/* plt.c revision e99af270a60891e68d465c4cd97dbe29cd1a05e4 */
1/* 2 * This file is part of ltrace. 3 * Copyright (C) 2012 Petr Machata, Red Hat Inc. 4 * Copyright (C) 2004,2008,2009 Juan Cespedes 5 * Copyright (C) 2006 Paul Gilliam 6 * 7 * This program is free software; you can redistribute it and/or 8 * modify it under the terms of the GNU General Public License as 9 * published by the Free Software Foundation; either version 2 of the 10 * License, or (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, but 13 * WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 15 * General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this program; if not, write to the Free Software 19 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 20 * 02110-1301 USA 21 */ 22 23#include <gelf.h> 24#include <sys/ptrace.h> 25#include <errno.h> 26#include <error.h> 27#include <inttypes.h> 28#include <assert.h> 29#include <string.h> 30 31#include "proc.h" 32#include "common.h" 33#include "library.h" 34#include "breakpoint.h" 35#include "linux-gnu/trace.h" 36#include "backend.h" 37 38/* There are two PLT types on 32-bit PPC: old-style, BSS PLT, and 39 * new-style "secure" PLT. We can tell one from the other by the 40 * flags on the .plt section. If it's +X (executable), it's BSS PLT, 41 * otherwise it's secure. 42 * 43 * BSS PLT works the same way as most architectures: the .plt section 44 * contains trampolines and we put breakpoints to those. If not 45 * prelinked, .plt contains zeroes, and dynamic linker fills in the 46 * initial set of trampolines, which means that we need to delay 47 * enabling breakpoints until after binary entry point is hit. 48 * Additionally, after first call, dynamic linker updates .plt with 49 * branch to resolved address. 
That means that on first hit, we must 50 * do something similar to the PPC64 gambit described below. 51 * 52 * With secure PLT, the .plt section doesn't contain instructions but 53 * addresses. The real PLT table is stored in .text. Addresses of 54 * those PLT entries can be computed, and apart from the fact that 55 * they are in .text, they are ordinary PLT entries. 56 * 57 * 64-bit PPC is more involved. Program linker creates for each 58 * library call a _stub_ symbol named xxxxxxxx.plt_call.<callee> 59 * (where xxxxxxxx is a hexadecimal number). That stub does the call 60 * dispatch: it loads an address of a function to call from the 61 * section .plt, and branches. PLT entries themselves are essentially 62 * a curried call to the resolver. When the symbol is resolved, the 63 * resolver updates the value stored in .plt, and the next time 64 * around, the stub calls the library function directly. So we make 65 * at most one trip (none if the binary is prelinked) through each PLT 66 * entry, and correspondingly that is useless as a breakpoint site. 67 * 68 * Note the three confusing terms: stubs (that play the role of PLT 69 * entries), PLT entries, .plt section. 70 * 71 * We first check symbol tables and see if we happen to have stub 72 * symbols available. If yes we just put breakpoints to those, and 73 * treat them as usual breakpoints. The only tricky part is realizing 74 * that there can be more than one breakpoint per symbol. 75 * 76 * The case that we don't have the stub symbols available is harder. 77 * The following scheme uses two kinds of PLT breakpoints: unresolved 78 * and resolved (to some address). When the process starts (or when 79 * we attach), we distribute unresolved PLT breakpoints to the PLT 80 * entries (not stubs). Then we look in .plt, and for each entry 81 * whose value is different than the corresponding PLT entry address, 82 * we assume it was already resolved, and convert the breakpoint to 83 * resolved. 
We also rewrite the resolved value in .plt back to the 84 * PLT address. 85 * 86 * When a PLT entry hits a resolved breakpoint (which happens because 87 * we rewrite .plt with the original unresolved addresses), we move 88 * the instruction pointer to the corresponding address and continue 89 * the process as if nothing happened. 90 * 91 * When unresolved PLT entry is called for the first time, we need to 92 * catch the new value that the resolver will write to a .plt slot. 93 * We also need to prevent another thread from racing through and 94 * taking the branch without ltrace noticing. So when unresolved PLT 95 * entry hits, we have to stop all threads. We then single-step 96 * through the resolver, until the .plt slot changes. When it does, 97 * we treat it the same way as above: convert the PLT breakpoint to 98 * resolved, and rewrite the .plt value back to PLT address. We then 99 * start all threads again. 100 * 101 * As an optimization, we remember the address where the address was 102 * resolved, and put a breakpoint there. The next time around (when 103 * the next PLT entry is to be resolved), instead of single-stepping 104 * through half the dynamic linker, we just let the thread run and hit 105 * this breakpoint. When it hits, we know the PLT entry was resolved. 106 * 107 * XXX TODO If we have hardware watch point, we might put a read watch 108 * on .plt slot, and discover the offenders this way. I don't know 109 * the details, but I assume at most a handful (like, one or two, if 110 * available at all) addresses may be watched at a time, and thus this 111 * would be used as an amendment of the above rather than full-on 112 * solution to PLT tracing on PPC. 
113 */ 114 115#define PPC_PLT_STUB_SIZE 16 116#define PPC64_PLT_STUB_SIZE 8 //xxx 117 118static inline int 119host_powerpc64() 120{ 121#ifdef __powerpc64__ 122 return 1; 123#else 124 return 0; 125#endif 126} 127 128int 129read_target_4(struct Process *proc, arch_addr_t addr, uint32_t *lp) 130{ 131 unsigned long l = ptrace(PTRACE_PEEKTEXT, proc->pid, addr, 0); 132 if (l == -1UL && errno) 133 return -1; 134#ifdef __powerpc64__ 135 l >>= 32; 136#endif 137 *lp = l; 138 return 0; 139} 140 141static int 142read_target_8(struct Process *proc, arch_addr_t addr, uint64_t *lp) 143{ 144 unsigned long l = ptrace(PTRACE_PEEKTEXT, proc->pid, addr, 0); 145 if (l == -1UL && errno) 146 return -1; 147 if (host_powerpc64()) { 148 *lp = l; 149 } else { 150 unsigned long l2 = ptrace(PTRACE_PEEKTEXT, proc->pid, 151 addr + 4, 0); 152 if (l2 == -1UL && errno) 153 return -1; 154 *lp = ((uint64_t)l << 32) | l2; 155 } 156 return 0; 157} 158 159int 160read_target_long(struct Process *proc, arch_addr_t addr, uint64_t *lp) 161{ 162 if (proc->e_machine == EM_PPC) { 163 uint32_t w; 164 int ret = read_target_4(proc, addr, &w); 165 if (ret >= 0) 166 *lp = (uint64_t)w; 167 return ret; 168 } else { 169 return read_target_8(proc, addr, lp); 170 } 171} 172 173static enum callback_status 174reenable_breakpoint(struct Process *proc, struct breakpoint *bp, void *data) 175{ 176 /* We don't need to re-enable non-PLT breakpoints and 177 * breakpoints that are not PPC32 BSS unprelinked. 
*/ 178 if (bp->libsym == NULL 179 || bp->libsym->plt_type == LS_TOPLT_NONE 180 || bp->libsym->lib->arch.bss_plt_prelinked != 0) 181 return CBS_CONT; 182 183 debug(DEBUG_PROCESS, "pid=%d reenable_breakpoint %s", 184 proc->pid, breakpoint_name(bp)); 185 186 assert(proc->e_machine == EM_PPC); 187 uint64_t l; 188 if (read_target_8(proc, bp->addr, &l) < 0) { 189 error(0, errno, "couldn't read PLT value for %s(%p)", 190 breakpoint_name(bp), bp->addr); 191 return CBS_CONT; 192 } 193 194 /* XXX double cast */ 195 bp->libsym->arch.plt_slot_addr = (GElf_Addr)(uintptr_t)bp->addr; 196 197 /* If necessary, re-enable the breakpoint if it was 198 * overwritten by the dynamic linker. */ 199 union { 200 uint32_t insn; 201 char buf[4]; 202 } u = { .buf = BREAKPOINT_VALUE }; 203 if (l >> 32 == u.insn) 204 debug(DEBUG_PROCESS, "pid=%d, breakpoint still present" 205 " at %p, avoiding reenable", proc->pid, bp->addr); 206 else 207 enable_breakpoint(proc, bp); 208 209 bp->libsym->arch.resolved_value = l; 210 211 return CBS_CONT; 212} 213 214void 215arch_dynlink_done(struct Process *proc) 216{ 217 /* On PPC32, .plt of objects that use BSS PLT are overwritten 218 * by the dynamic linker (unless that object was prelinked). 219 * We need to re-enable breakpoints in those objects. */ 220 proc_each_breakpoint(proc, NULL, reenable_breakpoint, NULL); 221} 222 223GElf_Addr 224arch_plt_sym_val(struct ltelf *lte, size_t ndx, GElf_Rela *rela) 225{ 226 if (lte->ehdr.e_machine == EM_PPC && lte->arch.secure_plt) { 227 assert(lte->arch.plt_stub_vma != 0); 228 return lte->arch.plt_stub_vma + PPC_PLT_STUB_SIZE * ndx; 229 230 } else if (lte->ehdr.e_machine == EM_PPC) { 231 return rela->r_offset; 232 233 } else { 234 /* If we get here, we don't have stub symbols. In 235 * that case we put brakpoints to PLT entries the same 236 * as the PPC32 secure PLT case does. 
 */
		assert(lte->arch.plt_stub_vma != 0);
		return lte->arch.plt_stub_vma + PPC64_PLT_STUB_SIZE * ndx;
	}
}

/* This entry point is called when ltelf is not available
 * anymore--during runtime.  At that point we don't have to concern
 * ourselves with bias, as the values in OPD have been resolved
 * already.  */
int
arch_translate_address_dyn(struct Process *proc,
			   arch_addr_t addr, arch_addr_t *ret)
{
	if (proc->e_machine == EM_PPC64) {
		/* PPC64 function symbols point into .opd; the real
		 * entry point is the first doubleword of the OPD
		 * entry, read from the process image.  */
		uint64_t value;
		if (read_target_8(proc, addr, &value) < 0) {
			error(0, errno, "dynamic .opd translation of %p", addr);
			return -1;
		}
		/* XXX The double cast should be removed when
		 * arch_addr_t becomes integral type.  */
		*ret = (arch_addr_t)(uintptr_t)value;
		return 0;
	}

	/* Non-PPC64: addresses need no translation.  */
	*ret = addr;
	return 0;
}

/* Static counterpart of the above: translate ADDR through the .opd
 * data of the ELF file (plus load bias) instead of the live
 * process.  */
int
arch_translate_address(struct ltelf *lte,
		       arch_addr_t addr, arch_addr_t *ret)
{
	if (lte->ehdr.e_machine == EM_PPC64) {
		/* XXX The double cast should be removed when
		 * arch_addr_t becomes integral type.  */
		GElf_Xword offset
			= (GElf_Addr)(uintptr_t)addr - lte->arch.opd_base;
		uint64_t value;
		if (elf_read_u64(lte->arch.opd_data, offset, &value) < 0) {
			error(0, 0, "static .opd translation of %p: %s", addr,
			      elf_errmsg(-1));
			return -1;
		}
		*ret = (arch_addr_t)(uintptr_t)(value + lte->bias);
		return 0;
	}

	*ret = addr;
	return 0;
}

/* Cache the location and extent of the PPC64 .opd section in LTE so
 * the translation routines above can use it.  Returns 0 on success,
 * -1 if .opd is absent or unreadable.  */
static int
load_opd_data(struct ltelf *lte, struct library *lib)
{
	Elf_Scn *sec;
	GElf_Shdr shdr;
	if (elf_get_section_named(lte, ".opd", &sec, &shdr) < 0) {
	fail:
		fprintf(stderr, "couldn't find .opd data\n");
		return -1;
	}

	lte->arch.opd_data = elf_rawdata(sec, NULL);
	if (lte->arch.opd_data == NULL)
		goto fail;

	lte->arch.opd_base = shdr.sh_addr + lte->bias;
	lte->arch.opd_size = shdr.sh_size;

	return 0;
}

/* SYM's address was fixed up when the symbol was created; just
 * return it.  */
void *
sym2addr(struct Process *proc, struct library_symbol *sym)
{
	return sym->enter_addr;
}

/* Find the glink VMA for a PPC32 secure-PLT object: preferably the
 * second word of the PPCGOT area, falling back to the first word of
 * .plt.  Returns 0 if it cannot be determined.  */
static GElf_Addr
get_glink_vma(struct ltelf *lte, GElf_Addr ppcgot, Elf_Data *plt_data)
{
	Elf_Scn *ppcgot_sec = NULL;
	GElf_Shdr ppcgot_shdr;
	if (ppcgot != 0
	    && elf_get_section_covering(lte, ppcgot,
					&ppcgot_sec, &ppcgot_shdr) < 0)
		error(0, 0, "DT_PPC_GOT=%#"PRIx64", but no such section found",
		      ppcgot);

	if (ppcgot_sec != NULL) {
		Elf_Data *data = elf_loaddata(ppcgot_sec, &ppcgot_shdr);
		if (data == NULL || data->d_size < 8 ) {
			error(0, 0, "couldn't read GOT data");
		} else {
			// where PPCGOT begins in .got
			size_t offset = ppcgot - ppcgot_shdr.sh_addr;
			assert(offset % 4 == 0);
			uint32_t glink_vma;
			if (elf_read_u32(data, offset + 4, &glink_vma) < 0) {
				error(0, 0, "couldn't read glink VMA address"
				      " at %zd@GOT", offset);
				return 0;
			}
			if (glink_vma != 0) {
				debug(1, "PPC GOT glink_vma address: %#" PRIx32,
				      glink_vma);
				return (GElf_Addr)glink_vma;
			}
		}
	}

	if (plt_data != NULL) {
		uint32_t glink_vma;
		if (elf_read_u32(plt_data, 0, &glink_vma) < 0) {
			error(0, 0, "couldn't read glink VMA address");
			return 0;
		}
		debug(1, ".plt glink_vma address: %#" PRIx32, glink_vma);
		return (GElf_Addr)glink_vma;
	}

	return 0;
}

/* Scan the SHT_DYNAMIC section for the entry with d_tag == TAG and
 * store its pointer value in *VALUEP.  Returns 0 on success, -1 if
 * the section is unreadable or the tag is absent.  */
static int
load_dynamic_entry(struct ltelf *lte, int tag, GElf_Addr *valuep)
{
	Elf_Scn *scn;
	GElf_Shdr shdr;
	if (elf_get_section_type(lte, SHT_DYNAMIC, &scn, &shdr) < 0
	    || scn == NULL) {
	fail:
		error(0, 0, "Couldn't get SHT_DYNAMIC: %s",
		      elf_errmsg(-1));
		return -1;
	}

	Elf_Data *data = elf_loaddata(scn, &shdr);
	if (data == NULL)
		goto fail;

	size_t j;
	for (j = 0; j < shdr.sh_size / shdr.sh_entsize; ++j) {
		GElf_Dyn dyn;
		if (gelf_getdyn(data, j, &dyn) == NULL)
			goto fail;

		if(dyn.d_tag == tag) {
			*valuep = dyn.d_un.d_ptr;
			return 0;
		}
	}

	return -1;
}

/* Fetch the DT_PPC_GOT dynamic entry (PPC32 secure PLT).  */
static int
load_ppcgot(struct ltelf *lte, GElf_Addr *ppcgotp)
{
	return load_dynamic_entry(lte, DT_PPC_GOT, ppcgotp);
}

/* Fetch the DT_PPC64_GLINK dynamic entry (PPC64).  */
static int
load_ppc64_glink(struct ltelf *lte, GElf_Addr *glinkp)
{
	return load_dynamic_entry(lte, DT_PPC64_GLINK, glinkp);
}

/* Return non-zero iff DATA contains any non-zero byte.  Used to
 * decide whether a BSS .plt was prelinked.  */
static int
nonzero_data(Elf_Data *data)
{
	/* We are not supposed to get here if there's no PLT.  */
	assert(data != NULL);

	unsigned char *buf = data->d_buf;
	if (buf == NULL)
		return 0;

	size_t i;
	for (i = 0; i < data->d_size; ++i)
		if (buf[i] != 0)
			return 1;
	return 0;
}

int
arch_elf_init(struct ltelf *lte, struct library *lib)
{
	if (lte->ehdr.e_machine == EM_PPC64
	    && load_opd_data(lte, lib) < 0)
		return -1;

	/* Executable .plt means old-style BSS PLT; see the long
	 * comment at the top of this file.  */
	lte->arch.secure_plt = !(lte->plt_flags & SHF_EXECINSTR);

	/* For PPC32 BSS, it is important whether the binary was
	 * prelinked.  If .plt section is NODATA, or if it contains
	 * zeroes, then this library is not prelinked, and we need to
	 * delay breakpoints.  */
	if (lte->ehdr.e_machine == EM_PPC && !lte->arch.secure_plt)
		lib->arch.bss_plt_prelinked = nonzero_data(lte->plt_data);
	else
		/* For cases where it's irrelevant, initialize the
		 * value to something conspicuous.  */
		lib->arch.bss_plt_prelinked = -1;

	if (lte->ehdr.e_machine == EM_PPC && lte->arch.secure_plt) {
		GElf_Addr ppcgot;
		if (load_ppcgot(lte, &ppcgot) < 0) {
			error(0, 0, "couldn't find DT_PPC_GOT");
			return -1;
		}
		GElf_Addr glink_vma = get_glink_vma(lte, ppcgot, lte->plt_data);

		/* The secure-PLT stub area sits immediately before
		 * glink, one PPC_PLT_STUB_SIZE stub per RELA.  */
		assert (lte->relplt_size % 12 == 0);
		size_t count = lte->relplt_size / 12; // size of RELA entry
		lte->arch.plt_stub_vma = glink_vma
			- (GElf_Addr)count * PPC_PLT_STUB_SIZE;
		debug(1, "stub_vma is %#" PRIx64, lte->arch.plt_stub_vma);

	} else if (lte->ehdr.e_machine == EM_PPC64) {
		GElf_Addr glink_vma;
		if (load_ppc64_glink(lte, &glink_vma) < 0) {
			error(0, 0, "couldn't find DT_PPC64_GLINK");
			return -1;
		}

		/* The first glink stub starts at offset 32.  */
		lte->arch.plt_stub_vma = glink_vma + 32;
	}

	/* On PPC64, look for stub symbols in symbol table.  These are
	 * called: xxxxxxxx.plt_call.callee_name@version+addend.  */
	if (lte->ehdr.e_machine == EM_PPC64
	    && lte->symtab != NULL && lte->strtab != NULL) {

		/* N.B. We can't simply skip the symbols that we fail
		 * to read or malloc.  There may be more than one stub
		 * per symbol name, and if we failed in one but
		 * succeeded in another, the PLT enabling code would
		 * have no way to tell that something is missing.  We
		 * could work around that, of course, but it doesn't
		 * seem worth the trouble.  So if anything fails, we
		 * just pretend that we don't have stub symbols at
		 * all, as if the binary is stripped.  */

		size_t i;
		for (i = 0; i < lte->symtab_count; ++i) {
			GElf_Sym sym;
			if (gelf_getsym(lte->symtab, i, &sym) == NULL) {
				/* NOTE: this inner SYM deliberately
				 * shadows the GElf_Sym above; it walks
				 * and frees the stub list built so
				 * far.  */
				struct library_symbol *sym, *next;
			fail:
				for (sym = lte->arch.stubs; sym != NULL; ) {
					next = sym->next;
					library_symbol_destroy(sym);
					free(sym);
					sym = next;
				}
				lte->arch.stubs = NULL;
				break;
			}

			const char *name = lte->strtab + sym.st_name;

#define STUBN ".plt_call."
			if ((name = strstr(name, STUBN)) == NULL)
				continue;
			name += sizeof(STUBN) - 1;
#undef STUBN

			size_t len;
			const char *ver = strchr(name, '@');
			if (ver != NULL) {
				len = ver - name;

			} else {
				/* If there is "+" at all, check that
				 * the symbol name ends in "+0".  */
				const char *add = strrchr(name, '+');
				if (add != NULL) {
					assert(strcmp(add, "+0") == 0);
					len = add - name;
				} else {
					len = strlen(name);
				}
			}

			char *sym_name = strndup(name, len);
			struct library_symbol *libsym = malloc(sizeof(*libsym));
			if (sym_name == NULL || libsym == NULL) {
			fail2:
				free(sym_name);
				free(libsym);
				goto fail;
			}

			/* XXX The double cast should be removed when
			 * arch_addr_t becomes integral type.  */
			arch_addr_t addr = (arch_addr_t)
				(uintptr_t)sym.st_value + lte->bias;
			if (library_symbol_init(libsym, addr, sym_name, 1,
						LS_TOPLT_EXEC) < 0)
				goto fail2;
			libsym->arch.type = PPC64_PLT_STUB;
			libsym->next = lte->arch.stubs;
			lte->arch.stubs = libsym;
		}
	}

	return 0;
}

/* Read the current value of the .plt slot at ADDR in PROC into
 * *VALP.  Returns 0 on success, -1 on failure.  */
static int
read_plt_slot_value(struct Process *proc, GElf_Addr addr, GElf_Addr *valp)
{
	/* On PPC64, we read from .plt, which contains 8 byte
	 * addresses.  On PPC32 we read from .plt, which contains 4
	 * byte instructions, but the PLT is two instructions, and
	 * either can change.  */
	uint64_t l;
	/* XXX double cast.
*/ 558 if (read_target_8(proc, (arch_addr_t)(uintptr_t)addr, &l) < 0) { 559 error(0, errno, "ptrace .plt slot value @%#" PRIx64, addr); 560 return -1; 561 } 562 563 *valp = (GElf_Addr)l; 564 return 0; 565} 566 567static int 568unresolve_plt_slot(struct Process *proc, GElf_Addr addr, GElf_Addr value) 569{ 570 /* We only modify plt_entry[0], which holds the resolved 571 * address of the routine. We keep the TOC and environment 572 * pointers intact. Hence the only adjustment that we need to 573 * do is to IP. */ 574 if (ptrace(PTRACE_POKETEXT, proc->pid, addr, value) < 0) { 575 error(0, errno, "unresolve .plt slot"); 576 return -1; 577 } 578 return 0; 579} 580 581static void 582mark_as_resolved(struct library_symbol *libsym, GElf_Addr value) 583{ 584 libsym->arch.type = PPC_PLT_RESOLVED; 585 libsym->arch.resolved_value = value; 586} 587 588enum plt_status 589arch_elf_add_plt_entry(struct Process *proc, struct ltelf *lte, 590 const char *a_name, GElf_Rela *rela, size_t ndx, 591 struct library_symbol **ret) 592{ 593 if (lte->ehdr.e_machine == EM_PPC) 594 return plt_default; 595 596 /* PPC64. If we have stubs, we return a chain of breakpoint 597 * sites, one for each stub that corresponds to this PLT 598 * entry. */ 599 struct library_symbol *chain = NULL; 600 struct library_symbol **symp; 601 for (symp = <e->arch.stubs; *symp != NULL; ) { 602 struct library_symbol *sym = *symp; 603 if (strcmp(sym->name, a_name) != 0) { 604 symp = &(*symp)->next; 605 continue; 606 } 607 608 /* Re-chain the symbol from stubs to CHAIN. */ 609 *symp = sym->next; 610 sym->next = chain; 611 chain = sym; 612 } 613 614 if (chain != NULL) { 615 *ret = chain; 616 return plt_ok; 617 } 618 619 /* We don't have stub symbols. Find corresponding .plt slot, 620 * and check whether it contains the corresponding PLT address 621 * (or 0 if the dynamic linker hasn't run yet). N.B. we don't 622 * want read this from ELF file, but from process image. 
That 623 * makes a difference if we are attaching to a running 624 * process. */ 625 626 GElf_Addr plt_entry_addr = arch_plt_sym_val(lte, ndx, rela); 627 GElf_Addr plt_slot_addr = rela->r_offset; 628 assert(plt_slot_addr >= lte->plt_addr 629 || plt_slot_addr < lte->plt_addr + lte->plt_size); 630 631 GElf_Addr plt_slot_value; 632 if (read_plt_slot_value(proc, plt_slot_addr, &plt_slot_value) < 0) 633 return plt_fail; 634 635 char *name = strdup(a_name); 636 struct library_symbol *libsym = malloc(sizeof(*libsym)); 637 if (name == NULL || libsym == NULL) { 638 error(0, errno, "allocation for .plt slot"); 639 fail: 640 free(name); 641 free(libsym); 642 return plt_fail; 643 } 644 645 /* XXX The double cast should be removed when 646 * arch_addr_t becomes integral type. */ 647 if (library_symbol_init(libsym, 648 (arch_addr_t)(uintptr_t)plt_entry_addr, 649 name, 1, LS_TOPLT_EXEC) < 0) 650 goto fail; 651 libsym->arch.plt_slot_addr = plt_slot_addr; 652 653 if (plt_slot_value == plt_entry_addr || plt_slot_value == 0) { 654 libsym->arch.type = PPC_PLT_UNRESOLVED; 655 libsym->arch.resolved_value = plt_entry_addr; 656 657 } else { 658 /* Unresolve the .plt slot. If the binary was 659 * prelinked, this makes the code invalid, because in 660 * case of prelinked binary, the dynamic linker 661 * doesn't update .plt[0] and .plt[1] with addresses 662 * of the resover. But we don't care, we will never 663 * need to enter the resolver. That just means that 664 * we have to un-un-resolve this back before we 665 * detach. 
		 */

		if (unresolve_plt_slot(proc, plt_slot_addr, plt_entry_addr) < 0) {
			library_symbol_destroy(libsym);
			goto fail;
		}
		mark_as_resolved(libsym, plt_slot_value);
	}

	*ret = libsym;
	return plt_ok;
}

/* Release any stub symbols that were harvested in arch_elf_init but
 * never claimed by arch_elf_add_plt_entry.  */
void
arch_elf_destroy(struct ltelf *lte)
{
	struct library_symbol *sym;
	for (sym = lte->arch.stubs; sym != NULL; ) {
		struct library_symbol *next = sym->next;
		library_symbol_destroy(sym);
		free(sym);
		sym = next;
	}
}

/* On-hit callback of the "dl_plt_update" breakpoint: the dynamic
 * linker has just written a resolved address into a .plt slot.
 * Collect that value, restore the slot, and mark the symbol
 * resolved.  */
static void
dl_plt_update_bp_on_hit(struct breakpoint *bp, struct Process *proc)
{
	debug(DEBUG_PROCESS, "pid=%d dl_plt_update_bp_on_hit %s(%p)",
	      proc->pid, breakpoint_name(bp), bp->addr);
	struct process_stopping_handler *self = proc->arch.handler;
	assert(self != NULL);

	struct library_symbol *libsym = self->breakpoint_being_enabled->libsym;
	GElf_Addr value;
	if (read_plt_slot_value(proc, libsym->arch.plt_slot_addr, &value) < 0)
		return;

	/* On PPC64, we rewrite the slot value.  */
	if (proc->e_machine == EM_PPC64)
		unresolve_plt_slot(proc, libsym->arch.plt_slot_addr,
				   libsym->arch.resolved_value);
	/* We mark the breakpoint as resolved on both arches.  */
	mark_as_resolved(libsym, value);

	/* cb_on_all_stopped looks if HANDLER is set to NULL as a way
	 * to check that this was run.  It's an error if it
	 * wasn't.  */
	proc->arch.handler = NULL;

	breakpoint_turn_off(bp, proc);
}

static void
cb_on_all_stopped(struct process_stopping_handler *self)
{
	/* Put that in for dl_plt_update_bp_on_hit to see.  */
	assert(self->task_enabling_breakpoint->arch.handler == NULL);
	self->task_enabling_breakpoint->arch.handler = self;

	linux_ptrace_disable_and_continue(self);
}

/* Single-step predicate: keep stepping through the resolver until
 * the watched .plt slot changes; then migrate the breakpoint to the
 * resolved state.  */
static enum callback_status
cb_keep_stepping_p(struct process_stopping_handler *self)
{
	struct Process *proc = self->task_enabling_breakpoint;
	struct library_symbol *libsym = self->breakpoint_being_enabled->libsym;

	GElf_Addr value;
	if (read_plt_slot_value(proc, libsym->arch.plt_slot_addr, &value) < 0)
		return CBS_FAIL;

	/* In UNRESOLVED state, the RESOLVED_VALUE in fact contains
	 * the PLT entry value.  */
	if (value == libsym->arch.resolved_value)
		return CBS_CONT;

	debug(DEBUG_PROCESS, "pid=%d PLT got resolved to value %#"PRIx64,
	      proc->pid, value);

	/* The .plt slot got resolved!  We can migrate the breakpoint
	 * to RESOLVED and stop single-stepping.  */
	if (proc->e_machine == EM_PPC64
	    && unresolve_plt_slot(proc, libsym->arch.plt_slot_addr,
				  libsym->arch.resolved_value) < 0)
		return CBS_FAIL;

	/* Resolving on PPC64 consists of overwriting a doubleword in
	 * .plt.  That doubleword is then read back by a stub, and
	 * jumped on.  Hopefully we can assume that double word update
	 * is done on a single place only, as it contains a final
	 * address.  We still need to look around for any sync
	 * instruction, but essentially it is safe to optimize away
	 * the single stepping next time and install a post-update
	 * breakpoint.
	 *
	 * The situation on PPC32 BSS is more complicated.  The
	 * dynamic linker here updates potentially several
	 * instructions (XXX currently we assume two) and the rules
	 * are more complicated.  Sometimes it's enough to adjust just
	 * one of the addresses--the logic for generating optimal
	 * dispatch depends on relative addresses of the .plt entry
	 * and the jump destination.  We can't assume that the same
	 * instruction block does the update every time.  So on PPC32,
	 * we turn the optimization off and just step through it each
	 * time.  */
	if (proc->e_machine == EM_PPC)
		goto done;

	/* Install breakpoint to the address where the change takes
	 * place.  If we fail, then that just means that we'll have to
	 * singlestep the next time around as well.  */
	struct Process *leader = proc->leader;
	if (leader == NULL || leader->arch.dl_plt_update_bp != NULL)
		goto done;

	/* We need to install to the next instruction.  ADDR points to
	 * a store instruction, so moving the breakpoint one
	 * instruction forward is safe.  */
	arch_addr_t addr = get_instruction_pointer(proc) + 4;
	leader->arch.dl_plt_update_bp = insert_breakpoint(proc, addr, NULL);
	if (leader->arch.dl_plt_update_bp == NULL)
		goto done;

	static struct bp_callbacks dl_plt_update_cbs = {
		.on_hit = dl_plt_update_bp_on_hit,
	};
	leader->arch.dl_plt_update_bp->cbs = &dl_plt_update_cbs;

	/* Turn it off for now.  We will turn it on again when we hit
	 * the PLT entry that needs this.  */
	breakpoint_turn_off(leader->arch.dl_plt_update_bp, proc);

done:
	mark_as_resolved(libsym, value);

	return CBS_STOP;
}

/* Redirect PROC's instruction pointer to the resolved target of the
 * PLT entry guarded by BP.  */
static void
jump_to_entry_point(struct Process *proc, struct breakpoint *bp)
{
	/* XXX The double cast should be removed when
	 * arch_addr_t becomes integral type.
	 */
	arch_addr_t rv = (arch_addr_t)
		(uintptr_t)bp->libsym->arch.resolved_value;
	set_instruction_pointer(proc, rv);
}

/* on_continue callback for PLT breakpoints: dispatch on the symbol's
 * current PLT state.  */
static void
ppc_plt_bp_continue(struct breakpoint *bp, struct Process *proc)
{
	switch (bp->libsym->arch.type) {
		/* Declarations at switch scope, shared by the cases
		 * below.  */
		struct Process *leader;
		void (*on_all_stopped)(struct process_stopping_handler *);
		enum callback_status (*keep_stepping_p)
			(struct process_stopping_handler *);

	case PPC_DEFAULT:
		assert(proc->e_machine == EM_PPC);
		assert(bp->libsym != NULL);
		assert(bp->libsym->lib->arch.bss_plt_prelinked == 0);
		/* fall-through */

	case PPC_PLT_UNRESOLVED:
		on_all_stopped = NULL;
		keep_stepping_p = NULL;
		leader = proc->leader;

		/* Prefer the cheap path: if the post-update
		 * breakpoint is installed and can be turned on, wait
		 * for it; otherwise single-step the resolver.  */
		if (leader != NULL && leader->arch.dl_plt_update_bp != NULL
		    && breakpoint_turn_on(leader->arch.dl_plt_update_bp,
					  proc) >= 0)
			on_all_stopped = cb_on_all_stopped;
		else
			keep_stepping_p = cb_keep_stepping_p;

		if (process_install_stopping_handler
		    (proc, bp, on_all_stopped, keep_stepping_p, NULL) < 0) {
			error(0, 0, "ppc_plt_bp_continue: couldn't install"
			      " event handler");
			continue_after_breakpoint(proc, bp);
		}
		return;

	case PPC_PLT_RESOLVED:
		if (proc->e_machine == EM_PPC) {
			continue_after_breakpoint(proc, bp);
			return;
		}

		/* PPC64: the .plt still holds the unresolved address
		 * (we rewrote it), so jump straight to the known
		 * resolved target.  */
		jump_to_entry_point(proc, bp);
		continue_process(proc->pid);
		return;

	case PPC64_PLT_STUB:
		/* These should never hit here.  */
		break;
	}

	/* Unreachable; the self-comparison makes the assert message
	 * self-describing if a new enum value is ever missed.  */
	assert(bp->libsym->arch.type != bp->libsym->arch.type);
	abort();
}

/* When a process is in a PLT stub, it may have already read the data
 * in .plt that we changed.  If we detach now, it will jump to PLT
 * entry and continue to the dynamic linker, where it will SIGSEGV,
 * because zeroth .plt slot is not filled in prelinked binaries, and
 * the dynamic linker needs that data.  Moreover, the process may
 * actually have hit the breakpoint already.  This function tries to
 * detect both cases and do any fix-ups necessary to mend this
 * situation.  */
static enum callback_status
detach_task_cb(struct Process *task, void *data)
{
	struct breakpoint *bp = data;

	if (get_instruction_pointer(task) == bp->addr) {
		debug(DEBUG_PROCESS, "%d at %p, which is PLT slot",
		      task->pid, bp->addr);
		jump_to_entry_point(task, bp);
		return CBS_CONT;
	}

	/* XXX There's still a window of several instructions where we
	 * might catch the task inside a stub such that it has already
	 * read destination address from .plt, but hasn't jumped yet,
	 * thus avoiding the breakpoint.  */

	return CBS_CONT;
}

static void
ppc_plt_bp_retract(struct breakpoint *bp, struct Process *proc)
{
	/* On PPC64, we rewrite .plt with PLT entry addresses.  This
	 * needs to be undone.  Unfortunately, the program may have
	 * made decisions based on that value */
	if (proc->e_machine == EM_PPC64
	    && bp->libsym != NULL
	    && bp->libsym->arch.type == PPC_PLT_RESOLVED) {
		each_task(proc->leader, NULL, detach_task_cb, bp);
		unresolve_plt_slot(proc, bp->libsym->arch.plt_slot_addr,
				   bp->libsym->arch.resolved_value);
	}
}

/* No per-library arch state to set up on PPC.  */
void
arch_library_init(struct library *lib)
{
}

void
arch_library_destroy(struct library *lib)
{
}

void
arch_library_clone(struct library *retp, struct library *lib)
{
}

int
arch_library_symbol_init(struct library_symbol *libsym)
{
	/* We set type explicitly in the code above, where we have the
	 * necessary context.  This is for calls from ltrace-elf.c and
	 * such.  */
	libsym->arch.type = PPC_DEFAULT;
	return 0;
}

void
arch_library_symbol_destroy(struct library_symbol *libsym)
{
}

int
arch_library_symbol_clone(struct library_symbol *retp,
			  struct library_symbol *libsym)
{
	retp->arch = libsym->arch;
	return 0;
}

/* For some symbol types, we need to set up custom callbacks.  XXX we
 * don't need PROC here, we can store the data in BP if it is of
 * interest to us.  */
int
arch_breakpoint_init(struct Process *proc, struct breakpoint *bp)
{
	/* Artificial and entry-point breakpoints are plain.  */
	if (bp->libsym == NULL || bp->libsym->plt_type != LS_TOPLT_EXEC)
		return 0;

	/* On PPC, secure PLT and prelinked BSS PLT are plain.  */
	if (proc->e_machine == EM_PPC
	    && bp->libsym->lib->arch.bss_plt_prelinked != 0)
		return 0;

	/* On PPC64, stub PLT breakpoints are plain.  */
	if (proc->e_machine == EM_PPC64
	    && bp->libsym->arch.type == PPC64_PLT_STUB)
		return 0;

	static struct bp_callbacks cbs = {
		.on_continue = ppc_plt_bp_continue,
		.on_retract = ppc_plt_bp_retract,
	};
	breakpoint_set_callbacks(bp, &cbs);
	return 0;
}

void
arch_breakpoint_destroy(struct breakpoint *bp)
{
}

int
arch_breakpoint_clone(struct breakpoint *retp, struct breakpoint *sbp)
{
	retp->arch = sbp->arch;
	return 0;
}

int
arch_process_init(struct Process *proc)
{
	proc->arch.dl_plt_update_bp = NULL;
	proc->arch.handler = NULL;
	return 0;
}

void
arch_process_destroy(struct Process *proc)
{
}

int
arch_process_clone(struct Process *retp, struct Process *proc)
{
	retp->arch = proc->arch;
	return 0;
}

/* Exec resets per-process arch state, same as fresh init.  */
int
arch_process_exec(struct Process *proc)
{
	return arch_process_init(proc);
}