about summary refs log tree commit diff
path: root/elf/dl-open.c
Commit message (Collapse)AuthorAgeFilesLines
* elf: Do not completely clear reused namespace in dlmopen (bug 29600)Florian Weimer2022-10-141-8/+6
| | | | | | | | | | | | | | The data in the _ns_debug member must be preserved, otherwise _dl_debug_initialize enters an infinite loop. To be conservative, only clear the libc_map member for now, to fix bug 29528. Fixes commit d0e357ff45a75553dee3b17ed7d303bfa544f6fe ("elf: Call __libc_early_init for reused namespaces (bug 29528)"), by reverting most of it. Reviewed-by: Carlos O'Donell <carlos@redhat.com> Tested-by: Carlos O'Donell <carlos@redhat.com> (cherry picked from commit 2c42257314536b94cc8d52edede86e94e98c1436)
* elf: Call __libc_early_init for reused namespaces (bug 29528)Florian Weimer2022-08-301-5/+8
| | | | | | | | | | | | libc_map is never reset to NULL, neither during dlclose nor on a dlopen call which reuses the namespace structure. As a result, if a namespace is reused, its libc is not initialized properly. The most visible result is a crash in the <ctype.h> functions. To prevent similar bugs on namespace reuse from surfacing, unconditionally initialize the chosen namespace to zero using memset. (cherry picked from commit d0e357ff45a75553dee3b17ed7d303bfa544f6fe)
* Update copyright dates with scripts/update-copyrightsPaul Eggert2022-01-011-1/+1
| | | | | | | | | | | | | | | | | | | | | | | I used these shell commands: ../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright (cd ../glibc && git commit -am"[this commit message]") and then ignored the output, which consisted lines saying "FOO: warning: copyright statement not found" for each of 7061 files FOO. I then removed trailing white space from math/tgmath.h, support/tst-support-open-dev-null-range.c, and sysdeps/x86_64/multiarch/strlen-vec.S, to work around the following obscure pre-commit check failure diagnostics from Savannah. I don't know why I run into these diagnostics whereas others evidently do not. remote: *** 912-#endif remote: *** 913: remote: *** 914- remote: *** error: lines with trailing whitespace found ... remote: *** error: sysdeps/unix/sysv/linux/statx_cp.c: trailing lines
* elf: Add _dl_find_object functionFlorian Weimer2021-12-281-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | It can be used to speed up the libgcc unwinder, and the internal _dl_find_dso_for_object function (which is used for caller identification in dlopen and related functions, and in dladdr). _dl_find_object is in the internal namespace due to bug 28503. If libgcc switches to _dl_find_object, this namespace issue will be fixed. It is located in libc for two reasons: it is necessary to forward the call to the static libc after static dlopen, and there is a link ordering issue with -static-libgcc and libgcc_eh.a because libc.so is not a linker script that includes ld.so in the glibc build tree (so that GCC's internal -lc after libgcc_eh.a does not pick up ld.so). It is necessary to do the i386 customization in the sysdeps/x86/bits/dl_find_object.h header shared with x86-64 because otherwise, multilib installations are broken. The implementation uses software transactional memory, as suggested by Torvald Riegel. Two copies of the supporting data structures are used, also achieving full async-signal-safety. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* elf: Do not fail for failed dlmopen on audit modules (BZ #28061)Adhemerval Zanella2021-12-281-2/+0
| | | | | | | | | | | | | | | | | | | | | The dl_main sets the LM_ID_BASE to RT_ADD just before starting to add load new shared objects. The state is set to RT_CONSISTENT just after all objects are loaded. However if a audit modules tries to dlmopen an inexistent module, the _dl_open will assert that the namespace is in an inconsistent state. This is different than dlopen, since first it will not use LM_ID_BASE and second _dl_map_object_from_fd is the sole responsible to set and reset the r_state value. So the assert on _dl_open can not really be seen if the state is consistent, since _dt_main resets it. This patch removes the assert. Checked on x86_64-linux-gnu, i686-linux-gnu, and aarch64-linux-gnu. Reviewed-by: Florian Weimer <fweimer@redhat.com>
* elf: Add _dl_audit_activity_map and _dl_audit_activity_nsidAdhemerval Zanella2021-12-281-19/+1
| | | | | | | | | | | | | It consolidates the code required to call la_activity audit callback. Also for a new Lmid_t the namespace link_map list are empty, so it requires to check if before using it. This can happen for when audit module is used along with dlmopen. Checked on x86_64-linux-gnu, i686-linux-gnu, and aarch64-linux-gnu. Reviewed-by: Florian Weimer <fweimer@redhat.com>
* elf: Avoid deadlock between pthread_create and ctors [BZ #28357]Szabolcs Nagy2021-10-041-1/+34
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | The fix for bug 19329 caused a regression such that pthread_create can deadlock when concurrent ctors from dlopen are waiting for it to finish. Use a new GL(dl_load_tls_lock) in pthread_create that is not taken around ctors in dlopen. The new lock is also used in __tls_get_addr instead of GL(dl_load_lock). The new lock is held in _dl_open_worker and _dl_close_worker around most of the logic before/after the init/fini routines. When init/fini routines are running then TLS is in a consistent, usable state. In _dl_open_worker the new lock requires catching and reraising dlopen failures that happen in the critical section. The new lock is reinitialized in a fork child, to keep the existing behaviour and it is kept recursive in case malloc interposition or TLS access from signal handlers can retake it. It is not obvious if this is necessary or helps, but avoids changing the preexisting behaviour. The new lock may be more appropriate for dl_iterate_phdr too than GL(dl_load_write_lock), since TLS state of an incompletely loaded module may be accessed. If the new lock can replace the old one, that can be a separate change. Fixes bug 28357. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* elf: Replace nsid with args.nsid [BZ #27609]H.J. Lu2021-09-301-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | commit ec935dea6332cb22f9881cd1162bad156173f4b0 Author: Florian Weimer <fweimer@redhat.com> Date: Fri Apr 24 22:31:15 2020 +0200 elf: Implement __libc_early_init has @@ -856,6 +876,11 @@ no more namespaces available for dlmopen()")); /* See if an error occurred during loading. */ if (__glibc_unlikely (exception.errstring != NULL)) { + /* Avoid keeping around a dangling reference to the libc.so link + map in case it has been cached in libc_map. */ + if (!args.libc_already_loaded) + GL(dl_ns)[nsid].libc_map = NULL; + do_dlopen calls _dl_open with nsid == __LM_ID_CALLER (-2), which calls dl_open_worker with args.nsid = nsid. dl_open_worker updates args.nsid if it is __LM_ID_CALLER. After dl_open_worker returns, it is wrong to use nsid. Replace nsid with args.nsid after dl_open_worker returns. This fixes BZ #27609.
* Extend struct r_debug to support multiple namespaces [BZ #15971]H.J. Lu2021-09-191-5/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Glibc does not provide an interface for debugger to access libraries loaded in multiple namespaces via dlmopen. The current rtld-debugger interface is described in the file: elf/rtld-debugger-interface.txt under the "Standard debugger interface" heading. This interface only provides access to the first link-map (LM_ID_BASE). 1. Bump r_version to 2 when multiple namespaces are used. This triggers the GDB bug: https://sourceware.org/bugzilla/show_bug.cgi?id=28236 2. Add struct r_debug_extended to extend struct r_debug into a linked-list, where each element correlates to an unique namespace. 3. Initialize the r_debug_extended structure. Bump r_version to 2 for the new namespace and add the new namespace to the namespace linked list. 4. Add _dl_debug_update to return the address of struct r_debug' of a namespace. 5. Add a hidden symbol, _r_debug_extended, for struct r_debug_extended. 6. Provide the symbol, _r_debug, with size of struct r_debug, as an alias of _r_debug_extended, for programs which reference _r_debug. This fixes BZ #15971. Reviewed-by: Florian Weimer <fweimer@redhat.com>
* elf: Fix audit regressionAdhemerval Zanella2021-07-301-9/+2
| | | | | | | Commit 03e187a41d9 added a regression when an audit module does not have libc as DT_NEEDED (although unusual it is possible). Checked on x86_64-linux-gnu.
* elf: Fix DTV gap reuse logic (BZ #27135)Adhemerval Zanella2021-07-141-10/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | This is updated version of the 572bd547d57a (reverted by 40ebfd016ad2) that fixes the _dl_next_tls_modid issues. This issue with 572bd547d57a patch is the DTV entry will be only update on dl_open_worker() with the update_tls_slotinfo() call after all dependencies are being processed by _dl_map_object_deps(). However _dl_map_object_deps() itself might call _dl_next_tls_modid(), and since the _dl_tls_dtv_slotinfo_list::map is not yet set the entry will be wrongly reused. This patch fixes by renaming the _dl_next_tls_modid() function to _dl_assign_tls_modid() and by passing the link_map so it can set the slotinfo value so a subsequente _dl_next_tls_modid() call will see the entry as allocated. The intermediary value is cleared up on remove_slotinfo() for the case a library fails to load with RTLD_NOW. This patch fixes BZ #27135. Checked on x86_64-linux-gnu. Reviewed-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
* elf: Disable most of TLS modid gaps processing [BZ #27135]Florian Weimer2021-06-251-0/+10
| | | | | | | | | | | | | Revert "elf: Fix DTV gap reuse logic [BZ #27135]" This reverts commit 572bd547d57a39b6cf0ea072545dc4048921f4c3. It turns out that the _dl_next_tls_modid in _dl_map_object_from_fd keeps returning the same modid over and over again if there is a gap and more than TLS-using module is loaded in one dlopen call. This corrupts TLS data structures. The bug is still present after a revert, but empirically it is much more difficult to trigger (because it involves a dlopen failure).
* elf: Remove DL_STATIC_INITFlorian Weimer2021-05-171-4/+0
| | | | | | All users have been converted to the __rtld_static_init mechanism. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* elf: Partially initialize ld.so after static dlopen (bug 20802)Florian Weimer2021-05-171-2/+15
| | | | | | | | | | | | | | After static dlopen, a copy of ld.so is loaded into the inner namespace, but that copy is not initialized at all. Some architectures run into serious problems as result, which is why the _dl_var_init mechanism was invented. With libpthread moving into libc and parts into ld.so, more architectures impacted, so it makes sense to switch to a generic mechanism which performs the partial initialization. As a result, getauxval now works after static dlopen (bug 20802). Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* elf: Fix DTV gap reuse logic [BZ #27135]Szabolcs Nagy2021-05-111-10/+0
| | | | | | | | | | | | | | | | | | | | | | | For some reason only dlopen failure caused dtv gaps to be reused. It is possible that the intent was to never reuse modids for a different module, but after dlopen failure all gaps are reused not just the ones caused by the unfinished dlopened. So the code has to handle reused modids already which seems to work, however the data races at thread creation and tls access (see bug 19329 and bug 27111) may be more severe if slots are reused so this is scheduled after those fixes. I think fixing the races are not simpler if reuse is disallowed and reuse has other benefits, so set GL(dl_tls_dtv_gaps) whenever entries are removed from the middle of the slotinfo list. The value does not have to be correct: incorrect true value causes the next modid query to do a slotinfo walk, incorrect false will leave gaps and new entries are added at the end. Fixes bug 27135. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* elf: Use relaxed atomics for racy accesses [BZ #19329]Szabolcs Nagy2021-05-111-1/+4
| | | | | | | | | | | | | | | | | | This is a follow up patch to the fix for bug 19329. This adds relaxed MO atomics to accesses that were previously data races but are now race conditions, and where relaxed MO is sufficient. The race conditions all follow the pattern that the write is behind the dlopen lock, but a read can happen concurrently (e.g. during tls access) without holding the lock. For slotinfo entries the read value only matters if it reads from a synchronized write in dlopen or dlclose, otherwise the related dtv entry is not valid to access so it is fine to leave it in an inconsistent state. The same applies for GL(dl_tls_max_dtv_idx) and GL(dl_tls_generation), but there the algorithm relies on the fact that the read of the last synchronized write is an increasing value. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* elf, nptl: Initialize static TLS directly in ld.soFlorian Weimer2021-05-051-1/+1
| | | | | | | | | | The stack list is available in ld.so since commit 1daccf403b1bd86370eb94edca794dc106d02039 ("nptl: Move stack list variables into _rtld_global"), so it's possible to walk the stack list directly in ld.so and perform the initialization there. This eliminates an unprotected function pointer from _rtld_global and reduces the libpthread initialization code.
* Update copyright dates with scripts/update-copyrightsPaul Eggert2021-01-021-1/+1
| | | | | | | | | | | | | | | | I used these shell commands: ../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright (cd ../glibc && git commit -am"[this commit message]") and then ignored the output, which consisted lines saying "FOO: warning: copyright statement not found" for each of 6694 files FOO. I then removed trailing white space from benchtests/bench-pthread-locks.c and iconvdata/tst-iconv-big5-hkscs-to-2ucs4.c, to work around this diagnostic from Savannah: remote: *** pre-commit check failed ... remote: *** error: lines with trailing whitespace found remote: error: hook declined to update refs/heads/master
* Replace __libc_multiple_libcs with __libc_initial flagFlorian Weimer2020-12-161-6/+0
| | | | | | | | | | | | | | Change sbrk to fail for !__libc_initial (in the generic implementation). As a result, sbrk is (relatively) safe to use for the __libc_initial case (from the main libc). It is therefore no longer necessary to avoid using it in that case (or updating the brk cache), and the __libc_initial flag does not need to be updated as part of dlmopen or static dlopen. As before, direct brk system calls on Linux may lead to memory corruption. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* elf: Remove redundant add_to_global_resize_failure call from dl_open_argsFlorian Weimer2020-05-121-5/+0
| | | | | | | | | | The second call does not do anything because the data structures have already been resized by the call that comes before the demarcation point. Fixes commit a509eb117fac1d764b15eba64993f4bdb63d7f3c ("Avoid late dlopen failure due to scope, TLS slotinfo updates [BZ #25112]"). Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* elf: Add initial flag argument to __libc_early_initFlorian Weimer2020-04-291-2/+15
| | | | | | | | | | | The rseq initialization should happen only for the libc in the base namespace (in the dynamic case) or the statically linked libc. The __libc_multiple_libcs flag does not quite cover this case at present, so this commit introduces a flag argument to __libc_early_init, indicating whether the libc being libc is the primary one (of the main program). Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* elf: Implement __libc_early_initFlorian Weimer2020-04-241-0/+25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This function is defined in libc.so, and the dynamic loader calls right after relocation has been finished, before any ELF constructors or the preinit function is invoked. It is also used in the static build for initializing parts of the static libc. To locate __libc_early_init, a direct symbol lookup function is used, _dl_lookup_direct. It does not search the entire symbol scope and consults merely a single link map. This function could also be used to implement lookups in the vDSO (as an optimization). A per-namespace variable (libc_map) is added for locating libc.so, to avoid repeated traversals of the search scope. It is similar to GL(dl_initfirst). An alternative would have been to thread a context argument from _dl_open down to _dl_map_object_from_fd (where libc.so is identified). This could have avoided the global variable, but the change would be larger as a result. It would not have been possible to use this to replace GL(dl_initfirst) because that global variable is used to pass the function pointer past the stack switch from dl_main to the main program. Replacing that requires adding a new argument to _dl_init, which in turn needs changes to the architecture-specific libc.so startup code written in assembler. __libc_early_init should not be used to replace _dl_var_init (as it exists today on some architectures). Instead, _dl_lookup_direct should be used to look up a new variable symbol in libc.so, and that should then be initialized from the dynamic loader, immediately after the object has been loaded in _dl_map_object_from_fd (before relocation is run). This way, more IFUNC resolvers which depend on these variables will work. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* elf: avoid stack allocation in dl_open_workerDavid Kilroy2020-02-121-16/+12
| | | | | | | | | | | | As the sort was removed, there's no need to keep a separate map of links. Instead, when relocating objects iterate over l_initfini directly. This allows us to remove the loop copying l_initfini elements into map. We still need a loop to identify the first and last elements that need relocation. Tested by running the testsuite on x86_64.
* elf: avoid redundant sort in dlopenDavid Kilroy2020-02-121-4/+4
| | | | | | | l_initfini is already sorted by dependency in _dl_map_object_deps(), so avoid sorting again in dl_open_worker(). Tested by running the testsuite on x86_64.
* elf: Allow dlopen of filter object to work [BZ #16272]David Kilroy2020-02-121-4/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There are two fixes that are needed to be able to dlopen filter objects. First _dl_map_object_deps cannot assume that map will be at the beginning of l_searchlist.r_list[], as filtees are inserted before map. Secondly dl_open_worker needs to ensure that filtees get relocated. In _dl_map_object_deps: * avoiding removing relocation dependencies of map by setting l_reserved to 0 and otherwise processing the rest of the search list. * ensure that map remains at the beginning of l_initfini - the list of things that need initialisation (and destruction). Do this by splitting the copy up. This may not be required, but matches the initialization order without dlopen. Modify dl_open_worker to relocate the objects in new->l_inifini. new->l_initfini is constructed in _dl_map_object_deps, and lists the objects that need initialization and destruction. Originally the list of objects in new->l_next are relocated. All of these objects should also be included in new->l_initfini (both lists are populated with dependencies in _dl_map_object_deps). We can't use new->l_prev to pick up filtees, as during a recursive dlopen from an interposed malloc call, l->prev can contain objects that are not ready for relocation. Add tests to verify that symbols resolve to the filtee implementation when auxiliary and filter objects are used, both as a normal link and when dlopen'd. Tested by running the testsuite on x86_64.
* Update copyright dates with scripts/update-copyrights.Joseph Myers2020-01-011-1/+1
|
* dlopen: Do not block signalsFlorian Weimer2019-12-131-26/+11
| | | | | | | | | | | | | | | | | | Blocking signals causes issues with certain anti-malware solutions which rely on an unblocked SIGSYS signal for system calls they intercept. This reverts commit a2e8aa0d9ea648068d8be52dd7b15f1b6a008e23 ("Block signals during the initial part of dlopen") and adds comments related to async signal safety to active_nodelete and its caller. Note that this does not make lazy binding async-signal-safe with regards to dlopen. It merely avoids introducing new async-signal-safety hazards as part of the NODELETE changes. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* dlopen: Rework handling of pending NODELETE statusFlorian Weimer2019-12-131-9/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit a2e8aa0d9ea648068d8be52dd7b15f1b6a008e23 ("Block signals during the initial part of dlopen") was deemed necessary because of read-modify-write operations like the one in add_dependency in elf/dl-lookup.c. In the old code, we check for any kind of NODELETE status and bail out: /* Redo the NODELETE check, as when dl_load_lock wasn't held yet this could have changed. */ if (map->l_nodelete != link_map_nodelete_inactive) goto out; And then set pending status (during relocation): if (flags & DL_LOOKUP_FOR_RELOCATE) map->l_nodelete = link_map_nodelete_pending; else map->l_nodelete = link_map_nodelete_active; If a signal arrives during relocation and the signal handler, through lazy binding, adds a global scope dependency on the same map, it will set map->l_nodelete to link_map_nodelete_active. This will be overwritten with link_map_nodelete_pending by the dlopen relocation code. To avoid such problems in relation to the l_nodelete member, this commit introduces two flags for active NODELETE status (irrevocable) and pending NODELETE status (revocable until activate_nodelete is invoked). As a result, NODELETE processing in dlopen does not introduce further reasons why lazy binding from signal handlers is unsafe during dlopen, and a subsequent commit can remove signal blocking from dlopen. This does not address pre-existing issues (unrelated to the NODELETE changes) which make lazy binding in a signal handler during dlopen unsafe, such as the use of malloc in both cases. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* dlopen: Fix issues related to NODELETE handling and relocationsFlorian Weimer2019-12-131-27/+14
| | | | | | | | | | | | | | | | | | | | | | | | | The assumption behind the assert in activate_nodelete was wrong: Inconsistency detected by ld.so: dl-open.c: 459: activate_nodelete: Assertion `!imap->l_init_called || imap->l_type != lt_loaded' failed! (edit) It can happen that an already-loaded object that is in the local scope is promoted to NODELETE status, via binding to a unique symbol. Similarly, it is possible that such NODELETE promotion occurs to an already-loaded object from the global scope. This is why the loop in activate_nodelete has to cover all objects in the namespace of the new object. In do_lookup_unique, it could happen that the NODELETE status of an already-loaded object was overwritten with a pending NODELETE status. As a result, if dlopen fails, this could cause a loss of the NODELETE status of the affected object, eventually resulting in an incorrect unload. Fixes commit f63b73814f74032c0e5d0a83300e3d864ef905e5 ("Remove all loaded objects if dlopen fails, ignoring NODELETE [BZ #20839]").
* Move _dl_open_check to its original place in dl_open_workerFlorian Weimer2019-11-271-6/+2
| | | | | | | | | | | | This reverts the non-test change from commit d0093c5cefb7f7a4143f ("Call _dl_open_check after relocation [BZ #24259]"), given that the underlying bug has been fixed properly in commit 61b74477fa7f63 ("Remove all loaded objects if dlopen fails, ignoring NODELETE [BZ #20839]"). Tested on x86-64-linux-gnu, with and without --enable-cet. Change-Id: I995a6cfb89f25d2b0cf5e606428c2a93eb48fc33
* Block signals during the initial part of dlopenFlorian Weimer2019-11-271-2/+26
| | | | | | | | | | | Lazy binding in a signal handler that interrupts a dlopen sees intermediate dynamic linker state. This has likely been always unsafe, but with the new pending NODELETE state, this is clearly incorrect. Other threads are excluded via the loader lock, but the current thread is not. Blocking signals until right before ELF constructors run is the safe thing to do. Change-Id: Iad079080ebe7442c13313ba11dc2797953faef35
* Remove all loaded objects if dlopen fails, ignoring NODELETE [BZ #20839]Florian Weimer2019-11-271-11/+71
| | | | | | | | | | | | | This introduces a “pending NODELETE” state in the link map, which is flipped to the persistent NODELETE state late in dlopen, via activate_nodelete. During initial relocation, symbol binding records pending NODELETE state only. dlclose ignores pending NODELETE state. Taken together, this results that a partially completed dlopen is rolled back completely because new NODELETE mappings are unloaded. Tested on x86_64-linux-gnu and i386-linux-gnu. Change-Id: Ib2a3d86af6f92d75baca65431d74783ee0dbc292
* Avoid late dlopen failure due to scope, TLS slotinfo updates [BZ #25112]Florian Weimer2019-11-271-124/+241
| | | | | | | | | | | | | | | | | | | | | | | | This change splits the scope and TLS slotinfo updates in dlopen into two parts: one to resize the data structures, and one to actually apply the update. The call to add_to_global_resize in dl_open_worker is moved before the demarcation point at which no further memory allocations are allowed. _dl_add_to_slotinfo is adjusted to make the list update optional. There is some optimization possibility here because we could grow the slotinfo list of arrays in a single call, one the largest TLS modid is known. This commit does not fix the fatal meory allocation failure in _dl_update_slotinfo. Ideally, this error during dlopen should be recoverable. The update order of scopes and TLS data structures is retained, although it appears to be more correct to fully initialize TLS first, and then expose symbols in the newly loaded objects via the scope update. Tested on x86_64-linux-gnu. Change-Id: I240c58387dabda3ca1bcab48b02115175fa83d6c
* Avoid late failure in dlopen in global scope update [BZ #25112]Florian Weimer2019-11-271-48/+106
| | | | | | | | | | | | | | | | | | | | | | | | | | | The call to add_to_global in dl_open_worker happens after running ELF constructors for new objects. At this point, proper recovery from malloc failure would be quite complicated: We would have to run the ELF destructors and close all opened objects, something that we currently do not do. Instead, this change splits add_to_global into two phases, add_to_global_resize (which can raise an exception, called before ELF constructors run), and add_to_global_update (which cannot, called after ELF constructors). A complication arises due to recursive dlopen: After the inner dlopen consumes some space, the pre-allocation in the outer dlopen may no longer be sufficient. A new member in the namespace structure, _ns_global_scope_pending_adds keeps track of the maximum number of objects that need to be added to the global scope. This enables the inner add_to_global_resize call to take into account the needs of an outer dlopen. Most code in the dynamic linker assumes that the number of global scope entries fits into an unsigned int (matching the r_nlist member of struct r_scop_elem). Therefore, change the type of _ns_global_scope_alloc to unsigned int (from size_t), and add overflow checks. Change-Id: Ie08e2f318510d5a6a4bcb1c315f46791b5b77524
* Lazy binding failures during dlopen/dlclose must be fatal [BZ #24304]Florian Weimer2019-11-271-2/+30
| | | | | | | | | | | | | | | | | | | | | If a lazy binding failure happens during the execution of an ELF constructor or destructor, the dynamic loader catches the error and reports it using the dlerror mechanism. This is undesirable because there could be other constructors and destructors that need processing (which are skipped), and the process is in an inconsistent state at this point. Therefore, we have to issue a fatal dynamic loader error error and terminate the process. Note that the _dl_catch_exception in _dl_open is just an inner catch, to roll back some state locally. If called from dlopen, there is still an outer catch, which is why calling _dl_init via call_dl_init and a no-exception is required and cannot be avoiding by moving the _dl_init call directly into _dl_open. _dl_fini does not need changes because it does not install an error handler, so errors are already fatal there. Change-Id: I6b1addfe2e30f50a1781595f046f44173db9491a
* Introduce link_map_audit_state accessor functionFlorian Weimer2019-11-151-1/+4
| | | | | | | | | | | | To improve GCC 10 compatibility, it is necessary to remove the l_audit zero-length array from the end of struct link_map. In preparation of that, this commit introduces an accessor function for the audit state, so that it is possible to change the representation of the audit state without adjusting the code that accesses it. Tested on x86_64-linux-gnu. Built on i686-gnu. Change-Id: Id815673c29950fc011ae5301d7cde12624f658df
* Prefer https to http for gnu.org and fsf.org URLsPaul Eggert2019-09-071-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Also, change sources.redhat.com to sourceware.org. This patch was automatically generated by running the following shell script, which uses GNU sed, and which avoids modifying files imported from upstream: sed -ri ' s,(http|ftp)(://(.*\.)?(gnu|fsf|sourceware)\.org($|[^.]|\.[^a-z])),https\2,g s,(http|ftp)(://(.*\.)?)sources\.redhat\.com($|[^.]|\.[^a-z]),https\2sourceware.org\4,g ' \ $(find $(git ls-files) -prune -type f \ ! -name '*.po' \ ! -name 'ChangeLog*' \ ! -path COPYING ! -path COPYING.LIB \ ! -path manual/fdl-1.3.texi ! -path manual/lgpl-2.1.texi \ ! -path manual/texinfo.tex ! -path scripts/config.guess \ ! -path scripts/config.sub ! -path scripts/install-sh \ ! -path scripts/mkinstalldirs ! -path scripts/move-if-change \ ! -path INSTALL ! -path locale/programs/charmap-kw.h \ ! -path po/libc.pot ! -path sysdeps/gnu/errlist.c \ ! '(' -name configure \ -execdir test -f configure.ac -o -f configure.in ';' ')' \ ! '(' -name preconfigure \ -execdir test -f preconfigure.ac ';' ')' \ -print) and then by running 'make dist-prepare' to regenerate files built from the altered files, and then executing the following to cleanup: chmod a+x sysdeps/unix/sysv/linux/riscv/configure # Omit irrelevant whitespace and comment-only changes, # perhaps from a slightly-different Autoconf version. git checkout -f \ sysdeps/csky/configure \ sysdeps/hppa/configure \ sysdeps/riscv/configure \ sysdeps/unix/sysv/linux/csky/configure # Omit changes that caused a pre-commit check to fail like this: # remote: *** error: sysdeps/powerpc/powerpc64/ppc-mcount.S: trailing lines git checkout -f \ sysdeps/powerpc/powerpc64/ppc-mcount.S \ sysdeps/unix/sysv/linux/s390/s390-64/syscall.S # Omit change that caused a pre-commit check to fail like this: # remote: *** error: sysdeps/sparc/sparc64/multiarch/memcpy-ultra3.S: last line does not end in newline git checkout -f sysdeps/sparc/sparc64/multiarch/memcpy-ultra3.S
* Call _dl_open_check after relocation [BZ #24259]H.J. Lu2019-07-011-2/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is a workaround for [BZ #20839] which doesn't remove the NODELETE object when _dl_open_check throws an exception. Move it after relocation in dl_open_worker to avoid leaving the NODELETE object mapped without relocation. [BZ #24259] * elf/dl-open.c (dl_open_worker): Call _dl_open_check after relocation. * sysdeps/x86/Makefile (tests): Add tst-cet-legacy-5a, tst-cet-legacy-5b, tst-cet-legacy-6a and tst-cet-legacy-6b. (modules-names): Add tst-cet-legacy-mod-5a, tst-cet-legacy-mod-5b, tst-cet-legacy-mod-5c, tst-cet-legacy-mod-6a, tst-cet-legacy-mod-6b and tst-cet-legacy-mod-6c. (CFLAGS-tst-cet-legacy-5a.c): New. (CFLAGS-tst-cet-legacy-5b.c): Likewise. (CFLAGS-tst-cet-legacy-mod-5a.c): Likewise. (CFLAGS-tst-cet-legacy-mod-5b.c): Likewise. (CFLAGS-tst-cet-legacy-mod-5c.c): Likewise. (CFLAGS-tst-cet-legacy-6a.c): Likewise. (CFLAGS-tst-cet-legacy-6b.c): Likewise. (CFLAGS-tst-cet-legacy-mod-6a.c): Likewise. (CFLAGS-tst-cet-legacy-mod-6b.c): Likewise. (CFLAGS-tst-cet-legacy-mod-6c.c): Likewise. ($(objpfx)tst-cet-legacy-5a): Likewise. ($(objpfx)tst-cet-legacy-5a.out): Likewise. ($(objpfx)tst-cet-legacy-mod-5a.so): Likewise. ($(objpfx)tst-cet-legacy-mod-5b.so): Likewise. ($(objpfx)tst-cet-legacy-5b): Likewise. ($(objpfx)tst-cet-legacy-5b.out): Likewise. (tst-cet-legacy-5b-ENV): Likewise. ($(objpfx)tst-cet-legacy-6a): Likewise. ($(objpfx)tst-cet-legacy-6a.out): Likewise. ($(objpfx)tst-cet-legacy-mod-6a.so): Likewise. ($(objpfx)tst-cet-legacy-mod-6b.so): Likewise. ($(objpfx)tst-cet-legacy-6b): Likewise. ($(objpfx)tst-cet-legacy-6b.out): Likewise. (tst-cet-legacy-6b-ENV): Likewise. * sysdeps/x86/tst-cet-legacy-5.c: New file. * sysdeps/x86/tst-cet-legacy-5a.c: Likewise. * sysdeps/x86/tst-cet-legacy-5b.c: Likewise. * sysdeps/x86/tst-cet-legacy-6.c: Likewise. * sysdeps/x86/tst-cet-legacy-6a.c: Likewise. * sysdeps/x86/tst-cet-legacy-6b.c: Likewise. * sysdeps/x86/tst-cet-legacy-mod-5.c: Likewise. * sysdeps/x86/tst-cet-legacy-mod-5a.c: Likewise. * sysdeps/x86/tst-cet-legacy-mod-5b.c: Likewise. * sysdeps/x86/tst-cet-legacy-mod-5c.c: Likewise. * sysdeps/x86/tst-cet-legacy-mod-6.c: Likewise. * sysdeps/x86/tst-cet-legacy-mod-6a.c: Likewise. * sysdeps/x86/tst-cet-legacy-mod-6b.c: Likewise. * sysdeps/x86/tst-cet-legacy-mod-6c.c: Likewise.
* Update copyright dates with scripts/update-copyrights.Joseph Myers2019-01-011-1/+1
| | | | | | | * All files with FSF copyright notices: Update copyright dates using scripts/update-copyrights. * locale/programs/charmap-kw.h: Regenerated. * locale/programs/locfile-kw.h: Likewise.
* x86: Support IBT and SHSTK in Intel CET [BZ #21598]H.J. Lu2018-07-161-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Intel Control-flow Enforcement Technology (CET) instructions: https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-en forcement-technology-preview.pdf includes Indirect Branch Tracking (IBT) and Shadow Stack (SHSTK). GNU_PROPERTY_X86_FEATURE_1_IBT is added to GNU program property to indicate that all executable sections are compatible with IBT when ENDBR instruction starts each valid target where an indirect branch instruction can land. Linker sets GNU_PROPERTY_X86_FEATURE_1_IBT on output only if it is set on all relocatable inputs. On an IBT capable processor, the following steps should be taken: 1. When loading an executable without an interpreter, enable IBT and lock IBT if GNU_PROPERTY_X86_FEATURE_1_IBT is set on the executable. 2. When loading an executable with an interpreter, enable IBT if GNU_PROPERTY_X86_FEATURE_1_IBT is set on the interpreter. a. If GNU_PROPERTY_X86_FEATURE_1_IBT isn't set on the executable, disable IBT. b. Lock IBT. 3. If IBT is enabled, when loading a shared object without GNU_PROPERTY_X86_FEATURE_1_IBT: a. If legacy interwork is allowed, then mark all pages in executable PT_LOAD segments in legacy code page bitmap. Failure of legacy code page bitmap allocation causes an error. b. If legacy interwork isn't allowed, it causes an error. GNU_PROPERTY_X86_FEATURE_1_SHSTK is added to GNU program property to indicate that all executable sections are compatible with SHSTK where return address popped from shadow stack always matches return address popped from normal stack. Linker sets GNU_PROPERTY_X86_FEATURE_1_SHSTK on output only if it is set on all relocatable inputs. On a SHSTK capable processor, the following steps should be taken: 1. When loading an executable without an interpreter, enable SHSTK if GNU_PROPERTY_X86_FEATURE_1_SHSTK is set on the executable. 2. When loading an executable with an interpreter, enable SHSTK if GNU_PROPERTY_X86_FEATURE_1_SHSTK is set on interpreter. a. If GNU_PROPERTY_X86_FEATURE_1_SHSTK isn't set on the executable or any shared objects loaded via the DT_NEEDED tag, disable SHSTK. b. Otherwise lock SHSTK. 3. After SHSTK is enabled, it is an error to load a shared object without GNU_PROPERTY_X86_FEATURE_1_SHSTK. To enable CET support in glibc, --enable-cet is required to configure glibc. When CET is enabled, both compiler and assembler must support CET. Otherwise, it is a configure-time error. To support CET run-time control, 1. _dl_x86_feature_1 is added to the writable ld.so namespace to indicate if IBT or SHSTK are enabled at run-time. It should be initialized by init_cpu_features. 2. For dynamic executables: a. A l_cet field is added to struct link_map to indicate if IBT or SHSTK is enabled in an ELF module. _dl_process_pt_note or _rtld_process_pt_note is called to process PT_NOTE segment for GNU program property and set l_cet. b. _dl_open_check is added to check IBT and SHSTK compatibilty when dlopening a shared object. 3. Replace i386 _dl_runtime_resolve and _dl_runtime_profile with _dl_runtime_resolve_shstk and _dl_runtime_profile_shstk, respectively if SHSTK is enabled. CET run-time control can be changed via GLIBC_TUNABLES with $ export GLIBC_TUNABLES=glibc.tune.x86_shstk=[permissive|on|off] $ export GLIBC_TUNABLES=glibc.tune.x86_ibt=[permissive|on|off] 1. permissive: SHSTK is disabled when dlopening a legacy ELF module. 2. on: IBT or SHSTK are always enabled, regardless if there are IBT or SHSTK bits in GNU program property. 3. off: IBT or SHSTK are always disabled, regardless if there are IBT or SHSTK bits in GNU program property. <cet.h> from CET-enabled GCC is automatically included by assembly codes to add GNU_PROPERTY_X86_FEATURE_1_IBT and GNU_PROPERTY_X86_FEATURE_1_SHSTK to GNU program property. _CET_ENDBR is added at the entrance of all assembly functions whose address may be taken. _CET_NOTRACK is used to insert NOTRACK prefix with indirect jump table to support IBT. It is defined as notrack when _CET_NOTRACK is defined in <cet.h>. [BZ #21598] * configure.ac: Add --enable-cet. * configure: Regenerated. * elf/Makefille (all-built-dso): Add a comment. * elf/dl-load.c (filebuf): Moved before "dynamic-link.h". Include <dl-prop.h>. (_dl_map_object_from_fd): Call _dl_process_pt_note on PT_NOTE segment. * elf/dl-open.c: Include <dl-prop.h>. (dl_open_worker): Call _dl_open_check. * elf/rtld.c: Include <dl-prop.h>. (dl_main): Call _rtld_process_pt_note on PT_NOTE segment. Call _rtld_main_check. * sysdeps/generic/dl-prop.h: New file. * sysdeps/i386/dl-cet.c: Likewise. * sysdeps/unix/sysv/linux/x86/cpu-features.c: Likewise. * sysdeps/unix/sysv/linux/x86/dl-cet.h: Likewise. * sysdeps/x86/cet-tunables.h: Likewise. * sysdeps/x86/check-cet.awk: Likewise. * sysdeps/x86/configure: Likewise. * sysdeps/x86/configure.ac: Likewise. * sysdeps/x86/dl-cet.c: Likewise. * sysdeps/x86/dl-procruntime.c: Likewise. * sysdeps/x86/dl-prop.h: Likewise. * sysdeps/x86/libc-start.h: Likewise. * sysdeps/x86/link_map.h: Likewise. * sysdeps/i386/dl-trampoline.S (_dl_runtime_resolve): Add _CET_ENDBR. (_dl_runtime_profile): Likewise. (_dl_runtime_resolve_shstk): New. (_dl_runtime_profile_shstk): Likewise. * sysdeps/linux/x86/Makefile (sysdep-dl-routines): Add dl-cet if CET is enabled. (CFLAGS-.o): Add -fcf-protection if CET is enabled. (CFLAGS-.os): Likewise. (CFLAGS-.op): Likewise. (CFLAGS-.oS): Likewise. (asm-CPPFLAGS): Add -fcf-protection -include cet.h if CET is enabled. (tests-special): Add $(objpfx)check-cet.out. (cet-built-dso): New. (+$(cet-built-dso:=.note)): Likewise. (common-generated): Add $(cet-built-dso:$(common-objpfx)%=%.note). ($(objpfx)check-cet.out): New. (generated): Add check-cet.out. * sysdeps/x86/cpu-features.c: Include <dl-cet.h> and <cet-tunables.h>. (TUNABLE_CALLBACK (set_x86_ibt)): New prototype. (TUNABLE_CALLBACK (set_x86_shstk)): Likewise. (init_cpu_features): Call get_cet_status to check CET status and update dl_x86_feature_1 with CET status. Call TUNABLE_CALLBACK (set_x86_ibt) and TUNABLE_CALLBACK (set_x86_shstk). Disable and lock CET in libc.a. * sysdeps/x86/cpu-tunables.c: Include <cet-tunables.h>. (TUNABLE_CALLBACK (set_x86_ibt)): New function. (TUNABLE_CALLBACK (set_x86_shstk)): Likewise. * sysdeps/x86/sysdep.h (_CET_NOTRACK): New. (_CET_ENDBR): Define if not defined. (ENTRY): Add _CET_ENDBR. * sysdeps/x86/dl-tunables.list (glibc.tune): Add x86_ibt and x86_shstk. * sysdeps/x86_64/dl-trampoline.h (_dl_runtime_resolve): Add _CET_ENDBR. (_dl_runtime_profile): Likewise.
* elf: Remove ad-hoc restrictions on dlopen callers [BZ #22787]Florian Weimer2018-02-211-9/+0
| | | | | | | | | | | | | | | | | | | | | | This looks like a post-exploitation hardening measure: If an attacker is able to redirect execution flow, they could use that to load a DSO which contains additional code (or perhaps make the stack executable). However, the checks are not in the correct place to be effective: If they are performed before the critical operation, an attacker with sufficient control over execution flow could simply jump directly to the code which performs the operation, bypassing the check. The check would have to be executed unconditionally after the operation and terminate the process in case a caller violation was detected. Furthermore, in _dl_check_caller, there was a fallback reading global writable data (GL(dl_rtld_map).l_map_start and GL(dl_rtld_map).l_text_end), which could conceivably be targeted by an attacker to disable the check, too. Other critical functions (such as system) remain completely unprotected, so the value of these additional checks does not appear that large. Therefore this commit removes this functionality.
* Update copyright dates with scripts/update-copyrights.Joseph Myers2018-01-011-1/+1
| | | | | | | * All files with FSF copyright notices: Update copyright dates using scripts/update-copyrights. * locale/programs/charmap-kw.h: Regenerated. * locale/programs/locfile-kw.h: Likewise.
* Consolidate link map sortingAndreas Schwab2017-11-271-54/+3
| | | | | | Combine the four places where link maps are sorted into a single function. This also moves the logic to skip the first map (representing the main binary) to the callers.
* Mark __libc_multiple_libcs with attribute_hidden [BZ #18822]H.J. Lu2017-08-211-2/+1
| | | | | | | | | | | | | | | Since __libc_multiple_libcs is defined as hidden symbol in init-first.c, it should be always marked with attribute_hidden. [BZ #18822] * csu/libc-start.c (__libc_multiple_libcs): Removed. * elf/dl-open.c: Include <libc-internal.h>. (__libc_multiple_libcs): Removed. * elf/dl-sysdep.c: Include <libc-internal.h> instead of <hp-timing.h>. * include/libc-internal.h (__libc_multiple_libcs): New. * misc/sbrk.c: Include <libc-internal.h>. (__libc_multiple_libcs): Removed.
* ld.so: Remove internal_function attribute from various functionsFlorian Weimer2017-08-131-1/+0
| | | | | These functions are invoked from other DSOs and should therefore use the standard calling convention.
* ld.so: Introduce struct dl_exceptionFlorian Weimer2017-08-101-27/+4
| | | | | | This commit separates allocating and raising exceptions. This simplifies catching and re-raising them because it is no longer necessary to make a temporary, on-stack copy of the exception message.
* Update copyright dates with scripts/update-copyrights.Joseph Myers2017-01-011-1/+1
|
* Bug 20292 - Simplify and test _dl_addr_inside_objectCarlos O'Donell2016-09-301-18/+0
| | | | | | | | The function _dl_addr_inside_object is simplified by removing the conditional 'reladdr - l->l_phdr[n].p_vaddr >= 0' which is always true. The function is refactored into it's own object file and a unit test added to verify the correct behaviour of the function.
* Set NODELETE flag after checking for NULL pointerAurelien Jarno2016-09-031-6/+6
| | | | | | | | | | | | | | The commit b632bdd3 moved the setting of the DF_1_NODELETE flag earlier in the dl_open_worker function. However when calling dlopen with both RTLD_NODELETE and RTLD_NOLOAD, the pointer returned by _dl_map_object is NULL. This condition is checked just after setting the flag, while it should be done before. Fix that. Changelog: [BZ #19810] * elf/dl-open.c (dl_open_worker): Set DF_1_NODELETE flag later. * elf/tst-noload.c: New test case. * elf/Makefile (tests): Add tst-noload.
* Update copyright dates with scripts/update-copyrights.Joseph Myers2016-01-041-1/+1
|