linker.c revision bc3a5c26f1b9cf29da6abfc3e197258ef4c03362
1/* 2 * Copyright (C) 2008 The Android Open Source Project 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * * Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * * Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in 12 * the documentation and/or other materials provided with the 13 * distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 16 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 18 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 19 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS 22 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT 25 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29#include <linux/auxvec.h> 30 31#include <stdio.h> 32#include <stdlib.h> 33#include <string.h> 34#include <unistd.h> 35#include <fcntl.h> 36#include <errno.h> 37#include <dlfcn.h> 38#include <sys/stat.h> 39 40#include <pthread.h> 41 42#include <sys/mman.h> 43 44#include <sys/atomics.h> 45 46/* special private C library header - see Android.mk */ 47#include <bionic_tls.h> 48 49#include "linker.h" 50#include "linker_debug.h" 51 52#include "ba.h" 53 54#define SO_MAX 96 55 56/* Assume average path length of 64 and max 8 paths */ 57#define LDPATH_BUFSIZE 512 58#define LDPATH_MAX 8 59 60/* >>> IMPORTANT NOTE - READ ME BEFORE MODIFYING <<< 61 * 62 * Do NOT use malloc() and friends or pthread_*() code here. 63 * Don't use printf() either; it's caused mysterious memory 64 * corruption in the past. 65 * The linker runs before we bring up libc and it's easiest 66 * to make sure it does not depend on any complex libc features 67 * 68 * open issues / todo: 69 * 70 * - should we do anything special for STB_WEAK symbols? 71 * - are we doing everything we should for ARM_COPY relocations? 72 * - cleaner error reporting 73 * - after linking, set as much stuff as possible to READONLY 74 * and NOEXEC 75 * - linker hardcodes PAGE_SIZE and PAGE_MASK because the kernel 76 * headers provide versions that are negative... 77 * - allocate space for soinfo structs dynamically instead of 78 * having a hard limit (64) 79 * 80 * features to add someday: 81 * 82 * - dlopen() and friends 83 * 84*/ 85 86 87static int link_image(soinfo *si, unsigned wr_offset); 88 89static int socount = 0; 90static soinfo sopool[SO_MAX]; 91static soinfo *freelist = NULL; 92static soinfo *solist = &libdl_info; 93static soinfo *sonext = &libdl_info; 94 95static char ldpaths_buf[LDPATH_BUFSIZE]; 96static const char *ldpaths[LDPATH_MAX + 1]; 97 98int debug_verbosity; 99static int pid; 100 101#if STATS 102struct _link_stats linker_stats; 103#endif 104 105#if COUNT_PAGES 106unsigned bitmask[4096]; 107#endif 108 109#ifndef PT_ARM_EXIDX 110#define PT_ARM_EXIDX 0x70000001 /* .ARM.exidx segment */ 111#endif 112 113#define HOODLUM(name, ret, ...) \ 114 ret name __VA_ARGS__ \ 115 { \ 116 char errstr[] = "ERROR: " #name " called from the dynamic linker!\n"; \ 117 write(2, errstr, sizeof(errstr)); \ 118 abort(); \ 119 } 120HOODLUM(malloc, void *, (size_t size)); 121HOODLUM(free, void, (void *ptr)); 122HOODLUM(realloc, void *, (void *ptr, size_t size)); 123HOODLUM(calloc, void *, (size_t cnt, size_t size)); 124 125static char tmp_err_buf[768]; 126static char __linker_dl_err_buf[768]; 127#define DL_ERR(fmt, x...) \ 128 do { \ 129 snprintf(__linker_dl_err_buf, sizeof(__linker_dl_err_buf), \ 130 "%s[%d]: " fmt, __func__, __LINE__, ##x); \ 131 ERROR(fmt, ##x); \ 132 } while(0) 133 134const char *linker_get_error(void) 135{ 136 return (const char *)&__linker_dl_err_buf[0]; 137} 138 139/* 140 * This function is an empty stub where GDB locates a breakpoint to get notified 141 * about linker activity. 142 */ 143extern void __attribute__((noinline)) rtld_db_dlactivity(void); 144 145static struct r_debug _r_debug = {1, NULL, &rtld_db_dlactivity, 146 RT_CONSISTENT, 0}; 147static struct link_map *r_debug_tail = 0; 148 149static pthread_mutex_t _r_debug_lock = PTHREAD_MUTEX_INITIALIZER; 150 151static void insert_soinfo_into_debug_map(soinfo * info) 152{ 153 struct link_map * map; 154 155 /* Copy the necessary fields into the debug structure. 156 */ 157 map = &(info->linkmap); 158 map->l_addr = info->base; 159 map->l_name = (char*) info->name; 160 161 /* Stick the new library at the end of the list. 162 * gdb tends to care more about libc than it does 163 * about leaf libraries, and ordering it this way 164 * reduces the back-and-forth over the wire. 165 */ 166 if (r_debug_tail) { 167 r_debug_tail->l_next = map; 168 map->l_prev = r_debug_tail; 169 map->l_next = 0; 170 } else { 171 _r_debug.r_map = map; 172 map->l_prev = 0; 173 map->l_next = 0; 174 } 175 r_debug_tail = map; 176} 177 178static void remove_soinfo_from_debug_map(soinfo * info) 179{ 180 struct link_map * map = &(info->linkmap); 181 182 if (r_debug_tail == map) 183 r_debug_tail = map->l_prev; 184 185 if (map->l_prev) map->l_prev->l_next = map->l_next; 186 if (map->l_next) map->l_next->l_prev = map->l_prev; 187} 188 189void notify_gdb_of_load(soinfo * info) 190{ 191 if (info->flags & FLAG_EXE) { 192 // GDB already knows about the main executable 193 return; 194 } 195 196 pthread_mutex_lock(&_r_debug_lock); 197 198 _r_debug.r_state = RT_ADD; 199 rtld_db_dlactivity(); 200 201 insert_soinfo_into_debug_map(info); 202 203 _r_debug.r_state = RT_CONSISTENT; 204 rtld_db_dlactivity(); 205 206 pthread_mutex_unlock(&_r_debug_lock); 207} 208 209void notify_gdb_of_unload(soinfo * info) 210{ 211 if (info->flags & FLAG_EXE) { 212 // GDB already knows about the main executable 213 return; 214 } 215 216 pthread_mutex_lock(&_r_debug_lock); 217 218 _r_debug.r_state = RT_DELETE; 219 rtld_db_dlactivity(); 220 221 remove_soinfo_from_debug_map(info); 222 223 _r_debug.r_state = RT_CONSISTENT; 224 rtld_db_dlactivity(); 225 226 pthread_mutex_unlock(&_r_debug_lock); 227} 228 229void notify_gdb_of_libraries() 230{ 231 _r_debug.r_state = RT_ADD; 232 rtld_db_dlactivity(); 233 _r_debug.r_state = RT_CONSISTENT; 234 rtld_db_dlactivity(); 235} 236 237static soinfo *alloc_info(const char *name) 238{ 239 soinfo *si; 240 241 if(strlen(name) >= SOINFO_NAME_LEN) { 242 DL_ERR("%5d library name %s too long\n", pid, name); 243 return 0; 244 } 245 246 /* The freelist is populated when we call free_info(), which in turn is 247 done only by dlclose(), which is not likely to be used. 248 */ 249 if (!freelist) { 250 if(socount == SO_MAX) { 251 DL_ERR("%5d too many libraries when loading %s\n", pid, name); 252 return NULL; 253 } 254 freelist = sopool + socount++; 255 freelist->next = NULL; 256 } 257 258 si = freelist; 259 freelist = freelist->next; 260 261 /* Make sure we get a clean block of soinfo */ 262 memset(si, 0, sizeof(soinfo)); 263 strcpy((char*) si->name, name); 264 sonext->next = si; 265 si->ba_index = -1; /* by default, prelinked */ 266 si->next = NULL; 267 si->refcount = 0; 268 sonext = si; 269 270 TRACE("%5d name %s: allocated soinfo @ %p\n", pid, name, si); 271 return si; 272} 273 274static void free_info(soinfo *si) 275{ 276 soinfo *prev = NULL, *trav; 277 278 TRACE("%5d name %s: freeing soinfo @ %p\n", pid, si->name, si); 279 280 for(trav = solist; trav != NULL; trav = trav->next){ 281 if (trav == si) 282 break; 283 prev = trav; 284 } 285 if (trav == NULL) { 286 /* si was not ni solist */ 287 DL_ERR("%5d name %s is not in solist!\n", pid, si->name); 288 return; 289 } 290 291 /* prev will never be NULL, because the first entry in solist is 292 always the static libdl_info. 293 */ 294 prev->next = si->next; 295 if (si == sonext) sonext = prev; 296 si->next = freelist; 297 freelist = si; 298} 299 300#ifndef LINKER_TEXT_BASE 301#error "linker's makefile must define LINKER_TEXT_BASE" 302#endif 303#ifndef LINKER_AREA_SIZE 304#error "linker's makefile must define LINKER_AREA_SIZE" 305#endif 306#define LINKER_BASE ((LINKER_TEXT_BASE) & 0xfff00000) 307#define LINKER_TOP (LINKER_BASE + (LINKER_AREA_SIZE)) 308 309const char *addr_to_name(unsigned addr) 310{ 311 soinfo *si; 312 313 for(si = solist; si != 0; si = si->next){ 314 if((addr >= si->base) && (addr < (si->base + si->size))) { 315 return si->name; 316 } 317 } 318 319 if((addr >= LINKER_BASE) && (addr < LINKER_TOP)){ 320 return "linker"; 321 } 322 323 return ""; 324} 325 326/* For a given PC, find the .so that it belongs to. 327 * Returns the base address of the .ARM.exidx section 328 * for that .so, and the number of 8-byte entries 329 * in that section (via *pcount). 330 * 331 * Intended to be called by libc's __gnu_Unwind_Find_exidx(). 332 * 333 * This function is exposed via dlfcn.c and libdl.so. 334 */ 335#ifdef ANDROID_ARM_LINKER 336_Unwind_Ptr dl_unwind_find_exidx(_Unwind_Ptr pc, int *pcount) 337{ 338 soinfo *si; 339 unsigned addr = (unsigned)pc; 340 341 if ((addr < LINKER_BASE) || (addr >= LINKER_TOP)) { 342 for (si = solist; si != 0; si = si->next){ 343 if ((addr >= si->base) && (addr < (si->base + si->size))) { 344 *pcount = si->ARM_exidx_count; 345 return (_Unwind_Ptr)(si->base + (unsigned long)si->ARM_exidx); 346 } 347 } 348 } 349 *pcount = 0; 350 return NULL; 351} 352#elif defined(ANDROID_X86_LINKER) 353/* Here, we only have to provide a callback to iterate across all the 354 * loaded libraries. gcc_eh does the rest. */ 355int 356dl_iterate_phdr(int (*cb)(struct dl_phdr_info *info, size_t size, void *data), 357 void *data) 358{ 359 soinfo *si; 360 struct dl_phdr_info dl_info; 361 int rv = 0; 362 363 for (si = solist; si != NULL; si = si->next) { 364 dl_info.dlpi_addr = si->linkmap.l_addr; 365 dl_info.dlpi_name = si->linkmap.l_name; 366 dl_info.dlpi_phdr = si->phdr; 367 dl_info.dlpi_phnum = si->phnum; 368 rv = cb(&dl_info, sizeof (struct dl_phdr_info), data); 369 if (rv != 0) 370 break; 371 } 372 return rv; 373} 374#endif 375 376static Elf32_Sym *_elf_lookup(soinfo *si, unsigned hash, const char *name) 377{ 378 Elf32_Sym *s; 379 Elf32_Sym *symtab = si->symtab; 380 const char *strtab = si->strtab; 381 unsigned n; 382 383 TRACE_TYPE(LOOKUP, "%5d SEARCH %s in %s@0x%08x %08x %d\n", pid, 384 name, si->name, si->base, hash, hash % si->nbucket); 385 n = hash % si->nbucket; 386 387 for(n = si->bucket[hash % si->nbucket]; n != 0; n = si->chain[n]){ 388 s = symtab + n; 389 if(strcmp(strtab + s->st_name, name)) continue; 390 391 /* only concern ourselves with global symbols */ 392 switch(ELF32_ST_BIND(s->st_info)){ 393 case STB_GLOBAL: 394 /* no section == undefined */ 395 if(s->st_shndx == 0) continue; 396 397 case STB_WEAK: 398 TRACE_TYPE(LOOKUP, "%5d FOUND %s in %s (%08x) %d\n", pid, 399 name, si->name, s->st_value, s->st_size); 400 return s; 401 } 402 } 403 404 return 0; 405} 406 407static unsigned elfhash(const char *_name) 408{ 409 const unsigned char *name = (const unsigned char *) _name; 410 unsigned h = 0, g; 411 412 while(*name) { 413 h = (h << 4) + *name++; 414 g = h & 0xf0000000; 415 h ^= g; 416 h ^= g >> 24; 417 } 418 return h; 419} 420 421static Elf32_Sym * 422_do_lookup_in_so(soinfo *si, const char *name, unsigned *elf_hash) 423{ 424 if (*elf_hash == 0) 425 *elf_hash = elfhash(name); 426 return _elf_lookup (si, *elf_hash, name); 427} 428 429/* This is used by dl_sym() */ 430Elf32_Sym *lookup_in_library(soinfo *si, const char *name) 431{ 432 unsigned unused = 0; 433 return _do_lookup_in_so(si, name, &unused); 434} 435 436static Elf32_Sym * 437_do_lookup(soinfo *user_si, const char *name, unsigned *base) 438{ 439 unsigned elf_hash = 0; 440 Elf32_Sym *s = NULL; 441 soinfo *si; 442 443 /* Look for symbols in the local scope first (the object who is 444 * searching). This happens with C++ templates on i386 for some 445 * reason. */ 446 if (user_si) { 447 s = _do_lookup_in_so(user_si, name, &elf_hash); 448 if (s != NULL) 449 *base = user_si->base; 450 } 451 452 for(si = solist; (s == NULL) && (si != NULL); si = si->next) 453 { 454 if((si->flags & FLAG_ERROR) || (si == user_si)) 455 continue; 456 s = _do_lookup_in_so(si, name, &elf_hash); 457 if (s != NULL) { 458 *base = si->base; 459 break; 460 } 461 } 462 463 if (s != NULL) { 464 TRACE_TYPE(LOOKUP, "%5d %s s->st_value = 0x%08x, " 465 "si->base = 0x%08x\n", pid, name, s->st_value, si->base); 466 return s; 467 } 468 469 return 0; 470} 471 472/* This is used by dl_sym() */ 473Elf32_Sym *lookup(const char *name, unsigned *base) 474{ 475 return _do_lookup(NULL, name, base); 476} 477 478#if 0 479static void dump(soinfo *si) 480{ 481 Elf32_Sym *s = si->symtab; 482 unsigned n; 483 484 for(n = 0; n < si->nchain; n++) { 485 TRACE("%5d %04d> %08x: %02x %04x %08x %08x %s\n", pid, n, s, 486 s->st_info, s->st_shndx, s->st_value, s->st_size, 487 si->strtab + s->st_name); 488 s++; 489 } 490} 491#endif 492 493static const char *sopaths[] = { 494 "/system/lib", 495 "/lib", 496 0 497}; 498 499static int _open_lib(const char *name) 500{ 501 int fd; 502 struct stat filestat; 503 504 if ((stat(name, &filestat) >= 0) && S_ISREG(filestat.st_mode)) { 505 if ((fd = open(name, O_RDONLY)) >= 0) 506 return fd; 507 } 508 509 return -1; 510} 511 512static int open_library(const char *name) 513{ 514 int fd; 515 char buf[512]; 516 const char **path; 517 int n; 518 519 TRACE("[ %5d opening %s ]\n", pid, name); 520 521 if(name == 0) return -1; 522 if(strlen(name) > 256) return -1; 523 524 if ((name[0] == '/') && ((fd = _open_lib(name)) >= 0)) 525 return fd; 526 527 for (path = ldpaths; *path; path++) { 528 n = snprintf(buf, sizeof(buf), "%s/%s", *path, name); 529 if (n < 0 || n >= (int)sizeof(buf)) { 530 WARN("Ignoring very long library path: %s/%s\n", *path, name); 531 continue; 532 } 533 if ((fd = _open_lib(buf)) >= 0) 534 return fd; 535 } 536 for (path = sopaths; *path; path++) { 537 n = snprintf(buf, sizeof(buf), "%s/%s", *path, name); 538 if (n < 0 || n >= (int)sizeof(buf)) { 539 WARN("Ignoring very long library path: %s/%s\n", *path, name); 540 continue; 541 } 542 if ((fd = _open_lib(buf)) >= 0) 543 return fd; 544 } 545 546 return -1; 547} 548 549/* temporary space for holding the first page of the shared lib 550 * which contains the elf header (with the pht). */ 551static unsigned char __header[PAGE_SIZE]; 552 553typedef struct { 554 long mmap_addr; 555 char tag[4]; /* 'P', 'R', 'E', ' ' */ 556} prelink_info_t; 557 558/* Returns the requested base address if the library is prelinked, 559 * and 0 otherwise. */ 560static unsigned long 561is_prelinked(int fd, const char *name) 562{ 563 off_t sz; 564 prelink_info_t info; 565 566 sz = lseek(fd, -sizeof(prelink_info_t), SEEK_END); 567 if (sz < 0) { 568 DL_ERR("lseek() failed!\n"); 569 return 0; 570 } 571 572 if (read(fd, &info, sizeof(info)) != sizeof(info)) { 573 WARN("Could not read prelink_info_t structure for `%s`\n", name); 574 return 0; 575 } 576 577 if (strncmp(info.tag, "PRE ", 4)) { 578 WARN("`%s` is not a prelinked library\n", name); 579 return 0; 580 } 581 582 return (unsigned long)info.mmap_addr; 583} 584 585/* verify_elf_object 586 * Verifies if the object @ base is a valid ELF object 587 * 588 * Args: 589 * 590 * Returns: 591 * 0 on success 592 * -1 if no valid ELF object is found @ base. 593 */ 594static int 595verify_elf_object(void *base, const char *name) 596{ 597 Elf32_Ehdr *hdr = (Elf32_Ehdr *) base; 598 599 if (hdr->e_ident[EI_MAG0] != ELFMAG0) return -1; 600 if (hdr->e_ident[EI_MAG1] != ELFMAG1) return -1; 601 if (hdr->e_ident[EI_MAG2] != ELFMAG2) return -1; 602 if (hdr->e_ident[EI_MAG3] != ELFMAG3) return -1; 603 604 /* TODO: Should we verify anything else in the header? */ 605 606 return 0; 607} 608 609 610/* get_lib_extents 611 * Retrieves the base (*base) address where the ELF object should be 612 * mapped and its overall memory size (*total_sz). 613 * 614 * Args: 615 * fd: Opened file descriptor for the library 616 * name: The name of the library 617 * _hdr: Pointer to the header page of the library 618 * total_sz: Total size of the memory that should be allocated for 619 * this library 620 * 621 * Returns: 622 * -1 if there was an error while trying to get the lib extents. 623 * The possible reasons are: 624 * - Could not determine if the library was prelinked. 625 * - The library provided is not a valid ELF object 626 * 0 if the library did not request a specific base offset (normal 627 * for non-prelinked libs) 628 * > 0 if the library requests a specific address to be mapped to. 629 * This indicates a pre-linked library. 630 */ 631static unsigned 632get_lib_extents(int fd, const char *name, void *__hdr, unsigned *total_sz) 633{ 634 unsigned req_base; 635 unsigned min_vaddr = 0xffffffff; 636 unsigned max_vaddr = 0; 637 unsigned char *_hdr = (unsigned char *)__hdr; 638 Elf32_Ehdr *ehdr = (Elf32_Ehdr *)_hdr; 639 Elf32_Phdr *phdr; 640 int cnt; 641 642 TRACE("[ %5d Computing extents for '%s'. ]\n", pid, name); 643 if (verify_elf_object(_hdr, name) < 0) { 644 DL_ERR("%5d - %s is not a valid ELF object\n", pid, name); 645 return (unsigned)-1; 646 } 647 648 req_base = (unsigned) is_prelinked(fd, name); 649 if (req_base == (unsigned)-1) 650 return -1; 651 else if (req_base != 0) { 652 TRACE("[ %5d - Prelinked library '%s' requesting base @ 0x%08x ]\n", 653 pid, name, req_base); 654 } else { 655 TRACE("[ %5d - Non-prelinked library '%s' found. ]\n", pid, name); 656 } 657 658 phdr = (Elf32_Phdr *)(_hdr + ehdr->e_phoff); 659 660 /* find the min/max p_vaddrs from all the PT_LOAD segments so we can 661 * get the range. */ 662 for (cnt = 0; cnt < ehdr->e_phnum; ++cnt, ++phdr) { 663 if (phdr->p_type == PT_LOAD) { 664 if ((phdr->p_vaddr + phdr->p_memsz) > max_vaddr) 665 max_vaddr = phdr->p_vaddr + phdr->p_memsz; 666 if (phdr->p_vaddr < min_vaddr) 667 min_vaddr = phdr->p_vaddr; 668 } 669 } 670 671 if ((min_vaddr == 0xffffffff) && (max_vaddr == 0)) { 672 DL_ERR("%5d - No loadable segments found in %s.\n", pid, name); 673 return (unsigned)-1; 674 } 675 676 /* truncate min_vaddr down to page boundary */ 677 min_vaddr &= ~PAGE_MASK; 678 679 /* round max_vaddr up to the next page */ 680 max_vaddr = (max_vaddr + PAGE_SIZE - 1) & ~PAGE_MASK; 681 682 *total_sz = (max_vaddr - min_vaddr); 683 return (unsigned)req_base; 684} 685 686/* alloc_mem_region 687 * 688 * This function reserves a chunk of memory to be used for mapping in 689 * the shared library. We reserve the entire memory region here, and 690 * then the rest of the linker will relocate the individual loadable 691 * segments into the correct locations within this memory range. 692 * 693 * Args: 694 * si->base: The requested base of the allocation. If 0, a sane one will be 695 * chosen in the range LIBBASE <= base < LIBLAST. 696 * si->size: The size of the allocation. 697 * 698 * Returns: 699 * -1 on failure, and 0 on success. On success, si->base will contain 700 * the virtual address at which the library will be mapped. 701 */ 702 703static int reserve_mem_region(soinfo *si) 704{ 705 void *base = mmap((void *)si->base, si->size, PROT_READ | PROT_EXEC, 706 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 707 if (base == MAP_FAILED) { 708 DL_ERR("%5d can NOT map (%sprelinked) library '%s' at 0x%08x " 709 "as requested, will try general pool: %d (%s)\n", 710 pid, (si->base ? "" : "non-"), si->name, si->base, 711 errno, strerror(errno)); 712 return -1; 713 } else if (base != (void *)si->base) { 714 DL_ERR("OOPS: %5d %sprelinked library '%s' mapped at 0x%08x, " 715 "not at 0x%08x\n", pid, (si->base ? "" : "non-"), 716 si->name, (unsigned)base, si->base); 717 munmap(base, si->size); 718 return -1; 719 } 720 return 0; 721} 722 723static int 724alloc_mem_region(soinfo *si) 725{ 726 if (si->base) { 727 /* Attempt to mmap a prelinked library. */ 728 si->ba_index = -1; 729 return reserve_mem_region(si); 730 } 731 732 /* This is not a prelinked library, so we attempt to allocate space 733 for it from the buddy allocator, which manages the area between 734 LIBBASE and LIBLAST. 735 */ 736 si->ba_index = ba_allocate(si->size); 737 if(si->ba_index >= 0) { 738 si->base = ba_start_addr(si->ba_index); 739 PRINT("%5d mapping library '%s' at %08x (index %d) " \ 740 "through buddy allocator.\n", 741 pid, si->name, si->base, si->ba_index); 742 if (reserve_mem_region(si) < 0) { 743 ba_free(si->ba_index); 744 si->ba_index = -1; 745 si->base = 0; 746 goto err; 747 } 748 return 0; 749 } 750 751err: 752 DL_ERR("OOPS: %5d cannot map library '%s'. no vspace available.\n", 753 pid, si->name); 754 return -1; 755} 756 757#define MAYBE_MAP_FLAG(x,from,to) (((x) & (from)) ? (to) : 0) 758#define PFLAGS_TO_PROT(x) (MAYBE_MAP_FLAG((x), PF_X, PROT_EXEC) | \ 759 MAYBE_MAP_FLAG((x), PF_R, PROT_READ) | \ 760 MAYBE_MAP_FLAG((x), PF_W, PROT_WRITE)) 761/* load_segments 762 * 763 * This function loads all the loadable (PT_LOAD) segments into memory 764 * at their appropriate memory offsets off the base address. 765 * 766 * Args: 767 * fd: Open file descriptor to the library to load. 768 * header: Pointer to a header page that contains the ELF header. 769 * This is needed since we haven't mapped in the real file yet. 770 * si: ptr to soinfo struct describing the shared object. 771 * 772 * Returns: 773 * 0 on success, -1 on failure. 774 */ 775static int 776load_segments(int fd, void *header, soinfo *si) 777{ 778 Elf32_Ehdr *ehdr = (Elf32_Ehdr *)header; 779 Elf32_Phdr *phdr = (Elf32_Phdr *)((unsigned char *)header + ehdr->e_phoff); 780 unsigned char *base = (unsigned char *)si->base; 781 int cnt; 782 unsigned len; 783 unsigned char *tmp; 784 unsigned char *pbase; 785 unsigned char *extra_base; 786 unsigned extra_len; 787 unsigned total_sz = 0; 788 789 si->wrprotect_start = 0xffffffff; 790 si->wrprotect_end = 0; 791 792 TRACE("[ %5d - Begin loading segments for '%s' @ 0x%08x ]\n", 793 pid, si->name, (unsigned)si->base); 794 /* Now go through all the PT_LOAD segments and map them into memory 795 * at the appropriate locations. */ 796 for (cnt = 0; cnt < ehdr->e_phnum; ++cnt, ++phdr) { 797 if (phdr->p_type == PT_LOAD) { 798 DEBUG_DUMP_PHDR(phdr, "PT_LOAD", pid); 799 /* we want to map in the segment on a page boundary */ 800 tmp = base + (phdr->p_vaddr & (~PAGE_MASK)); 801 /* add the # of bytes we masked off above to the total length. */ 802 len = phdr->p_filesz + (phdr->p_vaddr & PAGE_MASK); 803 804 TRACE("[ %d - Trying to load segment from '%s' @ 0x%08x " 805 "(0x%08x). p_vaddr=0x%08x p_offset=0x%08x ]\n", pid, si->name, 806 (unsigned)tmp, len, phdr->p_vaddr, phdr->p_offset); 807 pbase = mmap(tmp, len, PFLAGS_TO_PROT(phdr->p_flags), 808 MAP_PRIVATE | MAP_FIXED, fd, 809 phdr->p_offset & (~PAGE_MASK)); 810 if (pbase == MAP_FAILED) { 811 DL_ERR("%d failed to map segment from '%s' @ 0x%08x (0x%08x). " 812 "p_vaddr=0x%08x p_offset=0x%08x\n", pid, si->name, 813 (unsigned)tmp, len, phdr->p_vaddr, phdr->p_offset); 814 goto fail; 815 } 816 817 /* If 'len' didn't end on page boundary, and it's a writable 818 * segment, zero-fill the rest. */ 819 if ((len & PAGE_MASK) && (phdr->p_flags & PF_W)) 820 memset((void *)(pbase + len), 0, PAGE_SIZE - (len & PAGE_MASK)); 821 822 /* Check to see if we need to extend the map for this segment to 823 * cover the diff between filesz and memsz (i.e. for bss). 824 * 825 * base _+---------------------+ page boundary 826 * . . 827 * | | 828 * . . 829 * pbase _+---------------------+ page boundary 830 * | | 831 * . . 832 * base + p_vaddr _| | 833 * . \ \ . 834 * . | filesz | . 835 * pbase + len _| / | | 836 * <0 pad> . . . 837 * extra_base _+------------|--------+ page boundary 838 * / . . . 839 * | . . . 840 * | +------------|--------+ page boundary 841 * extra_len-> | | | | 842 * | . | memsz . 843 * | . | . 844 * \ _| / | 845 * . . 846 * | | 847 * _+---------------------+ page boundary 848 */ 849 tmp = (unsigned char *)(((unsigned)pbase + len + PAGE_SIZE - 1) & 850 (~PAGE_MASK)); 851 if (tmp < (base + phdr->p_vaddr + phdr->p_memsz)) { 852 extra_len = base + phdr->p_vaddr + phdr->p_memsz - tmp; 853 TRACE("[ %5d - Need to extend segment from '%s' @ 0x%08x " 854 "(0x%08x) ]\n", pid, si->name, (unsigned)tmp, extra_len); 855 /* map in the extra page(s) as anonymous into the range. 856 * This is probably not necessary as we already mapped in 857 * the entire region previously, but we just want to be 858 * sure. This will also set the right flags on the region 859 * (though we can probably accomplish the same thing with 860 * mprotect). 861 */ 862 extra_base = mmap((void *)tmp, extra_len, 863 PFLAGS_TO_PROT(phdr->p_flags), 864 MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS, 865 -1, 0); 866 if (extra_base == MAP_FAILED) { 867 DL_ERR("[ %5d - failed to extend segment from '%s' @ 0x%08x" 868 " (0x%08x) ]\n", pid, si->name, (unsigned)tmp, 869 extra_len); 870 goto fail; 871 } 872 /* TODO: Check if we need to memset-0 this region. 873 * Anonymous mappings are zero-filled copy-on-writes, so we 874 * shouldn't need to. */ 875 TRACE("[ %5d - Segment from '%s' extended @ 0x%08x " 876 "(0x%08x)\n", pid, si->name, (unsigned)extra_base, 877 extra_len); 878 } 879 /* set the len here to show the full extent of the segment we 880 * just loaded, mostly for debugging */ 881 len = (((unsigned)base + phdr->p_vaddr + phdr->p_memsz + 882 PAGE_SIZE - 1) & (~PAGE_MASK)) - (unsigned)pbase; 883 TRACE("[ %5d - Successfully loaded segment from '%s' @ 0x%08x " 884 "(0x%08x). p_vaddr=0x%08x p_offset=0x%08x\n", pid, si->name, 885 (unsigned)pbase, len, phdr->p_vaddr, phdr->p_offset); 886 total_sz += len; 887 /* Make the section writable just in case we'll have to write to 888 * it during relocation (i.e. text segment). However, we will 889 * remember what range of addresses should be write protected. 890 * 891 */ 892 if (!(phdr->p_flags & PF_W)) { 893 if ((unsigned)pbase < si->wrprotect_start) 894 si->wrprotect_start = (unsigned)pbase; 895 if (((unsigned)pbase + len) > si->wrprotect_end) 896 si->wrprotect_end = (unsigned)pbase + len; 897 mprotect(pbase, len, 898 PFLAGS_TO_PROT(phdr->p_flags) | PROT_WRITE); 899 } 900 } else if (phdr->p_type == PT_DYNAMIC) { 901 DEBUG_DUMP_PHDR(phdr, "PT_DYNAMIC", pid); 902 /* this segment contains the dynamic linking information */ 903 si->dynamic = (unsigned *)(base + phdr->p_vaddr); 904 } else { 905#ifdef ANDROID_ARM_LINKER 906 if (phdr->p_type == PT_ARM_EXIDX) { 907 DEBUG_DUMP_PHDR(phdr, "PT_ARM_EXIDX", pid); 908 /* exidx entries (used for stack unwinding) are 8 bytes each. 909 */ 910 si->ARM_exidx = (unsigned *)phdr->p_vaddr; 911 si->ARM_exidx_count = phdr->p_memsz / 8; 912 } 913#endif 914 } 915 916 } 917 918 /* Sanity check */ 919 if (total_sz > si->size) { 920 DL_ERR("%5d - Total length (0x%08x) of mapped segments from '%s' is " 921 "greater than what was allocated (0x%08x). THIS IS BAD!\n", 922 pid, total_sz, si->name, si->size); 923 goto fail; 924 } 925 926 TRACE("[ %5d - Finish loading segments for '%s' @ 0x%08x. " 927 "Total memory footprint: 0x%08x bytes ]\n", pid, si->name, 928 (unsigned)si->base, si->size); 929 return 0; 930 931fail: 932 /* We can just blindly unmap the entire region even though some things 933 * were mapped in originally with anonymous and others could have been 934 * been mapped in from the file before we failed. The kernel will unmap 935 * all the pages in the range, irrespective of how they got there. 936 */ 937 munmap((void *)si->base, si->size); 938 si->flags |= FLAG_ERROR; 939 return -1; 940} 941 942/* TODO: Implement this to take care of the fact that Android ARM 943 * ELF objects shove everything into a single loadable segment that has the 944 * write bit set. wr_offset is then used to set non-(data|bss) pages to be 945 * non-writable. 946 */ 947#if 0 948static unsigned 949get_wr_offset(int fd, const char *name, Elf32_Ehdr *ehdr) 950{ 951 Elf32_Shdr *shdr_start; 952 Elf32_Shdr *shdr; 953 int shdr_sz = ehdr->e_shnum * sizeof(Elf32_Shdr); 954 int cnt; 955 unsigned wr_offset = 0xffffffff; 956 957 shdr_start = mmap(0, shdr_sz, PROT_READ, MAP_PRIVATE, fd, 958 ehdr->e_shoff & (~PAGE_MASK)); 959 if (shdr_start == MAP_FAILED) { 960 WARN("%5d - Could not read section header info from '%s'. Will not " 961 "not be able to determine write-protect offset.\n", pid, name); 962 return (unsigned)-1; 963 } 964 965 for(cnt = 0, shdr = shdr_start; cnt < ehdr->e_shnum; ++cnt, ++shdr) { 966 if ((shdr->sh_type != SHT_NULL) && (shdr->sh_flags & SHF_WRITE) && 967 (shdr->sh_addr < wr_offset)) { 968 wr_offset = shdr->sh_addr; 969 } 970 } 971 972 munmap(shdr_start, shdr_sz); 973 return wr_offset; 974} 975#endif 976 977static soinfo * 978load_library(const char *name) 979{ 980 int fd = open_library(name); 981 int cnt; 982 unsigned ext_sz; 983 unsigned req_base; 984 soinfo *si = NULL; 985 Elf32_Ehdr *hdr; 986 987 if(fd == -1) { 988 DL_ERR("Library '%s' not found\n", name); 989 return NULL; 990 } 991 992 /* We have to read the ELF header to figure out what to do with this image 993 */ 994 if (lseek(fd, 0, SEEK_SET) < 0) { 995 DL_ERR("lseek() failed!\n"); 996 goto fail; 997 } 998 999 if ((cnt = read(fd, &__header[0], PAGE_SIZE)) < 0) { 1000 DL_ERR("read() failed!\n"); 1001 goto fail; 1002 } 1003 1004 /* Parse the ELF header and get the size of the memory footprint for 1005 * the library */ 1006 req_base = get_lib_extents(fd, name, &__header[0], &ext_sz); 1007 if (req_base == (unsigned)-1) 1008 goto fail; 1009 TRACE("[ %5d - '%s' (%s) wants base=0x%08x sz=0x%08x ]\n", pid, name, 1010 (req_base ? "prelinked" : "not pre-linked"), req_base, ext_sz); 1011 1012 /* Now configure the soinfo struct where we'll store all of our data 1013 * for the ELF object. If the loading fails, we waste the entry, but 1014 * same thing would happen if we failed during linking. Configuring the 1015 * soinfo struct here is a lot more convenient. 1016 */ 1017 si = alloc_info(name); 1018 if (si == NULL) 1019 goto fail; 1020 1021 /* Carve out a chunk of memory where we will map in the individual 1022 * segments */ 1023 si->base = req_base; 1024 si->size = ext_sz; 1025 si->flags = 0; 1026 si->entry = 0; 1027 si->dynamic = (unsigned *)-1; 1028 if (alloc_mem_region(si) < 0) 1029 goto fail; 1030 1031 TRACE("[ %5d allocated memory for %s @ %p (0x%08x) ]\n", 1032 pid, name, (void *)si->base, (unsigned) ext_sz); 1033 1034 /* Now actually load the library's segments into right places in memory */ 1035 if (load_segments(fd, &__header[0], si) < 0) { 1036 if (si->ba_index >= 0) { 1037 ba_free(si->ba_index); 1038 si->ba_index = -1; 1039 } 1040 goto fail; 1041 } 1042 1043 /* this might not be right. Technically, we don't even need this info 1044 * once we go through 'load_segments'. */ 1045 hdr = (Elf32_Ehdr *)si->base; 1046 si->phdr = (Elf32_Phdr *)((unsigned char *)si->base + hdr->e_phoff); 1047 si->phnum = hdr->e_phnum; 1048 /**/ 1049 1050 close(fd); 1051 return si; 1052 1053fail: 1054 if (si) free_info(si); 1055 close(fd); 1056 return NULL; 1057} 1058 1059static soinfo * 1060init_library(soinfo *si) 1061{ 1062 unsigned wr_offset = 0xffffffff; 1063 1064 /* At this point we know that whatever is loaded @ base is a valid ELF 1065 * shared library whose segments are properly mapped in. */ 1066 TRACE("[ %5d init_library base=0x%08x sz=0x%08x name='%s') ]\n", 1067 pid, si->base, si->size, si->name); 1068 1069 if (si->base < LIBBASE || si->base >= LIBLAST) 1070 si->flags |= FLAG_PRELINKED; 1071 1072 if(link_image(si, wr_offset)) { 1073 /* We failed to link. However, we can only restore libbase 1074 ** if no additional libraries have moved it since we updated it. 1075 */ 1076 munmap((void *)si->base, si->size); 1077 return NULL; 1078 } 1079 1080 return si; 1081} 1082 1083soinfo *find_library(const char *name) 1084{ 1085 soinfo *si; 1086 1087 for(si = solist; si != 0; si = si->next){ 1088 if(!strcmp(name, si->name)) { 1089 if(si->flags & FLAG_ERROR) return 0; 1090 if(si->flags & FLAG_LINKED) return si; 1091 DL_ERR("OOPS: %5d recursive link to '%s'\n", pid, si->name); 1092 return NULL; 1093 } 1094 } 1095 1096 TRACE("[ %5d '%s' has not been loaded yet. Locating...]\n", pid, name); 1097 si = load_library(name); 1098 if(si == NULL) 1099 return NULL; 1100 return init_library(si); 1101} 1102 1103/* TODO: 1104 * notify gdb of unload 1105 * for non-prelinked libraries, find a way to decrement libbase 1106 */ 1107static void call_destructors(soinfo *si); 1108unsigned unload_library(soinfo *si) 1109{ 1110 unsigned *d; 1111 if (si->refcount == 1) { 1112 TRACE("%5d unloading '%s'\n", pid, si->name); 1113 call_destructors(si); 1114 1115 for(d = si->dynamic; *d; d += 2) { 1116 if(d[0] == DT_NEEDED){ 1117 TRACE("%5d %s needs to unload %s\n", pid, 1118 si->name, si->strtab + d[1]); 1119 soinfo *lsi = find_library(si->strtab + d[1]); 1120 if(lsi) 1121 unload_library(lsi); 1122 else 1123 DL_ERR("%5d could not unload '%s'\n", 1124 pid, si->strtab + d[1]); 1125 } 1126 } 1127 1128 munmap((char *)si->base, si->size); 1129 if (si->ba_index >= 0) { 1130 PRINT("%5d releasing library '%s' address space at %08x "\ 1131 "through buddy allocator.\n", 1132 pid, si->name, si->base); 1133 ba_free(si->ba_index); 1134 } 1135 notify_gdb_of_unload(si); 1136 free_info(si); 1137 si->refcount = 0; 1138 } 1139 else { 1140 si->refcount--; 1141 PRINT("%5d not unloading '%s', decrementing refcount to %d\n", 1142 pid, si->name, si->refcount); 1143 } 1144 return si->refcount; 1145} 1146 1147/* TODO: don't use unsigned for addrs below. It works, but is not 1148 * ideal. They should probably be either uint32_t, Elf32_Addr, or unsigned 1149 * long. 1150 */ 1151static int reloc_library(soinfo *si, Elf32_Rel *rel, unsigned count) 1152{ 1153 Elf32_Sym *symtab = si->symtab; 1154 const char *strtab = si->strtab; 1155 Elf32_Sym *s; 1156 unsigned base; 1157 Elf32_Rel *start = rel; 1158 unsigned idx; 1159 1160 for (idx = 0; idx < count; ++idx) { 1161 unsigned type = ELF32_R_TYPE(rel->r_info); 1162 unsigned sym = ELF32_R_SYM(rel->r_info); 1163 unsigned reloc = (unsigned)(rel->r_offset + si->base); 1164 unsigned sym_addr = 0; 1165 char *sym_name = NULL; 1166 1167 DEBUG("%5d Processing '%s' relocation at index %d\n", pid, 1168 si->name, idx); 1169 if(sym != 0) { 1170 sym_name = (char *)(strtab + symtab[sym].st_name); 1171 s = _do_lookup(si, sym_name, &base); 1172 if(s == 0) { 1173 DL_ERR("%5d cannot locate '%s'...\n", pid, sym_name); 1174 return -1; 1175 } 1176#if 0 1177 if((base == 0) && (si->base != 0)){ 1178 /* linking from libraries to main image is bad */ 1179 DL_ERR("%5d cannot locate '%s'...\n", 1180 pid, strtab + symtab[sym].st_name); 1181 return -1; 1182 } 1183#endif 1184 if ((s->st_shndx == SHN_UNDEF) && (s->st_value != 0)) { 1185 DL_ERR("%5d In '%s', shndx=%d && value=0x%08x. We do not " 1186 "handle this yet\n", pid, si->name, s->st_shndx, 1187 s->st_value); 1188 return -1; 1189 } 1190 sym_addr = (unsigned)(s->st_value + base); 1191 COUNT_RELOC(RELOC_SYMBOL); 1192 } else { 1193 s = 0; 1194 } 1195 1196/* TODO: This is ugly. Split up the relocations by arch into 1197 * different files. 1198 */ 1199 switch(type){ 1200#if defined(ANDROID_ARM_LINKER) 1201 case R_ARM_JUMP_SLOT: 1202 COUNT_RELOC(RELOC_ABSOLUTE); 1203 MARK(rel->r_offset); 1204 TRACE_TYPE(RELO, "%5d RELO JMP_SLOT %08x <- %08x %s\n", pid, 1205 reloc, sym_addr, sym_name); 1206 *((unsigned*)reloc) = sym_addr; 1207 break; 1208 case R_ARM_GLOB_DAT: 1209 COUNT_RELOC(RELOC_ABSOLUTE); 1210 MARK(rel->r_offset); 1211 TRACE_TYPE(RELO, "%5d RELO GLOB_DAT %08x <- %08x %s\n", pid, 1212 reloc, sym_addr, sym_name); 1213 *((unsigned*)reloc) = sym_addr; 1214 break; 1215 case R_ARM_ABS32: 1216 COUNT_RELOC(RELOC_ABSOLUTE); 1217 MARK(rel->r_offset); 1218 TRACE_TYPE(RELO, "%5d RELO ABS %08x <- %08x %s\n", pid, 1219 reloc, sym_addr, sym_name); 1220 *((unsigned*)reloc) += sym_addr; 1221 break; 1222#elif defined(ANDROID_X86_LINKER) 1223 case R_386_JUMP_SLOT: 1224 COUNT_RELOC(RELOC_ABSOLUTE); 1225 MARK(rel->r_offset); 1226 TRACE_TYPE(RELO, "%5d RELO JMP_SLOT %08x <- %08x %s\n", pid, 1227 reloc, sym_addr, sym_name); 1228 *((unsigned*)reloc) = sym_addr; 1229 break; 1230 case R_386_GLOB_DAT: 1231 COUNT_RELOC(RELOC_ABSOLUTE); 1232 MARK(rel->r_offset); 1233 TRACE_TYPE(RELO, "%5d RELO GLOB_DAT %08x <- %08x %s\n", pid, 1234 reloc, sym_addr, sym_name); 1235 *((unsigned*)reloc) = sym_addr; 1236 break; 1237#endif /* ANDROID_*_LINKER */ 1238 1239#if defined(ANDROID_ARM_LINKER) 1240 case R_ARM_RELATIVE: 1241#elif defined(ANDROID_X86_LINKER) 1242 case R_386_RELATIVE: 1243#endif /* ANDROID_*_LINKER */ 1244 COUNT_RELOC(RELOC_RELATIVE); 1245 MARK(rel->r_offset); 1246 if(sym){ 1247 DL_ERR("%5d odd RELATIVE form...\n", pid); 1248 return -1; 1249 } 1250 TRACE_TYPE(RELO, "%5d RELO RELATIVE %08x <- +%08x\n", pid, 1251 reloc, si->base); 1252 *((unsigned*)reloc) += si->base; 1253 break; 1254 1255#if defined(ANDROID_X86_LINKER) 1256 case R_386_32: 1257 COUNT_RELOC(RELOC_RELATIVE); 1258 MARK(rel->r_offset); 1259 1260 TRACE_TYPE(RELO, "%5d RELO R_386_32 %08x <- +%08x %s\n", pid, 1261 reloc, sym_addr, sym_name); 1262 *((unsigned *)reloc) += (unsigned)sym_addr; 1263 break; 1264 1265 case R_386_PC32: 1266 COUNT_RELOC(RELOC_RELATIVE); 1267 MARK(rel->r_offset); 1268 TRACE_TYPE(RELO, "%5d RELO R_386_PC32 %08x <- " 1269 "+%08x (%08x - %08x) %s\n", pid, reloc, 1270 (sym_addr - reloc), sym_addr, reloc, sym_name); 1271 *((unsigned *)reloc) += (unsigned)(sym_addr - reloc); 1272 break; 1273#endif /* ANDROID_X86_LINKER */ 1274 1275#ifdef ANDROID_ARM_LINKER 1276 case R_ARM_COPY: 1277 COUNT_RELOC(RELOC_COPY); 1278 MARK(rel->r_offset); 1279 TRACE_TYPE(RELO, "%5d RELO %08x <- %d @ %08x %s\n", pid, 1280 reloc, s->st_size, sym_addr, sym_name); 1281 memcpy((void*)reloc, (void*)sym_addr, s->st_size); 1282 break; 1283 case R_ARM_NONE: 1284 break; 1285#endif /* ANDROID_ARM_LINKER */ 1286 1287 default: 1288 DL_ERR("%5d unknown reloc type %d @ %p (%d)\n", 1289 pid, type, rel, (int) (rel - start)); 1290 return -1; 1291 } 1292 rel++; 1293 } 1294 return 0; 1295} 1296 1297 1298/* Please read the "Initialization and Termination functions" functions. 1299 * of the linker design note in bionic/linker/README.TXT to understand 1300 * what the following code is doing. 1301 * 1302 * The important things to remember are: 1303 * 1304 * DT_PREINIT_ARRAY must be called first for executables, and should 1305 * not appear in shared libraries. 1306 * 1307 * DT_INIT should be called before DT_INIT_ARRAY if both are present 1308 * 1309 * DT_FINI should be called after DT_FINI_ARRAY if both are present 1310 * 1311 * DT_FINI_ARRAY must be parsed in reverse order. 1312 */ 1313 1314static void call_array(unsigned *ctor, int count, int reverse) 1315{ 1316 int n, inc = 1; 1317 1318 if (reverse) { 1319 ctor += (count-1); 1320 inc = -1; 1321 } 1322 1323 for(n = count; n > 0; n--) { 1324 TRACE("[ %5d Looking at %s *0x%08x == 0x%08x ]\n", pid, 1325 reverse ? "dtor" : "ctor", 1326 (unsigned)ctor, (unsigned)*ctor); 1327 void (*func)() = (void (*)()) *ctor; 1328 ctor += inc; 1329 if(((int) func == 0) || ((int) func == -1)) continue; 1330 TRACE("[ %5d Calling func @ 0x%08x ]\n", pid, (unsigned)func); 1331 func(); 1332 } 1333} 1334 1335static void call_constructors(soinfo *si) 1336{ 1337 if (si->flags & FLAG_EXE) { 1338 TRACE("[ %5d Calling preinit_array @ 0x%08x [%d] for '%s' ]\n", 1339 pid, (unsigned)si->preinit_array, si->preinit_array_count, 1340 si->name); 1341 call_array(si->preinit_array, si->preinit_array_count, 0); 1342 TRACE("[ %5d Done calling preinit_array for '%s' ]\n", pid, si->name); 1343 } else { 1344 if (si->preinit_array) { 1345 DL_ERR("%5d Shared library '%s' has a preinit_array table @ 0x%08x." 1346 " This is INVALID.\n", pid, si->name, 1347 (unsigned)si->preinit_array); 1348 } 1349 } 1350 1351 if (si->init_func) { 1352 TRACE("[ %5d Calling init_func @ 0x%08x for '%s' ]\n", pid, 1353 (unsigned)si->init_func, si->name); 1354 si->init_func(); 1355 TRACE("[ %5d Done calling init_func for '%s' ]\n", pid, si->name); 1356 } 1357 1358 if (si->init_array) { 1359 TRACE("[ %5d Calling init_array @ 0x%08x [%d] for '%s' ]\n", pid, 1360 (unsigned)si->init_array, si->init_array_count, si->name); 1361 call_array(si->init_array, si->init_array_count, 0); 1362 TRACE("[ %5d Done calling init_array for '%s' ]\n", pid, si->name); 1363 } 1364} 1365 1366 1367static void call_destructors(soinfo *si) 1368{ 1369 if (si->fini_array) { 1370 TRACE("[ %5d Calling fini_array @ 0x%08x [%d] for '%s' ]\n", pid, 1371 (unsigned)si->fini_array, si->fini_array_count, si->name); 1372 call_array(si->fini_array, si->fini_array_count, 1); 1373 TRACE("[ %5d Done calling fini_array for '%s' ]\n", pid, si->name); 1374 } 1375 1376 if (si->fini_func) { 1377 TRACE("[ %5d Calling fini_func @ 0x%08x for '%s' ]\n", pid, 1378 (unsigned)si->fini_func, si->name); 1379 si->fini_func(); 1380 TRACE("[ %5d Done calling fini_func for '%s' ]\n", pid, si->name); 1381 } 1382} 1383 1384/* Force any of the closed stdin, stdout and stderr to be associated with 1385 /dev/null. */ 1386static int nullify_closed_stdio (void) 1387{ 1388 int dev_null, i, status; 1389 int return_value = 0; 1390 1391 dev_null = open("/dev/null", O_RDWR); 1392 if (dev_null < 0) { 1393 DL_ERR("Cannot open /dev/null.\n"); 1394 return -1; 1395 } 1396 TRACE("[ %5d Opened /dev/null file-descriptor=%d]\n", pid, dev_null); 1397 1398 /* If any of the stdio file descriptors is valid and not associated 1399 with /dev/null, dup /dev/null to it. */ 1400 for (i = 0; i < 3; i++) { 1401 /* If it is /dev/null already, we are done. */ 1402 if (i == dev_null) 1403 continue; 1404 1405 TRACE("[ %5d Nullifying stdio file descriptor %d]\n", pid, i); 1406 /* The man page of fcntl does not say that fcntl(..,F_GETFL) 1407 can be interrupted but we do this just to be safe. */ 1408 do { 1409 status = fcntl(i, F_GETFL); 1410 } while (status < 0 && errno == EINTR); 1411 1412 /* If file is openned, we are good. */ 1413 if (status >= 0) 1414 continue; 1415 1416 /* The only error we allow is that the file descriptor does not 1417 exist, in which case we dup /dev/null to it. */ 1418 if (errno != EBADF) { 1419 DL_ERR("nullify_stdio: unhandled error %s\n", strerror(errno)); 1420 return_value = -1; 1421 continue; 1422 } 1423 1424 /* Try dupping /dev/null to this stdio file descriptor and 1425 repeat if there is a signal. Note that any errors in closing 1426 the stdio descriptor are lost. */ 1427 do { 1428 status = dup2(dev_null, i); 1429 } while (status < 0 && errno == EINTR); 1430 1431 if (status < 0) { 1432 DL_ERR("nullify_stdio: dup2 error %s\n", strerror(errno)); 1433 return_value = -1; 1434 continue; 1435 } 1436 } 1437 1438 /* If /dev/null is not one of the stdio file descriptors, close it. */ 1439 if (dev_null > 2) { 1440 TRACE("[ %5d Closing /dev/null file-descriptor=%d]\n", pid, dev_null); 1441 do { 1442 status = close(dev_null); 1443 } while (status < 0 && errno == EINTR); 1444 1445 if (status < 0) { 1446 DL_ERR("nullify_stdio: close error %s\n", strerror(errno)); 1447 return_value = -1; 1448 } 1449 } 1450 1451 return return_value; 1452} 1453 1454static int link_image(soinfo *si, unsigned wr_offset) 1455{ 1456 unsigned *d; 1457 Elf32_Phdr *phdr = si->phdr; 1458 int phnum = si->phnum; 1459 1460 INFO("[ %5d linking %s ]\n", pid, si->name); 1461 DEBUG("%5d si->base = 0x%08x si->flags = 0x%08x\n", pid, 1462 si->base, si->flags); 1463 1464 if (si->flags & FLAG_EXE) { 1465 /* Locate the needed program segments (DYNAMIC/ARM_EXIDX) for 1466 * linkage info if this is the executable. If this was a 1467 * dynamic lib, that would have been done at load time. 1468 * 1469 * TODO: It's unfortunate that small pieces of this are 1470 * repeated from the load_library routine. Refactor this just 1471 * slightly to reuse these bits. 1472 */ 1473 si->size = 0; 1474 for(; phnum > 0; --phnum, ++phdr) { 1475#ifdef ANDROID_ARM_LINKER 1476 if(phdr->p_type == PT_ARM_EXIDX) { 1477 /* exidx entries (used for stack unwinding) are 8 bytes each. 1478 */ 1479 si->ARM_exidx = (unsigned *)phdr->p_vaddr; 1480 si->ARM_exidx_count = phdr->p_memsz / 8; 1481 } 1482#endif 1483 if (phdr->p_type == PT_LOAD) { 1484 /* For the executable, we use the si->size field only in 1485 dl_unwind_find_exidx(), so the meaning of si->size 1486 is not the size of the executable; it is the last 1487 virtual address of the loadable part of the executable; 1488 since si->base == 0 for an executable, we use the 1489 range [0, si->size) to determine whether a PC value 1490 falls within the executable section. Of course, if 1491 a value is below phdr->p_vaddr, it's not in the 1492 executable section, but a) we shouldn't be asking for 1493 such a value anyway, and b) if we have to provide 1494 an EXIDX for such a value, then the executable's 1495 EXIDX is probably the better choice. 1496 */ 1497 DEBUG_DUMP_PHDR(phdr, "PT_LOAD", pid); 1498 if (phdr->p_vaddr + phdr->p_memsz > si->size) 1499 si->size = phdr->p_vaddr + phdr->p_memsz; 1500 /* try to remember what range of addresses should be write 1501 * protected */ 1502 if (!(phdr->p_flags & PF_W)) { 1503 unsigned _end; 1504 1505 if (phdr->p_vaddr < si->wrprotect_start) 1506 si->wrprotect_start = phdr->p_vaddr; 1507 _end = (((phdr->p_vaddr + phdr->p_memsz + PAGE_SIZE - 1) & 1508 (~PAGE_MASK))); 1509 if (_end > si->wrprotect_end) 1510 si->wrprotect_end = _end; 1511 } 1512 } else if (phdr->p_type == PT_DYNAMIC) { 1513 if (si->dynamic != (unsigned *)-1) { 1514 DL_ERR("%5d multiple PT_DYNAMIC segments found in '%s'. " 1515 "Segment at 0x%08x, previously one found at 0x%08x\n", 1516 pid, si->name, si->base + phdr->p_vaddr, 1517 (unsigned)si->dynamic); 1518 goto fail; 1519 } 1520 DEBUG_DUMP_PHDR(phdr, "PT_DYNAMIC", pid); 1521 si->dynamic = (unsigned *) (si->base + phdr->p_vaddr); 1522 } 1523 } 1524 } 1525 1526 if (si->dynamic == (unsigned *)-1) { 1527 DL_ERR("%5d missing PT_DYNAMIC?!\n", pid); 1528 goto fail; 1529 } 1530 1531 DEBUG("%5d dynamic = %p\n", pid, si->dynamic); 1532 1533 /* extract useful information from dynamic section */ 1534 for(d = si->dynamic; *d; d++){ 1535 DEBUG("%5d d = %p, d[0] = 0x%08x d[1] = 0x%08x\n", pid, d, d[0], d[1]); 1536 switch(*d++){ 1537 case DT_HASH: 1538 si->nbucket = ((unsigned *) (si->base + *d))[0]; 1539 si->nchain = ((unsigned *) (si->base + *d))[1]; 1540 si->bucket = (unsigned *) (si->base + *d + 8); 1541 si->chain = (unsigned *) (si->base + *d + 8 + si->nbucket * 4); 1542 break; 1543 case DT_STRTAB: 1544 si->strtab = (const char *) (si->base + *d); 1545 break; 1546 case DT_SYMTAB: 1547 si->symtab = (Elf32_Sym *) (si->base + *d); 1548 break; 1549 case DT_PLTREL: 1550 if(*d != DT_REL) { 1551 DL_ERR("DT_RELA not supported\n"); 1552 goto fail; 1553 } 1554 break; 1555 case DT_JMPREL: 1556 si->plt_rel = (Elf32_Rel*) (si->base + *d); 1557 break; 1558 case DT_PLTRELSZ: 1559 si->plt_rel_count = *d / 8; 1560 break; 1561 case DT_REL: 1562 si->rel = (Elf32_Rel*) (si->base + *d); 1563 break; 1564 case DT_RELSZ: 1565 si->rel_count = *d / 8; 1566 break; 1567 case DT_PLTGOT: 1568 /* Save this in case we decide to do lazy binding. We don't yet. */ 1569 si->plt_got = (unsigned *)(si->base + *d); 1570 break; 1571 case DT_DEBUG: 1572 // Set the DT_DEBUG entry to the addres of _r_debug for GDB 1573 *d = (int) &_r_debug; 1574 break; 1575 case DT_RELA: 1576 DL_ERR("%5d DT_RELA not supported\n", pid); 1577 goto fail; 1578 case DT_INIT: 1579 si->init_func = (void (*)(void))(si->base + *d); 1580 DEBUG("%5d %s constructors (init func) found at %p\n", 1581 pid, si->name, si->init_func); 1582 break; 1583 case DT_FINI: 1584 si->fini_func = (void (*)(void))(si->base + *d); 1585 DEBUG("%5d %s destructors (fini func) found at %p\n", 1586 pid, si->name, si->fini_func); 1587 break; 1588 case DT_INIT_ARRAY: 1589 si->init_array = (unsigned *)(si->base + *d); 1590 DEBUG("%5d %s constructors (init_array) found at %p\n", 1591 pid, si->name, si->init_array); 1592 break; 1593 case DT_INIT_ARRAYSZ: 1594 si->init_array_count = ((unsigned)*d) / sizeof(Elf32_Addr); 1595 break; 1596 case DT_FINI_ARRAY: 1597 si->fini_array = (unsigned *)(si->base + *d); 1598 DEBUG("%5d %s destructors (fini_array) found at %p\n", 1599 pid, si->name, si->fini_array); 1600 break; 1601 case DT_FINI_ARRAYSZ: 1602 si->fini_array_count = ((unsigned)*d) / sizeof(Elf32_Addr); 1603 break; 1604 case DT_PREINIT_ARRAY: 1605 si->preinit_array = (unsigned *)(si->base + *d); 1606 DEBUG("%5d %s constructors (preinit_array) found at %p\n", 1607 pid, si->name, si->preinit_array); 1608 break; 1609 case DT_PREINIT_ARRAYSZ: 1610 si->preinit_array_count = ((unsigned)*d) / sizeof(Elf32_Addr); 1611 break; 1612 case DT_TEXTREL: 1613 /* TODO: make use of this. */ 1614 /* this means that we might have to write into where the text 1615 * segment was loaded during relocation... Do something with 1616 * it. 1617 */ 1618 DEBUG("%5d Text segment should be writable during relocation.\n", 1619 pid); 1620 break; 1621 } 1622 } 1623 1624 DEBUG("%5d si->base = 0x%08x, si->strtab = %p, si->symtab = %p\n", 1625 pid, si->base, si->strtab, si->symtab); 1626 1627 if((si->strtab == 0) || (si->symtab == 0)) { 1628 DL_ERR("%5d missing essential tables\n", pid); 1629 goto fail; 1630 } 1631 1632 for(d = si->dynamic; *d; d += 2) { 1633 if(d[0] == DT_NEEDED){ 1634 DEBUG("%5d %s needs %s\n", pid, si->name, si->strtab + d[1]); 1635 soinfo *lsi = find_library(si->strtab + d[1]); 1636 if(lsi == 0) { 1637 strlcpy(tmp_err_buf, linker_get_error(), sizeof(tmp_err_buf)); 1638 DL_ERR("%5d could not load needed library '%s' for '%s' (%s)\n", 1639 pid, si->strtab + d[1], si->name, tmp_err_buf); 1640 goto fail; 1641 } 1642 lsi->refcount++; 1643 } 1644 } 1645 1646 if(si->plt_rel) { 1647 DEBUG("[ %5d relocating %s plt ]\n", pid, si->name ); 1648 if(reloc_library(si, si->plt_rel, si->plt_rel_count)) 1649 goto fail; 1650 } 1651 if(si->rel) { 1652 DEBUG("[ %5d relocating %s ]\n", pid, si->name ); 1653 if(reloc_library(si, si->rel, si->rel_count)) 1654 goto fail; 1655 } 1656 1657 si->flags |= FLAG_LINKED; 1658 DEBUG("[ %5d finished linking %s ]\n", pid, si->name); 1659 1660#if 0 1661 /* This is the way that the old dynamic linker did protection of 1662 * non-writable areas. It would scan section headers and find where 1663 * .text ended (rather where .data/.bss began) and assume that this is 1664 * the upper range of the non-writable area. This is too coarse, 1665 * and is kept here for reference until we fully move away from single 1666 * segment elf objects. See the code in get_wr_offset (also #if'd 0) 1667 * that made this possible. 1668 */ 1669 if(wr_offset < 0xffffffff){ 1670 mprotect((void*) si->base, wr_offset, PROT_READ | PROT_EXEC); 1671 } 1672#else 1673 /* TODO: Verify that this does the right thing in all cases, as it 1674 * presently probably does not. It is possible that an ELF image will 1675 * come with multiple read-only segments. What we ought to do is scan 1676 * the program headers again and mprotect all the read-only segments. 1677 * To prevent re-scanning the program header, we would have to build a 1678 * list of loadable segments in si, and then scan that instead. */ 1679 if (si->wrprotect_start != 0xffffffff && si->wrprotect_end != 0) { 1680 mprotect((void *)si->wrprotect_start, 1681 si->wrprotect_end - si->wrprotect_start, 1682 PROT_READ | PROT_EXEC); 1683 } 1684#endif 1685 1686 /* If this is a SET?ID program, dup /dev/null to opened stdin, 1687 stdout and stderr to close a security hole described in: 1688 1689 ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:23.stdio.asc 1690 1691 */ 1692 if (getuid() != geteuid() || getgid() != getegid()) 1693 nullify_closed_stdio (); 1694 call_constructors(si); 1695 notify_gdb_of_load(si); 1696 return 0; 1697 1698fail: 1699 ERROR("failed to link %s\n", si->name); 1700 si->flags |= FLAG_ERROR; 1701 return -1; 1702} 1703 1704static void parse_library_path(char *path, char *delim) 1705{ 1706 size_t len; 1707 char *ldpaths_bufp = ldpaths_buf; 1708 int i = 0; 1709 1710 len = strlcpy(ldpaths_buf, path, sizeof(ldpaths_buf)); 1711 1712 while (i < LDPATH_MAX && (ldpaths[i] = strsep(&ldpaths_bufp, delim))) { 1713 if (*ldpaths[i] != '\0') 1714 ++i; 1715 } 1716 1717 /* Forget the last path if we had to truncate; this occurs if the 2nd to 1718 * last char isn't '\0' (i.e. not originally a delim). */ 1719 if (i > 0 && len >= sizeof(ldpaths_buf) && 1720 ldpaths_buf[sizeof(ldpaths_buf) - 2] != '\0') { 1721 ldpaths[i - 1] = NULL; 1722 } else { 1723 ldpaths[i] = NULL; 1724 } 1725} 1726 1727int main(int argc, char **argv) 1728{ 1729 return 0; 1730} 1731 1732#define ANDROID_TLS_SLOTS BIONIC_TLS_SLOTS 1733 1734static void * __tls_area[ANDROID_TLS_SLOTS]; 1735 1736unsigned __linker_init(unsigned **elfdata) 1737{ 1738 static soinfo linker_soinfo; 1739 1740 int argc = (int) *elfdata; 1741 char **argv = (char**) (elfdata + 1); 1742 unsigned *vecs = (unsigned*) (argv + argc + 1); 1743 soinfo *si; 1744 struct link_map * map; 1745 char *ldpath_env = NULL; 1746 1747 pid = getpid(); 1748 1749#if TIMING 1750 struct timeval t0, t1; 1751 gettimeofday(&t0, 0); 1752#endif 1753 1754 __set_tls(__tls_area); 1755 ((unsigned *)__get_tls())[TLS_SLOT_THREAD_ID] = gettid(); 1756 1757 debugger_init(); 1758 1759 /* skip past the environment */ 1760 while(vecs[0] != 0) { 1761 if(!strncmp((char*) vecs[0], "DEBUG=", 6)) { 1762 debug_verbosity = atoi(((char*) vecs[0]) + 6); 1763 } else if(!strncmp((char*) vecs[0], "LD_LIBRARY_PATH=", 16)) { 1764 ldpath_env = (char*) vecs[0] + 16; 1765 } 1766 vecs++; 1767 } 1768 vecs++; 1769 1770 INFO("[ android linker & debugger ]\n"); 1771 DEBUG("%5d elfdata @ 0x%08x\n", pid, (unsigned)elfdata); 1772 1773 si = alloc_info(argv[0]); 1774 if(si == 0) { 1775 exit(-1); 1776 } 1777 1778 /* bootstrap the link map, the main exe always needs to be first */ 1779 si->flags |= FLAG_EXE; 1780 map = &(si->linkmap); 1781 1782 map->l_addr = 0; 1783 map->l_name = argv[0]; 1784 map->l_prev = NULL; 1785 map->l_next = NULL; 1786 1787 _r_debug.r_map = map; 1788 r_debug_tail = map; 1789 1790 /* gdb expects the linker to be in the debug shared object list, 1791 * and we need to make sure that the reported load address is zero. 1792 * Without this, gdb gets the wrong idea of where rtld_db_dlactivity() 1793 * is. Don't use alloc_info(), because the linker shouldn't 1794 * be on the soinfo list. 1795 */ 1796 strcpy((char*) linker_soinfo.name, "/system/bin/linker"); 1797 linker_soinfo.flags = 0; 1798 linker_soinfo.base = 0; // This is the important part; must be zero. 1799 insert_soinfo_into_debug_map(&linker_soinfo); 1800 1801 /* extract information passed from the kernel */ 1802 while(vecs[0] != 0){ 1803 switch(vecs[0]){ 1804 case AT_PHDR: 1805 si->phdr = (Elf32_Phdr*) vecs[1]; 1806 break; 1807 case AT_PHNUM: 1808 si->phnum = (int) vecs[1]; 1809 break; 1810 case AT_ENTRY: 1811 si->entry = vecs[1]; 1812 break; 1813 } 1814 vecs += 2; 1815 } 1816 1817 ba_init(); 1818 1819 si->base = 0; 1820 si->dynamic = (unsigned *)-1; 1821 si->wrprotect_start = 0xffffffff; 1822 si->wrprotect_end = 0; 1823 1824 /* Use LD_LIBRARY_PATH if we aren't setuid/setgid */ 1825 if (ldpath_env && getuid() == geteuid() && getgid() == getegid()) 1826 parse_library_path(ldpath_env, ":"); 1827 1828 if(link_image(si, 0)) { 1829 char errmsg[] = "CANNOT LINK EXECUTABLE\n"; 1830 write(2, __linker_dl_err_buf, strlen(__linker_dl_err_buf)); 1831 write(2, errmsg, sizeof(errmsg)); 1832 exit(-1); 1833 } 1834 1835#if TIMING 1836 gettimeofday(&t1,NULL); 1837 PRINT("LINKER TIME: %s: %d microseconds\n", argv[0], (int) ( 1838 (((long long)t1.tv_sec * 1000000LL) + (long long)t1.tv_usec) - 1839 (((long long)t0.tv_sec * 1000000LL) + (long long)t0.tv_usec) 1840 )); 1841#endif 1842#if STATS 1843 PRINT("RELO STATS: %s: %d abs, %d rel, %d copy, %d symbol\n", argv[0], 1844 linker_stats.reloc[RELOC_ABSOLUTE], 1845 linker_stats.reloc[RELOC_RELATIVE], 1846 linker_stats.reloc[RELOC_COPY], 1847 linker_stats.reloc[RELOC_SYMBOL]); 1848#endif 1849#if COUNT_PAGES 1850 { 1851 unsigned n; 1852 unsigned i; 1853 unsigned count = 0; 1854 for(n = 0; n < 4096; n++){ 1855 if(bitmask[n]){ 1856 unsigned x = bitmask[n]; 1857 for(i = 0; i < 8; i++){ 1858 if(x & 1) count++; 1859 x >>= 1; 1860 } 1861 } 1862 } 1863 PRINT("PAGES MODIFIED: %s: %d (%dKB)\n", argv[0], count, count * 4); 1864 } 1865#endif 1866 1867#if TIMING || STATS || COUNT_PAGES 1868 fflush(stdout); 1869#endif 1870 1871 TRACE("[ %5d Ready to execute '%s' @ 0x%08x ]\n", pid, si->name, 1872 si->entry); 1873 return si->entry; 1874} 1875