| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
| |
The prototype of __libc_start_main is changed to
void
__libc_start_main (int main (int, char **, char **, void *),
int argc, char **argv, char **envp, void *auxv,
void rtld_fini (void), void *sp);
so envp is passed down separately and the unused init, fini args are
dropped.
|
| | |
|
| |
|
|
| |
The start address (l_entry) is now a capability so no need to fix it.
|
| |
|
|
|
|
|
|
|
| |
Previously the entry address was fixed up to be a capability before
using it so l_entry could be ElfW(Addr), but the code is simpler and
more consistent if l_entry is a capability throughout:
The AT_ENTRY auxv entry is specified to be a capability and a number
if internal l_entry usage is simpler if it is elfptr_t.
|
| |
|
|
|
|
|
| |
Used for purecap ABI.
TODO: squash into
091bcf0e1c cheri: elf: Add new a_type entries
|
| |
|
|
|
| |
squash into
3eb1c569eb TODO(l_addr): aarch64: morello: dynamic linking support
|
| |
|
|
|
| |
TODO: squash into
3eb1c569eb TODO(l_addr): aarch64: morello: dynamic linking support
|
| |
|
|
|
| |
TODO: squash into
51fe1e15ed TODO(incomplete): cheri: rtld: more elfptr_t in linkmap struct
|
| |
|
|
|
| |
Unfortunately this will keep changing during the development
as upstream linux did not want to reserve a bit for morello.
|
| |
|
|
|
|
|
|
|
| |
This is a temporary workaround.
length is rounded up to pagesize and don't use exact bound (bounds
will be larger if exact value is not representable).
TODO: kernel should do this
|
| |
|
|
|
|
|
|
| |
nl_langinfo_l ignores its locale argument with NL_CURRENT_INDIRECT
which is wrong when that argument does not match the current thread's
locale.
upstream glibc is not tested with static linking so this is not found.
|
| |
|
|
|
|
| |
warning happens in non-purecap build.
TODO: squash into original cheri printf change
|
| |
|
|
| |
On CHERI targets getauxval cannot return a valid pointer.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
__correctly_grouped_prefixmb only worked with thousands_len == 1,
otherwise it read past the end of cp or thousands.
Avoid OOB access by considering thousands_len when initializing cp.
On morello with strict bounds checking this fixes
FAIL: stdlib/tst-strtod4
FAIL: stdlib/tst-strtod5i
both of which set cs_CZ.UTF-8 locale that has 3 byte thousands_len.
|
| |
|
|
|
|
|
|
|
|
| |
When printing numbers the alloca buffer size did not consider the
optional width parameter for padding. The width is used e.g. by
_dl_map_object_from_fd which passes '(int) sizeof (void *) * 2'
which can be larger than the buffer size on systems where
sizeof (void *) >= 2 * sizeof (unsigned long). But even if large
width is not used currently it is better to handle it to avoid
surprises.
|
| |
|
|
|
|
| |
sscanf is only defined on nul terminated string input, but '\0' was
missing in this test which caused _IO_str_init_static_internal to
read OOB on the stack when computing the bounds of the string.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The test used scratch_buffer_dupfree incorrectly:
- The passed in size must be <= buf.length.
- Must be called at most once on a buf object since it frees it.
- After it is called buf.data and buf.length must not be accessed.
All of these were violated, the test happened to work because the
buffer was on the stack, which meant the test copied out-of-bounds
bytes from the stack into a new buffer and then compared those bytes.
Run one test and avoid the issues above.
|
| |
|
|
| |
Off-by-one error found on morello with strict stack bounds.
|
| |
|
|
|
|
|
| |
The iconv buffer sizes must not include the \0 string terminator.
(When \0 cannot be part of a valid character encoding glibc iconv
would copy it to the output as expected, but then later the explicit
output termination with *outbufpos = '\0' is out of bounds.)
|
| |
|
|
|
|
|
|
|
| |
Initial detection of Arm Morello architecture from the HWCAP2 bit and CPU
identification from MIDR_EL0.
TODO: not needed?
- lp64 does not have to detect
- purecap can assume morello
|
| |
|
|
|
|
| |
Assembly prologue code with mcount call for gprof instrumentation.
TODO: untested, likely needs further runtime updates too.
|
| |
|
|
|
|
|
|
|
|
| |
This is needed now to avoid referencing abort in ld.so.
TODO: Fixing shared library profiling for capabilities requires
type fixes so capabilities are not stored into shared memory
(maybe purecap layout can match the lp64 one and then no file format
and external tooling change is required.)
TODO: Proper fix also depends on _dl_runtime_profile plt entry
|
| |
|
|
|
|
|
|
|
| |
Required for LD_AUDIT PLT hooks and shared library profiling.
incomplete, untested.
TODO: needs La_aarch64* layout definition for morello
TODO: needs to save c9 for vararg abi
|
| |
|
|
|
|
|
|
|
| |
Adjust types in the E(*) structs to support capabilities.
TODO: purecap pldd should refuse to deal with lp64 and ELF32 processes.
the code for the 32bit case should be disabled.
TODO: a correct fix requires support for all abis that can run on the
same system (purecap, lp64 and ELF32 too).
|
| |
|
|
| |
Updates libc.abilist files for getauxptr to version 2.37.
|
| | |
|
| |
|
|
|
|
|
| |
New function to return values from the auxiliary vector as
capabilities. This is the same as implemented by other C libraries.
TODO: agree about exact semantics across libcs
|
| |
|
|
| |
TODO: the value will change
|
| |
|
|
| |
TEST_COMPARE should allow comparison between two capability values.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds a new modifier %#p for printing capability information
according to the CHERI C Programming guide:
https://github.com/CTSRD-CHERI/cheri-c-programming/wiki/Displaying-Capabilities
A %#p option in printf will display:
<address> [<permissions>,<base>-<top>] (<attr>)
* address: Virtual address of capability displayed as a hexadecimal
value with a 0x prefix.
* permissions: Zero or more of the following characters:
r: LOAD permission
w: STORE permission
x: EXECUTE permission
R: LOAD_CAP permission
W: STORE_CAP permission
E: EXECUTIVE permission (Morello only)
* base: Lower bound of capability displayed as a hexadecimal value
with a 0x prefix.
* top: Upper bound of capability plus 1 displayed as a hexadecimal
value with a 0x prefix.
* attr: Zero or more of the following comma-separated attributes. If
none of the attributes are present, this field is omitted (along
with the enclosing parentheses/brackets).
invalid: Capability's tag is clear.
sentry: Capability is a sealed entry.
sealed: Capability is sealed with a type other than the sealed
entry object type.
A %p option in printf will display the capability value (address) normally.
|
| |
|
|
|
| |
In pthread_attr_setstack fail with EINVAL if the input stack does not
meet the PCS constraints.
|
| |
|
|
| |
TODO: depends on kernel sigevent definition update.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We need to distinguish timerids that are small integers returned by
the kernel and timerids that are pointers to struct timer. The existing
pointer tagging does not work for CHERI because of the pointer shift.
Simply use the top bit without shift to tag pointers. This still relies
on the top byte ignore of aarch64 (the top byte does not affect the
capability representation) and that pointers are not tagged for other
reasons (like HWASAN).
TODO: this is morello specific and does not work for generic cheri.
|
| |
|
|
| |
TODO: needs agreement across cheri libcs
|
| |
|
|
| |
TODO: depends on l_addr design
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add morello specific dl-machine.h.
Add morello dynamic relocation processing support for purecap ABI.
Only support R_AARCH64_NONE, R_AARCH64_ABS64 and R_AARCH64_RELATIVE
dynamic relocs from the lp64 abi. This required several APIs to
change ElfW(Addr) to uintptr_t including in generic code (where
elfptr_t used to cover both traditional and capability abis).
RELATIVE and IRELATIVE relocs use a helper function to construct a
capability. Also fixed the IRELATIVE handling for static linking.
Use new machine routines on morello for load address computation so it
is a valid capability:
void *elf_machine_runtime_dynamic (void)
uintptr_t elf_machine_load_address_from_args (void *)
The ld.so load address is either AT_BASE or if it is invoked as a
command then derived from AT_PHDR or _DYNAMIC (pcc).
ELF_MACHINE_START_ADDRESS is updated to turn the ElfW(Addr) user entry
into a capability based on l_addr.
TODO: __tls_get_addr should return a bounded pointer.
(in case traditional tls is defined for morello)
note: tls_index struct that is used for trad tls is changed for morello.
(this is abi once trad tls is defined for morello)
arguably _dl_make_tlsdesc_dynamic should set up tlsinfo.ti_size too.
(but it's better to avoid changing the generic code)
TODO: use cheri auxv entries to derive ld.so capabilities, this will
require separate RW and RX base pointers instead of single l_addr.
AT_BASE will not be a capability covering ld.so.
|
| |
|
|
| |
Prevent lp64 ld.so loading purecap binaries.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Ensure map_end is derived from map_start.
Use stricter mmap bounds when using MAP_FIXED:
c->mapend is aligned up to pagesize, but the capability representing
the mapping has bounds that are not page aligned, so use c->dataend
that is the actual end bound of the loaded segment.
TODO: l_addr of a pde is 0 but it should cover the exe.
this will have to be fixed. (and must not use morello asm)
|
| |
|
|
|
| |
TODO: requires follwup patches to make sure all usage of the fields
preserve capabilities.
|
| | |
|
| |
|
|
|
| |
Functions returning a pointer to the user entry need to use an int type
that can represent pointers.
|
| |
|
|
|
| |
The purecap version of aarch64 dl-start.S. Note: self relocation of
ld.so is handled by the rtld bootstrap code.
|
| |
|
|
| |
The dynamic section cannot be relocated to hold pointers in place.
|
| |
|
|
|
|
| |
Add purecap ld cache flag. Add the purecap ld.so name to known names.
Handle lib64c system library paths. And set the purecap abi flag on
cache entries.
|
| |
|
|
| |
The asm code of the test is for lp64 ABI only.
|
| |
|
|
|
|
|
|
|
| |
Adjust ucontext layout for purecap ABI and add make/get/set/swapcontext
implementations accordingly.
Note: mcontext layout follows the linux sigcontext struct, in userspace
*context functions rely on the c registers stored in the extension area
and ignore the mcontext fields for x registers.
|
| |
|
|
|
| |
Similar to lp64 setjmp/longjmp, but handles capability registers.
Save q regs instead of d regs to simplify the offset computation.
|
| |
|
|
|
|
| |
We should use a type that guarantees to represent all address bits.
In CHERI C this would be ptraddr_t, but we use unsigned long for now
not to cause regressions on other targets where this type is missing.
|
| |
|
|
|
|
|
|
|
| |
If sizeof(ptrdiff_t) < sizeof(void*) the alignment logic was wrong
(incorrectly assumed that base was already sufficiently aligned).
Use more robust alignment logic: this one should work on any target.
Note: this is an installed header so it must be namespace clean and
portable.
|
