1 #include <linux/auxvec.h>
3 #include <stdio.h>
4 #include <stdlib.h>
5 #include <string.h>
6 #include <unistd.h>
7 #include <fcntl.h>
8 #include <errno.h>
9 #include <dlfcn.h>
11 //#include <pthread.h>
13 #include <sys/mman.h>
15 #include <sys/atomics.h>
16 #include <sys/tls.h>
18 #include "linker.h"
19 #include "linker_debug.h"
21 #define SO_MAX 64
23 /* >>> IMPORTANT NOTE - READ ME BEFORE MODIFYING <<<
24 *
25 * Do NOT use malloc() and friends or pthread_*() code here.
26 * Don't use printf() either; it's caused mysterious memory
27 * corruption in the past.
28 * The linker runs before we bring up libc and it's easiest
29 * to make sure it does not depend on any complex libc features
30 *
31 * open issues / todo:
32 *
33 * - should we do anything special for STB_WEAK symbols?
34 * - are we doing everything we should for ARM_COPY relocations?
35 * - cleaner error reporting
36 * - configuration for paths (LD_LIBRARY_PATH?)
37 * - after linking, set as much stuff as possible to READONLY
38 * and NOEXEC
39 * - linker hardcodes PAGE_SIZE and PAGE_MASK because the kernel
40 * headers provide versions that are negative...
41 * - allocate space for soinfo structs dynamically instead of
42 * having a hard limit (64)
43 *
44 * features to add someday:
45 *
46 * - dlopen() and friends
47 *
48 */
51 static int link_image(soinfo *si, unsigned wr_offset);
53 static int socount = 0;
54 static soinfo sopool[SO_MAX];
55 static soinfo *freelist = NULL;
56 static soinfo *solist = &libdl_info;
57 static soinfo *sonext = &libdl_info;
59 int debug_verbosity;
60 static int pid;
62 #if STATS
63 struct _link_stats linker_stats;
64 #endif
66 #if COUNT_PAGES
67 unsigned bitmask[4096];
68 #endif
70 #ifndef PT_ARM_EXIDX
71 #define PT_ARM_EXIDX 0x70000001 /* .ARM.exidx segment */
72 #endif
74 /*
75 * This function is an empty stub where GDB locates a breakpoint to get notified
76 * about linker activity.
77 */
78 extern void __attribute__((noinline)) rtld_db_dlactivity(void);
80 extern void sched_yield(void);
82 static struct r_debug _r_debug = {1, NULL, &rtld_db_dlactivity, RT_CONSISTENT, 0};
83 static struct link_map *r_debug_tail = 0;
85 //static pthread_mutex_t _r_debug_lock = PTHREAD_MUTEX_INITIALIZER;
87 static volatile int loader_lock = 0;
89 static void insert_soinfo_into_debug_map(soinfo * info)
90 {
91 struct link_map * map;
93 /* Copy the necessary fields into the debug structure.
94 */
95 map = &(info->linkmap);
96 map->l_addr = info->base;
97 map->l_name = (char*) info->name;
99 /* Stick the new library at the end of the list.
100 * gdb tends to care more about libc than it does
101 * about leaf libraries, and ordering it this way
102 * reduces the back-and-forth over the wire.
103 */
104 if (r_debug_tail) {
105 r_debug_tail->l_next = map;
106 map->l_prev = r_debug_tail;
107 map->l_next = 0;
108 } else {
109 _r_debug.r_map = map;
110 map->l_prev = 0;
111 map->l_next = 0;
112 }
113 r_debug_tail = map;
114 }
116 void notify_gdb_of_load(soinfo * info)
117 {
118 if (info->flags & FLAG_EXE) {
119 // GDB already knows about the main executable
120 return;
121 }
123 /* yes, this is a little gross, but it does avoid
124 ** pulling in pthread_*() and at the moment we don't
125 ** dlopen() anything anyway
126 */
127 while(__atomic_swap(1, &loader_lock) != 0) {
128 sched_yield();
129 usleep(5000);
130 }
132 _r_debug.r_state = RT_ADD;
133 rtld_db_dlactivity();
135 insert_soinfo_into_debug_map(info);
137 _r_debug.r_state = RT_CONSISTENT;
138 rtld_db_dlactivity();
140 __atomic_swap(0, &loader_lock);
141 }
143 void notify_gdb_of_libraries()
144 {
145 _r_debug.r_state = RT_ADD;
146 rtld_db_dlactivity();
147 _r_debug.r_state = RT_CONSISTENT;
148 rtld_db_dlactivity();
149 }
151 static soinfo *alloc_info(const char *name)
152 {
153 soinfo *si;
155 if(strlen(name) >= SOINFO_NAME_LEN) {
156 ERROR("%5d library name %s too long\n", pid, name);
157 return 0;
158 }
160 /* The freelist is populated when we call free_info(), which in turn is
161 done only by dlclose(), which is not likely to be used.
162 */
163 if (!freelist) {
164 if(socount == SO_MAX) {
165 ERROR("%5d too many libraries when loading %s\n", pid, name);
166 return NULL;
167 }
168 freelist = sopool + socount++;
169 freelist->next = NULL;
170 }
172 si = freelist;
173 freelist = freelist->next;
175 /* Make sure we get a clean block of soinfo */
176 memset(si, 0, sizeof(soinfo));
177 strcpy((char*) si->name, name);
178 sonext->next = si;
179 si->next = NULL;
180 si->refcount = 0;
181 sonext = si;
183 TRACE("%5d name %s: allocated soinfo @ %p\n", pid, name, si);
184 return si;
185 }
187 static void free_info(soinfo *si)
188 {
189 soinfo *prev = NULL, *trav;
191 TRACE("%5d name %s: freeing soinfo @ %p\n", pid, si->name, si);
193 for(trav = solist; trav != NULL; trav = trav->next){
194 if (trav == si)
195 break;
196 prev = trav;
197 }
198 if (trav == NULL) {
199 /* si was not ni solist */
200 ERROR("%5d name %s is not in solist!\n", pid, si->name);
201 return;
202 }
204 /* prev will never be NULL, because the first entry in solist is
205 always the static libdl_info.
206 */
207 prev->next = si->next;
208 if (si == sonext) sonext = prev;
209 si->next = freelist;
210 freelist = si;
211 }
213 #ifndef LINKER_TEXT_BASE
214 #error "linker's makefile must define LINKER_TEXT_BASE"
215 #endif
216 #ifndef LINKER_AREA_SIZE
217 #error "linker's makefile must define LINKER_AREA_SIZE"
218 #endif
219 #define LINKER_BASE ((LINKER_TEXT_BASE) & 0xfff00000)
220 #define LINKER_TOP (LINKER_BASE + (LINKER_AREA_SIZE))
222 const char *addr_to_name(unsigned addr)
223 {
224 soinfo *si;
226 for(si = solist; si != 0; si = si->next){
227 if((addr >= si->base) && (addr < (si->base + si->size))) {
228 return si->name;
229 }
230 }
232 if((addr >= LINKER_BASE) && (addr < LINKER_TOP)){
233 return "linker";
234 }
236 return "";
237 }
239 /* For a given PC, find the .so that it belongs to.
240 * Returns the base address of the .ARM.exidx section
241 * for that .so, and the number of 8-byte entries
242 * in that section (via *pcount).
243 *
244 * Intended to be called by libc's __gnu_Unwind_Find_exidx().
245 *
246 * This function is exposed via dlfcn.c and libdl.so.
247 */
248 #ifdef ANDROID_ARM_LINKER
249 _Unwind_Ptr dl_unwind_find_exidx(_Unwind_Ptr pc, int *pcount)
250 {
251 soinfo *si;
252 unsigned addr = (unsigned)pc;
254 if ((addr < LINKER_BASE) || (addr >= LINKER_TOP)) {
255 for (si = solist; si != 0; si = si->next){
256 if ((addr >= si->base) && (addr < (si->base + si->size))) {
257 *pcount = si->ARM_exidx_count;
258 return (_Unwind_Ptr)(si->base + (unsigned long)si->ARM_exidx);
259 }
260 }
261 }
262 *pcount = 0;
263 return NULL;
264 }
265 #elif defined(ANDROID_X86_LINKER)
266 /* Here, we only have to provide a callback to iterate across all the
267 * loaded libraries. gcc_eh does the rest. */
268 int
269 dl_iterate_phdr(int (*cb)(struct dl_phdr_info *info, size_t size, void *data),
270 void *data)
271 {
272 soinfo *si;
273 struct dl_phdr_info dl_info;
274 int rv = 0;
276 for (si = solist; si != NULL; si = si->next) {
277 dl_info.dlpi_addr = si->linkmap.l_addr;
278 dl_info.dlpi_name = si->linkmap.l_name;
279 dl_info.dlpi_phdr = si->phdr;
280 dl_info.dlpi_phnum = si->phnum;
281 rv = cb(&dl_info, sizeof (struct dl_phdr_info), data);
282 if (rv != 0)
283 break;
284 }
285 return rv;
286 }
287 #endif
289 static Elf32_Sym *_elf_lookup(soinfo *si, unsigned hash, const char *name)
290 {
291 Elf32_Sym *s;
292 Elf32_Sym *symtab = si->symtab;
293 const char *strtab = si->strtab;
294 unsigned n;
296 TRACE_TYPE(LOOKUP, "%5d SEARCH %s in %s@0x%08x %08x %d\n", pid,
297 name, si->name, si->base, hash, hash % si->nbucket);
298 n = hash % si->nbucket;
300 for(n = si->bucket[hash % si->nbucket]; n != 0; n = si->chain[n]){
301 s = symtab + n;
302 if(strcmp(strtab + s->st_name, name)) continue;
304 /* only concern ourselves with global symbols */
305 switch(ELF32_ST_BIND(s->st_info)){
306 case STB_GLOBAL:
307 /* no section == undefined */
308 if(s->st_shndx == 0) continue;
310 case STB_WEAK:
311 TRACE_TYPE(LOOKUP, "%5d FOUND %s in %s (%08x) %d\n", pid,
312 name, si->name, s->st_value, s->st_size);
313 return s;
314 }
315 }
317 return 0;
318 }
320 static unsigned elfhash(const char *_name)
321 {
322 const unsigned char *name = (const unsigned char *) _name;
323 unsigned h = 0, g;
325 while(*name) {
326 h = (h << 4) + *name++;
327 g = h & 0xf0000000;
328 h ^= g;
329 h ^= g >> 24;
330 }
331 return h;
332 }
334 static Elf32_Sym *
335 _do_lookup_in_so(soinfo *si, const char *name, unsigned *elf_hash)
336 {
337 if (*elf_hash == 0)
338 *elf_hash = elfhash(name);
339 return _elf_lookup (si, *elf_hash, name);
340 }
342 /* This is used by dl_sym() */
343 Elf32_Sym *lookup_in_library(soinfo *si, const char *name)
344 {
345 unsigned unused = 0;
346 return _do_lookup_in_so(si, name, &unused);
347 }
349 static Elf32_Sym *
350 _do_lookup(soinfo *user_si, const char *name, unsigned *base)
351 {
352 unsigned elf_hash = 0;
353 Elf32_Sym *s = NULL;
354 soinfo *si;
356 /* Look for symbols in the local scope first (the object who is
357 * searching). This happens with C++ templates on i386 for some
358 * reason. */
359 if (user_si) {
360 s = _do_lookup_in_so(user_si, name, &elf_hash);
361 if (s != NULL)
362 *base = user_si->base;
363 }
365 for(si = solist; (s == NULL) && (si != NULL); si = si->next)
366 {
367 if((si->flags & FLAG_ERROR) || (si == user_si))
368 continue;
369 s = _do_lookup_in_so(si, name, &elf_hash);
370 if (s != NULL) {
371 *base = si->base;
372 break;
373 }
374 }
376 if (s != NULL) {
377 TRACE_TYPE(LOOKUP, "%5d %s s->st_value = 0x%08x, "
378 "si->base = 0x%08x\n", pid, name, s->st_value, si->base);
379 return s;
380 }
382 return 0;
383 }
385 /* This is used by dl_sym() */
386 Elf32_Sym *lookup(const char *name, unsigned *base)
387 {
388 return _do_lookup(NULL, name, base);
389 }
391 #if 0
392 static void dump(soinfo *si)
393 {
394 Elf32_Sym *s = si->symtab;
395 unsigned n;
397 for(n = 0; n < si->nchain; n++) {
398 TRACE("%5d %04d> %08x: %02x %04x %08x %08x %s\n", pid, n, s,
399 s->st_info, s->st_shndx, s->st_value, s->st_size,
400 si->strtab + s->st_name);
401 s++;
402 }
403 }
404 #endif
406 static const char *sopaths[] = {
407 "/system/lib",
408 "/lib",
409 0
410 };
412 static int open_library(const char *name)
413 {
414 int fd;
415 char buf[512];
416 const char **path;
418 TRACE("[ %5d opening %s ]\n", pid, name);
420 if(strlen(name) > 256) return -1;
421 if(name == 0) return -1;
423 fd = open(name, O_RDONLY);
424 if(fd != -1) return fd;
426 for(path = sopaths; *path; path++){
427 sprintf(buf,"%s/%s", *path, name);
428 fd = open(buf, O_RDONLY);
429 if(fd != -1) return fd;
430 }
432 return -1;
433 }
435 static unsigned libbase = LIBBASE;
437 /* temporary space for holding the first page of the shared lib
438 * which contains the elf header (with the pht). */
439 static unsigned char __header[PAGE_SIZE];
441 typedef struct {
442 long mmap_addr;
443 char tag[4]; /* 'P', 'R', 'E', ' ' */
444 } prelink_info_t;
446 /* Returns the requested base address if the library is prelinked,
447 * and 0 otherwise. */
448 static unsigned long
449 is_prelinked(int fd, const char *name)
450 {
451 off_t sz;
452 prelink_info_t info;
454 sz = lseek(fd, -sizeof(prelink_info_t), SEEK_END);
455 if (sz < 0) {
456 ERROR("lseek() failed!\n");
457 return 0;
458 }
460 if (read(fd, &info, sizeof(info)) != sizeof(info)) {
461 WARN("Could not read prelink_info_t structure for `%s`\n", name);
462 return 0;
463 }
465 if (strncmp(info.tag, "PRE ", 4)) {
466 WARN("`%s` is not a prelinked library\n", name);
467 return 0;
468 }
470 return (unsigned long)info.mmap_addr;
471 }
473 /* verify_elf_object
474 * Verifies if the object @ base is a valid ELF object
475 *
476 * Args:
477 *
478 * Returns:
479 * 0 on success
480 * -1 if no valid ELF object is found @ base.
481 */
482 static int
483 verify_elf_object(void *base, const char *name)
484 {
485 Elf32_Ehdr *hdr = (Elf32_Ehdr *) base;
487 if (hdr->e_ident[EI_MAG0] != ELFMAG0) return -1;
488 if (hdr->e_ident[EI_MAG1] != ELFMAG1) return -1;
489 if (hdr->e_ident[EI_MAG2] != ELFMAG2) return -1;
490 if (hdr->e_ident[EI_MAG3] != ELFMAG3) return -1;
492 /* TODO: Should we verify anything else in the header? */
494 return 0;
495 }
498 /* get_lib_extents
499 * Retrieves the base (*base) address where the ELF object should be
500 * mapped and its overall memory size (*total_sz).
501 *
502 * Args:
503 * fd: Opened file descriptor for the library
504 * name: The name of the library
505 * _hdr: Pointer to the header page of the library
506 * total_sz: Total size of the memory that should be allocated for
507 * this library
508 *
509 * Returns:
510 * -1 if there was an error while trying to get the lib extents.
511 * The possible reasons are:
512 * - Could not determine if the library was prelinked.
513 * - The library provided is not a valid ELF object
514 * 0 if the library did not request a specific base offset (normal
515 * for non-prelinked libs)
516 * > 0 if the library requests a specific address to be mapped to.
517 * This indicates a pre-linked library.
518 */
519 static unsigned
520 get_lib_extents(int fd, const char *name, void *__hdr, unsigned *total_sz)
521 {
522 unsigned req_base;
523 unsigned min_vaddr = 0xffffffff;
524 unsigned max_vaddr = 0;
525 unsigned char *_hdr = (unsigned char *)__hdr;
526 Elf32_Ehdr *ehdr = (Elf32_Ehdr *)_hdr;
527 Elf32_Phdr *phdr;
528 int cnt;
530 TRACE("[ %5d Computing extents for '%s'. ]\n", pid, name);
531 if (verify_elf_object(_hdr, name) < 0) {
532 ERROR("%5d - %s is not a valid ELF object\n", pid, name);
533 return (unsigned)-1;
534 }
536 req_base = (unsigned) is_prelinked(fd, name);
537 if (req_base == (unsigned)-1)
538 return -1;
539 else if (req_base != 0) {
540 TRACE("[ %5d - Prelinked library '%s' requesting base @ 0x%08x ]\n",
541 pid, name, req_base);
542 } else {
543 TRACE("[ %5d - Non-prelinked library '%s' found. ]\n", pid, name);
544 }
546 phdr = (Elf32_Phdr *)(_hdr + ehdr->e_phoff);
548 /* find the min/max p_vaddrs from all the PT_LOAD segments so we can
549 * get the range. */
550 for (cnt = 0; cnt < ehdr->e_phnum; ++cnt, ++phdr) {
551 if (phdr->p_type == PT_LOAD) {
552 if ((phdr->p_vaddr + phdr->p_memsz) > max_vaddr)
553 max_vaddr = phdr->p_vaddr + phdr->p_memsz;
554 if (phdr->p_vaddr < min_vaddr)
555 min_vaddr = phdr->p_vaddr;
556 }
557 }
559 if ((min_vaddr == 0xffffffff) && (max_vaddr == 0)) {
560 ERROR("%5d - No loadable segments found in %s.\n", pid, name);
561 return (unsigned)-1;
562 }
564 /* truncate min_vaddr down to page boundary */
565 min_vaddr &= ~PAGE_MASK;
567 /* round max_vaddr up to the next page */
568 max_vaddr = (max_vaddr + PAGE_SIZE - 1) & ~PAGE_MASK;
570 *total_sz = (max_vaddr - min_vaddr);
571 return (unsigned)req_base;
572 }
574 /* alloc_mem_region
575 *
576 * This function reserves a chunk of memory to be used for mapping in
577 * the shared library. We reserve the entire memory region here, and
578 * then the rest of the linker will relocate the individual loadable
579 * segments into the correct locations within this memory range.
580 *
581 * Args:
582 * req_base: The requested base of the allocation. If 0, a sane one will be
583 * chosen in the range LIBBASE <= base < LIBLAST.
584 * sz: The size of the allocation.
585 *
586 * Returns:
587 * NULL on failure, and non-NULL pointer to memory region on success.
588 */
589 static void *
590 alloc_mem_region(const char *name, unsigned req_base, unsigned sz)
591 {
592 void *base;
594 if (req_base) {
595 /* we should probably map it as PROT_NONE, but the init code needs
596 * to read the phdr, so mark everything as readable. */
597 base = mmap((void *)req_base, sz, PROT_READ | PROT_EXEC,
598 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
599 if (base == MAP_FAILED) {
600 WARN("%5d can NOT map (prelinked) library '%s' at 0x%08x "
601 "as requested, will try general pool: %d (%s)\n",
602 pid, name, req_base, errno, strerror(errno));
603 } else if (base != (void *)req_base) {
604 ERROR("OOPS: %5d prelinked library '%s' mapped at 0x%08x, "
605 "not at 0x%08x\n", pid, name, (unsigned)base, req_base);
606 munmap(base, sz);
607 return NULL;
608 }
610 /* Here we know that we got a valid allocation. Hooray! */
611 return base;
612 }
614 /* We either did not request a specific base address to map at
615 * (i.e. not-prelinked) OR we could not map at the requested address.
616 * Try to find a memory range in our "reserved" area that can be mapped.
617 */
618 while(libbase < LIBLAST) {
619 base = mmap((void*) libbase, sz, PROT_READ | PROT_EXEC,
620 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
622 if(((unsigned)base) == libbase) {
623 /* success -- got the address we wanted */
624 return base;
625 }
627 /* If we got a different address than requested (rather than
628 * just a failure), we need to unmap the mismapped library
629 * before trying again
630 */
631 if(base != MAP_FAILED)
632 munmap(base, sz);
634 libbase += LIBINC;
635 }
637 ERROR("OOPS: %5d cannot map library '%s'. no vspace available.\n",
638 pid, name);
639 return NULL;
640 }
642 #define MAYBE_MAP_FLAG(x,from,to) (((x) & (from)) ? (to) : 0)
643 #define PFLAGS_TO_PROT(x) (MAYBE_MAP_FLAG((x), PF_X, PROT_EXEC) | \
644 MAYBE_MAP_FLAG((x), PF_R, PROT_READ) | \
645 MAYBE_MAP_FLAG((x), PF_W, PROT_WRITE))
646 /* load_segments
647 *
648 * This function loads all the loadable (PT_LOAD) segments into memory
649 * at their appropriate memory offsets off the base address.
650 *
651 * Args:
652 * fd: Open file descriptor to the library to load.
653 * header: Pointer to a header page that contains the ELF header.
654 * This is needed since we haven't mapped in the real file yet.
655 * si: ptr to soinfo struct describing the shared object.
656 *
657 * Returns:
658 * 0 on success, -1 on failure.
659 */
660 static int
661 load_segments(int fd, void *header, soinfo *si)
662 {
663 Elf32_Ehdr *ehdr = (Elf32_Ehdr *)header;
664 Elf32_Phdr *phdr = (Elf32_Phdr *)((unsigned char *)header + ehdr->e_phoff);
665 unsigned char *base = (unsigned char *)si->base;
666 int cnt;
667 unsigned len;
668 unsigned char *tmp;
669 unsigned char *pbase;
670 unsigned char *extra_base;
671 unsigned extra_len;
672 unsigned total_sz = 0;
674 si->wrprotect_start = 0xffffffff;
675 si->wrprotect_end = 0;
677 TRACE("[ %5d - Begin loading segments for '%s' @ 0x%08x ]\n",
678 pid, si->name, (unsigned)si->base);
679 /* Now go through all the PT_LOAD segments and map them into memory
680 * at the appropriate locations. */
681 for (cnt = 0; cnt < ehdr->e_phnum; ++cnt, ++phdr) {
682 if (phdr->p_type == PT_LOAD) {
683 DEBUG_DUMP_PHDR(phdr, "PT_LOAD", pid);
684 /* we want to map in the segment on a page boundary */
685 tmp = base + (phdr->p_vaddr & (~PAGE_MASK));
686 /* add the # of bytes we masked off above to the total length. */
687 len = phdr->p_filesz + (phdr->p_vaddr & PAGE_MASK);
689 TRACE("[ %d - Trying to load segment from '%s' @ 0x%08x "
690 "(0x%08x). p_vaddr=0x%08x p_offset=0x%08x ]\n", pid, si->name,
691 (unsigned)tmp, len, phdr->p_vaddr, phdr->p_offset);
692 pbase = mmap(tmp, len, PFLAGS_TO_PROT(phdr->p_flags),
693 MAP_PRIVATE | MAP_FIXED, fd,
694 phdr->p_offset & (~PAGE_MASK));
695 if (pbase == MAP_FAILED) {
696 ERROR("%d failed to map segment from '%s' @ 0x%08x (0x%08x). "
697 "p_vaddr=0x%08x p_offset=0x%08x\n", pid, si->name,
698 (unsigned)tmp, len, phdr->p_vaddr, phdr->p_offset);
699 goto fail;
700 }
702 /* If 'len' didn't end on page boundary, and it's a writable
703 * segment, zero-fill the rest. */
704 if ((len & PAGE_MASK) && (phdr->p_flags & PF_W))
705 memset((void *)(pbase + len), 0, PAGE_SIZE - (len & PAGE_MASK));
707 /* Check to see if we need to extend the map for this segment to
708 * cover the diff between filesz and memsz (i.e. for bss).
709 *
710 * base _+---------------------+ page boundary
711 * . .
712 * | |
713 * . .
714 * pbase _+---------------------+ page boundary
715 * | |
716 * . .
717 * base + p_vaddr _| |
718 * . \ \ .
719 * . | filesz | .
720 * pbase + len _| / | |
721 * <0 pad> . . .
722 * extra_base _+------------|--------+ page boundary
723 * / . . .
724 * | . . .
725 * | +------------|--------+ page boundary
726 * extra_len-> | | | |
727 * | . | memsz .
728 * | . | .
729 * \ _| / |
730 * . .
731 * | |
732 * _+---------------------+ page boundary
733 */
734 tmp = (unsigned char *)(((unsigned)pbase + len + PAGE_SIZE - 1) &
735 (~PAGE_MASK));
736 if (tmp < (base + phdr->p_vaddr + phdr->p_memsz)) {
737 extra_len = base + phdr->p_vaddr + phdr->p_memsz - tmp;
738 TRACE("[ %5d - Need to extend segment from '%s' @ 0x%08x "
739 "(0x%08x) ]\n", pid, si->name, (unsigned)tmp, extra_len);
740 /* map in the extra page(s) as anonymous into the range.
741 * This is probably not necessary as we already mapped in
742 * the entire region previously, but we just want to be
743 * sure. This will also set the right flags on the region
744 * (though we can probably accomplish the same thing with
745 * mprotect).
746 */
747 extra_base = mmap((void *)tmp, extra_len,
748 PFLAGS_TO_PROT(phdr->p_flags),
749 MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS,
750 -1, 0);
751 if (extra_base == MAP_FAILED) {
752 ERROR("[ %5d - failed to extend segment from '%s' @ 0x%08x "
753 "(0x%08x) ]\n", pid, si->name, (unsigned)tmp,
754 extra_len);
755 goto fail;
756 }
757 /* TODO: Check if we need to memset-0 this region.
758 * Anonymous mappings are zero-filled copy-on-writes, so we
759 * shouldn't need to. */
760 TRACE("[ %5d - Segment from '%s' extended @ 0x%08x "
761 "(0x%08x)\n", pid, si->name, (unsigned)extra_base,
762 extra_len);
763 }
764 /* set the len here to show the full extent of the segment we
765 * just loaded, mostly for debugging */
766 len = (((unsigned)base + phdr->p_vaddr + phdr->p_memsz +
767 PAGE_SIZE - 1) & (~PAGE_MASK)) - (unsigned)pbase;
768 TRACE("[ %5d - Successfully loaded segment from '%s' @ 0x%08x "
769 "(0x%08x). p_vaddr=0x%08x p_offset=0x%08x\n", pid, si->name,
770 (unsigned)pbase, len, phdr->p_vaddr, phdr->p_offset);
771 total_sz += len;
772 /* Make the section writable just in case we'll have to write to
773 * it during relocation (i.e. text segment). However, we will
774 * remember what range of addresses should be write protected.
775 *
776 */
777 if (!(phdr->p_flags & PF_W)) {
778 if ((unsigned)pbase < si->wrprotect_start)
779 si->wrprotect_start = (unsigned)pbase;
780 if (((unsigned)pbase + len) > si->wrprotect_end)
781 si->wrprotect_end = (unsigned)pbase + len;
782 mprotect(pbase, len,
783 PFLAGS_TO_PROT(phdr->p_flags) | PROT_WRITE);
784 }
785 } else if (phdr->p_type == PT_DYNAMIC) {
786 DEBUG_DUMP_PHDR(phdr, "PT_DYNAMIC", pid);
787 /* this segment contains the dynamic linking information */
788 si->dynamic = (unsigned *)(base + phdr->p_vaddr);
789 } else {
790 #ifdef ANDROID_ARM_LINKER
791 if (phdr->p_type == PT_ARM_EXIDX) {
792 DEBUG_DUMP_PHDR(phdr, "PT_ARM_EXIDX", pid);
793 /* exidx entries (used for stack unwinding) are 8 bytes each.
794 */
795 si->ARM_exidx = (unsigned *)phdr->p_vaddr;
796 si->ARM_exidx_count = phdr->p_memsz / 8;
797 }
798 #endif
799 }
801 }
803 /* Sanity check */
804 if (total_sz > si->size) {
805 ERROR("%5d - Total length (0x%08x) of mapped segments from '%s' is "
806 "greater than what was allocated (0x%08x). THIS IS BAD!\n",
807 pid, total_sz, si->name, si->size);
808 goto fail;
809 }
811 TRACE("[ %5d - Finish loading segments for '%s' @ 0x%08x. "
812 "Total memory footprint: 0x%08x bytes ]\n", pid, si->name,
813 (unsigned)si->base, si->size);
814 return 0;
816 fail:
817 /* We can just blindly unmap the entire region even though some things
818 * were mapped in originally with anonymous and others could have been
819 * been mapped in from the file before we failed. The kernel will unmap
820 * all the pages in the range, irrespective of how they got there.
821 */
822 munmap((void *)si->base, si->size);
823 si->flags |= FLAG_ERROR;
824 return -1;
825 }
827 /* TODO: Implement this to take care of the fact that Android ARM
828 * ELF objects shove everything into a single loadable segment that has the
829 * write bit set. wr_offset is then used to set non-(data|bss) pages to be
830 * non-writable.
831 */
832 #if 0
833 static unsigned
834 get_wr_offset(int fd, const char *name, Elf32_Ehdr *ehdr)
835 {
836 Elf32_Shdr *shdr_start;
837 Elf32_Shdr *shdr;
838 int shdr_sz = ehdr->e_shnum * sizeof(Elf32_Shdr);
839 int cnt;
840 unsigned wr_offset = 0xffffffff;
842 shdr_start = mmap(0, shdr_sz, PROT_READ, MAP_PRIVATE, fd,
843 ehdr->e_shoff & (~PAGE_MASK));
844 if (shdr_start == MAP_FAILED) {
845 WARN("%5d - Could not read section header info from '%s'. Will not "
846 "not be able to determine write-protect offset.\n", pid, name);
847 return (unsigned)-1;
848 }
850 for(cnt = 0, shdr = shdr_start; cnt < ehdr->e_shnum; ++cnt, ++shdr) {
851 if ((shdr->sh_type != SHT_NULL) && (shdr->sh_flags & SHF_WRITE) &&
852 (shdr->sh_addr < wr_offset)) {
853 wr_offset = shdr->sh_addr;
854 }
855 }
857 munmap(shdr_start, shdr_sz);
858 return wr_offset;
859 }
860 #endif
862 static soinfo *
863 load_library(const char *name)
864 {
865 int fd = open_library(name);
866 int cnt;
867 unsigned ext_sz;
868 unsigned req_base;
869 void *base;
870 soinfo *si;
871 Elf32_Ehdr *hdr;
873 if(fd == -1)
874 return NULL;
876 /* We have to read the ELF header to figure out what to do with this image
877 */
878 if (lseek(fd, 0, SEEK_SET) < 0) {
879 ERROR("lseek() failed!\n");
880 goto fail;
881 }
883 if ((cnt = read(fd, &__header[0], PAGE_SIZE)) < 0) {
884 ERROR("read() failed!\n");
885 goto fail;
886 }
888 /* Parse the ELF header and get the size of the memory footprint for
889 * the library */
890 req_base = get_lib_extents(fd, name, &__header[0], &ext_sz);
891 if (req_base == (unsigned)-1)
892 goto fail;
893 TRACE("[ %5d - '%s' (%s) wants base=0x%08x sz=0x%08x ]\n", pid, name,
894 (req_base ? "prelinked" : "not pre-linked"), req_base, ext_sz);
896 /* Carve out a chunk of memory where we will map in the individual
897 * segments */
898 base = alloc_mem_region(name, req_base, ext_sz);
899 if (base == NULL)
900 goto fail;
901 TRACE("[ %5d allocated memory for %s @ %p (0x%08x) ]\n",
902 pid, name, base, (unsigned) ext_sz);
904 /* Now configure the soinfo struct where we'll store all of our data
905 * for the ELF object. If the loading fails, we waste the entry, but
906 * same thing would happen if we failed during linking. Configuring the
907 * soinfo struct here is a lot more convenient.
908 */
909 si = alloc_info(name);
910 if (si == NULL)
911 goto fail;
913 si->base = (unsigned)base;
914 si->size = ext_sz;
915 si->flags = 0;
916 si->entry = 0;
917 si->dynamic = (unsigned *)-1;
919 /* Now actually load the library's segments into right places in memory */
920 if (load_segments(fd, &__header[0], si) < 0)
921 goto fail;
923 /* this might not be right. Technically, we don't even need this info
924 * once we go through 'load_segments'. */
925 hdr = (Elf32_Ehdr *)base;
926 si->phdr = (Elf32_Phdr *)((unsigned char *)si->base + hdr->e_phoff);
927 si->phnum = hdr->e_phnum;
928 /**/
930 close(fd);
931 return si;
933 fail:
934 close(fd);
935 return NULL;
936 }
938 static soinfo *
939 init_library(soinfo *si)
940 {
941 unsigned wr_offset = 0xffffffff;
942 unsigned libbase_before = 0;
943 unsigned libbase_after = 0;
945 /* At this point we know that whatever is loaded @ base is a valid ELF
946 * shared library whose segments are properly mapped in. */
947 TRACE("[ %5d init_library base=0x%08x sz=0x%08x name='%s') ]\n",
948 pid, si->base, si->size, si->name);
950 if (si->base < LIBBASE || si->base >= LIBLAST)
951 si->flags |= FLAG_PRELINKED;
953 /* Adjust libbase for the size of this library, rounded up to
954 ** LIBINC alignment. Make note of the previous and current
955 ** value of libbase to allow us to roll back in the event of
956 ** a link failure.
957 */
958 if (!(si->flags & FLAG_PRELINKED)) {
959 libbase_before = libbase;
960 libbase += (si->size + (LIBINC - 1)) & (~(LIBINC - 1));
961 libbase_after = libbase;
962 }
964 if(link_image(si, wr_offset)) {
965 /* We failed to link. However, we can only restore libbase
966 ** if no additional libraries have moved it since we updated it.
967 */
968 if(!(si->flags & FLAG_PRELINKED) && (libbase == libbase_after)) {
969 libbase = libbase_before;
970 }
971 munmap((void *)si->base, si->size);
972 return NULL;
973 }
975 return si;
976 }
978 soinfo *find_library(const char *name)
979 {
980 soinfo *si;
982 for(si = solist; si != 0; si = si->next){
983 if(!strcmp(name, si->name)) {
984 if(si->flags & FLAG_ERROR) return 0;
985 if(si->flags & FLAG_LINKED) return si;
986 ERROR("OOPS: %5d recursive link to '%s'\n", pid, si->name);
987 return 0;
988 }
989 }
991 TRACE("[ %5d '%s' has not been loaded yet. Locating...]\n", pid, name);
992 si = load_library(name);
993 if(si == NULL)
994 return NULL;
995 return init_library(si);
996 }
998 /* TODO:
999 * notify gdb of unload
1000 * for non-prelinked libraries, find a way to decrement libbase
1001 */
1002 static void call_destructors(soinfo *si);
1003 unsigned unload_library(soinfo *si)
1004 {
1005 unsigned *d;
1006 if (si->refcount == 1) {
1007 TRACE("%5d unloading '%s'\n", pid, si->name);
1008 call_destructors(si);
1010 for(d = si->dynamic; *d; d += 2) {
1011 if(d[0] == DT_NEEDED){
1012 TRACE("%5d %s needs to unload %s\n", pid,
1013 si->name, si->strtab + d[1]);
1014 soinfo *lsi = find_library(si->strtab + d[1]);
1015 if(lsi)
1016 unload_library(lsi);
1017 else
1018 ERROR("%5d could not unload '%s'\n",
1019 pid, si->strtab + d[1]);
1020 }
1021 }
1023 munmap((char *)si->base, si->size);
1024 free_info(si);
1025 si->refcount = 0;
1026 }
1027 else {
1028 si->refcount--;
1029 ERROR("%5d not unloading '%s', decrementing refcount to %d\n",
1030 pid, si->name, si->refcount);
1031 }
1032 return si->refcount;
1033 }
1035 /* TODO: don't use unsigned for addrs below. It works, but is not
1036 * ideal. They should probably be either uint32_t, Elf32_Addr, or unsigned
1037 * long.
1038 */
1039 static int reloc_library(soinfo *si, Elf32_Rel *rel, unsigned count)
1040 {
1041 Elf32_Sym *symtab = si->symtab;
1042 const char *strtab = si->strtab;
1043 Elf32_Sym *s;
1044 unsigned base;
1045 Elf32_Rel *start = rel;
1046 unsigned idx;
1048 for (idx = 0; idx < count; ++idx) {
1049 unsigned type = ELF32_R_TYPE(rel->r_info);
1050 unsigned sym = ELF32_R_SYM(rel->r_info);
1051 unsigned reloc = (unsigned)(rel->r_offset + si->base);
1052 unsigned sym_addr = 0;
1053 char *sym_name = NULL;
1055 DEBUG("%5d Processing '%s' relocation at index %d\n", pid,
1056 si->name, idx);
1057 if(sym != 0) {
1058 s = _do_lookup(si, strtab + symtab[sym].st_name, &base);
1059 if(s == 0) {
1060 ERROR("%5d cannot locate '%s'...\n", pid, sym_name);
1061 return -1;
1062 }
1063 #if 0
1064 if((base == 0) && (si->base != 0)){
1065 /* linking from libraries to main image is bad */
1066 ERROR("%5d cannot locate '%s'...\n",
1067 pid, strtab + symtab[sym].st_name);
1068 return -1;
1069 }
1070 #endif
1071 if ((s->st_shndx == SHN_UNDEF) && (s->st_value != 0)) {
1072 ERROR("%5d In '%s', shndx=%d && value=0x%08x. We do not "
1073 "handle this yet\n", pid, si->name, s->st_shndx,
1074 s->st_value);
1075 return -1;
1076 }
1077 sym_addr = (unsigned)(s->st_value + base);
1078 sym_name = (char *)(strtab + symtab[sym].st_name);
1079 COUNT_RELOC(RELOC_SYMBOL);
1080 } else {
1081 s = 0;
1082 }
1084 /* TODO: This is ugly. Split up the relocations by arch into
1085 * different files.
1086 */
1087 switch(type){
1088 #if defined(ANDROID_ARM_LINKER)
1089 case R_ARM_JUMP_SLOT:
1090 case R_ARM_GLOB_DAT:
1091 case R_ARM_ABS32:
1092 COUNT_RELOC(RELOC_ABSOLUTE);
1093 MARK(rel->r_offset);
1094 TRACE_TYPE(RELO, "%5d RELO ABS %08x <- %08x %s\n", pid,
1095 reloc, sym_addr, sym_name);
1096 *((unsigned*)reloc) = sym_addr;
1097 break;
1098 #elif defined(ANDROID_X86_LINKER)
1099 case R_386_JUMP_SLOT:
1100 COUNT_RELOC(RELOC_ABSOLUTE);
1101 MARK(rel->r_offset);
1102 TRACE_TYPE(RELO, "%5d RELO JMP_SLOT %08x <- %08x %s\n", pid,
1103 reloc, sym_addr, sym_name);
1104 *((unsigned*)reloc) = sym_addr;
1105 break;
1106 case R_386_GLOB_DAT:
1107 COUNT_RELOC(RELOC_ABSOLUTE);
1108 MARK(rel->r_offset);
1109 TRACE_TYPE(RELO, "%5d RELO GLOB_DAT %08x <- %08x %s\n", pid,
1110 reloc, sym_addr, sym_name);
1111 *((unsigned*)reloc) = sym_addr;
1112 break;
1113 #endif /* ANDROID_*_LINKER */
1115 #if defined(ANDROID_ARM_LINKER)
1116 case R_ARM_RELATIVE:
1117 #elif defined(ANDROID_X86_LINKER)
1118 case R_386_RELATIVE:
1119 #endif /* ANDROID_*_LINKER */
1120 COUNT_RELOC(RELOC_RELATIVE);
1121 MARK(rel->r_offset);
1122 if(sym){
1123 ERROR("%5d odd RELATIVE form...\n", pid);
1124 return -1;
1125 }
1126 TRACE_TYPE(RELO, "%5d RELO RELATIVE %08x <- +%08x\n", pid,
1127 reloc, si->base);
1128 *((unsigned*)reloc) += si->base;
1129 break;
1131 #if defined(ANDROID_X86_LINKER)
1132 case R_386_32:
1133 COUNT_RELOC(RELOC_RELATIVE);
1134 MARK(rel->r_offset);
1136 TRACE_TYPE(RELO, "%5d RELO R_386_32 %08x <- +%08x %s\n", pid,
1137 reloc, sym_addr, sym_name);
1138 *((unsigned *)reloc) += (unsigned)sym_addr;
1139 break;
1141 case R_386_PC32:
1142 COUNT_RELOC(RELOC_RELATIVE);
1143 MARK(rel->r_offset);
1144 TRACE_TYPE(RELO, "%5d RELO R_386_PC32 %08x <- "
1145 "+%08x (%08x - %08x) %s\n", pid, reloc,
1146 (sym_addr - reloc), sym_addr, reloc, sym_name);
1147 *((unsigned *)reloc) += (unsigned)(sym_addr - reloc);
1148 break;
1149 #endif /* ANDROID_X86_LINKER */
1151 #ifdef ANDROID_ARM_LINKER
1152 case R_ARM_COPY:
1153 COUNT_RELOC(RELOC_COPY);
1154 MARK(rel->r_offset);
1155 TRACE_TYPE(RELO, "%5d RELO %08x <- %d @ %08x %s\n", pid,
1156 reloc, s->st_size, sym_addr, sym_name);
1157 memcpy((void*)reloc, (void*)sym_addr, s->st_size);
1158 break;
1159 #endif /* ANDROID_ARM_LINKER */
1161 default:
1162 ERROR("%5d unknown reloc type %d @ %p (%d)\n",
1163 pid, type, rel, (int) (rel - start));
1164 return -1;
1165 }
1166 rel++;
1167 }
1168 return 0;
1169 }
1171 static void call_array(unsigned *ctor, int count)
1172 {
1173 int n;
1174 for(n = count; n > 0; n--){
1175 TRACE("[ %5d Looking at ctor *0x%08x == 0x%08x ]\n", pid,
1176 (unsigned)ctor, (unsigned)*ctor);
1177 void (*func)() = (void (*)()) *ctor++;
1178 if(((int) func == 0) || ((int) func == -1)) continue;
1179 TRACE("[ %5d Calling func @ 0x%08x ]\n", pid, (unsigned)func);
1180 func();
1181 }
1182 }
1184 static void call_constructors(soinfo *si)
1185 {
1186 /* TODO: THE ORIGINAL CODE SEEMED TO CALL THE INIT FUNCS IN THE WRONG ORDER.
1187 * Old order: init, init_array, preinit_array..
1188 * Correct order: preinit_array, init, init_array.
1189 * Verify WHY.
1190 */
1192 if (si->flags & FLAG_EXE) {
1193 TRACE("[ %5d Calling preinit_array @ 0x%08x [%d] for '%s' ]\n",
1194 pid, (unsigned)si->preinit_array, si->preinit_array_count,
1195 si->name);
1196 call_array(si->preinit_array, si->preinit_array_count);
1197 TRACE("[ %5d Done calling preinit_array for '%s' ]\n", pid, si->name);
1198 } else {
1199 if (si->preinit_array) {
1200 ERROR("%5d Shared library '%s' has a preinit_array table @ 0x%08x."
1201 " This is INVALID.\n", pid, si->name,
1202 (unsigned)si->preinit_array);
1203 }
1204 }
1206 // If we have an init section, then we should call it now, to make sure
1207 // that all the funcs in the .ctors section get run.
1208 // Note: For ARM, we shouldn't have a .ctor section (should be empty)
1209 // when we have an (pre)init_array section, but let's be compatible with
1210 // old (non-eabi) binaries and try the _init (DT_INIT) anyway.
1211 if (si->init_func) {
1212 TRACE("[ %5d Calling init_func @ 0x%08x for '%s' ]\n", pid,
1213 (unsigned)si->init_func, si->name);
1214 si->init_func();
1215 TRACE("[ %5d Done calling init_func for '%s' ]\n", pid, si->name);
1216 }
1218 if (si->init_array) {
1219 TRACE("[ %5d Calling init_array @ 0x%08x [%d] for '%s' ]\n", pid,
1220 (unsigned)si->init_array, si->init_array_count, si->name);
1221 call_array(si->init_array, si->init_array_count);
1222 TRACE("[ %5d Done calling init_array for '%s' ]\n", pid, si->name);
1223 }
1224 }
1226 static void call_destructors(soinfo *si)
1227 {
1228 if (si->fini_array) {
1229 TRACE("[ %5d Calling fini_array @ 0x%08x [%d] for '%s' ]\n", pid,
1230 (unsigned)si->fini_array, si->fini_array_count, si->name);
1231 call_array(si->fini_array, si->fini_array_count);
1232 TRACE("[ %5d Done calling fini_array for '%s' ]\n", pid, si->name);
1233 }
1235 // If we have an fini section, then we should call it now, to make sure
1236 // that all the funcs in the .dtors section get run.
1237 // Note: For ARM, we shouldn't have a .dtor section (should be empty)
1238 // when we have an fini_array section, but let's be compatible with
1239 // old (non-eabi) binaries and try the _fini (DT_FINI) anyway.
1240 if (si->fini_func) {
1241 TRACE("[ %5d Calling fini_func @ 0x%08x for '%s' ]\n", pid,
1242 (unsigned)si->fini_func, si->name);
1243 si->fini_func();
1244 TRACE("[ %5d Done calling fini_func for '%s' ]\n", pid, si->name);
1245 }
1246 }
1248 /* Force any of the closed stdin, stdout and stderr to be associated with
1249 /dev/null. */
1250 static int nullify_closed_stdio (void)
1251 {
1252 int dev_null, i, status;
1253 int return_value = 0;
1255 dev_null = open("/dev/null", O_RDWR);
1256 if (dev_null < 0) {
1257 ERROR("Cannot open /dev/null.\n");
1258 return -1;
1259 }
1260 TRACE("[ %5d Opened /dev/null file-descriptor=%d]\n", pid, dev_null);
1262 /* If any of the stdio file descriptors is valid and not associated
1263 with /dev/null, dup /dev/null to it. */
1264 for (i = 0; i < 3; i++) {
1265 /* If it is /dev/null already, we are done. */
1266 if (i == dev_null)
1267 continue;
1269 TRACE("[ %5d Nullifying stdio file descriptor %d]\n", pid, i);
1270 /* The man page of fcntl does not say that fcntl(..,F_GETFL)
1271 can be interrupted but we do this just to be safe. */
1272 do {
1273 status = fcntl(i, F_GETFL);
1274 } while (status < 0 && errno == EINTR);
1276 /* If file is openned, we are good. */
1277 if (status >= 0)
1278 continue;
1280 /* The only error we allow is that the file descriptor does not
1281 exist, in which case we dup /dev/null to it. */
1282 if (errno != EBADF) {
1283 ERROR("nullify_stdio: unhandled error %s\n", strerror(errno));
1284 return_value = -1;
1285 continue;
1286 }
1288 /* Try dupping /dev/null to this stdio file descriptor and
1289 repeat if there is a signal. Note that any errors in closing
1290 the stdio descriptor are lost. */
1291 do {
1292 status = dup2(dev_null, i);
1293 } while (status < 0 && errno == EINTR);
1295 if (status < 0) {
1296 ERROR("nullify_stdio: dup2 error %s\n", strerror(errno));
1297 return_value = -1;
1298 continue;
1299 }
1300 }
1302 /* If /dev/null is not one of the stdio file descriptors, close it. */
1303 if (dev_null > 2) {
1304 TRACE("[ %5d Closing /dev/null file-descriptor=%d]\n", pid, dev_null);
1305 do {
1306 status = close(dev_null);
1307 } while (status < 0 && errno == EINTR);
1309 if (status < 0) {
1310 ERROR("nullify_stdio: close error %s\n", strerror(errno));
1311 return_value = -1;
1312 }
1313 }
1315 return return_value;
1316 }
1318 static int link_image(soinfo *si, unsigned wr_offset)
1319 {
1320 unsigned *d;
1321 Elf32_Phdr *phdr = si->phdr;
1322 int phnum = si->phnum;
1324 INFO("[ %5d linking %s ]\n", pid, si->name);
1325 DEBUG("%5d si->base = 0x%08x si->flags = 0x%08x\n", pid,
1326 si->base, si->flags);
1328 if (si->flags & FLAG_EXE) {
1329 /* Locate the needed program segments (DYNAMIC/ARM_EXIDX) for
1330 * linkage info if this is the executable. If this was a
1331 * dynamic lib, that would have been done at load time.
1332 *
1333 * TODO: It's unfortunate that small pieces of this are
1334 * repeated from the load_library routine. Refactor this just
1335 * slightly to reuse these bits.
1336 */
1337 si->size = 0;
1338 for(; phnum > 0; --phnum, ++phdr) {
1339 #ifdef ANDROID_ARM_LINKER
1340 if(phdr->p_type == PT_ARM_EXIDX) {
1341 /* exidx entries (used for stack unwinding) are 8 bytes each.
1342 */
1343 si->ARM_exidx = (unsigned *)phdr->p_vaddr;
1344 si->ARM_exidx_count = phdr->p_memsz / 8;
1345 }
1346 #endif
1347 if (phdr->p_type == PT_LOAD) {
1348 /* For the executable, we use the si->size field only in
1349 dl_unwind_find_exidx(), so the meaning of si->size
1350 is not the size of the executable; it is the last
1351 virtual address of the loadable part of the executable;
1352 since si->base == 0 for an executable, we use the
1353 range [0, si->size) to determine whether a PC value
1354 falls within the executable section. Of course, if
1355 a value is below phdr->p_vaddr, it's not in the
1356 executable section, but a) we shouldn't be asking for
1357 such a value anyway, and b) if we have to provide
1358 an EXIDX for such a value, then the executable's
1359 EXIDX is probably the better choice.
1360 */
1361 DEBUG_DUMP_PHDR(phdr, "PT_LOAD", pid);
1362 if (phdr->p_vaddr + phdr->p_memsz > si->size)
1363 si->size = phdr->p_vaddr + phdr->p_memsz;
1364 /* try to remember what range of addresses should be write
1365 * protected */
1366 if (!(phdr->p_flags & PF_W)) {
1367 unsigned _end;
1369 if (phdr->p_vaddr < si->wrprotect_start)
1370 si->wrprotect_start = phdr->p_vaddr;
1371 _end = (((phdr->p_vaddr + phdr->p_memsz + PAGE_SIZE - 1) &
1372 (~PAGE_MASK)));
1373 if (_end > si->wrprotect_end)
1374 si->wrprotect_end = _end;
1375 }
1376 } else if (phdr->p_type == PT_DYNAMIC) {
1377 if (si->dynamic != (unsigned *)-1) {
1378 ERROR("%5d multiple PT_DYNAMIC segments found in '%s'. "
1379 "Segment at 0x%08x, previously one found at 0x%08x\n",
1380 pid, si->name, si->base + phdr->p_vaddr,
1381 (unsigned)si->dynamic);
1382 goto fail;
1383 }
1384 DEBUG_DUMP_PHDR(phdr, "PT_DYNAMIC", pid);
1385 si->dynamic = (unsigned *) (si->base + phdr->p_vaddr);
1386 }
1387 }
1388 }
1390 if (si->dynamic == (unsigned *)-1) {
1391 ERROR("%5d missing PT_DYNAMIC?!\n", pid);
1392 goto fail;
1393 }
1395 DEBUG("%5d dynamic = %p\n", pid, si->dynamic);
1397 /* extract useful information from dynamic section */
1398 for(d = si->dynamic; *d; d++){
1399 DEBUG("%5d d = %p, d[0] = 0x%08x d[1] = 0x%08x\n", pid, d, d[0], d[1]);
1400 switch(*d++){
1401 case DT_HASH:
1402 si->nbucket = ((unsigned *) (si->base + *d))[0];
1403 si->nchain = ((unsigned *) (si->base + *d))[1];
1404 si->bucket = (unsigned *) (si->base + *d + 8);
1405 si->chain = (unsigned *) (si->base + *d + 8 + si->nbucket * 4);
1406 break;
1407 case DT_STRTAB:
1408 si->strtab = (const char *) (si->base + *d);
1409 break;
1410 case DT_SYMTAB:
1411 si->symtab = (Elf32_Sym *) (si->base + *d);
1412 break;
1413 case DT_PLTREL:
1414 if(*d != DT_REL) {
1415 ERROR("DT_RELA not supported\n");
1416 goto fail;
1417 }
1418 break;
1419 case DT_JMPREL:
1420 si->plt_rel = (Elf32_Rel*) (si->base + *d);
1421 break;
1422 case DT_PLTRELSZ:
1423 si->plt_rel_count = *d / 8;
1424 break;
1425 case DT_REL:
1426 si->rel = (Elf32_Rel*) (si->base + *d);
1427 break;
1428 case DT_RELSZ:
1429 si->rel_count = *d / 8;
1430 break;
1431 case DT_PLTGOT:
1432 /* Save this in case we decide to do lazy binding. We don't yet. */
1433 si->plt_got = (unsigned *)(si->base + *d);
1434 break;
1435 case DT_DEBUG:
1436 // Set the DT_DEBUG entry to the addres of _r_debug for GDB
1437 *d = (int) &_r_debug;
1438 break;
1439 case DT_RELA:
1440 ERROR("%5d DT_RELA not supported\n", pid);
1441 goto fail;
1442 case DT_INIT:
1443 si->init_func = (void (*)(void))(si->base + *d);
1444 DEBUG("%5d %s constructors (init func) found at %p\n",
1445 pid, si->name, si->init_func);
1446 break;
1447 case DT_FINI:
1448 si->fini_func = (void (*)(void))(si->base + *d);
1449 DEBUG("%5d %s destructors (fini func) found at %p\n",
1450 pid, si->name, si->fini_func);
1451 break;
1452 case DT_INIT_ARRAY:
1453 si->init_array = (unsigned *)(si->base + *d);
1454 DEBUG("%5d %s constructors (init_array) found at %p\n",
1455 pid, si->name, si->init_array);
1456 break;
1457 case DT_INIT_ARRAYSZ:
1458 si->init_array_count = ((unsigned)*d) / sizeof(Elf32_Addr);
1459 break;
1460 case DT_FINI_ARRAY:
1461 si->fini_array = (unsigned *)(si->base + *d);
1462 DEBUG("%5d %s destructors (fini_array) found at %p\n",
1463 pid, si->name, si->fini_array);
1464 break;
1465 case DT_FINI_ARRAYSZ:
1466 si->fini_array_count = ((unsigned)*d) / sizeof(Elf32_Addr);
1467 break;
1468 case DT_PREINIT_ARRAY:
1469 si->preinit_array = (unsigned *)(si->base + *d);
1470 DEBUG("%5d %s constructors (preinit_array) found at %p\n",
1471 pid, si->name, si->preinit_array);
1472 break;
1473 case DT_PREINIT_ARRAYSZ:
1474 si->preinit_array_count = ((unsigned)*d) / sizeof(Elf32_Addr);
1475 break;
1476 case DT_TEXTREL:
1477 /* TODO: make use of this. */
1478 /* this means that we might have to write into where the text
1479 * segment was loaded during relocation... Do something with
1480 * it.
1481 */
1482 DEBUG("%5d Text segment should be writable during relocation.\n",
1483 pid);
1484 break;
1485 }
1486 }
1488 DEBUG("%5d si->base = 0x%08x, si->strtab = %p, si->symtab = %p\n",
1489 pid, si->base, si->strtab, si->symtab);
1491 if((si->strtab == 0) || (si->symtab == 0)) {
1492 ERROR("%5d missing essential tables\n", pid);
1493 goto fail;
1494 }
1496 for(d = si->dynamic; *d; d += 2) {
1497 if(d[0] == DT_NEEDED){
1498 DEBUG("%5d %s needs %s\n", pid, si->name, si->strtab + d[1]);
1499 soinfo *lsi = find_library(si->strtab + d[1]);
1500 if(lsi == 0) {
1501 ERROR("%5d could not load '%s'\n", pid, si->strtab + d[1]);
1502 goto fail;
1503 }
1504 lsi->refcount++;
1505 }
1506 }
1508 if(si->plt_rel) {
1509 DEBUG("[ %5d relocating %s plt ]\n", pid, si->name );
1510 if(reloc_library(si, si->plt_rel, si->plt_rel_count))
1511 goto fail;
1512 }
1513 if(si->rel) {
1514 DEBUG("[ %5d relocating %s ]\n", pid, si->name );
1515 if(reloc_library(si, si->rel, si->rel_count))
1516 goto fail;
1517 }
1519 si->flags |= FLAG_LINKED;
1520 DEBUG("[ %5d finished linking %s ]\n", pid, si->name);
1522 #if 0
1523 /* This is the way that the old dynamic linker did protection of
1524 * non-writable areas. It would scan section headers and find where
1525 * .text ended (rather where .data/.bss began) and assume that this is
1526 * the upper range of the non-writable area. This is too coarse,
1527 * and is kept here for reference until we fully move away from single
1528 * segment elf objects. See the code in get_wr_offset (also #if'd 0)
1529 * that made this possible.
1530 */
1531 if(wr_offset < 0xffffffff){
1532 mprotect((void*) si->base, wr_offset, PROT_READ | PROT_EXEC);
1533 }
1534 #else
1535 /* TODO: Verify that this does the right thing in all cases, as it
1536 * presently probably does not. It is possible that an ELF image will
1537 * come with multiple read-only segments. What we ought to do is scan
1538 * the program headers again and mprotect all the read-only segments.
1539 * To prevent re-scanning the program header, we would have to build a
1540 * list of loadable segments in si, and then scan that instead. */
1541 if (si->wrprotect_start != 0xffffffff && si->wrprotect_end != 0) {
1542 mprotect((void *)si->wrprotect_start,
1543 si->wrprotect_end - si->wrprotect_start,
1544 PROT_READ | PROT_EXEC);
1545 }
1546 #endif
1548 /* If this is a SETUID programme, dup /dev/null to openned stdin,
1549 stdout and stderr to close a security hole described in:
1551 ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:23.stdio.asc
1553 */
1554 if (getuid() != geteuid())
1555 nullify_closed_stdio ();
1556 call_constructors(si);
1557 notify_gdb_of_load(si);
1558 return 0;
1560 fail:
1561 ERROR("failed to link %s\n", si->name);
1562 si->flags |= FLAG_ERROR;
1563 return -1;
1564 }
1566 int main(int argc, char **argv)
1567 {
1568 return 0;
1569 }
1571 #define ANDROID_TLS_SLOTS BIONIC_TLS_SLOTS
1573 static void * __tls_area[ANDROID_TLS_SLOTS];
1575 unsigned __linker_init(unsigned **elfdata)
1576 {
1577 static soinfo linker_soinfo;
1579 int argc = (int) *elfdata;
1580 char **argv = (char**) (elfdata + 1);
1581 unsigned *vecs = (unsigned*) (argv + argc + 1);
1582 soinfo *si;
1583 struct link_map * map;
1585 pid = getpid();
1587 #if TIMING
1588 struct timeval t0, t1;
1589 gettimeofday(&t0, 0);
1590 #endif
1592 __set_tls(__tls_area);
1593 ((unsigned *)__get_tls())[TLS_SLOT_THREAD_ID] = gettid();
1595 debugger_init();
1597 /* skip past the environment */
1598 while(vecs[0] != 0) {
1599 if(!strncmp((char*) vecs[0], "DEBUG=", 6)) {
1600 debug_verbosity = atoi(((char*) vecs[0]) + 6);
1601 }
1602 vecs++;
1603 }
1604 vecs++;
1606 INFO("[ android linker & debugger ]\n");
1607 DEBUG("%5d elfdata @ 0x%08x\n", pid, (unsigned)elfdata);
1609 si = alloc_info(argv[0]);
1610 if(si == 0) {
1611 exit(-1);
1612 }
1614 /* bootstrap the link map, the main exe always needs to be first */
1615 si->flags |= FLAG_EXE;
1616 map = &(si->linkmap);
1618 map->l_addr = 0;
1619 map->l_name = argv[0];
1620 map->l_prev = NULL;
1621 map->l_next = NULL;
1623 _r_debug.r_map = map;
1624 r_debug_tail = map;
1626 /* gdb expects the linker to be in the debug shared object list,
1627 * and we need to make sure that the reported load address is zero.
1628 * Without this, gdb gets the wrong idea of where rtld_db_dlactivity()
1629 * is. Don't use alloc_info(), because the linker shouldn't
1630 * be on the soinfo list.
1631 */
1632 strcpy((char*) linker_soinfo.name, "/system/bin/linker");
1633 linker_soinfo.flags = 0;
1634 linker_soinfo.base = 0; // This is the important part; must be zero.
1635 insert_soinfo_into_debug_map(&linker_soinfo);
1637 /* extract information passed from the kernel */
1638 while(vecs[0] != 0){
1639 switch(vecs[0]){
1640 case AT_PHDR:
1641 si->phdr = (Elf32_Phdr*) vecs[1];
1642 break;
1643 case AT_PHNUM:
1644 si->phnum = (int) vecs[1];
1645 break;
1646 case AT_ENTRY:
1647 si->entry = vecs[1];
1648 break;
1649 }
1650 vecs += 2;
1651 }
1653 si->base = 0;
1654 si->dynamic = (unsigned *)-1;
1655 si->wrprotect_start = 0xffffffff;
1656 si->wrprotect_end = 0;
1658 if(link_image(si, 0)){
1659 ERROR("CANNOT LINK EXECUTABLE '%s'\n", argv[0]);
1660 exit(-1);
1661 }
1663 #if TIMING
1664 gettimeofday(&t1,NULL);
1665 PRINT("LINKER TIME: %s: %d microseconds\n", argv[0], (int) (
1666 (((long long)t1.tv_sec * 1000000LL) + (long long)t1.tv_usec) -
1667 (((long long)t0.tv_sec * 1000000LL) + (long long)t0.tv_usec)
1668 ));
1669 #endif
1670 #if STATS
1671 PRINT("RELO STATS: %s: %d abs, %d rel, %d copy, %d symbol\n", argv[0],
1672 linker_stats.reloc[RELOC_ABSOLUTE],
1673 linker_stats.reloc[RELOC_RELATIVE],
1674 linker_stats.reloc[RELOC_COPY],
1675 linker_stats.reloc[RELOC_SYMBOL]);
1676 #endif
1677 #if COUNT_PAGES
1678 {
1679 unsigned n;
1680 unsigned i;
1681 unsigned count = 0;
1682 for(n = 0; n < 4096; n++){
1683 if(bitmask[n]){
1684 unsigned x = bitmask[n];
1685 for(i = 0; i < 8; i++){
1686 if(x & 1) count++;
1687 x >>= 1;
1688 }
1689 }
1690 }
1691 PRINT("PAGES MODIFIED: %s: %d (%dKB)\n", argv[0], count, count * 4);
1692 }
1693 #endif
1695 #if TIMING || STATS || COUNT_PAGES
1696 fflush(stdout);
1697 #endif
1699 TRACE("[ %5d Ready to execute '%s' @ 0x%08x ]\n", pid, si->name,
1700 si->entry);
1701 return si->entry;
1702 }