          mov    $0x0,%eax
  cf:   e8 00 00 00 00          callq  d4 <main+0xd4>
            d0: R_X86_64_PLT32  printf-0x4
  d4:   90                      nop                        # falls through to the epilogue
  d5:   b8 00 00 00 00          mov    $0x0,%eax           # return 0
  da:   c9                      leaveq                     # mov %rbp,%rsp / pop %rbp
  db:   c3                      retq   

I have a basic switch statement with 10 cases (including the default case). If x=2, it goes to the 2nd block of the switch. I need help understanding where exactly the gcc-generated jump tables are located in ELF files, and in which section. I pasted the output of `objdump -dr progname` above.

  • Maybe compile the code to an actual binary, and at that point it will be pretty clear. The relocation `R_X86_64_32S` at offset `20` of `main` should already give you a hint (`.rodata+0x48`). – Marco Bonelli Feb 08 '22 at 17:26
    Look at the asm as well as the linked executable; the asm will have a label name like `.LC0`. https://godbolt.org/ is good for playing with that; although you'd have to disable filtering of directives to see that it puts the table in `.section .rodata`. (But you can already see that from your disassembly of the addressing mode for the `mov` load from the table.) – Peter Cordes Feb 08 '22 at 18:26
  • You could compile the code first and use a tool called `readelf` to run this command: `readelf -l`, and it should give you all the tables, including the jump table. – BadUsernameIdea Apr 05 '22 at 16:53
