Age | Commit message | Author |
|
In dl_iterate_phdr phdr is the only capability passed to the callback
that may be used to derive pointers of the elf module, so ensure it
has wide bounds.
|
|
The dlpi_addr field is a capability that has value l_addr, but we can
only do this for libraries (ET_DYN) where l_addr == l_map_start,
otherwise we return l_addr which is normally 0 then (ET_EXEC) so the
caller can detect and special case it.
For now l_addr != 0 and l_addr != l_map_start case is not supported.
Note: this api may be used by the unwinder to find and read .eh_frame
data.
TODO: dlpi_addr could be address only, but requires unwinder update
and agreement about the abi.
|
|
TODO: needs agreement across cheri libcs
|
|
TODO: not needed with full pcuabi
|
|
Larger requirement because pointers are bigger.
|
|
There is no traditional TLS support in morello that would explicitly
call __tls_get_addr, but the libc uses it internally and the returned
pointer escapes to user code. So bound the pointers according to
the tls symbol size instead of doing so in each caller.
(Affects dlsym and dynamic TLSDESC.)
|
|
The dynamic section of an executable needs to be written to set the
DT_DEBUG entry for debuggers (unless the target has some other place
to store r_debug). For this reason we make l_ld writable whenever
the dynamic section is writable.
The ld.so l_ld is kept RX, since it does not have DT_DEBUG.
(Note: relocating the dynamic section is not allowed on cheri and
that's the only other reason glibc would write to it.)
|
|
Propagate capabilities during lazy binding and IFUNC fixup in dlsym.
|
|
Type of relocation addresses must be changed from ElfW(Addr) to
elfptr_t to cover both traditional and CHERI ABIs.
And relative relocation processing must have access to the link_map
to derive pointers from the right per module capability.
|
|
This is needed now to avoid referencing abort in ld.so.
TODO: Fixing shared library profiling for capabilities requires
type fixes so capabilities are not stored into shared memory
(maybe purecap layout can match the lp64 one and then no file format
and external tooling change is required.)
TODO: Proper fix also depends on _dl_runtime_profile plt entry
|
|
Adjust types in the E(*) structs to support capabilities.
TODO: purecap pldd should refuse to deal with lp64 and ELF32 processes.
the code for the 32bit case should be disabled.
TODO: a correct fix requires support for all abis that can run on the
same system (purecap, lp64 and ELF32 too).
|
|
Instead of
  map->l_addr + offset
use
  dl_rx_ptr (map, offset)
  dl_rw_ptr (map, offset)
depending on RX or RW permission requirement.
|
|
Ensure mmap returns pointers with RWX permission covering all segments.
These pointers later get restricted to RX and RW permission.
|
|
_dl_map_segments must use capabilities, this required changes beyond
the obvious elfptr_t changes:
- Ensure map_end is derived from map_start,
- Use strict mmap bounds with MAP_FIXED: c->mapend is aligned up to
pagesize which may be out of bounds of l_map_start (covering the
load segments, but bounds are not aligned up), so use c->dataend
instead.
Propagate l_map_start and l_rw_start capabilities of ld.so and exe that
come from auxv, and ensure they are not recomputed incorrectly by ld.so.
The l_rw_range should exclude the relro region, but in libc.so and
ld.so this does not work: symbols are accessed before relro is applied
and then the permission should be writable.
|
|
It is simpler and more consistent to make l_entry a capability
throughout instead of leaving it as an address and converting before
use:
The AT_ENTRY auxv entry is specified to be a capability and a number
of internal l_entry usages are simpler if it is elfptr_t.
Functions returning a pointer to the user entry are also changed to
use elfptr_t.
|
|
Add purecap ld cache flag. Add the purecap ld.so name to known names.
Handle lib64c system library paths. And set the purecap abi flag on
cache entries.
|
|
Derive the start of the relro area from the RW capability of the dso.
|
|
According to the ELF spec:
"Each element of this array is a pointer to a function to be executed
by the dynamic linker."
"Note that the address of a function need not be the same as a pointer
to a function as defined by the processor supplement."
so these should be accessed via uintptr_t type instead of ElfW(Addr) and
the pointers are derived from the RX pointer of the elf module.
|
|
At least tls image access requires RX capability of the main link_map.
|
|
Use elfptr_t when ElfW(Addr) represents a runtime pointer (may be
dereferenced or pointers may be derived from it).
|
|
The linker created _end symbol does not have the right bounds, so
don't try to reuse leftover memory at the end of the .data section.
|
|
The Elf64_auxv_t needs to be adjusted for the new capability size.
|
|
Follows the morello pure capability user ABI of linux.
|
|
|
|
|
|
switch statement does not work for intptr_t, use a large int type
that's guaranteed to work.
|
|
The test dlmopens 10 namespaces recursively, which requires a glibc
tunable setting, otherwise it may run out of static TLS.
|
|
The int mods[nmods] array on the stack was overread by one.
|
|
The alloca size did not consider the optional width parameter for
padding which could cause buffer underflow. The width is currently used
e.g. by _dl_map_object_from_fd which passes 2 * sizeof(void *) which
can be larger than the alloca buffer size on targets where
sizeof(void *) >= 2 * sizeof(unsigned long).
Even if large width is not used on existing targets it is better to fix
the formatting code to avoid surprises.
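
An added illustration of the sizing problem this commit message describes, not glibc's code: the function names, the digits-only scratch size of 3 * sizeof(unsigned long) and the 16-byte pointer size used for the width are assumptions made for the example. The formatter writes right to left and zero-pads to the requested width, so the scratch buffer has to be sized for the width as well as the digits.

```c
#include <stddef.h>
#include <string.h>

/* Assumed scratch size that only accounts for the digits of the value. */
static size_t scratch_digits_only(void)
{
    return 3 * sizeof(unsigned long);
}

/* Sizing that also accounts for the optional width used for padding. */
static size_t scratch_with_width(size_t width)
{
    size_t digits = scratch_digits_only();
    return width > digits ? width : digits;
}

/* Nonzero when padding to `width` would write before the start of a
   digits-only scratch buffer. */
static int width_underflows(size_t width)
{
    return width > scratch_digits_only();
}

/* Hypothetical formatter: hex digits are produced right to left from the
   end of buf, then zero padding is prepended up to `width`.
   Returns the field length, or -1 where an unchecked version would have
   stepped below buf. */
static int format_hex(unsigned long value, size_t width,
                      char *buf, size_t bufsz, const char **start)
{
    char *end = buf + bufsz;
    char *cp = end;

    do {
        if (cp == buf)
            return -1;
        *--cp = "0123456789abcdef"[value & 0xf];
        value >>= 4;
    } while (value != 0);

    while ((size_t) (end - cp) < width) {
        if (cp == buf)          /* bound that prevents the underflow */
            return -1;
        *--cp = '0';
    }
    *start = cp;
    return (int) (end - cp);
}
```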
|
|
The prelink removal done by 6628c742b2c16e wrongly removed the debug
support.
Checked on x86_64-linux-gnu.
(cherry picked from commit 891a7958a28eac6d4af1517dd2896fef5e4951d4)
|
|
The data in the _ns_debug member must be preserved, otherwise
_dl_debug_initialize enters an infinite loop. To be conservative,
only clear the libc_map member for now, to fix bug 29528.
Fixes commit d0e357ff45a75553dee3b17ed7d303bfa544f6fe
("elf: Call __libc_early_init for reused namespaces (bug 29528)"),
by reverting most of it.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
(cherry picked from commit 2c42257314536b94cc8d52edede86e94e98c1436)
|
|
The implementation in _dl_close_worker requires that the first
element of l_initfini is always this very map (“We are always the
zeroth entry, and since we don't include ourselves in the
dependency analysis start at 1.”). Rather than fixing that
assumption, this commit adds an implementation of the force_first
argument to the new dependency sorting algorithm. This also means
that the directly dlopen'ed shared object is always initialized last,
which is the least surprising behavior in the presence of cycles.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
(cherry picked from commit 1df71d32fe5f5905ffd5d100e5e9ca8ad6210891)
|
|
The new implementation will not be able to skip an arbitrary number
of objects.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
(cherry picked from commit dbb75513f5cf9285c77c9e55777c5c35b653f890)
|
|
Commit dad90d528259b669342757c37dedefa8577e2636 added glibc-hwcaps
support for LD_LIBRARY_PATH and, for this, it adjusted the total
string size required in _dl_important_hwcaps. However, in doing so
it inadvertently altered the calculation of the size required for
the power set strings, as the computation of the power set string
size depended on the first value assigned to the total variable,
which is later shifted, resulting in overallocation of string
space. Fix this now by using a different variable to hold the
string size required for glibc-hwcaps.
Signed-off-by: Javier Pello <devel@otheo.eu>
(cherry picked from commit a23820f6052a740246fdc7dcd9c43ce8eed0c45a)
|
|
The test is valid for all TLS models, but we want to make a reasonable
effort to test the GNU2 model specifically. For example, aarch64
defaults to GNU2, but does not have -mtls-dialect=gnu2, and the test
was not run there.
Suggested-by: Martin Coufal <mcoufal@redhat.com>
(cherry picked from commit dd2315a866a4ac2b838ea1cb10c5ea1c35d51a2f)
Fixes early backport commit 924e4f3eaa502ce82fccf8537f021a796d158771
("elf: Call __libc_early_init for reused namespaces (bug 29528)");
it had a wrong conflict resolution.
|
|
#29539)
The d7703d3176d225d5743b21811d888619eba39e82 changed how vDSO like
dependencies are printed, instead of just the name and address it
follows other libraries mode and prints 'name => path'.
Unfortunately, this broke some ldd consumers that use the output to
filter out the program's dependencies. For instance CMake
BundleUtilities module [1], where GetPrerequisites uses the regex to filter
out 'name => path' [2].
This patch restores the previous way to print just the name and the
mapping address.
Checked on x86_64-linux-gnu.
[1] https://github.com/Kitware/CMake/tree/master/Tests/BundleUtilities
[2] https://github.com/Kitware/CMake/blob/master/Modules/GetPrerequisites.cmake#L733
Reviewed-by: Florian Weimer <fweimer@redhat.com>
(cherry picked from commit 1e903124cec4492463d075c6c061a2a772db77bf)
|
|
libc_map is never reset to NULL, neither during dlclose nor on a
dlopen call which reuses the namespace structure. As a result, if a
namespace is reused, its libc is not initialized properly. The most
visible result is a crash in the <ctype.h> functions.
To prevent similar bugs on namespace reuse from surfacing,
unconditionally initialize the chosen namespace to zero using memset.
(cherry picked from commit d0e357ff45a75553dee3b17ed7d303bfa544f6fe)
|
|
GCC normally does this optimization for us in
strlen_pass::handle_builtin_strcpy but only for optimized
build. To avoid needing to include strcpy.S in the rtld build to
support the debug build, just do the optimization by hand.
(cherry picked from commit 483cfe1a6a33d6335b1901581b41040d2d412511)
|
|
|
|
The fix done in b2cd93fce666fdc8c9a5c64af2741a8a6940ac99 does not really
work since macro stringification does not expand the sizeof nor the
arithmetic operation.
Checked on x86_64-linux-gnu.
|
|
tst-audit26 and tst-audit27 are already used by aarch64.
Reviewed-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
|
|
NODELETE status is propagated from the referencing object to the
referenced object, not the other way round. The code is correct, only
the log message has the wrong direction.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
|
|
This is another blocker for building glibc with the default
-Werror setting and -DNDEBUG.
|
|
Using -Werror and -DNDEBUG at the same time will trigger the
following compiler error:
cache.c: In function 'save_cache':
cache.c:758:15: error: unused variable 'old_offset' [-Werror=unused-variable]
758 | off64_t old_offset = lseek64 (fd, extension_offset, SEEK_SET);
| ^~~~~~~~~~
-DNDEBUG disables the assertion, making old_offset unused.
Use __attribute__ ((unused)) to disable this warning.
|
|
By adding an internal alias to avoid the GOT indirection.
On some architectures, __libc_single_thread may be accessed through
copy relocations and thus it requires to update also the copies
default copy.
This is done by adding a new internal macro,
libc_hidden_data_{proto,def}, which has an additional argument that
specifies the alias name (instead of default __GI_ one).
Checked on x86_64-linux-gnu and i686-linux-gnu.
Reviewed-by: Fangrui Song <maskray@google.com>
|
|
Silence GCC 11/12 false positive warning with -mavx512f on dl-load.c:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106008
$ gcc -O2 -fPIC -march=x86-64 -mavx512f -S -Wall ...
dl-load.c: In function ‘_dl_map_object_from_fd.constprop’:
dl-load.c:1158:30: warning: ‘(((char *)loadcmds.113_68 + _933 + 16))[329406144173384849].mapend’ may be used uninitialized [-Wmaybe-uninitialized]
|
|
If an executable has copy relocations for extern protected data, that
can only work if the library containing the definition is built with
assumptions (a) the compiler emits GOT-generating relocations (b) the
linker produces R_*_GLOB_DAT instead of R_*_RELATIVE. Otherwise the
library uses its own definition directly and the executable accesses a
stale copy. Note: the GOT relocations defeat the purpose of protected
visibility as an optimization, but allow rtld to make the executable and
library use the same copy when copy relocations are present, but it
turns out this never worked perfectly.
ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA has strange semantics when both
a.so and b.so define protected var and the executable copy relocates
var: b.so accesses its own copy even with GLOB_DAT. The behavior change
is from commit 62da1e3b00b51383ffa7efc89d8addda0502e107 (x86) and then
copied to nios2 (ae5eae7cfc9c4a8297ff82ec6b794faca1976ecc) and arc
(0e7d930c4c11de896fe807f67fa1eb756c9c1e05).
Without ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA, b.so accesses the copy
relocated data like a.so.
There is now a warning for copy relocation on protected symbol since
commit 7374c02b683b7110b853a32496a619410364d70b. It's extremely
unlikely anyone relies on the ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA
behavior, so let's remove it: this removes a check in the symbol lookup
code.
|
|
|
|
Linux 5.18 defines a new AArch64 ELF segment type
PT_AARCH64_MEMTAG_MTE; add it to elf.h.
Tested with build-many-glibcs.py for aarch64-linux-gnu.
|
|
Newer versions of GNU grep (after grep 3.7, not inclusive) will warn on
'egrep' and 'fgrep' invocations.
Convert usages within the tree to their expanded non-aliased counterparts
to avoid irritating warnings during ./configure and the test suite.
Signed-off-by: Sam James <sam@gentoo.org>
Reviewed-by: Fangrui Song <maskray@google.com>
|