[File] [PATCH] Support ARM64 Linux vmlinux files

John Villalovos john at sodarock.com
Thu Oct 17 16:27:44 UTC 2019


Any feedback on this patch? Is there something else I should do?

Thanks,
John

On Fri, Oct 4, 2019 at 1:45 PM John Villalovos <john at sodarock.com> wrote:
>
> Support ARM64 Linux vmlinux files
>
> Currently 'file' says that the ARM64 Linux vmlinux files are MS-DOS
> executables.  They are in fact PE files that are used to boot via
> UEFI.
>
> Here is a before and after showing the difference with and without the patch.
> $ file vmlinux
> linux: MS-DOS executable
> $ file -m msdos vmlinux
> linux: MS-DOS executable PE PE32+ executable (EFI application) ARM64
> (stripped to external PDB), for MS Windows
>
> Info of the vmlinux file:
> $ head -c 256 vmlinux | xxd
> 00000000: 4d5a 0091 ffbf 2d14 0000 0800 0000 0000  MZ....-.........
> 00000010: 0020 2601 0000 0000 0a00 0000 0000 0000  . &.............
> 00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
> 00000030: 0000 0000 0000 0000 4152 4d64 4000 0000  ........ARMd at ...
> 00000040: 5045 0000 64aa 0200 0000 0000 0000 0000  PE..d...........
> 00000050: 0000 0000 a000 0602 0b02 0214 0010 c300  ................
> 00000060: 0000 6300 0000 0000 e85a b700 0010 0000  ..c......Z......
> 00000070: 0000 0000 0000 0000 0010 0000 0002 0000  ................
> 00000080: 0000 0000 0000 0000 0000 0000 0000 0000  ................
> 00000090: 0020 2601 0010 0000 23a2 1d01 0a00 0000  . &.....#.......
> 000000a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
> 000000b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
> 000000c0: 0000 0000 0600 0000 0000 0000 0000 0000  ................
> 000000d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
> 000000e0: 0000 0000 0000 0000 0032 1d01 7005 0000  .........2..p...
> 000000f0: 0000 0000 0000 0000 2e74 6578 7400 0000  .........text...
>
> In the patch I duplicated the check for PE\0\0 twice as removing the
> old check and then having to de-dent everything by one '<' seemed very
> intrusive of a patch.
>
> Also added the code to identify ARM64 CPU code.
>
> $ git diff
> diff --git a/magic/Magdir/msdos b/magic/Magdir/msdos
> index 5ed6d633..70f835a4 100644
> --- a/magic/Magdir/msdos
> +++ b/magic/Magdir/msdos
> @@ -61,11 +61,8 @@
>  #>>0x18        leshort 0x1c    (Borland compiler)
>  #>>0x18        leshort 0x1e    (MS compiler)
>
> -# If the relocation table is 0x40 or more bytes into the file, it's definitely
> -# not a DOS EXE.
> ->0x18  leshort >0x3f
> -
>  # Maybe it's a PE?
> +>(0x3c.l) string PE\0\0 PE
>  >>(0x3c.l) string PE\0\0 PE
>  !:mime application/x-dosexec
>  >>>(0x3c.l+24) leshort         0x010b  \b32 executable
> @@ -129,6 +126,7 @@
>  >>>(0x3c.l+4)  leshort         0x466   MIPS16 with FPU
>  >>>(0x3c.l+4)  leshort         0xebc   EFI byte code
>  >>>(0x3c.l+4)  leshort         0x8664  x86-64
> +>>>(0x3c.l+4)  leshort         0xaa64  ARM64
>  >>>(0x3c.l+4)  leshort         0xc0ee  MSIL
>  >>>(0x3c.l+4)  default         x       Unknown processor type
>  >>>>&0         leshort         x       0x%x


More information about the File mailing list