linker.cpp revision 06f0e74a2b957db93fed3fdd49fe939ab2fe1595
1/* 2 * Copyright (C) 2008, 2009 The Android Open Source Project 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * * Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * * Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in 12 * the documentation and/or other materials provided with the 13 * distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 16 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 18 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 19 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS 22 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT 25 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29#include <dlfcn.h> 30#include <errno.h> 31#include <fcntl.h> 32#include <linux/auxvec.h> 33#include <pthread.h> 34#include <stdbool.h> 35#include <stdio.h> 36#include <stdlib.h> 37#include <string.h> 38#include <sys/atomics.h> 39#include <sys/mman.h> 40#include <sys/stat.h> 41#include <unistd.h> 42 43// Private C library headers. 44#include <private/bionic_tls.h> 45#include <private/logd.h> 46 47#include "linker.h" 48#include "linker_debug.h" 49#include "linker_environ.h" 50#include "linker_format.h" 51#include "linker_phdr.h" 52 53#define ALLOW_SYMBOLS_FROM_MAIN 1 54#define SO_MAX 128 55 56/* Assume average path length of 64 and max 8 paths */ 57#define LDPATH_BUFSIZE 512 58#define LDPATH_MAX 8 59 60#define LDPRELOAD_BUFSIZE 512 61#define LDPRELOAD_MAX 8 62 63/* >>> IMPORTANT NOTE - READ ME BEFORE MODIFYING <<< 64 * 65 * Do NOT use malloc() and friends or pthread_*() code here. 66 * Don't use printf() either; it's caused mysterious memory 67 * corruption in the past. 68 * The linker runs before we bring up libc and it's easiest 69 * to make sure it does not depend on any complex libc features 70 * 71 * open issues / todo: 72 * 73 * - are we doing everything we should for ARM_COPY relocations? 74 * - cleaner error reporting 75 * - after linking, set as much stuff as possible to READONLY 76 * and NOEXEC 77 * - linker hardcodes PAGE_SIZE and PAGE_MASK because the kernel 78 * headers provide versions that are negative... 79 * - allocate space for soinfo structs dynamically instead of 80 * having a hard limit (SO_MAX) 81 */ 82 83 84static int soinfo_link_image(soinfo *si, unsigned wr_offset); 85 86static int socount = 0; 87static soinfo sopool[SO_MAX]; 88static soinfo *freelist = NULL; 89static soinfo *solist = &libdl_info; 90static soinfo *sonext = &libdl_info; 91#if ALLOW_SYMBOLS_FROM_MAIN 92static soinfo *somain; /* main process, always the one after libdl_info */ 93#endif 94 95 96static inline int validate_soinfo(soinfo *si) 97{ 98 return (si >= sopool && si < sopool + SO_MAX) || 99 si == &libdl_info; 100} 101 102static char ldpaths_buf[LDPATH_BUFSIZE]; 103static const char *ldpaths[LDPATH_MAX + 1]; 104 105static char ldpreloads_buf[LDPRELOAD_BUFSIZE]; 106static const char *ldpreload_names[LDPRELOAD_MAX + 1]; 107 108static soinfo *preloads[LDPRELOAD_MAX + 1]; 109 110#if LINKER_DEBUG 111int debug_verbosity; 112#endif 113 114static int pid; 115 116/* This boolean is set if the program being loaded is setuid */ 117static int program_is_setuid; 118 119#if STATS 120struct _link_stats linker_stats; 121#endif 122 123#if COUNT_PAGES 124unsigned bitmask[4096]; 125#endif 126 127// You shouldn't try to call memory-allocating functions in the dynamic linker. 128// Guard against the most obvious ones. 129#define DISALLOW_ALLOCATION(return_type, name, ...) \ 130 return_type name __VA_ARGS__ \ 131 { \ 132 const char* msg = "ERROR: " #name " called from the dynamic linker!\n"; \ 133 __libc_android_log_write(ANDROID_LOG_FATAL, "linker", msg); \ 134 write(2, msg, sizeof(msg)); \ 135 abort(); \ 136 } 137#define UNUSED __attribute__((unused)) 138DISALLOW_ALLOCATION(void*, malloc, (size_t u UNUSED)); 139DISALLOW_ALLOCATION(void, free, (void* u UNUSED)); 140DISALLOW_ALLOCATION(void*, realloc, (void* u1 UNUSED, size_t u2 UNUSED)); 141DISALLOW_ALLOCATION(void*, calloc, (size_t u1 UNUSED, size_t u2 UNUSED)); 142 143static char tmp_err_buf[768]; 144static char __linker_dl_err_buf[768]; 145#define BASENAME(s) (strrchr(s, '/') != NULL ? strrchr(s, '/') + 1 : s) 146#define DL_ERR(fmt, x...) \ 147 do { \ 148 format_buffer(__linker_dl_err_buf, sizeof(__linker_dl_err_buf), \ 149 "(%s:%d, pid %d) %s: " fmt, \ 150 BASENAME(__FILE__), __LINE__, pid, __func__, ##x); \ 151 ERROR(fmt "\n", ##x); \ 152 } while(0) 153 154const char *linker_get_error(void) 155{ 156 return (const char *)&__linker_dl_err_buf[0]; 157} 158 159/* 160 * This function is an empty stub where GDB locates a breakpoint to get notified 161 * about linker activity. 162 */ 163extern "C" void __attribute__((noinline)) __attribute__((visibility("default"))) rtld_db_dlactivity(void); 164 165static struct r_debug _r_debug = {1, NULL, &rtld_db_dlactivity, 166 RT_CONSISTENT, 0}; 167static struct link_map *r_debug_tail = 0; 168 169static pthread_mutex_t _r_debug_lock = PTHREAD_MUTEX_INITIALIZER; 170 171static void insert_soinfo_into_debug_map(soinfo * info) 172{ 173 struct link_map * map; 174 175 /* Copy the necessary fields into the debug structure. 176 */ 177 map = &(info->linkmap); 178 map->l_addr = info->base; 179 map->l_name = (char*) info->name; 180 map->l_ld = (uintptr_t)info->dynamic; 181 182 /* Stick the new library at the end of the list. 183 * gdb tends to care more about libc than it does 184 * about leaf libraries, and ordering it this way 185 * reduces the back-and-forth over the wire. 186 */ 187 if (r_debug_tail) { 188 r_debug_tail->l_next = map; 189 map->l_prev = r_debug_tail; 190 map->l_next = 0; 191 } else { 192 _r_debug.r_map = map; 193 map->l_prev = 0; 194 map->l_next = 0; 195 } 196 r_debug_tail = map; 197} 198 199static void remove_soinfo_from_debug_map(soinfo * info) 200{ 201 struct link_map * map = &(info->linkmap); 202 203 if (r_debug_tail == map) 204 r_debug_tail = map->l_prev; 205 206 if (map->l_prev) map->l_prev->l_next = map->l_next; 207 if (map->l_next) map->l_next->l_prev = map->l_prev; 208} 209 210void notify_gdb_of_load(soinfo * info) 211{ 212 if (info->flags & FLAG_EXE) { 213 // GDB already knows about the main executable 214 return; 215 } 216 217 pthread_mutex_lock(&_r_debug_lock); 218 219 _r_debug.r_state = RT_ADD; 220 rtld_db_dlactivity(); 221 222 insert_soinfo_into_debug_map(info); 223 224 _r_debug.r_state = RT_CONSISTENT; 225 rtld_db_dlactivity(); 226 227 pthread_mutex_unlock(&_r_debug_lock); 228} 229 230void notify_gdb_of_unload(soinfo * info) 231{ 232 if (info->flags & FLAG_EXE) { 233 // GDB already knows about the main executable 234 return; 235 } 236 237 pthread_mutex_lock(&_r_debug_lock); 238 239 _r_debug.r_state = RT_DELETE; 240 rtld_db_dlactivity(); 241 242 remove_soinfo_from_debug_map(info); 243 244 _r_debug.r_state = RT_CONSISTENT; 245 rtld_db_dlactivity(); 246 247 pthread_mutex_unlock(&_r_debug_lock); 248} 249 250extern "C" void notify_gdb_of_libraries() 251{ 252 _r_debug.r_state = RT_ADD; 253 rtld_db_dlactivity(); 254 _r_debug.r_state = RT_CONSISTENT; 255 rtld_db_dlactivity(); 256} 257 258static soinfo *soinfo_alloc(const char *name) 259{ 260 if (strlen(name) >= SOINFO_NAME_LEN) { 261 DL_ERR("library name \"%s\" too long", name); 262 return NULL; 263 } 264 265 /* The freelist is populated when we call soinfo_free(), which in turn is 266 done only by dlclose(), which is not likely to be used. 267 */ 268 if (!freelist) { 269 if (socount == SO_MAX) { 270 DL_ERR("too many libraries when loading \"%s\"", name); 271 return NULL; 272 } 273 freelist = sopool + socount++; 274 freelist->next = NULL; 275 } 276 277 soinfo* si = freelist; 278 freelist = freelist->next; 279 280 /* Make sure we get a clean block of soinfo */ 281 memset(si, 0, sizeof(soinfo)); 282 strlcpy((char*) si->name, name, sizeof(si->name)); 283 sonext->next = si; 284 si->next = NULL; 285 si->refcount = 0; 286 sonext = si; 287 288 TRACE("%5d name %s: allocated soinfo @ %p\n", pid, name, si); 289 return si; 290} 291 292static void soinfo_free(soinfo* si) 293{ 294 if (si == NULL) { 295 return; 296 } 297 298 soinfo *prev = NULL, *trav; 299 300 TRACE("%5d name %s: freeing soinfo @ %p\n", pid, si->name, si); 301 302 for(trav = solist; trav != NULL; trav = trav->next){ 303 if (trav == si) 304 break; 305 prev = trav; 306 } 307 if (trav == NULL) { 308 /* si was not ni solist */ 309 DL_ERR("name \"%s\" is not in solist!", si->name); 310 return; 311 } 312 313 /* prev will never be NULL, because the first entry in solist is 314 always the static libdl_info. 315 */ 316 prev->next = si->next; 317 if (si == sonext) sonext = prev; 318 si->next = freelist; 319 freelist = si; 320} 321 322const char *addr_to_name(unsigned addr) 323{ 324 for (soinfo* si = solist; si != 0; si = si->next) { 325 if ((addr >= si->base) && (addr < (si->base + si->size))) { 326 return si->name; 327 } 328 } 329 return ""; 330} 331 332#ifdef ANDROID_ARM_LINKER 333 334/* For a given PC, find the .so that it belongs to. 335 * Returns the base address of the .ARM.exidx section 336 * for that .so, and the number of 8-byte entries 337 * in that section (via *pcount). 338 * 339 * Intended to be called by libc's __gnu_Unwind_Find_exidx(). 340 * 341 * This function is exposed via dlfcn.c and libdl.so. 342 */ 343_Unwind_Ptr dl_unwind_find_exidx(_Unwind_Ptr pc, int *pcount) 344{ 345 soinfo *si; 346 unsigned addr = (unsigned)pc; 347 348 for (si = solist; si != 0; si = si->next){ 349 if ((addr >= si->base) && (addr < (si->base + si->size))) { 350 *pcount = si->ARM_exidx_count; 351 return (_Unwind_Ptr)si->ARM_exidx; 352 } 353 } 354 *pcount = 0; 355 return NULL; 356} 357 358#elif defined(ANDROID_X86_LINKER) || defined(ANDROID_MIPS_LINKER) 359 360/* Here, we only have to provide a callback to iterate across all the 361 * loaded libraries. gcc_eh does the rest. */ 362int 363dl_iterate_phdr(int (*cb)(struct dl_phdr_info *info, size_t size, void *data), 364 void *data) 365{ 366 soinfo *si; 367 struct dl_phdr_info dl_info; 368 int rv = 0; 369 370 for (si = solist; si != NULL; si = si->next) { 371 dl_info.dlpi_addr = si->linkmap.l_addr; 372 dl_info.dlpi_name = si->linkmap.l_name; 373 dl_info.dlpi_phdr = si->phdr; 374 dl_info.dlpi_phnum = si->phnum; 375 rv = cb(&dl_info, sizeof (struct dl_phdr_info), data); 376 if (rv != 0) 377 break; 378 } 379 return rv; 380} 381 382#endif 383 384static Elf32_Sym *soinfo_elf_lookup(soinfo *si, unsigned hash, const char *name) 385{ 386 Elf32_Sym *s; 387 Elf32_Sym *symtab = si->symtab; 388 const char *strtab = si->strtab; 389 unsigned n; 390 391 TRACE_TYPE(LOOKUP, "%5d SEARCH %s in %s@0x%08x %08x %d\n", pid, 392 name, si->name, si->base, hash, hash % si->nbucket); 393 n = hash % si->nbucket; 394 395 for(n = si->bucket[hash % si->nbucket]; n != 0; n = si->chain[n]){ 396 s = symtab + n; 397 if(strcmp(strtab + s->st_name, name)) continue; 398 399 /* only concern ourselves with global and weak symbol definitions */ 400 switch(ELF32_ST_BIND(s->st_info)){ 401 case STB_GLOBAL: 402 case STB_WEAK: 403 if(s->st_shndx == SHN_UNDEF) 404 continue; 405 406 TRACE_TYPE(LOOKUP, "%5d FOUND %s in %s (%08x) %d\n", pid, 407 name, si->name, s->st_value, s->st_size); 408 return s; 409 } 410 } 411 412 return NULL; 413} 414 415static unsigned elfhash(const char *_name) 416{ 417 const unsigned char *name = (const unsigned char *) _name; 418 unsigned h = 0, g; 419 420 while(*name) { 421 h = (h << 4) + *name++; 422 g = h & 0xf0000000; 423 h ^= g; 424 h ^= g >> 24; 425 } 426 return h; 427} 428 429static Elf32_Sym * 430soinfo_do_lookup(soinfo *si, const char *name, Elf32_Addr *offset) 431{ 432 unsigned elf_hash = elfhash(name); 433 Elf32_Sym *s; 434 unsigned *d; 435 soinfo *lsi = si; 436 int i; 437 438 /* Look for symbols in the local scope (the object who is 439 * searching). This happens with C++ templates on i386 for some 440 * reason. 441 * 442 * Notes on weak symbols: 443 * The ELF specs are ambigious about treatment of weak definitions in 444 * dynamic linking. Some systems return the first definition found 445 * and some the first non-weak definition. This is system dependent. 446 * Here we return the first definition found for simplicity. */ 447 448 s = soinfo_elf_lookup(si, elf_hash, name); 449 if(s != NULL) 450 goto done; 451 452 /* Next, look for it in the preloads list */ 453 for(i = 0; preloads[i] != NULL; i++) { 454 lsi = preloads[i]; 455 s = soinfo_elf_lookup(lsi, elf_hash, name); 456 if(s != NULL) 457 goto done; 458 } 459 460 for(d = si->dynamic; *d; d += 2) { 461 if(d[0] == DT_NEEDED){ 462 lsi = (soinfo *)d[1]; 463 if (!validate_soinfo(lsi)) { 464 DL_ERR("bad DT_NEEDED pointer in \"%s\"", lsi->name); 465 return NULL; 466 } 467 468 DEBUG("%5d %s: looking up %s in %s\n", 469 pid, si->name, name, lsi->name); 470 s = soinfo_elf_lookup(lsi, elf_hash, name); 471 if (s != NULL) 472 goto done; 473 } 474 } 475 476#if ALLOW_SYMBOLS_FROM_MAIN 477 /* If we are resolving relocations while dlopen()ing a library, it's OK for 478 * the library to resolve a symbol that's defined in the executable itself, 479 * although this is rare and is generally a bad idea. 480 */ 481 if (somain) { 482 lsi = somain; 483 DEBUG("%5d %s: looking up %s in executable %s\n", 484 pid, si->name, name, lsi->name); 485 s = soinfo_elf_lookup(lsi, elf_hash, name); 486 } 487#endif 488 489done: 490 if(s != NULL) { 491 TRACE_TYPE(LOOKUP, "%5d si %s sym %s s->st_value = 0x%08x, " 492 "found in %s, base = 0x%08x, load bias = 0x%08x\n", 493 pid, si->name, name, s->st_value, 494 lsi->name, lsi->base, lsi->load_bias); 495 *offset = lsi->load_bias; 496 return s; 497 } 498 499 return NULL; 500} 501 502/* This is used by dl_sym(). It performs symbol lookup only within the 503 specified soinfo object and not in any of its dependencies. 504 */ 505Elf32_Sym *soinfo_lookup(soinfo *si, const char *name) 506{ 507 return soinfo_elf_lookup(si, elfhash(name), name); 508} 509 510/* This is used by dl_sym(). It performs a global symbol lookup. 511 */ 512Elf32_Sym *lookup(const char *name, soinfo **found, soinfo *start) 513{ 514 unsigned elf_hash = elfhash(name); 515 Elf32_Sym *s = NULL; 516 soinfo *si; 517 518 if(start == NULL) { 519 start = solist; 520 } 521 522 for(si = start; (s == NULL) && (si != NULL); si = si->next) 523 { 524 if(si->flags & FLAG_ERROR) 525 continue; 526 s = soinfo_elf_lookup(si, elf_hash, name); 527 if (s != NULL) { 528 *found = si; 529 break; 530 } 531 } 532 533 if(s != NULL) { 534 TRACE_TYPE(LOOKUP, "%5d %s s->st_value = 0x%08x, " 535 "si->base = 0x%08x\n", pid, name, s->st_value, si->base); 536 return s; 537 } 538 539 return NULL; 540} 541 542soinfo *find_containing_library(const void *addr) 543{ 544 soinfo *si; 545 546 for(si = solist; si != NULL; si = si->next) 547 { 548 if((unsigned)addr >= si->base && (unsigned)addr - si->base < si->size) { 549 return si; 550 } 551 } 552 553 return NULL; 554} 555 556Elf32_Sym *soinfo_find_symbol(soinfo* si, const void *addr) 557{ 558 unsigned int i; 559 unsigned soaddr = (unsigned)addr - si->base; 560 561 /* Search the library's symbol table for any defined symbol which 562 * contains this address */ 563 for(i=0; i<si->nchain; i++) { 564 Elf32_Sym *sym = &si->symtab[i]; 565 566 if(sym->st_shndx != SHN_UNDEF && 567 soaddr >= sym->st_value && 568 soaddr < sym->st_value + sym->st_size) { 569 return sym; 570 } 571 } 572 573 return NULL; 574} 575 576#if 0 577static void dump(soinfo *si) 578{ 579 Elf32_Sym *s = si->symtab; 580 unsigned n; 581 582 for(n = 0; n < si->nchain; n++) { 583 TRACE("%5d %04d> %08x: %02x %04x %08x %08x %s\n", pid, n, s, 584 s->st_info, s->st_shndx, s->st_value, s->st_size, 585 si->strtab + s->st_name); 586 s++; 587 } 588} 589#endif 590 591static const char * const sopaths[] = { 592 "/vendor/lib", 593 "/system/lib", 594 0 595}; 596 597static int _open_lib(const char *name) 598{ 599 int fd; 600 struct stat filestat; 601 602 if ((stat(name, &filestat) >= 0) && S_ISREG(filestat.st_mode)) { 603 if ((fd = TEMP_FAILURE_RETRY(open(name, O_RDONLY))) >= 0) 604 return fd; 605 } 606 607 return -1; 608} 609 610static int open_library(const char *name) 611{ 612 int fd; 613 char buf[512]; 614 const char * const*path; 615 int n; 616 617 TRACE("[ %5d opening %s ]\n", pid, name); 618 619 if(name == 0) return -1; 620 if(strlen(name) > 256) return -1; 621 622 if ((name[0] == '/') && ((fd = _open_lib(name)) >= 0)) 623 return fd; 624 625 for (path = ldpaths; *path; path++) { 626 n = format_buffer(buf, sizeof(buf), "%s/%s", *path, name); 627 if (n < 0 || n >= (int)sizeof(buf)) { 628 WARN("Ignoring very long library path: %s/%s\n", *path, name); 629 continue; 630 } 631 if ((fd = _open_lib(buf)) >= 0) 632 return fd; 633 } 634 for (path = sopaths; *path; path++) { 635 n = format_buffer(buf, sizeof(buf), "%s/%s", *path, name); 636 if (n < 0 || n >= (int)sizeof(buf)) { 637 WARN("Ignoring very long library path: %s/%s\n", *path, name); 638 continue; 639 } 640 if ((fd = _open_lib(buf)) >= 0) 641 return fd; 642 } 643 644 return -1; 645} 646 647// Returns 'true' if the library is prelinked or on failure so we error out 648// either way. We no longer support prelinking. 649static bool is_prelinked(int fd, const char* name) 650{ 651 struct prelink_info_t { 652 long mmap_addr; 653 char tag[4]; // "PRE ". 654 }; 655 656 off_t sz = lseek(fd, -sizeof(struct prelink_info_t), SEEK_END); 657 if (sz < 0) { 658 DL_ERR("lseek failed: %s", strerror(errno)); 659 return true; 660 } 661 662 struct prelink_info_t info; 663 int rc = TEMP_FAILURE_RETRY(read(fd, &info, sizeof(info))); 664 if (rc != sizeof(info)) { 665 DL_ERR("could not read prelink_info_t structure for \"%s\":", name, strerror(errno)); 666 return true; 667 } 668 669 if (memcmp(info.tag, "PRE ", 4) == 0) { 670 DL_ERR("prelinked libraries no longer supported: %s", name); 671 return true; 672 } 673 return false; 674} 675 676/* verify_elf_header 677 * Verifies the content of an ELF header. 678 * 679 * Args: 680 * 681 * Returns: 682 * 0 on success 683 * -1 if no valid ELF object is found @ base. 684 */ 685static int 686verify_elf_header(const Elf32_Ehdr* hdr) 687{ 688 if (hdr->e_ident[EI_MAG0] != ELFMAG0) return -1; 689 if (hdr->e_ident[EI_MAG1] != ELFMAG1) return -1; 690 if (hdr->e_ident[EI_MAG2] != ELFMAG2) return -1; 691 if (hdr->e_ident[EI_MAG3] != ELFMAG3) return -1; 692 693 /* TODO: Should we verify anything else in the header? */ 694#ifdef ANDROID_ARM_LINKER 695 if (hdr->e_machine != EM_ARM) return -1; 696#elif defined(ANDROID_X86_LINKER) 697 if (hdr->e_machine != EM_386) return -1; 698#elif defined(ANDROID_MIPS_LINKER) 699 if (hdr->e_machine != EM_MIPS) return -1; 700#endif 701 return 0; 702} 703 704struct scoped_fd { 705 ~scoped_fd() { 706 if (fd != -1) { 707 close(fd); 708 } 709 } 710 int fd; 711}; 712 713struct soinfo_ptr { 714 soinfo_ptr(const char* name) { 715 const char* bname = strrchr(name, '/'); 716 ptr = soinfo_alloc(bname ? bname + 1 : name); 717 } 718 ~soinfo_ptr() { 719 soinfo_free(ptr); 720 } 721 soinfo* release() { 722 soinfo* result = ptr; 723 ptr = NULL; 724 return result; 725 } 726 soinfo* ptr; 727}; 728 729// TODO: rewrite linker_phdr.h to use a class, then lose this. 730struct phdr_ptr { 731 phdr_ptr() : phdr_mmap(NULL) {} 732 ~phdr_ptr() { 733 if (phdr_mmap != NULL) { 734 phdr_table_unload(phdr_mmap, phdr_size); 735 } 736 } 737 void* phdr_mmap; 738 Elf32_Addr phdr_size; 739}; 740 741static soinfo* load_library(const char* name) 742{ 743 // Open the file. 744 scoped_fd fd; 745 fd.fd = open_library(name); 746 if (fd.fd == -1) { 747 DL_ERR("library \"%s\" not found", name); 748 return NULL; 749 } 750 751 // Read the ELF header. 752 Elf32_Ehdr header[1]; 753 int ret = TEMP_FAILURE_RETRY(read(fd.fd, (void*)header, sizeof(header))); 754 if (ret < 0) { 755 DL_ERR("can't read file \"%s\": %s", name, strerror(errno)); 756 return NULL; 757 } 758 if (ret != (int)sizeof(header)) { 759 DL_ERR("too small to be an ELF executable: %s", name); 760 return NULL; 761 } 762 if (verify_elf_header(header) < 0) { 763 DL_ERR("not a valid ELF executable: %s", name); 764 return NULL; 765 } 766 767 // Read the program header table. 768 const Elf32_Phdr* phdr_table; 769 phdr_ptr phdr_holder; 770 ret = phdr_table_load(fd.fd, header->e_phoff, header->e_phnum, 771 &phdr_holder.phdr_mmap, &phdr_holder.phdr_size, &phdr_table); 772 if (ret < 0) { 773 DL_ERR("can't load program header table: %s: %s", name, strerror(errno)); 774 return NULL; 775 } 776 size_t phdr_count = header->e_phnum; 777 778 // Get the load extents. 779 Elf32_Addr ext_sz = phdr_table_get_load_size(phdr_table, phdr_count); 780 TRACE("[ %5d - '%s' wants sz=0x%08x ]\n", pid, name, ext_sz); 781 if (ext_sz == 0) { 782 DL_ERR("no loadable segments in file: %s", name); 783 return NULL; 784 } 785 786 // We no longer support pre-linked libraries. 787 if (is_prelinked(fd.fd, name)) { 788 return NULL; 789 } 790 791 // Reserve address space for all loadable segments. 792 void* load_start = NULL; 793 Elf32_Addr load_size = 0; 794 Elf32_Addr load_bias = 0; 795 ret = phdr_table_reserve_memory(phdr_table, 796 phdr_count, 797 &load_start, 798 &load_size, 799 &load_bias); 800 if (ret < 0) { 801 DL_ERR("can't reserve %d bytes in address space for \"%s\": %s", 802 ext_sz, name, strerror(errno)); 803 return NULL; 804 } 805 806 TRACE("[ %5d allocated memory for %s @ %p (0x%08x) ]\n", 807 pid, name, load_start, load_size); 808 809 /* Map all the segments in our address space with default protections */ 810 ret = phdr_table_load_segments(phdr_table, 811 phdr_count, 812 load_bias, 813 fd.fd); 814 if (ret < 0) { 815 DL_ERR("can't map loadable segments for \"%s\": %s", 816 name, strerror(errno)); 817 return NULL; 818 } 819 820 /* Unprotect the segments, i.e. make them writable, to allow 821 * relocations to work properly. We will later call 822 * phdr_table_protect_segments() after all of them are applied 823 * and all constructors are run. 824 */ 825 ret = phdr_table_unprotect_segments(phdr_table, 826 phdr_count, 827 load_bias); 828 if (ret < 0) { 829 DL_ERR("can't unprotect loadable segments for \"%s\": %s", 830 name, strerror(errno)); 831 return NULL; 832 } 833 834 soinfo_ptr si(name); 835 if (si.ptr == NULL) { 836 return NULL; 837 } 838 839 si.ptr->base = (Elf32_Addr) load_start; 840 si.ptr->size = load_size; 841 si.ptr->load_bias = load_bias; 842 si.ptr->flags = 0; 843 si.ptr->entry = 0; 844 si.ptr->dynamic = (unsigned *)-1; 845 si.ptr->phnum = phdr_count; 846 si.ptr->phdr = phdr_table_get_loaded_phdr(phdr_table, phdr_count, load_bias); 847 if (si.ptr->phdr == NULL) { 848 DL_ERR("can't find loaded PHDR for \"%s\"", name); 849 return NULL; 850 } 851 852 return si.release(); 853} 854 855static soinfo * 856init_library(soinfo *si) 857{ 858 unsigned wr_offset = 0xffffffff; 859 860 /* At this point we know that whatever is loaded @ base is a valid ELF 861 * shared library whose segments are properly mapped in. */ 862 TRACE("[ %5d init_library base=0x%08x sz=0x%08x name='%s') ]\n", 863 pid, si->base, si->size, si->name); 864 865 if(soinfo_link_image(si, wr_offset)) { 866 /* We failed to link. However, we can only restore libbase 867 ** if no additional libraries have moved it since we updated it. 868 */ 869 munmap((void *)si->base, si->size); 870 return NULL; 871 } 872 873 return si; 874} 875 876soinfo *find_library(const char *name) 877{ 878 soinfo *si; 879 const char *bname; 880 881#if ALLOW_SYMBOLS_FROM_MAIN 882 if (name == NULL) 883 return somain; 884#else 885 if (name == NULL) 886 return NULL; 887#endif 888 889 bname = strrchr(name, '/'); 890 bname = bname ? bname + 1 : name; 891 892 for(si = solist; si != 0; si = si->next){ 893 if(!strcmp(bname, si->name)) { 894 if(si->flags & FLAG_ERROR) { 895 DL_ERR("\"%s\" failed to load previously", bname); 896 return NULL; 897 } 898 if(si->flags & FLAG_LINKED) return si; 899 DL_ERR("OOPS: recursive link to \"%s\"", si->name); 900 return NULL; 901 } 902 } 903 904 TRACE("[ %5d '%s' has not been loaded yet. Locating...]\n", pid, name); 905 si = load_library(name); 906 if(si == NULL) 907 return NULL; 908 return init_library(si); 909} 910 911/* TODO: 912 * find a way to decrement libbase 913 */ 914static void call_destructors(soinfo *si); 915unsigned soinfo_unload(soinfo *si) 916{ 917 unsigned *d; 918 if (si->refcount == 1) { 919 TRACE("%5d unloading '%s'\n", pid, si->name); 920 call_destructors(si); 921 922 /* 923 * Make sure that we undo the PT_GNU_RELRO protections we added 924 * in soinfo_link_image. This is needed to undo the DT_NEEDED hack below. 925 */ 926 if (phdr_table_unprotect_gnu_relro(si->phdr, si->phnum, 927 si->load_bias) < 0) { 928 DL_ERR("%s: could not undo GNU_RELRO protections. " 929 "Expect a crash soon. errno=%d (%s)", 930 si->name, errno, strerror(errno)); 931 } 932 933 for(d = si->dynamic; *d; d += 2) { 934 if(d[0] == DT_NEEDED){ 935 soinfo *lsi = (soinfo *)d[1]; 936 937 // The next line will segfault if the we don't undo the 938 // PT_GNU_RELRO protections (see comments above and in 939 // soinfo_link_image(). 940 d[1] = 0; 941 942 if (validate_soinfo(lsi)) { 943 TRACE("%5d %s needs to unload %s\n", pid, 944 si->name, lsi->name); 945 soinfo_unload(lsi); 946 } 947 else 948 DL_ERR("\"%s\": could not unload dependent library", 949 si->name); 950 } 951 } 952 953 munmap((char *)si->base, si->size); 954 notify_gdb_of_unload(si); 955 soinfo_free(si); 956 si->refcount = 0; 957 } 958 else { 959 si->refcount--; 960 PRINT("%5d not unloading '%s', decrementing refcount to %d\n", 961 pid, si->name, si->refcount); 962 } 963 return si->refcount; 964} 965 966/* TODO: don't use unsigned for addrs below. It works, but is not 967 * ideal. They should probably be either uint32_t, Elf32_Addr, or unsigned 968 * long. 969 */ 970static int soinfo_relocate(soinfo *si, Elf32_Rel *rel, unsigned count) 971{ 972 Elf32_Sym *symtab = si->symtab; 973 const char *strtab = si->strtab; 974 Elf32_Sym *s; 975 Elf32_Addr offset; 976 Elf32_Rel *start = rel; 977 978 for (size_t idx = 0; idx < count; ++idx, ++rel) { 979 unsigned type = ELF32_R_TYPE(rel->r_info); 980 unsigned sym = ELF32_R_SYM(rel->r_info); 981 unsigned reloc = (unsigned)(rel->r_offset + si->load_bias); 982 unsigned sym_addr = 0; 983 char *sym_name = NULL; 984 985 DEBUG("%5d Processing '%s' relocation at index %d\n", pid, 986 si->name, idx); 987 if (type == 0) { // R_*_NONE 988 continue; 989 } 990 if(sym != 0) { 991 sym_name = (char *)(strtab + symtab[sym].st_name); 992 s = soinfo_do_lookup(si, sym_name, &offset); 993 if(s == NULL) { 994 /* We only allow an undefined symbol if this is a weak 995 reference.. */ 996 s = &symtab[sym]; 997 if (ELF32_ST_BIND(s->st_info) != STB_WEAK) { 998 DL_ERR("cannot locate \"%s\"...", sym_name); 999 return -1; 1000 } 1001 1002 /* IHI0044C AAELF 4.5.1.1: 1003 1004 Libraries are not searched to resolve weak references. 1005 It is not an error for a weak reference to remain 1006 unsatisfied. 1007 1008 During linking, the value of an undefined weak reference is: 1009 - Zero if the relocation type is absolute 1010 - The address of the place if the relocation is pc-relative 1011 - The address of nominial base address if the relocation 1012 type is base-relative. 1013 */ 1014 1015 switch (type) { 1016#if defined(ANDROID_ARM_LINKER) 1017 case R_ARM_JUMP_SLOT: 1018 case R_ARM_GLOB_DAT: 1019 case R_ARM_ABS32: 1020 case R_ARM_RELATIVE: /* Don't care. */ 1021#elif defined(ANDROID_X86_LINKER) 1022 case R_386_JMP_SLOT: 1023 case R_386_GLOB_DAT: 1024 case R_386_32: 1025 case R_386_RELATIVE: /* Dont' care. */ 1026#endif /* ANDROID_*_LINKER */ 1027 /* sym_addr was initialized to be zero above or relocation 1028 code below does not care about value of sym_addr. 1029 No need to do anything. */ 1030 break; 1031 1032#if defined(ANDROID_X86_LINKER) 1033 case R_386_PC32: 1034 sym_addr = reloc; 1035 break; 1036#endif /* ANDROID_X86_LINKER */ 1037 1038#if defined(ANDROID_ARM_LINKER) 1039 case R_ARM_COPY: 1040 /* Fall through. Can't really copy if weak symbol is 1041 not found in run-time. */ 1042#endif /* ANDROID_ARM_LINKER */ 1043 default: 1044 DL_ERR("unknown weak reloc type %d @ %p (%d)", 1045 type, rel, (int) (rel - start)); 1046 return -1; 1047 } 1048 } else { 1049 /* We got a definition. */ 1050#if 0 1051 if((base == 0) && (si->base != 0)){ 1052 /* linking from libraries to main image is bad */ 1053 DL_ERR("cannot locate \"%s\"...", 1054 strtab + symtab[sym].st_name); 1055 return -1; 1056 } 1057#endif 1058 sym_addr = (unsigned)(s->st_value + offset); 1059 } 1060 COUNT_RELOC(RELOC_SYMBOL); 1061 } else { 1062 s = NULL; 1063 } 1064 1065/* TODO: This is ugly. Split up the relocations by arch into 1066 * different files. 1067 */ 1068 switch(type){ 1069#if defined(ANDROID_ARM_LINKER) 1070 case R_ARM_JUMP_SLOT: 1071 COUNT_RELOC(RELOC_ABSOLUTE); 1072 MARK(rel->r_offset); 1073 TRACE_TYPE(RELO, "%5d RELO JMP_SLOT %08x <- %08x %s\n", pid, 1074 reloc, sym_addr, sym_name); 1075 *((unsigned*)reloc) = sym_addr; 1076 break; 1077 case R_ARM_GLOB_DAT: 1078 COUNT_RELOC(RELOC_ABSOLUTE); 1079 MARK(rel->r_offset); 1080 TRACE_TYPE(RELO, "%5d RELO GLOB_DAT %08x <- %08x %s\n", pid, 1081 reloc, sym_addr, sym_name); 1082 *((unsigned*)reloc) = sym_addr; 1083 break; 1084 case R_ARM_ABS32: 1085 COUNT_RELOC(RELOC_ABSOLUTE); 1086 MARK(rel->r_offset); 1087 TRACE_TYPE(RELO, "%5d RELO ABS %08x <- %08x %s\n", pid, 1088 reloc, sym_addr, sym_name); 1089 *((unsigned*)reloc) += sym_addr; 1090 break; 1091 case R_ARM_REL32: 1092 COUNT_RELOC(RELOC_RELATIVE); 1093 MARK(rel->r_offset); 1094 TRACE_TYPE(RELO, "%5d RELO REL32 %08x <- %08x - %08x %s\n", pid, 1095 reloc, sym_addr, rel->r_offset, sym_name); 1096 *((unsigned*)reloc) += sym_addr - rel->r_offset; 1097 break; 1098#elif defined(ANDROID_X86_LINKER) 1099 case R_386_JMP_SLOT: 1100 COUNT_RELOC(RELOC_ABSOLUTE); 1101 MARK(rel->r_offset); 1102 TRACE_TYPE(RELO, "%5d RELO JMP_SLOT %08x <- %08x %s\n", pid, 1103 reloc, sym_addr, sym_name); 1104 *((unsigned*)reloc) = sym_addr; 1105 break; 1106 case R_386_GLOB_DAT: 1107 COUNT_RELOC(RELOC_ABSOLUTE); 1108 MARK(rel->r_offset); 1109 TRACE_TYPE(RELO, "%5d RELO GLOB_DAT %08x <- %08x %s\n", pid, 1110 reloc, sym_addr, sym_name); 1111 *((unsigned*)reloc) = sym_addr; 1112 break; 1113#elif defined(ANDROID_MIPS_LINKER) 1114 case R_MIPS_JUMP_SLOT: 1115 COUNT_RELOC(RELOC_ABSOLUTE); 1116 MARK(rel->r_offset); 1117 TRACE_TYPE(RELO, "%5d RELO JMP_SLOT %08x <- %08x %s\n", pid, 1118 reloc, sym_addr, sym_name); 1119 *((unsigned*)reloc) = sym_addr; 1120 break; 1121 case R_MIPS_REL32: 1122 COUNT_RELOC(RELOC_ABSOLUTE); 1123 MARK(rel->r_offset); 1124 TRACE_TYPE(RELO, "%5d RELO REL32 %08x <- %08x %s\n", pid, 1125 reloc, sym_addr, (sym_name) ? sym_name : "*SECTIONHDR*"); 1126 if (s) { 1127 *((unsigned*)reloc) += sym_addr; 1128 } else { 1129 *((unsigned*)reloc) += si->base; 1130 } 1131 break; 1132#endif /* ANDROID_*_LINKER */ 1133 1134#if defined(ANDROID_ARM_LINKER) 1135 case R_ARM_RELATIVE: 1136#elif defined(ANDROID_X86_LINKER) 1137 case R_386_RELATIVE: 1138#endif /* ANDROID_*_LINKER */ 1139 COUNT_RELOC(RELOC_RELATIVE); 1140 MARK(rel->r_offset); 1141 if (sym) { 1142 DL_ERR("odd RELATIVE form...", pid); 1143 return -1; 1144 } 1145 TRACE_TYPE(RELO, "%5d RELO RELATIVE %08x <- +%08x\n", pid, 1146 reloc, si->base); 1147 *((unsigned*)reloc) += si->base; 1148 break; 1149 1150#if defined(ANDROID_X86_LINKER) 1151 case R_386_32: 1152 COUNT_RELOC(RELOC_RELATIVE); 1153 MARK(rel->r_offset); 1154 1155 TRACE_TYPE(RELO, "%5d RELO R_386_32 %08x <- +%08x %s\n", pid, 1156 reloc, sym_addr, sym_name); 1157 *((unsigned *)reloc) += (unsigned)sym_addr; 1158 break; 1159 1160 case R_386_PC32: 1161 COUNT_RELOC(RELOC_RELATIVE); 1162 MARK(rel->r_offset); 1163 TRACE_TYPE(RELO, "%5d RELO R_386_PC32 %08x <- " 1164 "+%08x (%08x - %08x) %s\n", pid, reloc, 1165 (sym_addr - reloc), sym_addr, reloc, sym_name); 1166 *((unsigned *)reloc) += (unsigned)(sym_addr - reloc); 1167 break; 1168#endif /* ANDROID_X86_LINKER */ 1169 1170#ifdef ANDROID_ARM_LINKER 1171 case R_ARM_COPY: 1172 COUNT_RELOC(RELOC_COPY); 1173 MARK(rel->r_offset); 1174 TRACE_TYPE(RELO, "%5d RELO %08x <- %d @ %08x %s\n", pid, 1175 reloc, s->st_size, sym_addr, sym_name); 1176 memcpy((void*)reloc, (void*)sym_addr, s->st_size); 1177 break; 1178#endif /* ANDROID_ARM_LINKER */ 1179 1180 default: 1181 DL_ERR("unknown reloc type %d @ %p (%d)", 1182 type, rel, (int) (rel - start)); 1183 return -1; 1184 } 1185 } 1186 return 0; 1187} 1188 1189#ifdef ANDROID_MIPS_LINKER 1190int mips_relocate_got(struct soinfo *si) 1191{ 1192 unsigned *got; 1193 unsigned local_gotno, gotsym, symtabno; 1194 Elf32_Sym *symtab, *sym; 1195 unsigned g; 1196 1197 got = si->plt_got; 1198 local_gotno = si->mips_local_gotno; 1199 gotsym = si->mips_gotsym; 1200 symtabno = si->mips_symtabno; 1201 symtab = si->symtab; 1202 1203 /* 1204 * got[0] is address of lazy resolver function 1205 * got[1] may be used for a GNU extension 1206 * set it to a recognisable address in case someone calls it 1207 * (should be _rtld_bind_start) 1208 * FIXME: maybe this should be in a separate routine 1209 */ 1210 1211 if ((si->flags & FLAG_LINKER) == 0) { 1212 g = 0; 1213 got[g++] = 0xdeadbeef; 1214 if (got[g] & 0x80000000) { 1215 got[g++] = 0xdeadfeed; 1216 } 1217 /* 1218 * Relocate the local GOT entries need to be relocated 1219 */ 1220 for (; g < local_gotno; g++) { 1221 got[g] += si->load_bias; 1222 } 1223 } 1224 1225 /* Now for the global GOT entries */ 1226 sym = symtab + gotsym; 1227 got = si->plt_got + local_gotno; 1228 for (g = gotsym; g < symtabno; g++, sym++, got++) { 1229 const char *sym_name; 1230 unsigned base; 1231 Elf32_Sym *s; 1232 1233 /* This is an undefined reference... try to locate it */ 1234 sym_name = si->strtab + sym->st_name; 1235 s = soinfo_do_lookup(si, sym_name, &base); 1236 if (s == NULL) { 1237 /* We only allow an undefined symbol if this is a weak 1238 reference.. */ 1239 s = &symtab[g]; 1240 if (ELF32_ST_BIND(s->st_info) != STB_WEAK) { 1241 DL_ERR("cannot locate \"%s\"...", sym_name); 1242 return -1; 1243 } 1244 *got = 0; 1245 } 1246 else { 1247 /* FIXME: is this sufficient? 1248 * For reference see NetBSD link loader 1249 * http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/ld.elf_so/arch/mips/mips_reloc.c?rev=1.53&content-type=text/x-cvsweb-markup 1250 */ 1251 *got = base + s->st_value; 1252 } 1253 } 1254 return 0; 1255} 1256#endif 1257 1258/* Please read the "Initialization and Termination functions" functions. 1259 * of the linker design note in bionic/linker/README.TXT to understand 1260 * what the following code is doing. 1261 * 1262 * The important things to remember are: 1263 * 1264 * DT_PREINIT_ARRAY must be called first for executables, and should 1265 * not appear in shared libraries. 1266 * 1267 * DT_INIT should be called before DT_INIT_ARRAY if both are present 1268 * 1269 * DT_FINI should be called after DT_FINI_ARRAY if both are present 1270 * 1271 * DT_FINI_ARRAY must be parsed in reverse order. 1272 */ 1273 1274static void call_array(unsigned *ctor, int count, int reverse) 1275{ 1276 int n, inc = 1; 1277 1278 if (reverse) { 1279 ctor += (count-1); 1280 inc = -1; 1281 } 1282 1283 for(n = count; n > 0; n--) { 1284 TRACE("[ %5d Looking at %s *0x%08x == 0x%08x ]\n", pid, 1285 reverse ? "dtor" : "ctor", 1286 (unsigned)ctor, (unsigned)*ctor); 1287 void (*func)() = (void (*)()) *ctor; 1288 ctor += inc; 1289 if(((int) func == 0) || ((int) func == -1)) continue; 1290 TRACE("[ %5d Calling func @ 0x%08x ]\n", pid, (unsigned)func); 1291 func(); 1292 } 1293} 1294 1295void soinfo_call_constructors(soinfo *si) 1296{ 1297 if (si->constructors_called) 1298 return; 1299 1300 // Set this before actually calling the constructors, otherwise it doesn't 1301 // protect against recursive constructor calls. One simple example of 1302 // constructor recursion is the libc debug malloc, which is implemented in 1303 // libc_malloc_debug_leak.so: 1304 // 1. The program depends on libc, so libc's constructor is called here. 1305 // 2. The libc constructor calls dlopen() to load libc_malloc_debug_leak.so. 1306 // 3. dlopen() calls soinfo_call_constructors() with the newly created 1307 // soinfo for libc_malloc_debug_leak.so. 1308 // 4. The debug so depends on libc, so soinfo_call_constructors() is 1309 // called again with the libc soinfo. If it doesn't trigger the early- 1310 // out above, the libc constructor will be called again (recursively!). 1311 si->constructors_called = 1; 1312 1313 if (si->flags & FLAG_EXE) { 1314 TRACE("[ %5d Calling preinit_array @ 0x%08x [%d] for '%s' ]\n", 1315 pid, (unsigned)si->preinit_array, si->preinit_array_count, 1316 si->name); 1317 call_array(si->preinit_array, si->preinit_array_count, 0); 1318 TRACE("[ %5d Done calling preinit_array for '%s' ]\n", pid, si->name); 1319 } else { 1320 if (si->preinit_array) { 1321 DL_ERR("shared library \"%s\" has a preinit_array table @ 0x%08x. " 1322 "This is INVALID.", si->name, (unsigned) si->preinit_array); 1323 } 1324 } 1325 1326 if (si->dynamic) { 1327 unsigned *d; 1328 for(d = si->dynamic; *d; d += 2) { 1329 if(d[0] == DT_NEEDED){ 1330 soinfo* lsi = (soinfo *)d[1]; 1331 if (!validate_soinfo(lsi)) { 1332 DL_ERR("bad DT_NEEDED pointer in \"%s\"", si->name); 1333 } else { 1334 soinfo_call_constructors(lsi); 1335 } 1336 } 1337 } 1338 } 1339 1340 if (si->init_func) { 1341 TRACE("[ %5d Calling init_func @ 0x%08x for '%s' ]\n", pid, 1342 (unsigned)si->init_func, si->name); 1343 si->init_func(); 1344 TRACE("[ %5d Done calling init_func for '%s' ]\n", pid, si->name); 1345 } 1346 1347 if (si->init_array) { 1348 TRACE("[ %5d Calling init_array @ 0x%08x [%d] for '%s' ]\n", pid, 1349 (unsigned)si->init_array, si->init_array_count, si->name); 1350 call_array(si->init_array, si->init_array_count, 0); 1351 TRACE("[ %5d Done calling init_array for '%s' ]\n", pid, si->name); 1352 } 1353 1354} 1355 1356static void call_destructors(soinfo *si) 1357{ 1358 if (si->fini_array) { 1359 TRACE("[ %5d Calling fini_array @ 0x%08x [%d] for '%s' ]\n", pid, 1360 (unsigned)si->fini_array, si->fini_array_count, si->name); 1361 call_array(si->fini_array, si->fini_array_count, 1); 1362 TRACE("[ %5d Done calling fini_array for '%s' ]\n", pid, si->name); 1363 } 1364 1365 if (si->fini_func) { 1366 TRACE("[ %5d Calling fini_func @ 0x%08x for '%s' ]\n", pid, 1367 (unsigned)si->fini_func, si->name); 1368 si->fini_func(); 1369 TRACE("[ %5d Done calling fini_func for '%s' ]\n", pid, si->name); 1370 } 1371} 1372 1373/* Force any of the closed stdin, stdout and stderr to be associated with 1374 /dev/null. */ 1375static int nullify_closed_stdio (void) 1376{ 1377 int dev_null, i, status; 1378 int return_value = 0; 1379 1380 dev_null = TEMP_FAILURE_RETRY(open("/dev/null", O_RDWR)); 1381 if (dev_null < 0) { 1382 DL_ERR("cannot open /dev/null: %s", strerror(errno)); 1383 return -1; 1384 } 1385 TRACE("[ %5d Opened /dev/null file-descriptor=%d]\n", pid, dev_null); 1386 1387 /* If any of the stdio file descriptors is valid and not associated 1388 with /dev/null, dup /dev/null to it. */ 1389 for (i = 0; i < 3; i++) { 1390 /* If it is /dev/null already, we are done. */ 1391 if (i == dev_null) { 1392 continue; 1393 } 1394 1395 TRACE("[ %5d Nullifying stdio file descriptor %d]\n", pid, i); 1396 status = TEMP_FAILURE_RETRY(fcntl(i, F_GETFL)); 1397 1398 /* If file is opened, we are good. */ 1399 if (status != -1) { 1400 continue; 1401 } 1402 1403 /* The only error we allow is that the file descriptor does not 1404 exist, in which case we dup /dev/null to it. */ 1405 if (errno != EBADF) { 1406 DL_ERR("fcntl failed: %s", strerror(errno)); 1407 return_value = -1; 1408 continue; 1409 } 1410 1411 /* Try dupping /dev/null to this stdio file descriptor and 1412 repeat if there is a signal. Note that any errors in closing 1413 the stdio descriptor are lost. */ 1414 status = TEMP_FAILURE_RETRY(dup2(dev_null, i)); 1415 if (status < 0) { 1416 DL_ERR("dup2 failed: %s", strerror(errno)); 1417 return_value = -1; 1418 continue; 1419 } 1420 } 1421 1422 /* If /dev/null is not one of the stdio file descriptors, close it. */ 1423 if (dev_null > 2) { 1424 TRACE("[ %5d Closing /dev/null file-descriptor=%d]\n", pid, dev_null); 1425 status = TEMP_FAILURE_RETRY(close(dev_null)); 1426 if (status == -1) { 1427 DL_ERR("close failed: %s", strerror(errno)); 1428 return_value = -1; 1429 } 1430 } 1431 1432 return return_value; 1433} 1434 1435static int soinfo_link_image(soinfo *si, unsigned wr_offset) 1436{ 1437 unsigned *d; 1438 /* "base" might wrap around UINT32_MAX. */ 1439 Elf32_Addr base = si->load_bias; 1440 const Elf32_Phdr *phdr = si->phdr; 1441 int phnum = si->phnum; 1442 int relocating_linker = (si->flags & FLAG_LINKER) != 0; 1443 1444 /* We can't debug anything until the linker is relocated */ 1445 if (!relocating_linker) { 1446 INFO("[ %5d linking %s ]\n", pid, si->name); 1447 DEBUG("%5d si->base = 0x%08x si->flags = 0x%08x\n", pid, 1448 si->base, si->flags); 1449 } 1450 1451 /* Extract dynamic section */ 1452 si->dynamic = phdr_table_get_dynamic_section(phdr, phnum, base); 1453 if (si->dynamic == NULL) { 1454 if (!relocating_linker) { 1455 DL_ERR("missing PT_DYNAMIC?!"); 1456 } 1457 goto fail; 1458 } else { 1459 if (!relocating_linker) { 1460 DEBUG("%5d dynamic = %p\n", pid, si->dynamic); 1461 } 1462 } 1463 1464#ifdef ANDROID_ARM_LINKER 1465 (void) phdr_table_get_arm_exidx(phdr, phnum, base, 1466 &si->ARM_exidx, &si->ARM_exidx_count); 1467#endif 1468 1469 if (si->flags & (FLAG_EXE | FLAG_LINKER)) { 1470 if (phdr_table_unprotect_segments(si->phdr, 1471 si->phnum, 1472 si->load_bias) < 0) { 1473 /* We can't call DL_ERR if the linker's relocations haven't 1474 * been performed yet */ 1475 if (!relocating_linker) { 1476 DL_ERR("can't unprotect segments for \"%s\": %s", 1477 si->name, strerror(errno)); 1478 } 1479 goto fail; 1480 } 1481 } 1482 1483 /* extract useful information from dynamic section */ 1484 for(d = si->dynamic; *d; d++){ 1485 DEBUG("%5d d = %p, d[0] = 0x%08x d[1] = 0x%08x\n", pid, d, d[0], d[1]); 1486 switch(*d++){ 1487 case DT_HASH: 1488 si->nbucket = ((unsigned *) (base + *d))[0]; 1489 si->nchain = ((unsigned *) (base + *d))[1]; 1490 si->bucket = (unsigned *) (base + *d + 8); 1491 si->chain = (unsigned *) (base + *d + 8 + si->nbucket * 4); 1492 break; 1493 case DT_STRTAB: 1494 si->strtab = (const char *) (base + *d); 1495 break; 1496 case DT_SYMTAB: 1497 si->symtab = (Elf32_Sym *) (base + *d); 1498 break; 1499 case DT_PLTREL: 1500 if(*d != DT_REL) { 1501 DL_ERR("DT_RELA not supported"); 1502 goto fail; 1503 } 1504 break; 1505 case DT_JMPREL: 1506 si->plt_rel = (Elf32_Rel*) (base + *d); 1507 break; 1508 case DT_PLTRELSZ: 1509 si->plt_rel_count = *d / 8; 1510 break; 1511 case DT_REL: 1512 si->rel = (Elf32_Rel*) (base + *d); 1513 break; 1514 case DT_RELSZ: 1515 si->rel_count = *d / 8; 1516 break; 1517 case DT_PLTGOT: 1518 /* Save this in case we decide to do lazy binding. We don't yet. */ 1519 si->plt_got = (unsigned *)(base + *d); 1520 break; 1521 case DT_DEBUG: 1522#if !defined(ANDROID_MIPS_LINKER) 1523 // Set the DT_DEBUG entry to the addres of _r_debug for GDB 1524 *d = (int) &_r_debug; 1525#endif 1526 break; 1527 case DT_RELA: 1528 DL_ERR("DT_RELA not supported"); 1529 goto fail; 1530 case DT_INIT: 1531 si->init_func = (void (*)(void))(base + *d); 1532 DEBUG("%5d %s constructors (init func) found at %p\n", 1533 pid, si->name, si->init_func); 1534 break; 1535 case DT_FINI: 1536 si->fini_func = (void (*)(void))(base + *d); 1537 DEBUG("%5d %s destructors (fini func) found at %p\n", 1538 pid, si->name, si->fini_func); 1539 break; 1540 case DT_INIT_ARRAY: 1541 si->init_array = (unsigned *)(base + *d); 1542 DEBUG("%5d %s constructors (init_array) found at %p\n", 1543 pid, si->name, si->init_array); 1544 break; 1545 case DT_INIT_ARRAYSZ: 1546 si->init_array_count = ((unsigned)*d) / sizeof(Elf32_Addr); 1547 break; 1548 case DT_FINI_ARRAY: 1549 si->fini_array = (unsigned *)(base + *d); 1550 DEBUG("%5d %s destructors (fini_array) found at %p\n", 1551 pid, si->name, si->fini_array); 1552 break; 1553 case DT_FINI_ARRAYSZ: 1554 si->fini_array_count = ((unsigned)*d) / sizeof(Elf32_Addr); 1555 break; 1556 case DT_PREINIT_ARRAY: 1557 si->preinit_array = (unsigned *)(base + *d); 1558 DEBUG("%5d %s constructors (preinit_array) found at %p\n", 1559 pid, si->name, si->preinit_array); 1560 break; 1561 case DT_PREINIT_ARRAYSZ: 1562 si->preinit_array_count = ((unsigned)*d) / sizeof(Elf32_Addr); 1563 break; 1564 case DT_TEXTREL: 1565 /* TODO: make use of this. */ 1566 /* this means that we might have to write into where the text 1567 * segment was loaded during relocation... Do something with 1568 * it. 1569 */ 1570 DEBUG("%5d Text segment should be writable during relocation.\n", 1571 pid); 1572 break; 1573#if defined(ANDROID_MIPS_LINKER) 1574 case DT_NEEDED: 1575 case DT_STRSZ: 1576 case DT_SYMENT: 1577 case DT_RELENT: 1578 break; 1579 case DT_MIPS_RLD_MAP: 1580 /* Set the DT_MIPS_RLD_MAP entry to the addres of _r_debug for GDB */ 1581 { 1582 struct r_debug **dp = (struct r_debug **)*d; 1583 *dp = &_r_debug; 1584 } 1585 break; 1586 case DT_MIPS_RLD_VERSION: 1587 case DT_MIPS_FLAGS: 1588 case DT_MIPS_BASE_ADDRESS: 1589 case DT_MIPS_UNREFEXTNO: 1590 case DT_MIPS_RWPLT: 1591 break; 1592 1593 case DT_MIPS_PLTGOT: 1594#if 0 1595 /* not yet... */ 1596 si->mips_pltgot = (unsigned *)(si->base + *d); 1597#endif 1598 break; 1599 1600 case DT_MIPS_SYMTABNO: 1601 si->mips_symtabno = *d; 1602 break; 1603 1604 case DT_MIPS_LOCAL_GOTNO: 1605 si->mips_local_gotno = *d; 1606 break; 1607 1608 case DT_MIPS_GOTSYM: 1609 si->mips_gotsym = *d; 1610 break; 1611 1612 default: 1613 DEBUG("%5d Unused DT entry: type 0x%08x arg 0x%08x\n", 1614 pid, d[-1], d[0]); 1615 break; 1616#endif 1617 } 1618 } 1619 1620 DEBUG("%5d si->base = 0x%08x, si->strtab = %p, si->symtab = %p\n", 1621 pid, si->base, si->strtab, si->symtab); 1622 1623 if((si->strtab == 0) || (si->symtab == 0)) { 1624 DL_ERR("missing essential tables"); 1625 goto fail; 1626 } 1627 1628 /* if this is the main executable, then load all of the preloads now */ 1629 if(si->flags & FLAG_EXE) { 1630 int i; 1631 memset(preloads, 0, sizeof(preloads)); 1632 for(i = 0; ldpreload_names[i] != NULL; i++) { 1633 soinfo *lsi = find_library(ldpreload_names[i]); 1634 if(lsi == 0) { 1635 strlcpy(tmp_err_buf, linker_get_error(), sizeof(tmp_err_buf)); 1636 DL_ERR("could not load library \"%s\" needed by \"%s\"; caused by %s", 1637 ldpreload_names[i], si->name, tmp_err_buf); 1638 goto fail; 1639 } 1640 lsi->refcount++; 1641 preloads[i] = lsi; 1642 } 1643 } 1644 1645 for(d = si->dynamic; *d; d += 2) { 1646 if(d[0] == DT_NEEDED){ 1647 DEBUG("%5d %s needs %s\n", pid, si->name, si->strtab + d[1]); 1648 soinfo *lsi = find_library(si->strtab + d[1]); 1649 if(lsi == 0) { 1650 strlcpy(tmp_err_buf, linker_get_error(), sizeof(tmp_err_buf)); 1651 DL_ERR("could not load library \"%s\" needed by \"%s\"; caused by %s", 1652 si->strtab + d[1], si->name, tmp_err_buf); 1653 goto fail; 1654 } 1655 /* Save the soinfo of the loaded DT_NEEDED library in the payload 1656 of the DT_NEEDED entry itself, so that we can retrieve the 1657 soinfo directly later from the dynamic segment. This is a hack, 1658 but it allows us to map from DT_NEEDED to soinfo efficiently 1659 later on when we resolve relocations, trying to look up a symbol 1660 with dlsym(). 1661 */ 1662 d[1] = (unsigned)lsi; 1663 lsi->refcount++; 1664 } 1665 } 1666 1667 if(si->plt_rel) { 1668 DEBUG("[ %5d relocating %s plt ]\n", pid, si->name ); 1669 if(soinfo_relocate(si, si->plt_rel, si->plt_rel_count)) 1670 goto fail; 1671 } 1672 if(si->rel) { 1673 DEBUG("[ %5d relocating %s ]\n", pid, si->name ); 1674 if(soinfo_relocate(si, si->rel, si->rel_count)) 1675 goto fail; 1676 } 1677 1678#ifdef ANDROID_MIPS_LINKER 1679 if(mips_relocate_got(si)) { 1680 goto fail; 1681 } 1682#endif 1683 1684 si->flags |= FLAG_LINKED; 1685 DEBUG("[ %5d finished linking %s ]\n", pid, si->name); 1686 1687 /* All relocations are done, we can protect our segments back to 1688 * read-only. */ 1689 if (phdr_table_protect_segments(si->phdr, si->phnum, si->load_bias) < 0) { 1690 DL_ERR("can't protect segments for \"%s\": %s", 1691 si->name, strerror(errno)); 1692 goto fail; 1693 } 1694 1695 /* We can also turn on GNU RELRO protection */ 1696 if (phdr_table_protect_gnu_relro(si->phdr, si->phnum, si->load_bias) < 0) { 1697 DL_ERR("can't enable GNU RELRO protection for \"%s\": %s", 1698 si->name, strerror(errno)); 1699 goto fail; 1700 } 1701 1702 /* If this is a SET?ID program, dup /dev/null to opened stdin, 1703 stdout and stderr to close a security hole described in: 1704 1705 ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:23.stdio.asc 1706 1707 */ 1708 if (program_is_setuid) { 1709 nullify_closed_stdio(); 1710 } 1711 notify_gdb_of_load(si); 1712 return 0; 1713 1714fail: 1715 ERROR("failed to link %s\n", si->name); 1716 si->flags |= FLAG_ERROR; 1717 return -1; 1718} 1719 1720static void parse_path(const char* path, const char* delimiters, 1721 const char** array, char* buf, size_t buf_size, size_t max_count) 1722{ 1723 if (path == NULL) { 1724 return; 1725 } 1726 1727 size_t len = strlcpy(buf, path, buf_size); 1728 1729 size_t i = 0; 1730 char* buf_p = buf; 1731 while (i < max_count && (array[i] = strsep(&buf_p, delimiters))) { 1732 if (*array[i] != '\0') { 1733 ++i; 1734 } 1735 } 1736 1737 // Forget the last path if we had to truncate; this occurs if the 2nd to 1738 // last char isn't '\0' (i.e. wasn't originally a delimiter). 1739 if (i > 0 && len >= buf_size && buf[buf_size - 2] != '\0') { 1740 array[i - 1] = NULL; 1741 } else { 1742 array[i] = NULL; 1743 } 1744} 1745 1746static void parse_LD_LIBRARY_PATH(const char* path) { 1747 parse_path(path, ":", ldpaths, 1748 ldpaths_buf, sizeof(ldpaths_buf), LDPATH_MAX); 1749} 1750 1751static void parse_LD_PRELOAD(const char* path) { 1752 // We have historically supported ':' as well as ' ' in LD_PRELOAD. 1753 parse_path(path, " :", ldpreload_names, 1754 ldpreloads_buf, sizeof(ldpreloads_buf), LDPRELOAD_MAX); 1755} 1756 1757/* 1758 * This code is called after the linker has linked itself and 1759 * fixed it's own GOT. It is safe to make references to externs 1760 * and other non-local data at this point. 1761 */ 1762static unsigned __linker_init_post_relocation(unsigned **elfdata, unsigned linker_base) 1763{ 1764 static soinfo linker_soinfo; 1765 1766 int argc = (int) *elfdata; 1767 char **argv = (char**) (elfdata + 1); 1768 unsigned *vecs = (unsigned*) (argv + argc + 1); 1769 unsigned *v; 1770 soinfo *si; 1771 int i; 1772 struct link_map * map; 1773 const char *ldpath_env = NULL; 1774 const char *ldpreload_env = NULL; 1775 1776 /* NOTE: we store the elfdata pointer on a special location 1777 * of the temporary TLS area in order to pass it to 1778 * the C Library's runtime initializer. 1779 * 1780 * The initializer must clear the slot and reset the TLS 1781 * to point to a different location to ensure that no other 1782 * shared library constructor can access it. 1783 */ 1784 __libc_init_tls(elfdata); 1785 1786 pid = getpid(); 1787 1788#if TIMING 1789 struct timeval t0, t1; 1790 gettimeofday(&t0, 0); 1791#endif 1792 1793 /* Initialize environment functions, and get to the ELF aux vectors table */ 1794 vecs = linker_env_init(vecs); 1795 1796 /* Check auxv for AT_SECURE first to see if program is setuid, setgid, 1797 has file caps, or caused a SELinux/AppArmor domain transition. */ 1798 for (v = vecs; v[0]; v += 2) { 1799 if (v[0] == AT_SECURE) { 1800 /* kernel told us whether to enable secure mode */ 1801 program_is_setuid = v[1]; 1802 goto sanitize; 1803 } 1804 } 1805 1806 /* Kernel did not provide AT_SECURE - fall back on legacy test. */ 1807 program_is_setuid = (getuid() != geteuid()) || (getgid() != getegid()); 1808 1809sanitize: 1810 /* Sanitize environment if we're loading a setuid program */ 1811 if (program_is_setuid) 1812 linker_env_secure(); 1813 1814 debugger_init(); 1815 1816 /* Get a few environment variables */ 1817 { 1818#if LINKER_DEBUG 1819 const char* env; 1820 env = linker_env_get("DEBUG"); /* XXX: TODO: Change to LD_DEBUG */ 1821 if (env) 1822 debug_verbosity = atoi(env); 1823#endif 1824 1825 /* Normally, these are cleaned by linker_env_secure, but the test 1826 * against program_is_setuid doesn't cost us anything */ 1827 if (!program_is_setuid) { 1828 ldpath_env = linker_env_get("LD_LIBRARY_PATH"); 1829 ldpreload_env = linker_env_get("LD_PRELOAD"); 1830 } 1831 } 1832 1833 INFO("[ android linker & debugger ]\n"); 1834 DEBUG("%5d elfdata @ 0x%08x\n", pid, (unsigned)elfdata); 1835 1836 si = soinfo_alloc(argv[0]); 1837 if(si == 0) { 1838 exit(-1); 1839 } 1840 1841 /* bootstrap the link map, the main exe always needs to be first */ 1842 si->flags |= FLAG_EXE; 1843 map = &(si->linkmap); 1844 1845 map->l_addr = 0; 1846 map->l_name = argv[0]; 1847 map->l_prev = NULL; 1848 map->l_next = NULL; 1849 1850 _r_debug.r_map = map; 1851 r_debug_tail = map; 1852 1853 /* gdb expects the linker to be in the debug shared object list. 1854 * Without this, gdb has trouble locating the linker's ".text" 1855 * and ".plt" sections. Gdb could also potentially use this to 1856 * relocate the offset of our exported 'rtld_db_dlactivity' symbol. 1857 * Don't use soinfo_alloc(), because the linker shouldn't 1858 * be on the soinfo list. 1859 */ 1860 strlcpy((char*) linker_soinfo.name, "/system/bin/linker", sizeof linker_soinfo.name); 1861 linker_soinfo.flags = 0; 1862 linker_soinfo.base = linker_base; 1863 /* 1864 * Set the dynamic field in the link map otherwise gdb will complain with 1865 * the following: 1866 * warning: .dynamic section for "/system/bin/linker" is not at the 1867 * expected address (wrong library or version mismatch?) 1868 */ 1869 Elf32_Ehdr *elf_hdr = (Elf32_Ehdr *) linker_base; 1870 Elf32_Phdr *phdr = 1871 (Elf32_Phdr *)((unsigned char *) linker_base + elf_hdr->e_phoff); 1872 linker_soinfo.dynamic = 1873 phdr_table_get_dynamic_section(phdr, elf_hdr->e_phnum, linker_base); 1874 insert_soinfo_into_debug_map(&linker_soinfo); 1875 1876 /* extract information passed from the kernel */ 1877 while(vecs[0] != 0){ 1878 switch(vecs[0]){ 1879 case AT_PHDR: 1880 si->phdr = (Elf32_Phdr*) vecs[1]; 1881 break; 1882 case AT_PHNUM: 1883 si->phnum = (int) vecs[1]; 1884 break; 1885 case AT_ENTRY: 1886 si->entry = vecs[1]; 1887 break; 1888 } 1889 vecs += 2; 1890 } 1891 1892 /* Compute the value of si->base. We can't rely on the fact that 1893 * the first entry is the PHDR because this will not be true 1894 * for certain executables (e.g. some in the NDK unit test suite) 1895 */ 1896 int nn; 1897 si->base = 0; 1898 si->size = phdr_table_get_load_size(si->phdr, si->phnum); 1899 si->load_bias = 0; 1900 for ( nn = 0; nn < si->phnum; nn++ ) { 1901 if (si->phdr[nn].p_type == PT_PHDR) { 1902 si->load_bias = (Elf32_Addr)si->phdr - si->phdr[nn].p_vaddr; 1903 si->base = (Elf32_Addr) si->phdr - si->phdr[nn].p_offset; 1904 break; 1905 } 1906 } 1907 si->dynamic = (unsigned *)-1; 1908 si->refcount = 1; 1909 1910 // Use LD_LIBRARY_PATH and LD_PRELOAD (but only if we aren't setuid/setgid). 1911 parse_LD_LIBRARY_PATH(ldpath_env); 1912 parse_LD_PRELOAD(ldpreload_env); 1913 1914 if(soinfo_link_image(si, 0)) { 1915 char errmsg[] = "CANNOT LINK EXECUTABLE\n"; 1916 write(2, __linker_dl_err_buf, strlen(__linker_dl_err_buf)); 1917 write(2, errmsg, sizeof(errmsg)); 1918 exit(-1); 1919 } 1920 1921 for(i = 0; preloads[i] != NULL; i++) { 1922 soinfo_call_constructors(preloads[i]); 1923 } 1924 1925 soinfo_call_constructors(si); 1926 1927#if ALLOW_SYMBOLS_FROM_MAIN 1928 /* Set somain after we've loaded all the libraries in order to prevent 1929 * linking of symbols back to the main image, which is not set up at that 1930 * point yet. 1931 */ 1932 somain = si; 1933#endif 1934 1935#if TIMING 1936 gettimeofday(&t1,NULL); 1937 PRINT("LINKER TIME: %s: %d microseconds\n", argv[0], (int) ( 1938 (((long long)t1.tv_sec * 1000000LL) + (long long)t1.tv_usec) - 1939 (((long long)t0.tv_sec * 1000000LL) + (long long)t0.tv_usec) 1940 )); 1941#endif 1942#if STATS 1943 PRINT("RELO STATS: %s: %d abs, %d rel, %d copy, %d symbol\n", argv[0], 1944 linker_stats.reloc[RELOC_ABSOLUTE], 1945 linker_stats.reloc[RELOC_RELATIVE], 1946 linker_stats.reloc[RELOC_COPY], 1947 linker_stats.reloc[RELOC_SYMBOL]); 1948#endif 1949#if COUNT_PAGES 1950 { 1951 unsigned n; 1952 unsigned i; 1953 unsigned count = 0; 1954 for(n = 0; n < 4096; n++){ 1955 if(bitmask[n]){ 1956 unsigned x = bitmask[n]; 1957 for(i = 0; i < 8; i++){ 1958 if(x & 1) count++; 1959 x >>= 1; 1960 } 1961 } 1962 } 1963 PRINT("PAGES MODIFIED: %s: %d (%dKB)\n", argv[0], count, count * 4); 1964 } 1965#endif 1966 1967#if TIMING || STATS || COUNT_PAGES 1968 fflush(stdout); 1969#endif 1970 1971 TRACE("[ %5d Ready to execute '%s' @ 0x%08x ]\n", pid, si->name, 1972 si->entry); 1973 return si->entry; 1974} 1975 1976/* 1977 * Find the value of AT_BASE passed to us by the kernel. This is the load 1978 * location of the linker. 1979 */ 1980static unsigned find_linker_base(unsigned **elfdata) { 1981 int argc = (int) *elfdata; 1982 char **argv = (char**) (elfdata + 1); 1983 unsigned *vecs = (unsigned*) (argv + argc + 1); 1984 while (vecs[0] != 0) { 1985 vecs++; 1986 } 1987 1988 /* The end of the environment block is marked by two NULL pointers */ 1989 vecs++; 1990 1991 while(vecs[0]) { 1992 if (vecs[0] == AT_BASE) { 1993 return vecs[1]; 1994 } 1995 vecs += 2; 1996 } 1997 1998 return 0; // should never happen 1999} 2000 2001/* Compute the load-bias of an existing executable. This shall only 2002 * be used to compute the load bias of an executable or shared library 2003 * that was loaded by the kernel itself. 2004 * 2005 * Input: 2006 * elf -> address of ELF header, assumed to be at the start of the file. 2007 * Return: 2008 * load bias, i.e. add the value of any p_vaddr in the file to get 2009 * the corresponding address in memory. 2010 */ 2011static Elf32_Addr 2012get_elf_exec_load_bias(const Elf32_Ehdr* elf) 2013{ 2014 Elf32_Addr offset = elf->e_phoff; 2015 const Elf32_Phdr* phdr_table = (const Elf32_Phdr*)((char*)elf + offset); 2016 const Elf32_Phdr* phdr_end = phdr_table + elf->e_phnum; 2017 const Elf32_Phdr* phdr; 2018 2019 for (phdr = phdr_table; phdr < phdr_end; phdr++) { 2020 if (phdr->p_type == PT_LOAD) { 2021 return (Elf32_Addr)elf + phdr->p_offset - phdr->p_vaddr; 2022 } 2023 } 2024 return 0; 2025} 2026 2027/* 2028 * This is the entry point for the linker, called from begin.S. This 2029 * method is responsible for fixing the linker's own relocations, and 2030 * then calling __linker_init_post_relocation(). 2031 * 2032 * Because this method is called before the linker has fixed it's own 2033 * relocations, any attempt to reference an extern variable, extern 2034 * function, or other GOT reference will generate a segfault. 2035 */ 2036extern "C" unsigned __linker_init(unsigned **elfdata) { 2037 unsigned linker_addr = find_linker_base(elfdata); 2038 Elf32_Ehdr *elf_hdr = (Elf32_Ehdr *) linker_addr; 2039 Elf32_Phdr *phdr = 2040 (Elf32_Phdr *)((unsigned char *) linker_addr + elf_hdr->e_phoff); 2041 2042 soinfo linker_so; 2043 memset(&linker_so, 0, sizeof(soinfo)); 2044 2045 linker_so.base = linker_addr; 2046 linker_so.size = phdr_table_get_load_size(phdr, elf_hdr->e_phnum); 2047 linker_so.load_bias = get_elf_exec_load_bias(elf_hdr); 2048 linker_so.dynamic = (unsigned *) -1; 2049 linker_so.phdr = phdr; 2050 linker_so.phnum = elf_hdr->e_phnum; 2051 linker_so.flags |= FLAG_LINKER; 2052 2053 if (soinfo_link_image(&linker_so, 0)) { 2054 // It would be nice to print an error message, but if the linker 2055 // can't link itself, there's no guarantee that we'll be able to 2056 // call write() (because it involves a GOT reference). 2057 // 2058 // This situation should never occur unless the linker itself 2059 // is corrupt. 2060 exit(-1); 2061 } 2062 2063 // We have successfully fixed our own relocations. It's safe to run 2064 // the main part of the linker now. 2065 return __linker_init_post_relocation(elfdata, linker_addr); 2066} 2067