1 /*
2 * Copyright (C) 2008 The Android Open Source Project
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * * Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * * Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in
12 * the documentation and/or other materials provided with the
13 * distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
16 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
18 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
19 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
22 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
25 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29 #include <android/api-level.h>
30 #include <dlfcn.h>
31 #include <errno.h>
32 #include <fcntl.h>
33 #include <inttypes.h>
34 #include <pthread.h>
35 #include <stdio.h>
36 #include <stdlib.h>
37 #include <string.h>
38 #include <sys/mman.h>
39 #include <sys/param.h>
40 #include <sys/prctl.h>
41 #include <unistd.h>
42
43 #include <new>
44 #include <string>
45 #include <vector>
46
47 // Private C library headers.
48 #include "private/bionic_tls.h"
49 #include "private/KernelArgumentBlock.h"
50 #include "private/ScopedPthreadMutexLocker.h"
51 #include "private/ScopeGuard.h"
52 #include "private/UniquePtr.h"
53
54 #include "linker.h"
55 #include "linker_block_allocator.h"
56 #include "linker_debug.h"
57 #include "linker_sleb128.h"
58 #include "linker_phdr.h"
59 #include "linker_relocs.h"
60 #include "linker_reloc_iterators.h"
61 #include "ziparchive/zip_archive.h"
62
63 extern void __libc_init_AT_SECURE(KernelArgumentBlock&);
64
65 // Override macros to use C++ style casts.
66 #undef ELF_ST_TYPE
67 #define ELF_ST_TYPE(x) (static_cast<uint32_t>(x) & 0xf)
68
69 static ElfW(Addr) get_elf_exec_load_bias(const ElfW(Ehdr)* elf);
70
71 static LinkerTypeAllocator<soinfo> g_soinfo_allocator;
72 static LinkerTypeAllocator<LinkedListEntry<soinfo>> g_soinfo_links_allocator;
73
74 static soinfo* solist;
75 static soinfo* sonext;
76 static soinfo* somain; // main process, always the one after libdl_info
77
78 static const char* const kDefaultLdPaths[] = {
79 #if defined(__LP64__)
80 "/vendor/lib64",
81 "/system/lib64",
82 #else
83 "/vendor/lib",
84 "/system/lib",
85 #endif
86 nullptr
87 };
88
89 static const ElfW(Versym) kVersymNotNeeded = 0;
90 static const ElfW(Versym) kVersymGlobal = 1;
91
92 static std::vector<std::string> g_ld_library_paths;
93 static std::vector<std::string> g_ld_preload_names;
94
95 static std::vector<soinfo*> g_ld_preloads;
96
97 __LIBC_HIDDEN__ int g_ld_debug_verbosity;
98
99 __LIBC_HIDDEN__ abort_msg_t* g_abort_message = nullptr; // For debuggerd.
100
101 #if STATS
102 struct linker_stats_t {
103 int count[kRelocMax];
104 };
105
106 static linker_stats_t linker_stats;
107
count_relocation(RelocationKind kind)108 void count_relocation(RelocationKind kind) {
109 ++linker_stats.count[kind];
110 }
111 #else
count_relocation(RelocationKind)112 void count_relocation(RelocationKind) {
113 }
114 #endif
115
116 #if COUNT_PAGES
117 uint32_t bitmask[4096];
118 #endif
119
120 static char __linker_dl_err_buf[768];
121
linker_get_error_buffer()122 char* linker_get_error_buffer() {
123 return &__linker_dl_err_buf[0];
124 }
125
linker_get_error_buffer_size()126 size_t linker_get_error_buffer_size() {
127 return sizeof(__linker_dl_err_buf);
128 }
129
130 // This function is an empty stub where GDB locates a breakpoint to get notified
131 // about linker activity.
132 extern "C"
133 void __attribute__((noinline)) __attribute__((visibility("default"))) rtld_db_dlactivity();
134
135 static pthread_mutex_t g__r_debug_mutex = PTHREAD_MUTEX_INITIALIZER;
136 static r_debug _r_debug =
137 {1, nullptr, reinterpret_cast<uintptr_t>(&rtld_db_dlactivity), r_debug::RT_CONSISTENT, 0};
138
139 static link_map* r_debug_tail = 0;
140
insert_soinfo_into_debug_map(soinfo * info)141 static void insert_soinfo_into_debug_map(soinfo* info) {
142 // Copy the necessary fields into the debug structure.
143 link_map* map = &(info->link_map_head);
144 map->l_addr = info->load_bias;
145 // link_map l_name field is not const.
146 map->l_name = const_cast<char*>(info->get_realpath());
147 map->l_ld = info->dynamic;
148
149 // Stick the new library at the end of the list.
150 // gdb tends to care more about libc than it does
151 // about leaf libraries, and ordering it this way
152 // reduces the back-and-forth over the wire.
153 if (r_debug_tail) {
154 r_debug_tail->l_next = map;
155 map->l_prev = r_debug_tail;
156 map->l_next = 0;
157 } else {
158 _r_debug.r_map = map;
159 map->l_prev = 0;
160 map->l_next = 0;
161 }
162 r_debug_tail = map;
163 }
164
remove_soinfo_from_debug_map(soinfo * info)165 static void remove_soinfo_from_debug_map(soinfo* info) {
166 link_map* map = &(info->link_map_head);
167
168 if (r_debug_tail == map) {
169 r_debug_tail = map->l_prev;
170 }
171
172 if (map->l_prev) {
173 map->l_prev->l_next = map->l_next;
174 }
175 if (map->l_next) {
176 map->l_next->l_prev = map->l_prev;
177 }
178 }
179
notify_gdb_of_load(soinfo * info)180 static void notify_gdb_of_load(soinfo* info) {
181 if (info->is_main_executable()) {
182 // GDB already knows about the main executable
183 return;
184 }
185
186 ScopedPthreadMutexLocker locker(&g__r_debug_mutex);
187
188 _r_debug.r_state = r_debug::RT_ADD;
189 rtld_db_dlactivity();
190
191 insert_soinfo_into_debug_map(info);
192
193 _r_debug.r_state = r_debug::RT_CONSISTENT;
194 rtld_db_dlactivity();
195 }
196
notify_gdb_of_unload(soinfo * info)197 static void notify_gdb_of_unload(soinfo* info) {
198 if (info->is_main_executable()) {
199 // GDB already knows about the main executable
200 return;
201 }
202
203 ScopedPthreadMutexLocker locker(&g__r_debug_mutex);
204
205 _r_debug.r_state = r_debug::RT_DELETE;
206 rtld_db_dlactivity();
207
208 remove_soinfo_from_debug_map(info);
209
210 _r_debug.r_state = r_debug::RT_CONSISTENT;
211 rtld_db_dlactivity();
212 }
213
notify_gdb_of_libraries()214 void notify_gdb_of_libraries() {
215 _r_debug.r_state = r_debug::RT_ADD;
216 rtld_db_dlactivity();
217 _r_debug.r_state = r_debug::RT_CONSISTENT;
218 rtld_db_dlactivity();
219 }
220
alloc()221 LinkedListEntry<soinfo>* SoinfoListAllocator::alloc() {
222 return g_soinfo_links_allocator.alloc();
223 }
224
free(LinkedListEntry<soinfo> * entry)225 void SoinfoListAllocator::free(LinkedListEntry<soinfo>* entry) {
226 g_soinfo_links_allocator.free(entry);
227 }
228
soinfo_alloc(const char * name,struct stat * file_stat,off64_t file_offset,uint32_t rtld_flags)229 static soinfo* soinfo_alloc(const char* name, struct stat* file_stat,
230 off64_t file_offset, uint32_t rtld_flags) {
231 if (strlen(name) >= PATH_MAX) {
232 DL_ERR("library name \"%s\" too long", name);
233 return nullptr;
234 }
235
236 soinfo* si = new (g_soinfo_allocator.alloc()) soinfo(name, file_stat, file_offset, rtld_flags);
237
238 sonext->next = si;
239 sonext = si;
240
241 TRACE("name %s: allocated soinfo @ %p", name, si);
242 return si;
243 }
244
soinfo_free(soinfo * si)245 static void soinfo_free(soinfo* si) {
246 if (si == nullptr) {
247 return;
248 }
249
250 if (si->base != 0 && si->size != 0) {
251 munmap(reinterpret_cast<void*>(si->base), si->size);
252 }
253
254 soinfo *prev = nullptr, *trav;
255
256 TRACE("name %s: freeing soinfo @ %p", si->get_realpath(), si);
257
258 for (trav = solist; trav != nullptr; trav = trav->next) {
259 if (trav == si) {
260 break;
261 }
262 prev = trav;
263 }
264
265 if (trav == nullptr) {
266 // si was not in solist
267 DL_ERR("name \"%s\"@%p is not in solist!", si->get_realpath(), si);
268 return;
269 }
270
271 // clear links to/from si
272 si->remove_all_links();
273
274 // prev will never be null, because the first entry in solist is
275 // always the static libdl_info.
276 prev->next = si->next;
277 if (si == sonext) {
278 sonext = prev;
279 }
280
281 si->~soinfo();
282 g_soinfo_allocator.free(si);
283 }
284
parse_path(const char * path,const char * delimiters,std::vector<std::string> * paths)285 static void parse_path(const char* path, const char* delimiters,
286 std::vector<std::string>* paths) {
287 if (path == nullptr) {
288 return;
289 }
290
291 paths->clear();
292
293 for (const char *p = path; ; ++p) {
294 size_t len = strcspn(p, delimiters);
295 // skip empty tokens
296 if (len == 0) {
297 continue;
298 }
299
300 paths->push_back(std::string(p, len));
301 p += len;
302
303 if (*p == '\0') {
304 break;
305 }
306 }
307 }
308
parse_LD_LIBRARY_PATH(const char * path)309 static void parse_LD_LIBRARY_PATH(const char* path) {
310 parse_path(path, ":", &g_ld_library_paths);
311 }
312
parse_LD_PRELOAD(const char * path)313 static void parse_LD_PRELOAD(const char* path) {
314 // We have historically supported ':' as well as ' ' in LD_PRELOAD.
315 parse_path(path, " :", &g_ld_preload_names);
316 }
317
realpath_fd(int fd,std::string * realpath)318 static bool realpath_fd(int fd, std::string* realpath) {
319 std::vector<char> buf(PATH_MAX), proc_self_fd(PATH_MAX);
320 snprintf(&proc_self_fd[0], proc_self_fd.size(), "/proc/self/fd/%d", fd);
321 // set DUMPABLE to 1 to access /proc/self/fd
322 int dumpable = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
323 prctl(PR_SET_DUMPABLE, 1, 0, 0, 0);
324 auto guard = make_scope_guard([&]() {
325 // restore dumpable
326 prctl(PR_SET_DUMPABLE, dumpable, 0, 0, 0);
327 });
328 if (readlink(&proc_self_fd[0], &buf[0], buf.size()) == -1) {
329 PRINT("readlink('%s') failed: %s [fd=%d]", &proc_self_fd[0], strerror(errno), fd);
330 return false;
331 }
332
333 *realpath = std::string(&buf[0]);
334 return true;
335 }
336
337 #if defined(__arm__)
338
339 // For a given PC, find the .so that it belongs to.
340 // Returns the base address of the .ARM.exidx section
341 // for that .so, and the number of 8-byte entries
342 // in that section (via *pcount).
343 //
344 // Intended to be called by libc's __gnu_Unwind_Find_exidx().
345 //
346 // This function is exposed via dlfcn.cpp and libdl.so.
dl_unwind_find_exidx(_Unwind_Ptr pc,int * pcount)347 _Unwind_Ptr dl_unwind_find_exidx(_Unwind_Ptr pc, int* pcount) {
348 uintptr_t addr = reinterpret_cast<uintptr_t>(pc);
349
350 for (soinfo* si = solist; si != 0; si = si->next) {
351 if ((addr >= si->base) && (addr < (si->base + si->size))) {
352 *pcount = si->ARM_exidx_count;
353 return reinterpret_cast<_Unwind_Ptr>(si->ARM_exidx);
354 }
355 }
356 *pcount = 0;
357 return nullptr;
358 }
359
360 #endif
361
362 // Here, we only have to provide a callback to iterate across all the
363 // loaded libraries. gcc_eh does the rest.
do_dl_iterate_phdr(int (* cb)(dl_phdr_info * info,size_t size,void * data),void * data)364 int do_dl_iterate_phdr(int (*cb)(dl_phdr_info* info, size_t size, void* data), void* data) {
365 int rv = 0;
366 for (soinfo* si = solist; si != nullptr; si = si->next) {
367 dl_phdr_info dl_info;
368 dl_info.dlpi_addr = si->link_map_head.l_addr;
369 dl_info.dlpi_name = si->link_map_head.l_name;
370 dl_info.dlpi_phdr = si->phdr;
371 dl_info.dlpi_phnum = si->phnum;
372 rv = cb(&dl_info, sizeof(dl_phdr_info), data);
373 if (rv != 0) {
374 break;
375 }
376 }
377 return rv;
378 }
379
ElfW(Versym)380 const ElfW(Versym)* soinfo::get_versym(size_t n) const {
381 if (has_min_version(2) && versym_ != nullptr) {
382 return versym_ + n;
383 }
384
385 return nullptr;
386 }
387
ElfW(Addr)388 ElfW(Addr) soinfo::get_verneed_ptr() const {
389 if (has_min_version(2)) {
390 return verneed_ptr_;
391 }
392
393 return 0;
394 }
395
get_verneed_cnt() const396 size_t soinfo::get_verneed_cnt() const {
397 if (has_min_version(2)) {
398 return verneed_cnt_;
399 }
400
401 return 0;
402 }
403
ElfW(Addr)404 ElfW(Addr) soinfo::get_verdef_ptr() const {
405 if (has_min_version(2)) {
406 return verdef_ptr_;
407 }
408
409 return 0;
410 }
411
get_verdef_cnt() const412 size_t soinfo::get_verdef_cnt() const {
413 if (has_min_version(2)) {
414 return verdef_cnt_;
415 }
416
417 return 0;
418 }
419
420 template<typename F>
for_each_verdef(const soinfo * si,F functor)421 static bool for_each_verdef(const soinfo* si, F functor) {
422 if (!si->has_min_version(2)) {
423 return true;
424 }
425
426 uintptr_t verdef_ptr = si->get_verdef_ptr();
427 if (verdef_ptr == 0) {
428 return true;
429 }
430
431 size_t offset = 0;
432
433 size_t verdef_cnt = si->get_verdef_cnt();
434 for (size_t i = 0; i<verdef_cnt; ++i) {
435 const ElfW(Verdef)* verdef = reinterpret_cast<ElfW(Verdef)*>(verdef_ptr + offset);
436 size_t verdaux_offset = offset + verdef->vd_aux;
437 offset += verdef->vd_next;
438
439 if (verdef->vd_version != 1) {
440 DL_ERR("unsupported verdef[%zd] vd_version: %d (expected 1) library: %s",
441 i, verdef->vd_version, si->get_realpath());
442 return false;
443 }
444
445 if ((verdef->vd_flags & VER_FLG_BASE) != 0) {
446 // "this is the version of the file itself. It must not be used for
447 // matching a symbol. It can be used to match references."
448 //
449 // http://www.akkadia.org/drepper/symbol-versioning
450 continue;
451 }
452
453 if (verdef->vd_cnt == 0) {
454 DL_ERR("invalid verdef[%zd] vd_cnt == 0 (version without a name)", i);
455 return false;
456 }
457
458 const ElfW(Verdaux)* verdaux = reinterpret_cast<ElfW(Verdaux)*>(verdef_ptr + verdaux_offset);
459
460 if (functor(i, verdef, verdaux) == true) {
461 break;
462 }
463 }
464
465 return true;
466 }
467
find_verdef_version_index(const version_info * vi,ElfW (Versym)* versym) const468 bool soinfo::find_verdef_version_index(const version_info* vi, ElfW(Versym)* versym) const {
469 if (vi == nullptr) {
470 *versym = kVersymNotNeeded;
471 return true;
472 }
473
474 *versym = kVersymGlobal;
475
476 return for_each_verdef(this,
477 [&](size_t, const ElfW(Verdef)* verdef, const ElfW(Verdaux)* verdaux) {
478 if (verdef->vd_hash == vi->elf_hash &&
479 strcmp(vi->name, get_string(verdaux->vda_name)) == 0) {
480 *versym = verdef->vd_ndx;
481 return true;
482 }
483
484 return false;
485 }
486 );
487 }
488
find_symbol_by_name(SymbolName & symbol_name,const version_info * vi,const ElfW (Sym)** symbol) const489 bool soinfo::find_symbol_by_name(SymbolName& symbol_name,
490 const version_info* vi,
491 const ElfW(Sym)** symbol) const {
492 uint32_t symbol_index;
493 bool success =
494 is_gnu_hash() ?
495 gnu_lookup(symbol_name, vi, &symbol_index) :
496 elf_lookup(symbol_name, vi, &symbol_index);
497
498 if (success) {
499 *symbol = symbol_index == 0 ? nullptr : symtab_ + symbol_index;
500 }
501
502 return success;
503 }
504
is_symbol_global_and_defined(const soinfo * si,const ElfW (Sym)* s)505 static bool is_symbol_global_and_defined(const soinfo* si, const ElfW(Sym)* s) {
506 if (ELF_ST_BIND(s->st_info) == STB_GLOBAL ||
507 ELF_ST_BIND(s->st_info) == STB_WEAK) {
508 return s->st_shndx != SHN_UNDEF;
509 } else if (ELF_ST_BIND(s->st_info) != STB_LOCAL) {
510 DL_WARN("unexpected ST_BIND value: %d for '%s' in '%s'",
511 ELF_ST_BIND(s->st_info), si->get_string(s->st_name), si->get_realpath());
512 }
513
514 return false;
515 }
516
517 static const ElfW(Versym) kVersymHiddenBit = 0x8000;
518
is_versym_hidden(const ElfW (Versym)* versym)519 static inline bool is_versym_hidden(const ElfW(Versym)* versym) {
520 // the symbol is hidden if bit 15 of versym is set.
521 return versym != nullptr && (*versym & kVersymHiddenBit) != 0;
522 }
523
check_symbol_version(const ElfW (Versym)verneed,const ElfW (Versym)* verdef)524 static inline bool check_symbol_version(const ElfW(Versym) verneed,
525 const ElfW(Versym)* verdef) {
526 return verneed == kVersymNotNeeded ||
527 verdef == nullptr ||
528 verneed == (*verdef & ~kVersymHiddenBit);
529 }
530
gnu_lookup(SymbolName & symbol_name,const version_info * vi,uint32_t * symbol_index) const531 bool soinfo::gnu_lookup(SymbolName& symbol_name,
532 const version_info* vi,
533 uint32_t* symbol_index) const {
534 uint32_t hash = symbol_name.gnu_hash();
535 uint32_t h2 = hash >> gnu_shift2_;
536
537 uint32_t bloom_mask_bits = sizeof(ElfW(Addr))*8;
538 uint32_t word_num = (hash / bloom_mask_bits) & gnu_maskwords_;
539 ElfW(Addr) bloom_word = gnu_bloom_filter_[word_num];
540
541 *symbol_index = 0;
542
543 TRACE_TYPE(LOOKUP, "SEARCH %s in %s@%p (gnu)",
544 symbol_name.get_name(), get_realpath(), reinterpret_cast<void*>(base));
545
546 // test against bloom filter
547 if ((1 & (bloom_word >> (hash % bloom_mask_bits)) & (bloom_word >> (h2 % bloom_mask_bits))) == 0) {
548 TRACE_TYPE(LOOKUP, "NOT FOUND %s in %s@%p",
549 symbol_name.get_name(), get_realpath(), reinterpret_cast<void*>(base));
550
551 return true;
552 }
553
554 // bloom test says "probably yes"...
555 uint32_t n = gnu_bucket_[hash % gnu_nbucket_];
556
557 if (n == 0) {
558 TRACE_TYPE(LOOKUP, "NOT FOUND %s in %s@%p",
559 symbol_name.get_name(), get_realpath(), reinterpret_cast<void*>(base));
560
561 return true;
562 }
563
564 // lookup versym for the version definition in this library
565 // note the difference between "version is not requested" (vi == nullptr)
566 // and "version not found". In the first case verneed is kVersymNotNeeded
567 // which implies that the default version can be accepted; the second case results in
568 // verneed = 1 (kVersymGlobal) and implies that we should ignore versioned symbols
569 // for this library and consider only *global* ones.
570 ElfW(Versym) verneed = 0;
571 if (!find_verdef_version_index(vi, &verneed)) {
572 return false;
573 }
574
575 do {
576 ElfW(Sym)* s = symtab_ + n;
577 const ElfW(Versym)* verdef = get_versym(n);
578 // skip hidden versions when verneed == kVersymNotNeeded (0)
579 if (verneed == kVersymNotNeeded && is_versym_hidden(verdef)) {
580 continue;
581 }
582 if (((gnu_chain_[n] ^ hash) >> 1) == 0 &&
583 check_symbol_version(verneed, verdef) &&
584 strcmp(get_string(s->st_name), symbol_name.get_name()) == 0 &&
585 is_symbol_global_and_defined(this, s)) {
586 TRACE_TYPE(LOOKUP, "FOUND %s in %s (%p) %zd",
587 symbol_name.get_name(), get_realpath(), reinterpret_cast<void*>(s->st_value),
588 static_cast<size_t>(s->st_size));
589 *symbol_index = n;
590 return true;
591 }
592 } while ((gnu_chain_[n++] & 1) == 0);
593
594 TRACE_TYPE(LOOKUP, "NOT FOUND %s in %s@%p",
595 symbol_name.get_name(), get_realpath(), reinterpret_cast<void*>(base));
596
597 return true;
598 }
599
elf_lookup(SymbolName & symbol_name,const version_info * vi,uint32_t * symbol_index) const600 bool soinfo::elf_lookup(SymbolName& symbol_name,
601 const version_info* vi,
602 uint32_t* symbol_index) const {
603 uint32_t hash = symbol_name.elf_hash();
604
605 TRACE_TYPE(LOOKUP, "SEARCH %s in %s@%p h=%x(elf) %zd",
606 symbol_name.get_name(), get_realpath(),
607 reinterpret_cast<void*>(base), hash, hash % nbucket_);
608
609 ElfW(Versym) verneed = 0;
610 if (!find_verdef_version_index(vi, &verneed)) {
611 return false;
612 }
613
614 for (uint32_t n = bucket_[hash % nbucket_]; n != 0; n = chain_[n]) {
615 ElfW(Sym)* s = symtab_ + n;
616 const ElfW(Versym)* verdef = get_versym(n);
617
618 // skip hidden versions when verneed == 0
619 if (verneed == kVersymNotNeeded && is_versym_hidden(verdef)) {
620 continue;
621 }
622
623 if (check_symbol_version(verneed, verdef) &&
624 strcmp(get_string(s->st_name), symbol_name.get_name()) == 0 &&
625 is_symbol_global_and_defined(this, s)) {
626 TRACE_TYPE(LOOKUP, "FOUND %s in %s (%p) %zd",
627 symbol_name.get_name(), get_realpath(),
628 reinterpret_cast<void*>(s->st_value),
629 static_cast<size_t>(s->st_size));
630 *symbol_index = n;
631 return true;
632 }
633 }
634
635 TRACE_TYPE(LOOKUP, "NOT FOUND %s in %s@%p %x %zd",
636 symbol_name.get_name(), get_realpath(),
637 reinterpret_cast<void*>(base), hash, hash % nbucket_);
638
639 *symbol_index = 0;
640 return true;
641 }
642
soinfo(const char * realpath,const struct stat * file_stat,off64_t file_offset,int rtld_flags)643 soinfo::soinfo(const char* realpath, const struct stat* file_stat,
644 off64_t file_offset, int rtld_flags) {
645 memset(this, 0, sizeof(*this));
646
647 if (realpath != nullptr) {
648 realpath_ = realpath;
649 }
650
651 flags_ = FLAG_NEW_SOINFO;
652 version_ = SOINFO_VERSION;
653
654 if (file_stat != nullptr) {
655 this->st_dev_ = file_stat->st_dev;
656 this->st_ino_ = file_stat->st_ino;
657 this->file_offset_ = file_offset;
658 }
659
660 this->rtld_flags_ = rtld_flags;
661 }
662
663
elf_hash()664 uint32_t SymbolName::elf_hash() {
665 if (!has_elf_hash_) {
666 const uint8_t* name = reinterpret_cast<const uint8_t*>(name_);
667 uint32_t h = 0, g;
668
669 while (*name) {
670 h = (h << 4) + *name++;
671 g = h & 0xf0000000;
672 h ^= g;
673 h ^= g >> 24;
674 }
675
676 elf_hash_ = h;
677 has_elf_hash_ = true;
678 }
679
680 return elf_hash_;
681 }
682
gnu_hash()683 uint32_t SymbolName::gnu_hash() {
684 if (!has_gnu_hash_) {
685 uint32_t h = 5381;
686 const uint8_t* name = reinterpret_cast<const uint8_t*>(name_);
687 while (*name != 0) {
688 h += (h << 5) + *name++; // h*33 + c = h + h * 32 + c = h + h << 5 + c
689 }
690
691 gnu_hash_ = h;
692 has_gnu_hash_ = true;
693 }
694
695 return gnu_hash_;
696 }
697
soinfo_do_lookup(soinfo * si_from,const char * name,const version_info * vi,soinfo ** si_found_in,const soinfo::soinfo_list_t & global_group,const soinfo::soinfo_list_t & local_group,const ElfW (Sym)** symbol)698 bool soinfo_do_lookup(soinfo* si_from, const char* name, const version_info* vi,
699 soinfo** si_found_in, const soinfo::soinfo_list_t& global_group,
700 const soinfo::soinfo_list_t& local_group, const ElfW(Sym)** symbol) {
701 SymbolName symbol_name(name);
702 const ElfW(Sym)* s = nullptr;
703
704 /* "This element's presence in a shared object library alters the dynamic linker's
705 * symbol resolution algorithm for references within the library. Instead of starting
706 * a symbol search with the executable file, the dynamic linker starts from the shared
707 * object itself. If the shared object fails to supply the referenced symbol, the
708 * dynamic linker then searches the executable file and other shared objects as usual."
709 *
710 * http://www.sco.com/developers/gabi/2012-12-31/ch5.dynamic.html
711 *
712 * Note that this is unlikely since static linker avoids generating
713 * relocations for -Bsymbolic linked dynamic executables.
714 */
715 if (si_from->has_DT_SYMBOLIC) {
716 DEBUG("%s: looking up %s in local scope (DT_SYMBOLIC)", si_from->get_realpath(), name);
717 if (!si_from->find_symbol_by_name(symbol_name, vi, &s)) {
718 return false;
719 }
720
721 if (s != nullptr) {
722 *si_found_in = si_from;
723 }
724 }
725
726 // 1. Look for it in global_group
727 if (s == nullptr) {
728 bool error = false;
729 global_group.visit([&](soinfo* global_si) {
730 DEBUG("%s: looking up %s in %s (from global group)",
731 si_from->get_realpath(), name, global_si->get_realpath());
732 if (!global_si->find_symbol_by_name(symbol_name, vi, &s)) {
733 error = true;
734 return false;
735 }
736
737 if (s != nullptr) {
738 *si_found_in = global_si;
739 return false;
740 }
741
742 return true;
743 });
744
745 if (error) {
746 return false;
747 }
748 }
749
750 // 2. Look for it in the local group
751 if (s == nullptr) {
752 bool error = false;
753 local_group.visit([&](soinfo* local_si) {
754 if (local_si == si_from && si_from->has_DT_SYMBOLIC) {
755 // we already did this - skip
756 return true;
757 }
758
759 DEBUG("%s: looking up %s in %s (from local group)",
760 si_from->get_realpath(), name, local_si->get_realpath());
761 if (!local_si->find_symbol_by_name(symbol_name, vi, &s)) {
762 error = true;
763 return false;
764 }
765
766 if (s != nullptr) {
767 *si_found_in = local_si;
768 return false;
769 }
770
771 return true;
772 });
773
774 if (error) {
775 return false;
776 }
777 }
778
779 if (s != nullptr) {
780 TRACE_TYPE(LOOKUP, "si %s sym %s s->st_value = %p, "
781 "found in %s, base = %p, load bias = %p",
782 si_from->get_realpath(), name, reinterpret_cast<void*>(s->st_value),
783 (*si_found_in)->get_realpath(), reinterpret_cast<void*>((*si_found_in)->base),
784 reinterpret_cast<void*>((*si_found_in)->load_bias));
785 }
786
787 *symbol = s;
788 return true;
789 }
790
791 class ProtectedDataGuard {
792 public:
ProtectedDataGuard()793 ProtectedDataGuard() {
794 if (ref_count_++ == 0) {
795 protect_data(PROT_READ | PROT_WRITE);
796 }
797 }
798
~ProtectedDataGuard()799 ~ProtectedDataGuard() {
800 if (ref_count_ == 0) { // overflow
801 __libc_fatal("Too many nested calls to dlopen()");
802 }
803
804 if (--ref_count_ == 0) {
805 protect_data(PROT_READ);
806 }
807 }
808 private:
protect_data(int protection)809 void protect_data(int protection) {
810 g_soinfo_allocator.protect_all(protection);
811 g_soinfo_links_allocator.protect_all(protection);
812 }
813
814 static size_t ref_count_;
815 };
816
817 size_t ProtectedDataGuard::ref_count_ = 0;
818
819 // Each size has it's own allocator.
820 template<size_t size>
821 class SizeBasedAllocator {
822 public:
alloc()823 static void* alloc() {
824 return allocator_.alloc();
825 }
826
free(void * ptr)827 static void free(void* ptr) {
828 allocator_.free(ptr);
829 }
830
831 private:
832 static LinkerBlockAllocator allocator_;
833 };
834
835 template<size_t size>
836 LinkerBlockAllocator SizeBasedAllocator<size>::allocator_(size);
837
838 template<typename T>
839 class TypeBasedAllocator {
840 public:
alloc()841 static T* alloc() {
842 return reinterpret_cast<T*>(SizeBasedAllocator<sizeof(T)>::alloc());
843 }
844
free(T * ptr)845 static void free(T* ptr) {
846 SizeBasedAllocator<sizeof(T)>::free(ptr);
847 }
848 };
849
850 class LoadTask {
851 public:
852 struct deleter_t {
operator ()LoadTask::deleter_t853 void operator()(LoadTask* t) {
854 TypeBasedAllocator<LoadTask>::free(t);
855 }
856 };
857
858 typedef UniquePtr<LoadTask, deleter_t> unique_ptr;
859
860 static deleter_t deleter;
861
create(const char * name,soinfo * needed_by)862 static LoadTask* create(const char* name, soinfo* needed_by) {
863 LoadTask* ptr = TypeBasedAllocator<LoadTask>::alloc();
864 return new (ptr) LoadTask(name, needed_by);
865 }
866
get_name() const867 const char* get_name() const {
868 return name_;
869 }
870
get_needed_by() const871 soinfo* get_needed_by() const {
872 return needed_by_;
873 }
874 private:
LoadTask(const char * name,soinfo * needed_by)875 LoadTask(const char* name, soinfo* needed_by)
876 : name_(name), needed_by_(needed_by) {}
877
878 const char* name_;
879 soinfo* needed_by_;
880
881 DISALLOW_IMPLICIT_CONSTRUCTORS(LoadTask);
882 };
883
884 LoadTask::deleter_t LoadTask::deleter;
885
886 template <typename T>
887 using linked_list_t = LinkedList<T, TypeBasedAllocator<LinkedListEntry<T>>>;
888
889 typedef linked_list_t<soinfo> SoinfoLinkedList;
890 typedef linked_list_t<const char> StringLinkedList;
891 typedef linked_list_t<LoadTask> LoadTaskList;
892
893
894 // This function walks down the tree of soinfo dependencies
895 // in breadth-first order and
896 // * calls action(soinfo* si) for each node, and
897 // * terminates walk if action returns false.
898 //
899 // walk_dependencies_tree returns false if walk was terminated
900 // by the action and true otherwise.
901 template<typename F>
walk_dependencies_tree(soinfo * root_soinfos[],size_t root_soinfos_size,F action)902 static bool walk_dependencies_tree(soinfo* root_soinfos[], size_t root_soinfos_size, F action) {
903 SoinfoLinkedList visit_list;
904 SoinfoLinkedList visited;
905
906 for (size_t i = 0; i < root_soinfos_size; ++i) {
907 visit_list.push_back(root_soinfos[i]);
908 }
909
910 soinfo* si;
911 while ((si = visit_list.pop_front()) != nullptr) {
912 if (visited.contains(si)) {
913 continue;
914 }
915
916 if (!action(si)) {
917 return false;
918 }
919
920 visited.push_back(si);
921
922 si->get_children().for_each([&](soinfo* child) {
923 visit_list.push_back(child);
924 });
925 }
926
927 return true;
928 }
929
930
ElfW(Sym)931 static const ElfW(Sym)* dlsym_handle_lookup(soinfo* root, soinfo* skip_until,
932 soinfo** found, SymbolName& symbol_name) {
933 const ElfW(Sym)* result = nullptr;
934 bool skip_lookup = skip_until != nullptr;
935
936 walk_dependencies_tree(&root, 1, [&](soinfo* current_soinfo) {
937 if (skip_lookup) {
938 skip_lookup = current_soinfo != skip_until;
939 return true;
940 }
941
942 if (!current_soinfo->find_symbol_by_name(symbol_name, nullptr, &result)) {
943 result = nullptr;
944 return false;
945 }
946
947 if (result != nullptr) {
948 *found = current_soinfo;
949 return false;
950 }
951
952 return true;
953 });
954
955 return result;
956 }
957
958 // This is used by dlsym(3). It performs symbol lookup only within the
959 // specified soinfo object and its dependencies in breadth first order.
ElfW(Sym)960 const ElfW(Sym)* dlsym_handle_lookup(soinfo* si, soinfo** found, const char* name) {
961 // According to man dlopen(3) and posix docs in the case when si is handle
962 // of the main executable we need to search not only in the executable and its
963 // dependencies but also in all libraries loaded with RTLD_GLOBAL.
964 //
965 // Since RTLD_GLOBAL is always set for the main executable and all dt_needed shared
966 // libraries and they are loaded in breath-first (correct) order we can just execute
967 // dlsym(RTLD_DEFAULT, ...); instead of doing two stage lookup.
968 if (si == somain) {
969 return dlsym_linear_lookup(name, found, nullptr, RTLD_DEFAULT);
970 }
971
972 SymbolName symbol_name(name);
973 return dlsym_handle_lookup(si, nullptr, found, symbol_name);
974 }
975
976 /* This is used by dlsym(3) to performs a global symbol lookup. If the
977 start value is null (for RTLD_DEFAULT), the search starts at the
978 beginning of the global solist. Otherwise the search starts at the
979 specified soinfo (for RTLD_NEXT).
980 */
ElfW(Sym)981 const ElfW(Sym)* dlsym_linear_lookup(const char* name,
982 soinfo** found,
983 soinfo* caller,
984 void* handle) {
985 SymbolName symbol_name(name);
986
987 soinfo* start = solist;
988
989 if (handle == RTLD_NEXT) {
990 if (caller == nullptr) {
991 return nullptr;
992 } else {
993 start = caller->next;
994 }
995 }
996
997 const ElfW(Sym)* s = nullptr;
998 for (soinfo* si = start; si != nullptr; si = si->next) {
999 // Do not skip RTLD_LOCAL libraries in dlsym(RTLD_DEFAULT, ...)
1000 // if the library is opened by application with target api level <= 22
1001 // See http://b/21565766
1002 if ((si->get_rtld_flags() & RTLD_GLOBAL) == 0 && si->get_target_sdk_version() > 22) {
1003 continue;
1004 }
1005
1006 if (!si->find_symbol_by_name(symbol_name, nullptr, &s)) {
1007 return nullptr;
1008 }
1009
1010 if (s != nullptr) {
1011 *found = si;
1012 break;
1013 }
1014 }
1015
1016 // If not found - use dlsym_handle_lookup for caller's
1017 // local_group unless it is part of the global group in which
1018 // case we already did it.
1019 if (s == nullptr && caller != nullptr &&
1020 (caller->get_rtld_flags() & RTLD_GLOBAL) == 0) {
1021 return dlsym_handle_lookup(caller->get_local_group_root(),
1022 (handle == RTLD_NEXT) ? caller : nullptr, found, symbol_name);
1023 }
1024
1025 if (s != nullptr) {
1026 TRACE_TYPE(LOOKUP, "%s s->st_value = %p, found->base = %p",
1027 name, reinterpret_cast<void*>(s->st_value), reinterpret_cast<void*>((*found)->base));
1028 }
1029
1030 return s;
1031 }
1032
find_containing_library(const void * p)1033 soinfo* find_containing_library(const void* p) {
1034 ElfW(Addr) address = reinterpret_cast<ElfW(Addr)>(p);
1035 for (soinfo* si = solist; si != nullptr; si = si->next) {
1036 if (address >= si->base && address - si->base < si->size) {
1037 return si;
1038 }
1039 }
1040 return nullptr;
1041 }
1042
ElfW(Sym)1043 ElfW(Sym)* soinfo::find_symbol_by_address(const void* addr) {
1044 return is_gnu_hash() ? gnu_addr_lookup(addr) : elf_addr_lookup(addr);
1045 }
1046
symbol_matches_soaddr(const ElfW (Sym)* sym,ElfW (Addr)soaddr)1047 static bool symbol_matches_soaddr(const ElfW(Sym)* sym, ElfW(Addr) soaddr) {
1048 return sym->st_shndx != SHN_UNDEF &&
1049 soaddr >= sym->st_value &&
1050 soaddr < sym->st_value + sym->st_size;
1051 }
1052
ElfW(Sym)1053 ElfW(Sym)* soinfo::gnu_addr_lookup(const void* addr) {
1054 ElfW(Addr) soaddr = reinterpret_cast<ElfW(Addr)>(addr) - load_bias;
1055
1056 for (size_t i = 0; i < gnu_nbucket_; ++i) {
1057 uint32_t n = gnu_bucket_[i];
1058
1059 if (n == 0) {
1060 continue;
1061 }
1062
1063 do {
1064 ElfW(Sym)* sym = symtab_ + n;
1065 if (symbol_matches_soaddr(sym, soaddr)) {
1066 return sym;
1067 }
1068 } while ((gnu_chain_[n++] & 1) == 0);
1069 }
1070
1071 return nullptr;
1072 }
1073
ElfW(Sym)1074 ElfW(Sym)* soinfo::elf_addr_lookup(const void* addr) {
1075 ElfW(Addr) soaddr = reinterpret_cast<ElfW(Addr)>(addr) - load_bias;
1076
1077 // Search the library's symbol table for any defined symbol which
1078 // contains this address.
1079 for (size_t i = 0; i < nchain_; ++i) {
1080 ElfW(Sym)* sym = symtab_ + i;
1081 if (symbol_matches_soaddr(sym, soaddr)) {
1082 return sym;
1083 }
1084 }
1085
1086 return nullptr;
1087 }
1088
open_library_in_zipfile(const char * const path,off64_t * file_offset)1089 static int open_library_in_zipfile(const char* const path,
1090 off64_t* file_offset) {
1091 TRACE("Trying zip file open from path '%s'", path);
1092
1093 // Treat an '!/' separator inside a path as the separator between the name
1094 // of the zip file on disk and the subdirectory to search within it.
1095 // For example, if path is "foo.zip!/bar/bas/x.so", then we search for
1096 // "bar/bas/x.so" within "foo.zip".
1097 const char* separator = strstr(path, "!/");
1098 if (separator == nullptr) {
1099 return -1;
1100 }
1101
1102 char buf[512];
1103 if (strlcpy(buf, path, sizeof(buf)) >= sizeof(buf)) {
1104 PRINT("Warning: ignoring very long library path: %s", path);
1105 return -1;
1106 }
1107
1108 buf[separator - path] = '\0';
1109
1110 const char* zip_path = buf;
1111 const char* file_path = &buf[separator - path + 2];
1112 int fd = TEMP_FAILURE_RETRY(open(zip_path, O_RDONLY | O_CLOEXEC));
1113 if (fd == -1) {
1114 return -1;
1115 }
1116
1117 ZipArchiveHandle handle;
1118 if (OpenArchiveFd(fd, "", &handle, false) != 0) {
1119 // invalid zip-file (?)
1120 close(fd);
1121 return -1;
1122 }
1123
1124 auto archive_guard = make_scope_guard([&]() {
1125 CloseArchive(handle);
1126 });
1127
1128 ZipEntry entry;
1129
1130 if (FindEntry(handle, ZipEntryName(file_path), &entry) != 0) {
1131 // Entry was not found.
1132 close(fd);
1133 return -1;
1134 }
1135
1136 // Check if it is properly stored
1137 if (entry.method != kCompressStored || (entry.offset % PAGE_SIZE) != 0) {
1138 close(fd);
1139 return -1;
1140 }
1141
1142 *file_offset = entry.offset;
1143 return fd;
1144 }
1145
format_path(char * buf,size_t buf_size,const char * path,const char * name)1146 static bool format_path(char* buf, size_t buf_size, const char* path, const char* name) {
1147 int n = __libc_format_buffer(buf, buf_size, "%s/%s", path, name);
1148 if (n < 0 || n >= static_cast<int>(buf_size)) {
1149 PRINT("Warning: ignoring very long library path: %s/%s", path, name);
1150 return false;
1151 }
1152
1153 return true;
1154 }
1155
open_library_on_default_path(const char * name,off64_t * file_offset)1156 static int open_library_on_default_path(const char* name, off64_t* file_offset) {
1157 for (size_t i = 0; kDefaultLdPaths[i] != nullptr; ++i) {
1158 char buf[512];
1159 if (!format_path(buf, sizeof(buf), kDefaultLdPaths[i], name)) {
1160 continue;
1161 }
1162
1163 int fd = TEMP_FAILURE_RETRY(open(buf, O_RDONLY | O_CLOEXEC));
1164 if (fd != -1) {
1165 *file_offset = 0;
1166 return fd;
1167 }
1168 }
1169
1170 return -1;
1171 }
1172
open_library_on_ld_library_path(const char * name,off64_t * file_offset)1173 static int open_library_on_ld_library_path(const char* name, off64_t* file_offset) {
1174 for (const auto& path_str : g_ld_library_paths) {
1175 char buf[512];
1176 const char* const path = path_str.c_str();
1177 if (!format_path(buf, sizeof(buf), path, name)) {
1178 continue;
1179 }
1180
1181 int fd = -1;
1182 if (strchr(buf, '!') != nullptr) {
1183 fd = open_library_in_zipfile(buf, file_offset);
1184 }
1185
1186 if (fd == -1) {
1187 fd = TEMP_FAILURE_RETRY(open(buf, O_RDONLY | O_CLOEXEC));
1188 if (fd != -1) {
1189 *file_offset = 0;
1190 }
1191 }
1192
1193 if (fd != -1) {
1194 return fd;
1195 }
1196 }
1197
1198 return -1;
1199 }
1200
open_library(const char * name,off64_t * file_offset)1201 static int open_library(const char* name, off64_t* file_offset) {
1202 TRACE("[ opening %s ]", name);
1203
1204 // If the name contains a slash, we should attempt to open it directly and not search the paths.
1205 if (strchr(name, '/') != nullptr) {
1206 if (strchr(name, '!') != nullptr) {
1207 int fd = open_library_in_zipfile(name, file_offset);
1208 if (fd != -1) {
1209 return fd;
1210 }
1211 }
1212
1213 int fd = TEMP_FAILURE_RETRY(open(name, O_RDONLY | O_CLOEXEC));
1214 if (fd != -1) {
1215 *file_offset = 0;
1216 }
1217 return fd;
1218 }
1219
1220 // Otherwise we try LD_LIBRARY_PATH first, and fall back to the built-in well known paths.
1221 int fd = open_library_on_ld_library_path(name, file_offset);
1222 if (fd == -1) {
1223 fd = open_library_on_default_path(name, file_offset);
1224 }
1225 return fd;
1226 }
1227
fix_dt_needed(const char * dt_needed,const char * sopath __unused)1228 static const char* fix_dt_needed(const char* dt_needed, const char* sopath __unused) {
1229 #if !defined(__LP64__)
1230 // Work around incorrect DT_NEEDED entries for old apps: http://b/21364029
1231 if (get_application_target_sdk_version() <= 22) {
1232 const char* bname = basename(dt_needed);
1233 if (bname != dt_needed) {
1234 DL_WARN("'%s' library has invalid DT_NEEDED entry '%s'", sopath, dt_needed);
1235 }
1236
1237 return bname;
1238 }
1239 #endif
1240 return dt_needed;
1241 }
1242
1243 template<typename F>
for_each_dt_needed(const soinfo * si,F action)1244 static void for_each_dt_needed(const soinfo* si, F action) {
1245 for (ElfW(Dyn)* d = si->dynamic; d->d_tag != DT_NULL; ++d) {
1246 if (d->d_tag == DT_NEEDED) {
1247 action(fix_dt_needed(si->get_string(d->d_un.d_val), si->get_realpath()));
1248 }
1249 }
1250 }
1251
load_library(int fd,off64_t file_offset,LoadTaskList & load_tasks,const char * name,int rtld_flags,const android_dlextinfo * extinfo)1252 static soinfo* load_library(int fd, off64_t file_offset,
1253 LoadTaskList& load_tasks,
1254 const char* name, int rtld_flags,
1255 const android_dlextinfo* extinfo) {
1256 if ((file_offset % PAGE_SIZE) != 0) {
1257 DL_ERR("file offset for the library \"%s\" is not page-aligned: %" PRId64, name, file_offset);
1258 return nullptr;
1259 }
1260 if (file_offset < 0) {
1261 DL_ERR("file offset for the library \"%s\" is negative: %" PRId64, name, file_offset);
1262 return nullptr;
1263 }
1264
1265 struct stat file_stat;
1266 if (TEMP_FAILURE_RETRY(fstat(fd, &file_stat)) != 0) {
1267 DL_ERR("unable to stat file for the library \"%s\": %s", name, strerror(errno));
1268 return nullptr;
1269 }
1270 if (file_offset >= file_stat.st_size) {
1271 DL_ERR("file offset for the library \"%s\" >= file size: %" PRId64 " >= %" PRId64,
1272 name, file_offset, file_stat.st_size);
1273 return nullptr;
1274 }
1275
1276 // Check for symlink and other situations where
1277 // file can have different names, unless ANDROID_DLEXT_FORCE_LOAD is set
1278 if (extinfo == nullptr || (extinfo->flags & ANDROID_DLEXT_FORCE_LOAD) == 0) {
1279 for (soinfo* si = solist; si != nullptr; si = si->next) {
1280 if (si->get_st_dev() != 0 &&
1281 si->get_st_ino() != 0 &&
1282 si->get_st_dev() == file_stat.st_dev &&
1283 si->get_st_ino() == file_stat.st_ino &&
1284 si->get_file_offset() == file_offset) {
1285 TRACE("library \"%s\" is already loaded under different name/path \"%s\" - "
1286 "will return existing soinfo", name, si->get_realpath());
1287 return si;
1288 }
1289 }
1290 }
1291
1292 if ((rtld_flags & RTLD_NOLOAD) != 0) {
1293 DL_ERR("library \"%s\" wasn't loaded and RTLD_NOLOAD prevented it", name);
1294 return nullptr;
1295 }
1296
1297 std::string realpath = name;
1298 if (!realpath_fd(fd, &realpath)) {
1299 PRINT("warning: unable to get realpath for the library \"%s\". Will use given name.", name);
1300 realpath = name;
1301 }
1302
1303 // Read the ELF header and load the segments.
1304 ElfReader elf_reader(realpath.c_str(), fd, file_offset, file_stat.st_size);
1305 if (!elf_reader.Load(extinfo)) {
1306 return nullptr;
1307 }
1308
1309 soinfo* si = soinfo_alloc(realpath.c_str(), &file_stat, file_offset, rtld_flags);
1310 if (si == nullptr) {
1311 return nullptr;
1312 }
1313 si->base = elf_reader.load_start();
1314 si->size = elf_reader.load_size();
1315 si->load_bias = elf_reader.load_bias();
1316 si->phnum = elf_reader.phdr_count();
1317 si->phdr = elf_reader.loaded_phdr();
1318
1319 if (!si->prelink_image()) {
1320 soinfo_free(si);
1321 return nullptr;
1322 }
1323
1324 for_each_dt_needed(si, [&] (const char* name) {
1325 load_tasks.push_back(LoadTask::create(name, si));
1326 });
1327
1328 return si;
1329 }
1330
load_library(LoadTaskList & load_tasks,const char * name,int rtld_flags,const android_dlextinfo * extinfo)1331 static soinfo* load_library(LoadTaskList& load_tasks,
1332 const char* name, int rtld_flags,
1333 const android_dlextinfo* extinfo) {
1334 if (extinfo != nullptr && (extinfo->flags & ANDROID_DLEXT_USE_LIBRARY_FD) != 0) {
1335 off64_t file_offset = 0;
1336 if ((extinfo->flags & ANDROID_DLEXT_USE_LIBRARY_FD_OFFSET) != 0) {
1337 file_offset = extinfo->library_fd_offset;
1338 }
1339 return load_library(extinfo->library_fd, file_offset, load_tasks, name, rtld_flags, extinfo);
1340 }
1341
1342 // Open the file.
1343 off64_t file_offset;
1344 int fd = open_library(name, &file_offset);
1345 if (fd == -1) {
1346 DL_ERR("library \"%s\" not found", name);
1347 return nullptr;
1348 }
1349 soinfo* result = load_library(fd, file_offset, load_tasks, name, rtld_flags, extinfo);
1350 close(fd);
1351 return result;
1352 }
1353
1354 // Returns true if library was found and false in 2 cases
1355 // 1. The library was found but loaded under different target_sdk_version
1356 // (*candidate != nullptr)
1357 // 2. The library was not found by soname (*candidate is nullptr)
find_loaded_library_by_soname(const char * name,soinfo ** candidate)1358 static bool find_loaded_library_by_soname(const char* name, soinfo** candidate) {
1359 *candidate = nullptr;
1360
1361 // Ignore filename with path.
1362 if (strchr(name, '/') != nullptr) {
1363 return false;
1364 }
1365
1366 uint32_t target_sdk_version = get_application_target_sdk_version();
1367
1368 for (soinfo* si = solist; si != nullptr; si = si->next) {
1369 const char* soname = si->get_soname();
1370 if (soname != nullptr && (strcmp(name, soname) == 0)) {
1371 // If the library was opened under different target sdk version
1372 // skip this step and try to reopen it. The exceptions are
1373 // "libdl.so" and global group. There is no point in skipping
1374 // them because relocation process is going to use them
1375 // in any case.
1376 bool is_libdl = si == solist;
1377 if (is_libdl || (si->get_dt_flags_1() & DF_1_GLOBAL) != 0 ||
1378 !si->is_linked() || si->get_target_sdk_version() == target_sdk_version) {
1379 *candidate = si;
1380 return true;
1381 } else if (*candidate == nullptr) {
1382 // for the different sdk version - remember the first library.
1383 *candidate = si;
1384 }
1385 }
1386 }
1387
1388 return false;
1389 }
1390
find_library_internal(LoadTaskList & load_tasks,const char * name,int rtld_flags,const android_dlextinfo * extinfo)1391 static soinfo* find_library_internal(LoadTaskList& load_tasks, const char* name,
1392 int rtld_flags, const android_dlextinfo* extinfo) {
1393 soinfo* candidate;
1394
1395 if (find_loaded_library_by_soname(name, &candidate)) {
1396 return candidate;
1397 }
1398
1399 // Library might still be loaded, the accurate detection
1400 // of this fact is done by load_library.
1401 TRACE("[ '%s' find_loaded_library_by_soname returned false (*candidate=%s@%p). Trying harder...]",
1402 name, candidate == nullptr ? "n/a" : candidate->get_realpath(), candidate);
1403
1404 soinfo* si = load_library(load_tasks, name, rtld_flags, extinfo);
1405
1406 // In case we were unable to load the library but there
1407 // is a candidate loaded under the same soname but different
1408 // sdk level - return it anyways.
1409 if (si == nullptr && candidate != nullptr) {
1410 si = candidate;
1411 }
1412
1413 return si;
1414 }
1415
1416 static void soinfo_unload(soinfo* si);
1417
1418 // TODO: this is slightly unusual way to construct
1419 // the global group for relocation. Not every RTLD_GLOBAL
1420 // library is included in this group for backwards-compatibility
1421 // reasons.
1422 //
1423 // This group consists of the main executable, LD_PRELOADs
1424 // and libraries with the DF_1_GLOBAL flag set.
make_global_group()1425 static soinfo::soinfo_list_t make_global_group() {
1426 soinfo::soinfo_list_t global_group;
1427 for (soinfo* si = somain; si != nullptr; si = si->next) {
1428 if ((si->get_dt_flags_1() & DF_1_GLOBAL) != 0) {
1429 global_group.push_back(si);
1430 }
1431 }
1432
1433 return global_group;
1434 }
1435
find_libraries(soinfo * start_with,const char * const library_names[],size_t library_names_count,soinfo * soinfos[],std::vector<soinfo * > * ld_preloads,size_t ld_preloads_count,int rtld_flags,const android_dlextinfo * extinfo)1436 static bool find_libraries(soinfo* start_with, const char* const library_names[],
1437 size_t library_names_count, soinfo* soinfos[], std::vector<soinfo*>* ld_preloads,
1438 size_t ld_preloads_count, int rtld_flags, const android_dlextinfo* extinfo) {
1439 // Step 0: prepare.
1440 LoadTaskList load_tasks;
1441 for (size_t i = 0; i < library_names_count; ++i) {
1442 const char* name = library_names[i];
1443 load_tasks.push_back(LoadTask::create(name, start_with));
1444 }
1445
1446 // Construct global_group.
1447 soinfo::soinfo_list_t global_group = make_global_group();
1448
1449 // If soinfos array is null allocate one on stack.
1450 // The array is needed in case of failure; for example
1451 // when library_names[] = {libone.so, libtwo.so} and libone.so
1452 // is loaded correctly but libtwo.so failed for some reason.
1453 // In this case libone.so should be unloaded on return.
1454 // See also implementation of failure_guard below.
1455
1456 if (soinfos == nullptr) {
1457 size_t soinfos_size = sizeof(soinfo*)*library_names_count;
1458 soinfos = reinterpret_cast<soinfo**>(alloca(soinfos_size));
1459 memset(soinfos, 0, soinfos_size);
1460 }
1461
1462 // list of libraries to link - see step 2.
1463 size_t soinfos_count = 0;
1464
1465 auto failure_guard = make_scope_guard([&]() {
1466 // Housekeeping
1467 load_tasks.for_each([] (LoadTask* t) {
1468 LoadTask::deleter(t);
1469 });
1470
1471 for (size_t i = 0; i<soinfos_count; ++i) {
1472 soinfo_unload(soinfos[i]);
1473 }
1474 });
1475
1476 // Step 1: load and pre-link all DT_NEEDED libraries in breadth first order.
1477 for (LoadTask::unique_ptr task(load_tasks.pop_front());
1478 task.get() != nullptr; task.reset(load_tasks.pop_front())) {
1479 soinfo* needed_by = task->get_needed_by();
1480
1481 soinfo* si = find_library_internal(load_tasks, task->get_name(),
1482 rtld_flags, needed_by == nullptr ? extinfo : nullptr);
1483 if (si == nullptr) {
1484 return false;
1485 }
1486
1487 if (needed_by != nullptr) {
1488 needed_by->add_child(si);
1489 }
1490
1491 if (si->is_linked()) {
1492 si->increment_ref_count();
1493 }
1494
1495 // When ld_preloads is not null, the first
1496 // ld_preloads_count libs are in fact ld_preloads.
1497 if (ld_preloads != nullptr && soinfos_count < ld_preloads_count) {
1498 // Add LD_PRELOADed libraries to the global group for future runs.
1499 // There is no need to explicitly add them to the global group
1500 // for this run because they are going to appear in the local
1501 // group in the correct order.
1502 si->set_dt_flags_1(si->get_dt_flags_1() | DF_1_GLOBAL);
1503 ld_preloads->push_back(si);
1504 }
1505
1506 if (soinfos_count < library_names_count) {
1507 soinfos[soinfos_count++] = si;
1508 }
1509 }
1510
1511 // Step 2: link libraries.
1512 soinfo::soinfo_list_t local_group;
1513 walk_dependencies_tree(
1514 start_with == nullptr ? soinfos : &start_with,
1515 start_with == nullptr ? soinfos_count : 1,
1516 [&] (soinfo* si) {
1517 local_group.push_back(si);
1518 return true;
1519 });
1520
1521 // We need to increment ref_count in case
1522 // the root of the local group was not linked.
1523 bool was_local_group_root_linked = local_group.front()->is_linked();
1524
1525 bool linked = local_group.visit([&](soinfo* si) {
1526 if (!si->is_linked()) {
1527 if (!si->link_image(global_group, local_group, extinfo)) {
1528 return false;
1529 }
1530 si->set_linked();
1531 }
1532
1533 return true;
1534 });
1535
1536 if (linked) {
1537 failure_guard.disable();
1538 }
1539
1540 if (!was_local_group_root_linked) {
1541 local_group.front()->increment_ref_count();
1542 }
1543
1544 return linked;
1545 }
1546
find_library(const char * name,int rtld_flags,const android_dlextinfo * extinfo)1547 static soinfo* find_library(const char* name, int rtld_flags, const android_dlextinfo* extinfo) {
1548 soinfo* si;
1549
1550 if (name == nullptr) {
1551 si = somain;
1552 } else if (!find_libraries(nullptr, &name, 1, &si, nullptr, 0, rtld_flags, extinfo)) {
1553 return nullptr;
1554 }
1555
1556 return si;
1557 }
1558
soinfo_unload(soinfo * root)1559 static void soinfo_unload(soinfo* root) {
1560 // Note that the library can be loaded but not linked;
1561 // in which case there is no root but we still need
1562 // to walk the tree and unload soinfos involved.
1563 //
1564 // This happens on unsuccessful dlopen, when one of
1565 // the DT_NEEDED libraries could not be linked/found.
1566 if (root->is_linked()) {
1567 root = root->get_local_group_root();
1568 }
1569
1570 if (!root->can_unload()) {
1571 TRACE("not unloading '%s' - the binary is flagged with NODELETE", root->get_realpath());
1572 return;
1573 }
1574
1575 size_t ref_count = root->is_linked() ? root->decrement_ref_count() : 0;
1576
1577 if (ref_count == 0) {
1578 soinfo::soinfo_list_t local_unload_list;
1579 soinfo::soinfo_list_t external_unload_list;
1580 soinfo::soinfo_list_t depth_first_list;
1581 depth_first_list.push_back(root);
1582 soinfo* si = nullptr;
1583
1584 while ((si = depth_first_list.pop_front()) != nullptr) {
1585 if (local_unload_list.contains(si)) {
1586 continue;
1587 }
1588
1589 local_unload_list.push_back(si);
1590
1591 if (si->has_min_version(0)) {
1592 soinfo* child = nullptr;
1593 while ((child = si->get_children().pop_front()) != nullptr) {
1594 TRACE("%s@%p needs to unload %s@%p", si->get_realpath(), si,
1595 child->get_realpath(), child);
1596
1597 if (local_unload_list.contains(child)) {
1598 continue;
1599 } else if (child->is_linked() && child->get_local_group_root() != root) {
1600 external_unload_list.push_back(child);
1601 } else {
1602 depth_first_list.push_front(child);
1603 }
1604 }
1605 } else {
1606 #if !defined(__work_around_b_19059885__)
1607 __libc_fatal("soinfo for \"%s\"@%p has no version", si->get_realpath(), si);
1608 #else
1609 PRINT("warning: soinfo for \"%s\"@%p has no version", si->get_realpath(), si);
1610 for_each_dt_needed(si, [&] (const char* library_name) {
1611 TRACE("deprecated (old format of soinfo): %s needs to unload %s",
1612 si->get_realpath(), library_name);
1613
1614 soinfo* needed = find_library(library_name, RTLD_NOLOAD, nullptr);
1615 if (needed != nullptr) {
1616 // Not found: for example if symlink was deleted between dlopen and dlclose
1617 // Since we cannot really handle errors at this point - print and continue.
1618 PRINT("warning: couldn't find %s needed by %s on unload.",
1619 library_name, si->get_realpath());
1620 return;
1621 } else if (local_unload_list.contains(needed)) {
1622 // already visited
1623 return;
1624 } else if (needed->is_linked() && needed->get_local_group_root() != root) {
1625 // external group
1626 external_unload_list.push_back(needed);
1627 } else {
1628 // local group
1629 depth_first_list.push_front(needed);
1630 }
1631 });
1632 #endif
1633 }
1634 }
1635
1636 local_unload_list.for_each([](soinfo* si) {
1637 si->call_destructors();
1638 });
1639
1640 while ((si = local_unload_list.pop_front()) != nullptr) {
1641 notify_gdb_of_unload(si);
1642 soinfo_free(si);
1643 }
1644
1645 while ((si = external_unload_list.pop_front()) != nullptr) {
1646 soinfo_unload(si);
1647 }
1648 } else {
1649 TRACE("not unloading '%s' group, decrementing ref_count to %zd",
1650 root->get_realpath(), ref_count);
1651 }
1652 }
1653
do_android_get_LD_LIBRARY_PATH(char * buffer,size_t buffer_size)1654 void do_android_get_LD_LIBRARY_PATH(char* buffer, size_t buffer_size) {
1655 // Use basic string manipulation calls to avoid snprintf.
1656 // snprintf indirectly calls pthread_getspecific to get the size of a buffer.
1657 // When debug malloc is enabled, this call returns 0. This in turn causes
1658 // snprintf to do nothing, which causes libraries to fail to load.
1659 // See b/17302493 for further details.
1660 // Once the above bug is fixed, this code can be modified to use
1661 // snprintf again.
1662 size_t required_len = strlen(kDefaultLdPaths[0]) + strlen(kDefaultLdPaths[1]) + 2;
1663 if (buffer_size < required_len) {
1664 __libc_fatal("android_get_LD_LIBRARY_PATH failed, buffer too small: "
1665 "buffer len %zu, required len %zu", buffer_size, required_len);
1666 }
1667 char* end = stpcpy(buffer, kDefaultLdPaths[0]);
1668 *end = ':';
1669 strcpy(end + 1, kDefaultLdPaths[1]);
1670 }
1671
do_android_update_LD_LIBRARY_PATH(const char * ld_library_path)1672 void do_android_update_LD_LIBRARY_PATH(const char* ld_library_path) {
1673 parse_LD_LIBRARY_PATH(ld_library_path);
1674 }
1675
do_dlopen(const char * name,int flags,const android_dlextinfo * extinfo)1676 soinfo* do_dlopen(const char* name, int flags, const android_dlextinfo* extinfo) {
1677 if ((flags & ~(RTLD_NOW|RTLD_LAZY|RTLD_LOCAL|RTLD_GLOBAL|RTLD_NODELETE|RTLD_NOLOAD)) != 0) {
1678 DL_ERR("invalid flags to dlopen: %x", flags);
1679 return nullptr;
1680 }
1681 if (extinfo != nullptr) {
1682 if ((extinfo->flags & ~(ANDROID_DLEXT_VALID_FLAG_BITS)) != 0) {
1683 DL_ERR("invalid extended flags to android_dlopen_ext: 0x%" PRIx64, extinfo->flags);
1684 return nullptr;
1685 }
1686 if ((extinfo->flags & ANDROID_DLEXT_USE_LIBRARY_FD) == 0 &&
1687 (extinfo->flags & ANDROID_DLEXT_USE_LIBRARY_FD_OFFSET) != 0) {
1688 DL_ERR("invalid extended flag combination (ANDROID_DLEXT_USE_LIBRARY_FD_OFFSET without "
1689 "ANDROID_DLEXT_USE_LIBRARY_FD): 0x%" PRIx64, extinfo->flags);
1690 return nullptr;
1691 }
1692 }
1693
1694 ProtectedDataGuard guard;
1695 soinfo* si = find_library(name, flags, extinfo);
1696 if (si != nullptr) {
1697 si->call_constructors();
1698 }
1699 return si;
1700 }
1701
do_dlclose(soinfo * si)1702 void do_dlclose(soinfo* si) {
1703 ProtectedDataGuard guard;
1704 soinfo_unload(si);
1705 }
1706
call_ifunc_resolver(ElfW (Addr)resolver_addr)1707 static ElfW(Addr) call_ifunc_resolver(ElfW(Addr) resolver_addr) {
1708 typedef ElfW(Addr) (*ifunc_resolver_t)(void);
1709 ifunc_resolver_t ifunc_resolver = reinterpret_cast<ifunc_resolver_t>(resolver_addr);
1710 ElfW(Addr) ifunc_addr = ifunc_resolver();
1711 TRACE_TYPE(RELO, "Called ifunc_resolver@%p. The result is %p",
1712 ifunc_resolver, reinterpret_cast<void*>(ifunc_addr));
1713
1714 return ifunc_addr;
1715 }
1716
get_version_info(ElfW (Versym)source_symver) const1717 const version_info* VersionTracker::get_version_info(ElfW(Versym) source_symver) const {
1718 if (source_symver < 2 ||
1719 source_symver >= version_infos.size() ||
1720 version_infos[source_symver].name == nullptr) {
1721 return nullptr;
1722 }
1723
1724 return &version_infos[source_symver];
1725 }
1726
add_version_info(size_t source_index,ElfW (Word)elf_hash,const char * ver_name,const soinfo * target_si)1727 void VersionTracker::add_version_info(size_t source_index,
1728 ElfW(Word) elf_hash,
1729 const char* ver_name,
1730 const soinfo* target_si) {
1731 if (source_index >= version_infos.size()) {
1732 version_infos.resize(source_index+1);
1733 }
1734
1735 version_infos[source_index].elf_hash = elf_hash;
1736 version_infos[source_index].name = ver_name;
1737 version_infos[source_index].target_si = target_si;
1738 }
1739
init_verneed(const soinfo * si_from)1740 bool VersionTracker::init_verneed(const soinfo* si_from) {
1741 uintptr_t verneed_ptr = si_from->get_verneed_ptr();
1742
1743 if (verneed_ptr == 0) {
1744 return true;
1745 }
1746
1747 size_t verneed_cnt = si_from->get_verneed_cnt();
1748
1749 for (size_t i = 0, offset = 0; i<verneed_cnt; ++i) {
1750 const ElfW(Verneed)* verneed = reinterpret_cast<ElfW(Verneed)*>(verneed_ptr + offset);
1751 size_t vernaux_offset = offset + verneed->vn_aux;
1752 offset += verneed->vn_next;
1753
1754 if (verneed->vn_version != 1) {
1755 DL_ERR("unsupported verneed[%zd] vn_version: %d (expected 1)", i, verneed->vn_version);
1756 return false;
1757 }
1758
1759 const char* target_soname = si_from->get_string(verneed->vn_file);
1760 // find it in dependencies
1761 soinfo* target_si = si_from->get_children().find_if([&](const soinfo* si) {
1762 return si->get_soname() != nullptr && strcmp(si->get_soname(), target_soname) == 0;
1763 });
1764
1765 if (target_si == nullptr) {
1766 DL_ERR("cannot find \"%s\" from verneed[%zd] in DT_NEEDED list for \"%s\"",
1767 target_soname, i, si_from->get_realpath());
1768 return false;
1769 }
1770
1771 for (size_t j = 0; j<verneed->vn_cnt; ++j) {
1772 const ElfW(Vernaux)* vernaux = reinterpret_cast<ElfW(Vernaux)*>(verneed_ptr + vernaux_offset);
1773 vernaux_offset += vernaux->vna_next;
1774
1775 const ElfW(Word) elf_hash = vernaux->vna_hash;
1776 const char* ver_name = si_from->get_string(vernaux->vna_name);
1777 ElfW(Half) source_index = vernaux->vna_other;
1778
1779 add_version_info(source_index, elf_hash, ver_name, target_si);
1780 }
1781 }
1782
1783 return true;
1784 }
1785
init_verdef(const soinfo * si_from)1786 bool VersionTracker::init_verdef(const soinfo* si_from) {
1787 return for_each_verdef(si_from,
1788 [&](size_t, const ElfW(Verdef)* verdef, const ElfW(Verdaux)* verdaux) {
1789 add_version_info(verdef->vd_ndx, verdef->vd_hash,
1790 si_from->get_string(verdaux->vda_name), si_from);
1791 return false;
1792 }
1793 );
1794 }
1795
init(const soinfo * si_from)1796 bool VersionTracker::init(const soinfo* si_from) {
1797 if (!si_from->has_min_version(2)) {
1798 return true;
1799 }
1800
1801 return init_verneed(si_from) && init_verdef(si_from);
1802 }
1803
lookup_version_info(const VersionTracker & version_tracker,ElfW (Word)sym,const char * sym_name,const version_info ** vi)1804 bool soinfo::lookup_version_info(const VersionTracker& version_tracker, ElfW(Word) sym,
1805 const char* sym_name, const version_info** vi) {
1806 const ElfW(Versym)* sym_ver_ptr = get_versym(sym);
1807 ElfW(Versym) sym_ver = sym_ver_ptr == nullptr ? 0 : *sym_ver_ptr;
1808
1809 if (sym_ver != VER_NDX_LOCAL && sym_ver != VER_NDX_GLOBAL) {
1810 *vi = version_tracker.get_version_info(sym_ver);
1811
1812 if (*vi == nullptr) {
1813 DL_ERR("cannot find verneed/verdef for version index=%d "
1814 "referenced by symbol \"%s\" at \"%s\"", sym_ver, sym_name, get_realpath());
1815 return false;
1816 }
1817 } else {
1818 // there is no version info
1819 *vi = nullptr;
1820 }
1821
1822 return true;
1823 }
1824
1825 #if !defined(__mips__)
1826 #if defined(USE_RELA)
get_addend(ElfW (Rela)* rela,ElfW (Addr)reloc_addr __unused)1827 static ElfW(Addr) get_addend(ElfW(Rela)* rela, ElfW(Addr) reloc_addr __unused) {
1828 return rela->r_addend;
1829 }
1830 #else
get_addend(ElfW (Rel)* rel,ElfW (Addr)reloc_addr)1831 static ElfW(Addr) get_addend(ElfW(Rel)* rel, ElfW(Addr) reloc_addr) {
1832 if (ELFW(R_TYPE)(rel->r_info) == R_GENERIC_RELATIVE ||
1833 ELFW(R_TYPE)(rel->r_info) == R_GENERIC_IRELATIVE) {
1834 return *reinterpret_cast<ElfW(Addr)*>(reloc_addr);
1835 }
1836 return 0;
1837 }
1838 #endif
1839
1840 template<typename ElfRelIteratorT>
relocate(const VersionTracker & version_tracker,ElfRelIteratorT && rel_iterator,const soinfo_list_t & global_group,const soinfo_list_t & local_group)1841 bool soinfo::relocate(const VersionTracker& version_tracker, ElfRelIteratorT&& rel_iterator,
1842 const soinfo_list_t& global_group, const soinfo_list_t& local_group) {
1843 for (size_t idx = 0; rel_iterator.has_next(); ++idx) {
1844 const auto rel = rel_iterator.next();
1845 if (rel == nullptr) {
1846 return false;
1847 }
1848
1849 ElfW(Word) type = ELFW(R_TYPE)(rel->r_info);
1850 ElfW(Word) sym = ELFW(R_SYM)(rel->r_info);
1851
1852 ElfW(Addr) reloc = static_cast<ElfW(Addr)>(rel->r_offset + load_bias);
1853 ElfW(Addr) sym_addr = 0;
1854 const char* sym_name = nullptr;
1855 ElfW(Addr) addend = get_addend(rel, reloc);
1856
1857 DEBUG("Processing '%s' relocation at index %zd", get_realpath(), idx);
1858 if (type == R_GENERIC_NONE) {
1859 continue;
1860 }
1861
1862 const ElfW(Sym)* s = nullptr;
1863 soinfo* lsi = nullptr;
1864
1865 if (sym != 0) {
1866 sym_name = get_string(symtab_[sym].st_name);
1867 const version_info* vi = nullptr;
1868
1869 if (!lookup_version_info(version_tracker, sym, sym_name, &vi)) {
1870 return false;
1871 }
1872
1873 if (!soinfo_do_lookup(this, sym_name, vi, &lsi, global_group, local_group, &s)) {
1874 return false;
1875 }
1876
1877 if (s == nullptr) {
1878 // We only allow an undefined symbol if this is a weak reference...
1879 s = &symtab_[sym];
1880 if (ELF_ST_BIND(s->st_info) != STB_WEAK) {
1881 DL_ERR("cannot locate symbol \"%s\" referenced by \"%s\"...", sym_name, get_realpath());
1882 return false;
1883 }
1884
1885 /* IHI0044C AAELF 4.5.1.1:
1886
1887 Libraries are not searched to resolve weak references.
1888 It is not an error for a weak reference to remain unsatisfied.
1889
1890 During linking, the value of an undefined weak reference is:
1891 - Zero if the relocation type is absolute
1892 - The address of the place if the relocation is pc-relative
1893 - The address of nominal base address if the relocation
1894 type is base-relative.
1895 */
1896
1897 switch (type) {
1898 case R_GENERIC_JUMP_SLOT:
1899 case R_GENERIC_GLOB_DAT:
1900 case R_GENERIC_RELATIVE:
1901 case R_GENERIC_IRELATIVE:
1902 #if defined(__aarch64__)
1903 case R_AARCH64_ABS64:
1904 case R_AARCH64_ABS32:
1905 case R_AARCH64_ABS16:
1906 #elif defined(__x86_64__)
1907 case R_X86_64_32:
1908 case R_X86_64_64:
1909 #elif defined(__arm__)
1910 case R_ARM_ABS32:
1911 #elif defined(__i386__)
1912 case R_386_32:
1913 #endif
1914 /*
1915 * The sym_addr was initialized to be zero above, or the relocation
1916 * code below does not care about value of sym_addr.
1917 * No need to do anything.
1918 */
1919 break;
1920 #if defined(__x86_64__)
1921 case R_X86_64_PC32:
1922 sym_addr = reloc;
1923 break;
1924 #elif defined(__i386__)
1925 case R_386_PC32:
1926 sym_addr = reloc;
1927 break;
1928 #endif
1929 default:
1930 DL_ERR("unknown weak reloc type %d @ %p (%zu)", type, rel, idx);
1931 return false;
1932 }
1933 } else { // We got a definition.
1934 #if !defined(__LP64__)
1935 // When relocating dso with text_relocation .text segment is
1936 // not executable. We need to restore elf flags before resolving
1937 // STT_GNU_IFUNC symbol.
1938 bool protect_segments = has_text_relocations &&
1939 lsi == this &&
1940 ELF_ST_TYPE(s->st_info) == STT_GNU_IFUNC;
1941 if (protect_segments) {
1942 if (phdr_table_protect_segments(phdr, phnum, load_bias) < 0) {
1943 DL_ERR("can't protect segments for \"%s\": %s",
1944 get_realpath(), strerror(errno));
1945 return false;
1946 }
1947 }
1948 #endif
1949 sym_addr = lsi->resolve_symbol_address(s);
1950 #if !defined(__LP64__)
1951 if (protect_segments) {
1952 if (phdr_table_unprotect_segments(phdr, phnum, load_bias) < 0) {
1953 DL_ERR("can't unprotect loadable segments for \"%s\": %s",
1954 get_realpath(), strerror(errno));
1955 return false;
1956 }
1957 }
1958 #endif
1959 }
1960 count_relocation(kRelocSymbol);
1961 }
1962
1963 switch (type) {
1964 case R_GENERIC_JUMP_SLOT:
1965 count_relocation(kRelocAbsolute);
1966 MARK(rel->r_offset);
1967 TRACE_TYPE(RELO, "RELO JMP_SLOT %16p <- %16p %s\n",
1968 reinterpret_cast<void*>(reloc),
1969 reinterpret_cast<void*>(sym_addr + addend), sym_name);
1970
1971 *reinterpret_cast<ElfW(Addr)*>(reloc) = (sym_addr + addend);
1972 break;
1973 case R_GENERIC_GLOB_DAT:
1974 count_relocation(kRelocAbsolute);
1975 MARK(rel->r_offset);
1976 TRACE_TYPE(RELO, "RELO GLOB_DAT %16p <- %16p %s\n",
1977 reinterpret_cast<void*>(reloc),
1978 reinterpret_cast<void*>(sym_addr + addend), sym_name);
1979 *reinterpret_cast<ElfW(Addr)*>(reloc) = (sym_addr + addend);
1980 break;
1981 case R_GENERIC_RELATIVE:
1982 count_relocation(kRelocRelative);
1983 MARK(rel->r_offset);
1984 TRACE_TYPE(RELO, "RELO RELATIVE %16p <- %16p\n",
1985 reinterpret_cast<void*>(reloc),
1986 reinterpret_cast<void*>(load_bias + addend));
1987 *reinterpret_cast<ElfW(Addr)*>(reloc) = (load_bias + addend);
1988 break;
1989 case R_GENERIC_IRELATIVE:
1990 count_relocation(kRelocRelative);
1991 MARK(rel->r_offset);
1992 TRACE_TYPE(RELO, "RELO IRELATIVE %16p <- %16p\n",
1993 reinterpret_cast<void*>(reloc),
1994 reinterpret_cast<void*>(load_bias + addend));
1995 {
1996 #if !defined(__LP64__)
1997 // When relocating dso with text_relocation .text segment is
1998 // not executable. We need to restore elf flags for this
1999 // particular call.
2000 if (has_text_relocations) {
2001 if (phdr_table_protect_segments(phdr, phnum, load_bias) < 0) {
2002 DL_ERR("can't protect segments for \"%s\": %s",
2003 get_realpath(), strerror(errno));
2004 return false;
2005 }
2006 }
2007 #endif
2008 ElfW(Addr) ifunc_addr = call_ifunc_resolver(load_bias + addend);
2009 #if !defined(__LP64__)
2010 // Unprotect it afterwards...
2011 if (has_text_relocations) {
2012 if (phdr_table_unprotect_segments(phdr, phnum, load_bias) < 0) {
2013 DL_ERR("can't unprotect loadable segments for \"%s\": %s",
2014 get_realpath(), strerror(errno));
2015 return false;
2016 }
2017 }
2018 #endif
2019 *reinterpret_cast<ElfW(Addr)*>(reloc) = ifunc_addr;
2020 }
2021 break;
2022
2023 #if defined(__aarch64__)
2024 case R_AARCH64_ABS64:
2025 count_relocation(kRelocAbsolute);
2026 MARK(rel->r_offset);
2027 TRACE_TYPE(RELO, "RELO ABS64 %16llx <- %16llx %s\n",
2028 reloc, (sym_addr + addend), sym_name);
2029 *reinterpret_cast<ElfW(Addr)*>(reloc) += (sym_addr + addend);
2030 break;
2031 case R_AARCH64_ABS32:
2032 count_relocation(kRelocAbsolute);
2033 MARK(rel->r_offset);
2034 TRACE_TYPE(RELO, "RELO ABS32 %16llx <- %16llx %s\n",
2035 reloc, (sym_addr + addend), sym_name);
2036 {
2037 const ElfW(Addr) reloc_value = *reinterpret_cast<ElfW(Addr)*>(reloc);
2038 const ElfW(Addr) min_value = static_cast<ElfW(Addr)>(INT32_MIN);
2039 const ElfW(Addr) max_value = static_cast<ElfW(Addr)>(UINT32_MAX);
2040 if ((min_value <= (reloc_value + (sym_addr + addend))) &&
2041 ((reloc_value + (sym_addr + addend)) <= max_value)) {
2042 *reinterpret_cast<ElfW(Addr)*>(reloc) += (sym_addr + addend);
2043 } else {
2044 DL_ERR("0x%016llx out of range 0x%016llx to 0x%016llx",
2045 (reloc_value + (sym_addr + addend)), min_value, max_value);
2046 return false;
2047 }
2048 }
2049 break;
2050 case R_AARCH64_ABS16:
2051 count_relocation(kRelocAbsolute);
2052 MARK(rel->r_offset);
2053 TRACE_TYPE(RELO, "RELO ABS16 %16llx <- %16llx %s\n",
2054 reloc, (sym_addr + addend), sym_name);
2055 {
2056 const ElfW(Addr) reloc_value = *reinterpret_cast<ElfW(Addr)*>(reloc);
2057 const ElfW(Addr) min_value = static_cast<ElfW(Addr)>(INT16_MIN);
2058 const ElfW(Addr) max_value = static_cast<ElfW(Addr)>(UINT16_MAX);
2059 if ((min_value <= (reloc_value + (sym_addr + addend))) &&
2060 ((reloc_value + (sym_addr + addend)) <= max_value)) {
2061 *reinterpret_cast<ElfW(Addr)*>(reloc) += (sym_addr + addend);
2062 } else {
2063 DL_ERR("0x%016llx out of range 0x%016llx to 0x%016llx",
2064 reloc_value + (sym_addr + addend), min_value, max_value);
2065 return false;
2066 }
2067 }
2068 break;
2069 case R_AARCH64_PREL64:
2070 count_relocation(kRelocRelative);
2071 MARK(rel->r_offset);
2072 TRACE_TYPE(RELO, "RELO REL64 %16llx <- %16llx - %16llx %s\n",
2073 reloc, (sym_addr + addend), rel->r_offset, sym_name);
2074 *reinterpret_cast<ElfW(Addr)*>(reloc) += (sym_addr + addend) - rel->r_offset;
2075 break;
2076 case R_AARCH64_PREL32:
2077 count_relocation(kRelocRelative);
2078 MARK(rel->r_offset);
2079 TRACE_TYPE(RELO, "RELO REL32 %16llx <- %16llx - %16llx %s\n",
2080 reloc, (sym_addr + addend), rel->r_offset, sym_name);
2081 {
2082 const ElfW(Addr) reloc_value = *reinterpret_cast<ElfW(Addr)*>(reloc);
2083 const ElfW(Addr) min_value = static_cast<ElfW(Addr)>(INT32_MIN);
2084 const ElfW(Addr) max_value = static_cast<ElfW(Addr)>(UINT32_MAX);
2085 if ((min_value <= (reloc_value + ((sym_addr + addend) - rel->r_offset))) &&
2086 ((reloc_value + ((sym_addr + addend) - rel->r_offset)) <= max_value)) {
2087 *reinterpret_cast<ElfW(Addr)*>(reloc) += ((sym_addr + addend) - rel->r_offset);
2088 } else {
2089 DL_ERR("0x%016llx out of range 0x%016llx to 0x%016llx",
2090 reloc_value + ((sym_addr + addend) - rel->r_offset), min_value, max_value);
2091 return false;
2092 }
2093 }
2094 break;
2095 case R_AARCH64_PREL16:
2096 count_relocation(kRelocRelative);
2097 MARK(rel->r_offset);
2098 TRACE_TYPE(RELO, "RELO REL16 %16llx <- %16llx - %16llx %s\n",
2099 reloc, (sym_addr + addend), rel->r_offset, sym_name);
2100 {
2101 const ElfW(Addr) reloc_value = *reinterpret_cast<ElfW(Addr)*>(reloc);
2102 const ElfW(Addr) min_value = static_cast<ElfW(Addr)>(INT16_MIN);
2103 const ElfW(Addr) max_value = static_cast<ElfW(Addr)>(UINT16_MAX);
2104 if ((min_value <= (reloc_value + ((sym_addr + addend) - rel->r_offset))) &&
2105 ((reloc_value + ((sym_addr + addend) - rel->r_offset)) <= max_value)) {
2106 *reinterpret_cast<ElfW(Addr)*>(reloc) += ((sym_addr + addend) - rel->r_offset);
2107 } else {
2108 DL_ERR("0x%016llx out of range 0x%016llx to 0x%016llx",
2109 reloc_value + ((sym_addr + addend) - rel->r_offset), min_value, max_value);
2110 return false;
2111 }
2112 }
2113 break;
2114
2115 case R_AARCH64_COPY:
2116 /*
2117 * ET_EXEC is not supported so this should not happen.
2118 *
2119 * http://infocenter.arm.com/help/topic/com.arm.doc.ihi0056b/IHI0056B_aaelf64.pdf
2120 *
2121 * Section 4.6.11 "Dynamic relocations"
2122 * R_AARCH64_COPY may only appear in executable objects where e_type is
2123 * set to ET_EXEC.
2124 */
2125 DL_ERR("%s R_AARCH64_COPY relocations are not supported", get_realpath());
2126 return false;
2127 case R_AARCH64_TLS_TPREL64:
2128 TRACE_TYPE(RELO, "RELO TLS_TPREL64 *** %16llx <- %16llx - %16llx\n",
2129 reloc, (sym_addr + addend), rel->r_offset);
2130 break;
2131 case R_AARCH64_TLS_DTPREL32:
2132 TRACE_TYPE(RELO, "RELO TLS_DTPREL32 *** %16llx <- %16llx - %16llx\n",
2133 reloc, (sym_addr + addend), rel->r_offset);
2134 break;
2135 #elif defined(__x86_64__)
2136 case R_X86_64_32:
2137 count_relocation(kRelocRelative);
2138 MARK(rel->r_offset);
2139 TRACE_TYPE(RELO, "RELO R_X86_64_32 %08zx <- +%08zx %s", static_cast<size_t>(reloc),
2140 static_cast<size_t>(sym_addr), sym_name);
2141 *reinterpret_cast<ElfW(Addr)*>(reloc) = sym_addr + addend;
2142 break;
2143 case R_X86_64_64:
2144 count_relocation(kRelocRelative);
2145 MARK(rel->r_offset);
2146 TRACE_TYPE(RELO, "RELO R_X86_64_64 %08zx <- +%08zx %s", static_cast<size_t>(reloc),
2147 static_cast<size_t>(sym_addr), sym_name);
2148 *reinterpret_cast<ElfW(Addr)*>(reloc) = sym_addr + addend;
2149 break;
2150 case R_X86_64_PC32:
2151 count_relocation(kRelocRelative);
2152 MARK(rel->r_offset);
2153 TRACE_TYPE(RELO, "RELO R_X86_64_PC32 %08zx <- +%08zx (%08zx - %08zx) %s",
2154 static_cast<size_t>(reloc), static_cast<size_t>(sym_addr - reloc),
2155 static_cast<size_t>(sym_addr), static_cast<size_t>(reloc), sym_name);
2156 *reinterpret_cast<ElfW(Addr)*>(reloc) = sym_addr + addend - reloc;
2157 break;
2158 #elif defined(__arm__)
2159 case R_ARM_ABS32:
2160 count_relocation(kRelocAbsolute);
2161 MARK(rel->r_offset);
2162 TRACE_TYPE(RELO, "RELO ABS %08x <- %08x %s", reloc, sym_addr, sym_name);
2163 *reinterpret_cast<ElfW(Addr)*>(reloc) += sym_addr;
2164 break;
2165 case R_ARM_REL32:
2166 count_relocation(kRelocRelative);
2167 MARK(rel->r_offset);
2168 TRACE_TYPE(RELO, "RELO REL32 %08x <- %08x - %08x %s",
2169 reloc, sym_addr, rel->r_offset, sym_name);
2170 *reinterpret_cast<ElfW(Addr)*>(reloc) += sym_addr - rel->r_offset;
2171 break;
2172 case R_ARM_COPY:
2173 /*
2174 * ET_EXEC is not supported so this should not happen.
2175 *
2176 * http://infocenter.arm.com/help/topic/com.arm.doc.ihi0044d/IHI0044D_aaelf.pdf
2177 *
2178 * Section 4.6.1.10 "Dynamic relocations"
2179 * R_ARM_COPY may only appear in executable objects where e_type is
2180 * set to ET_EXEC.
2181 */
2182 DL_ERR("%s R_ARM_COPY relocations are not supported", get_realpath());
2183 return false;
2184 #elif defined(__i386__)
2185 case R_386_32:
2186 count_relocation(kRelocRelative);
2187 MARK(rel->r_offset);
2188 TRACE_TYPE(RELO, "RELO R_386_32 %08x <- +%08x %s", reloc, sym_addr, sym_name);
2189 *reinterpret_cast<ElfW(Addr)*>(reloc) += sym_addr;
2190 break;
2191 case R_386_PC32:
2192 count_relocation(kRelocRelative);
2193 MARK(rel->r_offset);
2194 TRACE_TYPE(RELO, "RELO R_386_PC32 %08x <- +%08x (%08x - %08x) %s",
2195 reloc, (sym_addr - reloc), sym_addr, reloc, sym_name);
2196 *reinterpret_cast<ElfW(Addr)*>(reloc) += (sym_addr - reloc);
2197 break;
2198 #endif
2199 default:
2200 DL_ERR("unknown reloc type %d @ %p (%zu)", type, rel, idx);
2201 return false;
2202 }
2203 }
2204 return true;
2205 }
2206 #endif // !defined(__mips__)
2207
call_array(const char * array_name __unused,linker_function_t * functions,size_t count,bool reverse)2208 void soinfo::call_array(const char* array_name __unused, linker_function_t* functions,
2209 size_t count, bool reverse) {
2210 if (functions == nullptr) {
2211 return;
2212 }
2213
2214 TRACE("[ Calling %s (size %zd) @ %p for '%s' ]", array_name, count, functions, get_realpath());
2215
2216 int begin = reverse ? (count - 1) : 0;
2217 int end = reverse ? -1 : count;
2218 int step = reverse ? -1 : 1;
2219
2220 for (int i = begin; i != end; i += step) {
2221 TRACE("[ %s[%d] == %p ]", array_name, i, functions[i]);
2222 call_function("function", functions[i]);
2223 }
2224
2225 TRACE("[ Done calling %s for '%s' ]", array_name, get_realpath());
2226 }
2227
call_function(const char * function_name __unused,linker_function_t function)2228 void soinfo::call_function(const char* function_name __unused, linker_function_t function) {
2229 if (function == nullptr || reinterpret_cast<uintptr_t>(function) == static_cast<uintptr_t>(-1)) {
2230 return;
2231 }
2232
2233 TRACE("[ Calling %s @ %p for '%s' ]", function_name, function, get_realpath());
2234 function();
2235 TRACE("[ Done calling %s @ %p for '%s' ]", function_name, function, get_realpath());
2236 }
2237
call_pre_init_constructors()2238 void soinfo::call_pre_init_constructors() {
2239 // DT_PREINIT_ARRAY functions are called before any other constructors for executables,
2240 // but ignored in a shared library.
2241 call_array("DT_PREINIT_ARRAY", preinit_array_, preinit_array_count_, false);
2242 }
2243
call_constructors()2244 void soinfo::call_constructors() {
2245 if (constructors_called) {
2246 return;
2247 }
2248
2249 // We set constructors_called before actually calling the constructors, otherwise it doesn't
2250 // protect against recursive constructor calls. One simple example of constructor recursion
2251 // is the libc debug malloc, which is implemented in libc_malloc_debug_leak.so:
2252 // 1. The program depends on libc, so libc's constructor is called here.
2253 // 2. The libc constructor calls dlopen() to load libc_malloc_debug_leak.so.
2254 // 3. dlopen() calls the constructors on the newly created
2255 // soinfo for libc_malloc_debug_leak.so.
2256 // 4. The debug .so depends on libc, so CallConstructors is
2257 // called again with the libc soinfo. If it doesn't trigger the early-
2258 // out above, the libc constructor will be called again (recursively!).
2259 constructors_called = true;
2260
2261 if (!is_main_executable() && preinit_array_ != nullptr) {
2262 // The GNU dynamic linker silently ignores these, but we warn the developer.
2263 PRINT("\"%s\": ignoring %zd-entry DT_PREINIT_ARRAY in shared library!",
2264 get_realpath(), preinit_array_count_);
2265 }
2266
2267 get_children().for_each([] (soinfo* si) {
2268 si->call_constructors();
2269 });
2270
2271 TRACE("\"%s\": calling constructors", get_realpath());
2272
2273 // DT_INIT should be called before DT_INIT_ARRAY if both are present.
2274 call_function("DT_INIT", init_func_);
2275 call_array("DT_INIT_ARRAY", init_array_, init_array_count_, false);
2276 }
2277
call_destructors()2278 void soinfo::call_destructors() {
2279 if (!constructors_called) {
2280 return;
2281 }
2282 TRACE("\"%s\": calling destructors", get_realpath());
2283
2284 // DT_FINI_ARRAY must be parsed in reverse order.
2285 call_array("DT_FINI_ARRAY", fini_array_, fini_array_count_, true);
2286
2287 // DT_FINI should be called after DT_FINI_ARRAY if both are present.
2288 call_function("DT_FINI", fini_func_);
2289
2290 // This is needed on second call to dlopen
2291 // after library has been unloaded with RTLD_NODELETE
2292 constructors_called = false;
2293 }
2294
add_child(soinfo * child)2295 void soinfo::add_child(soinfo* child) {
2296 if (has_min_version(0)) {
2297 child->parents_.push_back(this);
2298 this->children_.push_back(child);
2299 }
2300 }
2301
remove_all_links()2302 void soinfo::remove_all_links() {
2303 if (!has_min_version(0)) {
2304 return;
2305 }
2306
2307 // 1. Untie connected soinfos from 'this'.
2308 children_.for_each([&] (soinfo* child) {
2309 child->parents_.remove_if([&] (const soinfo* parent) {
2310 return parent == this;
2311 });
2312 });
2313
2314 parents_.for_each([&] (soinfo* parent) {
2315 parent->children_.remove_if([&] (const soinfo* child) {
2316 return child == this;
2317 });
2318 });
2319
2320 // 2. Once everything untied - clear local lists.
2321 parents_.clear();
2322 children_.clear();
2323 }
2324
get_st_dev() const2325 dev_t soinfo::get_st_dev() const {
2326 if (has_min_version(0)) {
2327 return st_dev_;
2328 }
2329
2330 return 0;
2331 };
2332
get_st_ino() const2333 ino_t soinfo::get_st_ino() const {
2334 if (has_min_version(0)) {
2335 return st_ino_;
2336 }
2337
2338 return 0;
2339 }
2340
get_file_offset() const2341 off64_t soinfo::get_file_offset() const {
2342 if (has_min_version(1)) {
2343 return file_offset_;
2344 }
2345
2346 return 0;
2347 }
2348
get_rtld_flags() const2349 uint32_t soinfo::get_rtld_flags() const {
2350 if (has_min_version(1)) {
2351 return rtld_flags_;
2352 }
2353
2354 return 0;
2355 }
2356
get_dt_flags_1() const2357 uint32_t soinfo::get_dt_flags_1() const {
2358 if (has_min_version(1)) {
2359 return dt_flags_1_;
2360 }
2361
2362 return 0;
2363 }
2364
set_dt_flags_1(uint32_t dt_flags_1)2365 void soinfo::set_dt_flags_1(uint32_t dt_flags_1) {
2366 if (has_min_version(1)) {
2367 if ((dt_flags_1 & DF_1_GLOBAL) != 0) {
2368 rtld_flags_ |= RTLD_GLOBAL;
2369 }
2370
2371 if ((dt_flags_1 & DF_1_NODELETE) != 0) {
2372 rtld_flags_ |= RTLD_NODELETE;
2373 }
2374
2375 dt_flags_1_ = dt_flags_1;
2376 }
2377 }
2378
get_realpath() const2379 const char* soinfo::get_realpath() const {
2380 #if defined(__work_around_b_19059885__)
2381 if (has_min_version(2)) {
2382 return realpath_.c_str();
2383 } else {
2384 return old_name_;
2385 }
2386 #else
2387 return realpath_.c_str();
2388 #endif
2389 }
2390
get_soname() const2391 const char* soinfo::get_soname() const {
2392 #if defined(__work_around_b_19059885__)
2393 if (has_min_version(2)) {
2394 return soname_;
2395 } else {
2396 return old_name_;
2397 }
2398 #else
2399 return soname_;
2400 #endif
2401 }
2402
2403 // This is a return on get_children()/get_parents() if
2404 // 'this->flags' does not have FLAG_NEW_SOINFO set.
2405 static soinfo::soinfo_list_t g_empty_list;
2406
get_children()2407 soinfo::soinfo_list_t& soinfo::get_children() {
2408 if (has_min_version(0)) {
2409 return children_;
2410 }
2411
2412 return g_empty_list;
2413 }
2414
get_children() const2415 const soinfo::soinfo_list_t& soinfo::get_children() const {
2416 if (has_min_version(0)) {
2417 return children_;
2418 }
2419
2420 return g_empty_list;
2421 }
2422
get_parents()2423 soinfo::soinfo_list_t& soinfo::get_parents() {
2424 if (has_min_version(0)) {
2425 return parents_;
2426 }
2427
2428 return g_empty_list;
2429 }
2430
ElfW(Addr)2431 ElfW(Addr) soinfo::resolve_symbol_address(const ElfW(Sym)* s) const {
2432 if (ELF_ST_TYPE(s->st_info) == STT_GNU_IFUNC) {
2433 return call_ifunc_resolver(s->st_value + load_bias);
2434 }
2435
2436 return static_cast<ElfW(Addr)>(s->st_value + load_bias);
2437 }
2438
get_string(ElfW (Word)index) const2439 const char* soinfo::get_string(ElfW(Word) index) const {
2440 if (has_min_version(1) && (index >= strtab_size_)) {
2441 __libc_fatal("%s: strtab out of bounds error; STRSZ=%zd, name=%d",
2442 get_realpath(), strtab_size_, index);
2443 }
2444
2445 return strtab_ + index;
2446 }
2447
is_gnu_hash() const2448 bool soinfo::is_gnu_hash() const {
2449 return (flags_ & FLAG_GNU_HASH) != 0;
2450 }
2451
can_unload() const2452 bool soinfo::can_unload() const {
2453 return (get_rtld_flags() & (RTLD_NODELETE | RTLD_GLOBAL)) == 0;
2454 }
2455
is_linked() const2456 bool soinfo::is_linked() const {
2457 return (flags_ & FLAG_LINKED) != 0;
2458 }
2459
is_main_executable() const2460 bool soinfo::is_main_executable() const {
2461 return (flags_ & FLAG_EXE) != 0;
2462 }
2463
set_linked()2464 void soinfo::set_linked() {
2465 flags_ |= FLAG_LINKED;
2466 }
2467
set_linker_flag()2468 void soinfo::set_linker_flag() {
2469 flags_ |= FLAG_LINKER;
2470 }
2471
set_main_executable()2472 void soinfo::set_main_executable() {
2473 flags_ |= FLAG_EXE;
2474 }
2475
increment_ref_count()2476 void soinfo::increment_ref_count() {
2477 local_group_root_->ref_count_++;
2478 }
2479
decrement_ref_count()2480 size_t soinfo::decrement_ref_count() {
2481 return --local_group_root_->ref_count_;
2482 }
2483
get_local_group_root() const2484 soinfo* soinfo::get_local_group_root() const {
2485 return local_group_root_;
2486 }
2487
2488 // This function returns api-level at the time of
2489 // dlopen/load. Note that libraries opened by system
2490 // will always have 'current' api level.
get_target_sdk_version() const2491 uint32_t soinfo::get_target_sdk_version() const {
2492 if (!has_min_version(2)) {
2493 return __ANDROID_API__;
2494 }
2495
2496 return local_group_root_->target_sdk_version_;
2497 }
2498
prelink_image()2499 bool soinfo::prelink_image() {
2500 /* Extract dynamic section */
2501 ElfW(Word) dynamic_flags = 0;
2502 phdr_table_get_dynamic_section(phdr, phnum, load_bias, &dynamic, &dynamic_flags);
2503
2504 /* We can't log anything until the linker is relocated */
2505 bool relocating_linker = (flags_ & FLAG_LINKER) != 0;
2506 if (!relocating_linker) {
2507 INFO("[ linking %s ]", get_realpath());
2508 DEBUG("si->base = %p si->flags = 0x%08x", reinterpret_cast<void*>(base), flags_);
2509 }
2510
2511 if (dynamic == nullptr) {
2512 if (!relocating_linker) {
2513 DL_ERR("missing PT_DYNAMIC in \"%s\"", get_realpath());
2514 }
2515 return false;
2516 } else {
2517 if (!relocating_linker) {
2518 DEBUG("dynamic = %p", dynamic);
2519 }
2520 }
2521
2522 #if defined(__arm__)
2523 (void) phdr_table_get_arm_exidx(phdr, phnum, load_bias,
2524 &ARM_exidx, &ARM_exidx_count);
2525 #endif
2526
2527 // Extract useful information from dynamic section.
2528 // Note that: "Except for the DT_NULL element at the end of the array,
2529 // and the relative order of DT_NEEDED elements, entries may appear in any order."
2530 //
2531 // source: http://www.sco.com/developers/gabi/1998-04-29/ch5.dynamic.html
2532 uint32_t needed_count = 0;
2533 for (ElfW(Dyn)* d = dynamic; d->d_tag != DT_NULL; ++d) {
2534 DEBUG("d = %p, d[0](tag) = %p d[1](val) = %p",
2535 d, reinterpret_cast<void*>(d->d_tag), reinterpret_cast<void*>(d->d_un.d_val));
2536 switch (d->d_tag) {
2537 case DT_SONAME:
2538 // this is parsed after we have strtab initialized (see below).
2539 break;
2540
2541 case DT_HASH:
2542 nbucket_ = reinterpret_cast<uint32_t*>(load_bias + d->d_un.d_ptr)[0];
2543 nchain_ = reinterpret_cast<uint32_t*>(load_bias + d->d_un.d_ptr)[1];
2544 bucket_ = reinterpret_cast<uint32_t*>(load_bias + d->d_un.d_ptr + 8);
2545 chain_ = reinterpret_cast<uint32_t*>(load_bias + d->d_un.d_ptr + 8 + nbucket_ * 4);
2546 break;
2547
2548 case DT_GNU_HASH:
2549 gnu_nbucket_ = reinterpret_cast<uint32_t*>(load_bias + d->d_un.d_ptr)[0];
2550 // skip symndx
2551 gnu_maskwords_ = reinterpret_cast<uint32_t*>(load_bias + d->d_un.d_ptr)[2];
2552 gnu_shift2_ = reinterpret_cast<uint32_t*>(load_bias + d->d_un.d_ptr)[3];
2553
2554 gnu_bloom_filter_ = reinterpret_cast<ElfW(Addr)*>(load_bias + d->d_un.d_ptr + 16);
2555 gnu_bucket_ = reinterpret_cast<uint32_t*>(gnu_bloom_filter_ + gnu_maskwords_);
2556 // amend chain for symndx = header[1]
2557 gnu_chain_ = gnu_bucket_ + gnu_nbucket_ -
2558 reinterpret_cast<uint32_t*>(load_bias + d->d_un.d_ptr)[1];
2559
2560 if (!powerof2(gnu_maskwords_)) {
2561 DL_ERR("invalid maskwords for gnu_hash = 0x%x, in \"%s\" expecting power to two",
2562 gnu_maskwords_, get_realpath());
2563 return false;
2564 }
2565 --gnu_maskwords_;
2566
2567 flags_ |= FLAG_GNU_HASH;
2568 break;
2569
2570 case DT_STRTAB:
2571 strtab_ = reinterpret_cast<const char*>(load_bias + d->d_un.d_ptr);
2572 break;
2573
2574 case DT_STRSZ:
2575 strtab_size_ = d->d_un.d_val;
2576 break;
2577
2578 case DT_SYMTAB:
2579 symtab_ = reinterpret_cast<ElfW(Sym)*>(load_bias + d->d_un.d_ptr);
2580 break;
2581
2582 case DT_SYMENT:
2583 if (d->d_un.d_val != sizeof(ElfW(Sym))) {
2584 DL_ERR("invalid DT_SYMENT: %zd in \"%s\"",
2585 static_cast<size_t>(d->d_un.d_val), get_realpath());
2586 return false;
2587 }
2588 break;
2589
2590 case DT_PLTREL:
2591 #if defined(USE_RELA)
2592 if (d->d_un.d_val != DT_RELA) {
2593 DL_ERR("unsupported DT_PLTREL in \"%s\"; expected DT_RELA", get_realpath());
2594 return false;
2595 }
2596 #else
2597 if (d->d_un.d_val != DT_REL) {
2598 DL_ERR("unsupported DT_PLTREL in \"%s\"; expected DT_REL", get_realpath());
2599 return false;
2600 }
2601 #endif
2602 break;
2603
2604 case DT_JMPREL:
2605 #if defined(USE_RELA)
2606 plt_rela_ = reinterpret_cast<ElfW(Rela)*>(load_bias + d->d_un.d_ptr);
2607 #else
2608 plt_rel_ = reinterpret_cast<ElfW(Rel)*>(load_bias + d->d_un.d_ptr);
2609 #endif
2610 break;
2611
2612 case DT_PLTRELSZ:
2613 #if defined(USE_RELA)
2614 plt_rela_count_ = d->d_un.d_val / sizeof(ElfW(Rela));
2615 #else
2616 plt_rel_count_ = d->d_un.d_val / sizeof(ElfW(Rel));
2617 #endif
2618 break;
2619
2620 case DT_PLTGOT:
2621 #if defined(__mips__)
2622 // Used by mips and mips64.
2623 plt_got_ = reinterpret_cast<ElfW(Addr)**>(load_bias + d->d_un.d_ptr);
2624 #endif
2625 // Ignore for other platforms... (because RTLD_LAZY is not supported)
2626 break;
2627
2628 case DT_DEBUG:
2629 // Set the DT_DEBUG entry to the address of _r_debug for GDB
2630 // if the dynamic table is writable
2631 // FIXME: not working currently for N64
2632 // The flags for the LOAD and DYNAMIC program headers do not agree.
2633 // The LOAD section containing the dynamic table has been mapped as
2634 // read-only, but the DYNAMIC header claims it is writable.
2635 #if !(defined(__mips__) && defined(__LP64__))
2636 if ((dynamic_flags & PF_W) != 0) {
2637 d->d_un.d_val = reinterpret_cast<uintptr_t>(&_r_debug);
2638 }
2639 #endif
2640 break;
2641 #if defined(USE_RELA)
2642 case DT_RELA:
2643 rela_ = reinterpret_cast<ElfW(Rela)*>(load_bias + d->d_un.d_ptr);
2644 break;
2645
2646 case DT_RELASZ:
2647 rela_count_ = d->d_un.d_val / sizeof(ElfW(Rela));
2648 break;
2649
2650 case DT_ANDROID_RELA:
2651 android_relocs_ = reinterpret_cast<uint8_t*>(load_bias + d->d_un.d_ptr);
2652 break;
2653
2654 case DT_ANDROID_RELASZ:
2655 android_relocs_size_ = d->d_un.d_val;
2656 break;
2657
2658 case DT_ANDROID_REL:
2659 DL_ERR("unsupported DT_ANDROID_REL in \"%s\"", get_realpath());
2660 return false;
2661
2662 case DT_ANDROID_RELSZ:
2663 DL_ERR("unsupported DT_ANDROID_RELSZ in \"%s\"", get_realpath());
2664 return false;
2665
2666 case DT_RELAENT:
2667 if (d->d_un.d_val != sizeof(ElfW(Rela))) {
2668 DL_ERR("invalid DT_RELAENT: %zd", static_cast<size_t>(d->d_un.d_val));
2669 return false;
2670 }
2671 break;
2672
2673 // ignored (see DT_RELCOUNT comments for details)
2674 case DT_RELACOUNT:
2675 break;
2676
2677 case DT_REL:
2678 DL_ERR("unsupported DT_REL in \"%s\"", get_realpath());
2679 return false;
2680
2681 case DT_RELSZ:
2682 DL_ERR("unsupported DT_RELSZ in \"%s\"", get_realpath());
2683 return false;
2684
2685 #else
2686 case DT_REL:
2687 rel_ = reinterpret_cast<ElfW(Rel)*>(load_bias + d->d_un.d_ptr);
2688 break;
2689
2690 case DT_RELSZ:
2691 rel_count_ = d->d_un.d_val / sizeof(ElfW(Rel));
2692 break;
2693
2694 case DT_RELENT:
2695 if (d->d_un.d_val != sizeof(ElfW(Rel))) {
2696 DL_ERR("invalid DT_RELENT: %zd", static_cast<size_t>(d->d_un.d_val));
2697 return false;
2698 }
2699 break;
2700
2701 case DT_ANDROID_REL:
2702 android_relocs_ = reinterpret_cast<uint8_t*>(load_bias + d->d_un.d_ptr);
2703 break;
2704
2705 case DT_ANDROID_RELSZ:
2706 android_relocs_size_ = d->d_un.d_val;
2707 break;
2708
2709 case DT_ANDROID_RELA:
2710 DL_ERR("unsupported DT_ANDROID_RELA in \"%s\"", get_realpath());
2711 return false;
2712
2713 case DT_ANDROID_RELASZ:
2714 DL_ERR("unsupported DT_ANDROID_RELASZ in \"%s\"", get_realpath());
2715 return false;
2716
2717 // "Indicates that all RELATIVE relocations have been concatenated together,
2718 // and specifies the RELATIVE relocation count."
2719 //
2720 // TODO: Spec also mentions that this can be used to optimize relocation process;
2721 // Not currently used by bionic linker - ignored.
2722 case DT_RELCOUNT:
2723 break;
2724
2725 case DT_RELA:
2726 DL_ERR("unsupported DT_RELA in \"%s\"", get_realpath());
2727 return false;
2728
2729 case DT_RELASZ:
2730 DL_ERR("unsupported DT_RELASZ in \"%s\"", get_realpath());
2731 return false;
2732
2733 #endif
2734 case DT_INIT:
2735 init_func_ = reinterpret_cast<linker_function_t>(load_bias + d->d_un.d_ptr);
2736 DEBUG("%s constructors (DT_INIT) found at %p", get_realpath(), init_func_);
2737 break;
2738
2739 case DT_FINI:
2740 fini_func_ = reinterpret_cast<linker_function_t>(load_bias + d->d_un.d_ptr);
2741 DEBUG("%s destructors (DT_FINI) found at %p", get_realpath(), fini_func_);
2742 break;
2743
2744 case DT_INIT_ARRAY:
2745 init_array_ = reinterpret_cast<linker_function_t*>(load_bias + d->d_un.d_ptr);
2746 DEBUG("%s constructors (DT_INIT_ARRAY) found at %p", get_realpath(), init_array_);
2747 break;
2748
2749 case DT_INIT_ARRAYSZ:
2750 init_array_count_ = static_cast<uint32_t>(d->d_un.d_val) / sizeof(ElfW(Addr));
2751 break;
2752
2753 case DT_FINI_ARRAY:
2754 fini_array_ = reinterpret_cast<linker_function_t*>(load_bias + d->d_un.d_ptr);
2755 DEBUG("%s destructors (DT_FINI_ARRAY) found at %p", get_realpath(), fini_array_);
2756 break;
2757
2758 case DT_FINI_ARRAYSZ:
2759 fini_array_count_ = static_cast<uint32_t>(d->d_un.d_val) / sizeof(ElfW(Addr));
2760 break;
2761
2762 case DT_PREINIT_ARRAY:
2763 preinit_array_ = reinterpret_cast<linker_function_t*>(load_bias + d->d_un.d_ptr);
2764 DEBUG("%s constructors (DT_PREINIT_ARRAY) found at %p", get_realpath(), preinit_array_);
2765 break;
2766
2767 case DT_PREINIT_ARRAYSZ:
2768 preinit_array_count_ = static_cast<uint32_t>(d->d_un.d_val) / sizeof(ElfW(Addr));
2769 break;
2770
2771 case DT_TEXTREL:
2772 #if defined(__LP64__)
2773 DL_ERR("text relocations (DT_TEXTREL) found in 64-bit ELF file \"%s\"", get_realpath());
2774 return false;
2775 #else
2776 has_text_relocations = true;
2777 break;
2778 #endif
2779
2780 case DT_SYMBOLIC:
2781 has_DT_SYMBOLIC = true;
2782 break;
2783
2784 case DT_NEEDED:
2785 ++needed_count;
2786 break;
2787
2788 case DT_FLAGS:
2789 if (d->d_un.d_val & DF_TEXTREL) {
2790 #if defined(__LP64__)
2791 DL_ERR("text relocations (DF_TEXTREL) found in 64-bit ELF file \"%s\"", get_realpath());
2792 return false;
2793 #else
2794 has_text_relocations = true;
2795 #endif
2796 }
2797 if (d->d_un.d_val & DF_SYMBOLIC) {
2798 has_DT_SYMBOLIC = true;
2799 }
2800 break;
2801
2802 case DT_FLAGS_1:
2803 set_dt_flags_1(d->d_un.d_val);
2804
2805 if ((d->d_un.d_val & ~SUPPORTED_DT_FLAGS_1) != 0) {
2806 DL_WARN("%s: unsupported flags DT_FLAGS_1=%p", get_realpath(), reinterpret_cast<void*>(d->d_un.d_val));
2807 }
2808 break;
2809 #if defined(__mips__)
2810 case DT_MIPS_RLD_MAP:
2811 // Set the DT_MIPS_RLD_MAP entry to the address of _r_debug for GDB.
2812 {
2813 r_debug** dp = reinterpret_cast<r_debug**>(load_bias + d->d_un.d_ptr);
2814 *dp = &_r_debug;
2815 }
2816 break;
2817 case DT_MIPS_RLD_MAP2:
2818 // Set the DT_MIPS_RLD_MAP2 entry to the address of _r_debug for GDB.
2819 {
2820 r_debug** dp = reinterpret_cast<r_debug**>(
2821 reinterpret_cast<ElfW(Addr)>(d) + d->d_un.d_val);
2822 *dp = &_r_debug;
2823 }
2824 break;
2825
2826 case DT_MIPS_RLD_VERSION:
2827 case DT_MIPS_FLAGS:
2828 case DT_MIPS_BASE_ADDRESS:
2829 case DT_MIPS_UNREFEXTNO:
2830 break;
2831
2832 case DT_MIPS_SYMTABNO:
2833 mips_symtabno_ = d->d_un.d_val;
2834 break;
2835
2836 case DT_MIPS_LOCAL_GOTNO:
2837 mips_local_gotno_ = d->d_un.d_val;
2838 break;
2839
2840 case DT_MIPS_GOTSYM:
2841 mips_gotsym_ = d->d_un.d_val;
2842 break;
2843 #endif
2844 // Ignored: "Its use has been superseded by the DF_BIND_NOW flag"
2845 case DT_BIND_NOW:
2846 break;
2847
2848 case DT_VERSYM:
2849 versym_ = reinterpret_cast<ElfW(Versym)*>(load_bias + d->d_un.d_ptr);
2850 break;
2851
2852 case DT_VERDEF:
2853 verdef_ptr_ = load_bias + d->d_un.d_ptr;
2854 break;
2855 case DT_VERDEFNUM:
2856 verdef_cnt_ = d->d_un.d_val;
2857 break;
2858
2859 case DT_VERNEED:
2860 verneed_ptr_ = load_bias + d->d_un.d_ptr;
2861 break;
2862
2863 case DT_VERNEEDNUM:
2864 verneed_cnt_ = d->d_un.d_val;
2865 break;
2866
2867 default:
2868 if (!relocating_linker) {
2869 DL_WARN("%s: unused DT entry: type %p arg %p", get_realpath(),
2870 reinterpret_cast<void*>(d->d_tag), reinterpret_cast<void*>(d->d_un.d_val));
2871 }
2872 break;
2873 }
2874 }
2875
2876 DEBUG("si->base = %p, si->strtab = %p, si->symtab = %p",
2877 reinterpret_cast<void*>(base), strtab_, symtab_);
2878
2879 // Sanity checks.
2880 if (relocating_linker && needed_count != 0) {
2881 DL_ERR("linker cannot have DT_NEEDED dependencies on other libraries");
2882 return false;
2883 }
2884 if (nbucket_ == 0 && gnu_nbucket_ == 0) {
2885 DL_ERR("empty/missing DT_HASH/DT_GNU_HASH in \"%s\" "
2886 "(new hash type from the future?)", get_realpath());
2887 return false;
2888 }
2889 if (strtab_ == 0) {
2890 DL_ERR("empty/missing DT_STRTAB in \"%s\"", get_realpath());
2891 return false;
2892 }
2893 if (symtab_ == 0) {
2894 DL_ERR("empty/missing DT_SYMTAB in \"%s\"", get_realpath());
2895 return false;
2896 }
2897
2898 // second pass - parse entries relying on strtab
2899 for (ElfW(Dyn)* d = dynamic; d->d_tag != DT_NULL; ++d) {
2900 if (d->d_tag == DT_SONAME) {
2901 soname_ = get_string(d->d_un.d_val);
2902 #if defined(__work_around_b_19059885__)
2903 strlcpy(old_name_, soname_, sizeof(old_name_));
2904 #endif
2905 break;
2906 }
2907 }
2908
2909 // Before M release linker was using basename in place of soname.
2910 // In the case when dt_soname is absent some apps stop working
2911 // because they can't find dt_needed library by soname.
2912 // This workaround should keep them working. (applies only
2913 // for apps targeting sdk version <=22). Make an exception for
2914 // the main executable and linker; they do not need to have dt_soname
2915 if (soname_ == nullptr && this != somain && (flags_ & FLAG_LINKER) == 0 &&
2916 get_application_target_sdk_version() <= 22) {
2917 soname_ = basename(realpath_.c_str());
2918 DL_WARN("%s: is missing DT_SONAME will use basename as a replacement: \"%s\"",
2919 get_realpath(), soname_);
2920 }
2921 return true;
2922 }
2923
link_image(const soinfo_list_t & global_group,const soinfo_list_t & local_group,const android_dlextinfo * extinfo)2924 bool soinfo::link_image(const soinfo_list_t& global_group, const soinfo_list_t& local_group,
2925 const android_dlextinfo* extinfo) {
2926
2927 local_group_root_ = local_group.front();
2928 if (local_group_root_ == nullptr) {
2929 local_group_root_ = this;
2930 }
2931
2932 if ((flags_ & FLAG_LINKER) == 0 && local_group_root_ == this) {
2933 target_sdk_version_ = get_application_target_sdk_version();
2934 }
2935
2936 VersionTracker version_tracker;
2937
2938 if (!version_tracker.init(this)) {
2939 return false;
2940 }
2941
2942 #if !defined(__LP64__)
2943 if (has_text_relocations) {
2944 // Fail if app is targeting sdk version > 22
2945 // TODO (dimitry): remove != __ANDROID_API__ check once http://b/20020312 is fixed
2946 if (get_application_target_sdk_version() != __ANDROID_API__
2947 && get_application_target_sdk_version() > 22) {
2948 PRINT("%s: has text relocations", get_realpath());
2949 DL_ERR("%s: has text relocations", get_realpath());
2950 return false;
2951 }
2952 // Make segments writable to allow text relocations to work properly. We will later call
2953 // phdr_table_protect_segments() after all of them are applied and all constructors are run.
2954 DL_WARN("%s has text relocations. This is wasting memory and prevents "
2955 "security hardening. Please fix.", get_realpath());
2956 if (phdr_table_unprotect_segments(phdr, phnum, load_bias) < 0) {
2957 DL_ERR("can't unprotect loadable segments for \"%s\": %s",
2958 get_realpath(), strerror(errno));
2959 return false;
2960 }
2961 }
2962 #endif
2963
2964 if (android_relocs_ != nullptr) {
2965 // check signature
2966 if (android_relocs_size_ > 3 &&
2967 android_relocs_[0] == 'A' &&
2968 android_relocs_[1] == 'P' &&
2969 android_relocs_[2] == 'S' &&
2970 android_relocs_[3] == '2') {
2971 DEBUG("[ android relocating %s ]", get_realpath());
2972
2973 bool relocated = false;
2974 const uint8_t* packed_relocs = android_relocs_ + 4;
2975 const size_t packed_relocs_size = android_relocs_size_ - 4;
2976
2977 relocated = relocate(
2978 version_tracker,
2979 packed_reloc_iterator<sleb128_decoder>(
2980 sleb128_decoder(packed_relocs, packed_relocs_size)),
2981 global_group, local_group);
2982
2983 if (!relocated) {
2984 return false;
2985 }
2986 } else {
2987 DL_ERR("bad android relocation header.");
2988 return false;
2989 }
2990 }
2991
2992 #if defined(USE_RELA)
2993 if (rela_ != nullptr) {
2994 DEBUG("[ relocating %s ]", get_realpath());
2995 if (!relocate(version_tracker,
2996 plain_reloc_iterator(rela_, rela_count_), global_group, local_group)) {
2997 return false;
2998 }
2999 }
3000 if (plt_rela_ != nullptr) {
3001 DEBUG("[ relocating %s plt ]", get_realpath());
3002 if (!relocate(version_tracker,
3003 plain_reloc_iterator(plt_rela_, plt_rela_count_), global_group, local_group)) {
3004 return false;
3005 }
3006 }
3007 #else
3008 if (rel_ != nullptr) {
3009 DEBUG("[ relocating %s ]", get_realpath());
3010 if (!relocate(version_tracker,
3011 plain_reloc_iterator(rel_, rel_count_), global_group, local_group)) {
3012 return false;
3013 }
3014 }
3015 if (plt_rel_ != nullptr) {
3016 DEBUG("[ relocating %s plt ]", get_realpath());
3017 if (!relocate(version_tracker,
3018 plain_reloc_iterator(plt_rel_, plt_rel_count_), global_group, local_group)) {
3019 return false;
3020 }
3021 }
3022 #endif
3023
3024 #if defined(__mips__)
3025 if (!mips_relocate_got(version_tracker, global_group, local_group)) {
3026 return false;
3027 }
3028 #endif
3029
3030 DEBUG("[ finished linking %s ]", get_realpath());
3031
3032 #if !defined(__LP64__)
3033 if (has_text_relocations) {
3034 // All relocations are done, we can protect our segments back to read-only.
3035 if (phdr_table_protect_segments(phdr, phnum, load_bias) < 0) {
3036 DL_ERR("can't protect segments for \"%s\": %s",
3037 get_realpath(), strerror(errno));
3038 return false;
3039 }
3040 }
3041 #endif
3042
3043 /* We can also turn on GNU RELRO protection */
3044 if (phdr_table_protect_gnu_relro(phdr, phnum, load_bias) < 0) {
3045 DL_ERR("can't enable GNU RELRO protection for \"%s\": %s",
3046 get_realpath(), strerror(errno));
3047 return false;
3048 }
3049
3050 /* Handle serializing/sharing the RELRO segment */
3051 if (extinfo && (extinfo->flags & ANDROID_DLEXT_WRITE_RELRO)) {
3052 if (phdr_table_serialize_gnu_relro(phdr, phnum, load_bias,
3053 extinfo->relro_fd) < 0) {
3054 DL_ERR("failed serializing GNU RELRO section for \"%s\": %s",
3055 get_realpath(), strerror(errno));
3056 return false;
3057 }
3058 } else if (extinfo && (extinfo->flags & ANDROID_DLEXT_USE_RELRO)) {
3059 if (phdr_table_map_gnu_relro(phdr, phnum, load_bias,
3060 extinfo->relro_fd) < 0) {
3061 DL_ERR("failed mapping GNU RELRO section for \"%s\": %s",
3062 get_realpath(), strerror(errno));
3063 return false;
3064 }
3065 }
3066
3067 notify_gdb_of_load(this);
3068 return true;
3069 }
3070
3071 /*
3072 * This function add vdso to internal dso list.
3073 * It helps to stack unwinding through signal handlers.
3074 * Also, it makes bionic more like glibc.
3075 */
add_vdso(KernelArgumentBlock & args __unused)3076 static void add_vdso(KernelArgumentBlock& args __unused) {
3077 #if defined(AT_SYSINFO_EHDR)
3078 ElfW(Ehdr)* ehdr_vdso = reinterpret_cast<ElfW(Ehdr)*>(args.getauxval(AT_SYSINFO_EHDR));
3079 if (ehdr_vdso == nullptr) {
3080 return;
3081 }
3082
3083 soinfo* si = soinfo_alloc("[vdso]", nullptr, 0, 0);
3084
3085 si->phdr = reinterpret_cast<ElfW(Phdr)*>(reinterpret_cast<char*>(ehdr_vdso) + ehdr_vdso->e_phoff);
3086 si->phnum = ehdr_vdso->e_phnum;
3087 si->base = reinterpret_cast<ElfW(Addr)>(ehdr_vdso);
3088 si->size = phdr_table_get_load_size(si->phdr, si->phnum);
3089 si->load_bias = get_elf_exec_load_bias(ehdr_vdso);
3090
3091 si->prelink_image();
3092 si->link_image(g_empty_list, soinfo::soinfo_list_t::make_list(si), nullptr);
3093 #endif
3094 }
3095
3096 /*
3097 * This is linker soinfo for GDB. See details below.
3098 */
3099 #if defined(__LP64__)
3100 #define LINKER_PATH "/system/bin/linker64"
3101 #else
3102 #define LINKER_PATH "/system/bin/linker"
3103 #endif
3104
3105 // This is done to avoid calling c-tor prematurely
3106 // because soinfo c-tor needs memory allocator
3107 // which might be initialized after global variables.
3108 static uint8_t linker_soinfo_for_gdb_buf[sizeof(soinfo)] __attribute__((aligned(8)));
3109 static soinfo* linker_soinfo_for_gdb = nullptr;
3110
3111 /* gdb expects the linker to be in the debug shared object list.
3112 * Without this, gdb has trouble locating the linker's ".text"
3113 * and ".plt" sections. Gdb could also potentially use this to
3114 * relocate the offset of our exported 'rtld_db_dlactivity' symbol.
3115 * Don't use soinfo_alloc(), because the linker shouldn't
3116 * be on the soinfo list.
3117 */
init_linker_info_for_gdb(ElfW (Addr)linker_base)3118 static void init_linker_info_for_gdb(ElfW(Addr) linker_base) {
3119 linker_soinfo_for_gdb = new (linker_soinfo_for_gdb_buf) soinfo(LINKER_PATH, nullptr, 0, 0);
3120
3121 linker_soinfo_for_gdb->load_bias = linker_base;
3122
3123 /*
3124 * Set the dynamic field in the link map otherwise gdb will complain with
3125 * the following:
3126 * warning: .dynamic section for "/system/bin/linker" is not at the
3127 * expected address (wrong library or version mismatch?)
3128 */
3129 ElfW(Ehdr)* elf_hdr = reinterpret_cast<ElfW(Ehdr)*>(linker_base);
3130 ElfW(Phdr)* phdr = reinterpret_cast<ElfW(Phdr)*>(linker_base + elf_hdr->e_phoff);
3131 phdr_table_get_dynamic_section(phdr, elf_hdr->e_phnum, linker_base,
3132 &linker_soinfo_for_gdb->dynamic, nullptr);
3133 insert_soinfo_into_debug_map(linker_soinfo_for_gdb);
3134 }
3135
3136 extern "C" int __system_properties_init(void);
3137
3138 /*
3139 * This code is called after the linker has linked itself and
3140 * fixed it's own GOT. It is safe to make references to externs
3141 * and other non-local data at this point.
3142 */
__linker_init_post_relocation(KernelArgumentBlock & args,ElfW (Addr)linker_base)3143 static ElfW(Addr) __linker_init_post_relocation(KernelArgumentBlock& args, ElfW(Addr) linker_base) {
3144 #if TIMING
3145 struct timeval t0, t1;
3146 gettimeofday(&t0, 0);
3147 #endif
3148
3149 // Sanitize the environment.
3150 __libc_init_AT_SECURE(args);
3151
3152 // Initialize system properties
3153 __system_properties_init(); // may use 'environ'
3154
3155 debuggerd_init();
3156
3157 // Get a few environment variables.
3158 const char* LD_DEBUG = getenv("LD_DEBUG");
3159 if (LD_DEBUG != nullptr) {
3160 g_ld_debug_verbosity = atoi(LD_DEBUG);
3161 }
3162
3163 // These should have been sanitized by __libc_init_AT_SECURE, but the test
3164 // doesn't cost us anything.
3165 const char* ldpath_env = nullptr;
3166 const char* ldpreload_env = nullptr;
3167 if (!getauxval(AT_SECURE)) {
3168 ldpath_env = getenv("LD_LIBRARY_PATH");
3169 ldpreload_env = getenv("LD_PRELOAD");
3170 }
3171
3172 INFO("[ android linker & debugger ]");
3173
3174 soinfo* si = soinfo_alloc(args.argv[0], nullptr, 0, RTLD_GLOBAL);
3175 if (si == nullptr) {
3176 exit(EXIT_FAILURE);
3177 }
3178
3179 /* bootstrap the link map, the main exe always needs to be first */
3180 si->set_main_executable();
3181 link_map* map = &(si->link_map_head);
3182
3183 map->l_addr = 0;
3184 map->l_name = args.argv[0];
3185 map->l_prev = nullptr;
3186 map->l_next = nullptr;
3187
3188 _r_debug.r_map = map;
3189 r_debug_tail = map;
3190
3191 init_linker_info_for_gdb(linker_base);
3192
3193 // Extract information passed from the kernel.
3194 si->phdr = reinterpret_cast<ElfW(Phdr)*>(args.getauxval(AT_PHDR));
3195 si->phnum = args.getauxval(AT_PHNUM);
3196 si->entry = args.getauxval(AT_ENTRY);
3197
3198 /* Compute the value of si->base. We can't rely on the fact that
3199 * the first entry is the PHDR because this will not be true
3200 * for certain executables (e.g. some in the NDK unit test suite)
3201 */
3202 si->base = 0;
3203 si->size = phdr_table_get_load_size(si->phdr, si->phnum);
3204 si->load_bias = 0;
3205 for (size_t i = 0; i < si->phnum; ++i) {
3206 if (si->phdr[i].p_type == PT_PHDR) {
3207 si->load_bias = reinterpret_cast<ElfW(Addr)>(si->phdr) - si->phdr[i].p_vaddr;
3208 si->base = reinterpret_cast<ElfW(Addr)>(si->phdr) - si->phdr[i].p_offset;
3209 break;
3210 }
3211 }
3212 si->dynamic = nullptr;
3213
3214 ElfW(Ehdr)* elf_hdr = reinterpret_cast<ElfW(Ehdr)*>(si->base);
3215 if (elf_hdr->e_type != ET_DYN) {
3216 __libc_format_fd(2, "error: only position independent executables (PIE) are supported.\n");
3217 exit(EXIT_FAILURE);
3218 }
3219
3220 // Use LD_LIBRARY_PATH and LD_PRELOAD (but only if we aren't setuid/setgid).
3221 parse_LD_LIBRARY_PATH(ldpath_env);
3222 parse_LD_PRELOAD(ldpreload_env);
3223
3224 somain = si;
3225
3226 if (!si->prelink_image()) {
3227 __libc_format_fd(2, "CANNOT LINK EXECUTABLE: %s\n", linker_get_error_buffer());
3228 exit(EXIT_FAILURE);
3229 }
3230
3231 // add somain to global group
3232 si->set_dt_flags_1(si->get_dt_flags_1() | DF_1_GLOBAL);
3233
3234 // Load ld_preloads and dependencies.
3235 StringLinkedList needed_library_name_list;
3236 size_t needed_libraries_count = 0;
3237 size_t ld_preloads_count = 0;
3238
3239 for (const auto& ld_preload_name : g_ld_preload_names) {
3240 needed_library_name_list.push_back(ld_preload_name.c_str());
3241 ++needed_libraries_count;
3242 ++ld_preloads_count;
3243 }
3244
3245 for_each_dt_needed(si, [&](const char* name) {
3246 needed_library_name_list.push_back(name);
3247 ++needed_libraries_count;
3248 });
3249
3250 const char* needed_library_names[needed_libraries_count];
3251
3252 memset(needed_library_names, 0, sizeof(needed_library_names));
3253 needed_library_name_list.copy_to_array(needed_library_names, needed_libraries_count);
3254
3255 if (needed_libraries_count > 0 &&
3256 !find_libraries(si, needed_library_names, needed_libraries_count, nullptr,
3257 &g_ld_preloads, ld_preloads_count, RTLD_GLOBAL, nullptr)) {
3258 __libc_format_fd(2, "CANNOT LINK EXECUTABLE: %s\n", linker_get_error_buffer());
3259 exit(EXIT_FAILURE);
3260 } else if (needed_libraries_count == 0) {
3261 if (!si->link_image(g_empty_list, soinfo::soinfo_list_t::make_list(si), nullptr)) {
3262 __libc_format_fd(2, "CANNOT LINK EXECUTABLE: %s\n", linker_get_error_buffer());
3263 exit(EXIT_FAILURE);
3264 }
3265 si->increment_ref_count();
3266 }
3267
3268 add_vdso(args);
3269
3270 {
3271 ProtectedDataGuard guard;
3272
3273 si->call_pre_init_constructors();
3274
3275 /* After the prelink_image, the si->load_bias is initialized.
3276 * For so lib, the map->l_addr will be updated in notify_gdb_of_load.
3277 * We need to update this value for so exe here. So Unwind_Backtrace
3278 * for some arch like x86 could work correctly within so exe.
3279 */
3280 map->l_addr = si->load_bias;
3281 si->call_constructors();
3282 }
3283
3284 #if TIMING
3285 gettimeofday(&t1, nullptr);
3286 PRINT("LINKER TIME: %s: %d microseconds", args.argv[0], (int) (
3287 (((long long)t1.tv_sec * 1000000LL) + (long long)t1.tv_usec) -
3288 (((long long)t0.tv_sec * 1000000LL) + (long long)t0.tv_usec)));
3289 #endif
3290 #if STATS
3291 PRINT("RELO STATS: %s: %d abs, %d rel, %d copy, %d symbol", args.argv[0],
3292 linker_stats.count[kRelocAbsolute],
3293 linker_stats.count[kRelocRelative],
3294 linker_stats.count[kRelocCopy],
3295 linker_stats.count[kRelocSymbol]);
3296 #endif
3297 #if COUNT_PAGES
3298 {
3299 unsigned n;
3300 unsigned i;
3301 unsigned count = 0;
3302 for (n = 0; n < 4096; n++) {
3303 if (bitmask[n]) {
3304 unsigned x = bitmask[n];
3305 #if defined(__LP64__)
3306 for (i = 0; i < 32; i++) {
3307 #else
3308 for (i = 0; i < 8; i++) {
3309 #endif
3310 if (x & 1) {
3311 count++;
3312 }
3313 x >>= 1;
3314 }
3315 }
3316 }
3317 PRINT("PAGES MODIFIED: %s: %d (%dKB)", args.argv[0], count, count * 4);
3318 }
3319 #endif
3320
3321 #if TIMING || STATS || COUNT_PAGES
3322 fflush(stdout);
3323 #endif
3324
3325 TRACE("[ Ready to execute '%s' @ %p ]", si->get_realpath(), reinterpret_cast<void*>(si->entry));
3326 return si->entry;
3327 }
3328
3329 /* Compute the load-bias of an existing executable. This shall only
3330 * be used to compute the load bias of an executable or shared library
3331 * that was loaded by the kernel itself.
3332 *
3333 * Input:
3334 * elf -> address of ELF header, assumed to be at the start of the file.
3335 * Return:
3336 * load bias, i.e. add the value of any p_vaddr in the file to get
3337 * the corresponding address in memory.
3338 */
3339 static ElfW(Addr) get_elf_exec_load_bias(const ElfW(Ehdr)* elf) {
3340 ElfW(Addr) offset = elf->e_phoff;
3341 const ElfW(Phdr)* phdr_table =
3342 reinterpret_cast<const ElfW(Phdr)*>(reinterpret_cast<uintptr_t>(elf) + offset);
3343 const ElfW(Phdr)* phdr_end = phdr_table + elf->e_phnum;
3344
3345 for (const ElfW(Phdr)* phdr = phdr_table; phdr < phdr_end; phdr++) {
3346 if (phdr->p_type == PT_LOAD) {
3347 return reinterpret_cast<ElfW(Addr)>(elf) + phdr->p_offset - phdr->p_vaddr;
3348 }
3349 }
3350 return 0;
3351 }
3352
3353 extern "C" void _start();
3354
3355 /*
3356 * This is the entry point for the linker, called from begin.S. This
3357 * method is responsible for fixing the linker's own relocations, and
3358 * then calling __linker_init_post_relocation().
3359 *
3360 * Because this method is called before the linker has fixed it's own
3361 * relocations, any attempt to reference an extern variable, extern
3362 * function, or other GOT reference will generate a segfault.
3363 */
3364 extern "C" ElfW(Addr) __linker_init(void* raw_args) {
3365 KernelArgumentBlock args(raw_args);
3366
3367 ElfW(Addr) linker_addr = args.getauxval(AT_BASE);
3368 ElfW(Addr) entry_point = args.getauxval(AT_ENTRY);
3369 ElfW(Ehdr)* elf_hdr = reinterpret_cast<ElfW(Ehdr)*>(linker_addr);
3370 ElfW(Phdr)* phdr = reinterpret_cast<ElfW(Phdr)*>(linker_addr + elf_hdr->e_phoff);
3371
3372 soinfo linker_so(nullptr, nullptr, 0, 0);
3373
3374 // If the linker is not acting as PT_INTERP entry_point is equal to
3375 // _start. Which means that the linker is running as an executable and
3376 // already linked by PT_INTERP.
3377 //
3378 // This happens when user tries to run 'adb shell /system/bin/linker'
3379 // see also https://code.google.com/p/android/issues/detail?id=63174
3380 if (reinterpret_cast<ElfW(Addr)>(&_start) == entry_point) {
3381 __libc_fatal("This is %s, the helper program for shared library executables.\n", args.argv[0]);
3382 }
3383
3384 linker_so.base = linker_addr;
3385 linker_so.size = phdr_table_get_load_size(phdr, elf_hdr->e_phnum);
3386 linker_so.load_bias = get_elf_exec_load_bias(elf_hdr);
3387 linker_so.dynamic = nullptr;
3388 linker_so.phdr = phdr;
3389 linker_so.phnum = elf_hdr->e_phnum;
3390 linker_so.set_linker_flag();
3391
3392 // This might not be obvious... The reasons why we pass g_empty_list
3393 // in place of local_group here are (1) we do not really need it, because
3394 // linker is built with DT_SYMBOLIC and therefore relocates its symbols against
3395 // itself without having to look into local_group and (2) allocators
3396 // are not yet initialized, and therefore we cannot use linked_list.push_*
3397 // functions at this point.
3398 if (!(linker_so.prelink_image() && linker_so.link_image(g_empty_list, g_empty_list, nullptr))) {
3399 // It would be nice to print an error message, but if the linker
3400 // can't link itself, there's no guarantee that we'll be able to
3401 // call write() (because it involves a GOT reference). We may as
3402 // well try though...
3403 const char* msg = "CANNOT LINK EXECUTABLE: ";
3404 write(2, msg, strlen(msg));
3405 write(2, __linker_dl_err_buf, strlen(__linker_dl_err_buf));
3406 write(2, "\n", 1);
3407 _exit(EXIT_FAILURE);
3408 }
3409
3410 __libc_init_tls(args);
3411
3412 // Initialize the linker's own global variables
3413 linker_so.call_constructors();
3414
3415 // Initialize static variables. Note that in order to
3416 // get correct libdl_info we need to call constructors
3417 // before get_libdl_info().
3418 solist = get_libdl_info();
3419 sonext = get_libdl_info();
3420
3421 // We have successfully fixed our own relocations. It's safe to run
3422 // the main part of the linker now.
3423 args.abort_message_ptr = &g_abort_message;
3424 ElfW(Addr) start_address = __linker_init_post_relocation(args, linker_addr);
3425
3426 INFO("[ jumping to _start ]");
3427
3428 // Return the address that the calling assembly stub should jump to.
3429 return start_address;
3430 }
3431