Detect system GNU ld script pretending to be system libraries (#9296)

daniel-grumberg · web-flow · commit 257ad9bf342a · 2025-10-29T15:02:45.000Z
When a system library is shimmed with a GNU ld script, pull in the
required libraries when auditing binary artifacts

### Motivation:

Basic C runtime libraries appear to sometimes be replaced by a GNU ld
script that pulls it some other libraries as a backwards compatibility
mechanism on certain Linux distros. This makes it difficult for the
binary auditing tool to find all required libraries. The only previously
known case of this was libgcc_s so we used to just special case for it,
but now that Ubuntu does this for splitting up libm, a more general
solution is required.

### Modifications:

Add basic support for detecting such GNU ld script and parsing out
libraries they pull in. The subset of features supported is consistent
with how we have seen libraries being repackaged.

### Result:

Binary auditing tool will be more resilient.
diff --git a/Sources/BinarySymbols/ClangHostDefaultObjectsDetector.swift b/Sources/BinarySymbols/ClangHostDefaultObjectsDetector.swift
@@ -14,7 +14,8 @@ import Foundation
 import protocol TSCBasic.WritableByteStream
 
 package func detectDefaultObjects(
-    clang: AbsolutePath, fileSystem: any FileSystem, hostTriple: Triple
+    clang: AbsolutePath, fileSystem: any FileSystem, hostTriple: Triple,
+    observabilityScope: ObservabilityScope
 ) async throws -> [AbsolutePath] {
     let clangProcess = AsyncProcess(args: clang.pathString, "-###", "-x", "c", "-")
     let stdinStream = try clangProcess.launch()
@@ -56,25 +57,71 @@ package func detectDefaultObjects(
         linkerArguments.append(contentsOf: ["-lm", "-lpthread", "-ldl"])
     }
 
-    for argument in linkerArguments {
+    func handleArgument(_ argument: String) throws {
         if argument.hasPrefix("-L") {
             searchPaths.append(try AbsolutePath(validating: String(argument.dropFirst(2))))
         } else if argument.hasPrefix("-l") && !argument.hasSuffix("lto_library") {
             let libraryName = argument.dropFirst(2)
             let potentialLibraries = searchPaths.flatMap { path in
-                if libraryName == "gcc_s" && hostTriple.isLinux() {
-                    // Try and pick this up first as libgcc_s tends to be either this or a GNU ld script that pulls this in.
-                    return [path.appending("libgcc_s.so.1")]
-                } else {
-                    return libraryExtensions.map { ext in path.appending("\(hostTriple.dynamicLibraryPrefix)\(libraryName)\(ext)") }
+                return libraryExtensions.map { ext in
+                    path.appending("\(hostTriple.dynamicLibraryPrefix)\(libraryName)\(ext)")
                 }
             }
 
             guard let library = potentialLibraries.first(where: { fileSystem.isFile($0) }) else {
-                throw StringError("Couldn't find library: \(libraryName)")
+                observabilityScope.emit(warning: "Could not find library: \(libraryName)")
+                return
+            }
+
+            // Try and detect if this a GNU ld linker script.
+            if let fileContents = try fileSystem.readFileContents(library).validDescription {
+                let lines = fileContents.split(whereSeparator: \.isNewline)
+                guard lines.contains(where: { $0.contains("GNU ld script") }) else {
+                    objects.insert(library)
+                    return
+                }
+
+                // If it is try and parse GROUP/INPUT commands as documented in https://sourceware.org/binutils/docs/ld/File-Commands.html
+                // Empirically it seems like GROUP is the only used such directive for libraries of interest.
+                // Empirically it looks like packaging linker scripts use spaces around parenthesis which greatly simplifies parsing.
+                let inputs = lines.filter { $0.hasPrefix("GROUP") || $0.hasPrefix("INPUT") }
+                let words = inputs.flatMap { $0.split(whereSeparator: \.isWhitespace) }
+                let newArguments = words.filter {
+                    !["GROUP", "AS_NEEDED", "INPUT"].contains($0) && $0 != "(" && $0 != ")"
+                }.map(String.init)
+
+                for arg in newArguments {
+                    if arg.hasPrefix("-l") {
+                        try handleArgument(arg)
+                    } else {
+                        // First try and locate the file relative to the linker script.
+                        let siblingPath = try AbsolutePath(
+                            validating: arg,
+                            relativeTo: try AbsolutePath(validating: library.dirname))
+                        if fileSystem.isFile(siblingPath) {
+                            try handleArgument(siblingPath.pathString)
+                        } else {
+                            // If this fails the file needs to be resolved relative to the search paths.
+                            guard
+                                let library = searchPaths.map({ $0.appending(arg) }).first(where: {
+                                    fileSystem.isFile($0)
+                                })
+                            else {
+                                observabilityScope.emit(
+                                    warning:
+                                        "Malformed linker script at \(library): found no library named \(arg)"
+                                )
+                                continue
+                            }
+                            try handleArgument(library.pathString)
+                        }
+                    }
+                }
+
+            } else {
+                objects.insert(library)
             }
 
-            objects.insert(library)
         } else if try argument.hasSuffix(".o")
             && fileSystem.isFile(AbsolutePath(validating: argument))
         {
@@ -86,5 +133,9 @@ package func detectDefaultObjects(
         }
     }
 
+    for argument in linkerArguments {
+        try handleArgument(argument)
+    }
+
     return objects.compactMap { $0 }
 }
diff --git a/Sources/Commands/PackageCommands/AuditBinaryArtifact.swift b/Sources/Commands/PackageCommands/AuditBinaryArtifact.swift
@@ -50,7 +50,10 @@ struct AuditBinaryArtifact: AsyncSwiftCommand {
         var hostDefaultSymbols = ReferencedSymbols()
         let symbolProvider = LLVMObjdumpSymbolProvider(objdumpPath: objdump)
         for binary in try await detectDefaultObjects(
-            clang: clang, fileSystem: fileSystem, hostTriple: hostTriple)
+            clang: clang, fileSystem: fileSystem, hostTriple: hostTriple,
+            observabilityScope:
+                swiftCommandState.observabilityScope.makeChildScope(
+                    description: "DefaultObjectsDetector"))
         {
             try await symbolProvider.symbols(
                 for: binary, symbols: &hostDefaultSymbols, recordUndefined: false)
