xref: /onnv-gate/usr/src/cmd/sgs/elfdump/common/fake_shdr.c (revision 11827:d7ef53deac3f)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

/*
 * Generate a cache of section header information for an ELF
 * object from the information found in its program headers.
 *
 * Malicious code can remove or corrupt section headers. The
 * resulting program will be difficult to analyze, but is still
 * runnable. Hence, scribbling on the section headers or removing
 * them is an effective form of obfuscation. On the other hand,
 * program headers must be accurate or the program will not run.
 * Section headers derived from them will necessarily lack information
 * found in the originals (particularly for non-allocable sections),
 * but will provide essential symbol information. The focus is on
 * recovering information that elfdump knows how to display, and that
 * might be interesting in a forensic situation.
 *
 * There are some things we don't attempt to create sections for:
 *
 *	plt, got
 *		We have no way to determine the length of either of
 *		these sections from the information available via
 *		the program headers or dynamic section. The data in
 *		the PLT is of little use to elfdump. The data in the
 *		GOT might be somewhat more interesting, especially as
 *		it pertains to relocations. However, the sizing issue
 *		remains.
 *
 *	text, data, bss
 *		Although we could create these, there is little value
 *		to doing so. elfdump cannot display the arbitrary
 *		data in these sections, so this would amount to a
 *		simple repetition of the information already displayed
 *		in the program headers, with no additional benefit.
 */



#include	<sys/elf_amd64.h>
#include	<stdio.h>
#include	<unistd.h>
#include	<errno.h>
#include	<string.h>
#include	<strings.h>
#include	<conv.h>
#include	<msg.h>
#include	<_elfdump.h>



/*
 * Common information about the object that is needed by
 * all the routines in this module.
 */
typedef struct {
	const char	*file;
	int		fd;
	Ehdr		*ehdr;
	Phdr		*phdr;
	size_t		phnum;
} FSTATE;



/*
 * These values uniquely identify the sections that we know
 * how to recover.
 *
 * Note: We write the sections to the cache array in this same order.
 * It simplifies this code if the dynamic, dynstr, dynsym, and ldynsym
 * sections occupy known slots in the cache array. Other sections reference
 * them by index, and if they are at a known spot, there is no need
 * for a fixup pass. Putting them in positions [1-4] solves this.
 *
 * The order they are in was chosen such that if any one of them exists,
 * all of the ones before it must also exist. This means that if the
 * desired section exists, it will end up in the desired index in the
 * cache array.
 *
 * The order of the other sections is arbitrary. I've arranged them
 * in roughly related groups.
 */
typedef enum {
	SINFO_T_NULL =		0,
	SINFO_T_DYN =		1,
	SINFO_T_DYNSTR = 	2,
	SINFO_T_DYNSYM =	3,
	SINFO_T_LDYNSYM =	4,

	SINFO_T_HASH =		5,
	SINFO_T_SYMINFO =	6,
	SINFO_T_SYMSORT =	7,
	SINFO_T_TLSSORT =	8,
	SINFO_T_VERNEED =	9,
	SINFO_T_VERDEF =	10,
	SINFO_T_VERSYM =	11,
	SINFO_T_INTERP =	12,
	SINFO_T_CAP =		13,
	SINFO_T_CAPINFO =	14,
	SINFO_T_CAPCHAIN =	15,
	SINFO_T_UNWIND =	16,
	SINFO_T_MOVE =		17,
	SINFO_T_REL =		18,
	SINFO_T_RELA =		19,
	SINFO_T_PREINITARR =	20,
	SINFO_T_INITARR =	21,
	SINFO_T_FINIARR =	22,
	SINFO_T_NOTE =		23,

	SINFO_T_NUM =		24 /* Count of items. Must come last */
} SINFO_TYPE;



/*
 * Table of per-section constant data used to set up the section
 * header cache and the various sub-parts it references. Indexed by
 * SINFO_T value.
 *
 * note: The sh_flags value should be either SHF_ALLOC, or 0.
 *	get_data() sets SHF_WRITE if the program header containing the
 *	section is writable. The other flags require information that
 *	the program headers don't contain (i.e. SHF_STRINGS, etc) so
 *	we don't set them.
 */
typedef struct {
	const char	*name;
	Word		sh_type;
	Word		sh_flags;
	Word		sh_addralign;
	Word		sh_entsize;
	Elf_Type	libelf_type;
} SINFO_DATA;

/*
 * Many of these sections use an alignment given by M_WORD_ALIGN, a
 * value that varies depending on the object target machine. Since we
 * don't know that value at compile time, we settle for a value of
 * 4 for ELFCLASS32 objects, and 8 for ELFCLASS64. This matches the
 * platforms we current support (sparc and x86), and is good enough for
 * a fake section header in any event, as the resulting object is only
 * analyzed, and is not executed.
 */
#ifdef _ELF64
#define	FAKE_M_WORD_ALIGN 8
#else
#define	FAKE_M_WORD_ALIGN 4
#endif

static SINFO_DATA sinfo_data[SINFO_T_NUM] = {
	/* SINFO_T_NULL */
	{ 0 },

	/* SINFO_T_DYN */
	{ MSG_ORIG(MSG_PHDRNAM_DYN), SHT_DYNAMIC, SHF_ALLOC,
	    FAKE_M_WORD_ALIGN, sizeof (Dyn), ELF_T_DYN },

	/* SINFO_T_DYNSTR */
	{ MSG_ORIG(MSG_PHDRNAM_DYNSTR), SHT_STRTAB, SHF_ALLOC,
	    1, 0, ELF_T_BYTE },

	/* SINFO_T_DYNSYM */
	{ MSG_ORIG(MSG_PHDRNAM_DYNSYM), SHT_DYNSYM, SHF_ALLOC,
	    FAKE_M_WORD_ALIGN, sizeof (Sym), ELF_T_SYM },

	/* SINFO_T_LDYNSYM */
	{ MSG_ORIG(MSG_PHDRNAM_LDYNSYM), SHT_SUNW_LDYNSYM, SHF_ALLOC,
	    FAKE_M_WORD_ALIGN, sizeof (Sym), ELF_T_SYM },

	/* SINFO_T_HASH */
	{ MSG_ORIG(MSG_PHDRNAM_HASH), SHT_HASH, SHF_ALLOC,
	    FAKE_M_WORD_ALIGN, sizeof (Word), ELF_T_WORD },

	/* SINFO_T_SYMINFO */
	{ MSG_ORIG(MSG_PHDRNAM_SYMINFO),  SHT_SUNW_syminfo, SHF_ALLOC,
	    FAKE_M_WORD_ALIGN, sizeof (Syminfo), ELF_T_SYMINFO },

	/* SINFO_T_SYMSORT */
	{ MSG_ORIG(MSG_PHDRNAM_SYMSORT), SHT_SUNW_symsort, SHF_ALLOC,
	    FAKE_M_WORD_ALIGN, sizeof (Word), ELF_T_WORD },

	/* SINFO_T_TLSSORT */
	{ MSG_ORIG(MSG_PHDRNAM_TLSSORT), SHT_SUNW_tlssort, SHF_ALLOC,
	    FAKE_M_WORD_ALIGN, sizeof (Word), ELF_T_WORD },

	/* SINFO_T_VERNEED */
	{ MSG_ORIG(MSG_PHDRNAM_VER), SHT_SUNW_verneed, SHF_ALLOC,
	    FAKE_M_WORD_ALIGN, 1, ELF_T_VNEED },

	/* SINFO_T_VERDEF */
	{ MSG_ORIG(MSG_PHDRNAM_VER), SHT_SUNW_verdef, SHF_ALLOC,
	    FAKE_M_WORD_ALIGN, 1, ELF_T_VDEF },

	/* SINFO_T_VERSYM */
	{ MSG_ORIG(MSG_PHDRNAM_VER), SHT_SUNW_versym, SHF_ALLOC,
	    FAKE_M_WORD_ALIGN, sizeof (Versym), ELF_T_HALF },

	/* SINFO_T_INTERP */
	{ MSG_ORIG(MSG_PHDRNAM_INTERP), SHT_PROGBITS, SHF_ALLOC,
	    1, 0, ELF_T_BYTE },

	/* SINFO_T_CAP */
	{ MSG_ORIG(MSG_PHDRNAM_CAP), SHT_SUNW_cap, SHF_ALLOC,
	    sizeof (Addr), sizeof (Cap), ELF_T_CAP },

	/* SINFO_T_CAPINFO */
	{ MSG_ORIG(MSG_PHDRNAM_CAPINFO), SHT_SUNW_capinfo, SHF_ALLOC,
	    FAKE_M_WORD_ALIGN, sizeof (Capinfo), ELF_T_WORD },

	/* SINFO_T_CAPCHAIN */
	{ MSG_ORIG(MSG_PHDRNAM_CAPCHAIN), SHT_SUNW_capchain, SHF_ALLOC,
	    FAKE_M_WORD_ALIGN, sizeof (Capchain), ELF_T_WORD },

	/* SINFO_T_UNWIND */
	{ MSG_ORIG(MSG_PHDRNAM_UNWIND), SHT_AMD64_UNWIND, SHF_ALLOC,
	    sizeof (Addr), 0, ELF_T_BYTE },

	/* SINFO_T_MOVE */
	{ MSG_ORIG(MSG_PHDRNAM_MOVE), SHT_SUNW_move, SHF_ALLOC,
	    sizeof (Lword), sizeof (Move), ELF_T_MOVE },

	/* SINFO_T_REL */
	{ MSG_ORIG(MSG_PHDRNAM_REL), SHT_REL, SHF_ALLOC,
	    FAKE_M_WORD_ALIGN, sizeof (Rel), ELF_T_REL },

	/* SINFO_T_RELA */
	{ MSG_ORIG(MSG_PHDRNAM_RELA), SHT_RELA, SHF_ALLOC,
	    FAKE_M_WORD_ALIGN, sizeof (Rela), ELF_T_RELA },

	/* SINFO_T_PREINITARR */
	{ MSG_ORIG(MSG_PHDRNAM_PREINITARR), SHT_PREINIT_ARRAY, SHF_ALLOC,
	    sizeof (Addr), sizeof (Addr), ELF_T_ADDR },

	/* SINFO_T_INITARR */
	{ MSG_ORIG(MSG_PHDRNAM_INITARR), SHT_INIT_ARRAY, SHF_ALLOC,
	    sizeof (Addr), sizeof (Addr),  ELF_T_ADDR },

	/* SINFO_T_FINIARR */
	{ MSG_ORIG(MSG_PHDRNAM_FINIARR), SHT_FINI_ARRAY, SHF_ALLOC,
	    sizeof (Addr), sizeof (Addr), ELF_T_ADDR },

	/* SINFO_T_NOTE */
	{ MSG_ORIG(MSG_PHDRNAM_NOTE), SHT_NOTE, 0,
	    FAKE_M_WORD_ALIGN, 1, ELF_T_NOTE }
};





/*
 * As we read program headers and dynamic elements, we build up
 * the data for our fake section headers in variables of the
 * SINFO type. SINFO is used to track the sections that can only
 * appear a fixed number of times (usually once).
 *
 * SINFO_LISTELT is used for sections that can occur an arbitrary
 * number of times. They are kept in a doubly linked circular
 * buffer.
 */
typedef struct {
	SINFO_TYPE	type;	/* Our type code for the section */
	Addr		vaddr;	/* Virtual memory address */
	Off		offset;	/* File offset of data. Ignored unless */
				/*	vaddr is 0. Used by program headers */
	size_t		size;	/* # bytes in section */
	size_t		vercnt;	/* Used by verdef and verneed to hold count */
	Shdr		*shdr;	/* Constructed shdr */
	Elf_Data	*data;	/* Constructed data descriptor */
} SINFO;

typedef struct _sinfo_listelt {
	struct _sinfo_listelt	*next;
	struct _sinfo_listelt	*prev;
	SINFO			sinfo;
} SINFO_LISTELT;



/*
 * Free dynamic memory used by SINFO structures.
 *
 * entry:
 *	sinfo - Address of first SINFO structure to free
 *	n - # of structures to clear
 *
 * exit:
 *	For each SINFO struct, the section header, data descriptor,
 *	and data buffer are freed if non-NULL. The relevant
 *	fields are set to NULL, and the type is set to SINFO_T_NULL.
 */
static void
sinfo_free(SINFO *sinfo, size_t n)
{
	for (; n-- > 0; sinfo++) {
		if (sinfo->data != NULL) {
			if (sinfo->data->d_buf != NULL)
				free(sinfo->data->d_buf);
			free(sinfo->data);
			sinfo->data = NULL;
		}

		if (sinfo->shdr) {
			free(sinfo->shdr);
			sinfo->shdr = NULL;
		}
		sinfo->type = SINFO_T_NULL;
	}
}



/*
 * Allocate a new SINFO_LISTELT and put it at the end of the
 * doubly linked list anchored by the given list root node.
 *
 * On success, a new node has been put at the end of the circular
 * doubly linked list, and a pointer to the SINFO sub-structure is
 * returned. On failure, an error is printed, and NULL is returned.
 */

static SINFO *
sinfo_list_alloc(FSTATE *fstate, SINFO_LISTELT *root)
{
	SINFO_LISTELT *elt;

	if ((elt = malloc(sizeof (*elt))) == NULL) {
		int err = errno;
		(void) fprintf(stderr, MSG_INTL(MSG_ERR_MALLOC),
		    fstate->file, strerror(err));
		return (0);
	}

	elt->next = root;
	elt->prev = root->prev;

	root->prev = elt;
	elt->prev->next = elt;

	bzero(&elt->sinfo, sizeof (elt->sinfo));
	return (&elt->sinfo);
}



/*
 * Release the memory used by the given list, restoring it to
 * an empty list.
 */
static void
sinfo_list_free_all(SINFO_LISTELT *root)
{
	SINFO_LISTELT *elt;

	for (elt = root->next; elt != root; elt = elt->next)
		sinfo_free(&elt->sinfo, 1);

	root->next = root->prev = root;
}



/*
 * Given a virtual address and desired size of the data to be found
 * at that address, look through the program headers for the PT_LOAD
 * segment that contains it and return the offset within the ELF file
 * at which it resides.
 *
 * entry:
 *	fstate - Object state
 *	addr - virtual address to be translated
 *	size - Size of the data to be found at that address, in bytes
 *	zero_bytes - NULL, or address to receive the number of data
 *		bytes at the end of the data that are not contained
 *		in the file, and which must be zero filled by the caller.
 *		If zero_bytes is NULL, the file must contain all of the
 *		desired data. If zero_bytes is not NULL, then the program
 *		header must reserve the space for all of the data (p_memsz)
 *		but it is acceptable for only part of the data to be in
 *		the file (p_filesz). *zero_bytes is set to the difference
 *		in size, and is the number of bytes the caller must
 *		set to 0 rather than reading from the file.
 *	phdr_ret - NULL, or address of variable to receive pointer
 *		to program header that contains offset.
 * exit:
 *	On success: If zero_bytes is non-NULL, it is updated. If phdr_ret
 *	is non-NULL, it is updated. The file offset is returned.
 *
 *	On failure, 0 is returned. Since any ELF file we can understand
 *	must start with an ELF magic number, 0 cannot be a valid file
 *	offset for a virtual address, and is therefore unambiguous as
 *	a failure indication.
 */
static Off
map_addr_to_offset(FSTATE *fstate, Addr addr, size_t size, size_t *zero_bytes,
    Phdr **phdr_ret)
{
	Off	offset;
	Addr	end_addr = addr + size;
	size_t	avail_file;
	Phdr	*phdr = fstate->phdr;
	size_t	phnum = fstate->phnum;

	for (; phnum--; phdr++) {
		if (phdr->p_type != PT_LOAD)
			continue;

		if ((addr >= phdr->p_vaddr) &&
		    (end_addr <= (phdr->p_vaddr + phdr->p_memsz))) {
			/*
			 * Subtract segment virtual address, leaving the
			 * offset relative to the segment (not the file).
			 */
			offset = addr - phdr->p_vaddr;
			avail_file = phdr->p_filesz - offset;

			/*
			 * The addr/size are in bounds for this segment.
			 * Is there enough data in the file to satisfy
			 * the request? If zero_bytes is NULL, it must
			 * all be in the file. Otherwise it can be
			 * zero filled.
			 */
			if (zero_bytes == NULL) {
				if (size > avail_file)
					continue;
			} else {
				*zero_bytes = (size > avail_file) ?
				    (size - avail_file) : 0;
			}

			if (phdr_ret != NULL)
				*phdr_ret = phdr;

			/* Add segment file offset, giving overall offset */
			return (phdr->p_offset + offset);
		}
	}

	/* If we get here, the mapping failed */
	return (0);
}



/*
 * This routine is the same thing as map_addr_to_offset(), except that
 * it goes the other way, mapping from offset to virtual address.
 *
 * The comments for map_addr_to_offset() are applicable if you
 * reverse offset and address.
 */

static Addr
map_offset_to_addr(FSTATE *fstate, Off offset, size_t size, size_t *zero_bytes,
    Phdr **phdr_ret)
{
	Off	end_offset = offset + size;
	size_t	avail_file;
	Phdr	*phdr = fstate->phdr;
	size_t	phnum = fstate->phnum;

	for (; phnum--; phdr++) {
		if (phdr->p_type != PT_LOAD)
			continue;

		if ((offset >= phdr->p_offset) &&
		    (end_offset <= (phdr->p_offset + phdr->p_memsz))) {
			/*
			 * Subtract segment offset, leaving the
			 * offset relative to the segment (not the file).
			 */
			offset -= phdr->p_offset;
			avail_file = phdr->p_filesz - offset;

			/*
			 * The offset/size are in bounds for this segment.
			 * Is there enough data in the file to satisfy
			 * the request? If zero_bytes is NULL, it must
			 * all be in the file. Otherwise it can be
			 * zero filled.
			 */
			if (zero_bytes == NULL) {
				if (size > avail_file)
					continue;
			} else {
				*zero_bytes = (size > avail_file) ?
				    (size - avail_file) : 0;
			}

			if (phdr_ret != NULL)
				*phdr_ret = phdr;

			/* Add segment virtual address, giving overall addr */
			return (phdr->p_vaddr + offset);
		}
	}

	/* If we get here, the mapping failed */
	return (0);
}



/*
 * Use elf_xlatetom() to convert the bytes in buf from their
 * in-file representation to their in-memory representation.
 *
 * Returns True(1) for success. On failure, an error message is printed
 * and False(0) is returned.
 */
static int
xlate_data(FSTATE *fstate, void *buf, size_t nbyte, Elf_Type xlate_type)
{
	Elf_Data	data;

	data.d_type = xlate_type;
	data.d_size = nbyte;
	data.d_off = 0;
	data.d_align = 0;
	data.d_version = fstate->ehdr->e_version;
	data.d_buf = buf;

	if (elf_xlatetom(&data, &data,
	    fstate->ehdr->e_ident[EI_DATA]) == NULL) {
		failure(fstate->file, MSG_ORIG(MSG_ELF_XLATETOM));
		return (0);
	}

	return (1);
}


/*
 * Read nbytes of data into buf, starting at the specified offset
 * within the ELF file.
 *
 * entry:
 *	fstate - Object state
 *	offset - Offset within the file at which desired data resides.
 *	buf - Buffer to receive the data
 *	nbyte - # of bytes to read into buf
 *	xlate_type - An ELF xlate type, specifying the type of data
 *		being input. If xlate_type is ELF_T_BYTE, xlate is not
 *		done. Otherwise, xlate_data() is called to convert the
 *		data into its in-memory representation.
 * exit:
 *	On success, the data has been written into buf, xlate_data()
 *	called on it if required, and True(1) is returned. Otherwise
 *	False(0) is returned.
 *
 * note:
 *	This routine does not move the file pointer.
 */
static int
read_data(FSTATE *fstate, Off offset, void *buf, size_t nbyte,
    Elf_Type xlate_type)
{
	if (pread(fstate->fd, buf, nbyte, offset) != nbyte) {
		int err = errno;

		(void) fprintf(stderr, MSG_INTL(MSG_ERR_READ),
		    fstate->file, strerror(err));
		return (0);
	}

	if (xlate_type != ELF_T_BYTE)
		return (xlate_data(fstate, buf, nbyte, xlate_type));

	return (1);
}



/*
 * Read the hash nbucket/nchain values from the start of the hash
 * table found at the given virtual address in the mapped ELF object.
 *
 * On success, *nbucket, and *nchain have been filled in with their
 * values, *total contains the number of elements in the hash table,
 * and this routine returns True (1).
 *
 * On failure, False (0) is returned.
 */
static int
hash_size(FSTATE *fstate, SINFO *hash_sinfo,
    Word *nbucket, Word *nchain, size_t *total)
{
	Off		offset;
	Word		buf[2];

	offset = map_addr_to_offset(fstate, hash_sinfo->vaddr,
	    sizeof (buf), NULL, NULL);
	if (offset == 0)
		return (0);

	if (read_data(fstate, offset, buf, sizeof (buf), ELF_T_WORD) == 0)
		return (0);

	*nbucket = buf[0];
	*nchain = buf[1];
	*total = 2 + *nbucket + *nchain;
	return (1);
}



/*
 * Read a Verdef structure at the specified file offset and return
 * its vd_cnt, vd_aux, and vd_next fields.
 */
static int
read_verdef(FSTATE *fstate, Off offset, Half *cnt, Word *aux, Word *next)
{
	Verdef		verdef;

	if (read_data(fstate, offset, &verdef, sizeof (verdef),
	    ELF_T_BYTE) == 0)
		return (0);

	/* xlate vd_cnt */
	if (xlate_data(fstate, &verdef.vd_cnt, sizeof (verdef.vd_cnt),
	    ELF_T_HALF) == 0)
		return (0);

	/*
	 * xlate vd_aux and vd_next. These items are adjacent and are
	 * both Words, so they can be handled in a single operation.
	 */
	if (xlate_data(fstate, &verdef.vd_aux,
	    2 * sizeof (Word), ELF_T_WORD) == 0)
		return (0);

	*cnt = verdef.vd_cnt;
	*aux = verdef.vd_aux;
	*next = verdef.vd_next;

	return (1);
}



/*
 * Read a Verdaux structure at the specified file offset and return
 * its vda_next field.
 */
static int
read_verdaux(FSTATE *fstate, Off offset, Word *next)
{
	Verdaux		verdaux;

	if (read_data(fstate, offset, &verdaux, sizeof (verdaux),
	    ELF_T_BYTE) == 0)
		return (0);

	/* xlate vda_next */
	if (xlate_data(fstate, &verdaux.vda_next, sizeof (verdaux.vda_next),
	    ELF_T_WORD) == 0)
		return (0);

	*next = verdaux.vda_next;

	return (1);
}



/*
 * Read a Verneed structure at the specified file offset and return
 * its vn_cnt, vn_aux, and vn_next fields.
 */
static int
read_verneed(FSTATE *fstate, Off offset, Half *cnt, Word *aux, Word *next)
{
	Verneed		verneed;

	if (read_data(fstate, offset, &verneed, sizeof (verneed),
	    ELF_T_BYTE) == 0)
		return (0);

	/* xlate vn_cnt */
	if (xlate_data(fstate, &verneed.vn_cnt, sizeof (verneed.vn_cnt),
	    ELF_T_HALF) == 0)
		return (0);

	/*
	 * xlate vn_aux and vn_next. These items are adjacent and are
	 * both Words, so they can be handled in a single operation.
	 */
	if (xlate_data(fstate, &verneed.vn_aux,
	    2 * sizeof (Word), ELF_T_WORD) == 0)
		return (0);

	*cnt = verneed.vn_cnt;
	*aux = verneed.vn_aux;
	*next = verneed.vn_next;

	return (1);
}



/*
 * Read a Vernaux structure at the specified file offset and return
 * its vna_next field.
 */
static int
read_vernaux(FSTATE *fstate, Off offset, Word *next)
{
	Vernaux		vernaux;

	if (read_data(fstate, offset, &vernaux, sizeof (vernaux),
	    ELF_T_BYTE) == 0)
		return (0);

	/* xlate vna_next */
	if (xlate_data(fstate, &vernaux.vna_next, sizeof (vernaux.vna_next),
	    ELF_T_WORD) == 0)
		return (0);

	*next = vernaux.vna_next;

	return (1);
}



/*
 * Compute the size of Verdef and Verneed sections. Both of these
 * sections are made up of interleaved main nodes (Verdef and Verneed)
 * and auxiliary blocks (Verdaux and Vernaux). These nodes refer to
 * each other by relative offsets. The linker has a lot of flexibility
 * in how it lays out these items, and we cannot assume a standard
 * layout. To determine the size of the section, we must read each
 * main node and compute the high water mark of the memory it and its
 * auxiliary structs access.
 *
 * Although Verdef/Verdaux and Verneed/Vernaux are different types,
 * their logical organization is the same. Each main block has
 * a cnt field that tells how many auxiliary blocks it has, an
 * aux field that gives the offset of the first auxiliary block, and
 * an offset to the next main block. Each auxiliary block contains
 * an offset to the next auxiliary block. By breaking the type specific
 * code into separate sub-functions, we can process both Verdef and
 * sections Verdaux from a single routine.
 *
 * entry:
 *	fstate - Object state
 *	sec - Section to be processed (SINFO_T_VERDEF or SINFO_T_VERNEED).
 *
 * exit:
 *	On success, sec->size is set to the section size in bytes, and
 *	True (1) is returned. On failure, False (0) is returned.
 */
static int
verdefneed_size(FSTATE *fstate, SINFO *sec)
{
	int (* read_main)(FSTATE *, Off, Half *, Word *, Word *);
	int (* read_aux)(FSTATE *, Off, Word *);
	size_t	size_main, size_aux;

	Off	offset, aux_offset;
	Off	highwater, extent;
	size_t	num_main = sec->vercnt;
	Half	v_cnt;
	Word	v_aux, v_next, va_next;


	/*
	 * Set up the function pointers to the type-specific code
	 * for fetching data from the main and auxiliary blocks.
	 */
	if (sec->type == SINFO_T_VERDEF) {
		read_main = read_verdef;
		read_aux = read_verdaux;
		size_main = sizeof (Verdef);
		size_aux = sizeof (Verdaux);
	} else {			/* SINFO_T_VERNEED */
		read_main = read_verneed;
		read_aux = read_vernaux;
		size_main = sizeof (Verneed);
		size_aux = sizeof (Vernaux);
	}

	/*
	 * Map starting address to file offset. Save the starting offset
	 * in the SINFO size field. Once we have the high water offset, we
	 * can subtract this from it to get the size.
	 *
	 * Note: The size argument set here is a lower bound --- the
	 * size of the main blocks without any auxiliary ones. It's
	 * the best we can do until the size has been determined for real.
	 */
	offset = highwater = map_addr_to_offset(fstate, sec->vaddr,
	    size_main * num_main, NULL, NULL);
	if (offset == 0)
		return (0);
	sec->size = offset;

	for (; num_main-- > 0; offset += v_next) {
		/* Does this move the high water mark up? */
		extent = offset + size_main;
		if (extent > highwater)
			highwater = extent;

		if ((*read_main)(fstate, offset, &v_cnt, &v_aux, &v_next) == 0)
			return (0);

		/*
		 * If there are auxiliary structures referenced,
		 * check their position to see if it pushes
		 * the high water mark.
		 */
		aux_offset = offset + v_aux;
		for (; v_cnt-- > 0; aux_offset += va_next) {
			extent = aux_offset + size_aux;
			if (extent > highwater)
				highwater = extent;

			if ((*read_aux)(fstate, aux_offset, &va_next) == 0)
				return (0);
		}
	}

	sec->size = highwater - sec->size;
	return (1);
}


/*
 * Allocate and fill in a fake section header, data descriptor,
 * and data buffer for the given section. Fill them in and read
 * the associated data into the buffer.
 *
 * entry:
 *	fstate - Object state
 *	sec - Section information
 *
 * exit:
 *	On success, the actions described above are complete, and
 *	True (1) is returned.
 *
 *	On failure, an error is reported, all resources used by sec
 *	are released, and sec->type is set to SINFO_T_NULL, effectively
 *	eliminating its contents from any further use. False (0) is
 *	returned.
 */
static int
get_data(FSTATE *fstate, SINFO *sec)
{

	SINFO_DATA	*tinfo;
	size_t		read_bytes, zero_bytes;
	Phdr		*phdr = NULL;

	/*
	 * If this is a NULL section, or if we've already processed
	 * this item, then we are already done.
	 */
	if ((sec->type == SINFO_T_NULL) || (sec->shdr != NULL))
		return (1);

	if (((sec->shdr = malloc(sizeof (*sec->shdr))) == NULL) ||
	    ((sec->data = malloc(sizeof (*sec->data))) == NULL)) {
		int err = errno;
		sinfo_free(sec, 1);
		(void) fprintf(stderr, MSG_INTL(MSG_ERR_MALLOC),
		    fstate->file, strerror(err));
		return (0);
	}
	tinfo = &sinfo_data[sec->type];



	/*
	 * Fill in fake section header
	 *
	 * sh_name should be the offset of the name in the shstrtab
	 * section referenced by the ELF header. There is no
	 * value to elfdump in creating shstrtab, so we set
	 * sh_name to 0, knowing that elfdump doesn't look at it.
	 */
	sec->shdr->sh_name = 0;
	sec->shdr->sh_type = tinfo->sh_type;
	sec->shdr->sh_flags = tinfo->sh_flags;
	if ((tinfo->sh_flags & SHF_ALLOC) == 0) {
		/*
		 * Non-allocable section: Pass the addr (which is probably
		 * 0) and offset through without inspection.
		 */
		sec->shdr->sh_addr = sec->vaddr;
		sec->shdr->sh_offset = sec->offset;
		zero_bytes = 0;
	} else if (sec->vaddr == 0) {
		/*
		 * Allocable section with a 0 vaddr. Figure out the
		 * real address by mapping the offset to it using the
		 * program headers.
		 */
		sec->shdr->sh_addr = map_offset_to_addr(fstate, sec->offset,
		    sec->size, &zero_bytes, &phdr);
		sec->shdr->sh_offset = sec->offset;
	} else {
		/*
		 * Allocable section with non-0 vaddr. Use the vaddr
		 * to derive the offset.
		 */
		sec->shdr->sh_addr = sec->vaddr;
		sec->shdr->sh_offset = map_addr_to_offset(fstate,
		    sec->vaddr, sec->size, &zero_bytes, &phdr);
	}
	if (sec->shdr->sh_offset == 0) {
		sinfo_free(sec, 1);
		return (0);
	}
	/*
	 * If the program header has its write flags set, then set
	 * the section write flag.
	 */
	if (phdr && ((phdr->p_flags & PF_W) != 0))
		sec->shdr->sh_flags |= SHF_WRITE;
	sec->shdr->sh_size = sec->size;
	sec->shdr->sh_link = 0;
	sec->shdr->sh_info = 0;
	sec->shdr->sh_addralign = tinfo->sh_addralign;
	sec->shdr->sh_entsize = tinfo->sh_entsize;

	/*
	 * Some sections define special meanings for sh_link and sh_info.
	 */
	switch (tinfo->sh_type) {
	case SHT_DYNAMIC:
		sec->shdr->sh_link = SINFO_T_DYNSTR;
		break;

	case SHT_DYNSYM:
		sec->shdr->sh_link = SINFO_T_DYNSTR;
		sec->shdr->sh_info = 1;	/* First global symbol */
		break;

	case SHT_SUNW_LDYNSYM:
		sec->shdr->sh_link = SINFO_T_DYNSTR;
		/*
		 * ldynsym is all local symbols, so the index of the
		 * first global is equivalent to the number of symbols.
		 */
		sec->shdr->sh_info = sec->shdr->sh_size / sizeof (Sym);
		break;

	case SHT_HASH:
	case SHT_SUNW_move:
	case SHT_REL:
	case SHT_RELA:
	case SHT_SUNW_versym:
		sec->shdr->sh_link = SINFO_T_DYNSYM;
		break;

	case SHT_SUNW_verdef:
	case SHT_SUNW_verneed:
		sec->shdr->sh_link = SINFO_T_DYNSTR;
		sec->shdr->sh_info = sec->vercnt;
		break;

	case SHT_SUNW_syminfo:
		sec->shdr->sh_link = SINFO_T_DYNSYM;
		sec->shdr->sh_info = SINFO_T_DYN;
		break;

	case SHT_SUNW_symsort:
	case SHT_SUNW_tlssort:
		sec->shdr->sh_link = SINFO_T_LDYNSYM;
		break;
	}



	/* Fill in fake Elf_Data descriptor */
	sec->data->d_type = tinfo->libelf_type;
	sec->data->d_size = sec->size;
	sec->data->d_off = 0;
	sec->data->d_align = tinfo->sh_addralign;
	sec->data->d_version = fstate->ehdr->e_version;

	if (sec->size == 0) {
		sec->data->d_buf = NULL;
		return (1);
	}

	if ((sec->data->d_buf = malloc(sec->size)) == NULL) {
		int err = errno;

		sinfo_free(sec, 1);
		(void) fprintf(stderr, MSG_INTL(MSG_ERR_MALLOC),
		    fstate->file, strerror(err));
		return (0);
	}

	read_bytes = sec->size - zero_bytes;
	if ((read_bytes > 0) &&
	    (read_data(fstate, sec->shdr->sh_offset, sec->data->d_buf,
	    read_bytes, ELF_T_BYTE) == 0)) {
		sinfo_free(sec, 1);
		return (0);
	}
	if (zero_bytes > 0)
		bzero(read_bytes + (char *)sec->data->d_buf, zero_bytes);

	if ((tinfo->libelf_type != ELF_T_BYTE) &&
	    (elf_xlatetom(sec->data, sec->data,
	    fstate->ehdr->e_ident[EI_DATA]) == NULL)) {
		sinfo_free(sec, 1);
		failure(fstate->file, MSG_ORIG(MSG_ELF_XLATETOM));
		return (0);
	}

	return (1);
}



/*
 * Generate a section header cache made up of information derived
 * from the program headers.
 *
 * entry:
 *	file - Name of object
 *	fd - Open file handle for object
 *	elf - ELF descriptor
 *	ehdr - Elf header
 *	cache, shnum - Addresses of variables to receive resulting
 *		cache and number of sections.
 *
 * exit:
 *	On success, *cache and *shnum are set, and True (1) is returned.
 *	On failure, False (0) is returned.
 *
 * note:
 *	The cache returned by this routine must be freed using
 *	fake_shdr_cache_free(), and not by a direct call to free().
 *	Otherwise, memory will leak.
 */
int
fake_shdr_cache(const char *file, int fd, Elf *elf, Ehdr *ehdr,
    Cache **cache, size_t *shnum)
{
	/*
	 * The C language guarantees that a structure of homogeneous
	 * items will receive exactly the same layout in a structure
	 * as a plain array of the same type. Hence, this structure, which
	 * gives us by-name or by-index access to the various section
	 * info descriptors we maintain.
	 *
	 * We use this for sections where
	 *	- Only one instance is allowed
	 *	- We need to be able to access them easily by
	 *		name (for instance, when mining the .dynamic
	 *		section for information to build them up.
	 *
	 * NOTE: These fields must be in the same order as the
	 * SINFO_T_ type codes that correspond to them. Otherwise,
	 * they will end up in the wrong order in the cache array,
	 * and the sh_link/sh_info fields may be wrong.
	 */
	struct {
		/* Note: No entry is needed for SINFO_T_NULL */
		SINFO	dyn;
		SINFO	dynstr;
		SINFO	dynsym;
		SINFO	ldynsym;

		SINFO	hash;
		SINFO	syminfo;
		SINFO	symsort;
		SINFO	tlssort;
		SINFO	verneed;
		SINFO	verdef;
		SINFO	versym;
		SINFO	interp;
		SINFO	cap;
		SINFO	capinfo;
		SINFO	capchain;
		SINFO	unwind;
		SINFO	move;
		SINFO	rel;
		SINFO	rela;
		SINFO	preinitarr;
		SINFO	initarr;
		SINFO	finiarr;
	} sec;
	static const size_t sinfo_n = sizeof (sec) / sizeof (sec.dyn);
	SINFO *secarr = (SINFO *) &sec;

	/*
	 * Doubly linked circular list, used to track sections
	 * where multiple sections of a given type can exist.
	 * seclist is the root of the list. Its sinfo field is not
	 * used --- it serves to anchor the root of the list, allowing
	 * rapid access to the first and last element in the list.
	 */
	SINFO_LISTELT	seclist;

	FSTATE		fstate;
	size_t		ndx;
	size_t		num_sinfo, num_list_sinfo;
	SINFO		*sinfo;
	SINFO_LISTELT	*sinfo_list;
	Cache		*_cache;


	fstate.file = file;
	fstate.fd = fd;
	fstate.ehdr = ehdr;
	if (elf_getphdrnum(elf, &fstate.phnum) == -1) {
		failure(file, MSG_ORIG(MSG_ELF_GETPHDRNUM));
		return (0);
	}
	if ((fstate.phdr = elf_getphdr(elf)) == NULL) {
		failure(file, MSG_ORIG(MSG_ELF_GETPHDR));
		return (0);
	}

	bzero(&sec, sizeof (sec));	/* Initialize "by-name" sec info */
	seclist.next = seclist.prev = &seclist;	  /* Empty circular list */

	/*
	 * Go through the program headers and look for information
	 * we can use to synthesize section headers. By far the most
	 * valuable thing is a dynamic section, the contents of
	 * which point at all sections used by ld.so.1.
	 */
	for (ndx = 0; ndx < fstate.phnum; ndx++) {
		/*
		 * A program header with no file size does
		 * not have a backing section.
		 */
		if (fstate.phdr[ndx].p_filesz == 0)
			continue;


		switch (fstate.phdr[ndx].p_type) {
		default:
			/* Header we can't use. Move on to next one */
			continue;

		case PT_DYNAMIC:
			sec.dyn.type = SINFO_T_DYN;
			sinfo = &sec.dyn;
			break;

		case PT_INTERP:
			sec.interp.type = SINFO_T_INTERP;
			sinfo = &sec.interp;
			break;

		case PT_NOTE:
			if ((sinfo = sinfo_list_alloc(&fstate, &seclist)) ==
			    NULL)
				continue;
			sinfo->type = SINFO_T_NOTE;
			break;

		case PT_SUNW_UNWIND:
		case PT_SUNW_EH_FRAME:
			sec.unwind.type = SINFO_T_UNWIND;
			sinfo = &sec.unwind;
			break;

		case PT_SUNWCAP:
			sec.cap.type = SINFO_T_CAP;
			sinfo = &sec.cap;
			break;
		}

		/*
		 * Capture the position/extent information for
		 * the header in the SINFO struct set up by the
		 * switch statement above.
		 */
		sinfo->vaddr = fstate.phdr[ndx].p_vaddr;
		sinfo->offset = fstate.phdr[ndx].p_offset;
		sinfo->size = fstate.phdr[ndx].p_filesz;
	}

	/*
	 * If we found a dynamic section, look through it and
	 * gather information about the sections it references.
	 */
	if (sec.dyn.type == SINFO_T_DYN)
		(void) get_data(&fstate, &sec.dyn);
	if ((sec.dyn.type == SINFO_T_DYN) && (sec.dyn.data->d_buf != NULL)) {
		Dyn *dyn;
		for (dyn = sec.dyn.data->d_buf; dyn->d_tag != DT_NULL; dyn++) {
			switch (dyn->d_tag) {
			case DT_HASH:
				sec.hash.type = SINFO_T_HASH;
				sec.hash.vaddr = dyn->d_un.d_ptr;
				break;

			case DT_STRTAB:
				sec.dynstr.type = SINFO_T_DYNSTR;
				sec.dynstr.vaddr = dyn->d_un.d_ptr;
				break;

			case DT_SYMTAB:
				sec.dynsym.type = SINFO_T_DYNSYM;
				sec.dynsym.vaddr = dyn->d_un.d_ptr;
				break;

			case DT_RELA:
				sec.rela.type = SINFO_T_RELA;
				sec.rela.vaddr = dyn->d_un.d_ptr;
				break;

			case DT_RELASZ:
				sec.rela.size = dyn->d_un.d_val;
				break;

			case DT_STRSZ:
				sec.dynstr.size = dyn->d_un.d_val;
				break;

			case DT_REL:
				sec.rel.type = SINFO_T_REL;
				sec.rel.vaddr = dyn->d_un.d_ptr;
				break;

			case DT_RELSZ:
				sec.rel.size = dyn->d_un.d_val;
				break;

			case DT_INIT_ARRAY:
				sec.initarr.type = SINFO_T_INITARR;
				sec.initarr.vaddr = dyn->d_un.d_ptr;
				break;

			case DT_INIT_ARRAYSZ:
				sec.initarr.size = dyn->d_un.d_val;
				break;

			case DT_FINI_ARRAY:
				sec.finiarr.type = SINFO_T_FINIARR;
				sec.finiarr.vaddr = dyn->d_un.d_ptr;
				break;

			case DT_FINI_ARRAYSZ:
				sec.finiarr.size = dyn->d_un.d_val;
				break;

			case DT_PREINIT_ARRAY:
				sec.preinitarr.type = SINFO_T_PREINITARR;
				sec.preinitarr.vaddr = dyn->d_un.d_ptr;
				break;

			case DT_PREINIT_ARRAYSZ:
				sec.preinitarr.size = dyn->d_un.d_val;
				break;

			case DT_SUNW_CAPINFO:
				sec.capinfo.type = SINFO_T_CAPINFO;
				sec.capinfo.vaddr = dyn->d_un.d_ptr;
				break;

			case DT_SUNW_CAPCHAIN:
				sec.capchain.type = SINFO_T_CAPCHAIN;
				sec.capchain.vaddr = dyn->d_un.d_ptr;
				break;

			case DT_SUNW_SYMTAB:
				sec.ldynsym.type = SINFO_T_LDYNSYM;
				sec.ldynsym.vaddr = dyn->d_un.d_ptr;
				break;

			case DT_SUNW_SYMSZ:
				sec.ldynsym.size = dyn->d_un.d_val;
				break;

			case DT_SUNW_SYMSORT:
				sec.symsort.type = SINFO_T_SYMSORT;
				sec.symsort.vaddr = dyn->d_un.d_ptr;
				break;

			case DT_SUNW_SYMSORTSZ:
				sec.symsort.size = dyn->d_un.d_val;
				break;

			case DT_SUNW_TLSSORT:
				sec.tlssort.type = SINFO_T_TLSSORT;
				sec.tlssort.vaddr = dyn->d_un.d_ptr;
				break;

			case DT_SUNW_TLSSORTSZ:
				sec.tlssort.size = dyn->d_un.d_val;
				break;

			case DT_MOVETAB:
				sec.move.type = SINFO_T_MOVE;
				sec.move.vaddr = dyn->d_un.d_ptr;
				break;

			case DT_MOVESZ:
				sec.move.size = dyn->d_un.d_val;
				break;

			case DT_SYMINFO:
				sec.syminfo.type = SINFO_T_SYMINFO;
				sec.syminfo.vaddr = dyn->d_un.d_ptr;
				break;

			case DT_SYMINSZ:
				sec.syminfo.size = dyn->d_un.d_val;
				break;

			case DT_VERSYM:
				sec.versym.type = SINFO_T_VERSYM;
				sec.versym.vaddr = dyn->d_un.d_ptr;
				break;

			case DT_VERDEF:
				sec.verdef.type = SINFO_T_VERDEF;
				sec.verdef.vaddr = dyn->d_un.d_ptr;
				break;

			case DT_VERDEFNUM:
				sec.verdef.vercnt = dyn->d_un.d_val;
				sec.verdef.size = sizeof (Verdef) *
				    dyn->d_un.d_val;
				break;

			case DT_VERNEED:
				sec.verneed.type = SINFO_T_VERNEED;
				sec.verneed.vaddr = dyn->d_un.d_ptr;
				break;

			case DT_VERNEEDNUM:
				sec.verneed.vercnt = dyn->d_un.d_val;
				sec.verneed.size = sizeof (Verneed) *
				    dyn->d_un.d_val;
				break;
			}
		}
	}

	/*
	 * Different sections depend on each other, and are meaningless
	 * without them. For instance, even if a .dynsym exists,
	 * no use can be made of it without a dynstr. These relationships
	 * fan out: Disqualifying the .dynsym will disqualify the hash
	 * section, and so forth.
	 *
	 * Disqualify sections that don't have the necessary prerequisites.
	 */

	/* Things that need the dynamic string table */
	if (sec.dynstr.size == 0)
		sec.dynstr.type = SINFO_T_NULL;
	if (sec.dynstr.type != SINFO_T_DYNSTR) {
		sinfo_free(&sec.dyn, 1);	/* Data already fetched */
		sec.dynsym.type =  SINFO_T_NULL;
		sec.dynsym.type =  SINFO_T_NULL;
		sec.verdef.type =  SINFO_T_NULL;
		sec.verneed.type =  SINFO_T_NULL;
	}

	/*
	 * The length of the hash section is encoded in its first two
	 * elements (nbucket, and nchain). The length of the dynsym,
	 * ldynsym, and versym are not given in the dynamic section,
	 * but are known to be the same as nchain.
	 *
	 * If we don't have a hash table, or cannot read nbuckets and
	 * nchain, we have to invalidate all of these.
	 */
	if (sec.hash.type == SINFO_T_HASH) {
		Word nbucket;
		Word nchain;
		size_t total;

		if (hash_size(&fstate, &sec.hash,
		    &nbucket, &nchain, &total) == 0) {
			sec.hash.type = SINFO_T_NULL;
		} else {
			/* Use these counts to set sizes for related sections */
			sec.hash.size = total * sizeof (Word);
			sec.dynsym.size = nchain * sizeof (Sym);
			sec.versym.size = nchain * sizeof (Versym);

			/*
			 * The ldynsym size received the DT_SUNW_SYMSZ
			 * value, which is the combined size of .dynsym
			 * and .ldynsym. Now that we have the dynsym size,
			 * use it to lower the ldynsym size to its real size.
			 */
			if (sec.ldynsym.size > sec.dynsym.size)
				sec.ldynsym.size  -= sec.dynsym.size;
		}
	}
	/*
	 * If the hash table is not present, or if the call to
	 * hash_size() failed, then discard the sections that
	 * need it to determine their length.
	 */
	if (sec.hash.type != SINFO_T_HASH) {
		sec.dynsym.type = SINFO_T_NULL;
		sec.ldynsym.type = SINFO_T_NULL;
		sec.versym.type = SINFO_T_NULL;
	}

	/*
	 * The runtime linker does not receive size information for
	 * Verdef and Verneed sections. We have to read their data
	 * in pieces and calculate it.
	 */
	if ((sec.verdef.type == SINFO_T_VERDEF) &&
	    (verdefneed_size(&fstate, &sec.verdef) == 0))
		sec.verdef.type = SINFO_T_NULL;
	if ((sec.verneed.type == SINFO_T_VERNEED) &&
	    (verdefneed_size(&fstate, &sec.verneed) == 0))
		sec.verneed.type = SINFO_T_NULL;

	/* Discard any section with a zero length */
	ndx = sinfo_n;
	for (sinfo = secarr; ndx-- > 0; sinfo++)
		if ((sinfo->type != SINFO_T_NULL) && (sinfo->size == 0))
			sinfo->type = SINFO_T_NULL;

	/* Things that need the dynamic symbol table */
	if (sec.dynsym.type != SINFO_T_DYNSYM) {
		sec.ldynsym.type = SINFO_T_NULL;
		sec.hash.type = SINFO_T_NULL;
		sec.syminfo.type = SINFO_T_NULL;
		sec.versym.type = SINFO_T_NULL;
		sec.move.type = SINFO_T_NULL;
		sec.rel.type = SINFO_T_NULL;
		sec.rela.type = SINFO_T_NULL;
	}

	/* Things that need the dynamic local symbol table */
	if (sec.ldynsym.type != SINFO_T_DYNSYM) {
		sec.symsort.type = SINFO_T_NULL;
		sec.tlssort.type = SINFO_T_NULL;
	}

	/*
	 * Look through the results and fetch the data for any sections
	 * we have found. At the same time, count the number.
	 */
	num_sinfo = num_list_sinfo = 0;
	ndx = sinfo_n;
	for (sinfo = secarr; ndx-- > 0; sinfo++) {
		if ((sinfo->type != SINFO_T_NULL) && (sinfo->data == NULL))
			(void) get_data(&fstate, sinfo);
		if (sinfo->data != NULL)
			num_sinfo++;
	}
	for (sinfo_list = seclist.next; sinfo_list != &seclist;
	    sinfo_list = sinfo_list->next) {
		sinfo = &sinfo_list->sinfo;
		if ((sinfo->type != SINFO_T_NULL) && (sinfo->data == NULL))
			(void) get_data(&fstate, sinfo);
		if (sinfo->data != NULL)
			num_list_sinfo++;
	}

	/*
	 * Allocate the cache array and fill it in. The cache array
	 * ends up taking all the dynamic memory we've allocated
	 * to build up sec and seclist, so on success, we have nothing
	 * left to clean up. If we can't allocate the cache array
	 * though, we have to free up everything else.
	 */
	*shnum = num_sinfo + num_list_sinfo + 1; /* Extra for 1st NULL sec. */
	if ((*cache = _cache = malloc((*shnum) * sizeof (Cache))) == NULL) {
		int err = errno;
		(void) fprintf(stderr, MSG_INTL(MSG_ERR_MALLOC),
		    file, strerror(err));
		sinfo_free(secarr, num_sinfo);
		sinfo_list_free_all(&seclist);
		return (0);
	}
	*_cache = cache_init;
	_cache++;
	ndx = 1;
	for (sinfo = secarr; num_sinfo > 0; sinfo++) {
		if (sinfo->data != NULL) {
			_cache->c_scn = NULL;
			_cache->c_shdr = sinfo->shdr;
			_cache->c_data = sinfo->data;
			_cache->c_name = (char *)sinfo_data[sinfo->type].name;
			_cache->c_ndx = ndx++;
			_cache++;
			num_sinfo--;
		}
	}
	for (sinfo_list = seclist.next; num_list_sinfo > 0;
	    sinfo_list = sinfo_list->next) {
		sinfo = &sinfo_list->sinfo;
		if (sinfo->data != NULL) {
			_cache->c_scn = NULL;
			_cache->c_shdr = sinfo->shdr;
			_cache->c_data = sinfo->data;
			_cache->c_name = (char *)sinfo_data[sinfo->type].name;
			_cache->c_ndx = ndx++;
			_cache++;
			num_list_sinfo--;
		}
	}

	return (1);
}





/*
 * Release all the memory referenced by a cache array allocated
 * by fake_shdr_cache().
 */
void
fake_shdr_cache_free(Cache *cache, size_t shnum)
{
	Cache *_cache;

	for (_cache = cache; shnum--; _cache++) {
		if (_cache->c_data != NULL) {
			if (_cache->c_data->d_buf != NULL)
				free(_cache->c_data->d_buf);
			free(_cache->c_data);
		}
		if (_cache->c_shdr)
			free(_cache->c_shdr);
	}

	free(cache);
}