Parsing custom note from core file using libdwfl APIs

Luca Boccassi
Wed Mar 24 18:58:20 GMT 2021


I am trying to use libdwfl parse a core file and extract a custom note
added at link time via a script to the executable that crashes.

I am having issues, as it seems the API to iterate over the PT_NOTE
entries only returns the ones added by the kernel (ie: 6 CORE and 1
LINUX notes).

The note is clearly present in the core, just after the build-id note,
it is visible when opening the core with an hex editor.

The note is also visible in memory after the build-id note when
stepping through the dwfl_segment_report_module() function via gdb, in
the bit where it parses the build-id note. I can see my note just after

I have tried several variations of the following (much shortened for
brevity) snippet, called after dwfl_core_file_report(dwfl, elfl, NULL),
without any luck:

size_t n_program_headers;
elf_getphdrnum(elf, &n_program_headers);
for (size_t i = 0; i < n_program_headers; ++i) {
        GElf_Phdr mem;
        GElf_Phdr *header = gelf_getphdr(elf, i, &mem);

        if (header == NULL || header->p_type != PT_NOTE)

        Elf_Data *data = elf_getdata_rawchunk(elf,
                                              header->p_align == 8 ? ELF_T_NHDR8 : ELF_T_NHDR);
        GElf_Nhdr note_header;
        size_t offset = 0;
        size_t name_offset, desc_offset;
        while (offset < data->d_size && (offset = gelf_getnote(data, offset, &note_header, &name_offset, &desc_offset)) > 0) {
                if (note_header.n_namesz == 0)
                const char *nname = (const char *)data->d_buf + name_offset;
                const char *desc = (const char *)data->d_buf + desc_offset;
                if (memcmp(nname, "TBD", 3) == 0)

Any idea what I am doing wrong or what I am missing?

The note is added via the following linker script:

    .note.package ALIGN(8): {
        BYTE(0x04) BYTE(0x00) BYTE(0x00) BYTE(0x00) /* Length of Owner including NUL */
        BYTE(0x4a) BYTE(0x00) BYTE(0x00) BYTE(0x00) /* Length of Value including NUL */
        BYTE(0x00) BYTE(0x33) BYTE(0xdd) BYTE(0x7a) /* Note ID */
        BYTE(0x54) BYTE(0x42) BYTE(0x44) BYTE(0x00) /* Owner: 'TBD\x00' */
        BYTE(0x7b) BYTE(0x22) BYTE(0x70) BYTE(0x61) /* Value: '{"packageType":"deb","package":"fsverity-utils","packageVersion":"1.3-1"}\x00\x00\x00' */
        BYTE(0x63) BYTE(0x6b) BYTE(0x61) BYTE(0x67)
        BYTE(0x65) BYTE(0x54) BYTE(0x79) BYTE(0x70)
        BYTE(0x65) BYTE(0x22) BYTE(0x3a) BYTE(0x22)
        BYTE(0x64) BYTE(0x65) BYTE(0x62) BYTE(0x22)
        BYTE(0x2c) BYTE(0x22) BYTE(0x70) BYTE(0x61)
        BYTE(0x63) BYTE(0x6b) BYTE(0x61) BYTE(0x67)
        BYTE(0x65) BYTE(0x22) BYTE(0x3a) BYTE(0x22)
        BYTE(0x66) BYTE(0x73) BYTE(0x76) BYTE(0x65)
        BYTE(0x72) BYTE(0x69) BYTE(0x74) BYTE(0x79)
        BYTE(0x2d) BYTE(0x75) BYTE(0x74) BYTE(0x69)
        BYTE(0x6c) BYTE(0x73) BYTE(0x22) BYTE(0x2c)
        BYTE(0x22) BYTE(0x70) BYTE(0x61) BYTE(0x63)
        BYTE(0x6b) BYTE(0x61) BYTE(0x67) BYTE(0x65)
        BYTE(0x56) BYTE(0x65) BYTE(0x72) BYTE(0x73)
        BYTE(0x69) BYTE(0x6f) BYTE(0x6e) BYTE(0x22)
        BYTE(0x3a) BYTE(0x22) BYTE(0x31) BYTE(0x2e)
        BYTE(0x33) BYTE(0x2d) BYTE(0x31) BYTE(0x22)
        BYTE(0x7d) BYTE(0x00) BYTE(0x00) BYTE(0x00)

Kind regards,
Luca Boccassi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the Elfutils-devel mailing list