1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Copyright (c) 2012, Joyent, Inc. All rights reserved.
25 */
26
27 /*
28 * amd64 machine dependent and ELF file class dependent functions.
29 * Contains routines for performing function binding and symbol relocations.
30 */
31
32 #include <stdio.h>
33 #include <sys/elf.h>
34 #include <sys/elf_amd64.h>
35 #include <sys/mman.h>
36 #include <dlfcn.h>
37 #include <synch.h>
38 #include <string.h>
39 #include <debug.h>
40 #include <reloc.h>
41 #include <conv.h>
42 #include "_rtld.h"
43 #include "_audit.h"
44 #include "_elf.h"
45 #include "_inline_gen.h"
46 #include "_inline_reloc.h"
47 #include "msg.h"
48
49 extern void elf_rtbndr(Rt_map *, ulong_t, caddr_t);
50
51 int
elf_mach_flags_check(Rej_desc * rej,Ehdr * ehdr)52 elf_mach_flags_check(Rej_desc *rej, Ehdr *ehdr)
53 {
54 /*
55 * Check machine type and flags.
56 */
57 if (ehdr->e_flags != 0) {
58 rej->rej_type = SGS_REJ_BADFLAG;
59 rej->rej_info = (uint_t)ehdr->e_flags;
60 return (0);
61 }
62 return (1);
63 }
64
65 void
ldso_plt_init(Rt_map * lmp)66 ldso_plt_init(Rt_map *lmp)
67 {
68 /*
69 * There is no need to analyze ld.so because we don't map in any of
70 * its dependencies. However we may map these dependencies in later
71 * (as if ld.so had dlopened them), so initialize the plt and the
72 * permission information.
73 */
74 if (PLTGOT(lmp))
75 elf_plt_init((PLTGOT(lmp)), (caddr_t)lmp);
76 }
77
78 static const uchar_t dyn_plt_template[] = {
79 /* 0x00 */ 0x55, /* pushq %rbp */
80 /* 0x01 */ 0x48, 0x89, 0xe5, /* movq %rsp, %rbp */
81 /* 0x04 */ 0x48, 0x83, 0xec, 0x10, /* subq $0x10, %rsp */
82 /* 0x08 */ 0x4c, 0x8d, 0x1d, 0x00, /* leaq trace_fields(%rip), %r11 */
83 0x00, 0x00, 0x00,
84 /* 0x0f */ 0x4c, 0x89, 0x5d, 0xf8, /* movq %r11, -0x8(%rbp) */
85 /* 0x13 */ 0x49, 0xbb, 0x00, 0x00, /* movq $elf_plt_trace, %r11 */
86 0x00, 0x00, 0x00,
87 0x00, 0x00, 0x00,
88 /* 0x1d */ 0x41, 0xff, 0xe3 /* jmp *%r11 */
89 /* 0x20 */
90 };
91
92 /*
93 * And the virutal outstanding relocations against the
94 * above block are:
95 *
96 * reloc offset Addend symbol
97 * R_AMD64_PC32 0x0b -4 trace_fields
98 * R_AMD64_64 0x15 0 elf_plt_trace
99 */
100
101 #define TRCREL1OFF 0x0b
102 #define TRCREL2OFF 0x15
103
104 int dyn_plt_ent_size = sizeof (dyn_plt_template);
105
106 /*
107 * the dynamic plt entry is:
108 *
109 * pushq %rbp
110 * movq %rsp, %rbp
111 * subq $0x10, %rsp
112 * leaq trace_fields(%rip), %r11
113 * movq %r11, -0x8(%rbp)
114 * movq $elf_plt_trace, %r11
115 * jmp *%r11
116 * dyn_data:
117 * .align 8
118 * uintptr_t reflmp
119 * uintptr_t deflmp
120 * uint_t symndx
121 * uint_t sb_flags
122 * Sym symdef
123 */
124 static caddr_t
elf_plt_trace_write(ulong_t roffset,Rt_map * rlmp,Rt_map * dlmp,Sym * sym,uint_t symndx,uint_t pltndx,caddr_t to,uint_t sb_flags,int * fail)125 elf_plt_trace_write(ulong_t roffset, Rt_map *rlmp, Rt_map *dlmp, Sym *sym,
126 uint_t symndx, uint_t pltndx, caddr_t to, uint_t sb_flags, int *fail)
127 {
128 extern int elf_plt_trace();
129 ulong_t got_entry;
130 uchar_t *dyn_plt;
131 uintptr_t *dyndata;
132
133 /*
134 * We only need to add the glue code if there is an auditing
135 * library that is interested in this binding.
136 */
137 dyn_plt = (uchar_t *)((uintptr_t)AUDINFO(rlmp)->ai_dynplts +
138 (pltndx * dyn_plt_ent_size));
139
140 /*
141 * Have we initialized this dynamic plt entry yet? If we haven't do it
142 * now. Otherwise this function has been called before, but from a
143 * different plt (ie. from another shared object). In that case
144 * we just set the plt to point to the new dyn_plt.
145 */
146 if (*dyn_plt == 0) {
147 Sym *symp;
148 Xword symvalue;
149 Lm_list *lml = LIST(rlmp);
150
151 (void) memcpy((void *)dyn_plt, dyn_plt_template,
152 sizeof (dyn_plt_template));
153 dyndata = (uintptr_t *)((uintptr_t)dyn_plt +
154 ROUND(sizeof (dyn_plt_template), M_WORD_ALIGN));
155
156 /*
157 * relocate:
158 * leaq trace_fields(%rip), %r11
159 * R_AMD64_PC32 0x0b -4 trace_fields
160 */
161 symvalue = (Xword)((uintptr_t)dyndata -
162 (uintptr_t)(&dyn_plt[TRCREL1OFF]) - 4);
163 if (do_reloc_rtld(R_AMD64_PC32, &dyn_plt[TRCREL1OFF],
164 &symvalue, MSG_ORIG(MSG_SYM_LADYNDATA),
165 MSG_ORIG(MSG_SPECFIL_DYNPLT), lml) == 0) {
166 *fail = 1;
167 return (0);
168 }
169
170 /*
171 * relocating:
172 * movq $elf_plt_trace, %r11
173 * R_AMD64_64 0x15 0 elf_plt_trace
174 */
175 symvalue = (Xword)elf_plt_trace;
176 if (do_reloc_rtld(R_AMD64_64, &dyn_plt[TRCREL2OFF],
177 &symvalue, MSG_ORIG(MSG_SYM_ELFPLTTRACE),
178 MSG_ORIG(MSG_SPECFIL_DYNPLT), lml) == 0) {
179 *fail = 1;
180 return (0);
181 }
182
183 *dyndata++ = (uintptr_t)rlmp;
184 *dyndata++ = (uintptr_t)dlmp;
185 *dyndata = (uintptr_t)(((uint64_t)sb_flags << 32) | symndx);
186 dyndata++;
187 symp = (Sym *)dyndata;
188 *symp = *sym;
189 symp->st_value = (Addr)to;
190 }
191
192 got_entry = (ulong_t)roffset;
193 *(ulong_t *)got_entry = (ulong_t)dyn_plt;
194 return ((caddr_t)dyn_plt);
195 }
196
197 /*
198 * Function binding routine - invoked on the first call to a function through
199 * the procedure linkage table;
200 * passes first through an assembly language interface.
201 *
202 * Takes the offset into the relocation table of the associated
203 * relocation entry and the address of the link map (rt_private_map struct)
204 * for the entry.
205 *
206 * Returns the address of the function referenced after re-writing the PLT
207 * entry to invoke the function directly.
208 *
209 * On error, causes process to terminate with a signal.
210 */
211 ulong_t
elf_bndr(Rt_map * lmp,ulong_t pltndx,caddr_t from)212 elf_bndr(Rt_map *lmp, ulong_t pltndx, caddr_t from)
213 {
214 Rt_map *nlmp, *llmp;
215 ulong_t addr, reloff, symval, rsymndx;
216 char *name;
217 Rela *rptr;
218 Sym *rsym, *nsym;
219 uint_t binfo, sb_flags = 0, dbg_class;
220 Slookup sl;
221 Sresult sr;
222 int entry, lmflags;
223 Lm_list *lml;
224
225 /*
226 * For compatibility with libthread (TI_VERSION 1) we track the entry
227 * value. A zero value indicates we have recursed into ld.so.1 to
228 * further process a locking request. Under this recursion we disable
229 * tsort and cleanup activities.
230 */
231 entry = enter(0);
232
233 lml = LIST(lmp);
234 if ((lmflags = lml->lm_flags) & LML_FLG_RTLDLM) {
235 dbg_class = dbg_desc->d_class;
236 dbg_desc->d_class = 0;
237 }
238
239 /*
240 * Perform some basic sanity checks. If we didn't get a load map or
241 * the relocation offset is invalid then its possible someone has walked
242 * over the .got entries or jumped to plt0 out of the blue.
243 */
244 if ((!lmp) && (pltndx <=
245 (ulong_t)PLTRELSZ(lmp) / (ulong_t)RELENT(lmp))) {
246 Conv_inv_buf_t inv_buf;
247
248 eprintf(lml, ERR_FATAL, MSG_INTL(MSG_REL_PLTREF),
249 conv_reloc_amd64_type(R_AMD64_JUMP_SLOT, 0, &inv_buf),
250 EC_NATPTR(lmp), EC_XWORD(pltndx), EC_NATPTR(from));
251 rtldexit(lml, 1);
252 }
253 reloff = pltndx * (ulong_t)RELENT(lmp);
254
255 /*
256 * Use relocation entry to get symbol table entry and symbol name.
257 */
258 addr = (ulong_t)JMPREL(lmp);
259 rptr = (Rela *)(addr + reloff);
260 rsymndx = ELF_R_SYM(rptr->r_info);
261 rsym = (Sym *)((ulong_t)SYMTAB(lmp) + (rsymndx * SYMENT(lmp)));
262 name = (char *)(STRTAB(lmp) + rsym->st_name);
263
264 /*
265 * Determine the last link-map of this list, this'll be the starting
266 * point for any tsort() processing.
267 */
268 llmp = lml->lm_tail;
269
270 /*
271 * Find definition for symbol. Initialize the symbol lookup, and
272 * symbol result, data structures.
273 */
274 SLOOKUP_INIT(sl, name, lmp, lml->lm_head, ld_entry_cnt, 0,
275 rsymndx, rsym, 0, LKUP_DEFT);
276 SRESULT_INIT(sr, name);
277
278 if (lookup_sym(&sl, &sr, &binfo, NULL) == 0) {
279 eprintf(lml, ERR_FATAL, MSG_INTL(MSG_REL_NOSYM), NAME(lmp),
280 demangle(name));
281 rtldexit(lml, 1);
282 }
283
284 name = (char *)sr.sr_name;
285 nlmp = sr.sr_dmap;
286 nsym = sr.sr_sym;
287
288 symval = nsym->st_value;
289
290 if (!(FLAGS(nlmp) & FLG_RT_FIXED) &&
291 (nsym->st_shndx != SHN_ABS))
292 symval += ADDR(nlmp);
293 if ((lmp != nlmp) && ((FLAGS1(nlmp) & FL1_RT_NOINIFIN) == 0)) {
294 /*
295 * Record that this new link map is now bound to the caller.
296 */
297 if (bind_one(lmp, nlmp, BND_REFER) == 0)
298 rtldexit(lml, 1);
299 }
300
301 if ((lml->lm_tflags | AFLAGS(lmp) | AFLAGS(nlmp)) &
302 LML_TFLG_AUD_SYMBIND) {
303 uint_t symndx = (((uintptr_t)nsym -
304 (uintptr_t)SYMTAB(nlmp)) / SYMENT(nlmp));
305 symval = audit_symbind(lmp, nlmp, nsym, symndx, symval,
306 &sb_flags);
307 }
308
309 if (!(rtld_flags & RT_FL_NOBIND)) {
310 addr = rptr->r_offset;
311 if (!(FLAGS(lmp) & FLG_RT_FIXED))
312 addr += ADDR(lmp);
313 if (((lml->lm_tflags | AFLAGS(lmp)) &
314 (LML_TFLG_AUD_PLTENTER | LML_TFLG_AUD_PLTEXIT)) &&
315 AUDINFO(lmp)->ai_dynplts) {
316 int fail = 0;
317 uint_t pltndx = reloff / sizeof (Rela);
318 uint_t symndx = (((uintptr_t)nsym -
319 (uintptr_t)SYMTAB(nlmp)) / SYMENT(nlmp));
320
321 symval = (ulong_t)elf_plt_trace_write(addr, lmp, nlmp,
322 nsym, symndx, pltndx, (caddr_t)symval, sb_flags,
323 &fail);
324 if (fail)
325 rtldexit(lml, 1);
326 } else {
327 /*
328 * Write standard PLT entry to jump directly
329 * to newly bound function.
330 */
331 *(ulong_t *)addr = symval;
332 }
333 }
334
335 /*
336 * Print binding information and rebuild PLT entry.
337 */
338 DBG_CALL(Dbg_bind_global(lmp, (Addr)from, (Off)(from - ADDR(lmp)),
339 (Xword)(reloff / sizeof (Rela)), PLT_T_FULL, nlmp, (Addr)symval,
340 nsym->st_value, name, binfo));
341
342 /*
343 * Complete any processing for newly loaded objects. Note we don't
344 * know exactly where any new objects are loaded (we know the object
345 * that supplied the symbol, but others may have been loaded lazily as
346 * we searched for the symbol), so sorting starts from the last
347 * link-map know on entry to this routine.
348 */
349 if (entry)
350 load_completion(llmp);
351
352 /*
353 * Some operations like dldump() or dlopen()'ing a relocatable object
354 * result in objects being loaded on rtld's link-map, make sure these
355 * objects are initialized also.
356 */
357 if ((LIST(nlmp)->lm_flags & LML_FLG_RTLDLM) && LIST(nlmp)->lm_init)
358 load_completion(nlmp);
359
360 /*
361 * Make sure the object to which we've bound has had it's .init fired.
362 * Cleanup before return to user code.
363 */
364 if (entry) {
365 is_dep_init(nlmp, lmp);
366 leave(lml, 0);
367 }
368
369 if (lmflags & LML_FLG_RTLDLM)
370 dbg_desc->d_class = dbg_class;
371
372 return (symval);
373 }
374
375 /*
376 * Read and process the relocations for one link object, we assume all
377 * relocation sections for loadable segments are stored contiguously in
378 * the file.
379 */
380 int
elf_reloc(Rt_map * lmp,uint_t plt,int * in_nfavl,APlist ** textrel)381 elf_reloc(Rt_map *lmp, uint_t plt, int *in_nfavl, APlist **textrel)
382 {
383 ulong_t relbgn, relend, relsiz, basebgn;
384 ulong_t pltbgn, pltend, _pltbgn, _pltend;
385 ulong_t roffset, rsymndx, psymndx = 0;
386 ulong_t dsymndx;
387 uchar_t rtype;
388 long reladd, value, pvalue;
389 Sym *symref, *psymref, *symdef, *psymdef;
390 Syminfo *sip;
391 char *name, *pname;
392 Rt_map *_lmp, *plmp;
393 int ret = 1, noplt = 0;
394 int relacount = RELACOUNT(lmp), plthint = 0;
395 Rela *rel;
396 uint_t binfo, pbinfo;
397 APlist *bound = NULL;
398
399 /*
400 * Although only necessary for lazy binding, initialize the first
401 * global offset entry to go to elf_rtbndr(). dbx(1) seems
402 * to find this useful.
403 */
404 if ((plt == 0) && PLTGOT(lmp)) {
405 mmapobj_result_t *mpp;
406
407 /*
408 * Make sure the segment is writable.
409 */
410 if ((((mpp =
411 find_segment((caddr_t)PLTGOT(lmp), lmp)) != NULL) &&
412 ((mpp->mr_prot & PROT_WRITE) == 0)) &&
413 ((set_prot(lmp, mpp, 1) == 0) ||
414 (aplist_append(textrel, mpp, AL_CNT_TEXTREL) == NULL)))
415 return (0);
416
417 elf_plt_init(PLTGOT(lmp), (caddr_t)lmp);
418 }
419
420 /*
421 * Initialize the plt start and end addresses.
422 */
423 if ((pltbgn = (ulong_t)JMPREL(lmp)) != 0)
424 pltend = pltbgn + (ulong_t)(PLTRELSZ(lmp));
425
426 relsiz = (ulong_t)(RELENT(lmp));
427 basebgn = ADDR(lmp);
428
429 if (PLTRELSZ(lmp))
430 plthint = PLTRELSZ(lmp) / relsiz;
431
432 /*
433 * If we've been called upon to promote an RTLD_LAZY object to an
434 * RTLD_NOW then we're only interested in scaning the .plt table.
435 * An uninitialized .plt is the case where the associated got entry
436 * points back to the plt itself. Determine the range of the real .plt
437 * entries using the _PROCEDURE_LINKAGE_TABLE_ symbol.
438 */
439 if (plt) {
440 Slookup sl;
441 Sresult sr;
442
443 relbgn = pltbgn;
444 relend = pltend;
445 if (!relbgn || (relbgn == relend))
446 return (1);
447
448 /*
449 * Initialize the symbol lookup, and symbol result, data
450 * structures.
451 */
452 SLOOKUP_INIT(sl, MSG_ORIG(MSG_SYM_PLT), lmp, lmp, ld_entry_cnt,
453 elf_hash(MSG_ORIG(MSG_SYM_PLT)), 0, 0, 0, LKUP_DEFT);
454 SRESULT_INIT(sr, MSG_ORIG(MSG_SYM_PLT));
455
456 if (elf_find_sym(&sl, &sr, &binfo, NULL) == 0)
457 return (1);
458
459 symdef = sr.sr_sym;
460 _pltbgn = symdef->st_value;
461 if (!(FLAGS(lmp) & FLG_RT_FIXED) &&
462 (symdef->st_shndx != SHN_ABS))
463 _pltbgn += basebgn;
464 _pltend = _pltbgn + (((PLTRELSZ(lmp) / relsiz)) *
465 M_PLT_ENTSIZE) + M_PLT_RESERVSZ;
466
467 } else {
468 /*
469 * The relocation sections appear to the run-time linker as a
470 * single table. Determine the address of the beginning and end
471 * of this table. There are two different interpretations of
472 * the ABI at this point:
473 *
474 * o The REL table and its associated RELSZ indicate the
475 * concatenation of *all* relocation sections (this is the
476 * model our link-editor constructs).
477 *
478 * o The REL table and its associated RELSZ indicate the
479 * concatenation of all *but* the .plt relocations. These
480 * relocations are specified individually by the JMPREL and
481 * PLTRELSZ entries.
482 *
483 * Determine from our knowledege of the relocation range and
484 * .plt range, the range of the total relocation table. Note
485 * that one other ABI assumption seems to be that the .plt
486 * relocations always follow any other relocations, the
487 * following range checking drops that assumption.
488 */
489 relbgn = (ulong_t)(REL(lmp));
490 relend = relbgn + (ulong_t)(RELSZ(lmp));
491 if (pltbgn) {
492 if (!relbgn || (relbgn > pltbgn))
493 relbgn = pltbgn;
494 if (!relbgn || (relend < pltend))
495 relend = pltend;
496 }
497 }
498 if (!relbgn || (relbgn == relend)) {
499 DBG_CALL(Dbg_reloc_run(lmp, 0, plt, DBG_REL_NONE));
500 return (1);
501 }
502 DBG_CALL(Dbg_reloc_run(lmp, M_REL_SHT_TYPE, plt, DBG_REL_START));
503
504 /*
505 * If we're processing a dynamic executable in lazy mode there is no
506 * need to scan the .rel.plt table, however if we're processing a shared
507 * object in lazy mode the .got addresses associated to each .plt must
508 * be relocated to reflect the location of the shared object.
509 */
510 if (pltbgn && ((MODE(lmp) & RTLD_NOW) == 0) &&
511 (FLAGS(lmp) & FLG_RT_FIXED))
512 noplt = 1;
513
514 sip = SYMINFO(lmp);
515 /*
516 * Loop through relocations.
517 */
518 while (relbgn < relend) {
519 mmapobj_result_t *mpp;
520 uint_t sb_flags = 0;
521
522 rtype = ELF_R_TYPE(((Rela *)relbgn)->r_info, M_MACH);
523
524 /*
525 * If this is a RELATIVE relocation in a shared object (the
526 * common case), and if we are not debugging, then jump into a
527 * tighter relocation loop (elf_reloc_relative).
528 */
529 if ((rtype == R_AMD64_RELATIVE) &&
530 ((FLAGS(lmp) & FLG_RT_FIXED) == 0) && (DBG_ENABLED == 0)) {
531 if (relacount) {
532 relbgn = elf_reloc_relative_count(relbgn,
533 relacount, relsiz, basebgn, lmp,
534 textrel, 0);
535 relacount = 0;
536 } else {
537 relbgn = elf_reloc_relative(relbgn, relend,
538 relsiz, basebgn, lmp, textrel, 0);
539 }
540 if (relbgn >= relend)
541 break;
542 rtype = ELF_R_TYPE(((Rela *)relbgn)->r_info, M_MACH);
543 }
544
545 roffset = ((Rela *)relbgn)->r_offset;
546
547 /*
548 * If this is a shared object, add the base address to offset.
549 */
550 if (!(FLAGS(lmp) & FLG_RT_FIXED)) {
551 /*
552 * If we're processing lazy bindings, we have to step
553 * through the plt entries and add the base address
554 * to the corresponding got entry.
555 */
556 if (plthint && (plt == 0) &&
557 (rtype == R_AMD64_JUMP_SLOT) &&
558 ((MODE(lmp) & RTLD_NOW) == 0)) {
559 relbgn = elf_reloc_relative_count(relbgn,
560 plthint, relsiz, basebgn, lmp, textrel, 1);
561 plthint = 0;
562 continue;
563 }
564 roffset += basebgn;
565 }
566
567 reladd = (long)(((Rela *)relbgn)->r_addend);
568 rsymndx = ELF_R_SYM(((Rela *)relbgn)->r_info);
569 rel = (Rela *)relbgn;
570 relbgn += relsiz;
571
572 /*
573 * Optimizations.
574 */
575 if (rtype == R_AMD64_NONE)
576 continue;
577 if (noplt && ((ulong_t)rel >= pltbgn) &&
578 ((ulong_t)rel < pltend)) {
579 relbgn = pltend;
580 continue;
581 }
582
583 /*
584 * If we're promoting plts, determine if this one has already
585 * been written.
586 */
587 if (plt && ((*(ulong_t *)roffset < _pltbgn) ||
588 (*(ulong_t *)roffset > _pltend)))
589 continue;
590
591 /*
592 * If this relocation is not against part of the image
593 * mapped into memory we skip it.
594 */
595 if ((mpp = find_segment((caddr_t)roffset, lmp)) == NULL) {
596 elf_reloc_bad(lmp, (void *)rel, rtype, roffset,
597 rsymndx);
598 continue;
599 }
600
601 binfo = 0;
602 /*
603 * If a symbol index is specified then get the symbol table
604 * entry, locate the symbol definition, and determine its
605 * address.
606 */
607 if (rsymndx) {
608 /*
609 * If a Syminfo section is provided, determine if this
610 * symbol is deferred, and if so, skip this relocation.
611 */
612 if (sip && is_sym_deferred((ulong_t)rel, basebgn, lmp,
613 textrel, sip, rsymndx))
614 continue;
615
616 /*
617 * Get the local symbol table entry.
618 */
619 symref = (Sym *)((ulong_t)SYMTAB(lmp) +
620 (rsymndx * SYMENT(lmp)));
621
622 /*
623 * If this is a local symbol, just use the base address.
624 * (we should have no local relocations in the
625 * executable).
626 */
627 if (ELF_ST_BIND(symref->st_info) == STB_LOCAL) {
628 value = basebgn;
629 name = NULL;
630
631 /*
632 * Special case TLS relocations.
633 */
634 if (rtype == R_AMD64_DTPMOD64) {
635 /*
636 * Use the TLS modid.
637 */
638 value = TLSMODID(lmp);
639
640 } else if ((rtype == R_AMD64_TPOFF64) ||
641 (rtype == R_AMD64_TPOFF32)) {
642 if ((value = elf_static_tls(lmp, symref,
643 rel, rtype, 0, roffset, 0)) == 0) {
644 ret = 0;
645 break;
646 }
647 }
648 } else {
649 /*
650 * If the symbol index is equal to the previous
651 * symbol index relocation we processed then
652 * reuse the previous values. (Note that there
653 * have been cases where a relocation exists
654 * against a copy relocation symbol, our ld(1)
655 * should optimize this away, but make sure we
656 * don't use the same symbol information should
657 * this case exist).
658 */
659 if ((rsymndx == psymndx) &&
660 (rtype != R_AMD64_COPY)) {
661 /* LINTED */
662 if (psymdef == 0) {
663 DBG_CALL(Dbg_bind_weak(lmp,
664 (Addr)roffset, (Addr)
665 (roffset - basebgn), name));
666 continue;
667 }
668 /* LINTED */
669 value = pvalue;
670 /* LINTED */
671 name = pname;
672 /* LINTED */
673 symdef = psymdef;
674 /* LINTED */
675 symref = psymref;
676 /* LINTED */
677 _lmp = plmp;
678 /* LINTED */
679 binfo = pbinfo;
680
681 if ((LIST(_lmp)->lm_tflags |
682 AFLAGS(_lmp)) &
683 LML_TFLG_AUD_SYMBIND) {
684 value = audit_symbind(lmp, _lmp,
685 /* LINTED */
686 symdef, dsymndx, value,
687 &sb_flags);
688 }
689 } else {
690 Slookup sl;
691 Sresult sr;
692
693 /*
694 * Lookup the symbol definition.
695 * Initialize the symbol lookup, and
696 * symbol result, data structure.
697 */
698 name = (char *)(STRTAB(lmp) +
699 symref->st_name);
700
701 SLOOKUP_INIT(sl, name, lmp, 0,
702 ld_entry_cnt, 0, rsymndx, symref,
703 rtype, LKUP_STDRELOC);
704 SRESULT_INIT(sr, name);
705 symdef = NULL;
706
707 if (lookup_sym(&sl, &sr, &binfo,
708 in_nfavl)) {
709 name = (char *)sr.sr_name;
710 _lmp = sr.sr_dmap;
711 symdef = sr.sr_sym;
712 }
713
714 /*
715 * If the symbol is not found and the
716 * reference was not to a weak symbol,
717 * report an error. Weak references
718 * may be unresolved.
719 */
720 /* BEGIN CSTYLED */
721 if (symdef == 0) {
722 if (sl.sl_bind != STB_WEAK) {
723 if (elf_reloc_error(lmp, name,
724 rel, binfo))
725 continue;
726
727 ret = 0;
728 break;
729
730 } else {
731 psymndx = rsymndx;
732 psymdef = 0;
733
734 DBG_CALL(Dbg_bind_weak(lmp,
735 (Addr)roffset, (Addr)
736 (roffset - basebgn), name));
737 continue;
738 }
739 }
740 /* END CSTYLED */
741
742 /*
743 * If symbol was found in an object
744 * other than the referencing object
745 * then record the binding.
746 */
747 if ((lmp != _lmp) && ((FLAGS1(_lmp) &
748 FL1_RT_NOINIFIN) == 0)) {
749 if (aplist_test(&bound, _lmp,
750 AL_CNT_RELBIND) == 0) {
751 ret = 0;
752 break;
753 }
754 }
755
756 /*
757 * Calculate the location of definition;
758 * symbol value plus base address of
759 * containing shared object.
760 */
761 if (IS_SIZE(rtype))
762 value = symdef->st_size;
763 else
764 value = symdef->st_value;
765
766 if (!(FLAGS(_lmp) & FLG_RT_FIXED) &&
767 !(IS_SIZE(rtype)) &&
768 (symdef->st_shndx != SHN_ABS) &&
769 (ELF_ST_TYPE(symdef->st_info) !=
770 STT_TLS))
771 value += ADDR(_lmp);
772
773 /*
774 * Retain this symbol index and the
775 * value in case it can be used for the
776 * subsequent relocations.
777 */
778 if (rtype != R_AMD64_COPY) {
779 psymndx = rsymndx;
780 pvalue = value;
781 pname = name;
782 psymdef = symdef;
783 psymref = symref;
784 plmp = _lmp;
785 pbinfo = binfo;
786 }
787 if ((LIST(_lmp)->lm_tflags |
788 AFLAGS(_lmp)) &
789 LML_TFLG_AUD_SYMBIND) {
790 dsymndx = (((uintptr_t)symdef -
791 (uintptr_t)SYMTAB(_lmp)) /
792 SYMENT(_lmp));
793 value = audit_symbind(lmp, _lmp,
794 symdef, dsymndx, value,
795 &sb_flags);
796 }
797 }
798
799 /*
800 * If relocation is PC-relative, subtract
801 * offset address.
802 */
803 if (IS_PC_RELATIVE(rtype))
804 value -= roffset;
805
806 /*
807 * Special case TLS relocations.
808 */
809 if (rtype == R_AMD64_DTPMOD64) {
810 /*
811 * Relocation value is the TLS modid.
812 */
813 value = TLSMODID(_lmp);
814
815 } else if ((rtype == R_AMD64_TPOFF64) ||
816 (rtype == R_AMD64_TPOFF32)) {
817 if ((value = elf_static_tls(_lmp,
818 symdef, rel, rtype, name, roffset,
819 value)) == 0) {
820 ret = 0;
821 break;
822 }
823 }
824 }
825 } else {
826 /*
827 * Special cases.
828 */
829 if (rtype == R_AMD64_DTPMOD64) {
830 /*
831 * TLS relocation value is the TLS modid.
832 */
833 value = TLSMODID(lmp);
834 } else
835 value = basebgn;
836
837 name = NULL;
838 }
839
840 DBG_CALL(Dbg_reloc_in(LIST(lmp), ELF_DBG_RTLD, M_MACH,
841 M_REL_SHT_TYPE, rel, NULL, 0, name));
842
843 /*
844 * Make sure the segment is writable.
845 */
846 if (((mpp->mr_prot & PROT_WRITE) == 0) &&
847 ((set_prot(lmp, mpp, 1) == 0) ||
848 (aplist_append(textrel, mpp, AL_CNT_TEXTREL) == NULL))) {
849 ret = 0;
850 break;
851 }
852
853 /*
854 * Call relocation routine to perform required relocation.
855 */
856 switch (rtype) {
857 case R_AMD64_COPY:
858 if (elf_copy_reloc(name, symref, lmp, (void *)roffset,
859 symdef, _lmp, (const void *)value) == 0)
860 ret = 0;
861 break;
862 case R_AMD64_JUMP_SLOT:
863 if (((LIST(lmp)->lm_tflags | AFLAGS(lmp)) &
864 (LML_TFLG_AUD_PLTENTER | LML_TFLG_AUD_PLTEXIT)) &&
865 AUDINFO(lmp)->ai_dynplts) {
866 int fail = 0;
867 int pltndx = (((ulong_t)rel -
868 (uintptr_t)JMPREL(lmp)) / relsiz);
869 int symndx = (((uintptr_t)symdef -
870 (uintptr_t)SYMTAB(_lmp)) / SYMENT(_lmp));
871
872 (void) elf_plt_trace_write(roffset, lmp, _lmp,
873 symdef, symndx, pltndx, (caddr_t)value,
874 sb_flags, &fail);
875 if (fail)
876 ret = 0;
877 } else {
878 /*
879 * Write standard PLT entry to jump directly
880 * to newly bound function.
881 */
882 DBG_CALL(Dbg_reloc_apply_val(LIST(lmp),
883 ELF_DBG_RTLD, (Xword)roffset,
884 (Xword)value));
885 *(ulong_t *)roffset = value;
886 }
887 break;
888 default:
889 value += reladd;
890 /*
891 * Write the relocation out.
892 */
893 if (do_reloc_rtld(rtype, (uchar_t *)roffset,
894 (Xword *)&value, name, NAME(lmp), LIST(lmp)) == 0)
895 ret = 0;
896
897 DBG_CALL(Dbg_reloc_apply_val(LIST(lmp), ELF_DBG_RTLD,
898 (Xword)roffset, (Xword)value));
899 }
900
901 if ((ret == 0) &&
902 ((LIST(lmp)->lm_flags & LML_FLG_TRC_WARN) == 0))
903 break;
904
905 if (binfo) {
906 DBG_CALL(Dbg_bind_global(lmp, (Addr)roffset,
907 (Off)(roffset - basebgn), (Xword)(-1), PLT_T_FULL,
908 _lmp, (Addr)value, symdef->st_value, name, binfo));
909 }
910 }
911
912 return (relocate_finish(lmp, bound, ret));
913 }
914
915 /*
916 * Initialize the first few got entries so that function calls go to
917 * elf_rtbndr:
918 *
919 * GOT[GOT_XLINKMAP] = the address of the link map
920 * GOT[GOT_XRTLD] = the address of rtbinder
921 */
922 void
elf_plt_init(void * got,caddr_t l)923 elf_plt_init(void *got, caddr_t l)
924 {
925 uint64_t *_got;
926 /* LINTED */
927 Rt_map *lmp = (Rt_map *)l;
928
929 _got = (uint64_t *)got + M_GOT_XLINKMAP;
930 *_got = (uint64_t)lmp;
931 _got = (uint64_t *)got + M_GOT_XRTLD;
932 *_got = (uint64_t)elf_rtbndr;
933 }
934
935 /*
936 * Plt writing interface to allow debugging initialization to be generic.
937 */
938 Pltbindtype
939 /* ARGSUSED1 */
elf_plt_write(uintptr_t addr,uintptr_t vaddr,void * rptr,uintptr_t symval,Xword pltndx)940 elf_plt_write(uintptr_t addr, uintptr_t vaddr, void *rptr, uintptr_t symval,
941 Xword pltndx)
942 {
943 Rela *rel = (Rela*)rptr;
944 uintptr_t pltaddr;
945
946 pltaddr = addr + rel->r_offset;
947 *(ulong_t *)pltaddr = (ulong_t)symval + rel->r_addend;
948 DBG_CALL(pltcntfull++);
949 return (PLT_T_FULL);
950 }
951
952 /*
953 * Provide a machine specific interface to the conversion routine. By calling
954 * the machine specific version, rather than the generic version, we insure that
955 * the data tables/strings for all known machine versions aren't dragged into
956 * ld.so.1.
957 */
958 const char *
_conv_reloc_type(uint_t rel)959 _conv_reloc_type(uint_t rel)
960 {
961 static Conv_inv_buf_t inv_buf;
962
963 return (conv_reloc_amd64_type(rel, 0, &inv_buf));
964 }
965