plt.c revision d1746d17eda0c4d2c1004c9deb8b229eb6fb1c78
1#include <gelf.h> 2#include <sys/ptrace.h> 3#include <errno.h> 4#include <error.h> 5#include <inttypes.h> 6#include <assert.h> 7#include <string.h> 8 9#include "proc.h" 10#include "common.h" 11#include "library.h" 12 13/* There are two PLT types on 32-bit PPC: old-style, BSS PLT, and 14 * new-style "secure" PLT. We can tell one from the other by the 15 * flags on the .plt section. If it's +X (executable), it's BSS PLT, 16 * otherwise it's secure. 17 * 18 * BSS PLT works the same way as most architectures: the .plt section 19 * contains trampolines and we put breakpoints to those. With secure 20 * PLT, the .plt section doesn't contain instructions but addresses. 21 * The real PLT table is stored in .text. Addresses of those PLT 22 * entries can be computed, and it fact that's what the glink deal 23 * below does. 24 * 25 * If not prelinked, BSS PLT entries in the .plt section contain 26 * zeroes that are overwritten by the dynamic linker during start-up. 27 * For that reason, ltrace realizes those breakpoints only after 28 * .start is hit. 29 * 30 * 64-bit PPC is more involved. Program linker creates for each 31 * library call a _stub_ symbol named xxxxxxxx.plt_call.<callee> 32 * (where xxxxxxxx is a hexadecimal number). That stub does the call 33 * dispatch: it loads an address of a function to call from the 34 * section .plt, and branches. PLT entries themselves are essentially 35 * a curried call to the resolver. When the symbol is resolved, the 36 * resolver updates the value stored in .plt, and the next time 37 * around, the stub calls the library function directly. So we make 38 * at most one trip (none if the binary is prelinked) through each PLT 39 * entry, and correspondingly that is useless as a breakpoint site. 40 * 41 * Note the three confusing terms: stubs (that play the role of PLT 42 * entries), PLT entries, .plt section. 43 * 44 * We first check symbol tables and see if we happen to have stub 45 * symbols available. If yes we just put breakpoints to those, and 46 * treat them as usual breakpoints. The only tricky part is realizing 47 * that there can be more than one breakpoint per symbol. 48 * 49 * The case that we don't have the stub symbols available is harder. 50 * The following scheme uses two kinds of PLT breakpoints: unresolved 51 * and resolved (to some address). When the process starts (or when 52 * we attach), we distribute unresolved PLT breakpoints to the PLT 53 * entries (not stubs). Then we look in .plt, and for each entry 54 * whose value is different than the corresponding PLT entry address, 55 * we assume it was already resolved, and convert the breakpoint to 56 * resolved. We also rewrite the resolved value in .plt back to the 57 * PLT address. 58 * 59 * When a PLT entry hits a resolved breakpoint (which happens because 60 * we put back the unresolved addresses to .plt), we move the 61 * instruction pointer to the corresponding address and continue the 62 * process as if nothing happened. 63 * 64 * When unresolved PLT entry is called for the first time, we need to 65 * catch the new value that the resolver will write to a .plt slot. 66 * We also need to prevent another thread from racing through and 67 * taking the branch without ltrace noticing. So when unresolved PLT 68 * entry hits, we have to stop all threads. We then single-step 69 * through the resolver, until the .plt slot changes. When it does, 70 * we treat it the same way as above: convert the PLT breakpoint to 71 * resolved, and rewrite the .plt value back to PLT address. We then 72 * start all threads again. 73 * 74 * In theory we might find the exact instruction that will update the 75 * .plt slot, and emulate it, updating the PLT breakpoint immediately, 76 * and then just skip it. But that's even messier than the thread 77 * stopping business and single stepping that needs to be done. 78 */ 79 80#define PPC_PLT_STUB_SIZE 16 81 82static inline int 83host_powerpc64() 84{ 85#ifdef __powerpc64__ 86 return 1; 87#else 88 return 0; 89#endif 90} 91 92GElf_Addr 93arch_plt_sym_val(struct ltelf *lte, size_t ndx, GElf_Rela *rela) 94{ 95 if (lte->ehdr.e_machine == EM_PPC && lte->arch.secure_plt) { 96 assert(lte->arch.plt_stub_vma != 0); 97 return lte->arch.plt_stub_vma + PPC_PLT_STUB_SIZE * ndx; 98 99 } else if (lte->ehdr.e_machine == EM_PPC) { 100 return rela->r_offset; 101 102 } else { 103 assert(lte->ehdr.e_machine == EM_PPC64); 104 fprintf(stderr, "PPC64\n"); 105 abort(); 106 return rela->r_offset; 107 } 108} 109 110int 111arch_translate_address(struct Process *proc, 112 target_address_t addr, target_address_t *ret) 113{ 114 if (host_powerpc64() && proc->e_machine == EM_PPC64) { 115 long l = ptrace(PTRACE_PEEKTEXT, proc->pid, addr, 0); 116 fprintf(stderr, "arch_translate_address %p->%#lx\n", 117 addr, l); 118 if (l == -1 && errno) { 119 error(0, errno, ".opd translation of %p", addr); 120 return -1; 121 } 122 *ret = (target_address_t)l; 123 return 0; 124 } 125 126 *ret = addr; 127 return 0; 128} 129 130/* XXX Apparently PPC64 doesn't support PLT breakpoints. */ 131void * 132sym2addr(Process *proc, struct library_symbol *sym) { 133 void *addr = sym->enter_addr; 134 long pt_ret; 135 136 debug(3, 0); 137 138 if (sym->plt_type != LS_TOPLT_POINT) { 139 return addr; 140 } 141 142 if (proc->pid == 0) { 143 return 0; 144 } 145 146 if (options.debug >= 3) { 147 xinfdump(proc->pid, (void *)(((long)addr-32)&0xfffffff0), 148 sizeof(void*)*8); 149 } 150 151 // On a PowerPC-64 system, a plt is three 64-bit words: the first is the 152 // 64-bit address of the routine. Before the PLT has been initialized, 153 // this will be 0x0. In fact, the symbol table won't have the plt's 154 // address even. Ater the PLT has been initialized, but before it has 155 // been resolved, the first word will be the address of the function in 156 // the dynamic linker that will reslove the PLT. After the PLT is 157 // resolved, this will will be the address of the routine whose symbol 158 // is in the symbol table. 159 160 // On a PowerPC-32 system, there are two types of PLTs: secure (new) and 161 // non-secure (old). For the secure case, the PLT is simply a pointer 162 // and we can treat it much as we do for the PowerPC-64 case. For the 163 // non-secure case, the PLT is executable code and we can put the 164 // break-point right in the PLT. 165 166 pt_ret = ptrace(PTRACE_PEEKTEXT, proc->pid, addr, 0); 167 168#if SIZEOF_LONG == 8 169 if (proc->mask_32bit) { 170 // Assume big-endian. 171 addr = (void *)((pt_ret >> 32) & 0xffffffff); 172 } else { 173 addr = (void *)pt_ret; 174 } 175#else 176 /* XXX Um, so where exactly are we dealing with the non-secure 177 PLT thing? */ 178 addr = (void *)pt_ret; 179#endif 180 181 return addr; 182} 183 184static GElf_Addr 185get_glink_vma(struct ltelf *lte, GElf_Addr ppcgot, Elf_Data *plt_data) 186{ 187 Elf_Scn *ppcgot_sec = NULL; 188 GElf_Shdr ppcgot_shdr; 189 if (ppcgot != 0 190 && elf_get_section_covering(lte, ppcgot, 191 &ppcgot_sec, &ppcgot_shdr) < 0) 192 // xxx should be the log out 193 fprintf(stderr, 194 "DT_PPC_GOT=%#" PRIx64 ", but no such section found.\n", 195 ppcgot); 196 197 if (ppcgot_sec != NULL) { 198 Elf_Data *data = elf_loaddata(ppcgot_sec, &ppcgot_shdr); 199 if (data == NULL || data->d_size < 8 ) { 200 fprintf(stderr, "Couldn't read GOT data.\n"); 201 } else { 202 // where PPCGOT begins in .got 203 size_t offset = ppcgot - ppcgot_shdr.sh_addr; 204 assert(offset % 4 == 0); 205 uint32_t glink_vma; 206 if (elf_read_u32(data, offset + 4, &glink_vma) < 0) { 207 fprintf(stderr, 208 "Couldn't read glink VMA address" 209 " at %zd@GOT\n", offset); 210 return 0; 211 } 212 if (glink_vma != 0) { 213 debug(1, "PPC GOT glink_vma address: %#" PRIx32, 214 glink_vma); 215 fprintf(stderr, "PPC GOT glink_vma " 216 "address: %#"PRIx32"\n", glink_vma); 217 return (GElf_Addr)glink_vma; 218 } 219 } 220 } 221 222 if (plt_data != NULL) { 223 uint32_t glink_vma; 224 if (elf_read_u32(plt_data, 0, &glink_vma) < 0) { 225 fprintf(stderr, 226 "Couldn't read glink VMA address at 0@.plt\n"); 227 return 0; 228 } 229 debug(1, ".plt glink_vma address: %#" PRIx32, glink_vma); 230 fprintf(stderr, ".plt glink_vma address: " 231 "%#"PRIx32"\n", glink_vma); 232 return (GElf_Addr)glink_vma; 233 } 234 235 return 0; 236} 237 238static int 239load_dynamic_entry(struct ltelf *lte, int tag, GElf_Addr *valuep) 240{ 241 Elf_Scn *scn; 242 GElf_Shdr shdr; 243 if (elf_get_section_type(lte, SHT_DYNAMIC, &scn, &shdr) < 0 244 || scn == NULL) { 245 fail: 246 error(0, 0, "Couldn't get SHT_DYNAMIC: %s", 247 elf_errmsg(-1)); 248 return -1; 249 } 250 251 Elf_Data *data = elf_loaddata(scn, &shdr); 252 if (data == NULL) 253 goto fail; 254 255 size_t j; 256 for (j = 0; j < shdr.sh_size / shdr.sh_entsize; ++j) { 257 GElf_Dyn dyn; 258 if (gelf_getdyn(data, j, &dyn) == NULL) 259 goto fail; 260 261 if(dyn.d_tag == tag) { 262 *valuep = dyn.d_un.d_ptr; 263 return 0; 264 } 265 } 266 267 return -1; 268} 269 270static int 271load_ppcgot(struct ltelf *lte, GElf_Addr *ppcgotp) 272{ 273 return load_dynamic_entry(lte, DT_PPC_GOT, ppcgotp); 274} 275 276int 277arch_elf_init(struct ltelf *lte) 278{ 279 lte->arch.secure_plt = !(lte->lte_flags & LTE_PLT_EXECUTABLE); 280 if (lte->ehdr.e_machine == EM_PPC && lte->arch.secure_plt) { 281 GElf_Addr ppcgot; 282 if (load_ppcgot(lte, &ppcgot) < 0) { 283 fprintf(stderr, "Couldn't find DT_PPC_GOT.\n"); 284 return -1; 285 } 286 GElf_Addr glink_vma = get_glink_vma(lte, ppcgot, lte->plt_data); 287 288 assert (lte->relplt_size % 12 == 0); 289 size_t count = lte->relplt_size / 12; // size of RELA entry 290 lte->arch.plt_stub_vma = glink_vma 291 - (GElf_Addr)count * PPC_PLT_STUB_SIZE; 292 debug(1, "stub_vma is %#" PRIx64, lte->arch.plt_stub_vma); 293 } 294 295 /* Override the value that we gleaned from flags on the .plt 296 * section. The PLT entries are in fact executable, they are 297 * just not in .plt. */ 298 lte->lte_flags |= LTE_PLT_EXECUTABLE; 299 300 /* On PPC64, look for stub symbols in symbol table. These are 301 * called: xxxxxxxx.plt_call.callee_name@version+addend. */ 302 if (lte->ehdr.e_machine == EM_PPC64 303 && lte->symtab != NULL && lte->strtab != NULL) { 304 305 /* N.B. We can't simply skip the symbols that we fail 306 * to read or malloc. There may be more than one stub 307 * per symbol name, and if we failed in one but 308 * succeeded in another, the PLT enabling code would 309 * have no way to tell that something is missing. We 310 * could work around that, of course, but it doesn't 311 * seem worth the trouble. So if anything fails, we 312 * just pretend that we don't have stub symbols at 313 * all, as if the binary is stripped. */ 314 315 size_t i; 316 for (i = 0; i < lte->symtab_count; ++i) { 317 GElf_Sym sym; 318 if (gelf_getsym(lte->symtab, i, &sym) == NULL) { 319 struct library_symbol *sym, *next; 320 fail: 321 for (sym = lte->arch.stubs; sym != NULL; ) { 322 next = sym->next; 323 library_symbol_destroy(sym); 324 free(sym); 325 sym = next; 326 } 327 lte->arch.stubs = NULL; 328 break; 329 } 330 331 const char *name = lte->strtab + sym.st_name; 332 333#define STUBN ".plt_call." 334 if ((name = strstr(name, STUBN)) == NULL) 335 continue; 336 name += sizeof(STUBN) - 1; 337#undef STUBN 338 339 size_t len; 340 const char *ver = strchr(name, '@'); 341 if (ver != NULL) { 342 len = ver - name; 343 344 } else { 345 /* If there is "+" at all, check that 346 * the symbol name ends in "+0". */ 347 const char *add = strrchr(name, '+'); 348 if (add != NULL) { 349 assert(strcmp(add, "+0") == 0); 350 len = add - name; 351 } else { 352 len = strlen(name); 353 } 354 } 355 356 char *sym_name = strndup(name, len); 357 struct library_symbol *libsym = malloc(sizeof(*libsym)); 358 if (sym_name == NULL || libsym == NULL) { 359 free(sym_name); 360 free(libsym); 361 goto fail; 362 } 363 364 target_address_t addr 365 = (target_address_t)sym.st_value + lte->bias; 366 library_symbol_init(libsym, addr, sym_name, 1, 367 LS_TOPLT_EXEC); 368 libsym->next = lte->arch.stubs; 369 lte->arch.stubs = libsym; 370 } 371 } 372 373 return 0; 374} 375 376enum plt_status 377arch_elf_add_plt_entry(struct Process *proc, struct ltelf *lte, 378 const char *a_name, GElf_Rela *rela, size_t ndx, 379 struct library_symbol **ret) 380{ 381 if (lte->ehdr.e_machine == EM_PPC) 382 return plt_default; 383 384 /* PPC64. If we have stubs, we return a chain of breakpoint 385 * sites, one for each stub that corresponds to this PLT 386 * entry. */ 387 struct library_symbol *chain = NULL; 388 struct library_symbol **symp; 389 for (symp = <e->arch.stubs; *symp != NULL; ) { 390 struct library_symbol *sym = *symp; 391 if (strcmp(sym->name, a_name) != 0) { 392 symp = &(*symp)->next; 393 continue; 394 } 395 396 /* Re-chain the symbol from stubs to CHAIN. */ 397 *symp = sym->next; 398 sym->next = chain; 399 chain = sym; 400 } 401 402 if (chain != NULL) { 403 struct library_symbol *sym; 404 for (sym = chain; sym != NULL; sym = sym->next) 405 fprintf(stderr, "match %s --> %p\n", 406 sym->name, sym->enter_addr); 407 for (sym = lte->arch.stubs; sym != NULL; sym = sym->next) 408 fprintf(stderr, "remains %s --> %p\n", 409 sym->name, sym->enter_addr); 410 411 *ret = chain; 412 return plt_ok; 413 } 414 415 fprintf(stderr, "NO STUBS!\n"); 416 abort(); 417} 418 419void 420arch_elf_destroy(struct ltelf *lte) 421{ 422 struct library_symbol *sym; 423 for (sym = lte->arch.stubs; sym != NULL; ) { 424 struct library_symbol *next = sym->next; 425 library_symbol_destroy(sym); 426 free(sym); 427 sym = next; 428 } 429} 430