linker.c revision e5cc1f386b167b9f7bfdebc7219e89aa9b71e4b2
146be48730333120a7b939116cef075e61c12c703David 'Digit' Turner#include <linux/auxvec.h> 246be48730333120a7b939116cef075e61c12c703David 'Digit' Turner 346be48730333120a7b939116cef075e61c12c703David 'Digit' Turner#include <stdio.h> 446be48730333120a7b939116cef075e61c12c703David 'Digit' Turner#include <stdlib.h> 546be48730333120a7b939116cef075e61c12c703David 'Digit' Turner#include <string.h> 646be48730333120a7b939116cef075e61c12c703David 'Digit' Turner#include <unistd.h> 746be48730333120a7b939116cef075e61c12c703David 'Digit' Turner#include <fcntl.h> 846be48730333120a7b939116cef075e61c12c703David 'Digit' Turner#include <errno.h> 946be48730333120a7b939116cef075e61c12c703David 'Digit' Turner#include <dlfcn.h> 1046be48730333120a7b939116cef075e61c12c703David 'Digit' Turner#include <sys/stat.h> 1146be48730333120a7b939116cef075e61c12c703David 'Digit' Turner 1246be48730333120a7b939116cef075e61c12c703David 'Digit' Turner//#include <pthread.h> 1346be48730333120a7b939116cef075e61c12c703David 'Digit' Turner 1446be48730333120a7b939116cef075e61c12c703David 'Digit' Turner#include <sys/mman.h> 1546be48730333120a7b939116cef075e61c12c703David 'Digit' Turner 1646be48730333120a7b939116cef075e61c12c703David 'Digit' Turner#include <sys/atomics.h> 1746be48730333120a7b939116cef075e61c12c703David 'Digit' Turner 1846be48730333120a7b939116cef075e61c12c703David 'Digit' Turner/* special private C library header - see Android.mk */ 1946be48730333120a7b939116cef075e61c12c703David 'Digit' Turner#include <bionic_tls.h> 2046be48730333120a7b939116cef075e61c12c703David 'Digit' Turner 2146be48730333120a7b939116cef075e61c12c703David 'Digit' Turner#include "linker.h" 2246be48730333120a7b939116cef075e61c12c703David 'Digit' Turner#include "linker_debug.h" 2346be48730333120a7b939116cef075e61c12c703David 'Digit' Turner 2446be48730333120a7b939116cef075e61c12c703David 'Digit' Turner#define SO_MAX 64 2546be48730333120a7b939116cef075e61c12c703David 'Digit' Turner 2646be48730333120a7b939116cef075e61c12c703David 'Digit' Turner/* >>> IMPORTANT NOTE - READ ME BEFORE MODIFYING <<< 2746be48730333120a7b939116cef075e61c12c703David 'Digit' Turner * 2846be48730333120a7b939116cef075e61c12c703David 'Digit' Turner * Do NOT use malloc() and friends or pthread_*() code here. 2946be48730333120a7b939116cef075e61c12c703David 'Digit' Turner * Don't use printf() either; it's caused mysterious memory 3046be48730333120a7b939116cef075e61c12c703David 'Digit' Turner * corruption in the past. 3146be48730333120a7b939116cef075e61c12c703David 'Digit' Turner * The linker runs before we bring up libc and it's easiest 3246be48730333120a7b939116cef075e61c12c703David 'Digit' Turner * to make sure it does not depend on any complex libc features 3346be48730333120a7b939116cef075e61c12c703David 'Digit' Turner * 3446be48730333120a7b939116cef075e61c12c703David 'Digit' Turner * open issues / todo: 3546be48730333120a7b939116cef075e61c12c703David 'Digit' Turner * 3646be48730333120a7b939116cef075e61c12c703David 'Digit' Turner * - should we do anything special for STB_WEAK symbols? 3746be48730333120a7b939116cef075e61c12c703David 'Digit' Turner * - are we doing everything we should for ARM_COPY relocations? 38 * - cleaner error reporting 39 * - configuration for paths (LD_LIBRARY_PATH?) 40 * - after linking, set as much stuff as possible to READONLY 41 * and NOEXEC 42 * - linker hardcodes PAGE_SIZE and PAGE_MASK because the kernel 43 * headers provide versions that are negative... 44 * - allocate space for soinfo structs dynamically instead of 45 * having a hard limit (64) 46 * 47 * features to add someday: 48 * 49 * - dlopen() and friends 50 * 51*/ 52 53 54static int link_image(soinfo *si, unsigned wr_offset); 55 56static int socount = 0; 57static soinfo sopool[SO_MAX]; 58static soinfo *freelist = NULL; 59static soinfo *solist = &libdl_info; 60static soinfo *sonext = &libdl_info; 61 62int debug_verbosity; 63static int pid; 64 65#if STATS 66struct _link_stats linker_stats; 67#endif 68 69#if COUNT_PAGES 70unsigned bitmask[4096]; 71#endif 72 73#ifndef PT_ARM_EXIDX 74#define PT_ARM_EXIDX 0x70000001 /* .ARM.exidx segment */ 75#endif 76 77/* 78 * This function is an empty stub where GDB locates a breakpoint to get notified 79 * about linker activity. 80 */ 81extern void __attribute__((noinline)) rtld_db_dlactivity(void); 82 83extern void sched_yield(void); 84 85static struct r_debug _r_debug = {1, NULL, &rtld_db_dlactivity, RT_CONSISTENT, 0}; 86static struct link_map *r_debug_tail = 0; 87 88//static pthread_mutex_t _r_debug_lock = PTHREAD_MUTEX_INITIALIZER; 89 90static volatile int loader_lock = 0; 91 92static void insert_soinfo_into_debug_map(soinfo * info) 93{ 94 struct link_map * map; 95 96 /* Copy the necessary fields into the debug structure. 97 */ 98 map = &(info->linkmap); 99 map->l_addr = info->base; 100 map->l_name = (char*) info->name; 101 102 /* Stick the new library at the end of the list. 103 * gdb tends to care more about libc than it does 104 * about leaf libraries, and ordering it this way 105 * reduces the back-and-forth over the wire. 106 */ 107 if (r_debug_tail) { 108 r_debug_tail->l_next = map; 109 map->l_prev = r_debug_tail; 110 map->l_next = 0; 111 } else { 112 _r_debug.r_map = map; 113 map->l_prev = 0; 114 map->l_next = 0; 115 } 116 r_debug_tail = map; 117} 118 119void notify_gdb_of_load(soinfo * info) 120{ 121 if (info->flags & FLAG_EXE) { 122 // GDB already knows about the main executable 123 return; 124 } 125 126 /* yes, this is a little gross, but it does avoid 127 ** pulling in pthread_*() and at the moment we don't 128 ** dlopen() anything anyway 129 */ 130 while(__atomic_swap(1, &loader_lock) != 0) { 131 sched_yield(); 132 usleep(5000); 133 } 134 135 _r_debug.r_state = RT_ADD; 136 rtld_db_dlactivity(); 137 138 insert_soinfo_into_debug_map(info); 139 140 _r_debug.r_state = RT_CONSISTENT; 141 rtld_db_dlactivity(); 142 143 __atomic_swap(0, &loader_lock); 144} 145 146void notify_gdb_of_libraries() 147{ 148 _r_debug.r_state = RT_ADD; 149 rtld_db_dlactivity(); 150 _r_debug.r_state = RT_CONSISTENT; 151 rtld_db_dlactivity(); 152} 153 154static soinfo *alloc_info(const char *name) 155{ 156 soinfo *si; 157 158 if(strlen(name) >= SOINFO_NAME_LEN) { 159 ERROR("%5d library name %s too long\n", pid, name); 160 return 0; 161 } 162 163 /* The freelist is populated when we call free_info(), which in turn is 164 done only by dlclose(), which is not likely to be used. 165 */ 166 if (!freelist) { 167 if(socount == SO_MAX) { 168 ERROR("%5d too many libraries when loading %s\n", pid, name); 169 return NULL; 170 } 171 freelist = sopool + socount++; 172 freelist->next = NULL; 173 } 174 175 si = freelist; 176 freelist = freelist->next; 177 178 /* Make sure we get a clean block of soinfo */ 179 memset(si, 0, sizeof(soinfo)); 180 strcpy((char*) si->name, name); 181 sonext->next = si; 182 si->next = NULL; 183 si->refcount = 0; 184 sonext = si; 185 186 TRACE("%5d name %s: allocated soinfo @ %p\n", pid, name, si); 187 return si; 188} 189 190static void free_info(soinfo *si) 191{ 192 soinfo *prev = NULL, *trav; 193 194 TRACE("%5d name %s: freeing soinfo @ %p\n", pid, si->name, si); 195 196 for(trav = solist; trav != NULL; trav = trav->next){ 197 if (trav == si) 198 break; 199 prev = trav; 200 } 201 if (trav == NULL) { 202 /* si was not ni solist */ 203 ERROR("%5d name %s is not in solist!\n", pid, si->name); 204 return; 205 } 206 207 /* prev will never be NULL, because the first entry in solist is 208 always the static libdl_info. 209 */ 210 prev->next = si->next; 211 if (si == sonext) sonext = prev; 212 si->next = freelist; 213 freelist = si; 214} 215 216#ifndef LINKER_TEXT_BASE 217#error "linker's makefile must define LINKER_TEXT_BASE" 218#endif 219#ifndef LINKER_AREA_SIZE 220#error "linker's makefile must define LINKER_AREA_SIZE" 221#endif 222#define LINKER_BASE ((LINKER_TEXT_BASE) & 0xfff00000) 223#define LINKER_TOP (LINKER_BASE + (LINKER_AREA_SIZE)) 224 225const char *addr_to_name(unsigned addr) 226{ 227 soinfo *si; 228 229 for(si = solist; si != 0; si = si->next){ 230 if((addr >= si->base) && (addr < (si->base + si->size))) { 231 return si->name; 232 } 233 } 234 235 if((addr >= LINKER_BASE) && (addr < LINKER_TOP)){ 236 return "linker"; 237 } 238 239 return ""; 240} 241 242/* For a given PC, find the .so that it belongs to. 243 * Returns the base address of the .ARM.exidx section 244 * for that .so, and the number of 8-byte entries 245 * in that section (via *pcount). 246 * 247 * Intended to be called by libc's __gnu_Unwind_Find_exidx(). 248 * 249 * This function is exposed via dlfcn.c and libdl.so. 250 */ 251#ifdef ANDROID_ARM_LINKER 252_Unwind_Ptr dl_unwind_find_exidx(_Unwind_Ptr pc, int *pcount) 253{ 254 soinfo *si; 255 unsigned addr = (unsigned)pc; 256 257 if ((addr < LINKER_BASE) || (addr >= LINKER_TOP)) { 258 for (si = solist; si != 0; si = si->next){ 259 if ((addr >= si->base) && (addr < (si->base + si->size))) { 260 *pcount = si->ARM_exidx_count; 261 return (_Unwind_Ptr)(si->base + (unsigned long)si->ARM_exidx); 262 } 263 } 264 } 265 *pcount = 0; 266 return NULL; 267} 268#elif defined(ANDROID_X86_LINKER) 269/* Here, we only have to provide a callback to iterate across all the 270 * loaded libraries. gcc_eh does the rest. */ 271int 272dl_iterate_phdr(int (*cb)(struct dl_phdr_info *info, size_t size, void *data), 273 void *data) 274{ 275 soinfo *si; 276 struct dl_phdr_info dl_info; 277 int rv = 0; 278 279 for (si = solist; si != NULL; si = si->next) { 280 dl_info.dlpi_addr = si->linkmap.l_addr; 281 dl_info.dlpi_name = si->linkmap.l_name; 282 dl_info.dlpi_phdr = si->phdr; 283 dl_info.dlpi_phnum = si->phnum; 284 rv = cb(&dl_info, sizeof (struct dl_phdr_info), data); 285 if (rv != 0) 286 break; 287 } 288 return rv; 289} 290#endif 291 292static Elf32_Sym *_elf_lookup(soinfo *si, unsigned hash, const char *name) 293{ 294 Elf32_Sym *s; 295 Elf32_Sym *symtab = si->symtab; 296 const char *strtab = si->strtab; 297 unsigned n; 298 299 TRACE_TYPE(LOOKUP, "%5d SEARCH %s in %s@0x%08x %08x %d\n", pid, 300 name, si->name, si->base, hash, hash % si->nbucket); 301 n = hash % si->nbucket; 302 303 for(n = si->bucket[hash % si->nbucket]; n != 0; n = si->chain[n]){ 304 s = symtab + n; 305 if(strcmp(strtab + s->st_name, name)) continue; 306 307 /* only concern ourselves with global symbols */ 308 switch(ELF32_ST_BIND(s->st_info)){ 309 case STB_GLOBAL: 310 /* no section == undefined */ 311 if(s->st_shndx == 0) continue; 312 313 case STB_WEAK: 314 TRACE_TYPE(LOOKUP, "%5d FOUND %s in %s (%08x) %d\n", pid, 315 name, si->name, s->st_value, s->st_size); 316 return s; 317 } 318 } 319 320 return 0; 321} 322 323static unsigned elfhash(const char *_name) 324{ 325 const unsigned char *name = (const unsigned char *) _name; 326 unsigned h = 0, g; 327 328 while(*name) { 329 h = (h << 4) + *name++; 330 g = h & 0xf0000000; 331 h ^= g; 332 h ^= g >> 24; 333 } 334 return h; 335} 336 337static Elf32_Sym * 338_do_lookup_in_so(soinfo *si, const char *name, unsigned *elf_hash) 339{ 340 if (*elf_hash == 0) 341 *elf_hash = elfhash(name); 342 return _elf_lookup (si, *elf_hash, name); 343} 344 345/* This is used by dl_sym() */ 346Elf32_Sym *lookup_in_library(soinfo *si, const char *name) 347{ 348 unsigned unused = 0; 349 return _do_lookup_in_so(si, name, &unused); 350} 351 352static Elf32_Sym * 353_do_lookup(soinfo *user_si, const char *name, unsigned *base) 354{ 355 unsigned elf_hash = 0; 356 Elf32_Sym *s = NULL; 357 soinfo *si; 358 359 /* Look for symbols in the local scope first (the object who is 360 * searching). This happens with C++ templates on i386 for some 361 * reason. */ 362 if (user_si) { 363 s = _do_lookup_in_so(user_si, name, &elf_hash); 364 if (s != NULL) 365 *base = user_si->base; 366 } 367 368 for(si = solist; (s == NULL) && (si != NULL); si = si->next) 369 { 370 if((si->flags & FLAG_ERROR) || (si == user_si)) 371 continue; 372 s = _do_lookup_in_so(si, name, &elf_hash); 373 if (s != NULL) { 374 *base = si->base; 375 break; 376 } 377 } 378 379 if (s != NULL) { 380 TRACE_TYPE(LOOKUP, "%5d %s s->st_value = 0x%08x, " 381 "si->base = 0x%08x\n", pid, name, s->st_value, si->base); 382 return s; 383 } 384 385 return 0; 386} 387 388/* This is used by dl_sym() */ 389Elf32_Sym *lookup(const char *name, unsigned *base) 390{ 391 return _do_lookup(NULL, name, base); 392} 393 394#if 0 395static void dump(soinfo *si) 396{ 397 Elf32_Sym *s = si->symtab; 398 unsigned n; 399 400 for(n = 0; n < si->nchain; n++) { 401 TRACE("%5d %04d> %08x: %02x %04x %08x %08x %s\n", pid, n, s, 402 s->st_info, s->st_shndx, s->st_value, s->st_size, 403 si->strtab + s->st_name); 404 s++; 405 } 406} 407#endif 408 409static const char *sopaths[] = { 410 "/system/lib", 411 "/lib", 412 0 413}; 414 415static int _open_lib(const char *name) 416{ 417 int fd; 418 struct stat filestat; 419 420 if ((stat(name, &filestat) >= 0) && S_ISREG(filestat.st_mode)) { 421 if ((fd = open(name, O_RDONLY)) >= 0) 422 return fd; 423 } 424 425 return -1; 426} 427 428/* TODO: Need to add support for initializing the so search path with 429 * LD_LIBRARY_PATH env variable for non-setuid programs. */ 430static int open_library(const char *name) 431{ 432 int fd; 433 char buf[512]; 434 const char **path; 435 436 TRACE("[ %5d opening %s ]\n", pid, name); 437 438 if(name == 0) return -1; 439 if(strlen(name) > 256) return -1; 440 441 if ((name[0] == '/') && ((fd = _open_lib(name)) >= 0)) 442 return fd; 443 444 for (path = sopaths; *path; path++) { 445 snprintf(buf, sizeof(buf), "%s/%s", *path, name); 446 if ((fd = _open_lib(buf)) >= 0) 447 return fd; 448 } 449 450 return -1; 451} 452 453static unsigned libbase = LIBBASE; 454 455/* temporary space for holding the first page of the shared lib 456 * which contains the elf header (with the pht). */ 457static unsigned char __header[PAGE_SIZE]; 458 459typedef struct { 460 long mmap_addr; 461 char tag[4]; /* 'P', 'R', 'E', ' ' */ 462} prelink_info_t; 463 464/* Returns the requested base address if the library is prelinked, 465 * and 0 otherwise. */ 466static unsigned long 467is_prelinked(int fd, const char *name) 468{ 469 off_t sz; 470 prelink_info_t info; 471 472 sz = lseek(fd, -sizeof(prelink_info_t), SEEK_END); 473 if (sz < 0) { 474 ERROR("lseek() failed!\n"); 475 return 0; 476 } 477 478 if (read(fd, &info, sizeof(info)) != sizeof(info)) { 479 WARN("Could not read prelink_info_t structure for `%s`\n", name); 480 return 0; 481 } 482 483 if (strncmp(info.tag, "PRE ", 4)) { 484 WARN("`%s` is not a prelinked library\n", name); 485 return 0; 486 } 487 488 return (unsigned long)info.mmap_addr; 489} 490 491/* verify_elf_object 492 * Verifies if the object @ base is a valid ELF object 493 * 494 * Args: 495 * 496 * Returns: 497 * 0 on success 498 * -1 if no valid ELF object is found @ base. 499 */ 500static int 501verify_elf_object(void *base, const char *name) 502{ 503 Elf32_Ehdr *hdr = (Elf32_Ehdr *) base; 504 505 if (hdr->e_ident[EI_MAG0] != ELFMAG0) return -1; 506 if (hdr->e_ident[EI_MAG1] != ELFMAG1) return -1; 507 if (hdr->e_ident[EI_MAG2] != ELFMAG2) return -1; 508 if (hdr->e_ident[EI_MAG3] != ELFMAG3) return -1; 509 510 /* TODO: Should we verify anything else in the header? */ 511 512 return 0; 513} 514 515 516/* get_lib_extents 517 * Retrieves the base (*base) address where the ELF object should be 518 * mapped and its overall memory size (*total_sz). 519 * 520 * Args: 521 * fd: Opened file descriptor for the library 522 * name: The name of the library 523 * _hdr: Pointer to the header page of the library 524 * total_sz: Total size of the memory that should be allocated for 525 * this library 526 * 527 * Returns: 528 * -1 if there was an error while trying to get the lib extents. 529 * The possible reasons are: 530 * - Could not determine if the library was prelinked. 531 * - The library provided is not a valid ELF object 532 * 0 if the library did not request a specific base offset (normal 533 * for non-prelinked libs) 534 * > 0 if the library requests a specific address to be mapped to. 535 * This indicates a pre-linked library. 536 */ 537static unsigned 538get_lib_extents(int fd, const char *name, void *__hdr, unsigned *total_sz) 539{ 540 unsigned req_base; 541 unsigned min_vaddr = 0xffffffff; 542 unsigned max_vaddr = 0; 543 unsigned char *_hdr = (unsigned char *)__hdr; 544 Elf32_Ehdr *ehdr = (Elf32_Ehdr *)_hdr; 545 Elf32_Phdr *phdr; 546 int cnt; 547 548 TRACE("[ %5d Computing extents for '%s'. ]\n", pid, name); 549 if (verify_elf_object(_hdr, name) < 0) { 550 ERROR("%5d - %s is not a valid ELF object\n", pid, name); 551 return (unsigned)-1; 552 } 553 554 req_base = (unsigned) is_prelinked(fd, name); 555 if (req_base == (unsigned)-1) 556 return -1; 557 else if (req_base != 0) { 558 TRACE("[ %5d - Prelinked library '%s' requesting base @ 0x%08x ]\n", 559 pid, name, req_base); 560 } else { 561 TRACE("[ %5d - Non-prelinked library '%s' found. ]\n", pid, name); 562 } 563 564 phdr = (Elf32_Phdr *)(_hdr + ehdr->e_phoff); 565 566 /* find the min/max p_vaddrs from all the PT_LOAD segments so we can 567 * get the range. */ 568 for (cnt = 0; cnt < ehdr->e_phnum; ++cnt, ++phdr) { 569 if (phdr->p_type == PT_LOAD) { 570 if ((phdr->p_vaddr + phdr->p_memsz) > max_vaddr) 571 max_vaddr = phdr->p_vaddr + phdr->p_memsz; 572 if (phdr->p_vaddr < min_vaddr) 573 min_vaddr = phdr->p_vaddr; 574 } 575 } 576 577 if ((min_vaddr == 0xffffffff) && (max_vaddr == 0)) { 578 ERROR("%5d - No loadable segments found in %s.\n", pid, name); 579 return (unsigned)-1; 580 } 581 582 /* truncate min_vaddr down to page boundary */ 583 min_vaddr &= ~PAGE_MASK; 584 585 /* round max_vaddr up to the next page */ 586 max_vaddr = (max_vaddr + PAGE_SIZE - 1) & ~PAGE_MASK; 587 588 *total_sz = (max_vaddr - min_vaddr); 589 return (unsigned)req_base; 590} 591 592/* alloc_mem_region 593 * 594 * This function reserves a chunk of memory to be used for mapping in 595 * the shared library. We reserve the entire memory region here, and 596 * then the rest of the linker will relocate the individual loadable 597 * segments into the correct locations within this memory range. 598 * 599 * Args: 600 * req_base: The requested base of the allocation. If 0, a sane one will be 601 * chosen in the range LIBBASE <= base < LIBLAST. 602 * sz: The size of the allocation. 603 * 604 * Returns: 605 * NULL on failure, and non-NULL pointer to memory region on success. 606 */ 607static void * 608alloc_mem_region(const char *name, unsigned req_base, unsigned sz) 609{ 610 void *base; 611 612 if (req_base) { 613 /* we should probably map it as PROT_NONE, but the init code needs 614 * to read the phdr, so mark everything as readable. */ 615 base = mmap((void *)req_base, sz, PROT_READ | PROT_EXEC, 616 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 617 if (base == MAP_FAILED) { 618 WARN("%5d can NOT map (prelinked) library '%s' at 0x%08x " 619 "as requested, will try general pool: %d (%s)\n", 620 pid, name, req_base, errno, strerror(errno)); 621 } else if (base != (void *)req_base) { 622 ERROR("OOPS: %5d prelinked library '%s' mapped at 0x%08x, " 623 "not at 0x%08x\n", pid, name, (unsigned)base, req_base); 624 munmap(base, sz); 625 return NULL; 626 } 627 628 /* Here we know that we got a valid allocation. Hooray! */ 629 return base; 630 } 631 632 /* We either did not request a specific base address to map at 633 * (i.e. not-prelinked) OR we could not map at the requested address. 634 * Try to find a memory range in our "reserved" area that can be mapped. 635 */ 636 while(libbase < LIBLAST) { 637 base = mmap((void*) libbase, sz, PROT_READ | PROT_EXEC, 638 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 639 640 if(((unsigned)base) == libbase) { 641 /* success -- got the address we wanted */ 642 return base; 643 } 644 645 /* If we got a different address than requested (rather than 646 * just a failure), we need to unmap the mismapped library 647 * before trying again 648 */ 649 if(base != MAP_FAILED) 650 munmap(base, sz); 651 652 libbase += LIBINC; 653 } 654 655 ERROR("OOPS: %5d cannot map library '%s'. no vspace available.\n", 656 pid, name); 657 return NULL; 658} 659 660#define MAYBE_MAP_FLAG(x,from,to) (((x) & (from)) ? (to) : 0) 661#define PFLAGS_TO_PROT(x) (MAYBE_MAP_FLAG((x), PF_X, PROT_EXEC) | \ 662 MAYBE_MAP_FLAG((x), PF_R, PROT_READ) | \ 663 MAYBE_MAP_FLAG((x), PF_W, PROT_WRITE)) 664/* load_segments 665 * 666 * This function loads all the loadable (PT_LOAD) segments into memory 667 * at their appropriate memory offsets off the base address. 668 * 669 * Args: 670 * fd: Open file descriptor to the library to load. 671 * header: Pointer to a header page that contains the ELF header. 672 * This is needed since we haven't mapped in the real file yet. 673 * si: ptr to soinfo struct describing the shared object. 674 * 675 * Returns: 676 * 0 on success, -1 on failure. 677 */ 678static int 679load_segments(int fd, void *header, soinfo *si) 680{ 681 Elf32_Ehdr *ehdr = (Elf32_Ehdr *)header; 682 Elf32_Phdr *phdr = (Elf32_Phdr *)((unsigned char *)header + ehdr->e_phoff); 683 unsigned char *base = (unsigned char *)si->base; 684 int cnt; 685 unsigned len; 686 unsigned char *tmp; 687 unsigned char *pbase; 688 unsigned char *extra_base; 689 unsigned extra_len; 690 unsigned total_sz = 0; 691 692 si->wrprotect_start = 0xffffffff; 693 si->wrprotect_end = 0; 694 695 TRACE("[ %5d - Begin loading segments for '%s' @ 0x%08x ]\n", 696 pid, si->name, (unsigned)si->base); 697 /* Now go through all the PT_LOAD segments and map them into memory 698 * at the appropriate locations. */ 699 for (cnt = 0; cnt < ehdr->e_phnum; ++cnt, ++phdr) { 700 if (phdr->p_type == PT_LOAD) { 701 DEBUG_DUMP_PHDR(phdr, "PT_LOAD", pid); 702 /* we want to map in the segment on a page boundary */ 703 tmp = base + (phdr->p_vaddr & (~PAGE_MASK)); 704 /* add the # of bytes we masked off above to the total length. */ 705 len = phdr->p_filesz + (phdr->p_vaddr & PAGE_MASK); 706 707 TRACE("[ %d - Trying to load segment from '%s' @ 0x%08x " 708 "(0x%08x). p_vaddr=0x%08x p_offset=0x%08x ]\n", pid, si->name, 709 (unsigned)tmp, len, phdr->p_vaddr, phdr->p_offset); 710 pbase = mmap(tmp, len, PFLAGS_TO_PROT(phdr->p_flags), 711 MAP_PRIVATE | MAP_FIXED, fd, 712 phdr->p_offset & (~PAGE_MASK)); 713 if (pbase == MAP_FAILED) { 714 ERROR("%d failed to map segment from '%s' @ 0x%08x (0x%08x). " 715 "p_vaddr=0x%08x p_offset=0x%08x\n", pid, si->name, 716 (unsigned)tmp, len, phdr->p_vaddr, phdr->p_offset); 717 goto fail; 718 } 719 720 /* If 'len' didn't end on page boundary, and it's a writable 721 * segment, zero-fill the rest. */ 722 if ((len & PAGE_MASK) && (phdr->p_flags & PF_W)) 723 memset((void *)(pbase + len), 0, PAGE_SIZE - (len & PAGE_MASK)); 724 725 /* Check to see if we need to extend the map for this segment to 726 * cover the diff between filesz and memsz (i.e. for bss). 727 * 728 * base _+---------------------+ page boundary 729 * . . 730 * | | 731 * . . 732 * pbase _+---------------------+ page boundary 733 * | | 734 * . . 735 * base + p_vaddr _| | 736 * . \ \ . 737 * . | filesz | . 738 * pbase + len _| / | | 739 * <0 pad> . . . 740 * extra_base _+------------|--------+ page boundary 741 * / . . . 742 * | . . . 743 * | +------------|--------+ page boundary 744 * extra_len-> | | | | 745 * | . | memsz . 746 * | . | . 747 * \ _| / | 748 * . . 749 * | | 750 * _+---------------------+ page boundary 751 */ 752 tmp = (unsigned char *)(((unsigned)pbase + len + PAGE_SIZE - 1) & 753 (~PAGE_MASK)); 754 if (tmp < (base + phdr->p_vaddr + phdr->p_memsz)) { 755 extra_len = base + phdr->p_vaddr + phdr->p_memsz - tmp; 756 TRACE("[ %5d - Need to extend segment from '%s' @ 0x%08x " 757 "(0x%08x) ]\n", pid, si->name, (unsigned)tmp, extra_len); 758 /* map in the extra page(s) as anonymous into the range. 759 * This is probably not necessary as we already mapped in 760 * the entire region previously, but we just want to be 761 * sure. This will also set the right flags on the region 762 * (though we can probably accomplish the same thing with 763 * mprotect). 764 */ 765 extra_base = mmap((void *)tmp, extra_len, 766 PFLAGS_TO_PROT(phdr->p_flags), 767 MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS, 768 -1, 0); 769 if (extra_base == MAP_FAILED) { 770 ERROR("[ %5d - failed to extend segment from '%s' @ 0x%08x " 771 "(0x%08x) ]\n", pid, si->name, (unsigned)tmp, 772 extra_len); 773 goto fail; 774 } 775 /* TODO: Check if we need to memset-0 this region. 776 * Anonymous mappings are zero-filled copy-on-writes, so we 777 * shouldn't need to. */ 778 TRACE("[ %5d - Segment from '%s' extended @ 0x%08x " 779 "(0x%08x)\n", pid, si->name, (unsigned)extra_base, 780 extra_len); 781 } 782 /* set the len here to show the full extent of the segment we 783 * just loaded, mostly for debugging */ 784 len = (((unsigned)base + phdr->p_vaddr + phdr->p_memsz + 785 PAGE_SIZE - 1) & (~PAGE_MASK)) - (unsigned)pbase; 786 TRACE("[ %5d - Successfully loaded segment from '%s' @ 0x%08x " 787 "(0x%08x). p_vaddr=0x%08x p_offset=0x%08x\n", pid, si->name, 788 (unsigned)pbase, len, phdr->p_vaddr, phdr->p_offset); 789 total_sz += len; 790 /* Make the section writable just in case we'll have to write to 791 * it during relocation (i.e. text segment). However, we will 792 * remember what range of addresses should be write protected. 793 * 794 */ 795 if (!(phdr->p_flags & PF_W)) { 796 if ((unsigned)pbase < si->wrprotect_start) 797 si->wrprotect_start = (unsigned)pbase; 798 if (((unsigned)pbase + len) > si->wrprotect_end) 799 si->wrprotect_end = (unsigned)pbase + len; 800 mprotect(pbase, len, 801 PFLAGS_TO_PROT(phdr->p_flags) | PROT_WRITE); 802 } 803 } else if (phdr->p_type == PT_DYNAMIC) { 804 DEBUG_DUMP_PHDR(phdr, "PT_DYNAMIC", pid); 805 /* this segment contains the dynamic linking information */ 806 si->dynamic = (unsigned *)(base + phdr->p_vaddr); 807 } else { 808#ifdef ANDROID_ARM_LINKER 809 if (phdr->p_type == PT_ARM_EXIDX) { 810 DEBUG_DUMP_PHDR(phdr, "PT_ARM_EXIDX", pid); 811 /* exidx entries (used for stack unwinding) are 8 bytes each. 812 */ 813 si->ARM_exidx = (unsigned *)phdr->p_vaddr; 814 si->ARM_exidx_count = phdr->p_memsz / 8; 815 } 816#endif 817 } 818 819 } 820 821 /* Sanity check */ 822 if (total_sz > si->size) { 823 ERROR("%5d - Total length (0x%08x) of mapped segments from '%s' is " 824 "greater than what was allocated (0x%08x). THIS IS BAD!\n", 825 pid, total_sz, si->name, si->size); 826 goto fail; 827 } 828 829 TRACE("[ %5d - Finish loading segments for '%s' @ 0x%08x. " 830 "Total memory footprint: 0x%08x bytes ]\n", pid, si->name, 831 (unsigned)si->base, si->size); 832 return 0; 833 834fail: 835 /* We can just blindly unmap the entire region even though some things 836 * were mapped in originally with anonymous and others could have been 837 * been mapped in from the file before we failed. The kernel will unmap 838 * all the pages in the range, irrespective of how they got there. 839 */ 840 munmap((void *)si->base, si->size); 841 si->flags |= FLAG_ERROR; 842 return -1; 843} 844 845/* TODO: Implement this to take care of the fact that Android ARM 846 * ELF objects shove everything into a single loadable segment that has the 847 * write bit set. wr_offset is then used to set non-(data|bss) pages to be 848 * non-writable. 849 */ 850#if 0 851static unsigned 852get_wr_offset(int fd, const char *name, Elf32_Ehdr *ehdr) 853{ 854 Elf32_Shdr *shdr_start; 855 Elf32_Shdr *shdr; 856 int shdr_sz = ehdr->e_shnum * sizeof(Elf32_Shdr); 857 int cnt; 858 unsigned wr_offset = 0xffffffff; 859 860 shdr_start = mmap(0, shdr_sz, PROT_READ, MAP_PRIVATE, fd, 861 ehdr->e_shoff & (~PAGE_MASK)); 862 if (shdr_start == MAP_FAILED) { 863 WARN("%5d - Could not read section header info from '%s'. Will not " 864 "not be able to determine write-protect offset.\n", pid, name); 865 return (unsigned)-1; 866 } 867 868 for(cnt = 0, shdr = shdr_start; cnt < ehdr->e_shnum; ++cnt, ++shdr) { 869 if ((shdr->sh_type != SHT_NULL) && (shdr->sh_flags & SHF_WRITE) && 870 (shdr->sh_addr < wr_offset)) { 871 wr_offset = shdr->sh_addr; 872 } 873 } 874 875 munmap(shdr_start, shdr_sz); 876 return wr_offset; 877} 878#endif 879 880static soinfo * 881load_library(const char *name) 882{ 883 int fd = open_library(name); 884 int cnt; 885 unsigned ext_sz; 886 unsigned req_base; 887 void *base; 888 soinfo *si; 889 Elf32_Ehdr *hdr; 890 891 if(fd == -1) 892 return NULL; 893 894 /* We have to read the ELF header to figure out what to do with this image 895 */ 896 if (lseek(fd, 0, SEEK_SET) < 0) { 897 ERROR("lseek() failed!\n"); 898 goto fail; 899 } 900 901 if ((cnt = read(fd, &__header[0], PAGE_SIZE)) < 0) { 902 ERROR("read() failed!\n"); 903 goto fail; 904 } 905 906 /* Parse the ELF header and get the size of the memory footprint for 907 * the library */ 908 req_base = get_lib_extents(fd, name, &__header[0], &ext_sz); 909 if (req_base == (unsigned)-1) 910 goto fail; 911 TRACE("[ %5d - '%s' (%s) wants base=0x%08x sz=0x%08x ]\n", pid, name, 912 (req_base ? "prelinked" : "not pre-linked"), req_base, ext_sz); 913 914 /* Carve out a chunk of memory where we will map in the individual 915 * segments */ 916 base = alloc_mem_region(name, req_base, ext_sz); 917 if (base == NULL) 918 goto fail; 919 TRACE("[ %5d allocated memory for %s @ %p (0x%08x) ]\n", 920 pid, name, base, (unsigned) ext_sz); 921 922 /* Now configure the soinfo struct where we'll store all of our data 923 * for the ELF object. If the loading fails, we waste the entry, but 924 * same thing would happen if we failed during linking. Configuring the 925 * soinfo struct here is a lot more convenient. 926 */ 927 si = alloc_info(name); 928 if (si == NULL) 929 goto fail; 930 931 si->base = (unsigned)base; 932 si->size = ext_sz; 933 si->flags = 0; 934 si->entry = 0; 935 si->dynamic = (unsigned *)-1; 936 937 /* Now actually load the library's segments into right places in memory */ 938 if (load_segments(fd, &__header[0], si) < 0) 939 goto fail; 940 941 /* this might not be right. Technically, we don't even need this info 942 * once we go through 'load_segments'. */ 943 hdr = (Elf32_Ehdr *)base; 944 si->phdr = (Elf32_Phdr *)((unsigned char *)si->base + hdr->e_phoff); 945 si->phnum = hdr->e_phnum; 946 /**/ 947 948 close(fd); 949 return si; 950 951fail: 952 close(fd); 953 return NULL; 954} 955 956static soinfo * 957init_library(soinfo *si) 958{ 959 unsigned wr_offset = 0xffffffff; 960 unsigned libbase_before = 0; 961 unsigned libbase_after = 0; 962 963 /* At this point we know that whatever is loaded @ base is a valid ELF 964 * shared library whose segments are properly mapped in. */ 965 TRACE("[ %5d init_library base=0x%08x sz=0x%08x name='%s') ]\n", 966 pid, si->base, si->size, si->name); 967 968 if (si->base < LIBBASE || si->base >= LIBLAST) 969 si->flags |= FLAG_PRELINKED; 970 971 /* Adjust libbase for the size of this library, rounded up to 972 ** LIBINC alignment. Make note of the previous and current 973 ** value of libbase to allow us to roll back in the event of 974 ** a link failure. 975 */ 976 if (!(si->flags & FLAG_PRELINKED)) { 977 libbase_before = libbase; 978 libbase += (si->size + (LIBINC - 1)) & (~(LIBINC - 1)); 979 libbase_after = libbase; 980 } 981 982 if(link_image(si, wr_offset)) { 983 /* We failed to link. However, we can only restore libbase 984 ** if no additional libraries have moved it since we updated it. 985 */ 986 if(!(si->flags & FLAG_PRELINKED) && (libbase == libbase_after)) { 987 libbase = libbase_before; 988 } 989 munmap((void *)si->base, si->size); 990 return NULL; 991 } 992 993 return si; 994} 995 996soinfo *find_library(const char *name) 997{ 998 soinfo *si; 999 1000 for(si = solist; si != 0; si = si->next){ 1001 if(!strcmp(name, si->name)) { 1002 if(si->flags & FLAG_ERROR) return 0; 1003 if(si->flags & FLAG_LINKED) return si; 1004 ERROR("OOPS: %5d recursive link to '%s'\n", pid, si->name); 1005 return 0; 1006 } 1007 } 1008 1009 TRACE("[ %5d '%s' has not been loaded yet. Locating...]\n", pid, name); 1010 si = load_library(name); 1011 if(si == NULL) 1012 return NULL; 1013 return init_library(si); 1014} 1015 1016/* TODO: 1017 * notify gdb of unload 1018 * for non-prelinked libraries, find a way to decrement libbase 1019 */ 1020static void call_destructors(soinfo *si); 1021unsigned unload_library(soinfo *si) 1022{ 1023 unsigned *d; 1024 if (si->refcount == 1) { 1025 TRACE("%5d unloading '%s'\n", pid, si->name); 1026 call_destructors(si); 1027 1028 for(d = si->dynamic; *d; d += 2) { 1029 if(d[0] == DT_NEEDED){ 1030 TRACE("%5d %s needs to unload %s\n", pid, 1031 si->name, si->strtab + d[1]); 1032 soinfo *lsi = find_library(si->strtab + d[1]); 1033 if(lsi) 1034 unload_library(lsi); 1035 else 1036 ERROR("%5d could not unload '%s'\n", 1037 pid, si->strtab + d[1]); 1038 } 1039 } 1040 1041 munmap((char *)si->base, si->size); 1042 free_info(si); 1043 si->refcount = 0; 1044 } 1045 else { 1046 si->refcount--; 1047 PRINT("%5d not unloading '%s', decrementing refcount to %d\n", 1048 pid, si->name, si->refcount); 1049 } 1050 return si->refcount; 1051} 1052 1053/* TODO: don't use unsigned for addrs below. It works, but is not 1054 * ideal. They should probably be either uint32_t, Elf32_Addr, or unsigned 1055 * long. 1056 */ 1057static int reloc_library(soinfo *si, Elf32_Rel *rel, unsigned count) 1058{ 1059 Elf32_Sym *symtab = si->symtab; 1060 const char *strtab = si->strtab; 1061 Elf32_Sym *s; 1062 unsigned base; 1063 Elf32_Rel *start = rel; 1064 unsigned idx; 1065 1066 for (idx = 0; idx < count; ++idx) { 1067 unsigned type = ELF32_R_TYPE(rel->r_info); 1068 unsigned sym = ELF32_R_SYM(rel->r_info); 1069 unsigned reloc = (unsigned)(rel->r_offset + si->base); 1070 unsigned sym_addr = 0; 1071 char *sym_name = NULL; 1072 1073 DEBUG("%5d Processing '%s' relocation at index %d\n", pid, 1074 si->name, idx); 1075 if(sym != 0) { 1076 s = _do_lookup(si, strtab + symtab[sym].st_name, &base); 1077 if(s == 0) { 1078 ERROR("%5d cannot locate '%s'...\n", pid, sym_name); 1079 return -1; 1080 } 1081#if 0 1082 if((base == 0) && (si->base != 0)){ 1083 /* linking from libraries to main image is bad */ 1084 ERROR("%5d cannot locate '%s'...\n", 1085 pid, strtab + symtab[sym].st_name); 1086 return -1; 1087 } 1088#endif 1089 if ((s->st_shndx == SHN_UNDEF) && (s->st_value != 0)) { 1090 ERROR("%5d In '%s', shndx=%d && value=0x%08x. We do not " 1091 "handle this yet\n", pid, si->name, s->st_shndx, 1092 s->st_value); 1093 return -1; 1094 } 1095 sym_addr = (unsigned)(s->st_value + base); 1096 sym_name = (char *)(strtab + symtab[sym].st_name); 1097 COUNT_RELOC(RELOC_SYMBOL); 1098 } else { 1099 s = 0; 1100 } 1101 1102/* TODO: This is ugly. Split up the relocations by arch into 1103 * different files. 1104 */ 1105 switch(type){ 1106#if defined(ANDROID_ARM_LINKER) 1107 case R_ARM_JUMP_SLOT: 1108 case R_ARM_GLOB_DAT: 1109 case R_ARM_ABS32: 1110 COUNT_RELOC(RELOC_ABSOLUTE); 1111 MARK(rel->r_offset); 1112 TRACE_TYPE(RELO, "%5d RELO ABS %08x <- %08x %s\n", pid, 1113 reloc, sym_addr, sym_name); 1114 *((unsigned*)reloc) = sym_addr; 1115 break; 1116#elif defined(ANDROID_X86_LINKER) 1117 case R_386_JUMP_SLOT: 1118 COUNT_RELOC(RELOC_ABSOLUTE); 1119 MARK(rel->r_offset); 1120 TRACE_TYPE(RELO, "%5d RELO JMP_SLOT %08x <- %08x %s\n", pid, 1121 reloc, sym_addr, sym_name); 1122 *((unsigned*)reloc) = sym_addr; 1123 break; 1124 case R_386_GLOB_DAT: 1125 COUNT_RELOC(RELOC_ABSOLUTE); 1126 MARK(rel->r_offset); 1127 TRACE_TYPE(RELO, "%5d RELO GLOB_DAT %08x <- %08x %s\n", pid, 1128 reloc, sym_addr, sym_name); 1129 *((unsigned*)reloc) = sym_addr; 1130 break; 1131#endif /* ANDROID_*_LINKER */ 1132 1133#if defined(ANDROID_ARM_LINKER) 1134 case R_ARM_RELATIVE: 1135#elif defined(ANDROID_X86_LINKER) 1136 case R_386_RELATIVE: 1137#endif /* ANDROID_*_LINKER */ 1138 COUNT_RELOC(RELOC_RELATIVE); 1139 MARK(rel->r_offset); 1140 if(sym){ 1141 ERROR("%5d odd RELATIVE form...\n", pid); 1142 return -1; 1143 } 1144 TRACE_TYPE(RELO, "%5d RELO RELATIVE %08x <- +%08x\n", pid, 1145 reloc, si->base); 1146 *((unsigned*)reloc) += si->base; 1147 break; 1148 1149#if defined(ANDROID_X86_LINKER) 1150 case R_386_32: 1151 COUNT_RELOC(RELOC_RELATIVE); 1152 MARK(rel->r_offset); 1153 1154 TRACE_TYPE(RELO, "%5d RELO R_386_32 %08x <- +%08x %s\n", pid, 1155 reloc, sym_addr, sym_name); 1156 *((unsigned *)reloc) += (unsigned)sym_addr; 1157 break; 1158 1159 case R_386_PC32: 1160 COUNT_RELOC(RELOC_RELATIVE); 1161 MARK(rel->r_offset); 1162 TRACE_TYPE(RELO, "%5d RELO R_386_PC32 %08x <- " 1163 "+%08x (%08x - %08x) %s\n", pid, reloc, 1164 (sym_addr - reloc), sym_addr, reloc, sym_name); 1165 *((unsigned *)reloc) += (unsigned)(sym_addr - reloc); 1166 break; 1167#endif /* ANDROID_X86_LINKER */ 1168 1169#ifdef ANDROID_ARM_LINKER 1170 case R_ARM_COPY: 1171 COUNT_RELOC(RELOC_COPY); 1172 MARK(rel->r_offset); 1173 TRACE_TYPE(RELO, "%5d RELO %08x <- %d @ %08x %s\n", pid, 1174 reloc, s->st_size, sym_addr, sym_name); 1175 memcpy((void*)reloc, (void*)sym_addr, s->st_size); 1176 break; 1177#endif /* ANDROID_ARM_LINKER */ 1178 1179 default: 1180 ERROR("%5d unknown reloc type %d @ %p (%d)\n", 1181 pid, type, rel, (int) (rel - start)); 1182 return -1; 1183 } 1184 rel++; 1185 } 1186 return 0; 1187} 1188 1189static void call_array(unsigned *ctor, int count) 1190{ 1191 int n; 1192 for(n = count; n > 0; n--){ 1193 TRACE("[ %5d Looking at ctor *0x%08x == 0x%08x ]\n", pid, 1194 (unsigned)ctor, (unsigned)*ctor); 1195 void (*func)() = (void (*)()) *ctor++; 1196 if(((int) func == 0) || ((int) func == -1)) continue; 1197 TRACE("[ %5d Calling func @ 0x%08x ]\n", pid, (unsigned)func); 1198 func(); 1199 } 1200} 1201 1202static void call_constructors(soinfo *si) 1203{ 1204 /* TODO: THE ORIGINAL CODE SEEMED TO CALL THE INIT FUNCS IN THE WRONG ORDER. 1205 * Old order: init, init_array, preinit_array.. 1206 * Correct order: preinit_array, init, init_array. 1207 * Verify WHY. 1208 */ 1209 1210 if (si->flags & FLAG_EXE) { 1211 TRACE("[ %5d Calling preinit_array @ 0x%08x [%d] for '%s' ]\n", 1212 pid, (unsigned)si->preinit_array, si->preinit_array_count, 1213 si->name); 1214 call_array(si->preinit_array, si->preinit_array_count); 1215 TRACE("[ %5d Done calling preinit_array for '%s' ]\n", pid, si->name); 1216 } else { 1217 if (si->preinit_array) { 1218 ERROR("%5d Shared library '%s' has a preinit_array table @ 0x%08x." 1219 " This is INVALID.\n", pid, si->name, 1220 (unsigned)si->preinit_array); 1221 } 1222 } 1223 1224 // If we have an init section, then we should call it now, to make sure 1225 // that all the funcs in the .ctors section get run. 1226 // Note: For ARM, we shouldn't have a .ctor section (should be empty) 1227 // when we have an (pre)init_array section, but let's be compatible with 1228 // old (non-eabi) binaries and try the _init (DT_INIT) anyway. 1229 if (si->init_func) { 1230 TRACE("[ %5d Calling init_func @ 0x%08x for '%s' ]\n", pid, 1231 (unsigned)si->init_func, si->name); 1232 si->init_func(); 1233 TRACE("[ %5d Done calling init_func for '%s' ]\n", pid, si->name); 1234 } 1235 1236 if (si->init_array) { 1237 TRACE("[ %5d Calling init_array @ 0x%08x [%d] for '%s' ]\n", pid, 1238 (unsigned)si->init_array, si->init_array_count, si->name); 1239 call_array(si->init_array, si->init_array_count); 1240 TRACE("[ %5d Done calling init_array for '%s' ]\n", pid, si->name); 1241 } 1242} 1243 1244static void call_destructors(soinfo *si) 1245{ 1246 if (si->fini_array) { 1247 TRACE("[ %5d Calling fini_array @ 0x%08x [%d] for '%s' ]\n", pid, 1248 (unsigned)si->fini_array, si->fini_array_count, si->name); 1249 call_array(si->fini_array, si->fini_array_count); 1250 TRACE("[ %5d Done calling fini_array for '%s' ]\n", pid, si->name); 1251 } 1252 1253 // If we have an fini section, then we should call it now, to make sure 1254 // that all the funcs in the .dtors section get run. 1255 // Note: For ARM, we shouldn't have a .dtor section (should be empty) 1256 // when we have an fini_array section, but let's be compatible with 1257 // old (non-eabi) binaries and try the _fini (DT_FINI) anyway. 1258 if (si->fini_func) { 1259 TRACE("[ %5d Calling fini_func @ 0x%08x for '%s' ]\n", pid, 1260 (unsigned)si->fini_func, si->name); 1261 si->fini_func(); 1262 TRACE("[ %5d Done calling fini_func for '%s' ]\n", pid, si->name); 1263 } 1264} 1265 1266/* Force any of the closed stdin, stdout and stderr to be associated with 1267 /dev/null. */ 1268static int nullify_closed_stdio (void) 1269{ 1270 int dev_null, i, status; 1271 int return_value = 0; 1272 1273 dev_null = open("/dev/null", O_RDWR); 1274 if (dev_null < 0) { 1275 ERROR("Cannot open /dev/null.\n"); 1276 return -1; 1277 } 1278 TRACE("[ %5d Opened /dev/null file-descriptor=%d]\n", pid, dev_null); 1279 1280 /* If any of the stdio file descriptors is valid and not associated 1281 with /dev/null, dup /dev/null to it. */ 1282 for (i = 0; i < 3; i++) { 1283 /* If it is /dev/null already, we are done. */ 1284 if (i == dev_null) 1285 continue; 1286 1287 TRACE("[ %5d Nullifying stdio file descriptor %d]\n", pid, i); 1288 /* The man page of fcntl does not say that fcntl(..,F_GETFL) 1289 can be interrupted but we do this just to be safe. */ 1290 do { 1291 status = fcntl(i, F_GETFL); 1292 } while (status < 0 && errno == EINTR); 1293 1294 /* If file is openned, we are good. */ 1295 if (status >= 0) 1296 continue; 1297 1298 /* The only error we allow is that the file descriptor does not 1299 exist, in which case we dup /dev/null to it. */ 1300 if (errno != EBADF) { 1301 ERROR("nullify_stdio: unhandled error %s\n", strerror(errno)); 1302 return_value = -1; 1303 continue; 1304 } 1305 1306 /* Try dupping /dev/null to this stdio file descriptor and 1307 repeat if there is a signal. Note that any errors in closing 1308 the stdio descriptor are lost. */ 1309 do { 1310 status = dup2(dev_null, i); 1311 } while (status < 0 && errno == EINTR); 1312 1313 if (status < 0) { 1314 ERROR("nullify_stdio: dup2 error %s\n", strerror(errno)); 1315 return_value = -1; 1316 continue; 1317 } 1318 } 1319 1320 /* If /dev/null is not one of the stdio file descriptors, close it. */ 1321 if (dev_null > 2) { 1322 TRACE("[ %5d Closing /dev/null file-descriptor=%d]\n", pid, dev_null); 1323 do { 1324 status = close(dev_null); 1325 } while (status < 0 && errno == EINTR); 1326 1327 if (status < 0) { 1328 ERROR("nullify_stdio: close error %s\n", strerror(errno)); 1329 return_value = -1; 1330 } 1331 } 1332 1333 return return_value; 1334} 1335 1336static int link_image(soinfo *si, unsigned wr_offset) 1337{ 1338 unsigned *d; 1339 Elf32_Phdr *phdr = si->phdr; 1340 int phnum = si->phnum; 1341 1342 INFO("[ %5d linking %s ]\n", pid, si->name); 1343 DEBUG("%5d si->base = 0x%08x si->flags = 0x%08x\n", pid, 1344 si->base, si->flags); 1345 1346 if (si->flags & FLAG_EXE) { 1347 /* Locate the needed program segments (DYNAMIC/ARM_EXIDX) for 1348 * linkage info if this is the executable. If this was a 1349 * dynamic lib, that would have been done at load time. 1350 * 1351 * TODO: It's unfortunate that small pieces of this are 1352 * repeated from the load_library routine. Refactor this just 1353 * slightly to reuse these bits. 1354 */ 1355 si->size = 0; 1356 for(; phnum > 0; --phnum, ++phdr) { 1357#ifdef ANDROID_ARM_LINKER 1358 if(phdr->p_type == PT_ARM_EXIDX) { 1359 /* exidx entries (used for stack unwinding) are 8 bytes each. 1360 */ 1361 si->ARM_exidx = (unsigned *)phdr->p_vaddr; 1362 si->ARM_exidx_count = phdr->p_memsz / 8; 1363 } 1364#endif 1365 if (phdr->p_type == PT_LOAD) { 1366 /* For the executable, we use the si->size field only in 1367 dl_unwind_find_exidx(), so the meaning of si->size 1368 is not the size of the executable; it is the last 1369 virtual address of the loadable part of the executable; 1370 since si->base == 0 for an executable, we use the 1371 range [0, si->size) to determine whether a PC value 1372 falls within the executable section. Of course, if 1373 a value is below phdr->p_vaddr, it's not in the 1374 executable section, but a) we shouldn't be asking for 1375 such a value anyway, and b) if we have to provide 1376 an EXIDX for such a value, then the executable's 1377 EXIDX is probably the better choice. 1378 */ 1379 DEBUG_DUMP_PHDR(phdr, "PT_LOAD", pid); 1380 if (phdr->p_vaddr + phdr->p_memsz > si->size) 1381 si->size = phdr->p_vaddr + phdr->p_memsz; 1382 /* try to remember what range of addresses should be write 1383 * protected */ 1384 if (!(phdr->p_flags & PF_W)) { 1385 unsigned _end; 1386 1387 if (phdr->p_vaddr < si->wrprotect_start) 1388 si->wrprotect_start = phdr->p_vaddr; 1389 _end = (((phdr->p_vaddr + phdr->p_memsz + PAGE_SIZE - 1) & 1390 (~PAGE_MASK))); 1391 if (_end > si->wrprotect_end) 1392 si->wrprotect_end = _end; 1393 } 1394 } else if (phdr->p_type == PT_DYNAMIC) { 1395 if (si->dynamic != (unsigned *)-1) { 1396 ERROR("%5d multiple PT_DYNAMIC segments found in '%s'. " 1397 "Segment at 0x%08x, previously one found at 0x%08x\n", 1398 pid, si->name, si->base + phdr->p_vaddr, 1399 (unsigned)si->dynamic); 1400 goto fail; 1401 } 1402 DEBUG_DUMP_PHDR(phdr, "PT_DYNAMIC", pid); 1403 si->dynamic = (unsigned *) (si->base + phdr->p_vaddr); 1404 } 1405 } 1406 } 1407 1408 if (si->dynamic == (unsigned *)-1) { 1409 ERROR("%5d missing PT_DYNAMIC?!\n", pid); 1410 goto fail; 1411 } 1412 1413 DEBUG("%5d dynamic = %p\n", pid, si->dynamic); 1414 1415 /* extract useful information from dynamic section */ 1416 for(d = si->dynamic; *d; d++){ 1417 DEBUG("%5d d = %p, d[0] = 0x%08x d[1] = 0x%08x\n", pid, d, d[0], d[1]); 1418 switch(*d++){ 1419 case DT_HASH: 1420 si->nbucket = ((unsigned *) (si->base + *d))[0]; 1421 si->nchain = ((unsigned *) (si->base + *d))[1]; 1422 si->bucket = (unsigned *) (si->base + *d + 8); 1423 si->chain = (unsigned *) (si->base + *d + 8 + si->nbucket * 4); 1424 break; 1425 case DT_STRTAB: 1426 si->strtab = (const char *) (si->base + *d); 1427 break; 1428 case DT_SYMTAB: 1429 si->symtab = (Elf32_Sym *) (si->base + *d); 1430 break; 1431 case DT_PLTREL: 1432 if(*d != DT_REL) { 1433 ERROR("DT_RELA not supported\n"); 1434 goto fail; 1435 } 1436 break; 1437 case DT_JMPREL: 1438 si->plt_rel = (Elf32_Rel*) (si->base + *d); 1439 break; 1440 case DT_PLTRELSZ: 1441 si->plt_rel_count = *d / 8; 1442 break; 1443 case DT_REL: 1444 si->rel = (Elf32_Rel*) (si->base + *d); 1445 break; 1446 case DT_RELSZ: 1447 si->rel_count = *d / 8; 1448 break; 1449 case DT_PLTGOT: 1450 /* Save this in case we decide to do lazy binding. We don't yet. */ 1451 si->plt_got = (unsigned *)(si->base + *d); 1452 break; 1453 case DT_DEBUG: 1454 // Set the DT_DEBUG entry to the addres of _r_debug for GDB 1455 *d = (int) &_r_debug; 1456 break; 1457 case DT_RELA: 1458 ERROR("%5d DT_RELA not supported\n", pid); 1459 goto fail; 1460 case DT_INIT: 1461 si->init_func = (void (*)(void))(si->base + *d); 1462 DEBUG("%5d %s constructors (init func) found at %p\n", 1463 pid, si->name, si->init_func); 1464 break; 1465 case DT_FINI: 1466 si->fini_func = (void (*)(void))(si->base + *d); 1467 DEBUG("%5d %s destructors (fini func) found at %p\n", 1468 pid, si->name, si->fini_func); 1469 break; 1470 case DT_INIT_ARRAY: 1471 si->init_array = (unsigned *)(si->base + *d); 1472 DEBUG("%5d %s constructors (init_array) found at %p\n", 1473 pid, si->name, si->init_array); 1474 break; 1475 case DT_INIT_ARRAYSZ: 1476 si->init_array_count = ((unsigned)*d) / sizeof(Elf32_Addr); 1477 break; 1478 case DT_FINI_ARRAY: 1479 si->fini_array = (unsigned *)(si->base + *d); 1480 DEBUG("%5d %s destructors (fini_array) found at %p\n", 1481 pid, si->name, si->fini_array); 1482 break; 1483 case DT_FINI_ARRAYSZ: 1484 si->fini_array_count = ((unsigned)*d) / sizeof(Elf32_Addr); 1485 break; 1486 case DT_PREINIT_ARRAY: 1487 si->preinit_array = (unsigned *)(si->base + *d); 1488 DEBUG("%5d %s constructors (preinit_array) found at %p\n", 1489 pid, si->name, si->preinit_array); 1490 break; 1491 case DT_PREINIT_ARRAYSZ: 1492 si->preinit_array_count = ((unsigned)*d) / sizeof(Elf32_Addr); 1493 break; 1494 case DT_TEXTREL: 1495 /* TODO: make use of this. */ 1496 /* this means that we might have to write into where the text 1497 * segment was loaded during relocation... Do something with 1498 * it. 1499 */ 1500 DEBUG("%5d Text segment should be writable during relocation.\n", 1501 pid); 1502 break; 1503 } 1504 } 1505 1506 DEBUG("%5d si->base = 0x%08x, si->strtab = %p, si->symtab = %p\n", 1507 pid, si->base, si->strtab, si->symtab); 1508 1509 if((si->strtab == 0) || (si->symtab == 0)) { 1510 ERROR("%5d missing essential tables\n", pid); 1511 goto fail; 1512 } 1513 1514 for(d = si->dynamic; *d; d += 2) { 1515 if(d[0] == DT_NEEDED){ 1516 DEBUG("%5d %s needs %s\n", pid, si->name, si->strtab + d[1]); 1517 soinfo *lsi = find_library(si->strtab + d[1]); 1518 if(lsi == 0) { 1519 ERROR("%5d could not load '%s'\n", pid, si->strtab + d[1]); 1520 goto fail; 1521 } 1522 lsi->refcount++; 1523 } 1524 } 1525 1526 if(si->plt_rel) { 1527 DEBUG("[ %5d relocating %s plt ]\n", pid, si->name ); 1528 if(reloc_library(si, si->plt_rel, si->plt_rel_count)) 1529 goto fail; 1530 } 1531 if(si->rel) { 1532 DEBUG("[ %5d relocating %s ]\n", pid, si->name ); 1533 if(reloc_library(si, si->rel, si->rel_count)) 1534 goto fail; 1535 } 1536 1537 si->flags |= FLAG_LINKED; 1538 DEBUG("[ %5d finished linking %s ]\n", pid, si->name); 1539 1540#if 0 1541 /* This is the way that the old dynamic linker did protection of 1542 * non-writable areas. It would scan section headers and find where 1543 * .text ended (rather where .data/.bss began) and assume that this is 1544 * the upper range of the non-writable area. This is too coarse, 1545 * and is kept here for reference until we fully move away from single 1546 * segment elf objects. See the code in get_wr_offset (also #if'd 0) 1547 * that made this possible. 1548 */ 1549 if(wr_offset < 0xffffffff){ 1550 mprotect((void*) si->base, wr_offset, PROT_READ | PROT_EXEC); 1551 } 1552#else 1553 /* TODO: Verify that this does the right thing in all cases, as it 1554 * presently probably does not. It is possible that an ELF image will 1555 * come with multiple read-only segments. What we ought to do is scan 1556 * the program headers again and mprotect all the read-only segments. 1557 * To prevent re-scanning the program header, we would have to build a 1558 * list of loadable segments in si, and then scan that instead. */ 1559 if (si->wrprotect_start != 0xffffffff && si->wrprotect_end != 0) { 1560 mprotect((void *)si->wrprotect_start, 1561 si->wrprotect_end - si->wrprotect_start, 1562 PROT_READ | PROT_EXEC); 1563 } 1564#endif 1565 1566 /* If this is a SETUID programme, dup /dev/null to openned stdin, 1567 stdout and stderr to close a security hole described in: 1568 1569 ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:23.stdio.asc 1570 1571 */ 1572 if (getuid() != geteuid()) 1573 nullify_closed_stdio (); 1574 call_constructors(si); 1575 notify_gdb_of_load(si); 1576 return 0; 1577 1578fail: 1579 ERROR("failed to link %s\n", si->name); 1580 si->flags |= FLAG_ERROR; 1581 return -1; 1582} 1583 1584int main(int argc, char **argv) 1585{ 1586 return 0; 1587} 1588 1589#define ANDROID_TLS_SLOTS BIONIC_TLS_SLOTS 1590 1591static void * __tls_area[ANDROID_TLS_SLOTS]; 1592 1593unsigned __linker_init(unsigned **elfdata) 1594{ 1595 static soinfo linker_soinfo; 1596 1597 int argc = (int) *elfdata; 1598 char **argv = (char**) (elfdata + 1); 1599 unsigned *vecs = (unsigned*) (argv + argc + 1); 1600 soinfo *si; 1601 struct link_map * map; 1602 1603 pid = getpid(); 1604 1605#if TIMING 1606 struct timeval t0, t1; 1607 gettimeofday(&t0, 0); 1608#endif 1609 1610 __set_tls(__tls_area); 1611 ((unsigned *)__get_tls())[TLS_SLOT_THREAD_ID] = gettid(); 1612 1613 debugger_init(); 1614 1615 /* skip past the environment */ 1616 while(vecs[0] != 0) { 1617 if(!strncmp((char*) vecs[0], "DEBUG=", 6)) { 1618 debug_verbosity = atoi(((char*) vecs[0]) + 6); 1619 } 1620 vecs++; 1621 } 1622 vecs++; 1623 1624 INFO("[ android linker & debugger ]\n"); 1625 DEBUG("%5d elfdata @ 0x%08x\n", pid, (unsigned)elfdata); 1626 1627 si = alloc_info(argv[0]); 1628 if(si == 0) { 1629 exit(-1); 1630 } 1631 1632 /* bootstrap the link map, the main exe always needs to be first */ 1633 si->flags |= FLAG_EXE; 1634 map = &(si->linkmap); 1635 1636 map->l_addr = 0; 1637 map->l_name = argv[0]; 1638 map->l_prev = NULL; 1639 map->l_next = NULL; 1640 1641 _r_debug.r_map = map; 1642 r_debug_tail = map; 1643 1644 /* gdb expects the linker to be in the debug shared object list, 1645 * and we need to make sure that the reported load address is zero. 1646 * Without this, gdb gets the wrong idea of where rtld_db_dlactivity() 1647 * is. Don't use alloc_info(), because the linker shouldn't 1648 * be on the soinfo list. 1649 */ 1650 strcpy((char*) linker_soinfo.name, "/system/bin/linker"); 1651 linker_soinfo.flags = 0; 1652 linker_soinfo.base = 0; // This is the important part; must be zero. 1653 insert_soinfo_into_debug_map(&linker_soinfo); 1654 1655 /* extract information passed from the kernel */ 1656 while(vecs[0] != 0){ 1657 switch(vecs[0]){ 1658 case AT_PHDR: 1659 si->phdr = (Elf32_Phdr*) vecs[1]; 1660 break; 1661 case AT_PHNUM: 1662 si->phnum = (int) vecs[1]; 1663 break; 1664 case AT_ENTRY: 1665 si->entry = vecs[1]; 1666 break; 1667 } 1668 vecs += 2; 1669 } 1670 1671 si->base = 0; 1672 si->dynamic = (unsigned *)-1; 1673 si->wrprotect_start = 0xffffffff; 1674 si->wrprotect_end = 0; 1675 1676 if(link_image(si, 0)){ 1677 ERROR("CANNOT LINK EXECUTABLE '%s'\n", argv[0]); 1678 exit(-1); 1679 } 1680 1681#if TIMING 1682 gettimeofday(&t1,NULL); 1683 PRINT("LINKER TIME: %s: %d microseconds\n", argv[0], (int) ( 1684 (((long long)t1.tv_sec * 1000000LL) + (long long)t1.tv_usec) - 1685 (((long long)t0.tv_sec * 1000000LL) + (long long)t0.tv_usec) 1686 )); 1687#endif 1688#if STATS 1689 PRINT("RELO STATS: %s: %d abs, %d rel, %d copy, %d symbol\n", argv[0], 1690 linker_stats.reloc[RELOC_ABSOLUTE], 1691 linker_stats.reloc[RELOC_RELATIVE], 1692 linker_stats.reloc[RELOC_COPY], 1693 linker_stats.reloc[RELOC_SYMBOL]); 1694#endif 1695#if COUNT_PAGES 1696 { 1697 unsigned n; 1698 unsigned i; 1699 unsigned count = 0; 1700 for(n = 0; n < 4096; n++){ 1701 if(bitmask[n]){ 1702 unsigned x = bitmask[n]; 1703 for(i = 0; i < 8; i++){ 1704 if(x & 1) count++; 1705 x >>= 1; 1706 } 1707 } 1708 } 1709 PRINT("PAGES MODIFIED: %s: %d (%dKB)\n", argv[0], count, count * 4); 1710 } 1711#endif 1712 1713#if TIMING || STATS || COUNT_PAGES 1714 fflush(stdout); 1715#endif 1716 1717 TRACE("[ %5d Ready to execute '%s' @ 0x%08x ]\n", pid, si->name, 1718 si->entry); 1719 return si->entry; 1720} 1721