1 /* This Source Code Form is subject to the terms of the Mozilla Public
2  * License, v. 2.0. If a copy of the MPL was not distributed with this
3  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4 
5 #include <stdint.h>
6 #include <stdlib.h>
7 #include <unistd.h>
8 #include <sys/mman.h>
9 #include <elf.h>
10 
/* The Android NDK headers define those */
#undef Elf_Ehdr
#undef Elf_Addr

/* Select the ELF header/address types matching the pointer width this file is
 * built for. Elf_Ehdr types elf_header below and Elf_Addr is the width of each
 * word do_relocations() rebases. */
#if defined(__LP64__)
#  define Elf_Ehdr Elf64_Ehdr
#  define Elf_Addr Elf64_Addr
#else
#  define Elf_Ehdr Elf32_Ehdr
#  define Elf_Addr Elf32_Addr
#endif
22 
23 // On ARM, PC-relative function calls have a limit in how far they can jump,
24 // which might not be enough for e.g. libxul.so. The easy way out would be
25 // to use the long_call attribute, which forces the compiler to generate code
26 // that can call anywhere, but clang doesn't support the attribute yet
27 // (https://bugs.llvm.org/show_bug.cgi?id=40623), and while the command-line
28 // equivalent does exist, it's currently broken
29 // (https://bugs.llvm.org/show_bug.cgi?id=40624). So we create a manual
30 // trampoline, corresponding to the code GCC generates with long_call.
#ifdef __arm__
// Naked: no prologue/epilogue is emitted, and the asm below only ever writes
// ip (r12), so the incoming argc/argv/env (r0-r2 under the ARM calling
// convention) reach real_original_init untouched. real_original_init is not
// declared in this file; presumably the symbol is resolved when the code is
// injected/linked.
__attribute__((section(".text._init_trampoline"), naked)) int init_trampoline(
    int argc, char** argv, char** env) {
  __asm__ __volatile__(
      // thumb doesn't allow to use r12/ip with ldr, and thus would require an
      // additional push/pop to save/restore the modified register, which would
      // also change the call into a blx. It's simpler to switch to arm.
      ".arm\n"
      // ip = displacement of real_original_init from .LAFTER+8 (see .LADDR).
      "  ldr ip, .LADDR\n"
      ".LAFTER:\n"
      // In ARM state, reading pc here yields .LAFTER+8, so ip becomes the
      // absolute address of real_original_init. The displacement is a
      // link-time constant, so presumably no runtime relocation is needed.
      "  add ip, pc, ip\n"
      // bx honours the low bit of ip, so the target may be ARM or Thumb code.
      "  bx ip\n"
      ".LADDR:\n"
      "  .word real_original_init-(.LAFTER+8)\n");
}
#endif
47 
// The binary's real init function, which init()/init_relro() chain to after
// applying relocations. All symbols here are hidden: they are private to the
// injected code and never exported from the object.
extern __attribute__((visibility("hidden"))) void original_init(int argc,
                                                                char** argv,
                                                                char** env);

// Packed relocation list. Each entry covers r_info consecutive Elf_Addr words
// starting r_offset bytes after elf_header; the list ends with an entry whose
// r_offset is 0 (see do_relocations()). Note the entries are Elf32_Rel even
// in 64-bit builds, so r_offset is a 32-bit offset.
extern __attribute__((visibility("hidden"))) Elf32_Rel relhack[];
// Start of the ELF image; its runtime address is the base added to every
// relocated word.
extern __attribute__((visibility("hidden"))) Elf_Ehdr elf_header;

// Callbacks supplied by whoever injects this code. They live in .bss and are
// reset to NULL by do_relocations_with_relro() once it is done with them.
extern __attribute__((visibility("hidden"))) int (*mprotect_cb)(void* addr,
                                                                size_t len,
                                                                int prot);
extern __attribute__((visibility("hidden"))) long (*sysconf_cb)(int name);
// Bounds of the relro segment that must be made writable while relocating.
extern __attribute__((visibility("hidden"))) char relro_start[];
extern __attribute__((visibility("hidden"))) char relro_end[];
61 
do_relocations(void)62 static inline __attribute__((always_inline)) void do_relocations(void) {
63   Elf32_Rel* rel;
64   Elf_Addr *ptr, *start;
65   for (rel = relhack; rel->r_offset; rel++) {
66     start = (Elf_Addr*)((intptr_t)&elf_header + rel->r_offset);
67     for (ptr = start; ptr < &start[rel->r_info]; ptr++)
68       *ptr += (intptr_t)&elf_header;
69   }
70 }
71 
init_noinit(int argc,char ** argv,char ** env)72 __attribute__((section(".text._init_noinit"))) int init_noinit(int argc,
73                                                                char** argv,
74                                                                char** env) {
75   do_relocations();
76   return 0;
77 }
78 
init(int argc,char ** argv,char ** env)79 __attribute__((section(".text._init"))) int init(int argc, char** argv,
80                                                  char** env) {
81   do_relocations();
82   original_init(argc, argv, env);
83   // Ensure there is no tail-call optimization, avoiding the use of the
84   // B.W instruction in Thumb for the call above.
85   return 0;
86 }
87 
do_relocations_with_relro(void)88 static inline __attribute__((always_inline)) void do_relocations_with_relro(
89     void) {
90   long page_size = sysconf_cb(_SC_PAGESIZE);
91   uintptr_t aligned_relro_start = ((uintptr_t)relro_start) & ~(page_size - 1);
92   // The relro segment may not end at a page boundary. If that's the case, the
93   // remainder of the page needs to stay read-write, so the last page is never
94   // set read-only. Thus the aligned relro end is page-rounded down.
95   uintptr_t aligned_relro_end = ((uintptr_t)relro_end) & ~(page_size - 1);
96   // By the time the injected code runs, the relro segment is read-only. But
97   // we want to apply relocations in it, so we set it r/w first. We'll restore
98   // it to read-only in relro_post.
99   mprotect_cb((void*)aligned_relro_start,
100               aligned_relro_end - aligned_relro_start, PROT_READ | PROT_WRITE);
101 
102   do_relocations();
103 
104   mprotect_cb((void*)aligned_relro_start,
105               aligned_relro_end - aligned_relro_start, PROT_READ);
106   // mprotect_cb and sysconf_cb are allocated in .bss, so we need to restore
107   // them to a NULL value.
108   mprotect_cb = NULL;
109   sysconf_cb = NULL;
110 }
111 
init_noinit_relro(int argc,char ** argv,char ** env)112 __attribute__((section(".text._init_noinit_relro"))) int init_noinit_relro(
113     int argc, char** argv, char** env) {
114   do_relocations_with_relro();
115   return 0;
116 }
117 
init_relro(int argc,char ** argv,char ** env)118 __attribute__((section(".text._init_relro"))) int init_relro(int argc,
119                                                              char** argv,
120                                                              char** env) {
121   do_relocations_with_relro();
122   original_init(argc, argv, env);
123   return 0;
124 }