1/* On-demand PLT fixup for shared objects.
2 Copyright (C) 1995-2018 Free Software Foundation, Inc.
3 This file is part of the GNU C Library.
4
5 The GNU C Library is free software; you can redistribute it and/or
6 modify it under the terms of the GNU Lesser General Public
7 License as published by the Free Software Foundation; either
8 version 2.1 of the License, or (at your option) any later version.
9
10 The GNU C Library is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Lesser General Public License for more details.
14
15 You should have received a copy of the GNU Lesser General Public
16 License along with the GNU C Library; if not, see
17 <http://www.gnu.org/licenses/>. */
18
19#define IN_DL_RUNTIME 1 /* This can be tested in dl-machine.h. */
20
21#include <alloca.h>
22#include <stdlib.h>
23#include <unistd.h>
24#include <sys/param.h>
25#include <ldsodefs.h>
26#include <sysdep-cancel.h>
27#include "dynamic-link.h"
28#include <tls.h>
29#include <dl-irel.h>
30
31
32#if (!ELF_MACHINE_NO_RELA && !defined ELF_MACHINE_PLT_REL) \
33 || ELF_MACHINE_NO_REL
34# define PLTREL ElfW(Rela)
35#else
36# define PLTREL ElfW(Rel)
37#endif
38
39/* The fixup functions might have need special attributes. If none
40 are provided define the macro as empty. */
41#ifndef ARCH_FIXUP_ATTRIBUTE
42# define ARCH_FIXUP_ATTRIBUTE
43#endif
44
45#ifndef reloc_offset
46# define reloc_offset reloc_arg
47# define reloc_index reloc_arg / sizeof (PLTREL)
48#endif
49
50
51
52/* This function is called through a special trampoline from the PLT the
53 first time each PLT entry is called. We must perform the relocation
54 specified in the PLT of the given shared object, and return the resolved
55 function address to the trampoline, which will restart the original call
56 to that address. Future calls will bounce directly from the PLT to the
57 function. */
58
59DL_FIXUP_VALUE_TYPE
60attribute_hidden __attribute ((noinline)) ARCH_FIXUP_ATTRIBUTE
61_dl_fixup (
62# ifdef ELF_MACHINE_RUNTIME_FIXUP_ARGS
63 ELF_MACHINE_RUNTIME_FIXUP_ARGS,
64# endif
65 struct link_map *l, ElfW(Word) reloc_arg)
66{
67 const ElfW(Sym) *const symtab
68 = (const void *) D_PTR (l, l_info[DT_SYMTAB]);
69 const char *strtab = (const void *) D_PTR (l, l_info[DT_STRTAB]);
70
71 const PLTREL *const reloc
72 = (const void *) (D_PTR (l, l_info[DT_JMPREL]) + reloc_offset);
73 const ElfW(Sym) *sym = &symtab[ELFW(R_SYM) (reloc->r_info)];
74 const ElfW(Sym) *refsym = sym;
75 void *const rel_addr = (void *)(l->l_addr + reloc->r_offset);
76 lookup_t result;
77 DL_FIXUP_VALUE_TYPE value;
78
79 /* Sanity check that we're really looking at a PLT relocation. */
80 assert (ELFW(R_TYPE)(reloc->r_info) == ELF_MACHINE_JMP_SLOT);
81
82 /* Look up the target symbol. If the normal lookup rules are not
83 used don't look in the global scope. */
84 if (__builtin_expect (ELFW(ST_VISIBILITY) (sym->st_other), 0) == 0)
85 {
86 const struct r_found_version *version = NULL;
87
88 if (l->l_info[VERSYMIDX (DT_VERSYM)] != NULL)
89 {
90 const ElfW(Half) *vernum =
91 (const void *) D_PTR (l, l_info[VERSYMIDX (DT_VERSYM)]);
92 ElfW(Half) ndx = vernum[ELFW(R_SYM) (reloc->r_info)] & 0x7fff;
93 version = &l->l_versions[ndx];
94 if (version->hash == 0)
95 version = NULL;
96 }
97
98 /* We need to keep the scope around so do some locking. This is
99 not necessary for objects which cannot be unloaded or when
100 we are not using any threads (yet). */
101 int flags = DL_LOOKUP_ADD_DEPENDENCY;
102 if (!RTLD_SINGLE_THREAD_P)
103 {
104 THREAD_GSCOPE_SET_FLAG ();
105 flags |= DL_LOOKUP_GSCOPE_LOCK;
106 }
107
108#ifdef RTLD_ENABLE_FOREIGN_CALL
109 RTLD_ENABLE_FOREIGN_CALL;
110#endif
111
112 result = _dl_lookup_symbol_x (strtab + sym->st_name, l, &sym, l->l_scope,
113 version, ELF_RTYPE_CLASS_PLT, flags, NULL);
114
115 /* We are done with the global scope. */
116 if (!RTLD_SINGLE_THREAD_P)
117 THREAD_GSCOPE_RESET_FLAG ();
118
119#ifdef RTLD_FINALIZE_FOREIGN_CALL
120 RTLD_FINALIZE_FOREIGN_CALL;
121#endif
122
123 /* Currently result contains the base load address (or link map)
124 of the object that defines sym. Now add in the symbol
125 offset. */
126 value = DL_FIXUP_MAKE_VALUE (result,
127 sym ? (LOOKUP_VALUE_ADDRESS (result)
128 + sym->st_value) : 0);
129 }
130 else
131 {
132 /* We already found the symbol. The module (and therefore its load
133 address) is also known. */
134 value = DL_FIXUP_MAKE_VALUE (l, l->l_addr + sym->st_value);
135 result = l;
136 }
137
138 /* And now perhaps the relocation addend. */
139 value = elf_machine_plt_value (l, reloc, value);
140
141 if (sym != NULL
142 && __builtin_expect (ELFW(ST_TYPE) (sym->st_info) == STT_GNU_IFUNC, 0))
143 value = elf_ifunc_invoke (DL_FIXUP_VALUE_ADDR (value));
144
145 /* Finally, fix up the plt itself. */
146 if (__glibc_unlikely (GLRO(dl_bind_not)))
147 return value;
148
149 return elf_machine_fixup_plt (l, result, refsym, sym, reloc, rel_addr, value);
150}
151
152#ifndef PROF
153DL_FIXUP_VALUE_TYPE
154__attribute ((noinline)) ARCH_FIXUP_ATTRIBUTE
155_dl_profile_fixup (
156#ifdef ELF_MACHINE_RUNTIME_FIXUP_ARGS
157 ELF_MACHINE_RUNTIME_FIXUP_ARGS,
158#endif
159 struct link_map *l, ElfW(Word) reloc_arg,
160 ElfW(Addr) retaddr, void *regs, long int *framesizep)
161{
162 void (*mcount_fct) (ElfW(Addr), ElfW(Addr)) = _dl_mcount;
163
164 if (l->l_reloc_result == NULL)
165 {
166 /* BZ #14843: ELF_DYNAMIC_RELOCATE is called before l_reloc_result
167 is allocated. We will get here if ELF_DYNAMIC_RELOCATE calls a
168 resolver function to resolve an IRELATIVE relocation and that
169 resolver calls a function that is not yet resolved (lazy). For
170 example, the resolver in x86-64 libm.so calls __get_cpu_features
171 defined in libc.so. Skip audit and resolve the external function
172 in this case. */
173 *framesizep = -1;
174 return _dl_fixup (
175# ifdef ELF_MACHINE_RUNTIME_FIXUP_ARGS
176# ifndef ELF_MACHINE_RUNTIME_FIXUP_PARAMS
177# error Please define ELF_MACHINE_RUNTIME_FIXUP_PARAMS.
178# endif
179 ELF_MACHINE_RUNTIME_FIXUP_PARAMS,
180# endif
181 l, reloc_arg);
182 }
183
184 /* This is the address in the array where we store the result of previous
185 relocations. */
186 struct reloc_result *reloc_result = &l->l_reloc_result[reloc_index];
187
188 /* CONCURRENCY NOTES:
189
190 Multiple threads may be calling the same PLT sequence and with
191 LD_AUDIT enabled they will be calling into _dl_profile_fixup to
192 update the reloc_result with the result of the lazy resolution.
193 The reloc_result guard variable is reloc_init, and we use
194 acquire/release loads and store to it to ensure that the results of
195 the structure are consistent with the loaded value of the guard.
196 This does not fix all of the data races that occur when two or more
197 threads read reloc_result->reloc_init with a value of zero and read
198 and write to that reloc_result concurrently. The expectation is
199 generally that while this is a data race it works because the
200 threads write the same values. Until the data races are fixed
201 there is a potential for problems to arise from these data races.
202 The reloc result updates should happen in parallel but there should
203 be an atomic RMW which does the final update to the real result
204 entry (see bug 23790).
205
206 The following code uses reloc_result->init set to 0 to indicate if it is
207 the first time this object is being relocated, otherwise 1 which
208 indicates the object has already been relocated.
209
210 Reading/Writing from/to reloc_result->reloc_init must not happen
211 before previous writes to reloc_result complete as they could
212 end-up with an incomplete struct. */
213 DL_FIXUP_VALUE_TYPE value;
214 unsigned int init = atomic_load_acquire (&reloc_result->init);
215
216 if (init == 0)
217 {
218 /* This is the first time we have to relocate this object. */
219 const ElfW(Sym) *const symtab
220 = (const void *) D_PTR (l, l_info[DT_SYMTAB]);
221 const char *strtab = (const char *) D_PTR (l, l_info[DT_STRTAB]);
222
223 const PLTREL *const reloc
224 = (const void *) (D_PTR (l, l_info[DT_JMPREL]) + reloc_offset);
225 const ElfW(Sym) *refsym = &symtab[ELFW(R_SYM) (reloc->r_info)];
226 const ElfW(Sym) *defsym = refsym;
227 lookup_t result;
228
229 /* Sanity check that we're really looking at a PLT relocation. */
230 assert (ELFW(R_TYPE)(reloc->r_info) == ELF_MACHINE_JMP_SLOT);
231
232 /* Look up the target symbol. If the symbol is marked STV_PROTECTED
233 don't look in the global scope. */
234 if (__builtin_expect (ELFW(ST_VISIBILITY) (refsym->st_other), 0) == 0)
235 {
236 const struct r_found_version *version = NULL;
237
238 if (l->l_info[VERSYMIDX (DT_VERSYM)] != NULL)
239 {
240 const ElfW(Half) *vernum =
241 (const void *) D_PTR (l, l_info[VERSYMIDX (DT_VERSYM)]);
242 ElfW(Half) ndx = vernum[ELFW(R_SYM) (reloc->r_info)] & 0x7fff;
243 version = &l->l_versions[ndx];
244 if (version->hash == 0)
245 version = NULL;
246 }
247
248 /* We need to keep the scope around so do some locking. This is
249 not necessary for objects which cannot be unloaded or when
250 we are not using any threads (yet). */
251 int flags = DL_LOOKUP_ADD_DEPENDENCY;
252 if (!RTLD_SINGLE_THREAD_P)
253 {
254 THREAD_GSCOPE_SET_FLAG ();
255 flags |= DL_LOOKUP_GSCOPE_LOCK;
256 }
257
258 result = _dl_lookup_symbol_x (strtab + refsym->st_name, l,
259 &defsym, l->l_scope, version,
260 ELF_RTYPE_CLASS_PLT, flags, NULL);
261
262 /* We are done with the global scope. */
263 if (!RTLD_SINGLE_THREAD_P)
264 THREAD_GSCOPE_RESET_FLAG ();
265
266 /* Currently result contains the base load address (or link map)
267 of the object that defines sym. Now add in the symbol
268 offset. */
269 value = DL_FIXUP_MAKE_VALUE (result,
270 defsym != NULL
271 ? LOOKUP_VALUE_ADDRESS (result)
272 + defsym->st_value : 0);
273
274 if (defsym != NULL
275 && __builtin_expect (ELFW(ST_TYPE) (defsym->st_info)
276 == STT_GNU_IFUNC, 0))
277 value = elf_ifunc_invoke (DL_FIXUP_VALUE_ADDR (value));
278 }
279 else
280 {
281 /* We already found the symbol. The module (and therefore its load
282 address) is also known. */
283 value = DL_FIXUP_MAKE_VALUE (l, l->l_addr + refsym->st_value);
284
285 if (__builtin_expect (ELFW(ST_TYPE) (refsym->st_info)
286 == STT_GNU_IFUNC, 0))
287 value = elf_ifunc_invoke (DL_FIXUP_VALUE_ADDR (value));
288
289 result = l;
290 }
291 /* And now perhaps the relocation addend. */
292 value = elf_machine_plt_value (l, reloc, value);
293
294#ifdef SHARED
295 /* Auditing checkpoint: we have a new binding. Provide the
296 auditing libraries the possibility to change the value and
297 tell us whether further auditing is wanted. */
298 if (defsym != NULL && GLRO(dl_naudit) > 0)
299 {
300 reloc_result->bound = result;
301 /* Compute index of the symbol entry in the symbol table of
302 the DSO with the definition. */
303 reloc_result->boundndx = (defsym
304 - (ElfW(Sym) *) D_PTR (result,
305 l_info[DT_SYMTAB]));
306
307 /* Determine whether any of the two participating DSOs is
308 interested in auditing. */
309 if ((l->l_audit_any_plt | result->l_audit_any_plt) != 0)
310 {
311 unsigned int flags = 0;
312 struct audit_ifaces *afct = GLRO(dl_audit);
313 /* Synthesize a symbol record where the st_value field is
314 the result. */
315 ElfW(Sym) sym = *defsym;
316 sym.st_value = DL_FIXUP_VALUE_ADDR (value);
317
318 /* Keep track whether there is any interest in tracing
319 the call in the lower two bits. */
320 assert (DL_NNS * 2 <= sizeof (reloc_result->flags) * 8);
321 assert ((LA_SYMB_NOPLTENTER | LA_SYMB_NOPLTEXIT) == 3);
322 reloc_result->enterexit = LA_SYMB_NOPLTENTER | LA_SYMB_NOPLTEXIT;
323
324 const char *strtab2 = (const void *) D_PTR (result,
325 l_info[DT_STRTAB]);
326
327 for (unsigned int cnt = 0; cnt < GLRO(dl_naudit); ++cnt)
328 {
329 /* XXX Check whether both DSOs must request action or
330 only one */
331 if ((l->l_audit[cnt].bindflags & LA_FLG_BINDFROM) != 0
332 && (result->l_audit[cnt].bindflags & LA_FLG_BINDTO) != 0)
333 {
334 if (afct->symbind != NULL)
335 {
336 uintptr_t new_value
337 = afct->symbind (&sym, reloc_result->boundndx,
338 &l->l_audit[cnt].cookie,
339 &result->l_audit[cnt].cookie,
340 &flags,
341 strtab2 + defsym->st_name);
342 if (new_value != (uintptr_t) sym.st_value)
343 {
344 flags |= LA_SYMB_ALTVALUE;
345 sym.st_value = new_value;
346 }
347 }
348
349 /* Remember the results for every audit library and
350 store a summary in the first two bits. */
351 reloc_result->enterexit
352 &= flags & (LA_SYMB_NOPLTENTER | LA_SYMB_NOPLTEXIT);
353 reloc_result->enterexit
354 |= ((flags & (LA_SYMB_NOPLTENTER | LA_SYMB_NOPLTEXIT))
355 << ((cnt + 1) * 2));
356 }
357 else
358 /* If the bind flags say this auditor is not interested,
359 set the bits manually. */
360 reloc_result->enterexit
361 |= ((LA_SYMB_NOPLTENTER | LA_SYMB_NOPLTEXIT)
362 << ((cnt + 1) * 2));
363
364 afct = afct->next;
365 }
366
367 reloc_result->flags = flags;
368 value = DL_FIXUP_ADDR_VALUE (sym.st_value);
369 }
370 else
371 /* Set all bits since this symbol binding is not interesting. */
372 reloc_result->enterexit = (1u << DL_NNS) - 1;
373 }
374#endif
375
376 /* Store the result for later runs. */
377 if (__glibc_likely (! GLRO(dl_bind_not)))
378 {
379 reloc_result->addr = value;
380 /* Guarantee all previous writes complete before
381 init is updated. See CONCURRENCY NOTES earlier */
382 atomic_store_release (&reloc_result->init, 1);
383 }
384 init = 1;
385 }
386 else
387 value = reloc_result->addr;
388
389 /* By default we do not call the pltexit function. */
390 long int framesize = -1;
391
392
393#ifdef SHARED
394 /* Auditing checkpoint: report the PLT entering and allow the
395 auditors to change the value. */
396 if (GLRO(dl_naudit) > 0
397 /* Don't do anything if no auditor wants to intercept this call. */
398 && (reloc_result->enterexit & LA_SYMB_NOPLTENTER) == 0)
399 {
400 /* Sanity check: DL_FIXUP_VALUE_CODE_ADDR (value) should have been
401 initialized earlier in this function or in another thread. */
402 assert (DL_FIXUP_VALUE_CODE_ADDR (value) != 0);
403 ElfW(Sym) *defsym = ((ElfW(Sym) *) D_PTR (reloc_result->bound,
404 l_info[DT_SYMTAB])
405 + reloc_result->boundndx);
406
407 /* Set up the sym parameter. */
408 ElfW(Sym) sym = *defsym;
409 sym.st_value = DL_FIXUP_VALUE_ADDR (value);
410
411 /* Get the symbol name. */
412 const char *strtab = (const void *) D_PTR (reloc_result->bound,
413 l_info[DT_STRTAB]);
414 const char *symname = strtab + sym.st_name;
415
416 /* Keep track of overwritten addresses. */
417 unsigned int flags = reloc_result->flags;
418
419 struct audit_ifaces *afct = GLRO(dl_audit);
420 for (unsigned int cnt = 0; cnt < GLRO(dl_naudit); ++cnt)
421 {
422 if (afct->ARCH_LA_PLTENTER != NULL
423 && (reloc_result->enterexit
424 & (LA_SYMB_NOPLTENTER << (2 * (cnt + 1)))) == 0)
425 {
426 long int new_framesize = -1;
427 uintptr_t new_value
428 = afct->ARCH_LA_PLTENTER (&sym, reloc_result->boundndx,
429 &l->l_audit[cnt].cookie,
430 &reloc_result->bound->l_audit[cnt].cookie,
431 regs, &flags, symname,
432 &new_framesize);
433 if (new_value != (uintptr_t) sym.st_value)
434 {
435 flags |= LA_SYMB_ALTVALUE;
436 sym.st_value = new_value;
437 }
438
439 /* Remember the results for every audit library and
440 store a summary in the first two bits. */
441 reloc_result->enterexit
442 |= ((flags & (LA_SYMB_NOPLTENTER | LA_SYMB_NOPLTEXIT))
443 << (2 * (cnt + 1)));
444
445 if ((reloc_result->enterexit & (LA_SYMB_NOPLTEXIT
446 << (2 * (cnt + 1))))
447 == 0 && new_framesize != -1 && framesize != -2)
448 {
449 /* If this is the first call providing information,
450 use it. */
451 if (framesize == -1)
452 framesize = new_framesize;
453 /* If two pltenter calls provide conflicting information,
454 use the larger value. */
455 else if (new_framesize != framesize)
456 framesize = MAX (new_framesize, framesize);
457 }
458 }
459
460 afct = afct->next;
461 }
462
463 value = DL_FIXUP_ADDR_VALUE (sym.st_value);
464 }
465#endif
466
467 /* Store the frame size information. */
468 *framesizep = framesize;
469
470 (*mcount_fct) (retaddr, DL_FIXUP_VALUE_CODE_ADDR (value));
471
472 return value;
473}
474
475#endif /* PROF */
476
477
478#include <stdio.h>
479void
480ARCH_FIXUP_ATTRIBUTE
481_dl_call_pltexit (struct link_map *l, ElfW(Word) reloc_arg,
482 const void *inregs, void *outregs)
483{
484#ifdef SHARED
485 /* This is the address in the array where we store the result of previous
486 relocations. */
487 // XXX Maybe the bound information must be stored on the stack since
488 // XXX with bind_not a new value could have been stored in the meantime.
489 struct reloc_result *reloc_result = &l->l_reloc_result[reloc_index];
490 ElfW(Sym) *defsym = ((ElfW(Sym) *) D_PTR (reloc_result->bound,
491 l_info[DT_SYMTAB])
492 + reloc_result->boundndx);
493
494 /* Set up the sym parameter. */
495 ElfW(Sym) sym = *defsym;
496 sym.st_value = DL_FIXUP_VALUE_ADDR (reloc_result->addr);
497
498 /* Get the symbol name. */
499 const char *strtab = (const void *) D_PTR (reloc_result->bound,
500 l_info[DT_STRTAB]);
501 const char *symname = strtab + sym.st_name;
502
503 struct audit_ifaces *afct = GLRO(dl_audit);
504 for (unsigned int cnt = 0; cnt < GLRO(dl_naudit); ++cnt)
505 {
506 if (afct->ARCH_LA_PLTEXIT != NULL
507 && (reloc_result->enterexit
508 & (LA_SYMB_NOPLTEXIT >> (2 * cnt))) == 0)
509 {
510 afct->ARCH_LA_PLTEXIT (&sym, reloc_result->boundndx,
511 &l->l_audit[cnt].cookie,
512 &reloc_result->bound->l_audit[cnt].cookie,
513 inregs, outregs, symname);
514 }
515
516 afct = afct->next;
517 }
518#endif
519}
520