/* linker.cpp revision 9ec0f03a0d0b17bbb94ac0b9fef6add28a133c3a */
1/* 2 * Copyright (C) 2008, 2009 The Android Open Source Project 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * * Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * * Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in 12 * the documentation and/or other materials provided with the 13 * distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 16 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 18 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 19 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS 22 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT 25 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 
27 */ 28 29#include <linux/auxvec.h> 30 31#include <stdio.h> 32#include <stdlib.h> 33#include <string.h> 34#include <unistd.h> 35#include <fcntl.h> 36#include <errno.h> 37#include <dlfcn.h> 38#include <sys/stat.h> 39 40#include <pthread.h> 41 42#include <sys/mman.h> 43 44#include <sys/atomics.h> 45 46/* special private C library header - see Android.mk */ 47#include <bionic_tls.h> 48 49#include "linker.h" 50#include "linker_debug.h" 51#include "linker_environ.h" 52#include "linker_format.h" 53 54#define ALLOW_SYMBOLS_FROM_MAIN 1 55#define SO_MAX 128 56 57/* Assume average path length of 64 and max 8 paths */ 58#define LDPATH_BUFSIZE 512 59#define LDPATH_MAX 8 60 61#define LDPRELOAD_BUFSIZE 512 62#define LDPRELOAD_MAX 8 63 64/* >>> IMPORTANT NOTE - READ ME BEFORE MODIFYING <<< 65 * 66 * Do NOT use malloc() and friends or pthread_*() code here. 67 * Don't use printf() either; it's caused mysterious memory 68 * corruption in the past. 69 * The linker runs before we bring up libc and it's easiest 70 * to make sure it does not depend on any complex libc features 71 * 72 * open issues / todo: 73 * 74 * - are we doing everything we should for ARM_COPY relocations? 75 * - cleaner error reporting 76 * - after linking, set as much stuff as possible to READONLY 77 * and NOEXEC 78 * - linker hardcodes PAGE_SIZE and PAGE_MASK because the kernel 79 * headers provide versions that are negative... 
 * - allocate space for soinfo structs dynamically instead of
 *   having a hard limit (64)
*/

/* Forward declaration: defined later in this file. */
static int link_image(soinfo *si, unsigned wr_offset);

/* Static pool of soinfo structs (no malloc in the linker — see note above).
 * solist/sonext form a singly-linked list of loaded objects, rooted at the
 * static libdl_info entry; freelist chains entries released by free_info(). */
static int socount = 0;
static soinfo sopool[SO_MAX];
static soinfo *freelist = NULL;
static soinfo *solist = &libdl_info;
static soinfo *sonext = &libdl_info;
#if ALLOW_SYMBOLS_FROM_MAIN
static soinfo *somain; /* main process, always the one after libdl_info */
#endif

/* Returns nonzero iff si points into the static pool (or is the libdl
 * placeholder) — used to sanity-check DT_NEEDED pointers before deref. */
static inline int validate_soinfo(soinfo *si)
{
    return (si >= sopool && si < sopool + SO_MAX) ||
        si == &libdl_info;
}

/* Storage for the parsed LD_LIBRARY_PATH / LD_PRELOAD lists.  The *_buf
 * arrays hold the raw (mutated) strings; the pointer arrays are
 * NULL-terminated views into them. */
static char ldpaths_buf[LDPATH_BUFSIZE];
static const char *ldpaths[LDPATH_MAX + 1];

static char ldpreloads_buf[LDPRELOAD_BUFSIZE];
static const char *ldpreload_names[LDPRELOAD_MAX + 1];

static soinfo *preloads[LDPRELOAD_MAX + 1]; /* loaded LD_PRELOAD objects */

int debug_verbosity;
static int pid;

/* This boolean is set if the program being loaded is setuid */
static int program_is_setuid;

#if STATS
struct _link_stats linker_stats;
#endif

#if COUNT_PAGES
unsigned bitmask[4096];
#endif

#ifndef PT_ARM_EXIDX
#define PT_ARM_EXIDX 0x70000001      /* .ARM.exidx segment */
#endif

/* Trap allocator entry points: the linker must never heap-allocate (see the
 * IMPORTANT NOTE above), so any call into malloc & friends aborts loudly. */
#define HOODLUM(name, ret, ...) \
    ret name __VA_ARGS__ \
    { \
        char errstr[] = "ERROR: " #name " called from the dynamic linker!\n"; \
        write(2, errstr, sizeof(errstr)); \
        abort(); \
    }
HOODLUM(malloc, void *, (size_t size));
HOODLUM(free, void, (void *ptr));
HOODLUM(realloc, void *, (void *ptr, size_t size));
HOODLUM(calloc, void *, (size_t cnt, size_t size));

static char tmp_err_buf[768];
static char __linker_dl_err_buf[768];
/* Record a formatted error in __linker_dl_err_buf (retrieved later via
 * linker_get_error() / dlerror()) and also log it. */
#define DL_ERR(fmt, x...) \
    do { \
        format_buffer(__linker_dl_err_buf, sizeof(__linker_dl_err_buf), \
                      "%s[%d]: " fmt, __func__, __LINE__, ##x); \
        ERROR(fmt "\n", ##x); \
    } while(0)

/* Returns the last error recorded by DL_ERR (backs dlerror()). */
const char *linker_get_error(void)
{
    return (const char *)&__linker_dl_err_buf[0];
}

/*
 * This function is an empty stub where GDB locates a breakpoint to get notified
 * about linker activity.
 */
extern void __attribute__((noinline)) rtld_db_dlactivity(void);

/* The r_debug protocol shared with gdb: a doubly-linked list of link_map
 * entries mirroring solist, plus a state flag toggled around mutations. */
static struct r_debug _r_debug = {1, NULL, &rtld_db_dlactivity,
                                  RT_CONSISTENT, 0};
static struct link_map *r_debug_tail = 0;

static pthread_mutex_t _r_debug_lock = PTHREAD_MUTEX_INITIALIZER;

/* Append info's link_map entry to the gdb-visible list.
 * Caller must hold _r_debug_lock. */
static void insert_soinfo_into_debug_map(soinfo * info)
{
    struct link_map * map;

    /* Copy the necessary fields into the debug structure.
     */
    map = &(info->linkmap);
    map->l_addr = info->base;
    map->l_name = (char*) info->name;
    map->l_ld = (uintptr_t)info->dynamic;

    /* Stick the new library at the end of the list.
     * gdb tends to care more about libc than it does
     * about leaf libraries, and ordering it this way
     * reduces the back-and-forth over the wire.
     */
    if (r_debug_tail) {
        r_debug_tail->l_next = map;
        map->l_prev = r_debug_tail;
        map->l_next = 0;
    } else {
        _r_debug.r_map = map;
        map->l_prev = 0;
        map->l_next = 0;
    }
    r_debug_tail = map;
}

/* Unlink info's link_map entry from the gdb-visible list.
 * Caller must hold _r_debug_lock. */
static void remove_soinfo_from_debug_map(soinfo * info)
{
    struct link_map * map = &(info->linkmap);

    if (r_debug_tail == map)
        r_debug_tail = map->l_prev;

    if (map->l_prev) map->l_prev->l_next = map->l_next;
    if (map->l_next) map->l_next->l_prev = map->l_prev;
}

/* Tell gdb (via the rtld_db_dlactivity breakpoint protocol) that a new
 * shared object has been loaded. */
void notify_gdb_of_load(soinfo * info)
{
    if (info->flags & FLAG_EXE) {
        // GDB already knows about the main executable
        return;
    }

    pthread_mutex_lock(&_r_debug_lock);

    _r_debug.r_state = RT_ADD;
    rtld_db_dlactivity();

    insert_soinfo_into_debug_map(info);

    _r_debug.r_state = RT_CONSISTENT;
    rtld_db_dlactivity();

    pthread_mutex_unlock(&_r_debug_lock);
}

/* Tell gdb that a shared object is about to be unloaded. */
void notify_gdb_of_unload(soinfo * info)
{
    if (info->flags & FLAG_EXE) {
        // GDB already knows about the main executable
        return;
    }

    pthread_mutex_lock(&_r_debug_lock);

    _r_debug.r_state = RT_DELETE;
    rtld_db_dlactivity();

    remove_soinfo_from_debug_map(info);

    _r_debug.r_state = RT_CONSISTENT;
    rtld_db_dlactivity();

    pthread_mutex_unlock(&_r_debug_lock);
}

/* Pulse the gdb activity breakpoint without changing the map — used once at
 * startup so gdb picks up the initial set of libraries. */
void notify_gdb_of_libraries()
{
    _r_debug.r_state = RT_ADD;
    rtld_db_dlactivity();
    _r_debug.r_state = RT_CONSISTENT;
    rtld_db_dlactivity();
}

/* Allocate a zeroed soinfo from the static pool (or the freelist), record
 * the (truncated-to-SOINFO_NAME_LEN-checked) name, and append it to solist.
 * Returns NULL (with DL_ERR set) if the name is too long or the pool is
 * exhausted. */
static soinfo *alloc_info(const char *name)
{
    soinfo *si;

    if(strlen(name) >= SOINFO_NAME_LEN) {
        DL_ERR("%5d library name %s too long", pid, name);
        return NULL;
    }

    /* The freelist is populated when we call free_info(), which in turn is
       done only by dlclose(), which is not likely to be used.
    */
    if (!freelist) {
        if(socount == SO_MAX) {
            DL_ERR("%5d too many libraries when loading %s", pid, name);
            return NULL;
        }
        freelist = sopool + socount++;
        freelist->next = NULL;
    }

    si = freelist;
    freelist = freelist->next;

    /* Make sure we get a clean block of soinfo */
    memset(si, 0, sizeof(soinfo));
    strlcpy((char*) si->name, name, sizeof(si->name));
    sonext->next = si;
    si->next = NULL;
    si->refcount = 0;
    sonext = si;

    TRACE("%5d name %s: allocated soinfo @ %p\n", pid, name, si);
    return si;
}

/* Unlink si from solist and push it onto the freelist for reuse.
 * No-op (with DL_ERR) if si is not actually on solist. */
static void free_info(soinfo *si)
{
    soinfo *prev = NULL, *trav;

    TRACE("%5d name %s: freeing soinfo @ %p\n", pid, si->name, si);

    for(trav = solist; trav != NULL; trav = trav->next){
        if (trav == si)
            break;
        prev = trav;
    }
    if (trav == NULL) {
        /* si was not in solist */
        DL_ERR("%5d name %s is not in solist!", pid, si->name);
        return;
    }

    /* prev will never be NULL, because the first entry in solist is
       always the static libdl_info.
    */
    prev->next = si->next;
    if (si == sonext) sonext = prev;
    si->next = freelist;
    freelist = si;
}

/* Map an address back to the name of the library whose [base, base+size)
 * range contains it; "" if no library matches. */
const char *addr_to_name(unsigned addr)
{
    soinfo *si;

    for(si = solist; si != 0; si = si->next){
        if((addr >= si->base) && (addr < (si->base + si->size))) {
            return si->name;
        }
    }

    return "";
}

/* For a given PC, find the .so that it belongs to.
 * Returns the base address of the .ARM.exidx section
 * for that .so, and the number of 8-byte entries
 * in that section (via *pcount).
 *
 * Intended to be called by libc's __gnu_Unwind_Find_exidx().
 *
 * This function is exposed via dlfcn.c and libdl.so.
337 */ 338#ifdef ANDROID_ARM_LINKER 339_Unwind_Ptr dl_unwind_find_exidx(_Unwind_Ptr pc, int *pcount) 340{ 341 soinfo *si; 342 unsigned addr = (unsigned)pc; 343 344 for (si = solist; si != 0; si = si->next){ 345 if ((addr >= si->base) && (addr < (si->base + si->size))) { 346 *pcount = si->ARM_exidx_count; 347 return (_Unwind_Ptr)(si->base + (unsigned long)si->ARM_exidx); 348 } 349 } 350 *pcount = 0; 351 return NULL; 352} 353#elif defined(ANDROID_X86_LINKER) 354/* Here, we only have to provide a callback to iterate across all the 355 * loaded libraries. gcc_eh does the rest. */ 356int 357dl_iterate_phdr(int (*cb)(struct dl_phdr_info *info, size_t size, void *data), 358 void *data) 359{ 360 soinfo *si; 361 struct dl_phdr_info dl_info; 362 int rv = 0; 363 364 for (si = solist; si != NULL; si = si->next) { 365 dl_info.dlpi_addr = si->linkmap.l_addr; 366 dl_info.dlpi_name = si->linkmap.l_name; 367 dl_info.dlpi_phdr = si->phdr; 368 dl_info.dlpi_phnum = si->phnum; 369 rv = cb(&dl_info, sizeof (struct dl_phdr_info), data); 370 if (rv != 0) 371 break; 372 } 373 return rv; 374} 375#endif 376 377static Elf32_Sym *_elf_lookup(soinfo *si, unsigned hash, const char *name) 378{ 379 Elf32_Sym *s; 380 Elf32_Sym *symtab = si->symtab; 381 const char *strtab = si->strtab; 382 unsigned n; 383 384 TRACE_TYPE(LOOKUP, "%5d SEARCH %s in %s@0x%08x %08x %d\n", pid, 385 name, si->name, si->base, hash, hash % si->nbucket); 386 n = hash % si->nbucket; 387 388 for(n = si->bucket[hash % si->nbucket]; n != 0; n = si->chain[n]){ 389 s = symtab + n; 390 if(strcmp(strtab + s->st_name, name)) continue; 391 392 /* only concern ourselves with global and weak symbol definitions */ 393 switch(ELF32_ST_BIND(s->st_info)){ 394 case STB_GLOBAL: 395 case STB_WEAK: 396 /* no section == undefined */ 397 if(s->st_shndx == 0) continue; 398 399 TRACE_TYPE(LOOKUP, "%5d FOUND %s in %s (%08x) %d\n", pid, 400 name, si->name, s->st_value, s->st_size); 401 return s; 402 } 403 } 404 405 return NULL; 406} 407 408/* 409 * 
Essentially the same method as _elf_lookup() above, but only 410 * searches for LOCAL symbols 411 */ 412static Elf32_Sym *_elf_lookup_local(soinfo *si, unsigned hash, const char *name) 413{ 414 Elf32_Sym *symtab = si->symtab; 415 const char *strtab = si->strtab; 416 unsigned n = hash % si->nbucket;; 417 418 TRACE_TYPE(LOOKUP, "%5d LOCAL SEARCH %s in %s@0x%08x %08x %d\n", pid, 419 name, si->name, si->base, hash, hash % si->nbucket); 420 for(n = si->bucket[hash % si->nbucket]; n != 0; n = si->chain[n]){ 421 Elf32_Sym *s = symtab + n; 422 if (strcmp(strtab + s->st_name, name)) continue; 423 if (ELF32_ST_BIND(s->st_info) != STB_LOCAL) continue; 424 /* no section == undefined */ 425 if(s->st_shndx == 0) continue; 426 427 TRACE_TYPE(LOOKUP, "%5d FOUND LOCAL %s in %s (%08x) %d\n", pid, 428 name, si->name, s->st_value, s->st_size); 429 return s; 430 } 431 432 return NULL; 433} 434 435static unsigned elfhash(const char *_name) 436{ 437 const unsigned char *name = (const unsigned char *) _name; 438 unsigned h = 0, g; 439 440 while(*name) { 441 h = (h << 4) + *name++; 442 g = h & 0xf0000000; 443 h ^= g; 444 h ^= g >> 24; 445 } 446 return h; 447} 448 449static Elf32_Sym * 450_do_lookup(soinfo *si, const char *name, unsigned *base) 451{ 452 unsigned elf_hash = elfhash(name); 453 Elf32_Sym *s; 454 unsigned *d; 455 soinfo *lsi = si; 456 int i; 457 458 /* If we are trying to find a symbol for the linker itself, look 459 * for LOCAL symbols first. Avoid using LOCAL symbols for other 460 * shared libraries until we have a better understanding of what 461 * might break by doing so. */ 462 if (si->flags & FLAG_LINKER) { 463 s = _elf_lookup_local(si, elf_hash, name); 464 if(s != NULL) 465 goto done; 466 } 467 468 /* Look for symbols in the local scope (the object who is 469 * searching). This happens with C++ templates on i386 for some 470 * reason. 471 * 472 * Notes on weak symbols: 473 * The ELF specs are ambigious about treatment of weak definitions in 474 * dynamic linking. 
Some systems return the first definition found 475 * and some the first non-weak definition. This is system dependent. 476 * Here we return the first definition found for simplicity. */ 477 478 s = _elf_lookup(si, elf_hash, name); 479 if(s != NULL) 480 goto done; 481 482 /* Next, look for it in the preloads list */ 483 for(i = 0; preloads[i] != NULL; i++) { 484 lsi = preloads[i]; 485 s = _elf_lookup(lsi, elf_hash, name); 486 if(s != NULL) 487 goto done; 488 } 489 490 for(d = si->dynamic; *d; d += 2) { 491 if(d[0] == DT_NEEDED){ 492 lsi = (soinfo *)d[1]; 493 if (!validate_soinfo(lsi)) { 494 DL_ERR("%5d bad DT_NEEDED pointer in %s", 495 pid, si->name); 496 return NULL; 497 } 498 499 DEBUG("%5d %s: looking up %s in %s\n", 500 pid, si->name, name, lsi->name); 501 s = _elf_lookup(lsi, elf_hash, name); 502 if ((s != NULL) && (s->st_shndx != SHN_UNDEF)) 503 goto done; 504 } 505 } 506 507#if ALLOW_SYMBOLS_FROM_MAIN 508 /* If we are resolving relocations while dlopen()ing a library, it's OK for 509 * the library to resolve a symbol that's defined in the executable itself, 510 * although this is rare and is generally a bad idea. 511 */ 512 if (somain) { 513 lsi = somain; 514 DEBUG("%5d %s: looking up %s in executable %s\n", 515 pid, si->name, name, lsi->name); 516 s = _elf_lookup(lsi, elf_hash, name); 517 } 518#endif 519 520done: 521 if(s != NULL) { 522 TRACE_TYPE(LOOKUP, "%5d si %s sym %s s->st_value = 0x%08x, " 523 "found in %s, base = 0x%08x\n", 524 pid, si->name, name, s->st_value, lsi->name, lsi->base); 525 *base = lsi->base; 526 return s; 527 } 528 529 return NULL; 530} 531 532/* This is used by dl_sym(). It performs symbol lookup only within the 533 specified soinfo object and not in any of its dependencies. 534 */ 535Elf32_Sym *lookup_in_library(soinfo *si, const char *name) 536{ 537 return _elf_lookup(si, elfhash(name), name); 538} 539 540/* This is used by dl_sym(). It performs a global symbol lookup. 
 */
/* Global symbol lookup across all loaded objects, starting at `start`
 * (or the head of solist when start is NULL).  Skips objects that failed
 * to link (FLAG_ERROR).  On success stores the defining object in *found. */
Elf32_Sym *lookup(const char *name, soinfo **found, soinfo *start)
{
    unsigned elf_hash = elfhash(name);
    Elf32_Sym *s = NULL;
    soinfo *si;

    if(start == NULL) {
        start = solist;
    }

    for(si = start; (s == NULL) && (si != NULL); si = si->next)
    {
        if(si->flags & FLAG_ERROR)
            continue;
        s = _elf_lookup(si, elf_hash, name);
        if (s != NULL) {
            *found = si;
            break;
        }
    }

    if(s != NULL) {
        TRACE_TYPE(LOOKUP, "%5d %s s->st_value = 0x%08x, "
                   "si->base = 0x%08x\n", pid, name, s->st_value, si->base);
        return s;
    }

    return NULL;
}

/* Returns the loaded object whose [base, base+size) range contains addr,
 * or NULL (used by dladdr()). */
soinfo *find_containing_library(const void *addr)
{
    soinfo *si;

    for(si = solist; si != NULL; si = si->next)
    {
        if((unsigned)addr >= si->base && (unsigned)addr - si->base < si->size) {
            return si;
        }
    }

    return NULL;
}

/* Returns the defined symbol in si whose [st_value, st_value+st_size)
 * range covers addr (addr given as an absolute address), or NULL. */
Elf32_Sym *find_containing_symbol(const void *addr, soinfo *si)
{
    unsigned int i;
    unsigned soaddr = (unsigned)addr - si->base;

    /* Search the library's symbol table for any defined symbol which
     * contains this address */
    for(i=0; i<si->nchain; i++) {
        Elf32_Sym *sym = &si->symtab[i];

        if(sym->st_shndx != SHN_UNDEF &&
           soaddr >= sym->st_value &&
           soaddr < sym->st_value + sym->st_size) {
            return sym;
        }
    }

    return NULL;
}

#if 0
/* Debug helper: dump every symtab entry of si (disabled). */
static void dump(soinfo *si)
{
    Elf32_Sym *s = si->symtab;
    unsigned n;

    for(n = 0; n < si->nchain; n++) {
        TRACE("%5d %04d> %08x: %02x %04x %08x %08x %s\n", pid, n, s,
              s->st_info, s->st_shndx, s->st_value, s->st_size,
              si->strtab + s->st_name);
        s++;
    }
}
#endif

/* Built-in fallback search path, tried after LD_LIBRARY_PATH (ldpaths). */
static const char *sopaths[] = {
    "/vendor/lib",
    "/system/lib",
    0
};

/* Open `name` read-only iff it exists and is a regular file; -1 otherwise. */
static int _open_lib(const char *name)
{
    int fd;
    struct stat filestat;

    if ((stat(name, &filestat) >= 0) && S_ISREG(filestat.st_mode)) {
        if ((fd = open(name, O_RDONLY)) >= 0)
            return fd;
    }

    return -1;
}

/* Locate and open a library by name.  Absolute paths are tried as-is;
 * otherwise the LD_LIBRARY_PATH entries (ldpaths) are searched first,
 * then the built-in sopaths.  Returns an open fd or -1. */
static int open_library(const char *name)
{
    int fd;
    char buf[512];
    const char **path;
    int n;

    TRACE("[ %5d opening %s ]\n", pid, name);

    if(name == 0) return -1;
    if(strlen(name) > 256) return -1;

    if ((name[0] == '/') && ((fd = _open_lib(name)) >= 0))
        return fd;

    for (path = ldpaths; *path; path++) {
        n = format_buffer(buf, sizeof(buf), "%s/%s", *path, name);
        if (n < 0 || n >= (int)sizeof(buf)) {
            WARN("Ignoring very long library path: %s/%s\n", *path, name);
            continue;
        }
        if ((fd = _open_lib(buf)) >= 0)
            return fd;
    }
    for (path = sopaths; *path; path++) {
        n = format_buffer(buf, sizeof(buf), "%s/%s", *path, name);
        if (n < 0 || n >= (int)sizeof(buf)) {
            WARN("Ignoring very long library path: %s/%s\n", *path, name);
            continue;
        }
        if ((fd = _open_lib(buf)) >= 0)
            return fd;
    }

    return -1;
}

/* temporary space for holding the first page of the shared lib
 * which contains the elf header (with the pht). */
static unsigned char __header[PAGE_SIZE];

/* Trailer appended to prelinked libraries by the apriori tool: the desired
 * load address followed by the "PRE " magic, stored in the file's last
 * sizeof(prelink_info_t) bytes. */
typedef struct {
    long mmap_addr;
    char tag[4]; /* 'P', 'R', 'E', ' ' */
} prelink_info_t;

/* Returns the requested base address if the library is prelinked,
 * and 0 otherwise.
*/ 688static unsigned long 689is_prelinked(int fd, const char *name) 690{ 691 off_t sz; 692 prelink_info_t info; 693 694 sz = lseek(fd, -sizeof(prelink_info_t), SEEK_END); 695 if (sz < 0) { 696 DL_ERR("lseek() failed!"); 697 return 0; 698 } 699 700 if (read(fd, &info, sizeof(info)) != sizeof(info)) { 701 WARN("Could not read prelink_info_t structure for `%s`\n", name); 702 return 0; 703 } 704 705 if (strncmp(info.tag, "PRE ", 4)) { 706 WARN("`%s` is not a prelinked library\n", name); 707 return 0; 708 } 709 710 return (unsigned long)info.mmap_addr; 711} 712 713/* verify_elf_object 714 * Verifies if the object @ base is a valid ELF object 715 * 716 * Args: 717 * 718 * Returns: 719 * 0 on success 720 * -1 if no valid ELF object is found @ base. 721 */ 722static int 723verify_elf_object(void *base, const char *name) 724{ 725 Elf32_Ehdr *hdr = (Elf32_Ehdr *) base; 726 727 if (hdr->e_ident[EI_MAG0] != ELFMAG0) return -1; 728 if (hdr->e_ident[EI_MAG1] != ELFMAG1) return -1; 729 if (hdr->e_ident[EI_MAG2] != ELFMAG2) return -1; 730 if (hdr->e_ident[EI_MAG3] != ELFMAG3) return -1; 731 732 /* TODO: Should we verify anything else in the header? */ 733#ifdef ANDROID_ARM_LINKER 734 if (hdr->e_machine != EM_ARM) return -1; 735#elif defined(ANDROID_X86_LINKER) 736 if (hdr->e_machine != EM_386) return -1; 737#endif 738 return 0; 739} 740 741 742/* get_lib_extents 743 * Retrieves the base (*base) address where the ELF object should be 744 * mapped and its overall memory size (*total_sz). 745 * 746 * Args: 747 * fd: Opened file descriptor for the library 748 * name: The name of the library 749 * _hdr: Pointer to the header page of the library 750 * total_sz: Total size of the memory that should be allocated for 751 * this library 752 * 753 * Returns: 754 * -1 if there was an error while trying to get the lib extents. 755 * The possible reasons are: 756 * - Could not determine if the library was prelinked. 
757 * - The library provided is not a valid ELF object 758 * 0 if the library did not request a specific base offset (normal 759 * for non-prelinked libs) 760 * > 0 if the library requests a specific address to be mapped to. 761 * This indicates a pre-linked library. 762 */ 763static unsigned 764get_lib_extents(int fd, const char *name, void *__hdr, unsigned *total_sz) 765{ 766 unsigned req_base; 767 unsigned min_vaddr = 0xffffffff; 768 unsigned max_vaddr = 0; 769 unsigned char *_hdr = (unsigned char *)__hdr; 770 Elf32_Ehdr *ehdr = (Elf32_Ehdr *)_hdr; 771 Elf32_Phdr *phdr; 772 int cnt; 773 774 TRACE("[ %5d Computing extents for '%s'. ]\n", pid, name); 775 if (verify_elf_object(_hdr, name) < 0) { 776 DL_ERR("%5d - %s is not a valid ELF object", pid, name); 777 return (unsigned)-1; 778 } 779 780 req_base = (unsigned) is_prelinked(fd, name); 781 if (req_base == (unsigned)-1) 782 return -1; 783 else if (req_base != 0) { 784 TRACE("[ %5d - Prelinked library '%s' requesting base @ 0x%08x ]\n", 785 pid, name, req_base); 786 } else { 787 TRACE("[ %5d - Non-prelinked library '%s' found. ]\n", pid, name); 788 } 789 790 phdr = (Elf32_Phdr *)(_hdr + ehdr->e_phoff); 791 792 /* find the min/max p_vaddrs from all the PT_LOAD segments so we can 793 * get the range. 
*/ 794 for (cnt = 0; cnt < ehdr->e_phnum; ++cnt, ++phdr) { 795 if (phdr->p_type == PT_LOAD) { 796 if ((phdr->p_vaddr + phdr->p_memsz) > max_vaddr) 797 max_vaddr = phdr->p_vaddr + phdr->p_memsz; 798 if (phdr->p_vaddr < min_vaddr) 799 min_vaddr = phdr->p_vaddr; 800 } 801 } 802 803 if ((min_vaddr == 0xffffffff) && (max_vaddr == 0)) { 804 DL_ERR("%5d - No loadable segments found in %s.", pid, name); 805 return (unsigned)-1; 806 } 807 808 /* truncate min_vaddr down to page boundary */ 809 min_vaddr &= ~PAGE_MASK; 810 811 /* round max_vaddr up to the next page */ 812 max_vaddr = (max_vaddr + PAGE_SIZE - 1) & ~PAGE_MASK; 813 814 *total_sz = (max_vaddr - min_vaddr); 815 return (unsigned)req_base; 816} 817 818/* alloc_mem_region 819 * 820 * This function reserves a chunk of memory to be used for mapping in 821 * the shared library. We reserve the entire memory region here, and 822 * then the rest of the linker will relocate the individual loadable 823 * segments into the correct locations within this memory range. 824 * 825 * Args: 826 * si->base: The requested base of the allocation. If 0, a sane one will be 827 * chosen in the range LIBBASE <= base < LIBLAST. 828 * si->size: The size of the allocation. 829 * 830 * Returns: 831 * -1 on failure, and 0 on success. On success, si->base will contain 832 * the virtual address at which the library will be mapped. 833 */ 834 835static int reserve_mem_region(soinfo *si) 836{ 837 void *base = mmap((void *)si->base, si->size, PROT_READ | PROT_EXEC, 838 MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 839 if (base == MAP_FAILED) { 840 DL_ERR("%5d can NOT map (%sprelinked) library '%s' at 0x%08x " 841 "as requested, will try general pool: %d (%s)", 842 pid, (si->base ? "" : "non-"), si->name, si->base, 843 errno, strerror(errno)); 844 return -1; 845 } else if (base != (void *)si->base) { 846 DL_ERR("OOPS: %5d %sprelinked library '%s' mapped at 0x%08x, " 847 "not at 0x%08x", pid, (si->base ? 
"" : "non-"), 848 si->name, (unsigned)base, si->base); 849 munmap(base, si->size); 850 return -1; 851 } 852 return 0; 853} 854 855static int 856alloc_mem_region(soinfo *si) 857{ 858 if (si->base) { 859 /* Attempt to mmap a prelinked library. */ 860 return reserve_mem_region(si); 861 } 862 863 /* This is not a prelinked library, so we use the kernel's default 864 allocator. 865 */ 866 867 void *base = mmap(NULL, si->size, PROT_READ | PROT_EXEC, 868 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 869 if (base == MAP_FAILED) { 870 DL_ERR("%5d mmap of library '%s' failed: %d (%s)\n", 871 pid, si->name, 872 errno, strerror(errno)); 873 goto err; 874 } 875 si->base = (unsigned) base; 876 PRINT("%5d mapped library '%s' to %08x via kernel allocator.\n", 877 pid, si->name, si->base); 878 return 0; 879 880err: 881 DL_ERR("OOPS: %5d cannot map library '%s'. no vspace available.", 882 pid, si->name); 883 return -1; 884} 885 886#define MAYBE_MAP_FLAG(x,from,to) (((x) & (from)) ? (to) : 0) 887#define PFLAGS_TO_PROT(x) (MAYBE_MAP_FLAG((x), PF_X, PROT_EXEC) | \ 888 MAYBE_MAP_FLAG((x), PF_R, PROT_READ) | \ 889 MAYBE_MAP_FLAG((x), PF_W, PROT_WRITE)) 890/* load_segments 891 * 892 * This function loads all the loadable (PT_LOAD) segments into memory 893 * at their appropriate memory offsets off the base address. 894 * 895 * Args: 896 * fd: Open file descriptor to the library to load. 897 * header: Pointer to a header page that contains the ELF header. 898 * This is needed since we haven't mapped in the real file yet. 899 * si: ptr to soinfo struct describing the shared object. 900 * 901 * Returns: 902 * 0 on success, -1 on failure. 
903 */ 904static int 905load_segments(int fd, void *header, soinfo *si) 906{ 907 Elf32_Ehdr *ehdr = (Elf32_Ehdr *)header; 908 Elf32_Phdr *phdr = (Elf32_Phdr *)((unsigned char *)header + ehdr->e_phoff); 909 Elf32_Addr base = (Elf32_Addr) si->base; 910 int cnt; 911 unsigned len; 912 Elf32_Addr tmp; 913 unsigned char *pbase; 914 unsigned char *extra_base; 915 unsigned extra_len; 916 unsigned total_sz = 0; 917 918 si->wrprotect_start = 0xffffffff; 919 si->wrprotect_end = 0; 920 921 TRACE("[ %5d - Begin loading segments for '%s' @ 0x%08x ]\n", 922 pid, si->name, (unsigned)si->base); 923 /* Now go through all the PT_LOAD segments and map them into memory 924 * at the appropriate locations. */ 925 for (cnt = 0; cnt < ehdr->e_phnum; ++cnt, ++phdr) { 926 if (phdr->p_type == PT_LOAD) { 927 DEBUG_DUMP_PHDR(phdr, "PT_LOAD", pid); 928 /* we want to map in the segment on a page boundary */ 929 tmp = base + (phdr->p_vaddr & (~PAGE_MASK)); 930 /* add the # of bytes we masked off above to the total length. */ 931 len = phdr->p_filesz + (phdr->p_vaddr & PAGE_MASK); 932 933 TRACE("[ %d - Trying to load segment from '%s' @ 0x%08x " 934 "(0x%08x). p_vaddr=0x%08x p_offset=0x%08x ]\n", pid, si->name, 935 (unsigned)tmp, len, phdr->p_vaddr, phdr->p_offset); 936 pbase = mmap((void *)tmp, len, PFLAGS_TO_PROT(phdr->p_flags), 937 MAP_PRIVATE | MAP_FIXED, fd, 938 phdr->p_offset & (~PAGE_MASK)); 939 if (pbase == MAP_FAILED) { 940 DL_ERR("%d failed to map segment from '%s' @ 0x%08x (0x%08x). " 941 "p_vaddr=0x%08x p_offset=0x%08x", pid, si->name, 942 (unsigned)tmp, len, phdr->p_vaddr, phdr->p_offset); 943 goto fail; 944 } 945 946 /* If 'len' didn't end on page boundary, and it's a writable 947 * segment, zero-fill the rest. */ 948 if ((len & PAGE_MASK) && (phdr->p_flags & PF_W)) 949 memset((void *)(pbase + len), 0, PAGE_SIZE - (len & PAGE_MASK)); 950 951 /* Check to see if we need to extend the map for this segment to 952 * cover the diff between filesz and memsz (i.e. for bss). 
953 * 954 * base _+---------------------+ page boundary 955 * . . 956 * | | 957 * . . 958 * pbase _+---------------------+ page boundary 959 * | | 960 * . . 961 * base + p_vaddr _| | 962 * . \ \ . 963 * . | filesz | . 964 * pbase + len _| / | | 965 * <0 pad> . . . 966 * extra_base _+------------|--------+ page boundary 967 * / . . . 968 * | . . . 969 * | +------------|--------+ page boundary 970 * extra_len-> | | | | 971 * | . | memsz . 972 * | . | . 973 * \ _| / | 974 * . . 975 * | | 976 * _+---------------------+ page boundary 977 */ 978 tmp = (Elf32_Addr)(((unsigned)pbase + len + PAGE_SIZE - 1) & 979 (~PAGE_MASK)); 980 if (tmp < (base + phdr->p_vaddr + phdr->p_memsz)) { 981 extra_len = base + phdr->p_vaddr + phdr->p_memsz - tmp; 982 TRACE("[ %5d - Need to extend segment from '%s' @ 0x%08x " 983 "(0x%08x) ]\n", pid, si->name, (unsigned)tmp, extra_len); 984 /* map in the extra page(s) as anonymous into the range. 985 * This is probably not necessary as we already mapped in 986 * the entire region previously, but we just want to be 987 * sure. This will also set the right flags on the region 988 * (though we can probably accomplish the same thing with 989 * mprotect). 990 */ 991 extra_base = mmap((void *)tmp, extra_len, 992 PFLAGS_TO_PROT(phdr->p_flags), 993 MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS, 994 -1, 0); 995 if (extra_base == MAP_FAILED) { 996 DL_ERR("[ %5d - failed to extend segment from '%s' @ 0x%08x" 997 " (0x%08x) ]", pid, si->name, (unsigned)tmp, 998 extra_len); 999 goto fail; 1000 } 1001 /* TODO: Check if we need to memset-0 this region. 1002 * Anonymous mappings are zero-filled copy-on-writes, so we 1003 * shouldn't need to. 
*/ 1004 TRACE("[ %5d - Segment from '%s' extended @ 0x%08x " 1005 "(0x%08x)\n", pid, si->name, (unsigned)extra_base, 1006 extra_len); 1007 } 1008 /* set the len here to show the full extent of the segment we 1009 * just loaded, mostly for debugging */ 1010 len = (((unsigned)base + phdr->p_vaddr + phdr->p_memsz + 1011 PAGE_SIZE - 1) & (~PAGE_MASK)) - (unsigned)pbase; 1012 TRACE("[ %5d - Successfully loaded segment from '%s' @ 0x%08x " 1013 "(0x%08x). p_vaddr=0x%08x p_offset=0x%08x\n", pid, si->name, 1014 (unsigned)pbase, len, phdr->p_vaddr, phdr->p_offset); 1015 total_sz += len; 1016 /* Make the section writable just in case we'll have to write to 1017 * it during relocation (i.e. text segment). However, we will 1018 * remember what range of addresses should be write protected. 1019 * 1020 */ 1021 if (!(phdr->p_flags & PF_W)) { 1022 if ((unsigned)pbase < si->wrprotect_start) 1023 si->wrprotect_start = (unsigned)pbase; 1024 if (((unsigned)pbase + len) > si->wrprotect_end) 1025 si->wrprotect_end = (unsigned)pbase + len; 1026 mprotect(pbase, len, 1027 PFLAGS_TO_PROT(phdr->p_flags) | PROT_WRITE); 1028 } 1029 } else if (phdr->p_type == PT_DYNAMIC) { 1030 DEBUG_DUMP_PHDR(phdr, "PT_DYNAMIC", pid); 1031 /* this segment contains the dynamic linking information */ 1032 si->dynamic = (unsigned *)(base + phdr->p_vaddr); 1033 } else if (phdr->p_type == PT_GNU_RELRO) { 1034 if ((phdr->p_vaddr >= si->size) 1035 || ((phdr->p_vaddr + phdr->p_memsz) >= si->size) 1036 || ((base + phdr->p_vaddr + phdr->p_memsz) < base)) { 1037 DL_ERR("%d invalid GNU_RELRO in '%s' " 1038 "p_vaddr=0x%08x p_memsz=0x%08x", pid, si->name, 1039 phdr->p_vaddr, phdr->p_memsz); 1040 goto fail; 1041 } 1042 si->gnu_relro_start = (Elf32_Addr) (base + phdr->p_vaddr); 1043 si->gnu_relro_len = (unsigned) phdr->p_memsz; 1044 } else { 1045#ifdef ANDROID_ARM_LINKER 1046 if (phdr->p_type == PT_ARM_EXIDX) { 1047 DEBUG_DUMP_PHDR(phdr, "PT_ARM_EXIDX", pid); 1048 /* exidx entries (used for stack unwinding) are 8 bytes each. 
1049 */ 1050 si->ARM_exidx = (unsigned *)phdr->p_vaddr; 1051 si->ARM_exidx_count = phdr->p_memsz / 8; 1052 } 1053#endif 1054 } 1055 1056 } 1057 1058 /* Sanity check */ 1059 if (total_sz > si->size) { 1060 DL_ERR("%5d - Total length (0x%08x) of mapped segments from '%s' is " 1061 "greater than what was allocated (0x%08x). THIS IS BAD!", 1062 pid, total_sz, si->name, si->size); 1063 goto fail; 1064 } 1065 1066 TRACE("[ %5d - Finish loading segments for '%s' @ 0x%08x. " 1067 "Total memory footprint: 0x%08x bytes ]\n", pid, si->name, 1068 (unsigned)si->base, si->size); 1069 return 0; 1070 1071fail: 1072 /* We can just blindly unmap the entire region even though some things 1073 * were mapped in originally with anonymous and others could have been 1074 * been mapped in from the file before we failed. The kernel will unmap 1075 * all the pages in the range, irrespective of how they got there. 1076 */ 1077 munmap((void *)si->base, si->size); 1078 si->flags |= FLAG_ERROR; 1079 return -1; 1080} 1081 1082/* TODO: Implement this to take care of the fact that Android ARM 1083 * ELF objects shove everything into a single loadable segment that has the 1084 * write bit set. wr_offset is then used to set non-(data|bss) pages to be 1085 * non-writable. 1086 */ 1087#if 0 1088static unsigned 1089get_wr_offset(int fd, const char *name, Elf32_Ehdr *ehdr) 1090{ 1091 Elf32_Shdr *shdr_start; 1092 Elf32_Shdr *shdr; 1093 int shdr_sz = ehdr->e_shnum * sizeof(Elf32_Shdr); 1094 int cnt; 1095 unsigned wr_offset = 0xffffffff; 1096 1097 shdr_start = mmap(0, shdr_sz, PROT_READ, MAP_PRIVATE, fd, 1098 ehdr->e_shoff & (~PAGE_MASK)); 1099 if (shdr_start == MAP_FAILED) { 1100 WARN("%5d - Could not read section header info from '%s'. 
Will not " 1101 "not be able to determine write-protect offset.\n", pid, name); 1102 return (unsigned)-1; 1103 } 1104 1105 for(cnt = 0, shdr = shdr_start; cnt < ehdr->e_shnum; ++cnt, ++shdr) { 1106 if ((shdr->sh_type != SHT_NULL) && (shdr->sh_flags & SHF_WRITE) && 1107 (shdr->sh_addr < wr_offset)) { 1108 wr_offset = shdr->sh_addr; 1109 } 1110 } 1111 1112 munmap(shdr_start, shdr_sz); 1113 return wr_offset; 1114} 1115#endif 1116 1117static soinfo * 1118load_library(const char *name) 1119{ 1120 int fd = open_library(name); 1121 int cnt; 1122 unsigned ext_sz; 1123 unsigned req_base; 1124 const char *bname; 1125 soinfo *si = NULL; 1126 Elf32_Ehdr *hdr; 1127 1128 if(fd == -1) { 1129 DL_ERR("Library '%s' not found", name); 1130 return NULL; 1131 } 1132 1133 /* We have to read the ELF header to figure out what to do with this image 1134 */ 1135 if (lseek(fd, 0, SEEK_SET) < 0) { 1136 DL_ERR("lseek() failed!"); 1137 goto fail; 1138 } 1139 1140 if ((cnt = read(fd, &__header[0], PAGE_SIZE)) < 0) { 1141 DL_ERR("read() failed!"); 1142 goto fail; 1143 } 1144 1145 /* Parse the ELF header and get the size of the memory footprint for 1146 * the library */ 1147 req_base = get_lib_extents(fd, name, &__header[0], &ext_sz); 1148 if (req_base == (unsigned)-1) 1149 goto fail; 1150 TRACE("[ %5d - '%s' (%s) wants base=0x%08x sz=0x%08x ]\n", pid, name, 1151 (req_base ? "prelinked" : "not pre-linked"), req_base, ext_sz); 1152 1153 /* Now configure the soinfo struct where we'll store all of our data 1154 * for the ELF object. If the loading fails, we waste the entry, but 1155 * same thing would happen if we failed during linking. Configuring the 1156 * soinfo struct here is a lot more convenient. 1157 */ 1158 bname = strrchr(name, '/'); 1159 si = alloc_info(bname ? 
bname + 1 : name);
    if (si == NULL)
        goto fail;

    /* Carve out a chunk of memory where we will map in the individual
     * segments */
    si->base = req_base;
    si->size = ext_sz;
    si->flags = 0;
    si->entry = 0;
    si->dynamic = (unsigned *)-1;  /* sentinel: "no PT_DYNAMIC seen yet" */
    if (alloc_mem_region(si) < 0)
        goto fail;

    TRACE("[ %5d allocated memory for %s @ %p (0x%08x) ]\n",
          pid, name, (void *)si->base, (unsigned) ext_sz);

    /* Now actually load the library's segments into right places in memory */
    if (load_segments(fd, &__header[0], si) < 0) {
        goto fail;
    }

    /* this might not be right. Technically, we don't even need this info
     * once we go through 'load_segments'. */
    hdr = (Elf32_Ehdr *)si->base;
    si->phdr = (Elf32_Phdr *)((unsigned char *)si->base + hdr->e_phoff);
    si->phnum = hdr->e_phnum;
    /**/

    close(fd);
    return si;

fail:
    /* alloc_info'd entry is recycled; load_segments unmaps on its own
     * failure path, so no extra munmap is needed here. */
    if (si) free_info(si);
    close(fd);
    return NULL;
}

/* Second loading stage: relocate and link the freshly loaded 'si'.
 * Returns 'si' on success; on failure unmaps the image and returns NULL. */
static soinfo *
init_library(soinfo *si)
{
    unsigned wr_offset = 0xffffffff;

    /* At this point we know that whatever is loaded @ base is a valid ELF
     * shared library whose segments are properly mapped in. */
    TRACE("[ %5d init_library base=0x%08x sz=0x%08x name='%s') ]\n",
          pid, si->base, si->size, si->name);

    if(link_image(si, wr_offset)) {
        /* We failed to link.  However, we can only restore libbase
        ** if no additional libraries have moved it since we updated it.
        */
        munmap((void *)si->base, si->size);
        return NULL;
    }

    return si;
}

/* Return the soinfo for 'name', loading and linking the library first if
 * it is not already in the global list. Lookup is by basename. A NULL
 * name refers to the main executable (when ALLOW_SYMBOLS_FROM_MAIN). */
soinfo *find_library(const char *name)
{
    soinfo *si;
    const char *bname;

#if ALLOW_SYMBOLS_FROM_MAIN
    if (name == NULL)
        return somain;
#else
    if (name == NULL)
        return NULL;
#endif

    bname = strrchr(name, '/');
    bname = bname ?
bname + 1 : name;

    for(si = solist; si != 0; si = si->next){
        if(!strcmp(bname, si->name)) {
            if(si->flags & FLAG_ERROR) {
                DL_ERR("%5d '%s' failed to load previously", pid, bname);
                return NULL;
            }
            /* Loaded but not yet linked means we re-entered during its
             * own link step: a dependency cycle. */
            if(si->flags & FLAG_LINKED) return si;
            DL_ERR("OOPS: %5d recursive link to '%s'", pid, si->name);
            return NULL;
        }
    }

    TRACE("[ %5d '%s' has not been loaded yet.  Locating...]\n", pid, name);
    si = load_library(name);
    if(si == NULL)
        return NULL;
    return init_library(si);
}

/* TODO:
 *   notify gdb of unload
 *   for non-prelinked libraries, find a way to decrement libbase
 */
static void call_destructors(soinfo *si);
/* Drop one reference on 'si'; when the last reference goes away, run its
 * destructors, recursively unload its DT_NEEDED dependencies, unmap the
 * image and recycle the soinfo. Returns the remaining refcount. */
unsigned unload_library(soinfo *si)
{
    unsigned *d;
    if (si->refcount == 1) {
        TRACE("%5d unloading '%s'\n", pid, si->name);
        call_destructors(si);

        /*
         * Make sure that we undo the PT_GNU_RELRO protections we added
         * in link_image. This is needed to undo the DT_NEEDED hack below.
         */
        if ((si->gnu_relro_start != 0) && (si->gnu_relro_len != 0)) {
            Elf32_Addr start = (si->gnu_relro_start & ~PAGE_MASK);
            unsigned len = (si->gnu_relro_start - start) + si->gnu_relro_len;
            if (mprotect((void *) start, len, PROT_READ | PROT_WRITE) < 0)
                DL_ERR("%5d %s: could not undo GNU_RELRO protections. "
                       "Expect a crash soon. errno=%d (%s)",
                       pid, si->name, errno, strerror(errno));

        }

        for(d = si->dynamic; *d; d += 2) {
            if(d[0] == DT_NEEDED){
                /* link_image stored the dependency's soinfo pointer in the
                 * DT_NEEDED payload (see the hack there). */
                soinfo *lsi = (soinfo *)d[1];

                // The next line will segfault if the we don't undo the
                // PT_GNU_RELRO protections (see comments above and in
                // link_image().
1286 d[1] = 0; 1287 1288 if (validate_soinfo(lsi)) { 1289 TRACE("%5d %s needs to unload %s\n", pid, 1290 si->name, lsi->name); 1291 unload_library(lsi); 1292 } 1293 else 1294 DL_ERR("%5d %s: could not unload dependent library", 1295 pid, si->name); 1296 } 1297 } 1298 1299 munmap((char *)si->base, si->size); 1300 notify_gdb_of_unload(si); 1301 free_info(si); 1302 si->refcount = 0; 1303 } 1304 else { 1305 si->refcount--; 1306 PRINT("%5d not unloading '%s', decrementing refcount to %d\n", 1307 pid, si->name, si->refcount); 1308 } 1309 return si->refcount; 1310} 1311 1312/* TODO: don't use unsigned for addrs below. It works, but is not 1313 * ideal. They should probably be either uint32_t, Elf32_Addr, or unsigned 1314 * long. 1315 */ 1316static int reloc_library(soinfo *si, Elf32_Rel *rel, unsigned count) 1317{ 1318 Elf32_Sym *symtab = si->symtab; 1319 const char *strtab = si->strtab; 1320 Elf32_Sym *s; 1321 unsigned base; 1322 Elf32_Rel *start = rel; 1323 unsigned idx; 1324 1325 for (idx = 0; idx < count; ++idx) { 1326 unsigned type = ELF32_R_TYPE(rel->r_info); 1327 unsigned sym = ELF32_R_SYM(rel->r_info); 1328 unsigned reloc = (unsigned)(rel->r_offset + si->base); 1329 unsigned sym_addr = 0; 1330 char *sym_name = NULL; 1331 1332 DEBUG("%5d Processing '%s' relocation at index %d\n", pid, 1333 si->name, idx); 1334 if(sym != 0) { 1335 sym_name = (char *)(strtab + symtab[sym].st_name); 1336 s = _do_lookup(si, sym_name, &base); 1337 if(s == NULL) { 1338 /* We only allow an undefined symbol if this is a weak 1339 reference.. */ 1340 s = &symtab[sym]; 1341 if (ELF32_ST_BIND(s->st_info) != STB_WEAK) { 1342 DL_ERR("%5d cannot locate '%s'...\n", pid, sym_name); 1343 return -1; 1344 } 1345 1346 /* IHI0044C AAELF 4.5.1.1: 1347 1348 Libraries are not searched to resolve weak references. 1349 It is not an error for a weak reference to remain 1350 unsatisfied. 

                   During linking, the value of an undefined weak reference is:
                   - Zero if the relocation type is absolute
                   - The address of the place if the relocation is pc-relative
                   - The address of nominal base address if the relocation
                     type is base-relative.
                  */

                switch (type) {
#if defined(ANDROID_ARM_LINKER)
                case R_ARM_JUMP_SLOT:
                case R_ARM_GLOB_DAT:
                case R_ARM_ABS32:
                case R_ARM_RELATIVE:    /* Don't care. */
                case R_ARM_NONE:        /* Don't care. */
#elif defined(ANDROID_X86_LINKER)
                case R_386_JUMP_SLOT:
                case R_386_GLOB_DAT:
                case R_386_32:
                case R_386_RELATIVE:    /* Don't care. */
#endif /* ANDROID_*_LINKER */
                    /* sym_addr was initialized to be zero above or relocation
                       code below does not care about value of sym_addr.
                       No need to do anything.  */
                    break;

#if defined(ANDROID_X86_LINKER)
                case R_386_PC32:
                    /* pc-relative: the value of the place itself. */
                    sym_addr = reloc;
                    break;
#endif /* ANDROID_X86_LINKER */

#if defined(ANDROID_ARM_LINKER)
                case R_ARM_COPY:
                    /* Fall through.  Can't really copy if weak symbol is
                       not found in run-time.  */
#endif /* ANDROID_ARM_LINKER */
                default:
                    DL_ERR("%5d unknown weak reloc type %d @ %p (%d)\n",
                           pid, type, rel, (int) (rel - start));
                    return -1;
                }
            } else {
                /* We got a definition.  */
#if 0
                if((base == 0) && (si->base != 0)){
                        /* linking from libraries to main image is bad */
                    DL_ERR("%5d cannot locate '%s'...",
                           pid, strtab + symtab[sym].st_name);
                    return -1;
                }
#endif
                sym_addr = (unsigned)(s->st_value + base);
            }
            COUNT_RELOC(RELOC_SYMBOL);
        } else {
            s = NULL;
        }

/* TODO: This is ugly. Split up the relocations by arch into
 * different files.
 */
        switch(type){
#if defined(ANDROID_ARM_LINKER)
        case R_ARM_JUMP_SLOT:
            COUNT_RELOC(RELOC_ABSOLUTE);
            MARK(rel->r_offset);
            TRACE_TYPE(RELO, "%5d RELO JMP_SLOT %08x <- %08x %s\n", pid,
                       reloc, sym_addr, sym_name);
            *((unsigned*)reloc) = sym_addr;
            break;
        case R_ARM_GLOB_DAT:
            COUNT_RELOC(RELOC_ABSOLUTE);
            MARK(rel->r_offset);
            TRACE_TYPE(RELO, "%5d RELO GLOB_DAT %08x <- %08x %s\n", pid,
                       reloc, sym_addr, sym_name);
            *((unsigned*)reloc) = sym_addr;
            break;
        case R_ARM_ABS32:
            COUNT_RELOC(RELOC_ABSOLUTE);
            MARK(rel->r_offset);
            TRACE_TYPE(RELO, "%5d RELO ABS %08x <- %08x %s\n", pid,
                       reloc, sym_addr, sym_name);
            /* note: ABS32 *adds* to the addend already in place. */
            *((unsigned*)reloc) += sym_addr;
            break;
        case R_ARM_REL32:
            COUNT_RELOC(RELOC_RELATIVE);
            MARK(rel->r_offset);
            TRACE_TYPE(RELO, "%5d RELO REL32 %08x <- %08x - %08x %s\n", pid,
                       reloc, sym_addr, rel->r_offset, sym_name);
            *((unsigned*)reloc) += sym_addr - rel->r_offset;
            break;
#elif defined(ANDROID_X86_LINKER)
        case R_386_JUMP_SLOT:
            COUNT_RELOC(RELOC_ABSOLUTE);
            MARK(rel->r_offset);
            TRACE_TYPE(RELO, "%5d RELO JMP_SLOT %08x <- %08x %s\n", pid,
                       reloc, sym_addr, sym_name);
            *((unsigned*)reloc) = sym_addr;
            break;
        case R_386_GLOB_DAT:
            COUNT_RELOC(RELOC_ABSOLUTE);
            MARK(rel->r_offset);
            TRACE_TYPE(RELO, "%5d RELO GLOB_DAT %08x <- %08x %s\n", pid,
                       reloc, sym_addr, sym_name);
            *((unsigned*)reloc) = sym_addr;
            break;
#endif /* ANDROID_*_LINKER */

#if defined(ANDROID_ARM_LINKER)
        case R_ARM_RELATIVE:
#elif defined(ANDROID_X86_LINKER)
        case R_386_RELATIVE:
#endif /* ANDROID_*_LINKER */
            COUNT_RELOC(RELOC_RELATIVE);
            MARK(rel->r_offset);
            /* RELATIVE relocations never name a symbol. */
            if(sym){
                DL_ERR("%5d odd RELATIVE form...", pid);
                return -1;
            }
            TRACE_TYPE(RELO, "%5d RELO RELATIVE %08x <- +%08x\n", pid,
                       reloc, si->base);
            *((unsigned*)reloc) += si->base;
            break;

#if defined(ANDROID_X86_LINKER)
        case R_386_32:
            COUNT_RELOC(RELOC_RELATIVE);
            MARK(rel->r_offset);

            TRACE_TYPE(RELO, "%5d RELO R_386_32 %08x <- +%08x %s\n", pid,
                       reloc, sym_addr, sym_name);
            *((unsigned *)reloc) += (unsigned)sym_addr;
            break;

        case R_386_PC32:
            COUNT_RELOC(RELOC_RELATIVE);
            MARK(rel->r_offset);
            TRACE_TYPE(RELO, "%5d RELO R_386_PC32 %08x <- "
                       "+%08x (%08x - %08x) %s\n", pid, reloc,
                       (sym_addr - reloc), sym_addr, reloc, sym_name);
            *((unsigned *)reloc) += (unsigned)(sym_addr - reloc);
            break;
#endif /* ANDROID_X86_LINKER */

#ifdef ANDROID_ARM_LINKER
        case R_ARM_COPY:
            COUNT_RELOC(RELOC_COPY);
            MARK(rel->r_offset);
            TRACE_TYPE(RELO, "%5d RELO %08x <- %d @ %08x %s\n", pid,
                       reloc, s->st_size, sym_addr, sym_name);
            /* copy the symbol's data into the executable's own storage. */
            memcpy((void*)reloc, (void*)sym_addr, s->st_size);
            break;
        case R_ARM_NONE:
            break;
#endif /* ANDROID_ARM_LINKER */

        default:
            DL_ERR("%5d unknown reloc type %d @ %p (%d)",
                   pid, type, rel, (int) (rel - start));
            return -1;
        }
        rel++;
    }
    return 0;
}

/* Please read the "Initialization and Termination functions" functions.
 * of the linker design note in bionic/linker/README.TXT to understand
 * what the following code is doing.
 *
 * The important things to remember are:
 *
 *   DT_PREINIT_ARRAY must be called first for executables, and should
 *   not appear in shared libraries.
 *
 *   DT_INIT should be called before DT_INIT_ARRAY if both are present
 *
 *   DT_FINI should be called after DT_FINI_ARRAY if both are present
 *
 *   DT_FINI_ARRAY must be parsed in reverse order.
1532 */ 1533 1534static void call_array(unsigned *ctor, int count, int reverse) 1535{ 1536 int n, inc = 1; 1537 1538 if (reverse) { 1539 ctor += (count-1); 1540 inc = -1; 1541 } 1542 1543 for(n = count; n > 0; n--) { 1544 TRACE("[ %5d Looking at %s *0x%08x == 0x%08x ]\n", pid, 1545 reverse ? "dtor" : "ctor", 1546 (unsigned)ctor, (unsigned)*ctor); 1547 void (*func)() = (void (*)()) *ctor; 1548 ctor += inc; 1549 if(((int) func == 0) || ((int) func == -1)) continue; 1550 TRACE("[ %5d Calling func @ 0x%08x ]\n", pid, (unsigned)func); 1551 func(); 1552 } 1553} 1554 1555void call_constructors_recursive(soinfo *si) 1556{ 1557 if (si->constructors_called) 1558 return; 1559 1560 // Set this before actually calling the constructors, otherwise it doesn't 1561 // protect against recursive constructor calls. One simple example of 1562 // constructor recursion is the libc debug malloc, which is implemented in 1563 // libc_malloc_debug_leak.so: 1564 // 1. The program depends on libc, so libc's constructor is called here. 1565 // 2. The libc constructor calls dlopen() to load libc_malloc_debug_leak.so. 1566 // 3. dlopen() calls call_constructors_recursive() with the newly created 1567 // soinfo for libc_malloc_debug_leak.so. 1568 // 4. The debug so depends on libc, so call_constructors_recursive() is 1569 // called again with the libc soinfo. If it doesn't trigger the early- 1570 // out above, the libc constructor will be called again (recursively!). 1571 si->constructors_called = 1; 1572 1573 if (si->flags & FLAG_EXE) { 1574 TRACE("[ %5d Calling preinit_array @ 0x%08x [%d] for '%s' ]\n", 1575 pid, (unsigned)si->preinit_array, si->preinit_array_count, 1576 si->name); 1577 call_array(si->preinit_array, si->preinit_array_count, 0); 1578 TRACE("[ %5d Done calling preinit_array for '%s' ]\n", pid, si->name); 1579 } else { 1580 if (si->preinit_array) { 1581 DL_ERR("%5d Shared library '%s' has a preinit_array table @ 0x%08x." 
1582 " This is INVALID.", pid, si->name, 1583 (unsigned)si->preinit_array); 1584 } 1585 } 1586 1587 if (si->dynamic) { 1588 unsigned *d; 1589 for(d = si->dynamic; *d; d += 2) { 1590 if(d[0] == DT_NEEDED){ 1591 soinfo* lsi = (soinfo *)d[1]; 1592 if (!validate_soinfo(lsi)) { 1593 DL_ERR("%5d bad DT_NEEDED pointer in %s", 1594 pid, si->name); 1595 } else { 1596 call_constructors_recursive(lsi); 1597 } 1598 } 1599 } 1600 } 1601 1602 if (si->init_func) { 1603 TRACE("[ %5d Calling init_func @ 0x%08x for '%s' ]\n", pid, 1604 (unsigned)si->init_func, si->name); 1605 si->init_func(); 1606 TRACE("[ %5d Done calling init_func for '%s' ]\n", pid, si->name); 1607 } 1608 1609 if (si->init_array) { 1610 TRACE("[ %5d Calling init_array @ 0x%08x [%d] for '%s' ]\n", pid, 1611 (unsigned)si->init_array, si->init_array_count, si->name); 1612 call_array(si->init_array, si->init_array_count, 0); 1613 TRACE("[ %5d Done calling init_array for '%s' ]\n", pid, si->name); 1614 } 1615 1616} 1617 1618static void call_destructors(soinfo *si) 1619{ 1620 if (si->fini_array) { 1621 TRACE("[ %5d Calling fini_array @ 0x%08x [%d] for '%s' ]\n", pid, 1622 (unsigned)si->fini_array, si->fini_array_count, si->name); 1623 call_array(si->fini_array, si->fini_array_count, 1); 1624 TRACE("[ %5d Done calling fini_array for '%s' ]\n", pid, si->name); 1625 } 1626 1627 if (si->fini_func) { 1628 TRACE("[ %5d Calling fini_func @ 0x%08x for '%s' ]\n", pid, 1629 (unsigned)si->fini_func, si->name); 1630 si->fini_func(); 1631 TRACE("[ %5d Done calling fini_func for '%s' ]\n", pid, si->name); 1632 } 1633} 1634 1635/* Force any of the closed stdin, stdout and stderr to be associated with 1636 /dev/null. 
 */
static int nullify_closed_stdio (void)
{
    int dev_null, i, status;
    int return_value = 0;

    dev_null = open("/dev/null", O_RDWR);
    if (dev_null < 0) {
        DL_ERR("Cannot open /dev/null.");
        return -1;
    }
    TRACE("[ %5d Opened /dev/null file-descriptor=%d]\n", pid, dev_null);

    /* If any of the stdio file descriptors is valid and not associated
       with /dev/null, dup /dev/null to it.  */
    for (i = 0; i < 3; i++) {
        /* If it is /dev/null already, we are done. If fd i was closed,
           open() above may have returned it, in which case it now IS
           /dev/null. */
        if (i == dev_null)
            continue;

        TRACE("[ %5d Nullifying stdio file descriptor %d]\n", pid, i);
        /* The man page of fcntl does not say that fcntl(..,F_GETFL)
           can be interrupted but we do this just to be safe. */
        do {
          status = fcntl(i, F_GETFL);
        } while (status < 0 && errno == EINTR);

        /* If file is opened, we are good. */
        if (status >= 0)
          continue;

        /* The only error we allow is that the file descriptor does not
           exist, in which case we dup /dev/null to it. */
        if (errno != EBADF) {
            DL_ERR("nullify_stdio: unhandled error %s", strerror(errno));
            return_value = -1;
            continue;
        }

        /* Try dupping /dev/null to this stdio file descriptor and
           repeat if there is a signal.  Note that any errors in closing
           the stdio descriptor are lost.  */
        do {
            status = dup2(dev_null, i);
        } while (status < 0 && errno == EINTR);

        if (status < 0) {
            DL_ERR("nullify_stdio: dup2 error %s", strerror(errno));
            return_value = -1;
            continue;
        }
    }

    /* If /dev/null is not one of the stdio file descriptors, close it.
 */
    if (dev_null > 2) {
        TRACE("[ %5d Closing /dev/null file-descriptor=%d]\n", pid, dev_null);
        do {
            status = close(dev_null);
        } while (status < 0 && errno == EINTR);

        if (status < 0) {
            DL_ERR("nullify_stdio: close error %s", strerror(errno));
            return_value = -1;
        }
    }

    return return_value;
}

/* Link the loaded image 'si': parse its dynamic section, load DT_NEEDED
 * dependencies, apply relocations, restore page protections (including
 * GNU_RELRO) and register with gdb. Returns 0 on success, -1 on failure
 * (FLAG_ERROR is set). 'wr_offset' is a legacy parameter, unused today. */
static int link_image(soinfo *si, unsigned wr_offset)
{
    unsigned *d;
    Elf32_Phdr *phdr = si->phdr;
    int phnum = si->phnum;

    INFO("[ %5d linking %s ]\n", pid, si->name);
    DEBUG("%5d si->base = 0x%08x si->flags = 0x%08x\n", pid,
          si->base, si->flags);

    if (si->flags & (FLAG_EXE | FLAG_LINKER)) {
        /* Locate the needed program segments (DYNAMIC/ARM_EXIDX) for
         * linkage info if this is the executable or the linker itself.
         * If this was a dynamic lib, that would have been done at load time.
         *
         * TODO: It's unfortunate that small pieces of this are
         * repeated from the load_library routine. Refactor this just
         * slightly to reuse these bits.
         */
        si->size = 0;
        for(; phnum > 0; --phnum, ++phdr) {
#ifdef ANDROID_ARM_LINKER
            if(phdr->p_type == PT_ARM_EXIDX) {
                /* exidx entries (used for stack unwinding) are 8 bytes each.
                 */
                si->ARM_exidx = (unsigned *)phdr->p_vaddr;
                si->ARM_exidx_count = phdr->p_memsz / 8;
            }
#endif
            if (phdr->p_type == PT_LOAD) {
                /* For the executable, we use the si->size field only in
                   dl_unwind_find_exidx(), so the meaning of si->size
                   is not the size of the executable; it is the distance
                   between the load location of the executable and the last
                   address of the loadable part of the executable.
                   We use the range [si->base, si->base + si->size) to
                   determine whether a PC value falls within the executable
                   section. Of course, if a value is between si->base and
                   (si->base + phdr->p_vaddr), it's not in the executable
                   section, but a) we shouldn't be asking for such a value
                   anyway, and b) if we have to provide an EXIDX for such a
                   value, then the executable's EXIDX is probably the better
                   choice.
                */
                DEBUG_DUMP_PHDR(phdr, "PT_LOAD", pid);
                if (phdr->p_vaddr + phdr->p_memsz > si->size)
                    si->size = phdr->p_vaddr + phdr->p_memsz;
                /* try to remember what range of addresses should be write
                 * protected */
                if (!(phdr->p_flags & PF_W)) {
                    unsigned _end;

                    if (si->base + phdr->p_vaddr < si->wrprotect_start)
                        si->wrprotect_start = si->base + phdr->p_vaddr;
                    /* round the segment end up to a page boundary. */
                    _end = (((si->base + phdr->p_vaddr + phdr->p_memsz + PAGE_SIZE - 1) &
                             (~PAGE_MASK)));
                    if (_end > si->wrprotect_end)
                        si->wrprotect_end = _end;
                    /* Make the section writable just in case we'll have to
                     * write to it during relocation (i.e. text segment).
                     * However, we will remember what range of addresses
                     * should be write protected.
                     */
                    mprotect((void *) (si->base + phdr->p_vaddr),
                             phdr->p_memsz,
                             PFLAGS_TO_PROT(phdr->p_flags) | PROT_WRITE);
                }
            } else if (phdr->p_type == PT_DYNAMIC) {
                if (si->dynamic != (unsigned *)-1) {
                    DL_ERR("%5d multiple PT_DYNAMIC segments found in '%s'. "
                           "Segment at 0x%08x, previously one found at 0x%08x",
                           pid, si->name, si->base + phdr->p_vaddr,
                           (unsigned)si->dynamic);
                    goto fail;
                }
                DEBUG_DUMP_PHDR(phdr, "PT_DYNAMIC", pid);
                si->dynamic = (unsigned *) (si->base + phdr->p_vaddr);
            } else if (phdr->p_type == PT_GNU_RELRO) {
                /* reject segments that lie outside the loaded image or
                 * whose end wraps around the address space. */
                if ((phdr->p_vaddr >= si->size)
                    || ((phdr->p_vaddr + phdr->p_memsz) >= si->size)
                    || ((si->base + phdr->p_vaddr + phdr->p_memsz) < si->base)) {
                    DL_ERR("%d invalid GNU_RELRO in '%s' "
                           "p_vaddr=0x%08x p_memsz=0x%08x", pid, si->name,
                           phdr->p_vaddr, phdr->p_memsz);
                    goto fail;
                }
                si->gnu_relro_start = (Elf32_Addr) (si->base + phdr->p_vaddr);
                si->gnu_relro_len = (unsigned) phdr->p_memsz;
            }
        }
    }

    if (si->dynamic == (unsigned *)-1) {
        DL_ERR("%5d missing PT_DYNAMIC?!", pid);
        goto fail;
    }

    DEBUG("%5d dynamic = %p\n", pid, si->dynamic);

    /* extract useful information from dynamic section; entries are
     * (tag, value) pairs, hence the extra *d++ in the switch. */
    for(d = si->dynamic; *d; d++){
        DEBUG("%5d d = %p, d[0] = 0x%08x d[1] = 0x%08x\n", pid, d, d[0], d[1]);
        switch(*d++){
        case DT_HASH:
            si->nbucket = ((unsigned *) (si->base + *d))[0];
            si->nchain = ((unsigned *) (si->base + *d))[1];
            si->bucket = (unsigned *) (si->base + *d + 8);
            si->chain = (unsigned *) (si->base + *d + 8 + si->nbucket * 4);
            break;
        case DT_STRTAB:
            si->strtab = (const char *) (si->base + *d);
            break;
        case DT_SYMTAB:
            si->symtab = (Elf32_Sym *) (si->base + *d);
            break;
        case DT_PLTREL:
            if(*d != DT_REL) {
                DL_ERR("DT_RELA not supported");
                goto fail;
            }
            break;
        case DT_JMPREL:
            si->plt_rel = (Elf32_Rel*) (si->base + *d);
            break;
        case DT_PLTRELSZ:
            /* sizeof(Elf32_Rel) == 8 */
            si->plt_rel_count = *d / 8;
            break;
        case DT_REL:
            si->rel = (Elf32_Rel*) (si->base + *d);
            break;
        case DT_RELSZ:
            si->rel_count = *d / 8;
            break;
        case DT_PLTGOT:
            /* Save this in case we decide to do lazy binding. We don't yet. */
            si->plt_got = (unsigned *)(si->base + *d);
            break;
        case DT_DEBUG:
            // Set the DT_DEBUG entry to the address of _r_debug for GDB
            *d = (int) &_r_debug;
            break;
         case DT_RELA:
            DL_ERR("%5d DT_RELA not supported", pid);
            goto fail;
        case DT_INIT:
            si->init_func = (void (*)(void))(si->base + *d);
            DEBUG("%5d %s constructors (init func) found at %p\n",
                  pid, si->name, si->init_func);
            break;
        case DT_FINI:
            si->fini_func = (void (*)(void))(si->base + *d);
            DEBUG("%5d %s destructors (fini func) found at %p\n",
                  pid, si->name, si->fini_func);
            break;
        case DT_INIT_ARRAY:
            si->init_array = (unsigned *)(si->base + *d);
            DEBUG("%5d %s constructors (init_array) found at %p\n",
                  pid, si->name, si->init_array);
            break;
        case DT_INIT_ARRAYSZ:
            si->init_array_count = ((unsigned)*d) / sizeof(Elf32_Addr);
            break;
        case DT_FINI_ARRAY:
            si->fini_array = (unsigned *)(si->base + *d);
            DEBUG("%5d %s destructors (fini_array) found at %p\n",
                  pid, si->name, si->fini_array);
            break;
        case DT_FINI_ARRAYSZ:
            si->fini_array_count = ((unsigned)*d) / sizeof(Elf32_Addr);
            break;
        case DT_PREINIT_ARRAY:
            si->preinit_array = (unsigned *)(si->base + *d);
            DEBUG("%5d %s constructors (preinit_array) found at %p\n",
                  pid, si->name, si->preinit_array);
            break;
        case DT_PREINIT_ARRAYSZ:
            si->preinit_array_count = ((unsigned)*d) / sizeof(Elf32_Addr);
            break;
        case DT_TEXTREL:
            /* TODO: make use of this. */
            /* this means that we might have to write into where the text
             * segment was loaded during relocation... Do something with
             * it.
             */
            DEBUG("%5d Text segment should be writable during relocation.\n",
                  pid);
            break;
        }
    }

    DEBUG("%5d si->base = 0x%08x, si->strtab = %p, si->symtab = %p\n",
          pid, si->base, si->strtab, si->symtab);

    if((si->strtab == 0) || (si->symtab == 0)) {
        DL_ERR("%5d missing essential tables", pid);
        goto fail;
    }

    /* if this is the main executable, then load all of the preloads now */
    if(si->flags & FLAG_EXE) {
        int i;
        memset(preloads, 0, sizeof(preloads));
        for(i = 0; ldpreload_names[i] != NULL; i++) {
            soinfo *lsi = find_library(ldpreload_names[i]);
            if(lsi == 0) {
                strlcpy(tmp_err_buf, linker_get_error(), sizeof(tmp_err_buf));
                DL_ERR("%5d could not load needed library '%s' for '%s' (%s)",
                       pid, ldpreload_names[i], si->name, tmp_err_buf);
                goto fail;
            }
            lsi->refcount++;
            preloads[i] = lsi;
        }
    }

    for(d = si->dynamic; *d; d += 2) {
        if(d[0] == DT_NEEDED){
            DEBUG("%5d %s needs %s\n", pid, si->name, si->strtab + d[1]);
            soinfo *lsi = find_library(si->strtab + d[1]);
            if(lsi == 0) {
                strlcpy(tmp_err_buf, linker_get_error(), sizeof(tmp_err_buf));
                DL_ERR("%5d could not load needed library '%s' for '%s' (%s)",
                       pid, si->strtab + d[1], si->name, tmp_err_buf);
                goto fail;
            }
            /* Save the soinfo of the loaded DT_NEEDED library in the payload
               of the DT_NEEDED entry itself, so that we can retrieve the
               soinfo directly later from the dynamic segment.  This is a hack,
               but it allows us to map from DT_NEEDED to soinfo efficiently
               later on when we resolve relocations, trying to look up a symbol
               with dlsym().
            */
            d[1] = (unsigned)lsi;
            lsi->refcount++;
        }
    }

    if(si->plt_rel) {
        DEBUG("[ %5d relocating %s plt ]\n", pid, si->name );
        if(reloc_library(si, si->plt_rel, si->plt_rel_count))
            goto fail;
    }
    if(si->rel) {
        DEBUG("[ %5d relocating %s ]\n", pid, si->name );
        if(reloc_library(si, si->rel, si->rel_count))
            goto fail;
    }

    si->flags |= FLAG_LINKED;
    DEBUG("[ %5d finished linking %s ]\n", pid, si->name);

#if 0
    /* This is the way that the old dynamic linker did protection of
     * non-writable areas.  It would scan section headers and find where
     * .text ended (rather where .data/.bss began) and assume that this is
     * the upper range of the non-writable area.  This is too coarse,
     * and is kept here for reference until we fully move away from single
     * segment elf objects. See the code in get_wr_offset (also #if'd 0)
     * that made this possible.
     */
    if(wr_offset < 0xffffffff){
        mprotect((void*) si->base, wr_offset, PROT_READ | PROT_EXEC);
    }
#else
    /* TODO: Verify that this does the right thing in all cases, as it
     * presently probably does not. It is possible that an ELF image will
     * come with multiple read-only segments. What we ought to do is scan
     * the program headers again and mprotect all the read-only segments.
     * To prevent re-scanning the program header, we would have to build a
     * list of loadable segments in si, and then scan that instead. */
    if (si->wrprotect_start != 0xffffffff && si->wrprotect_end != 0) {
        mprotect((void *)si->wrprotect_start,
                 si->wrprotect_end - si->wrprotect_start,
                 PROT_READ | PROT_EXEC);
    }
#endif

    /* Relocations are done; make the GNU_RELRO region read-only. */
    if (si->gnu_relro_start != 0 && si->gnu_relro_len != 0) {
        Elf32_Addr start = (si->gnu_relro_start & ~PAGE_MASK);
        unsigned len = (si->gnu_relro_start - start) + si->gnu_relro_len;
        if (mprotect((void *) start, len, PROT_READ) < 0) {
            DL_ERR("%5d GNU_RELRO mprotect of library '%s' failed: %d (%s)\n",
                   pid, si->name, errno, strerror(errno));
            goto fail;
        }
    }

    /* If this is a SET?ID program, dup /dev/null to opened stdin,
       stdout and stderr to close a security hole described in:

    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:23.stdio.asc

     */
    if (program_is_setuid)
        nullify_closed_stdio ();
    notify_gdb_of_load(si);
    return 0;

fail:
    ERROR("failed to link %s\n", si->name);
    si->flags |= FLAG_ERROR;
    return -1;
}

/* Split 'path' on 'delim' and store up to LDPATH_MAX non-empty entries
 * into the global ldpaths[] (backed by ldpaths_buf). */
static void parse_library_path(const char *path, char *delim)
{
    size_t len;
    char *ldpaths_bufp = ldpaths_buf;
    int i = 0;

    len = strlcpy(ldpaths_buf, path, sizeof(ldpaths_buf));

    while (i < LDPATH_MAX && (ldpaths[i] = strsep(&ldpaths_bufp, delim))) {
        if (*ldpaths[i] != '\0')
            ++i;
    }

    /* Forget the last path if we had to truncate; this occurs if the 2nd to
     * last char isn't '\0' (i.e. not originally a delim).
 */
    if (i > 0 && len >= sizeof(ldpaths_buf) &&
        ldpaths_buf[sizeof(ldpaths_buf) - 2] != '\0') {
        ldpaths[i - 1] = NULL;
    } else {
        ldpaths[i] = NULL;
    }
}

/* Split 'path' on 'delim' and store up to LDPRELOAD_MAX non-empty library
 * names into the global ldpreload_names[] (backed by ldpreloads_buf). */
static void parse_preloads(const char *path, char *delim)
{
    size_t len;
    char *ldpreloads_bufp = ldpreloads_buf;
    int i = 0;

    len = strlcpy(ldpreloads_buf, path, sizeof(ldpreloads_buf));

    while (i < LDPRELOAD_MAX && (ldpreload_names[i] = strsep(&ldpreloads_bufp, delim))) {
        if (*ldpreload_names[i] != '\0') {
            ++i;
        }
    }

    /* Forget the last path if we had to truncate; this occurs if the 2nd to
     * last char isn't '\0' (i.e. not originally a delim). */
    if (i > 0 && len >= sizeof(ldpreloads_buf) &&
        ldpreloads_buf[sizeof(ldpreloads_buf) - 2] != '\0') {
        ldpreload_names[i - 1] = NULL;
    } else {
        ldpreload_names[i] = NULL;
    }
}

#define ANDROID_TLS_SLOTS  BIONIC_TLS_SLOTS

/* Temporary TLS area used until libc sets up the real one; gives system
 * calls a working errno during linker startup. */
static void * __tls_area[ANDROID_TLS_SLOTS];

/*
 * This code is called after the linker has linked itself and
 * fixed it's own GOT. It is safe to make references to externs
 * and other non-local data at this point.
 */
static unsigned __linker_init_post_relocation(unsigned **elfdata)
{
    static soinfo linker_soinfo;

    /* elfdata points at the kernel-provided stack layout:
     * argc, argv[], envp[], then the ELF aux vectors. */
    int argc = (int) *elfdata;
    char **argv = (char**) (elfdata + 1);
    unsigned *vecs = (unsigned*) (argv + argc + 1);
    unsigned *v;
    soinfo *si;
    struct link_map * map;
    const char *ldpath_env = NULL;
    const char *ldpreload_env = NULL;

    /* Setup a temporary TLS area that is used to get a working
     * errno for system calls.
2080 */ 2081 __set_tls(__tls_area); 2082 2083 pid = getpid(); 2084 2085#if TIMING 2086 struct timeval t0, t1; 2087 gettimeofday(&t0, 0); 2088#endif 2089 2090 /* NOTE: we store the elfdata pointer on a special location 2091 * of the temporary TLS area in order to pass it to 2092 * the C Library's runtime initializer. 2093 * 2094 * The initializer must clear the slot and reset the TLS 2095 * to point to a different location to ensure that no other 2096 * shared library constructor can access it. 2097 */ 2098 __tls_area[TLS_SLOT_BIONIC_PREINIT] = elfdata; 2099 2100 /* Initialize environment functions, and get to the ELF aux vectors table */ 2101 vecs = linker_env_init(vecs); 2102 2103 /* Check auxv for AT_SECURE first to see if program is setuid, setgid, 2104 has file caps, or caused a SELinux/AppArmor domain transition. */ 2105 for (v = vecs; v[0]; v += 2) { 2106 if (v[0] == AT_SECURE) { 2107 /* kernel told us whether to enable secure mode */ 2108 program_is_setuid = v[1]; 2109 goto sanitize; 2110 } 2111 } 2112 2113 /* Kernel did not provide AT_SECURE - fall back on legacy test. 
*/ 2114 program_is_setuid = (getuid() != geteuid()) || (getgid() != getegid()); 2115 2116sanitize: 2117 /* Sanitize environment if we're loading a setuid program */ 2118 if (program_is_setuid) 2119 linker_env_secure(); 2120 2121 debugger_init(); 2122 2123 /* Get a few environment variables */ 2124 { 2125 const char* env; 2126 env = linker_env_get("DEBUG"); /* XXX: TODO: Change to LD_DEBUG */ 2127 if (env) 2128 debug_verbosity = atoi(env); 2129 2130 /* Normally, these are cleaned by linker_env_secure, but the test 2131 * against program_is_setuid doesn't cost us anything */ 2132 if (!program_is_setuid) { 2133 ldpath_env = linker_env_get("LD_LIBRARY_PATH"); 2134 ldpreload_env = linker_env_get("LD_PRELOAD"); 2135 } 2136 } 2137 2138 INFO("[ android linker & debugger ]\n"); 2139 DEBUG("%5d elfdata @ 0x%08x\n", pid, (unsigned)elfdata); 2140 2141 si = alloc_info(argv[0]); 2142 if(si == 0) { 2143 exit(-1); 2144 } 2145 2146 /* bootstrap the link map, the main exe always needs to be first */ 2147 si->flags |= FLAG_EXE; 2148 map = &(si->linkmap); 2149 2150 map->l_addr = 0; 2151 map->l_name = argv[0]; 2152 map->l_prev = NULL; 2153 map->l_next = NULL; 2154 2155 _r_debug.r_map = map; 2156 r_debug_tail = map; 2157 2158 /* gdb expects the linker to be in the debug shared object list, 2159 * and we need to make sure that the reported load address is zero. 2160 * Without this, gdb gets the wrong idea of where rtld_db_dlactivity() 2161 * is. Don't use alloc_info(), because the linker shouldn't 2162 * be on the soinfo list. 2163 */ 2164 strlcpy((char*) linker_soinfo.name, "/system/bin/linker", sizeof linker_soinfo.name); 2165 linker_soinfo.flags = 0; 2166 linker_soinfo.base = 0; // This is the important part; must be zero. 
2167 insert_soinfo_into_debug_map(&linker_soinfo); 2168 2169 /* extract information passed from the kernel */ 2170 while(vecs[0] != 0){ 2171 switch(vecs[0]){ 2172 case AT_PHDR: 2173 si->phdr = (Elf32_Phdr*) vecs[1]; 2174 break; 2175 case AT_PHNUM: 2176 si->phnum = (int) vecs[1]; 2177 break; 2178 case AT_ENTRY: 2179 si->entry = vecs[1]; 2180 break; 2181 } 2182 vecs += 2; 2183 } 2184 2185 /* Compute the value of si->base. We can't rely on the fact that 2186 * the first entry is the PHDR because this will not be true 2187 * for certain executables (e.g. some in the NDK unit test suite) 2188 */ 2189 int nn; 2190 si->base = 0; 2191 for ( nn = 0; nn < si->phnum; nn++ ) { 2192 if (si->phdr[nn].p_type == PT_PHDR) { 2193 si->base = (Elf32_Addr) si->phdr - si->phdr[nn].p_vaddr; 2194 break; 2195 } 2196 } 2197 si->dynamic = (unsigned *)-1; 2198 si->wrprotect_start = 0xffffffff; 2199 si->wrprotect_end = 0; 2200 si->refcount = 1; 2201 si->gnu_relro_start = 0; 2202 si->gnu_relro_len = 0; 2203 2204 /* Use LD_LIBRARY_PATH if we aren't setuid/setgid */ 2205 if (ldpath_env) 2206 parse_library_path(ldpath_env, ":"); 2207 2208 if (ldpreload_env) { 2209 parse_preloads(ldpreload_env, " :"); 2210 } 2211 2212 if(link_image(si, 0)) { 2213 char errmsg[] = "CANNOT LINK EXECUTABLE\n"; 2214 write(2, __linker_dl_err_buf, strlen(__linker_dl_err_buf)); 2215 write(2, errmsg, sizeof(errmsg)); 2216 exit(-1); 2217 } 2218 2219 call_constructors_recursive(si); 2220 2221#if ALLOW_SYMBOLS_FROM_MAIN 2222 /* Set somain after we've loaded all the libraries in order to prevent 2223 * linking of symbols back to the main image, which is not set up at that 2224 * point yet. 
2225 */ 2226 somain = si; 2227#endif 2228 2229#if TIMING 2230 gettimeofday(&t1,NULL); 2231 PRINT("LINKER TIME: %s: %d microseconds\n", argv[0], (int) ( 2232 (((long long)t1.tv_sec * 1000000LL) + (long long)t1.tv_usec) - 2233 (((long long)t0.tv_sec * 1000000LL) + (long long)t0.tv_usec) 2234 )); 2235#endif 2236#if STATS 2237 PRINT("RELO STATS: %s: %d abs, %d rel, %d copy, %d symbol\n", argv[0], 2238 linker_stats.reloc[RELOC_ABSOLUTE], 2239 linker_stats.reloc[RELOC_RELATIVE], 2240 linker_stats.reloc[RELOC_COPY], 2241 linker_stats.reloc[RELOC_SYMBOL]); 2242#endif 2243#if COUNT_PAGES 2244 { 2245 unsigned n; 2246 unsigned i; 2247 unsigned count = 0; 2248 for(n = 0; n < 4096; n++){ 2249 if(bitmask[n]){ 2250 unsigned x = bitmask[n]; 2251 for(i = 0; i < 8; i++){ 2252 if(x & 1) count++; 2253 x >>= 1; 2254 } 2255 } 2256 } 2257 PRINT("PAGES MODIFIED: %s: %d (%dKB)\n", argv[0], count, count * 4); 2258 } 2259#endif 2260 2261#if TIMING || STATS || COUNT_PAGES 2262 fflush(stdout); 2263#endif 2264 2265 TRACE("[ %5d Ready to execute '%s' @ 0x%08x ]\n", pid, si->name, 2266 si->entry); 2267 return si->entry; 2268} 2269 2270/* 2271 * Find the value of AT_BASE passed to us by the kernel. This is the load 2272 * location of the linker. 2273 */ 2274static unsigned find_linker_base(unsigned **elfdata) { 2275 int argc = (int) *elfdata; 2276 char **argv = (char**) (elfdata + 1); 2277 unsigned *vecs = (unsigned*) (argv + argc + 1); 2278 while (vecs[0] != 0) { 2279 vecs++; 2280 } 2281 2282 /* The end of the environment block is marked by two NULL pointers */ 2283 vecs++; 2284 2285 while(vecs[0]) { 2286 if (vecs[0] == AT_BASE) { 2287 return vecs[1]; 2288 } 2289 vecs += 2; 2290 } 2291 2292 return 0; // should never happen 2293} 2294 2295/* 2296 * This is the entry point for the linker, called from begin.S. This 2297 * method is responsible for fixing the linker's own relocations, and 2298 * then calling __linker_init_post_relocation(). 
 *
 * Because this method is called before the linker has fixed its own
 * relocations, any attempt to reference an extern variable, extern
 * function, or other GOT reference will generate a segfault.
 * (Everything below therefore sticks to locals, direct calls into the
 * linker's own code, and data reached via the kernel-provided elfdata.)
 */
unsigned __linker_init(unsigned **elfdata) {
    /* AT_BASE from the aux vectors is where the kernel mapped us. */
    unsigned linker_addr = find_linker_base(elfdata);
    /* The linker's own ELF header sits at its load address; locate the
     * program header table from it. */
    Elf32_Ehdr *elf_hdr = (Elf32_Ehdr *) linker_addr;
    Elf32_Phdr *phdr =
        (Elf32_Phdr *)((unsigned char *) linker_addr + elf_hdr->e_phoff);

    /* Stack-local soinfo describing the linker itself, so link_image()
     * can relocate us; deliberately not placed on the global soinfo list. */
    soinfo linker_so;
    memset(&linker_so, 0, sizeof(soinfo));

    linker_so.base = linker_addr;
    linker_so.dynamic = (unsigned *) -1;  /* sentinel: not yet located */
    linker_so.phdr = phdr;
    linker_so.phnum = elf_hdr->e_phnum;
    linker_so.flags |= FLAG_LINKER;
    /* Inverted wrprotect range (start=max, end=0) — grown during linking. */
    linker_so.wrprotect_start = 0xffffffff;
    linker_so.wrprotect_end = 0;
    linker_so.gnu_relro_start = 0;
    linker_so.gnu_relro_len = 0;

    if (link_image(&linker_so, 0)) {
        // It would be nice to print an error message, but if the linker
        // can't link itself, there's no guarantee that we'll be able to
        // call write() (because it involves a GOT reference).
        //
        // This situation should never occur unless the linker itself
        // is corrupt.
        exit(-1);
    }

    // We have successfully fixed our own relocations. It's safe to run
    // the main part of the linker now.
    return __linker_init_post_relocation(elfdata);
}