Reputation: 33
I'm learning the ELF file format and want to know how to patch an ELF file. This book, ELF_Format.pdf, says at page 8:
Although the figure shows the program header table immediately after the ELF header, and the section header table following the sections, actual files may differ. Moreover, sections and segments have no specified order. Only the ELF header has a fixed position in the file.
Out of curiosity, I copied the Program Header and appended it to the end of the ELF, like this:
1. dd if=test.elf skip=64 bs=1 count=504 of=program_header.bin
   (copy the original program header: PH offset=64, PH entry size=56, PH entry num=9)
2. cat program_header.bin >> test.elf
   (append the program header to the end of the ELF file)
3. Edit e_phoff in the ELF header to point to the copied program header from step 2.
After that, readelf -l test.elf showed that the Program Header had changed successfully:
But when I try to execute the modified ELF, a `Segmentation fault` happens:
[root@localhost 1]# ./test.elf
Segmentation fault (core dumped)
[root@localhost 1]# ls
program_header.bin test.elf test.elf.54214.core
[root@localhost 1]#
[root@localhost 1]# gdb test.elf -c test.elf.54214.core
GNU gdb (GDB) Rocky Linux 10.2-13.el9
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from test.elf...
(No debugging symbols found in test.elf)
[New LWP 54214]
warning: Section `.reg-xstate/54214' in core file too small.
Core was generated by `./test.elf'.
Program terminated with signal SIGSEGV, Segmentation fault.
warning: Section `.reg-xstate/54214' in core file too small.
#0 0x00007fad7fcc2b38 in ?? ()
(gdb) bt
#0 0x00007fad7fcc2b38 in ?? ()
#1 0x0000000000000000 in ?? ()
(gdb)
I want to know: is there something position-sensitive about the Program Header? What causes the core dump?
I tried to find the answer in the ELF format manual and by googling, but could not find it.
Upvotes: 2
Views: 82
Reputation: 114
To figure out which segment holds the program header table, the loader uses e_phoff:
    /*
     * Figure out which segment in the file contains the Program
     * Header table, and map to the associated memory address.
     */
    if (elf_ppnt->p_offset <= elf_ex->e_phoff &&
        elf_ex->e_phoff < elf_ppnt->p_offset + elf_ppnt->p_filesz) {
        phdr_addr = elf_ex->e_phoff - elf_ppnt->p_offset +
                    elf_ppnt->p_vaddr;
    }
You can look up the source code here.
But as you said, the appended phdr table does not lie within the boundaries of any of the program headers' segments; therefore the loader is not able to correctly determine the corresponding virtual address for the program header table, because no segment will hold the copied table.
The solution is to either add a new program header which describes a loadable segment holding the appended phdr table, or append the phdr table to the last loadable section and then edit the headers accordingly.
Upvotes: 0
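Added example (not from the question, the answer or the kernel source): a C program that builds a constructed ELF64 image, reproduces the dd/cat/e_phoff patch from the question, applies the first fix the answer suggests (a new PT_LOAD that maps the appended table), and runs the same e_phoff-inside-PT_LOAD test that the quoted load_elf_binary() code performs. The struct definitions mirror Elf64_Ehdr/Elf64_Phdr so no system header is needed; the image contents, the 0x400000/0x600000 addresses and all function names are assumptions made for this example. The kernel passes the address it computes here to the dynamic loader in the AT_PHDR auxiliary-vector entry, which is why a table that no PT_LOAD covers matters at run time even though the original table is still present in the file.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal mirrors of Elf64_Ehdr / Elf64_Phdr with the layout <elf.h> uses. */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine; uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff; uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Ehdr;                                          /* 64 bytes */
typedef struct {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} Phdr;                                          /* 56 bytes */
#define PT_LOAD 1
#define PT_PHDR 6
#define IMG_SIZE 0x3000                          /* scratch buffer for the constructed file */

static Ehdr read_ehdr(const uint8_t *img) { Ehdr e; memcpy(&e, img, sizeof e); return e; }

/* Same test as the kernel's load_elf_binary(): find the PT_LOAD whose file range
 * [p_offset, p_offset + p_filesz) contains e_phoff and map that offset to a vaddr.
 * Returns 1 and sets *phdr_addr, or 0 when no PT_LOAD covers the table. Only the
 * table e_phoff points at is read; a stale copy elsewhere is never consulted. */
static int find_phdr_vaddr(const uint8_t *img, size_t len, uint64_t *phdr_addr)
{
    if (len < sizeof(Ehdr)) return 0;
    Ehdr eh = read_ehdr(img);                    /* memcpy-based read: no unaligned loads */
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) || eh.e_phentsize != sizeof(Phdr) ||
        eh.e_phoff > len || (uint64_t)eh.e_phnum * sizeof(Phdr) > len - eh.e_phoff)
        return 0;                                /* bad magic, or table not inside the file */
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        Phdr ph; memcpy(&ph, img + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_LOAD && ph.p_offset <= eh.e_phoff &&
            eh.e_phoff < ph.p_offset + ph.p_filesz) {
            *phdr_addr = eh.e_phoff - ph.p_offset + ph.p_vaddr;
            return 1;
        }
    }
    return 0;
}

/* Constructed ELF64 image (not a real binary): header at 0, phdr table at 64 with a
 * PT_PHDR entry and one PT_LOAD mapping file bytes [0, 0x1000) at 0x400000. */
static size_t build_original(uint8_t *img)
{
    Ehdr eh = {0};
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 2; eh.e_ident[5] = 1; eh.e_ident[6] = 1;   /* ELFCLASS64, LSB, EV_CURRENT */
    eh.e_type = 2; eh.e_machine = 62; eh.e_version = 1;       /* ET_EXEC, EM_X86_64 */
    eh.e_phoff = 64; eh.e_ehsize = 64; eh.e_phentsize = 56; eh.e_phnum = 2;
    Phdr ph[2] = { { PT_PHDR, 4, 64, 0x400040, 0x400040, 112, 112, 8 },
                   { PT_LOAD, 5, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000 } };
    memset(img, 0, IMG_SIZE);
    memcpy(img, &eh, sizeof eh);
    memcpy(img + 64, ph, sizeof ph);
    return 0x1000;                               /* file length */
}

/* The poster's patch (dd + cat + editing e_phoff): append a copy of the phdr table
 * to the end of the file and point e_phoff at the copy. Returns the new length. */
static size_t append_phdr_copy(uint8_t *img, size_t len)
{
    Ehdr eh = read_ehdr(img);
    size_t tbl = (size_t)eh.e_phnum * eh.e_phentsize;
    memcpy(img + len, img + eh.e_phoff, tbl);
    eh.e_phoff = len; memcpy(img, &eh, sizeof eh);
    return len + tbl;
}

/* The fix from the answer: append one more entry, a read-only PT_LOAD mapping the
 * relocated table (vaddr chosen so p_vaddr % p_align == p_offset % p_align). A real
 * file would also need its PT_PHDR entry updated to the new location. */
static size_t add_load_for_copy(uint8_t *img, size_t len)
{
    Ehdr eh = read_ehdr(img);
    uint64_t tbl = (uint64_t)(eh.e_phnum + 1) * eh.e_phentsize;
    uint64_t vaddr = 0x600000 + eh.e_phoff;
    Phdr ld = { PT_LOAD, 4, eh.e_phoff, vaddr, vaddr, tbl, tbl, 0x1000 };
    memcpy(img + eh.e_phoff + (size_t)eh.e_phnum * eh.e_phentsize, &ld, sizeof ld);
    eh.e_phnum += 1; memcpy(img, &eh, sizeof eh);
    return len + eh.e_phentsize;
}

/* variant 0: original; 1: after the poster's patch; 2: patch plus the fix. */
static int check_variant(int variant, uint64_t *phdr_addr)
{
    static uint8_t img[IMG_SIZE];
    size_t len = build_original(img);
    if (variant >= 1) len = append_phdr_copy(img, len);
    if (variant >= 2) len = add_load_for_copy(img, len);
    *phdr_addr = 0;
    return find_phdr_vaddr(img, len, phdr_addr);
}

int main(void)
{
    for (int v = 0; v < 3; v++) {
        uint64_t addr; int ok = check_variant(v, &addr);
        printf("variant %d: %s, phdr_addr = 0x%llx\n", v, ok ? "covered" : "NOT covered", (unsigned long long)addr);
    }
    return 0;
}
```

Variant 0 resolves to 0x400040, variant 1 (the question's patch) finds no covering PT_LOAD, and variant 2 resolves to 0x601000 once a segment maps the relocated table. The same find_phdr_vaddr check can be pointed at a real file read into memory to verify a hand-patched binary before running it.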
Reputation: 33
I found a description of PT_PHDR in ELF_Format.pdf at page 34:
Moreover, it may occur only if the program header table is part of the memory image of the program.
Maybe this is the reason. After my modifications to the ELF file, the program header no longer belongs to any segment (and is of course NOT part of the memory image of the program).
But the original program header table is still there, so I still wonder why the crash happens.
Upvotes: 0