1 /* $OpenBSD: library_mquery.c,v 1.64 2019/12/09 23:15:03 bluhm Exp $ */ 2 3 /* 4 * Copyright (c) 2002 Dale Rahn 5 * Copyright (c) 1998 Per Fogelstrom, Opsycon AB 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS 17 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 18 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 20 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 * 28 */ 29 30 #define _DYN_LOADER 31 32 #include <sys/types.h> 33 #include <fcntl.h> 34 #include <sys/mman.h> 35 36 #include "syscall.h" 37 #include "archdep.h" 38 #include "resolve.h" 39 #include "sod.h" 40 41 #define PFLAGS(X) ((((X) & PF_R) ? PROT_READ : 0) | \ 42 (((X) & PF_W) ? PROT_WRITE : 0) | \ 43 (((X) & PF_X) ? PROT_EXEC : 0)) 44 45 void 46 _dl_load_list_free(struct load_list *load_list) 47 { 48 struct load_list *next; 49 Elf_Addr align = _dl_pagesz - 1; 50 51 while (load_list != NULL) { 52 if (load_list->start != NULL) 53 _dl_munmap(load_list->start, 54 ((load_list->size) + align) & ~align); 55 next = load_list->next; 56 _dl_free(load_list); 57 load_list = next; 58 } 59 } 60 61 62 void 63 _dl_unload_shlib(elf_object_t *object) 64 { 65 struct dep_node *n; 66 elf_object_t *load_object = object->load_object; 67 68 /* 69 * If our load object has become unreferenced then we lost the 70 * last group reference to it, so the entire group should be taken 71 * down. The current object is somewhere below load_object in 72 * the child_vec tree, so it'll get cleaned up by the recursion. 73 * That means we can just switch here to the load object. 74 */ 75 if (load_object != object && OBJECT_REF_CNT(load_object) == 0 && 76 (load_object->status & STAT_UNLOADED) == 0) { 77 DL_DEB(("unload_shlib switched from %s to %s\n", 78 object->load_name, load_object->load_name)); 79 object = load_object; 80 goto unload; 81 } 82 83 DL_DEB(("unload_shlib called on %s\n", object->load_name)); 84 if (OBJECT_REF_CNT(object) == 0 && 85 (object->status & STAT_UNLOADED) == 0) { 86 struct object_vector vec; 87 int i; 88 unload: 89 object->status |= STAT_UNLOADED; 90 for (vec = object->child_vec, i = 0; i < vec.len; i++) 91 _dl_unload_shlib(vec.vec[i]); 92 TAILQ_FOREACH(n, &object->grpref_list, next_sib) 93 _dl_unload_shlib(n->data); 94 DL_DEB(("unload_shlib unloading on %s\n", object->load_name)); 95 _dl_load_list_free(object->load_list); 96 _dl_remove_object(object); 97 } 98 } 99 100 101 elf_object_t * 102 _dl_tryload_shlib(const char *libname, int type, int flags) 103 { 104 int libfile, i; 105 struct load_list *ld, *lowld = NULL; 106 elf_object_t *object; 107 Elf_Dyn *dynp = NULL; 108 Elf_Ehdr *ehdr; 109 Elf_Phdr *phdp; 110 Elf_Addr load_end = 0; 111 Elf_Addr align = _dl_pagesz - 1, off, size; 112 Elf_Phdr *ptls = NULL; 113 Elf_Addr relro_addr = 0, relro_size = 0; 114 struct stat sb; 115 char hbuf[4096], *exec_start; 116 size_t exec_size; 117 118 #define ROUND_PG(x) (((x) + align) & ~(align)) 119 #define TRUNC_PG(x) ((x) & ~(align)) 120 121 libfile = _dl_open(libname, O_RDONLY | O_CLOEXEC); 122 if (libfile < 0) { 123 _dl_errno = DL_CANT_OPEN; 124 return(0); 125 } 126 127 if ( _dl_fstat(libfile, &sb) < 0) { 128 _dl_errno = DL_CANT_OPEN; 129 return(0); 130 } 131 132 for (object = _dl_objects; object != NULL; object = object->next) { 133 if (object->dev == sb.st_dev && 134 object->inode == sb.st_ino) { 135 object->obj_flags |= flags & DF_1_GLOBAL; 136 _dl_close(libfile); 137 if (_dl_loading_object == NULL) 138 _dl_loading_object = object; 139 if (object->load_object != _dl_objects && 140 object->load_object != _dl_loading_object) { 141 _dl_link_grpref(object->load_object, 142 _dl_loading_object); 143 } 144 return(object); 145 } 146 } 147 148 _dl_read(libfile, hbuf, sizeof(hbuf)); 149 ehdr = (Elf_Ehdr *)hbuf; 150 if (ehdr->e_ident[0] != ELFMAG0 || ehdr->e_ident[1] != ELFMAG1 || 151 ehdr->e_ident[2] != ELFMAG2 || ehdr->e_ident[3] != ELFMAG3 || 152 ehdr->e_type != ET_DYN || ehdr->e_machine != MACHID) { 153 _dl_close(libfile); 154 _dl_errno = DL_NOT_ELF; 155 return(0); 156 } 157 158 /* Insertion sort */ 159 #define LDLIST_INSERT(ld) do { \ 160 struct load_list **_ld; \ 161 for (_ld = &lowld; *_ld != NULL; _ld = &(*_ld)->next) \ 162 if ((*_ld)->moff > ld->moff) \ 163 break; \ 164 ld->next = *_ld; \ 165 *_ld = ld; \ 166 } while (0) 167 /* 168 * Alright, we might have a winner! 169 * Figure out how much VM space we need and set up the load 170 * list that we'll use to find free VM space. 171 */ 172 phdp = (Elf_Phdr *)(hbuf + ehdr->e_phoff); 173 for (i = 0; i < ehdr->e_phnum; i++, phdp++) { 174 switch (phdp->p_type) { 175 case PT_LOAD: 176 off = (phdp->p_vaddr & align); 177 size = off + phdp->p_filesz; 178 179 if (size != 0) { 180 ld = _dl_malloc(sizeof(struct load_list)); 181 if (ld == NULL) 182 _dl_oom(); 183 ld->start = NULL; 184 ld->size = size; 185 ld->moff = TRUNC_PG(phdp->p_vaddr); 186 ld->foff = TRUNC_PG(phdp->p_offset); 187 ld->prot = PFLAGS(phdp->p_flags); 188 LDLIST_INSERT(ld); 189 } 190 191 if ((PFLAGS(phdp->p_flags) & PROT_WRITE) == 0 || 192 ROUND_PG(size) == ROUND_PG(off + phdp->p_memsz)) 193 break; 194 /* This phdr has a zfod section */ 195 ld = _dl_calloc(1, sizeof(struct load_list)); 196 if (ld == NULL) 197 _dl_oom(); 198 ld->start = NULL; 199 ld->size = ROUND_PG(off + phdp->p_memsz) - 200 ROUND_PG(size); 201 ld->moff = TRUNC_PG(phdp->p_vaddr) + 202 ROUND_PG(size); 203 ld->foff = -1; 204 ld->prot = PFLAGS(phdp->p_flags); 205 LDLIST_INSERT(ld); 206 break; 207 case PT_DYNAMIC: 208 dynp = (Elf_Dyn *)phdp->p_vaddr; 209 break; 210 case PT_TLS: 211 if (phdp->p_filesz > phdp->p_memsz) { 212 _dl_printf("%s: invalid tls data in %s.\n", 213 __progname, libname); 214 _dl_close(libfile); 215 _dl_errno = DL_CANT_LOAD_OBJ; 216 return(0); 217 } 218 if (!_dl_tib_static_done) { 219 ptls = phdp; 220 break; 221 } 222 _dl_printf("%s: unsupported TLS program header in %s\n", 223 __progname, libname); 224 _dl_close(libfile); 225 _dl_errno = DL_CANT_LOAD_OBJ; 226 return(0); 227 default: 228 break; 229 } 230 } 231 232 #define LOFF ((Elf_Addr)lowld->start - lowld->moff) 233 234 retry: 235 exec_start = NULL; 236 exec_size = 0; 237 for (ld = lowld; ld != NULL; ld = ld->next) { 238 off_t foff; 239 int fd, flags; 240 void *res; 241 242 flags = MAP_PRIVATE; 243 244 if (ld->foff < 0) { 245 fd = -1; 246 foff = 0; 247 flags |= MAP_ANON; 248 } else { 249 fd = libfile; 250 foff = ld->foff; 251 } 252 253 if (ld == lowld) { 254 /* 255 * Add PROT_EXEC to force the first allocation in 256 * EXEC region unless it is writable. 257 */ 258 int exec = (ld->prot & PROT_WRITE) ? 0 : PROT_EXEC; 259 res = _dl_mquery((void *)(LOFF + ld->moff), 260 ROUND_PG(ld->size), ld->prot | exec, flags, 261 fd, foff); 262 if (_dl_mmap_error(res)) 263 goto fail; 264 lowld->start = res; 265 } 266 267 res = _dl_mmap((void *)(LOFF + ld->moff), ROUND_PG(ld->size), 268 ld->prot, flags | MAP_FIXED | __MAP_NOREPLACE, fd, foff); 269 if (_dl_mmap_error(res)) { 270 struct load_list *ll; 271 272 /* Unmap any mappings that we did get in. */ 273 for (ll = lowld; ll != NULL && ll != ld; 274 ll = ll->next) { 275 _dl_munmap(ll->start, ROUND_PG(ll->size)); 276 } 277 278 lowld->start += ROUND_PG(ld->size); 279 goto retry; 280 } 281 282 if ((ld->prot & PROT_EXEC) && exec_start == NULL) { 283 exec_start = (void *)(LOFF + ld->moff); 284 exec_size = ROUND_PG(ld->size); 285 } 286 287 ld->start = res; 288 } 289 290 for (ld = lowld; ld != NULL; ld = ld->next) { 291 /* Zero out everything past the EOF */ 292 if ((ld->prot & PROT_WRITE) != 0 && (ld->size & align) != 0) 293 _dl_memset((char *)ld->start + ld->size, 0, 294 _dl_pagesz - (ld->size & align)); 295 load_end = (Elf_Addr)ld->start + ROUND_PG(ld->size); 296 } 297 298 phdp = (Elf_Phdr *)(hbuf + ehdr->e_phoff); 299 for (i = 0; i < ehdr->e_phnum; i++, phdp++) { 300 if (phdp->p_type == PT_OPENBSD_RANDOMIZE) 301 _dl_arc4randombuf((char *)(phdp->p_vaddr + LOFF), 302 phdp->p_memsz); 303 else if (phdp->p_type == PT_GNU_RELRO) { 304 relro_addr = phdp->p_vaddr + LOFF; 305 relro_size = phdp->p_memsz; 306 } 307 } 308 309 _dl_close(libfile); 310 311 dynp = (Elf_Dyn *)((unsigned long)dynp + LOFF); 312 object = _dl_finalize_object(libname, dynp, 313 (Elf_Phdr *)((char *)lowld->start + ehdr->e_phoff), ehdr->e_phnum, 314 type, (Elf_Addr)lowld->start, LOFF); 315 if (object) { 316 char *soname = (char *)object->Dyn.info[DT_SONAME]; 317 318 object->load_size = (Elf_Addr)load_end - (Elf_Addr)lowld->start; 319 object->load_list = lowld; 320 /* set inode, dev from stat info */ 321 object->dev = sb.st_dev; 322 object->inode = sb.st_ino; 323 object->obj_flags |= flags; 324 object->relro_addr = relro_addr; 325 object->relro_size = relro_size; 326 _dl_set_sod(object->load_name, &object->sod); 327 if (ptls != NULL && ptls->p_memsz) 328 _dl_set_tls(object, ptls, (Elf_Addr)lowld->start, 329 libname); 330 331 /* Request permission for system calls in libc.so's text segment */ 332 if (soname != NULL && 333 _dl_strncmp(soname, "libc.so.", 8) == 0) { 334 if (_dl_msyscall(exec_start, exec_size) == -1) 335 _dl_printf("msyscall %lx %lx error\n", 336 exec_start, exec_size); 337 } 338 } else { 339 _dl_load_list_free(lowld); 340 } 341 return(object); 342 fail: 343 _dl_printf("%s: ld.so mmap failed mapping %s.\n", __progname, libname); 344 _dl_close(libfile); 345 _dl_errno = DL_CANT_MMAP; 346 _dl_load_list_free(lowld); 347 return(0); 348 } 349