xref: /titanic_44/usr/src/cmd/sgs/rtld/common/elf.c (revision c623edd31cf7c582de6a3f26cc42c651d6002f73)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 /*
28  *	Copyright (c) 1988 AT&T
29  *	  All Rights Reserved
30  */
31 
32 /*
33  * Object file dependent support for ELF objects.
34  */
35 
36 #include	<stdio.h>
37 #include	<sys/procfs.h>
38 #include	<sys/mman.h>
39 #include	<sys/debug.h>
40 #include	<string.h>
41 #include	<limits.h>
42 #include	<dlfcn.h>
43 #include	<debug.h>
44 #include	<conv.h>
45 #include	"_rtld.h"
46 #include	"_audit.h"
47 #include	"_elf.h"
48 #include	"msg.h"
49 
50 /*
51  * Default and secure dependency search paths.
52  */
53 static Pnode		elf_dflt_dirs[] = {
54 #if	defined(_ELF64)
55 #ifndef	SGS_PRE_UNIFIED_PROCESS
56 	{ MSG_ORIG(MSG_PTH_LIB_64),		0,	MSG_PTH_LIB_64_SIZE,
57 		LA_SER_DEFAULT,			0,	&elf_dflt_dirs[1] },
58 #endif
59 	{ MSG_ORIG(MSG_PTH_USRLIB_64),		0,	MSG_PTH_USRLIB_64_SIZE,
60 		LA_SER_DEFAULT,			0, 0 }
61 #else
62 #ifndef	SGS_PRE_UNIFIED_PROCESS
63 	{ MSG_ORIG(MSG_PTH_LIB),		0,	MSG_PTH_LIB_SIZE,
64 		LA_SER_DEFAULT,			0,	&elf_dflt_dirs[1] },
65 #endif
66 	{ MSG_ORIG(MSG_PTH_USRLIB),		0,	MSG_PTH_USRLIB_SIZE,
67 		LA_SER_DEFAULT,			0, 0 }
68 #endif
69 };
70 
71 static Pnode		elf_secure_dirs[] = {
72 #if	defined(_ELF64)
73 #ifndef	SGS_PRE_UNIFIED_PROCESS
74 	{ MSG_ORIG(MSG_PTH_LIBSE_64),		0,	MSG_PTH_LIBSE_64_SIZE,
75 		LA_SER_SECURE,			0,	&elf_secure_dirs[1] },
76 #endif
77 	{ MSG_ORIG(MSG_PTH_USRLIBSE_64),	0,
78 		MSG_PTH_USRLIBSE_64_SIZE,
79 		LA_SER_SECURE,			0, 0 }
80 #else
81 #ifndef	SGS_PRE_UNIFIED_PROCESS
82 	{ MSG_ORIG(MSG_PTH_LIBSE),		0,	MSG_PTH_LIBSE_SIZE,
83 		LA_SER_SECURE,			0,	&elf_secure_dirs[1] },
84 #endif
85 	{ MSG_ORIG(MSG_PTH_USRLIBSE),		0,	MSG_PTH_USRLIBSE_SIZE,
86 		LA_SER_SECURE,			0, 0 }
87 #endif
88 };
89 
90 /*
91  * Defines for local functions.
92  */
93 static Pnode	*elf_fix_name(const char *, Rt_map *, uint_t);
94 static int	elf_are_u(Rej_desc *);
95 static void	elf_dladdr(ulong_t, Rt_map *, Dl_info *, void **, int);
96 static ulong_t	elf_entry_pt(void);
97 static char	*elf_get_so(const char *, const char *);
98 static Rt_map	*elf_map_so(Lm_list *, Aliste, const char *, const char *,
99 		    int, int *);
100 static int	elf_needed(Lm_list *, Aliste, Rt_map *, int *);
101 static void	elf_unmap_so(Rt_map *);
102 static int	elf_verify_vers(const char *, Rt_map *, Rt_map *);
103 
104 /*
105  * Functions and data accessed through indirect pointers.
106  */
107 Fct elf_fct = {
108 	elf_are_u,
109 	elf_entry_pt,
110 	elf_map_so,
111 	elf_unmap_so,
112 	elf_needed,
113 	lookup_sym,
114 	elf_reloc,
115 	elf_dflt_dirs,
116 	elf_secure_dirs,
117 	elf_fix_name,
118 	elf_get_so,
119 	elf_dladdr,
120 	dlsym_handle,
121 	elf_verify_vers,
122 	elf_set_prot
123 };
124 
125 
126 /*
127  * Redefine NEEDED name if necessary.
128  */
129 static Pnode *
130 elf_fix_name(const char *name, Rt_map *clmp, uint_t orig)
131 {
132 	/*
133 	 * For ABI compliance, if we are asked for ld.so.1, then really give
134 	 * them libsys.so.1 (the SONAME of libsys.so.1 is ld.so.1).
135 	 */
136 	if (((*name == '/') &&
137 	/* BEGIN CSTYLED */
138 #if	defined(_ELF64)
139 	    (strcmp(name, MSG_ORIG(MSG_PTH_RTLD_64)) == 0)) ||
140 #else
141 	    (strcmp(name, MSG_ORIG(MSG_PTH_RTLD)) == 0)) ||
142 #endif
143 	    (strcmp(name, MSG_ORIG(MSG_FIL_RTLD)) == 0)) {
144 		/* END CSTYLED */
145 		Pnode	*pnp;
146 
147 		DBG_CALL(Dbg_file_fixname(LIST(clmp), name,
148 		    MSG_ORIG(MSG_PTH_LIBSYS)));
149 		if (((pnp = calloc(sizeof (Pnode), 1)) == 0) ||
150 		    ((pnp->p_name = strdup(MSG_ORIG(MSG_PTH_LIBSYS))) == 0)) {
151 			if (pnp)
152 				free(pnp);
153 			return (0);
154 		}
155 		pnp->p_len = MSG_PTH_LIBSYS_SIZE;
156 		return (pnp);
157 	}
158 
159 	return (expand_paths(clmp, name, orig, 0));
160 }
161 
162 /*
163  * Determine if we have been given an ELF file and if so determine if the file
164  * is compatible.  Returns 1 if true, else 0 and sets the reject descriptor
165  * with associated error information.
166  */
167 static int
168 elf_are_u(Rej_desc *rej)
169 {
170 	Ehdr	*ehdr;
171 
172 	/*
173 	 * Determine if we're an elf file.  If not simply return, we don't set
174 	 * any rejection information as this test allows use to scroll through
175 	 * the objects we support (ELF, AOUT).
176 	 */
177 	if (fmap->fm_fsize < sizeof (Ehdr) ||
178 	    fmap->fm_maddr[EI_MAG0] != ELFMAG0 ||
179 	    fmap->fm_maddr[EI_MAG1] != ELFMAG1 ||
180 	    fmap->fm_maddr[EI_MAG2] != ELFMAG2 ||
181 	    fmap->fm_maddr[EI_MAG3] != ELFMAG3) {
182 		return (0);
183 	}
184 
185 	/*
186 	 * Check class and encoding.
187 	 */
188 	/* LINTED */
189 	ehdr = (Ehdr *)fmap->fm_maddr;
190 	if (ehdr->e_ident[EI_CLASS] != M_CLASS) {
191 		rej->rej_type = SGS_REJ_CLASS;
192 		rej->rej_info = (uint_t)ehdr->e_ident[EI_CLASS];
193 		return (0);
194 	}
195 	if (ehdr->e_ident[EI_DATA] != M_DATA) {
196 		rej->rej_type = SGS_REJ_DATA;
197 		rej->rej_info = (uint_t)ehdr->e_ident[EI_DATA];
198 		return (0);
199 	}
200 	if ((ehdr->e_type != ET_REL) && (ehdr->e_type != ET_EXEC) &&
201 	    (ehdr->e_type != ET_DYN)) {
202 		rej->rej_type = SGS_REJ_TYPE;
203 		rej->rej_info = (uint_t)ehdr->e_type;
204 		return (0);
205 	}
206 
207 	/*
208 	 * Verify machine specific flags, and hardware capability requirements.
209 	 */
210 	if ((elf_mach_flags_check(rej, ehdr) == 0) ||
211 	    (cap_check(rej, ehdr) == 0))
212 		return (0);
213 
214 	/*
215 	 * Verify ELF version.  ??? is this too restrictive ???
216 	 */
217 	if (ehdr->e_version > EV_CURRENT) {
218 		rej->rej_type = SGS_REJ_VERSION;
219 		rej->rej_info = (uint_t)ehdr->e_version;
220 		return (0);
221 	}
222 	return (1);
223 }
224 
225 /*
226  * The runtime linker employs lazy loading to provide the libraries needed for
227  * debugging, preloading .o's and dldump().  As these are seldom used, the
228  * standard startup of ld.so.1 doesn't initialize all the information necessary
229  * to perform plt relocation on ld.so.1's link-map.  The first time lazy loading
230  * is called we get here to perform these initializations:
231  *
232  *  o	elf_needed() is called to set up the DYNINFO() indexes for each lazy
233  *	dependency.  Typically, for all other objects, this is called during
234  *	analyze_so(), but as ld.so.1 is set-contained we skip this processing.
235  *
236  *  o	For intel, ld.so.1's JMPSLOT relocations need relative updates. These
237  *	are by default skipped thus delaying all relative relocation processing
238  * 	on every invocation of ld.so.1.
239  */
240 int
241 elf_rtld_load()
242 {
243 	Lm_list	*lml = &lml_rtld;
244 	Rt_map	*lmp = lml->lm_head;
245 
246 	if (lml->lm_flags & LML_FLG_PLTREL)
247 		return (1);
248 
249 	/*
250 	 * As we need to refer to the DYNINFO() information, insure that it has
251 	 * been initialized.
252 	 */
253 	if (elf_needed(lml, ALIST_OFF_DATA, lmp, NULL) == 0)
254 		return (0);
255 
256 #if	defined(__i386)
257 	/*
258 	 * This is a kludge to give ld.so.1 a performance benefit on i386.
259 	 * It's based around two factors.
260 	 *
261 	 *  o	JMPSLOT relocations (PLT's) actually need a relative relocation
262 	 *	applied to the GOT entry so that they can find PLT0.
263 	 *
264 	 *  o	ld.so.1 does not exercise *any* PLT's before it has made a call
265 	 *	to elf_lazy_load().  This is because all dynamic dependencies
266 	 * 	are recorded as lazy dependencies.
267 	 */
268 	(void) elf_reloc_relacount((ulong_t)JMPREL(lmp),
269 	    (ulong_t)(PLTRELSZ(lmp) / RELENT(lmp)), (ulong_t)RELENT(lmp),
270 	    (ulong_t)ADDR(lmp));
271 #endif
272 
273 	lml->lm_flags |= LML_FLG_PLTREL;
274 	return (1);
275 }
276 
277 /*
278  * Lazy load an object.
279  */
280 Rt_map *
281 elf_lazy_load(Rt_map *clmp, Slookup *slp, uint_t ndx, const char *sym,
282     int *in_nfavl)
283 {
284 	Rt_map		*nlmp, *hlmp;
285 	Dyninfo		*dip = &DYNINFO(clmp)[ndx], *pdip;
286 	uint_t		flags = 0;
287 	Pnode		*pnp;
288 	const char	*name;
289 	Lm_list		*lml = LIST(clmp);
290 	Lm_cntl		*lmc;
291 	Aliste		lmco;
292 
293 	/*
294 	 * If this dependency has already been processed, we're done.
295 	 */
296 	if (((nlmp = (Rt_map *)dip->di_info) != 0) ||
297 	    (dip->di_flags & FLG_DI_LDD_DONE))
298 		return (nlmp);
299 
300 	/*
301 	 * If we're running under ldd(1), indicate that this dependency has been
302 	 * processed (see test above).  It doesn't matter whether the object is
303 	 * successfully loaded or not, this flag simply ensures that we don't
304 	 * repeatedly attempt to load an object that has already failed to load.
305 	 * To do so would create multiple failure diagnostics for the same
306 	 * object under ldd(1).
307 	 */
308 	if (lml->lm_flags & LML_FLG_TRC_ENABLE)
309 		dip->di_flags |= FLG_DI_LDD_DONE;
310 
311 	/*
312 	 * Determine the initial dependency name.
313 	 */
314 	name = STRTAB(clmp) + DYN(clmp)[ndx].d_un.d_val;
315 	DBG_CALL(Dbg_file_lazyload(clmp, name, sym));
316 
317 	/*
318 	 * If this object needs to establish its own group, make sure a handle
319 	 * is created.
320 	 */
321 	if (dip->di_flags & FLG_DI_GROUP)
322 		flags |= (FLG_RT_SETGROUP | FLG_RT_HANDLE);
323 
324 	/*
325 	 * Lazy dependencies are identified as DT_NEEDED entries with a
326 	 * DF_P1_LAZYLOAD flag in the previous DT_POSFLAG_1 element.  The
327 	 * dynamic information element that corresponds to the DT_POSFLAG_1
328 	 * entry is free, and thus used to store the present entrance
329 	 * identifier.  This identifier is used to prevent multiple attempts to
330 	 * load a failed lazy loadable dependency within the same runtime linker
331 	 * operation.  However, future attempts to reload this dependency are
332 	 * still possible.
333 	 */
334 	if (ndx && (pdip = dip - 1) && (pdip->di_flags & FLG_DI_POSFLAG1))
335 		pdip->di_info = (void *)slp->sl_id;
336 
337 	/*
338 	 * Expand the requested name if necessary.
339 	 */
340 	if ((pnp = elf_fix_name(name, clmp, 0)) == 0)
341 		return (0);
342 
343 	/*
344 	 * Provided the object on the head of the link-map has completed its
345 	 * relocation, create a new link-map control list for this request.
346 	 */
347 	hlmp = lml->lm_head;
348 	if (FLAGS(hlmp) & FLG_RT_RELOCED) {
349 		if ((lmc = alist_append(&lml->lm_lists, 0, sizeof (Lm_cntl),
350 		    AL_CNT_LMLISTS)) == 0) {
351 			remove_pnode(pnp);
352 			return (0);
353 		}
354 		lmco = (Aliste)((char *)lmc - (char *)lml->lm_lists);
355 	} else {
356 		lmc = 0;
357 		lmco = ALIST_OFF_DATA;
358 	}
359 
360 	/*
361 	 * Load the associated object.
362 	 */
363 	dip->di_info = nlmp =
364 	    load_one(lml, lmco, pnp, clmp, MODE(clmp), flags, 0, in_nfavl);
365 
366 	/*
367 	 * Remove any expanded pathname infrastructure.  Reduce the pending lazy
368 	 * dependency count of the caller, together with the link-map lists
369 	 * count of objects that still have lazy dependencies pending.
370 	 */
371 	remove_pnode(pnp);
372 	if (--LAZY(clmp) == 0)
373 		LIST(clmp)->lm_lazy--;
374 
375 	/*
376 	 * Finish processing the objects associated with this request, and
377 	 * create an association between the caller and this dependency.
378 	 */
379 	if (nlmp && ((bind_one(clmp, nlmp, BND_NEEDED) == 0) ||
380 	    (analyze_lmc(lml, lmco, nlmp, in_nfavl) == 0) ||
381 	    (relocate_lmc(lml, lmco, clmp, nlmp, in_nfavl) == 0)))
382 		dip->di_info = nlmp = 0;
383 
384 	/*
385 	 * If this lazyload has failed, and we've created a new link-map
386 	 * control list to which this request has added objects, then remove
387 	 * all the objects that have been associated to this request.
388 	 */
389 	if ((nlmp == 0) && lmc && lmc->lc_head)
390 		remove_lmc(lml, clmp, lmc, lmco, name);
391 
392 	/*
393 	 * Finally, remove any link-map control list that was created.
394 	 */
395 	if (lmc)
396 		remove_cntl(lml, lmco);
397 
398 	/*
399 	 * If this lazy loading failed, record the fact, and bump the lazy
400 	 * counts.
401 	 */
402 	if (nlmp == 0) {
403 		dip->di_flags |= FLG_DI_LAZYFAIL;
404 		if (LAZY(clmp)++ == 0)
405 			LIST(clmp)->lm_lazy++;
406 	}
407 
408 	return (nlmp);
409 }
410 
411 /*
412  * Return the entry point of the ELF executable.
413  */
414 static ulong_t
415 elf_entry_pt(void)
416 {
417 	return (ENTRY(lml_main.lm_head));
418 }
419 
420 /*
421  * Unmap a given ELF shared object from the address space.
422  */
423 static void
424 elf_unmap_so(Rt_map *lmp)
425 {
426 	caddr_t	addr;
427 	size_t	size;
428 	Mmap	*mmaps;
429 
430 	/*
431 	 * If this link map represents a relocatable object concatenation, then
432 	 * the image was simply generated in allocated memory.  Free the memory.
433 	 *
434 	 * Note: the memory was originally allocated in the libelf:_elf_outmap
435 	 * routine and would normally have been free'd in elf_outsync(), but
436 	 * because we 'interpose' on that routine the memory  wasn't free'd at
437 	 * that time.
438 	 */
439 	if (FLAGS(lmp) & FLG_RT_IMGALLOC) {
440 		free((void *)ADDR(lmp));
441 		return;
442 	}
443 
444 	/*
445 	 * If padding was enabled via rtld_db, then we have at least one page
446 	 * in front of the image - and possibly a trailing page.
447 	 * Unmap the front page first:
448 	 */
449 	if (PADSTART(lmp) != ADDR(lmp)) {
450 		addr = (caddr_t)M_PTRUNC(PADSTART(lmp));
451 		size = ADDR(lmp) - (ulong_t)addr;
452 		(void) munmap(addr, size);
453 	}
454 
455 	/*
456 	 * Unmap any trailing padding.
457 	 */
458 	if (M_PROUND((PADSTART(lmp) + PADIMLEN(lmp))) >
459 	    M_PROUND(ADDR(lmp) + MSIZE(lmp))) {
460 		addr = (caddr_t)M_PROUND(ADDR(lmp) + MSIZE(lmp));
461 		size = M_PROUND(PADSTART(lmp) + PADIMLEN(lmp)) - (ulong_t)addr;
462 		(void) munmap(addr, size);
463 	}
464 
465 	/*
466 	 * Unmmap all mapped segments.
467 	 */
468 	for (mmaps = MMAPS(lmp); mmaps->m_vaddr; mmaps++)
469 		(void) munmap(mmaps->m_vaddr, mmaps->m_msize);
470 }
471 
472 /*
473  * Determine if a dependency requires a particular version and if so verify
474  * that the version exists in the dependency.
475  */
476 static int
477 elf_verify_vers(const char *name, Rt_map *clmp, Rt_map *nlmp)
478 {
479 	Verneed		*vnd = VERNEED(clmp);
480 	int		_num, num = VERNEEDNUM(clmp);
481 	char		*cstrs = (char *)STRTAB(clmp);
482 	Lm_list		*lml = LIST(clmp);
483 
484 	/*
485 	 * Traverse the callers version needed information and determine if any
486 	 * specific versions are required from the dependency.
487 	 */
488 	DBG_CALL(Dbg_ver_need_title(LIST(clmp), NAME(clmp)));
489 	for (_num = 1; _num <= num; _num++,
490 	    vnd = (Verneed *)((Xword)vnd + vnd->vn_next)) {
491 		Half		cnt = vnd->vn_cnt;
492 		Vernaux		*vnap;
493 		char		*nstrs, *need;
494 
495 		/*
496 		 * Determine if a needed entry matches this dependency.
497 		 */
498 		need = (char *)(cstrs + vnd->vn_file);
499 		if (strcmp(name, need) != 0)
500 			continue;
501 
502 		if ((lml->lm_flags & LML_FLG_TRC_VERBOSE) &&
503 		    ((FLAGS1(clmp) & FL1_RT_LDDSTUB) == 0))
504 			(void) printf(MSG_INTL(MSG_LDD_VER_FIND), name);
505 
506 		/*
507 		 * Validate that each version required actually exists in the
508 		 * dependency.
509 		 */
510 		nstrs = (char *)STRTAB(nlmp);
511 
512 		for (vnap = (Vernaux *)((Xword)vnd + vnd->vn_aux); cnt;
513 		    cnt--, vnap = (Vernaux *)((Xword)vnap + vnap->vna_next)) {
514 			char		*version, *define;
515 			Verdef		*vdf = VERDEF(nlmp);
516 			ulong_t		_num, num = VERDEFNUM(nlmp);
517 			int		found = 0;
518 
519 			/*
520 			 * Skip validation of versions that are marked
521 			 * INFO. This optimization is used for versions
522 			 * that are inherited by another version. Verification
523 			 * of the inheriting version is sufficient.
524 			 *
525 			 * Such versions are recorded in the object for the
526 			 * benefit of VERSYM entries that refer to them. This
527 			 * provides a purely diagnositic benefit.
528 			 */
529 			if (vnap->vna_flags & VER_FLG_INFO)
530 				continue;
531 
532 			version = (char *)(cstrs + vnap->vna_name);
533 			DBG_CALL(Dbg_ver_need_entry(lml, 0, need, version));
534 
535 			for (_num = 1; _num <= num; _num++,
536 			    vdf = (Verdef *)((Xword)vdf + vdf->vd_next)) {
537 				Verdaux		*vdap;
538 
539 				if (vnap->vna_hash != vdf->vd_hash)
540 					continue;
541 
542 				vdap = (Verdaux *)((Xword)vdf + vdf->vd_aux);
543 				define = (char *)(nstrs + vdap->vda_name);
544 				if (strcmp(version, define) != 0)
545 					continue;
546 
547 				found++;
548 				break;
549 			}
550 
551 			/*
552 			 * If we're being traced print out any matched version
553 			 * when the verbose (-v) option is in effect.  Always
554 			 * print any unmatched versions.
555 			 */
556 			if (lml->lm_flags & LML_FLG_TRC_ENABLE) {
557 				/* BEGIN CSTYLED */
558 				if (found) {
559 				    if (!(lml->lm_flags & LML_FLG_TRC_VERBOSE))
560 					continue;
561 
562 				    (void) printf(MSG_ORIG(MSG_LDD_VER_FOUND),
563 					need, version, NAME(nlmp));
564 				} else {
565 				    if (rtld_flags & RT_FL_SILENCERR)
566 					continue;
567 
568 				    (void) printf(MSG_INTL(MSG_LDD_VER_NFOUND),
569 					need, version);
570 				}
571 				/* END CSTYLED */
572 				continue;
573 			}
574 
575 			/*
576 			 * If the version hasn't been found then this is a
577 			 * candidate for a fatal error condition.  Weak
578 			 * version definition requirements are silently
579 			 * ignored.  Also, if the image inspected for a version
580 			 * definition has no versioning recorded at all then
581 			 * silently ignore this (this provides better backward
582 			 * compatibility to old images created prior to
583 			 * versioning being available).  Both of these skipped
584 			 * diagnostics are available under tracing (see above).
585 			 */
586 			if ((found == 0) && (num != 0) &&
587 			    (!(vnap->vna_flags & VER_FLG_WEAK))) {
588 				eprintf(lml, ERR_FATAL,
589 				    MSG_INTL(MSG_VER_NFOUND), need, version,
590 				    NAME(clmp));
591 				return (0);
592 			}
593 		}
594 	}
595 	DBG_CALL(Dbg_util_nl(lml, DBG_NL_STD));
596 	return (1);
597 }
598 
599 /*
600  * Search through the dynamic section for DT_NEEDED entries and perform one
601  * of two functions.  If only the first argument is specified then load the
602  * defined shared object, otherwise add the link map representing the defined
603  * link map the the dlopen list.
604  */
605 static int
606 elf_needed(Lm_list *lml, Aliste lmco, Rt_map *clmp, int *in_nfavl)
607 {
608 	Dyn		*dyn, *pdyn;
609 	ulong_t		ndx = 0;
610 	uint_t		lazy, flags;
611 	Word		lmflags = lml->lm_flags;
612 	Word		lmtflags = lml->lm_tflags;
613 
614 	/*
615 	 * Process each shared object on needed list.
616 	 */
617 	if (DYN(clmp) == 0)
618 		return (1);
619 
620 	for (dyn = (Dyn *)DYN(clmp), pdyn = NULL; dyn->d_tag != DT_NULL;
621 	    pdyn = dyn++, ndx++) {
622 		Dyninfo	*dip = &DYNINFO(clmp)[ndx];
623 		Rt_map	*nlmp = 0;
624 		char	*name;
625 		int	silent = 0;
626 		Pnode	*pnp;
627 
628 		switch (dyn->d_tag) {
629 		case DT_POSFLAG_1:
630 			dip->di_flags |= FLG_DI_POSFLAG1;
631 			continue;
632 		case DT_NEEDED:
633 		case DT_USED:
634 			lazy = flags = 0;
635 			dip->di_flags |= FLG_DI_NEEDED;
636 
637 			if (pdyn && (pdyn->d_tag == DT_POSFLAG_1)) {
638 				if ((pdyn->d_un.d_val & DF_P1_LAZYLOAD) &&
639 				    ((lmtflags & LML_TFLG_NOLAZYLD) == 0)) {
640 					dip->di_flags |= FLG_DI_LAZY;
641 					lazy = 1;
642 				}
643 				if (pdyn->d_un.d_val & DF_P1_GROUPPERM) {
644 					dip->di_flags |= FLG_DI_GROUP;
645 					flags =
646 					    (FLG_RT_SETGROUP | FLG_RT_HANDLE);
647 				}
648 			}
649 
650 			name = (char *)STRTAB(clmp) + dyn->d_un.d_val;
651 
652 			/*
653 			 * NOTE, libc.so.1 can't be lazy loaded.  Although a
654 			 * lazy position flag won't be produced when a RTLDINFO
655 			 * .dynamic entry is found (introduced with the UPM in
656 			 * Solaris 10), it was possible to mark libc for lazy
657 			 * loading on previous releases.  To reduce the overhead
658 			 * of testing for this occurrence, only carry out this
659 			 * check for the first object on the link-map list
660 			 * (there aren't many applications built without libc).
661 			 */
662 			if (lazy && (lml->lm_head == clmp) &&
663 			    (strcmp(name, MSG_ORIG(MSG_FIL_LIBC)) == 0))
664 				lazy = 0;
665 
666 			/*
667 			 * Don't bring in lazy loaded objects yet unless we've
668 			 * been asked to attempt to load all available objects
669 			 * (crle(1) sets LD_FLAGS=loadavail).  Even under
670 			 * RTLD_NOW we don't process this - RTLD_NOW will cause
671 			 * relocation processing which in turn might trigger
672 			 * lazy loading, but its possible that the object has a
673 			 * lazy loaded file with no bindings (i.e., it should
674 			 * never have been a dependency in the first place).
675 			 */
676 			if (lazy) {
677 				if ((lmflags & LML_FLG_LOADAVAIL) == 0) {
678 					LAZY(clmp)++;
679 					lazy = flags = 0;
680 					continue;
681 				}
682 
683 				/*
684 				 * Silence any error messages - see description
685 				 * under elf_lookup_filtee().
686 				 */
687 				if ((rtld_flags & RT_FL_SILENCERR) == 0) {
688 					rtld_flags |= RT_FL_SILENCERR;
689 					silent = 1;
690 				}
691 			}
692 			break;
693 		case DT_AUXILIARY:
694 			dip->di_flags |= FLG_DI_AUXFLTR;
695 			continue;
696 		case DT_SUNW_AUXILIARY:
697 			dip->di_flags |= (FLG_DI_AUXFLTR | FLG_DI_SYMFLTR);
698 			continue;
699 		case DT_FILTER:
700 			dip->di_flags |= FLG_DI_STDFLTR;
701 			continue;
702 		case DT_SUNW_FILTER:
703 			dip->di_flags |= (FLG_DI_STDFLTR | FLG_DI_SYMFLTR);
704 			continue;
705 		default:
706 			continue;
707 		}
708 
709 		DBG_CALL(Dbg_file_needed(clmp, name));
710 
711 		/*
712 		 * If we're running under ldd(1), indicate that this dependency
713 		 * has been processed.  It doesn't matter whether the object is
714 		 * successfully loaded or not, this flag simply ensures that we
715 		 * don't repeatedly attempt to load an object that has already
716 		 * failed to load.  To do so would create multiple failure
717 		 * diagnostics for the same object under ldd(1).
718 		 */
719 		if (lml->lm_flags & LML_FLG_TRC_ENABLE)
720 			dip->di_flags |= FLG_DI_LDD_DONE;
721 
722 		/*
723 		 * Establish the objects name, load it and establish a binding
724 		 * with the caller.
725 		 */
726 		if (((pnp = elf_fix_name(name, clmp, 0)) == 0) || ((nlmp =
727 		    load_one(lml, lmco, pnp, clmp, MODE(clmp), flags, 0,
728 		    in_nfavl)) == 0) || (bind_one(clmp, nlmp, BND_NEEDED) == 0))
729 			nlmp = 0;
730 
731 		/*
732 		 * Clean up any infrastructure, including the removal of the
733 		 * error suppression state, if it had been previously set in
734 		 * this routine.
735 		 */
736 		if (pnp)
737 			remove_pnode(pnp);
738 		if (silent)
739 			rtld_flags &= ~RT_FL_SILENCERR;
740 
741 		if ((dip->di_info = (void *)nlmp) == 0) {
742 			/*
743 			 * If the object could not be mapped, continue if error
744 			 * suppression is established or we're here with ldd(1).
745 			 */
746 			if ((MODE(clmp) & RTLD_CONFGEN) || (lmflags &
747 			    (LML_FLG_LOADAVAIL | LML_FLG_TRC_ENABLE)))
748 				continue;
749 			else
750 				return (0);
751 		}
752 	}
753 
754 	if (LAZY(clmp))
755 		lml->lm_lazy++;
756 
757 	return (1);
758 }
759 
760 static int
761 elf_map_check(Lm_list *lml, const char *name, caddr_t vaddr, Off size)
762 {
763 	prmap_t		*maps, *_maps;
764 	int		pfd, num, _num;
765 	caddr_t		eaddr = vaddr + size;
766 	int		err;
767 
768 	/*
769 	 * If memory reservations have been established for alternative objects
770 	 * determine if this object falls within the reservation, if it does no
771 	 * further checking is required.
772 	 */
773 	if (rtld_flags & RT_FL_MEMRESV) {
774 		Rtc_head	*head = (Rtc_head *)config->c_bgn;
775 
776 		if ((vaddr >= (caddr_t)(uintptr_t)head->ch_resbgn) &&
777 		    (eaddr <= (caddr_t)(uintptr_t)head->ch_resend))
778 			return (0);
779 	}
780 
781 	/*
782 	 * Determine the mappings presently in use by this process.
783 	 */
784 	if ((pfd = pr_open(lml)) == FD_UNAVAIL)
785 		return (1);
786 
787 	if (ioctl(pfd, PIOCNMAP, (void *)&num) == -1) {
788 		err = errno;
789 		eprintf(lml, ERR_FATAL, MSG_INTL(MSG_SYS_PROC), name,
790 		    strerror(err));
791 		return (1);
792 	}
793 
794 	if ((maps = malloc((num + 1) * sizeof (prmap_t))) == 0)
795 		return (1);
796 
797 	if (ioctl(pfd, PIOCMAP, (void *)maps) == -1) {
798 		err = errno;
799 		eprintf(lml, ERR_FATAL, MSG_INTL(MSG_SYS_PROC), name,
800 		    strerror(err));
801 		free(maps);
802 		return (1);
803 	}
804 
805 	/*
806 	 * Determine if the supplied address clashes with any of the present
807 	 * process mappings.
808 	 */
809 	for (_num = 0, _maps = maps; _num < num; _num++, _maps++) {
810 		caddr_t		_eaddr = _maps->pr_vaddr + _maps->pr_size;
811 		Rt_map		*lmp;
812 		const char	*str;
813 
814 		if ((eaddr < _maps->pr_vaddr) || (vaddr >= _eaddr))
815 			continue;
816 
817 		/*
818 		 * We have a memory clash.  See if one of the known dynamic
819 		 * dependency mappings represents this space so as to provide
820 		 * the user a more meaningful message.
821 		 */
822 		if ((lmp = _caller(vaddr, 0)) != 0)
823 			str = NAME(lmp);
824 		else
825 			str = MSG_INTL(MSG_STR_UNKNOWN);
826 
827 		eprintf(lml, ERR_FATAL, MSG_INTL(MSG_GEN_MAPINUSE), name,
828 		    EC_NATPTR(vaddr), EC_OFF(size), str);
829 		return (1);
830 	}
831 	free(maps);
832 	return (0);
833 }
834 
835 /*
836  * Obtain a memory reservation.  On newer systems, both MAP_ANON and MAP_ALIGN
837  * are used to obtained an aligned reservation from anonymous memory.  If
838  * MAP_ANON isn't available, then MAP_ALIGN isn't either, so obtain a standard
839  * reservation using the file as backing.
840  */
841 static Am_ret
842 elf_map_reserve(Lm_list *lml, const char *name, caddr_t *maddr, Off msize,
843     int mperm, int fd, Xword align)
844 {
845 	Am_ret	amret;
846 	int	mflag = MAP_PRIVATE | MAP_NORESERVE;
847 
848 #if defined(MAP_ALIGN)
849 	if ((rtld_flags2 & RT_FL2_NOMALIGN) == 0) {
850 		mflag |= MAP_ALIGN;
851 		*maddr = (caddr_t)align;
852 	}
853 #endif
854 	if ((amret = anon_map(lml, maddr, msize, PROT_NONE, mflag)) == AM_ERROR)
855 		return (amret);
856 
857 	if (amret == AM_OK)
858 		return (AM_OK);
859 
860 	/*
861 	 * If an anonymous memory request failed (which should only be the
862 	 * case if it is unsupported on the system we're running on), establish
863 	 * the initial mapping directly from the file.
864 	 */
865 	*maddr = 0;
866 	if ((*maddr = mmap(*maddr, msize, mperm, MAP_PRIVATE,
867 	    fd, 0)) == MAP_FAILED) {
868 		int	err = errno;
869 		eprintf(lml, ERR_FATAL, MSG_INTL(MSG_SYS_MMAP), name,
870 		    strerror(err));
871 		return (AM_ERROR);
872 	}
873 	return (AM_NOSUP);
874 }
875 
876 static void *
877 elf_map_textdata(caddr_t addr, Off flen, int mperm, int phdr_mperm, int mflag,
878     int fd, Off foff)
879 {
880 #if	defined(MAP_TEXT) && defined(MAP_INITDATA)
881 	static int	notd = 0;
882 
883 	/*
884 	 * If MAP_TEXT and MAP_INITDATA are available, select the appropriate
885 	 * flag.
886 	 */
887 	if (notd == 0) {
888 		if ((phdr_mperm & (PROT_WRITE | PROT_EXEC)) == PROT_EXEC)
889 			mflag |= MAP_TEXT;
890 		else
891 			mflag |= MAP_INITDATA;
892 	}
893 #endif
894 	if (mmap((caddr_t)addr, flen, mperm, mflag, fd, foff) != MAP_FAILED)
895 		return (0);
896 
897 #if	defined(MAP_TEXT) && defined(MAP_INITDATA)
898 	if ((notd == 0) && (errno == EINVAL)) {
899 		/*
900 		 * MAP_TEXT and MAP_INITDATA may not be supported on this
901 		 * platform, try again without.
902 		 */
903 		notd = 1;
904 		mflag &= ~(MAP_TEXT | MAP_INITDATA);
905 
906 		return (mmap((caddr_t)addr, flen, mperm, mflag, fd, foff));
907 	}
908 #endif
909 	return (MAP_FAILED);
910 }
911 
912 /*
913  * Map in a file.
914  */
915 static caddr_t
916 elf_map_it(
917 	Lm_list		*lml,		/* link-map list */
918 	const char	*name,		/* actual name stored for pathname */
919 	Off		fsize,		/* total mapping claim of the file */
920 	Ehdr		*ehdr,		/* ELF header of file */
921 	Phdr		*fphdr,		/* first loadable Phdr */
922 	Phdr		*lphdr,		/* last loadable Phdr */
923 	Phdr		**rrphdr,	/* return first Phdr in reservation */
924 	caddr_t		*rraddr,	/* return start of reservation */
925 	Off		*rrsize,	/* return total size of reservation */
926 	int		fixed,		/* image is resolved to a fixed addr */
927 	int		fd,		/* images file descriptor */
928 	Xword		align,		/* image segments maximum alignment */
929 	Mmap		*mmaps,		/* mmap information array and */
930 	uint_t		*mmapcnt)	/* 	mapping count */
931 {
932 	caddr_t		raddr;		/* reservation address */
933 	Off		rsize;		/* reservation size */
934 	Phdr		*phdr;		/* working program header poiner */
935 	caddr_t		maddr;		/* working mmap address */
936 	caddr_t		faddr;		/* working file address */
937 	size_t		padsize;	/* object padding requirement */
938 	size_t		padpsize = 0;	/* padding size rounded to next page */
939 	size_t		padmsize = 0;	/* padding size rounded for alignment */
940 	int		skipfseg;	/* skip mapping first segment */
941 	int		mperm;		/* segment permissions */
942 	Am_ret		amret = AM_NOSUP;
943 
944 	/*
945 	 * If padding is required extend both the front and rear of the image.
946 	 * To insure the image itself is mapped at the correct alignment the
947 	 * initial padding is rounded up to the nearest page.  Once the image is
948 	 * mapped the excess can be pruned to the nearest page required for the
949 	 * actual padding itself.
950 	 */
951 	if ((padsize = r_debug.rtd_objpad) != 0) {
952 		padpsize = M_PROUND(padsize);
953 		if (fixed)
954 			padmsize = padpsize;
955 		else
956 			padmsize = S_ROUND(padsize, align);
957 	}
958 
959 	/*
960 	 * Determine the initial permissions used to map in the first segment.
961 	 * If this segments memsz is greater that its filesz then the difference
962 	 * must be zeroed.  Make sure this segment is writable.
963 	 */
964 	mperm = 0;
965 	if (fphdr->p_flags & PF_R)
966 		mperm |= PROT_READ;
967 	if (fphdr->p_flags & PF_X)
968 		mperm |= PROT_EXEC;
969 	if ((fphdr->p_flags & PF_W) || (fphdr->p_memsz > fphdr->p_filesz))
970 		mperm |= PROT_WRITE;
971 
972 	/*
973 	 * Determine whether or not to let system reserve address space based on
974 	 * whether this is a dynamic executable (addresses in object are fixed)
975 	 * or a shared object (addresses in object are relative to the objects'
976 	 * base).
977 	 */
978 	if (fixed) {
979 		/*
980 		 * Determine the reservation address and size, and insure that
981 		 * this reservation isn't already in use.
982 		 */
983 		faddr = maddr = (caddr_t)M_PTRUNC((ulong_t)fphdr->p_vaddr);
984 		raddr = maddr - padpsize;
985 		rsize = fsize + padpsize + padsize;
986 
987 		if (lml_main.lm_head) {
988 			if (elf_map_check(lml, name, raddr, rsize) != 0)
989 				return (0);
990 		}
991 
992 		/*
993 		 * As this is a fixed image, all segments must be individually
994 		 * mapped.
995 		 */
996 		skipfseg = 0;
997 
998 	} else {
999 		size_t	esize;
1000 
1001 		/*
1002 		 * If this isn't a fixed image, reserve enough address space for
1003 		 * the entire image to be mapped.  The amount of reservation is
1004 		 * the range between the beginning of the first, and end of the
1005 		 * last loadable segment, together with any padding, plus the
1006 		 * alignment of the first segment.
1007 		 *
1008 		 * The optimal reservation is made as a no-reserve mapping from
1009 		 * anonymous memory.  Each segment is then mapped into this
1010 		 * reservation.  If the anonymous mapping capability isn't
1011 		 * available, the reservation is obtained from the file itself.
1012 		 * In this case the first segment of the image is mapped as part
1013 		 * of the reservation, thus only the following segments need to
1014 		 * be remapped.
1015 		 */
1016 		rsize = fsize + padmsize + padsize;
1017 		if ((amret = elf_map_reserve(lml, name, &raddr, rsize, mperm,
1018 		    fd, align)) == AM_ERROR)
1019 			return (0);
1020 		maddr = raddr + padmsize;
1021 		faddr = (caddr_t)S_ROUND((Off)maddr, align);
1022 
1023 		/*
1024 		 * If this reservation has been obtained from anonymous memory,
1025 		 * then all segments must be individually mapped.  Otherwise,
1026 		 * the first segment heads the reservation.
1027 		 */
1028 		if (amret == AM_OK)
1029 			skipfseg = 0;
1030 		else
1031 			skipfseg = 1;
1032 
1033 		/*
1034 		 * For backward compatibility (where MAP_ALIGN isn't available),
1035 		 * insure the alignment of the reservation is adequate for this
1036 		 * object, and if not remap the object to obtain the correct
1037 		 * alignment.
1038 		 */
1039 		if (faddr != maddr) {
1040 			(void) munmap(raddr, rsize);
1041 
1042 			rsize += align;
1043 			if ((amret = elf_map_reserve(lml, name, &raddr, rsize,
1044 			    mperm, fd, align)) == AM_ERROR)
1045 				return (0);
1046 
1047 			maddr = faddr = (caddr_t)S_ROUND((Off)(raddr +
1048 			    padpsize), align);
1049 
1050 			esize = maddr - raddr + padpsize;
1051 
1052 			/*
1053 			 * As ths image has been realigned, the first segment
1054 			 * of the file needs to be remapped to its correct
1055 			 * location.
1056 			 */
1057 			skipfseg = 0;
1058 		} else
1059 			esize = padmsize - padpsize;
1060 
1061 		/*
1062 		 * If this reservation included padding, remove any excess for
1063 		 * the start of the image (the padding was adjusted to insure
1064 		 * the image was aligned appropriately).
1065 		 */
1066 		if (esize) {
1067 			(void) munmap(raddr, esize);
1068 			raddr += esize;
1069 			rsize -= esize;
1070 		}
1071 	}
1072 
1073 	/*
1074 	 * At this point we know the initial location of the image, and its
1075 	 * size.  Pass these back to the caller for inclusion in the link-map
1076 	 * that will eventually be created.
1077 	 */
1078 	*rraddr = raddr;
1079 	*rrsize = rsize;
1080 
1081 	/*
1082 	 * The first loadable segment is now pointed to by maddr.  This segment
1083 	 * will eventually contain the elf header and program headers, so reset
1084 	 * the program header.  Pass this  back to the caller for inclusion in
1085 	 * the link-map so it can be used for later unmapping operations.
1086 	 */
1087 	/* LINTED */
1088 	*rrphdr = (Phdr *)((char *)maddr + ehdr->e_phoff);
1089 
1090 	/*
1091 	 * If padding is required at the front of the image, obtain that now.
1092 	 * Note, if we've already obtained a reservation from anonymous memory
1093 	 * then this reservation will already include suitable padding.
1094 	 * Otherwise this reservation is backed by the file, or in the case of
1095 	 * a fixed image, doesn't yet exist.  Map the padding so that it is
1096 	 * suitably protected (PROT_NONE), and insure the first segment of the
1097 	 * file is mapped to its correct location.
1098 	 */
1099 	if (padsize) {
1100 		if (amret == AM_NOSUP) {
1101 			if (dz_map(lml, raddr, padpsize, PROT_NONE,
1102 			    (MAP_PRIVATE | MAP_FIXED | MAP_NORESERVE)) ==
1103 			    MAP_FAILED)
1104 				return (0);
1105 
1106 			skipfseg = 0;
1107 		}
1108 		rsize -= padpsize;
1109 	}
1110 
1111 	/*
1112 	 * Map individual segments.  For a fixed image, these will each be
1113 	 * unique mappings.  For a reservation these will fill in the
1114 	 * reservation.
1115 	 */
1116 	for (phdr = fphdr; phdr <= lphdr;
1117 	    phdr = (Phdr *)((Off)phdr + ehdr->e_phentsize)) {
1118 		caddr_t	addr;
1119 		Off	mlen, flen;
1120 		size_t	size;
1121 
1122 		/*
1123 		 * Skip non-loadable segments or segments that don't occupy
1124 		 * any memory.
1125 		 */
1126 		if ((phdr->p_type != PT_LOAD) || (phdr->p_memsz == 0))
1127 			continue;
1128 
1129 		/*
1130 		 * Establish this segments address relative to our base.
1131 		 */
1132 		addr = (caddr_t)M_PTRUNC((ulong_t)(phdr->p_vaddr +
1133 		    (fixed ? 0 : faddr)));
1134 
1135 		/*
1136 		 * Determine the mapping protection from the segment attributes.
1137 		 * Also determine the etext address from the last loadable
1138 		 * segment which has permissions but no write access.
1139 		 */
1140 		mperm = 0;
1141 		if (phdr->p_flags) {
1142 			if (phdr->p_flags & PF_R)
1143 				mperm |= PROT_READ;
1144 			if (phdr->p_flags & PF_X)
1145 				mperm |= PROT_EXEC;
1146 			if (phdr->p_flags & PF_W)
1147 				mperm |= PROT_WRITE;
1148 			else
1149 				fmap->fm_etext = phdr->p_vaddr + phdr->p_memsz +
1150 				    (ulong_t)(fixed ? 0 : faddr);
1151 		}
1152 
1153 		/*
1154 		 * Determine the type of mapping required.
1155 		 */
1156 		if ((phdr->p_filesz == 0) && (phdr->p_flags == 0)) {
1157 			/*
1158 			 * If this segment has no backing file and no flags
1159 			 * specified, then it defines a reservation.  At this
1160 			 * point all standard loadable segments will have been
1161 			 * processed.  The segment reservation is mapped
1162 			 * directly from /dev/null.
1163 			 */
1164 			if (nu_map(lml, (caddr_t)addr, phdr->p_memsz, PROT_NONE,
1165 			    MAP_FIXED | MAP_PRIVATE) == MAP_FAILED)
1166 				return (0);
1167 
1168 			mlen = phdr->p_memsz;
1169 			flen = 0;
1170 
1171 		} else if (phdr->p_filesz == 0) {
1172 			/*
1173 			 * If this segment has no backing file then it defines a
1174 			 * nobits segment and is mapped directly from /dev/zero.
1175 			 */
1176 			if (dz_map(lml, (caddr_t)addr, phdr->p_memsz, mperm,
1177 			    MAP_FIXED | MAP_PRIVATE) == MAP_FAILED)
1178 				return (0);
1179 
1180 			mlen = phdr->p_memsz;
1181 			flen = 0;
1182 
1183 		} else {
1184 			Off	foff;
1185 
1186 			/*
1187 			 * This mapping originates from the file.  Determine the
1188 			 * file offset to which the mapping will be directed
1189 			 * (must be aligned) and how much to map (might be more
1190 			 * than the file in the case of .bss).
1191 			 */
1192 			foff = M_PTRUNC((ulong_t)phdr->p_offset);
1193 			mlen = phdr->p_memsz + (phdr->p_offset - foff);
1194 			flen = phdr->p_filesz + (phdr->p_offset - foff);
1195 
1196 			/*
1197 			 * If this is a non-fixed, non-anonymous mapping, and no
1198 			 * padding is involved, then the first loadable segment
1199 			 * is already part of the initial reservation.  In this
1200 			 * case there is no need to remap this segment.
1201 			 */
1202 			if ((skipfseg == 0) || (phdr != fphdr)) {
1203 				int phdr_mperm = mperm;
1204 				/*
1205 				 * If this segments memsz is greater that its
1206 				 * filesz then the difference must be zeroed.
1207 				 * Make sure this segment is writable.
1208 				 */
1209 				if (phdr->p_memsz > phdr->p_filesz)
1210 					mperm |= PROT_WRITE;
1211 
1212 				if (elf_map_textdata((caddr_t)addr, flen,
1213 				    mperm, phdr_mperm,
1214 				    (MAP_FIXED | MAP_PRIVATE), fd, foff) ==
1215 				    MAP_FAILED) {
1216 					int	err = errno;
1217 					eprintf(lml, ERR_FATAL,
1218 					    MSG_INTL(MSG_SYS_MMAP), name,
1219 					    strerror(err));
1220 					return (0);
1221 				}
1222 			}
1223 
1224 			/*
1225 			 * If the memory occupancy of the segment overflows the
1226 			 * definition in the file, we need to "zero out" the end
1227 			 * of the mapping we've established, and if necessary,
1228 			 * map some more space from /dev/zero.  Note, zero'ed
1229 			 * memory must end on a double word boundary to satisfy
1230 			 * zero().
1231 			 */
1232 			if (phdr->p_memsz > phdr->p_filesz) {
1233 				caddr_t	zaddr;
1234 				size_t	zlen, zplen;
1235 				Off	fend;
1236 
1237 				foff = (Off)(phdr->p_vaddr + phdr->p_filesz +
1238 				    (fixed ? 0 : faddr));
1239 				zaddr = (caddr_t)M_PROUND(foff);
1240 				zplen = (size_t)(zaddr - foff);
1241 
1242 				fend = (Off)S_DROUND((size_t)(phdr->p_vaddr +
1243 				    phdr->p_memsz + (fixed ? 0 : faddr)));
1244 				zlen = (size_t)(fend - foff);
1245 
1246 				/*
1247 				 * Determine whether the number of bytes that
1248 				 * must be zero'ed overflow to the next page.
1249 				 * If not, simply clear the exact bytes
1250 				 * (filesz to memsz) from this page.  Otherwise,
1251 				 * clear the remaining bytes of this page, and
1252 				 * map an following pages from /dev/zero.
1253 				 */
1254 				if (zlen < zplen)
1255 					zero((caddr_t)foff, (long)zlen);
1256 				else {
1257 					zero((caddr_t)foff, (long)zplen);
1258 
1259 					if ((zlen = (fend - (Off)zaddr)) > 0) {
1260 						if (dz_map(lml, zaddr, zlen,
1261 						    mperm,
1262 						    MAP_FIXED | MAP_PRIVATE) ==
1263 						    MAP_FAILED)
1264 							return (0);
1265 					}
1266 				}
1267 			}
1268 		}
1269 
1270 		/*
1271 		 * Unmap anything from the last mapping address to this one and
1272 		 * update the mapping claim pointer.
1273 		 */
1274 		if ((fixed == 0) && ((size = addr - maddr) != 0)) {
1275 			(void) munmap(maddr, size);
1276 			rsize -= size;
1277 		}
1278 
1279 		/*
1280 		 * Retain this segments mapping information.
1281 		 */
1282 		mmaps[*mmapcnt].m_vaddr = addr;
1283 		mmaps[*mmapcnt].m_msize = mlen;
1284 		mmaps[*mmapcnt].m_fsize = flen;
1285 		mmaps[*mmapcnt].m_perm = mperm;
1286 		(*mmapcnt)++;
1287 
1288 		maddr = addr + M_PROUND(mlen);
1289 		rsize -= M_PROUND(mlen);
1290 	}
1291 
1292 	/*
1293 	 * If padding is required at the end of the image, obtain that now.
1294 	 * Note, if we've already obtained a reservation from anonymous memory
1295 	 * then this reservation will already include suitable padding.
1296 	 */
1297 	if (padsize) {
1298 		if (amret == AM_NOSUP) {
1299 			/*
1300 			 * maddr is currently page aligned from the last segment
1301 			 * mapping.
1302 			 */
1303 			if (dz_map(lml, maddr, padsize, PROT_NONE,
1304 			    (MAP_PRIVATE | MAP_FIXED | MAP_NORESERVE)) ==
1305 			    MAP_FAILED)
1306 				return (0);
1307 		}
1308 		maddr += padsize;
1309 		rsize -= padsize;
1310 	}
1311 
1312 	/*
1313 	 * Unmap any final reservation.
1314 	 */
1315 	if ((fixed == 0) && (rsize != 0))
1316 		(void) munmap(maddr, rsize);
1317 
1318 	return (faddr);
1319 }
1320 
1321 /*
1322  * A null symbol interpretor.  Used if a filter has no associated filtees.
1323  */
1324 /* ARGSUSED0 */
1325 static Sym *
1326 elf_null_find_sym(Slookup *slp, Rt_map **dlmp, uint_t *binfo, int *in_nfavl)
1327 {
1328 	return (NULL);
1329 }
1330 
1331 /*
1332  * Disable filtee use.
1333  */
1334 static void
1335 elf_disable_filtee(Rt_map *lmp, Dyninfo *dip)
1336 {
1337 	dip->di_info = 0;
1338 
1339 	if ((dip->di_flags & FLG_DI_SYMFLTR) == 0) {
1340 		/*
1341 		 * If this is an object filter, free the filtee's duplication.
1342 		 */
1343 		if (OBJFLTRNDX(lmp) != FLTR_DISABLED) {
1344 			free(REFNAME(lmp));
1345 			REFNAME(lmp) = NULL;
1346 			OBJFLTRNDX(lmp) = FLTR_DISABLED;
1347 
1348 			/*
1349 			 * Indicate that this filtee is no longer available.
1350 			 */
1351 			if (dip->di_flags & FLG_DI_STDFLTR)
1352 				SYMINTP(lmp) = elf_null_find_sym;
1353 
1354 		}
1355 	} else if (dip->di_flags & FLG_DI_STDFLTR) {
1356 		/*
1357 		 * Indicate that this standard filtee is no longer available.
1358 		 */
1359 		if (SYMSFLTRCNT(lmp))
1360 			SYMSFLTRCNT(lmp)--;
1361 	} else {
1362 		/*
1363 		 * Indicate that this auxiliary filtee is no longer available.
1364 		 */
1365 		if (SYMAFLTRCNT(lmp))
1366 			SYMAFLTRCNT(lmp)--;
1367 	}
1368 	dip->di_flags &= ~MSK_DI_FILTER;
1369 }
1370 
1371 /*
1372  * Find symbol interpreter - filters.
1373  * This function is called when the symbols from a shared object should
1374  * be resolved from the shared objects filtees instead of from within itself.
1375  *
1376  * A symbol name of 0 is used to trigger filtee loading.
1377  */
1378 static Sym *
1379 _elf_lookup_filtee(Slookup *slp, Rt_map **dlmp, uint_t *binfo, uint_t ndx,
1380     int *in_nfavl)
1381 {
1382 	const char	*name = slp->sl_name, *filtees;
1383 	Rt_map		*clmp = slp->sl_cmap;
1384 	Rt_map		*ilmp = slp->sl_imap;
1385 	Pnode		*pnp, **pnpp;
1386 	int		any;
1387 	Dyninfo		*dip = &DYNINFO(ilmp)[ndx];
1388 	Lm_list		*lml = LIST(ilmp);
1389 
1390 	/*
1391 	 * Indicate that the filter has been used.  If a binding already exists
1392 	 * to the caller, indicate that this object is referenced.  This insures
1393 	 * we don't generate false unreferenced diagnostics from ldd -u/U or
1394 	 * debugging.  Don't create a binding regardless, as this filter may
1395 	 * have been dlopen()'ed.
1396 	 */
1397 	if (name && (ilmp != clmp)) {
1398 		Word	tracing = (LIST(clmp)->lm_flags &
1399 		    (LML_FLG_TRC_UNREF | LML_FLG_TRC_UNUSED));
1400 
1401 		if (tracing || DBG_ENABLED) {
1402 			Bnd_desc 	*bdp;
1403 			Aliste		idx;
1404 
1405 			FLAGS1(ilmp) |= FL1_RT_USED;
1406 
1407 			if ((tracing & LML_FLG_TRC_UNREF) || DBG_ENABLED) {
1408 				for (APLIST_TRAVERSE(CALLERS(ilmp), idx, bdp)) {
1409 					if (bdp->b_caller == clmp) {
1410 						bdp->b_flags |= BND_REFER;
1411 						break;
1412 					}
1413 				}
1414 			}
1415 		}
1416 	}
1417 
1418 	/*
1419 	 * If this is the first call to process this filter, establish the
1420 	 * filtee list.  If a configuration file exists, determine if any
1421 	 * filtee associations for this filter, and its filtee reference, are
1422 	 * defined.  Otherwise, process the filtee reference.  Any token
1423 	 * expansion is also completed at this point (i.e., $PLATFORM).
1424 	 */
1425 	filtees = (char *)STRTAB(ilmp) + DYN(ilmp)[ndx].d_un.d_val;
1426 	if (dip->di_info == 0) {
1427 		if (rtld_flags2 & RT_FL2_FLTCFG)
1428 			dip->di_info = elf_config_flt(lml, PATHNAME(ilmp),
1429 			    filtees);
1430 
1431 		if (dip->di_info == 0) {
1432 			DBG_CALL(Dbg_file_filter(lml, NAME(ilmp), filtees, 0));
1433 			if ((lml->lm_flags &
1434 			    (LML_FLG_TRC_VERBOSE | LML_FLG_TRC_SEARCH)) &&
1435 			    ((FLAGS1(ilmp) & FL1_RT_LDDSTUB) == 0))
1436 				(void) printf(MSG_INTL(MSG_LDD_FIL_FILTER),
1437 				    NAME(ilmp), filtees);
1438 
1439 			if ((dip->di_info = (void *)expand_paths(ilmp,
1440 			    filtees, 0, 0)) == 0) {
1441 				elf_disable_filtee(ilmp, dip);
1442 				return (NULL);
1443 			}
1444 		}
1445 	}
1446 
1447 	/*
1448 	 * Traverse the filtee list, dlopen()'ing any objects specified and
1449 	 * using their group handle to lookup the symbol.
1450 	 */
1451 	for (any = 0, pnpp = (Pnode **)&(dip->di_info), pnp = *pnpp; pnp;
1452 	    pnpp = &pnp->p_next, pnp = *pnpp) {
1453 		int	mode;
1454 		Grp_hdl	*ghp;
1455 		Rt_map	*nlmp = 0;
1456 
1457 		if (pnp->p_len == 0)
1458 			continue;
1459 
1460 		/*
1461 		 * Establish the mode of the filtee from the filter.  As filtees
1462 		 * are loaded via a dlopen(), make sure that RTLD_GROUP is set
1463 		 * and the filtees aren't global.  It would be nice to have
1464 		 * RTLD_FIRST used here also, but as filters got out long before
1465 		 * RTLD_FIRST was introduced it's a little too late now.
1466 		 */
1467 		mode = MODE(ilmp) | RTLD_GROUP;
1468 		mode &= ~RTLD_GLOBAL;
1469 
1470 		/*
1471 		 * Insure that any auxiliary filter can locate symbols from its
1472 		 * caller.
1473 		 */
1474 		if (dip->di_flags & FLG_DI_AUXFLTR)
1475 			mode |= RTLD_PARENT;
1476 
1477 		/*
1478 		 * Process any hardware capability directory.  Establish a new
1479 		 * link-map control list from which to analyze any newly added
1480 		 * objects.
1481 		 */
1482 		if ((pnp->p_info == 0) && (pnp->p_orig & PN_TKN_HWCAP)) {
1483 			Lm_cntl	*lmc;
1484 			Aliste	lmco;
1485 
1486 			if (FLAGS(lml->lm_head) & FLG_RT_RELOCED) {
1487 				if ((lmc = alist_append(&lml->lm_lists, 0,
1488 				    sizeof (Lm_cntl), AL_CNT_LMLISTS)) == 0)
1489 					return (NULL);
1490 				lmco = (Aliste)((char *)lmc -
1491 				    (char *)lml->lm_lists);
1492 			} else {
1493 				lmc = 0;
1494 				lmco = ALIST_OFF_DATA;
1495 			}
1496 
1497 			pnp = hwcap_filtees(pnpp, lmco, lmc, dip, ilmp, filtees,
1498 			    mode, (FLG_RT_HANDLE | FLG_RT_HWCAP), in_nfavl);
1499 
1500 			/*
1501 			 * Now that any hardware capability objects have been
1502 			 * processed, remove any link-map control list.
1503 			 */
1504 			if (lmc)
1505 				remove_cntl(lml, lmco);
1506 		}
1507 
1508 		if (pnp->p_len == 0)
1509 			continue;
1510 
1511 		/*
1512 		 * Process an individual filtee.
1513 		 */
1514 		if (pnp->p_info == 0) {
1515 			const char	*filtee = pnp->p_name;
1516 			int		audit = 0;
1517 
1518 			DBG_CALL(Dbg_file_filtee(lml, NAME(ilmp), filtee, 0));
1519 
1520 			ghp = 0;
1521 
1522 			/*
1523 			 * Determine if the reference link map is already
1524 			 * loaded.  As an optimization compare the filtee with
1525 			 * our interpretor.  The most common filter is
1526 			 * libdl.so.1, which is a filter on ld.so.1.
1527 			 */
1528 #if	defined(_ELF64)
1529 			if (strcmp(filtee, MSG_ORIG(MSG_PTH_RTLD_64)) == 0) {
1530 #else
1531 			if (strcmp(filtee, MSG_ORIG(MSG_PTH_RTLD)) == 0) {
1532 #endif
1533 				/*
1534 				 * Create an association between ld.so.1 and the
1535 				 * filter.  As an optimization, a handle for
1536 				 * ld.so.1 itself (required for the dlopen()
1537 				 * family filtering mechanism) shouldn't search
1538 				 * any dependencies of ld.so.1.  Omitting
1539 				 * GPD_ADDEPS prevents the addition of any
1540 				 * ld.so.1 dependencies to this handle.
1541 				 */
1542 				nlmp = lml_rtld.lm_head;
1543 				if ((ghp = hdl_create(&lml_rtld, nlmp, ilmp,
1544 				    (GPH_LDSO | GPH_FIRST | GPH_FILTEE),
1545 				    (GPD_DLSYM | GPD_RELOC), GPD_PARENT)) == 0)
1546 					nlmp = 0;
1547 
1548 				/*
1549 				 * Establish the filter handle to prevent any
1550 				 * recursion.
1551 				 */
1552 				if (nlmp && ghp)
1553 					pnp->p_info = (void *)ghp;
1554 
1555 				/*
1556 				 * Audit the filter/filtee established.  Ignore
1557 				 * any return from the auditor, as we can't
1558 				 * allow ignore filtering to ld.so.1, otherwise
1559 				 * nothing is going to work.
1560 				 */
1561 				if (nlmp && ((lml->lm_tflags | FLAGS1(ilmp)) &
1562 				    LML_TFLG_AUD_OBJFILTER))
1563 					(void) audit_objfilter(ilmp, filtees,
1564 					    nlmp, 0);
1565 
1566 			} else {
1567 				Rej_desc	rej = { 0 };
1568 				Lm_cntl		*lmc;
1569 				Aliste		lmco;
1570 
1571 				/*
1572 				 * Establish a new link-map control list from
1573 				 * which to analyze any newly added objects.
1574 				 */
1575 				if (FLAGS(lml->lm_head) & FLG_RT_RELOCED) {
1576 					if ((lmc =
1577 					    alist_append(&lml->lm_lists, 0,
1578 					    sizeof (Lm_cntl),
1579 					    AL_CNT_LMLISTS)) == 0)
1580 						return (NULL);
1581 					lmco = (Aliste)((char *)lmc -
1582 					    (char *)lml->lm_lists);
1583 				} else {
1584 					lmc = 0;
1585 					lmco = ALIST_OFF_DATA;
1586 				}
1587 
1588 				/*
1589 				 * Load the filtee.  Note, an auditor can
1590 				 * provide an alternative name.
1591 				 */
1592 				if ((nlmp = load_path(lml, lmco, &(pnp->p_name),
1593 				    ilmp, mode, FLG_RT_HANDLE, &ghp, 0,
1594 				    &rej, in_nfavl)) == 0) {
1595 					file_notfound(LIST(ilmp), filtee, ilmp,
1596 					    FLG_RT_HANDLE, &rej);
1597 					remove_rej(&rej);
1598 				}
1599 				filtee = pnp->p_name;
1600 
1601 				/*
1602 				 * Establish the filter handle to prevent any
1603 				 * recursion.
1604 				 */
1605 				if (nlmp && ghp) {
1606 					ghp->gh_flags |= GPH_FILTEE;
1607 					pnp->p_info = (void *)ghp;
1608 
1609 					FLAGS1(nlmp) |= FL1_RT_USED;
1610 				}
1611 
1612 				/*
1613 				 * Audit the filter/filtee established.  A
1614 				 * return of 0 indicates the auditor wishes to
1615 				 * ignore this filtee.
1616 				 */
1617 				if (nlmp && ((lml->lm_tflags | FLAGS1(ilmp)) &
1618 				    LML_TFLG_AUD_OBJFILTER)) {
1619 					if (audit_objfilter(ilmp, filtees,
1620 					    nlmp, 0) == 0) {
1621 						audit = 1;
1622 						nlmp = 0;
1623 					}
1624 				}
1625 
1626 				/*
1627 				 * Finish processing the objects associated with
1628 				 * this request.  Create an association between
1629 				 * this object and the originating filter to
1630 				 * provide sufficient information to tear down
1631 				 * this filtee if necessary.
1632 				 */
1633 				if (nlmp && ghp && ((analyze_lmc(lml, lmco,
1634 				    nlmp, in_nfavl) == 0) || (relocate_lmc(lml,
1635 				    lmco, ilmp, nlmp, in_nfavl) == 0)))
1636 					nlmp = 0;
1637 
1638 				/*
1639 				 * If the filtee has been successfully
1640 				 * processed, then create an association
1641 				 * between the filter and filtee.  This
1642 				 * association provides sufficient information
1643 				 * to tear down the filter and filtee if
1644 				 * necessary.
1645 				 */
1646 				DBG_CALL(Dbg_file_hdl_title(DBG_HDL_ADD));
1647 				if (nlmp && ghp &&
1648 				    (hdl_add(ghp, ilmp, GPD_FILTER) == 0))
1649 					nlmp = 0;
1650 
1651 				/*
1652 				 * If this filtee loading has failed, and we've
1653 				 * created a new link-map control list to which
1654 				 * this request has added objects, then remove
1655 				 * all the objects that have been associated to
1656 				 * this request.
1657 				 */
1658 				if ((nlmp == 0) && lmc && lmc->lc_head)
1659 					remove_lmc(lml, clmp, lmc, lmco, name);
1660 
1661 				/*
1662 				 * Remove any link-map control list that was
1663 				 * created.
1664 				 */
1665 				if (lmc)
1666 					remove_cntl(lml, lmco);
1667 			}
1668 
1669 			/*
1670 			 * Generate a diagnostic if the filtee couldn't be
1671 			 * loaded, null out the pnode entry, and continue
1672 			 * the search.  Otherwise, retain this group handle
1673 			 * for future symbol searches.
1674 			 */
1675 			if (nlmp == 0) {
1676 				DBG_CALL(Dbg_file_filtee(lml, 0, filtee,
1677 				    audit));
1678 
1679 				pnp->p_info = 0;
1680 				pnp->p_len = 0;
1681 				continue;
1682 			}
1683 		}
1684 
1685 		ghp = (Grp_hdl *)pnp->p_info;
1686 
1687 		/*
1688 		 * If we're just here to trigger filtee loading skip the symbol
1689 		 * lookup so we'll continue looking for additional filtees.
1690 		 */
1691 		if (name) {
1692 			Grp_desc	*gdp;
1693 			Sym		*sym = NULL;
1694 			Aliste		idx;
1695 			Slookup		sl = *slp;
1696 
1697 			sl.sl_flags |= LKUP_FIRST;
1698 			any++;
1699 
1700 			/*
1701 			 * Look for the symbol in the handles dependencies.
1702 			 */
1703 			for (ALIST_TRAVERSE(ghp->gh_depends, idx, gdp)) {
1704 				if ((gdp->gd_flags & GPD_DLSYM) == 0)
1705 					continue;
1706 
1707 				/*
1708 				 * If our parent is a dependency don't look at
1709 				 * it (otherwise we are in a recursive loop).
1710 				 * This situation can occur with auxiliary
1711 				 * filters if the filtee has a dependency on the
1712 				 * filter.  This dependency isn't necessary as
1713 				 * auxiliary filters are opened RTLD_PARENT, but
1714 				 * users may still unknowingly add an explicit
1715 				 * dependency to the parent.
1716 				 */
1717 				if ((sl.sl_imap = gdp->gd_depend) == ilmp)
1718 					continue;
1719 
1720 				if (((sym = SYMINTP(sl.sl_imap)(&sl, dlmp,
1721 				    binfo, in_nfavl)) != 0) ||
1722 				    (ghp->gh_flags & GPH_FIRST))
1723 					break;
1724 			}
1725 
1726 			/*
1727 			 * If a symbol has been found, indicate the binding
1728 			 * and return the symbol.
1729 			 */
1730 			if (sym) {
1731 				*binfo |= DBG_BINFO_FILTEE;
1732 				return (sym);
1733 			}
1734 		}
1735 
1736 		/*
1737 		 * If this object is tagged to terminate filtee processing we're
1738 		 * done.
1739 		 */
1740 		if (FLAGS1(ghp->gh_ownlmp) & FL1_RT_ENDFILTE)
1741 			break;
1742 	}
1743 
1744 	/*
1745 	 * If we're just here to trigger filtee loading then we're done.
1746 	 */
1747 	if (name == 0)
1748 		return (NULL);
1749 
1750 	/*
1751 	 * If no filtees have been found for a filter, clean up any Pnode
1752 	 * structures and disable their search completely.  For auxiliary
1753 	 * filters we can reselect the symbol search function so that we never
1754 	 * enter this routine again for this object.  For standard filters we
1755 	 * use the null symbol routine.
1756 	 */
1757 	if (any == 0) {
1758 		remove_pnode((Pnode *)dip->di_info);
1759 		elf_disable_filtee(ilmp, dip);
1760 		return (NULL);
1761 	}
1762 
1763 	return (NULL);
1764 }
1765 
1766 /*
1767  * Focal point for disabling error messages for auxiliary filters.  As an
1768  * auxiliary filter allows for filtee use, but provides a fallback should a
1769  * filtee not exist (or fail to load), any errors generated as a consequence of
1770  * trying to load the filtees are typically suppressed.  Setting RT_FL_SILENCERR
1771  * suppresses errors generated by eprint(), but insures a debug diagnostic is
1772  * produced.  ldd(1) employs printf(), and here, the selection of whether to
1773  * print a diagnostic in regards to auxiliary filters is a little more complex.
1774  *
1775  *   .	The determination of whether to produce an ldd message, or a fatal
1776  *	error message is driven by LML_FLG_TRC_ENABLE.
1777  *   .	More detailed ldd messages may also be driven off of LML_FLG_TRC_WARN,
1778  *	(ldd -d/-r), LML_FLG_TRC_VERBOSE (ldd -v), LML_FLG_TRC_SEARCH (ldd -s),
1779  *	and LML_FLG_TRC_UNREF/LML_FLG_TRC_UNUSED (ldd -U/-u).
1780  *
1781  *   .	If the calling object is lddstub, then several classes of message are
1782  *	suppressed.  The user isn't trying to diagnose lddstub, this is simply
1783  *	a stub executable employed to preload a user specified library against.
1784  *
1785  *   .	If RT_FL_SILENCERR is in effect then any generic ldd() messages should
1786  *	be suppressed.  All detailed ldd messages should still be produced.
1787  */
1788 Sym *
1789 elf_lookup_filtee(Slookup *slp, Rt_map **dlmp, uint_t *binfo, uint_t ndx,
1790     int *in_nfavl)
1791 {
1792 	Sym	*sym;
1793 	Dyninfo	*dip = &DYNINFO(slp->sl_imap)[ndx];
1794 	int	silent = 0;
1795 
1796 	/*
1797 	 * Make sure this entry is still acting as a filter.  We may have tried
1798 	 * to process this previously, and disabled it if the filtee couldn't
1799 	 * be processed.  However, other entries may provide different filtees
1800 	 * that are yet to be completed.
1801 	 */
1802 	if (dip->di_flags == 0)
1803 		return (NULL);
1804 
1805 	/*
1806 	 * Indicate whether an error message is required should this filtee not
1807 	 * be found, based on the type of filter.
1808 	 */
1809 	if ((dip->di_flags & FLG_DI_AUXFLTR) &&
1810 	    ((rtld_flags & (RT_FL_WARNFLTR | RT_FL_SILENCERR)) == 0)) {
1811 		rtld_flags |= RT_FL_SILENCERR;
1812 		silent = 1;
1813 	}
1814 
1815 	sym = _elf_lookup_filtee(slp, dlmp, binfo, ndx, in_nfavl);
1816 
1817 	if (silent)
1818 		rtld_flags &= ~RT_FL_SILENCERR;
1819 
1820 	return (sym);
1821 }
1822 
1823 /*
1824  * Compute the elf hash value (as defined in the ELF access library).
1825  * The form of the hash table is:
1826  *
1827  *	|--------------|
1828  *	| # of buckets |
1829  *	|--------------|
1830  *	| # of chains  |
1831  *	|--------------|
1832  *	|   bucket[]   |
1833  *	|--------------|
1834  *	|   chain[]    |
1835  *	|--------------|
1836  */
1837 ulong_t
1838 elf_hash(const char *name)
1839 {
1840 	uint_t	hval = 0;
1841 
1842 	while (*name) {
1843 		uint_t	g;
1844 		hval = (hval << 4) + *name++;
1845 		if ((g = (hval & 0xf0000000)) != 0)
1846 			hval ^= g >> 24;
1847 		hval &= ~g;
1848 	}
1849 	return ((ulong_t)hval);
1850 }
1851 
1852 /*
1853  * If flag argument has LKUP_SPEC set, we treat undefined symbols of type
1854  * function specially in the executable - if they have a value, even though
1855  * undefined, we use that value.  This allows us to associate all references
1856  * to a function's address to a single place in the process: the plt entry
1857  * for that function in the executable.  Calls to lookup from plt binding
1858  * routines do NOT set LKUP_SPEC in the flag.
1859  */
1860 Sym *
1861 elf_find_sym(Slookup *slp, Rt_map **dlmp, uint_t *binfo, int *in_nfavl)
1862 {
1863 	const char	*name = slp->sl_name;
1864 	Rt_map		*ilmp = slp->sl_imap;
1865 	ulong_t		hash = slp->sl_hash;
1866 	uint_t		ndx, htmp, buckets, *chainptr;
1867 	Sym		*sym, *symtabptr;
1868 	char		*strtabptr, *strtabname;
1869 	uint_t		flags1;
1870 	Syminfo		*sip;
1871 
1872 	/*
1873 	 * If we're only here to establish a symbols index, skip the diagnostic
1874 	 * used to trace a symbol search.
1875 	 */
1876 	if ((slp->sl_flags & LKUP_SYMNDX) == 0)
1877 		DBG_CALL(Dbg_syms_lookup(ilmp, name, MSG_ORIG(MSG_STR_ELF)));
1878 
1879 	if (HASH(ilmp) == 0)
1880 		return (NULL);
1881 
1882 	buckets = HASH(ilmp)[0];
1883 	/* LINTED */
1884 	htmp = (uint_t)hash % buckets;
1885 
1886 	/*
1887 	 * Get the first symbol on hash chain and initialize the string
1888 	 * and symbol table pointers.
1889 	 */
1890 	if ((ndx = HASH(ilmp)[htmp + 2]) == 0)
1891 		return (NULL);
1892 
1893 	chainptr = HASH(ilmp) + 2 + buckets;
1894 	strtabptr = STRTAB(ilmp);
1895 	symtabptr = SYMTAB(ilmp);
1896 
1897 	while (ndx) {
1898 		sym = symtabptr + ndx;
1899 		strtabname = strtabptr + sym->st_name;
1900 
1901 		/*
1902 		 * Compare the symbol found with the name required.  If the
1903 		 * names don't match continue with the next hash entry.
1904 		 */
1905 		if ((*strtabname++ != *name) || strcmp(strtabname, &name[1])) {
1906 			if ((ndx = chainptr[ndx]) != 0)
1907 				continue;
1908 			return (NULL);
1909 		}
1910 
1911 		/*
1912 		 * The Solaris ld does not put DT_VERSYM in the dynamic
1913 		 * section, but the GNU ld does. The GNU runtime linker
1914 		 * interprets the top bit of the 16-bit Versym value
1915 		 * (0x8000) as the "hidden" bit. If this bit is set,
1916 		 * the linker is supposed to act as if that symbol does
1917 		 * not exist. The hidden bit supports their versioning
1918 		 * scheme, which allows multiple incompatible functions
1919 		 * with the same name to exist at different versions
1920 		 * within an object. The Solaris linker does not support this
1921 		 * mechanism, or the model of interface evolution that
1922 		 * it allows, but we honor the hidden bit in GNU ld
1923 		 * produced objects in order to interoperate with them.
1924 		 */
1925 		if ((VERSYM(ilmp) != NULL) &&
1926 		    ((VERSYM(ilmp)[ndx] & 0x8000) != 0)) {
1927 			DBG_CALL(Dbg_syms_ignore_gnuver(ilmp, name,
1928 			    ndx, VERSYM(ilmp)[ndx]));
1929 			if ((ndx = chainptr[ndx]) != 0)
1930 				continue;
1931 			return (NULL);
1932 		}
1933 
1934 		/*
1935 		 * If we're only here to establish a symbols index, we're done.
1936 		 */
1937 		if (slp->sl_flags & LKUP_SYMNDX)
1938 			return (sym);
1939 
1940 		/*
1941 		 * If we find a match and the symbol is defined, return the
1942 		 * symbol pointer and the link map in which it was found.
1943 		 */
1944 		if (sym->st_shndx != SHN_UNDEF) {
1945 			*dlmp = ilmp;
1946 			*binfo |= DBG_BINFO_FOUND;
1947 			if ((FLAGS(ilmp) & FLG_RT_OBJINTPO) ||
1948 			    ((FLAGS(ilmp) & FLG_RT_SYMINTPO) &&
1949 			    is_sym_interposer(ilmp, sym)))
1950 				*binfo |= DBG_BINFO_INTERPOSE;
1951 			break;
1952 
1953 		/*
1954 		 * If we find a match and the symbol is undefined, the
1955 		 * symbol type is a function, and the value of the symbol
1956 		 * is non zero, then this is a special case.  This allows
1957 		 * the resolution of a function address to the plt[] entry.
1958 		 * See SPARC ABI, Dynamic Linking, Function Addresses for
1959 		 * more details.
1960 		 */
1961 		} else if ((slp->sl_flags & LKUP_SPEC) &&
1962 		    (FLAGS(ilmp) & FLG_RT_ISMAIN) && (sym->st_value != 0) &&
1963 		    (ELF_ST_TYPE(sym->st_info) == STT_FUNC)) {
1964 			*dlmp = ilmp;
1965 			*binfo |= (DBG_BINFO_FOUND | DBG_BINFO_PLTADDR);
1966 			if ((FLAGS(ilmp) & FLG_RT_OBJINTPO) ||
1967 			    ((FLAGS(ilmp) & FLG_RT_SYMINTPO) &&
1968 			    is_sym_interposer(ilmp, sym)))
1969 				*binfo |= DBG_BINFO_INTERPOSE;
1970 			return (sym);
1971 		}
1972 
1973 		/*
1974 		 * Undefined symbol.
1975 		 */
1976 		return (NULL);
1977 	}
1978 
1979 	/*
1980 	 * We've found a match.  Determine if the defining object contains
1981 	 * symbol binding information.
1982 	 */
1983 	if ((sip = SYMINFO(ilmp)) != 0)
1984 		sip += ndx;
1985 
1986 	/*
1987 	 * If this definition is a singleton, and we haven't followed a default
1988 	 * symbol search knowing that we're looking for a singleton (presumably
1989 	 * because the symbol definition has been changed since the referring
1990 	 * object was built), then reject this binding so that the caller can
1991 	 * fall back to a standard symbol search.
1992 	 */
1993 	if ((ELF_ST_VISIBILITY(sym->st_other) == STV_SINGLETON) &&
1994 	    (((slp->sl_flags & LKUP_STANDARD) == 0) ||
1995 	    (((slp->sl_flags & LKUP_SINGLETON) == 0) &&
1996 	    (LIST(ilmp)->lm_flags & LML_FLG_GROUPSEXIST)))) {
1997 		DBG_CALL(Dbg_bind_reject(slp->sl_cmap, ilmp, name,
1998 		    DBG_BNDREJ_SINGLE));
1999 		*binfo |= BINFO_REJSINGLE;
2000 		*binfo &= ~DBG_BINFO_MSK;
2001 		return (NULL);
2002 	}
2003 
2004 	/*
2005 	 * If this is a direct binding request, but the symbol definition has
2006 	 * disabled directly binding to it (presumably because the symbol
2007 	 * definition has been changed since the referring object was built),
2008 	 * reject this binding so that the caller can fall back to a standard
2009 	 * symbol search.
2010 	 */
2011 	if (sip && (slp->sl_flags & LKUP_DIRECT) &&
2012 	    (sip->si_flags & SYMINFO_FLG_NOEXTDIRECT)) {
2013 		DBG_CALL(Dbg_bind_reject(slp->sl_cmap, ilmp, name,
2014 		    DBG_BNDREJ_DIRECT));
2015 		*binfo |= BINFO_REJDIRECT;
2016 		*binfo &= ~DBG_BINFO_MSK;
2017 		return (NULL);
2018 	}
2019 
2020 	/*
2021 	 * If this is a binding request within an RTLD_GROUP family, and the
2022 	 * symbol has disabled directly binding to it, reject this binding so
2023 	 * that the caller can fall back to a standard symbol search.
2024 	 *
2025 	 * Effectively, an RTLD_GROUP family achieves what can now be
2026 	 * established with direct bindings.  However, various symbols have
2027 	 * been tagged as inappropriate for direct binding to (ie. libc:malloc).
2028 	 *
2029 	 * A symbol marked as no-direct cannot be used within a group without
2030 	 * first ensuring that the symbol has not been interposed upon outside
2031 	 * of the group.  A common example occurs when users implement their own
2032 	 * version of malloc() in the executable.  Such a malloc() interposes on
2033 	 * the libc:malloc, and this interposition must be honored within the
2034 	 * group as well.
2035 	 *
2036 	 * Following any rejection, LKUP_WORLD is established as a means of
2037 	 * overriding this test as we return to a standard search.
2038 	 */
2039 	if (sip && (sip->si_flags & SYMINFO_FLG_NOEXTDIRECT) &&
2040 	    ((MODE(slp->sl_cmap) & (RTLD_GROUP | RTLD_WORLD)) == RTLD_GROUP) &&
2041 	    ((slp->sl_flags & LKUP_WORLD) == 0)) {
2042 		DBG_CALL(Dbg_bind_reject(slp->sl_cmap, ilmp, name,
2043 		    DBG_BNDREJ_GROUP));
2044 		*binfo |= BINFO_REJGROUP;
2045 		*binfo &= ~DBG_BINFO_MSK;
2046 		return (NULL);
2047 	}
2048 
2049 	/*
2050 	 * Determine whether this object is acting as a filter.
2051 	 */
2052 	if (((flags1 = FLAGS1(ilmp)) & MSK_RT_FILTER) == 0)
2053 		return (sym);
2054 
2055 	/*
2056 	 * Determine if this object offers per-symbol filtering, and if so,
2057 	 * whether this symbol references a filtee.
2058 	 */
2059 	if (sip && (flags1 & (FL1_RT_SYMSFLTR | FL1_RT_SYMAFLTR))) {
2060 		/*
2061 		 * If this is a standard filter reference, and no standard
2062 		 * filtees remain to be inspected, we're done.  If this is an
2063 		 * auxiliary filter reference, and no auxiliary filtees remain,
2064 		 * we'll fall through in case any object filtering is available.
2065 		 */
2066 		if ((sip->si_flags & SYMINFO_FLG_FILTER) &&
2067 		    (SYMSFLTRCNT(ilmp) == 0))
2068 			return (NULL);
2069 
2070 		if ((sip->si_flags & SYMINFO_FLG_FILTER) ||
2071 		    ((sip->si_flags & SYMINFO_FLG_AUXILIARY) &&
2072 		    SYMAFLTRCNT(ilmp))) {
2073 			Sym	*fsym;
2074 
2075 			/*
2076 			 * This symbol has an associated filtee.  Lookup the
2077 			 * symbol in the filtee, and if it is found return it.
2078 			 * If the symbol doesn't exist, and this is a standard
2079 			 * filter, return an error, otherwise fall through to
2080 			 * catch any object filtering that may be available.
2081 			 */
2082 			if ((fsym = elf_lookup_filtee(slp, dlmp, binfo,
2083 			    sip->si_boundto, in_nfavl)) != 0)
2084 				return (fsym);
2085 			if (sip->si_flags & SYMINFO_FLG_FILTER)
2086 				return (NULL);
2087 		}
2088 	}
2089 
2090 	/*
2091 	 * Determine if this object provides global filtering.
2092 	 */
2093 	if (flags1 & (FL1_RT_OBJSFLTR | FL1_RT_OBJAFLTR)) {
2094 		Sym	*fsym;
2095 
2096 		if (OBJFLTRNDX(ilmp) != FLTR_DISABLED) {
2097 			/*
2098 			 * This object has an associated filtee.  Lookup the
2099 			 * symbol in the filtee, and if it is found return it.
2100 			 * If the symbol doesn't exist, and this is a standard
2101 			 * filter, return and error, otherwise return the symbol
2102 			 * within the filter itself.
2103 			 */
2104 			if ((fsym = elf_lookup_filtee(slp, dlmp, binfo,
2105 			    OBJFLTRNDX(ilmp), in_nfavl)) != 0)
2106 				return (fsym);
2107 		}
2108 
2109 		if (flags1 & FL1_RT_OBJSFLTR)
2110 			return (NULL);
2111 	}
2112 	return (sym);
2113 }
2114 
2115 /*
2116  * Create a new Rt_map structure for an ELF object and initialize
2117  * all values.
2118  */
2119 Rt_map *
2120 elf_new_lm(Lm_list *lml, const char *pname, const char *oname, Dyn *ld,
2121     ulong_t addr, ulong_t etext, Aliste lmco, ulong_t msize, ulong_t entry,
2122     ulong_t paddr, ulong_t padimsize, Mmap *mmaps, uint_t mmapcnt,
2123     int *in_nfavl)
2124 {
2125 	Rt_map		*lmp;
2126 	ulong_t		base, fltr = 0, audit = 0, cfile = 0, crle = 0;
2127 	Xword		rpath = 0;
2128 	Ehdr		*ehdr = (Ehdr *)addr;
2129 
2130 	DBG_CALL(Dbg_file_elf(lml, pname, (ulong_t)ld, addr, msize, entry,
2131 	    lml->lm_lmidstr, lmco));
2132 
2133 	/*
2134 	 * Allocate space for the link-map and private elf information.  Once
2135 	 * these are allocated and initialized, we can use remove_so(0, lmp) to
2136 	 * tear down the link-map should any failures occur.
2137 	 */
2138 	if ((lmp = calloc(sizeof (Rt_map), 1)) == 0)
2139 		return (0);
2140 	if ((ELFPRV(lmp) = calloc(sizeof (Rt_elfp), 1)) == 0) {
2141 		free(lmp);
2142 		return (0);
2143 	}
2144 
2145 	/*
2146 	 * All fields not filled in were set to 0 by calloc.
2147 	 */
2148 	ORIGNAME(lmp) = PATHNAME(lmp) = NAME(lmp) = (char *)pname;
2149 	DYN(lmp) = ld;
2150 	ADDR(lmp) = addr;
2151 	MSIZE(lmp) = msize;
2152 	ENTRY(lmp) = (Addr)entry;
2153 	SYMINTP(lmp) = elf_find_sym;
2154 	ETEXT(lmp) = etext;
2155 	FCT(lmp) = &elf_fct;
2156 	LIST(lmp) = lml;
2157 	PADSTART(lmp) = paddr;
2158 	PADIMLEN(lmp) = padimsize;
2159 	THREADID(lmp) = rt_thr_self();
2160 	OBJFLTRNDX(lmp) = FLTR_DISABLED;
2161 	SORTVAL(lmp) = -1;
2162 
2163 	MMAPS(lmp) = mmaps;
2164 	MMAPCNT(lmp) = mmapcnt;
2165 	ASSERT(mmapcnt != 0);
2166 
2167 	/*
2168 	 * If this is a shared object, add the base address to each address.
2169 	 * if this is an executable, use address as is.
2170 	 */
2171 	if (ehdr->e_type == ET_EXEC) {
2172 		base = 0;
2173 		FLAGS(lmp) |= FLG_RT_FIXED;
2174 	} else
2175 		base = addr;
2176 
2177 	/*
2178 	 * Fill in rest of the link map entries with information from the file's
2179 	 * dynamic structure.
2180 	 */
2181 	if (ld) {
2182 		uint_t		dynndx = 0;
2183 		Xword		pltpadsz = 0;
2184 		Rti_desc	*rti;
2185 
2186 		/* CSTYLED */
2187 		for ( ; ld->d_tag != DT_NULL; ++ld, dynndx++) {
2188 			switch ((Xword)ld->d_tag) {
2189 			case DT_SYMTAB:
2190 				SYMTAB(lmp) = (void *)(ld->d_un.d_ptr + base);
2191 				break;
2192 			case DT_SUNW_SYMTAB:
2193 				SUNWSYMTAB(lmp) =
2194 				    (void *)(ld->d_un.d_ptr + base);
2195 				break;
2196 			case DT_SUNW_SYMSZ:
2197 				SUNWSYMSZ(lmp) = ld->d_un.d_val;
2198 				break;
2199 			case DT_STRTAB:
2200 				STRTAB(lmp) = (void *)(ld->d_un.d_ptr + base);
2201 				break;
2202 			case DT_SYMENT:
2203 				SYMENT(lmp) = ld->d_un.d_val;
2204 				break;
2205 			case DT_FEATURE_1:
2206 				ld->d_un.d_val |= DTF_1_PARINIT;
2207 				if (ld->d_un.d_val & DTF_1_CONFEXP)
2208 					crle = 1;
2209 				break;
2210 			case DT_MOVESZ:
2211 				MOVESZ(lmp) = ld->d_un.d_val;
2212 				FLAGS(lmp) |= FLG_RT_MOVE;
2213 				break;
2214 			case DT_MOVEENT:
2215 				MOVEENT(lmp) = ld->d_un.d_val;
2216 				break;
2217 			case DT_MOVETAB:
2218 				MOVETAB(lmp) = (void *)(ld->d_un.d_ptr + base);
2219 				break;
2220 			case DT_REL:
2221 			case DT_RELA:
2222 				/*
2223 				 * At this time, ld.so. can only handle one
2224 				 * type of relocation per object.
2225 				 */
2226 				REL(lmp) = (void *)(ld->d_un.d_ptr + base);
2227 				break;
2228 			case DT_RELSZ:
2229 			case DT_RELASZ:
2230 				RELSZ(lmp) = ld->d_un.d_val;
2231 				break;
2232 			case DT_RELENT:
2233 			case DT_RELAENT:
2234 				RELENT(lmp) = ld->d_un.d_val;
2235 				break;
2236 			case DT_RELCOUNT:
2237 			case DT_RELACOUNT:
2238 				RELACOUNT(lmp) = (uint_t)ld->d_un.d_val;
2239 				break;
2240 			case DT_TEXTREL:
2241 				FLAGS1(lmp) |= FL1_RT_TEXTREL;
2242 				break;
2243 			case DT_HASH:
2244 				HASH(lmp) = (uint_t *)(ld->d_un.d_ptr + base);
2245 				break;
2246 			case DT_PLTGOT:
2247 				PLTGOT(lmp) = (uint_t *)(ld->d_un.d_ptr + base);
2248 				break;
2249 			case DT_PLTRELSZ:
2250 				PLTRELSZ(lmp) = ld->d_un.d_val;
2251 				break;
2252 			case DT_JMPREL:
2253 				JMPREL(lmp) = (void *)(ld->d_un.d_ptr + base);
2254 				break;
2255 			case DT_INIT:
2256 				if (ld->d_un.d_ptr != NULL)
2257 					INIT(lmp) =
2258 					    (void (*)())(ld->d_un.d_ptr + base);
2259 				break;
2260 			case DT_FINI:
2261 				if (ld->d_un.d_ptr != NULL)
2262 					FINI(lmp) =
2263 					    (void (*)())(ld->d_un.d_ptr + base);
2264 				break;
2265 			case DT_INIT_ARRAY:
2266 				INITARRAY(lmp) = (Addr *)(ld->d_un.d_ptr +
2267 				    base);
2268 				break;
2269 			case DT_INIT_ARRAYSZ:
2270 				INITARRAYSZ(lmp) = (uint_t)ld->d_un.d_val;
2271 				break;
2272 			case DT_FINI_ARRAY:
2273 				FINIARRAY(lmp) = (Addr *)(ld->d_un.d_ptr +
2274 				    base);
2275 				break;
2276 			case DT_FINI_ARRAYSZ:
2277 				FINIARRAYSZ(lmp) = (uint_t)ld->d_un.d_val;
2278 				break;
2279 			case DT_PREINIT_ARRAY:
2280 				PREINITARRAY(lmp) = (Addr *)(ld->d_un.d_ptr +
2281 				    base);
2282 				break;
2283 			case DT_PREINIT_ARRAYSZ:
2284 				PREINITARRAYSZ(lmp) = (uint_t)ld->d_un.d_val;
2285 				break;
2286 			case DT_RPATH:
2287 			case DT_RUNPATH:
2288 				rpath = ld->d_un.d_val;
2289 				break;
2290 			case DT_FILTER:
2291 				fltr = ld->d_un.d_val;
2292 				OBJFLTRNDX(lmp) = dynndx;
2293 				FLAGS1(lmp) |= FL1_RT_OBJSFLTR;
2294 				break;
2295 			case DT_AUXILIARY:
2296 				if (!(rtld_flags & RT_FL_NOAUXFLTR)) {
2297 					fltr = ld->d_un.d_val;
2298 					OBJFLTRNDX(lmp) = dynndx;
2299 				}
2300 				FLAGS1(lmp) |= FL1_RT_OBJAFLTR;
2301 				break;
2302 			case DT_SUNW_FILTER:
2303 				SYMSFLTRCNT(lmp)++;
2304 				FLAGS1(lmp) |= FL1_RT_SYMSFLTR;
2305 				break;
2306 			case DT_SUNW_AUXILIARY:
2307 				if (!(rtld_flags & RT_FL_NOAUXFLTR)) {
2308 					SYMAFLTRCNT(lmp)++;
2309 				}
2310 				FLAGS1(lmp) |= FL1_RT_SYMAFLTR;
2311 				break;
2312 			case DT_DEPAUDIT:
2313 				if (!(rtld_flags & RT_FL_NOAUDIT))
2314 					audit = ld->d_un.d_val;
2315 				break;
2316 			case DT_CONFIG:
2317 				cfile = ld->d_un.d_val;
2318 				break;
2319 			case DT_DEBUG:
2320 				/*
2321 				 * DT_DEBUG entries are only created in
2322 				 * dynamic objects that require an interpretor
2323 				 * (ie. all dynamic executables and some shared
2324 				 * objects), and provide for a hand-shake with
2325 				 * debuggers.  This entry is initialized to
2326 				 * zero by the link-editor.  If a debugger has
2327 				 * us and updated this entry set the debugger
2328 				 * flag, and finish initializing the debugging
2329 				 * structure (see setup() also).  Switch off any
2330 				 * configuration object use as most debuggers
2331 				 * can't handle fixed dynamic executables as
2332 				 * dependencies, and we can't handle requests
2333 				 * like object padding for alternative objects.
2334 				 */
2335 				if (ld->d_un.d_ptr)
2336 					rtld_flags |=
2337 					    (RT_FL_DEBUGGER | RT_FL_NOOBJALT);
2338 				ld->d_un.d_ptr = (Addr)&r_debug;
2339 				break;
2340 			case DT_VERNEED:
2341 				VERNEED(lmp) = (Verneed *)(ld->d_un.d_ptr +
2342 				    base);
2343 				break;
2344 			case DT_VERNEEDNUM:
2345 				/* LINTED */
2346 				VERNEEDNUM(lmp) = (int)ld->d_un.d_val;
2347 				break;
2348 			case DT_VERDEF:
2349 				VERDEF(lmp) = (Verdef *)(ld->d_un.d_ptr + base);
2350 				break;
2351 			case DT_VERDEFNUM:
2352 				/* LINTED */
2353 				VERDEFNUM(lmp) = (int)ld->d_un.d_val;
2354 				break;
2355 			case DT_VERSYM:
2356 				/*
2357 				 * The Solaris ld does not produce DT_VERSYM,
2358 				 * but the GNU ld does, in order to support
2359 				 * their style of versioning, which differs
2360 				 * from ours in some ways, while using the
2361 				 * same data structures. The presence of
2362 				 * DT_VERSYM therefore means that GNU
2363 				 * versioning rules apply to the given file.
2364 				 * If DT_VERSYM is not present, then Solaris
2365 				 * versioning rules apply.
2366 				 */
2367 				VERSYM(lmp) = (Versym *)(ld->d_un.d_ptr + base);
2368 				break;
2369 			case DT_BIND_NOW:
2370 				if ((rtld_flags2 & RT_FL2_BINDLAZY) == 0) {
2371 					MODE(lmp) |= RTLD_NOW;
2372 					MODE(lmp) &= ~RTLD_LAZY;
2373 				}
2374 				break;
2375 			case DT_FLAGS:
2376 				FLAGS2(lmp) |= FL2_RT_DTFLAGS;
2377 				if (ld->d_un.d_val & DF_SYMBOLIC)
2378 					FLAGS1(lmp) |= FL1_RT_SYMBOLIC;
2379 				if (ld->d_un.d_val & DF_TEXTREL)
2380 					FLAGS1(lmp) |= FL1_RT_TEXTREL;
2381 				if ((ld->d_un.d_val & DF_BIND_NOW) &&
2382 				    ((rtld_flags2 & RT_FL2_BINDLAZY) == 0)) {
2383 					MODE(lmp) |= RTLD_NOW;
2384 					MODE(lmp) &= ~RTLD_LAZY;
2385 				}
2386 				/*
2387 				 * Capture any static TLS use, and enforce that
2388 				 * this object be non-deletable.
2389 				 */
2390 				if (ld->d_un.d_val & DF_STATIC_TLS) {
2391 					FLAGS1(lmp) |= FL1_RT_TLSSTAT;
2392 					MODE(lmp) |= RTLD_NODELETE;
2393 				}
2394 				break;
2395 			case DT_FLAGS_1:
2396 				if (ld->d_un.d_val & DF_1_DISPRELPND)
2397 					FLAGS1(lmp) |= FL1_RT_DISPREL;
2398 				if (ld->d_un.d_val & DF_1_GROUP)
2399 					FLAGS(lmp) |=
2400 					    (FLG_RT_SETGROUP | FLG_RT_HANDLE);
2401 				if ((ld->d_un.d_val & DF_1_NOW) &&
2402 				    ((rtld_flags2 & RT_FL2_BINDLAZY) == 0)) {
2403 					MODE(lmp) |= RTLD_NOW;
2404 					MODE(lmp) &= ~RTLD_LAZY;
2405 				}
2406 				if (ld->d_un.d_val & DF_1_NODELETE)
2407 					MODE(lmp) |= RTLD_NODELETE;
2408 				if (ld->d_un.d_val & DF_1_INITFIRST)
2409 					FLAGS(lmp) |= FLG_RT_INITFRST;
2410 				if (ld->d_un.d_val & DF_1_NOOPEN)
2411 					FLAGS(lmp) |= FLG_RT_NOOPEN;
2412 				if (ld->d_un.d_val & DF_1_LOADFLTR)
2413 					FLAGS(lmp) |= FLG_RT_LOADFLTR;
2414 				if (ld->d_un.d_val & DF_1_NODUMP)
2415 					FLAGS(lmp) |= FLG_RT_NODUMP;
2416 				if (ld->d_un.d_val & DF_1_CONFALT)
2417 					crle = 1;
2418 				if (ld->d_un.d_val & DF_1_DIRECT)
2419 					FLAGS1(lmp) |= FL1_RT_DIRECT;
2420 				if (ld->d_un.d_val & DF_1_NODEFLIB)
2421 					FLAGS1(lmp) |= FL1_RT_NODEFLIB;
2422 				if (ld->d_un.d_val & DF_1_ENDFILTEE)
2423 					FLAGS1(lmp) |= FL1_RT_ENDFILTE;
2424 				if (ld->d_un.d_val & DF_1_TRANS)
2425 					FLAGS(lmp) |= FLG_RT_TRANS;
2426 #ifndef	EXPAND_RELATIVE
2427 				if (ld->d_un.d_val & DF_1_ORIGIN)
2428 					FLAGS1(lmp) |= FL1_RT_RELATIVE;
2429 #endif
2430 				/*
2431 				 * Global auditing is only meaningful when
2432 				 * specified by the initiating object of the
2433 				 * process - typically the dynamic executable.
2434 				 * If this is the initiaiting object, its link-
2435 				 * map will not yet have been added to the
2436 				 * link-map list, and consequently the link-map
2437 				 * list is empty.  (see setup()).
2438 				 */
2439 				if (ld->d_un.d_val & DF_1_GLOBAUDIT) {
2440 					if (lml_main.lm_head == 0)
2441 						FLAGS1(lmp) |= FL1_RT_GLOBAUD;
2442 					else
2443 						DBG_CALL(Dbg_audit_ignore(lmp));
2444 				}
2445 
2446 				/*
2447 				 * If this object identifies itself as an
2448 				 * interposer, but relocation processing has
2449 				 * already started, then demote it.  It's too
2450 				 * late to guarantee complete interposition.
2451 				 */
2452 				/* BEGIN CSTYLED */
2453 				if (ld->d_un.d_val &
2454 				    (DF_1_INTERPOSE | DF_1_SYMINTPOSE)) {
2455 				    if (lml->lm_flags & LML_FLG_STARTREL) {
2456 					DBG_CALL(Dbg_util_intoolate(lmp));
2457 					if (lml->lm_flags & LML_FLG_TRC_ENABLE)
2458 					    (void) printf(
2459 						MSG_INTL(MSG_LDD_REL_ERR2),
2460 						NAME(lmp));
2461 				    } else if (ld->d_un.d_val & DF_1_INTERPOSE)
2462 					FLAGS(lmp) |= FLG_RT_OBJINTPO;
2463 				    else
2464 					FLAGS(lmp) |= FLG_RT_SYMINTPO;
2465 				}
2466 				/* END CSTYLED */
2467 				break;
2468 			case DT_SYMINFO:
2469 				SYMINFO(lmp) = (Syminfo *)(ld->d_un.d_ptr +
2470 				    base);
2471 				break;
2472 			case DT_SYMINENT:
2473 				SYMINENT(lmp) = ld->d_un.d_val;
2474 				break;
2475 			case DT_PLTPAD:
2476 				PLTPAD(lmp) = (void *)(ld->d_un.d_ptr + base);
2477 				break;
2478 			case DT_PLTPADSZ:
2479 				pltpadsz = ld->d_un.d_val;
2480 				break;
2481 			case DT_SUNW_RTLDINF:
2482 				/*
2483 				 * Maintain a list of RTLDINFO structures.
2484 				 * Typically, libc is the only supplier, and
2485 				 * only one structure is provided.  However,
2486 				 * multiple suppliers and multiple structures
2487 				 * are supported.  For example, one structure
2488 				 * may provide thread_init, and another
2489 				 * structure may provide atexit reservations.
2490 				 */
2491 				if ((rti = alist_append(&lml->lm_rti, 0,
2492 				    sizeof (Rti_desc), AL_CNT_RTLDINFO)) == 0) {
2493 					remove_so(0, lmp);
2494 					return (0);
2495 				}
2496 				rti->rti_lmp = lmp;
2497 				rti->rti_info = (void *)(ld->d_un.d_ptr + base);
2498 				break;
2499 			case DT_SUNW_SORTENT:
2500 				SUNWSORTENT(lmp) = ld->d_un.d_val;
2501 				break;
2502 			case DT_SUNW_SYMSORT:
2503 				SUNWSYMSORT(lmp) =
2504 				    (void *)(ld->d_un.d_ptr + base);
2505 				break;
2506 			case DT_SUNW_SYMSORTSZ:
2507 				SUNWSYMSORTSZ(lmp) = ld->d_un.d_val;
2508 				break;
2509 			case DT_DEPRECATED_SPARC_REGISTER:
2510 			case M_DT_REGISTER:
2511 				FLAGS(lmp) |= FLG_RT_REGSYMS;
2512 				break;
2513 			}
2514 		}
2515 
2516 		if (PLTPAD(lmp)) {
2517 			if (pltpadsz == (Xword)0)
2518 				PLTPAD(lmp) = 0;
2519 			else
2520 				PLTPADEND(lmp) = (void *)((Addr)PLTPAD(lmp) +
2521 				    pltpadsz);
2522 		}
2523 
2524 		/*
2525 		 * Allocate a Dynamic Info structure.
2526 		 */
2527 		if ((DYNINFO(lmp) = calloc((size_t)dynndx,
2528 		    sizeof (Dyninfo))) == 0) {
2529 			remove_so(0, lmp);
2530 			return (0);
2531 		}
2532 		DYNINFOCNT(lmp) = dynndx;
2533 	}
2534 
2535 	/*
2536 	 * A dynsym contains only global functions. We want to have
2537 	 * a version of it that also includes local functions, so that
2538 	 * dladdr() will be able to report names for local functions
2539 	 * when used to generate a stack trace for a stripped file.
2540 	 * This version of the dynsym is provided via DT_SUNW_SYMTAB.
2541 	 *
2542 	 * In producing DT_SUNW_SYMTAB, ld uses a non-obvious trick
2543 	 * in order to avoid having to have two copies of the global
2544 	 * symbols held in DT_SYMTAB: The local symbols are placed in
2545 	 * a separate section than the globals in the dynsym, but the
2546 	 * linker conspires to put the data for these two sections adjacent
2547 	 * to each other. DT_SUNW_SYMTAB points at the top of the local
2548 	 * symbols, and DT_SUNW_SYMSZ is the combined length of both tables.
2549 	 *
2550 	 * If the two sections are not adjacent, then something went wrong
2551 	 * at link time. We use ASSERT to kill the process if this is
2552 	 * a debug build. In a production build, we will silently ignore
2553 	 * the presence of the .ldynsym and proceed. We can detect this
2554 	 * situation by checking to see that DT_SYMTAB lies in
2555 	 * the range given by DT_SUNW_SYMTAB/DT_SUNW_SYMSZ.
2556 	 */
2557 	if ((SUNWSYMTAB(lmp) != NULL) &&
2558 	    (((char *)SYMTAB(lmp) <= (char *)SUNWSYMTAB(lmp)) ||
2559 	    (((char *)SYMTAB(lmp) >=
2560 	    (SUNWSYMSZ(lmp) + (char *)SUNWSYMTAB(lmp)))))) {
2561 		ASSERT(0);
2562 		SUNWSYMTAB(lmp) = NULL;
2563 		SUNWSYMSZ(lmp) = 0;
2564 	}
2565 
2566 	/*
2567 	 * If configuration file use hasn't been disabled, and a configuration
2568 	 * file hasn't already been set via an environment variable, see if any
2569 	 * application specific configuration file is specified.  An LD_CONFIG
2570 	 * setting is used first, but if this image was generated via crle(1)
2571 	 * then a default configuration file is a fall-back.
2572 	 */
2573 	if ((!(rtld_flags & RT_FL_NOCFG)) && (config->c_name == 0)) {
2574 		if (cfile)
2575 			config->c_name = (const char *)(cfile +
2576 			    (char *)STRTAB(lmp));
2577 		else if (crle) {
2578 			rtld_flags |= RT_FL_CONFAPP;
2579 #ifndef	EXPAND_RELATIVE
2580 			FLAGS1(lmp) |= FL1_RT_RELATIVE;
2581 #endif
2582 		}
2583 	}
2584 
2585 	if (rpath)
2586 		RPATH(lmp) = (char *)(rpath + (char *)STRTAB(lmp));
2587 	if (fltr) {
2588 		/*
2589 		 * If this object is a global filter, duplicate the filtee
2590 		 * string name(s) so that REFNAME() is available in core files.
2591 		 * This cludge was useful for debuggers at one point, but only
2592 		 * when the filtee name was an individual full path.
2593 		 */
2594 		if ((REFNAME(lmp) = strdup(fltr + (char *)STRTAB(lmp))) == 0) {
2595 			remove_so(0, lmp);
2596 			return (0);
2597 		}
2598 	}
2599 
2600 	if (rtld_flags & RT_FL_RELATIVE)
2601 		FLAGS1(lmp) |= FL1_RT_RELATIVE;
2602 
2603 	/*
2604 	 * For Intel ABI compatibility.  It's possible that a JMPREL can be
2605 	 * specified without any other relocations (e.g. a dynamic executable
2606 	 * normally only contains .plt relocations).  If this is the case then
2607 	 * no REL, RELSZ or RELENT will have been created.  For us to be able
2608 	 * to traverse the .plt relocations under LD_BIND_NOW we need to know
2609 	 * the RELENT for these relocations.  Refer to elf_reloc() for more
2610 	 * details.
2611 	 */
2612 	if (!RELENT(lmp) && JMPREL(lmp))
2613 		RELENT(lmp) = sizeof (Rel);
2614 
2615 	/*
2616 	 * Establish any per-object auditing.  If we're establishing `main's
2617 	 * link-map its too early to go searching for audit objects so just
2618 	 * hold the object name for later (see setup()).
2619 	 */
2620 	if (audit) {
2621 		char	*cp = audit + (char *)STRTAB(lmp);
2622 
2623 		if (*cp) {
2624 			if (((AUDITORS(lmp) =
2625 			    calloc(1, sizeof (Audit_desc))) == 0) ||
2626 			    ((AUDITORS(lmp)->ad_name = strdup(cp)) == 0)) {
2627 				remove_so(0, lmp);
2628 				return (0);
2629 			}
2630 			if (lml_main.lm_head) {
2631 				if (audit_setup(lmp, AUDITORS(lmp), 0,
2632 				    in_nfavl) == 0) {
2633 					remove_so(0, lmp);
2634 					return (0);
2635 				}
2636 				FLAGS1(lmp) |= AUDITORS(lmp)->ad_flags;
2637 				lml->lm_flags |= LML_FLG_LOCAUDIT;
2638 			}
2639 		}
2640 	}
2641 
2642 	if ((CONDVAR(lmp) = rt_cond_create()) == 0) {
2643 		remove_so(0, lmp);
2644 		return (0);
2645 	}
2646 	if (oname && ((append_alias(lmp, oname, 0)) == 0)) {
2647 		remove_so(0, lmp);
2648 		return (0);
2649 	}
2650 
2651 	/*
2652 	 * Add the mapped object to the end of the link map list.
2653 	 */
2654 	lm_append(lml, lmco, lmp);
2655 	return (lmp);
2656 }
2657 
2658 /*
2659  * Assign hardware/software capabilities.
2660  */
2661 void
2662 cap_assign(Cap *cap, Rt_map *lmp)
2663 {
2664 	while (cap->c_tag != CA_SUNW_NULL) {
2665 		switch (cap->c_tag) {
2666 		case CA_SUNW_HW_1:
2667 			HWCAP(lmp) = cap->c_un.c_val;
2668 			break;
2669 		case CA_SUNW_SF_1:
2670 			SFCAP(lmp) = cap->c_un.c_val;
2671 		}
2672 		cap++;
2673 	}
2674 }
2675 
2676 /*
2677  * Map in an ELF object.
2678  * Takes an open file descriptor for the object to map and its pathname; returns
2679  * a pointer to a Rt_map structure for this object, or 0 on error.
2680  */
2681 static Rt_map *
2682 elf_map_so(Lm_list *lml, Aliste lmco, const char *pname, const char *oname,
2683     int fd, int *in_nfavl)
2684 {
2685 	int		i; 		/* general temporary */
2686 	Off		memsize = 0;	/* total memory size of pathname */
2687 	Off		mentry;		/* entry point */
2688 	Ehdr		*ehdr;		/* ELF header of ld.so */
2689 	Phdr		*phdr;		/* first Phdr in file */
2690 	Phdr		*phdr0;		/* Saved first Phdr in file */
2691 	Phdr		*pptr;		/* working Phdr */
2692 	Phdr		*fph = 0;	/* first loadable Phdr */
2693 	Phdr		*lph;		/* last loadable Phdr */
2694 	Phdr		*lfph = 0;	/* last loadable (filesz != 0) Phdr */
2695 	Phdr		*lmph = 0;	/* last loadable (memsz != 0) Phdr */
2696 	Phdr		*tlph = 0;	/* program header for PT_TLS */
2697 	Phdr		*unwindph = 0;	/* program header for PT_SUNW_UNWIND */
2698 	Cap		*cap = 0;	/* program header for SUNWCAP */
2699 	Dyn		*mld = 0;	/* DYNAMIC structure for pathname */
2700 	size_t		size;		/* size of elf and program headers */
2701 	caddr_t		faddr = 0;	/* mapping address of pathname */
2702 	Rt_map		*lmp;		/* link map created */
2703 	caddr_t		paddr;		/* start of padded image */
2704 	Off		plen;		/* size of image including padding */
2705 	Half		etype;
2706 	int		fixed;
2707 	Mmap		*mmaps;
2708 	uint_t		mmapcnt = 0;
2709 	Xword		align = 0;
2710 
2711 	/* LINTED */
2712 	ehdr = (Ehdr *)fmap->fm_maddr;
2713 
2714 	/*
2715 	 * If this a relocatable object then special processing is required.
2716 	 */
2717 	if ((etype = ehdr->e_type) == ET_REL)
2718 		return (elf_obj_file(lml, lmco, pname, fd));
2719 
2720 	/*
2721 	 * If this isn't a dynamic executable or shared object we can't process
2722 	 * it.  If this is a dynamic executable then all addresses are fixed.
2723 	 */
2724 	if (etype == ET_EXEC) {
2725 		fixed = 1;
2726 	} else if (etype == ET_DYN) {
2727 		fixed = 0;
2728 	} else {
2729 		Conv_inv_buf_t inv_buf;
2730 
2731 		eprintf(lml, ERR_ELF, MSG_INTL(MSG_GEN_BADTYPE), pname,
2732 		    conv_ehdr_type(etype, 0, &inv_buf));
2733 		return (0);
2734 	}
2735 
2736 	/*
2737 	 * If our original mapped page was not large enough to hold all the
2738 	 * program headers remap them.
2739 	 */
2740 	size = (size_t)((char *)ehdr->e_phoff +
2741 	    (ehdr->e_phnum * ehdr->e_phentsize));
2742 	if (size > fmap->fm_fsize) {
2743 		eprintf(lml, ERR_FATAL, MSG_INTL(MSG_GEN_CORTRUNC), pname);
2744 		return (0);
2745 	}
2746 	if (size > fmap->fm_msize) {
2747 		fmap_setup();
2748 		if ((fmap->fm_maddr = mmap(fmap->fm_maddr, size, PROT_READ,
2749 		    fmap->fm_mflags, fd, 0)) == MAP_FAILED) {
2750 			int	err = errno;
2751 			eprintf(lml, ERR_FATAL, MSG_INTL(MSG_SYS_MMAP), pname,
2752 			    strerror(err));
2753 			return (0);
2754 		}
2755 		fmap->fm_msize = size;
2756 		/* LINTED */
2757 		ehdr = (Ehdr *)fmap->fm_maddr;
2758 	}
2759 	/* LINTED */
2760 	phdr0 = phdr = (Phdr *)((char *)ehdr + ehdr->e_ehsize);
2761 
2762 	/*
2763 	 * Get entry point.
2764 	 */
2765 	mentry = ehdr->e_entry;
2766 
2767 	/*
2768 	 * Point at program headers and perform some basic validation.
2769 	 */
2770 	for (i = 0, pptr = phdr; i < (int)ehdr->e_phnum; i++,
2771 	    pptr = (Phdr *)((Off)pptr + ehdr->e_phentsize)) {
2772 		if (pptr->p_type == PT_LOAD) {
2773 
2774 			if (fph == 0) {
2775 				fph = pptr;
2776 			/* LINTED argument lph is initialized in first pass */
2777 			} else if (pptr->p_vaddr <= lph->p_vaddr) {
2778 				eprintf(lml, ERR_ELF,
2779 				    MSG_INTL(MSG_GEN_INVPRGHDR), pname);
2780 				return (0);
2781 			}
2782 
2783 			lph = pptr;
2784 
2785 			if (pptr->p_memsz)
2786 				lmph = pptr;
2787 			if (pptr->p_filesz)
2788 				lfph = pptr;
2789 			if (pptr->p_align > align)
2790 				align = pptr->p_align;
2791 
2792 		} else if (pptr->p_type == PT_DYNAMIC) {
2793 			mld = (Dyn *)(pptr->p_vaddr);
2794 		} else if ((pptr->p_type == PT_TLS) && pptr->p_memsz) {
2795 			tlph = pptr;
2796 		} else if (pptr->p_type == PT_SUNWCAP) {
2797 			cap = (Cap *)(pptr->p_vaddr);
2798 		} else if (pptr->p_type == PT_SUNW_UNWIND) {
2799 			unwindph = pptr;
2800 		}
2801 	}
2802 
2803 #if defined(MAP_ALIGN)
2804 	/*
2805 	 * Make sure the maximum page alignment is a power of 2 >= the default
2806 	 * segment alignment, for use with MAP_ALIGN.
2807 	 */
2808 	align = S_ROUND(align, M_SEGM_ALIGN);
2809 #endif
2810 
2811 	/*
2812 	 * We'd better have at least one loadable segment, together with some
2813 	 * specified file and memory size.
2814 	 */
2815 	if ((fph == 0) || (lmph == 0) || (lfph == 0)) {
2816 		eprintf(lml, ERR_ELF, MSG_INTL(MSG_GEN_NOLOADSEG), pname);
2817 		return (0);
2818 	}
2819 
2820 	/*
2821 	 * Check that the files size accounts for the loadable sections
2822 	 * we're going to map in (failure to do this may cause spurious
2823 	 * bus errors if we're given a truncated file).
2824 	 */
2825 	if (fmap->fm_fsize < ((size_t)lfph->p_offset + lfph->p_filesz)) {
2826 		eprintf(lml, ERR_FATAL, MSG_INTL(MSG_GEN_CORTRUNC), pname);
2827 		return (0);
2828 	}
2829 
2830 	/*
2831 	 * Memsize must be page rounded so that if we add object padding
2832 	 * at the end it will start at the beginning of a page.
2833 	 */
2834 	plen = memsize = M_PROUND((lmph->p_vaddr + lmph->p_memsz) -
2835 	    M_PTRUNC((ulong_t)fph->p_vaddr));
2836 
2837 	/*
2838 	 * Determine if an existing mapping is acceptable.
2839 	 */
2840 	if (interp && (lml->lm_flags & LML_FLG_BASELM) &&
2841 	    (strcmp(pname, interp->i_name) == 0)) {
2842 		/*
2843 		 * If this is the interpreter then it has already been mapped
2844 		 * and we have the address so don't map it again.  Note that
2845 		 * the common occurrence of a reference to the interpretor
2846 		 * (libdl -> ld.so.1) will have been caught during filter
2847 		 * initialization (see elf_lookup_filtee()).  However, some
2848 		 * ELF implementations are known to record libc.so.1 as the
2849 		 * interpretor, and thus this test catches this behavior.
2850 		 */
2851 		paddr = faddr = interp->i_faddr;
2852 
2853 	} else if ((fixed == 0) && (r_debug.rtd_objpad == 0) &&
2854 	    (memsize <= fmap->fm_msize) && ((fph->p_flags & PF_W) == 0) &&
2855 	    (fph == lph) && (fph->p_filesz == fph->p_memsz) &&
2856 	    (((Xword)fmap->fm_maddr % align) == 0)) {
2857 		size_t	rsize;
2858 
2859 		/*
2860 		 * If the file contains a single segment, and the mapping
2861 		 * required has already been established from the initial fmap
2862 		 * mapping, then we don't need to do anything more.  Reset the
2863 		 * fmap address so that any later files start a new fmap.  This
2864 		 * is really an optimization for filters, such as libdl.so,
2865 		 * libthread, etc. that are constructed to be a single text
2866 		 * segment.
2867 		 */
2868 		paddr = faddr = fmap->fm_maddr;
2869 
2870 		/*
2871 		 * Free any unused mapping by assigning the fmap buffer to the
2872 		 * unused region.  fmap_setup() will unmap this area and
2873 		 * establish defaults for future mappings.
2874 		 */
2875 		rsize = M_PROUND(fph->p_filesz);
2876 		fmap->fm_maddr += rsize;
2877 		fmap->fm_msize -= rsize;
2878 		fmap_setup();
2879 	}
2880 
2881 	/*
2882 	 * Allocate a mapping array to retain mapped segment information.
2883 	 */
2884 	if ((mmaps = calloc(ehdr->e_phnum, sizeof (Mmap))) == 0)
2885 		return (0);
2886 
2887 	/*
2888 	 * If we're reusing an existing mapping determine the objects etext
2889 	 * address.  Otherwise map the file (which will calculate the etext
2890 	 * address as part of the mapping process).
2891 	 */
2892 	if (faddr) {
2893 		caddr_t	base;
2894 
2895 		if (fixed)
2896 			base = 0;
2897 		else
2898 			base = faddr;
2899 
2900 		/* LINTED */
2901 		phdr0 = phdr = (Phdr *)((char *)faddr + ehdr->e_ehsize);
2902 
2903 		for (i = 0, pptr = phdr; i < (int)ehdr->e_phnum; i++,
2904 		    pptr = (Phdr *)((Off)pptr + ehdr->e_phentsize)) {
2905 			if (pptr->p_type != PT_LOAD)
2906 				continue;
2907 
2908 			mmaps[mmapcnt].m_vaddr = (pptr->p_vaddr + base);
2909 			mmaps[mmapcnt].m_msize = pptr->p_memsz;
2910 			mmaps[mmapcnt].m_fsize = pptr->p_filesz;
2911 			mmaps[mmapcnt].m_perm = (PROT_READ | PROT_EXEC);
2912 			mmapcnt++;
2913 
2914 			if (!(pptr->p_flags & PF_W)) {
2915 				fmap->fm_etext = (ulong_t)pptr->p_vaddr +
2916 				    (ulong_t)pptr->p_memsz +
2917 				    (ulong_t)(fixed ? 0 : faddr);
2918 			}
2919 		}
2920 	} else {
2921 		/*
2922 		 * Map the file.
2923 		 */
2924 		if (!(faddr = elf_map_it(lml, pname, memsize, ehdr, fph, lph,
2925 		    &phdr, &paddr, &plen, fixed, fd, align, mmaps, &mmapcnt)))
2926 			return (0);
2927 	}
2928 
2929 	/*
2930 	 * Calculate absolute base addresses and entry points.
2931 	 */
2932 	if (!fixed) {
2933 		if (mld)
2934 			/* LINTED */
2935 			mld = (Dyn *)((Off)mld + faddr);
2936 		if (cap)
2937 			/* LINTED */
2938 			cap = (Cap *)((Off)cap + faddr);
2939 		mentry += (Off)faddr;
2940 	}
2941 
2942 	/*
2943 	 * Create new link map structure for newly mapped shared object.
2944 	 */
2945 	if (!(lmp = elf_new_lm(lml, pname, oname, mld, (ulong_t)faddr,
2946 	    fmap->fm_etext, lmco, memsize, mentry, (ulong_t)paddr, plen, mmaps,
2947 	    mmapcnt, in_nfavl))) {
2948 		(void) munmap((caddr_t)faddr, memsize);
2949 		return (0);
2950 	}
2951 
2952 	/*
2953 	 * Start the system loading in the ELF information we'll be processing.
2954 	 */
2955 	if (REL(lmp)) {
2956 		(void) madvise((void *)ADDR(lmp), (uintptr_t)REL(lmp) +
2957 		    (uintptr_t)RELSZ(lmp) - (uintptr_t)ADDR(lmp),
2958 		    MADV_WILLNEED);
2959 	}
2960 
2961 	/*
2962 	 * If this shared object contains any special segments, record them.
2963 	 */
2964 	if (tlph && (tls_assign(lml, lmp, (phdr + (tlph - phdr0))) == 0)) {
2965 		remove_so(lml, lmp);
2966 		return (0);
2967 	}
2968 
2969 	if (unwindph)
2970 		PTUNWIND(lmp) = phdr + (unwindph - phdr0);
2971 
2972 	if (cap)
2973 		cap_assign(cap, lmp);
2974 
2975 	return (lmp);
2976 }
2977 
2978 /*
2979  * Function to correct protection settings.  Segments are all mapped initially
2980  * with permissions as given in the segment header.  We need to turn on write
2981  * permissions on a text segment if there are any relocations against that
2982  * segment, and them turn write permission back off again before returning
2983  * control to the user.  This function turns the permission on or off depending
2984  * on the value of the argument.
2985  */
2986 int
2987 elf_set_prot(Rt_map *lmp, int permission)
2988 {
2989 	Mmap	*mmaps;
2990 
2991 	/*
2992 	 * If this is an allocated image (ie. a relocatable object) we can't
2993 	 * mprotect() anything.
2994 	 */
2995 	if (FLAGS(lmp) & FLG_RT_IMGALLOC)
2996 		return (1);
2997 
2998 	DBG_CALL(Dbg_file_prot(lmp, permission));
2999 
3000 	for (mmaps = MMAPS(lmp); mmaps->m_vaddr; mmaps++) {
3001 		if (mmaps->m_perm & PROT_WRITE)
3002 			continue;
3003 
3004 		if (mprotect(mmaps->m_vaddr, mmaps->m_msize,
3005 		    (mmaps->m_perm | permission)) == -1) {
3006 			int	err = errno;
3007 			eprintf(LIST(lmp), ERR_FATAL, MSG_INTL(MSG_SYS_MPROT),
3008 			    NAME(lmp), strerror(err));
3009 			return (0);
3010 		}
3011 	}
3012 	return (1);
3013 }
3014 
3015 /*
3016  * Build full pathname of shared object from given directory name and filename.
3017  */
3018 static char *
3019 elf_get_so(const char *dir, const char *file)
3020 {
3021 	static char	pname[PATH_MAX];
3022 
3023 	(void) snprintf(pname, PATH_MAX, MSG_ORIG(MSG_FMT_PATH), dir, file);
3024 	return (pname);
3025 }
3026 
3027 /*
3028  * The copy relocation is recorded in a copy structure which will be applied
3029  * after all other relocations are carried out.  This provides for copying data
3030  * that must be relocated itself (ie. pointers in shared objects).  This
3031  * structure also provides a means of binding RTLD_GROUP dependencies to any
3032  * copy relocations that have been taken from any group members.
3033  *
3034  * If the size of the .bss area available for the copy information is not the
3035  * same as the source of the data inform the user if we're under ldd(1) control
3036  * (this checking was only established in 5.3, so by only issuing an error via
3037  * ldd(1) we maintain the standard set by previous releases).
3038  */
3039 int
3040 elf_copy_reloc(char *name, Sym *rsym, Rt_map *rlmp, void *radd, Sym *dsym,
3041     Rt_map *dlmp, const void *dadd)
3042 {
3043 	Rel_copy	rc;
3044 	Lm_list		*lml = LIST(rlmp);
3045 
3046 	rc.r_name = name;
3047 	rc.r_rsym = rsym;		/* the new reference symbol and its */
3048 	rc.r_rlmp = rlmp;		/*	associated link-map */
3049 	rc.r_dlmp = dlmp;		/* the defining link-map */
3050 	rc.r_dsym = dsym;		/* the original definition */
3051 	rc.r_radd = radd;
3052 	rc.r_dadd = dadd;
3053 
3054 	if (rsym->st_size > dsym->st_size)
3055 		rc.r_size = (size_t)dsym->st_size;
3056 	else
3057 		rc.r_size = (size_t)rsym->st_size;
3058 
3059 	if (alist_append(&COPY_R(dlmp), &rc, sizeof (Rel_copy),
3060 	    AL_CNT_COPYREL) == 0) {
3061 		if (!(lml->lm_flags & LML_FLG_TRC_WARN))
3062 			return (0);
3063 		else
3064 			return (1);
3065 	}
3066 	if (!(FLAGS1(dlmp) & FL1_RT_COPYTOOK)) {
3067 		if (aplist_append(&COPY_S(rlmp), dlmp,
3068 		    AL_CNT_COPYREL) == NULL) {
3069 			if (!(lml->lm_flags & LML_FLG_TRC_WARN))
3070 				return (0);
3071 			else
3072 				return (1);
3073 		}
3074 		FLAGS1(dlmp) |= FL1_RT_COPYTOOK;
3075 	}
3076 
3077 	/*
3078 	 * If we are tracing (ldd), warn the user if
3079 	 *	1) the size from the reference symbol differs from the
3080 	 *	   copy definition. We can only copy as much data as the
3081 	 *	   reference (dynamic executables) entry allows.
3082 	 *	2) the copy definition has STV_PROTECTED visibility.
3083 	 */
3084 	if (lml->lm_flags & LML_FLG_TRC_WARN) {
3085 		if (rsym->st_size != dsym->st_size) {
3086 			(void) printf(MSG_INTL(MSG_LDD_CPY_SIZDIF),
3087 			    _conv_reloc_type(M_R_COPY), demangle(name),
3088 			    NAME(rlmp), EC_XWORD(rsym->st_size),
3089 			    NAME(dlmp), EC_XWORD(dsym->st_size));
3090 			if (rsym->st_size > dsym->st_size)
3091 				(void) printf(MSG_INTL(MSG_LDD_CPY_INSDATA),
3092 				    NAME(dlmp));
3093 			else
3094 				(void) printf(MSG_INTL(MSG_LDD_CPY_DATRUNC),
3095 				    NAME(rlmp));
3096 		}
3097 
3098 		if (ELF_ST_VISIBILITY(dsym->st_other) == STV_PROTECTED) {
3099 			(void) printf(MSG_INTL(MSG_LDD_CPY_PROT),
3100 			    _conv_reloc_type(M_R_COPY), demangle(name),
3101 			    NAME(dlmp));
3102 		}
3103 	}
3104 
3105 	DBG_CALL(Dbg_reloc_apply_val(lml, ELF_DBG_RTLD, (Xword)radd,
3106 	    (Xword)rc.r_size));
3107 	return (1);
3108 }
3109 
3110 /*
3111  * Determine the symbol location of an address within a link-map.  Look for
3112  * the nearest symbol (whose value is less than or equal to the required
3113  * address).  This is the object specific part of dladdr().
3114  */
3115 static void
3116 elf_dladdr(ulong_t addr, Rt_map *lmp, Dl_info *dlip, void **info, int flags)
3117 {
3118 	ulong_t		ndx, cnt, base, _value;
3119 	Sym		*sym, *_sym = NULL;
3120 	const char	*str;
3121 	int		_flags;
3122 	uint_t		*dynaddr_ndx;
3123 	uint_t		dynaddr_n = 0;
3124 	ulong_t		value;
3125 
3126 	/*
3127 	 * If SUNWSYMTAB() is non-NULL, then it sees a special version of
3128 	 * the dynsym that starts with any local function symbols that exist in
3129 	 * the library and then moves to the data held in SYMTAB(). In this
3130 	 * case, SUNWSYMSZ tells us how long the symbol table is. The
3131 	 * availability of local function symbols will enhance the results
3132 	 * we can provide.
3133 	 *
3134 	 * If SUNWSYMTAB() is non-NULL, then there might also be a
3135 	 * SUNWSYMSORT() vector associated with it. SUNWSYMSORT() contains
3136 	 * an array of indices into SUNWSYMTAB, sorted by increasing
3137 	 * address. We can use this to do an O(log N) search instead of a
3138 	 * brute force search.
3139 	 *
3140 	 * If SUNWSYMTAB() is NULL, then SYMTAB() references a dynsym that
3141 	 * contains only global symbols. In that case, the length of
3142 	 * the symbol table comes from the nchain field of the related
3143 	 * symbol lookup hash table.
3144 	 */
3145 	str = STRTAB(lmp);
3146 	if (SUNWSYMSZ(lmp) == NULL) {
3147 		sym = SYMTAB(lmp);
3148 		/*
3149 		 * If we don't have a .hash table there are no symbols
3150 		 * to look at.
3151 		 */
3152 		if (HASH(lmp) == 0)
3153 			return;
3154 		cnt = HASH(lmp)[1];
3155 	} else {
3156 		sym = SUNWSYMTAB(lmp);
3157 		cnt = SUNWSYMSZ(lmp) / SYMENT(lmp);
3158 		dynaddr_ndx = SUNWSYMSORT(lmp);
3159 		if (dynaddr_ndx != NULL)
3160 			dynaddr_n = SUNWSYMSORTSZ(lmp) / SUNWSORTENT(lmp);
3161 	}
3162 
3163 	if (FLAGS(lmp) & FLG_RT_FIXED)
3164 		base = 0;
3165 	else
3166 		base = ADDR(lmp);
3167 
3168 	if (dynaddr_n > 0) {		/* Binary search */
3169 		long	low = 0, low_bnd;
3170 		long	high = dynaddr_n - 1, high_bnd;
3171 		long	mid;
3172 		Sym	*mid_sym;
3173 
3174 		/*
3175 		 * Note that SUNWSYMSORT only contains symbols types that
3176 		 * supply memory addresses, so there's no need to check and
3177 		 * filter out any other types.
3178 		 */
3179 		low_bnd = low;
3180 		high_bnd = high;
3181 		while (low <= high) {
3182 			mid = (low + high) / 2;
3183 			mid_sym = &sym[dynaddr_ndx[mid]];
3184 			value = mid_sym->st_value + base;
3185 			if (addr < value) {
3186 				if ((sym[dynaddr_ndx[high]].st_value + base) >=
3187 				    addr)
3188 					high_bnd = high;
3189 				high = mid - 1;
3190 			} else if (addr > value) {
3191 				if ((sym[dynaddr_ndx[low]].st_value + base) <=
3192 				    addr)
3193 					low_bnd = low;
3194 				low = mid + 1;
3195 			} else {
3196 				_sym = mid_sym;
3197 				_value = value;
3198 				break;
3199 			}
3200 		}
3201 		/*
3202 		 * If the above didn't find it exactly, then we must
3203 		 * return the closest symbol with a value that doesn't
3204 		 * exceed the one we are looking for. If that symbol exists,
3205 		 * it will lie in the range bounded by low_bnd and
3206 		 * high_bnd. This is a linear search, but a short one.
3207 		 */
3208 		if (_sym == NULL) {
3209 			for (mid = low_bnd; mid <= high_bnd; mid++) {
3210 				mid_sym = &sym[dynaddr_ndx[mid]];
3211 				value = mid_sym->st_value + base;
3212 				if (addr >= value) {
3213 					_sym = mid_sym;
3214 					_value = value;
3215 				} else {
3216 					break;
3217 				}
3218 			}
3219 		}
3220 	} else {			/* Linear search */
3221 		for (_value = 0, sym++, ndx = 1; ndx < cnt; ndx++, sym++) {
3222 			/*
3223 			 * Skip expected symbol types that are not functions
3224 			 * or data:
3225 			 *	- A symbol table starts with an undefined symbol
3226 			 *		in slot 0. If we are using SUNWSYMTAB(),
3227 			 *		there will be a second undefined symbol
3228 			 *		right before the globals.
3229 			 *	- The local part of SUNWSYMTAB() contains a
3230 			 *		series of function symbols. Each section
3231 			 *		starts with an initial STT_FILE symbol.
3232 			 */
3233 			if ((sym->st_shndx == SHN_UNDEF) ||
3234 			    (ELF_ST_TYPE(sym->st_info) == STT_FILE))
3235 				continue;
3236 
3237 			value = sym->st_value + base;
3238 			if (value > addr)
3239 				continue;
3240 			if (value < _value)
3241 				continue;
3242 
3243 			_sym = sym;
3244 			_value = value;
3245 
3246 			/*
3247 			 * Note, because we accept local and global symbols
3248 			 * we could find a section symbol that matches the
3249 			 * associated address, which means that the symbol
3250 			 * name will be null.  In this case continue the
3251 			 * search in case we can find a global symbol of
3252 			 * the same value.
3253 			 */
3254 			if ((value == addr) &&
3255 			    (ELF_ST_TYPE(sym->st_info) != STT_SECTION))
3256 				break;
3257 		}
3258 	}
3259 
3260 	_flags = flags & RTLD_DL_MASK;
3261 	if (_sym) {
3262 		if (_flags == RTLD_DL_SYMENT)
3263 			*info = (void *)_sym;
3264 		else if (_flags == RTLD_DL_LINKMAP)
3265 			*info = (void *)lmp;
3266 
3267 		dlip->dli_sname = str + _sym->st_name;
3268 		dlip->dli_saddr = (void *)_value;
3269 	} else {
3270 		/*
3271 		 * addr lies between the beginning of the mapped segment and
3272 		 * the first global symbol. We have no symbol to return
3273 		 * and the caller requires one. We use _START_, the base
3274 		 * address of the mapping.
3275 		 */
3276 
3277 		if (_flags == RTLD_DL_SYMENT) {
3278 			/*
3279 			 * An actual symbol struct is needed, so we
3280 			 * construct one for _START_. To do this in a
3281 			 * fully accurate way requires a different symbol
3282 			 * for each mapped segment. This requires the
3283 			 * use of dynamic memory and a mutex. That's too much
3284 			 * plumbing for a fringe case of limited importance.
3285 			 *
3286 			 * Fortunately, we can simplify:
3287 			 *    - Only the st_size and st_info fields are useful
3288 			 *	outside of the linker internals. The others
3289 			 *	reference things that outside code cannot see,
3290 			 *	and can be set to 0.
3291 			 *    - It's just a label and there is no size
3292 			 *	to report. So, the size should be 0.
3293 			 * This means that only st_info needs a non-zero
3294 			 * (constant) value. A static struct will suffice.
3295 			 * It must be const (readonly) so the caller can't
3296 			 * change its meaning for subsequent callers.
3297 			 */
3298 			static const Sym fsym = { 0, 0, 0,
3299 			    ELF_ST_INFO(STB_LOCAL, STT_OBJECT) };
3300 			*info = (void *) &fsym;
3301 		}
3302 
3303 		dlip->dli_sname = MSG_ORIG(MSG_SYM_START);
3304 		dlip->dli_saddr = (void *) ADDR(lmp);
3305 	}
3306 }
3307 
3308 static void
3309 elf_lazy_cleanup(APlist *alp)
3310 {
3311 	Rt_map	*lmp;
3312 	Aliste	idx;
3313 
3314 	/*
3315 	 * Cleanup any link-maps added to this dynamic list and free it.
3316 	 */
3317 	for (APLIST_TRAVERSE(alp, idx, lmp))
3318 		FLAGS(lmp) &= ~FLG_RT_TMPLIST;
3319 	free(alp);
3320 }
3321 
3322 /*
3323  * This routine is called as a last fall-back to search for a symbol from a
3324  * standard relocation.  To maintain lazy loadings goal of reducing the number
3325  * of objects mapped, any symbol search is first carried out using the objects
3326  * that already exist in the process (either on a link-map list or handle).
3327  * If a symbol can't be found, and lazy dependencies are still pending, this
3328  * routine loads the dependencies in an attempt to locate the symbol.
3329  *
3330  * Only new objects are inspected as we will have already inspected presently
3331  * loaded objects before calling this routine.  However, a new object may not
3332  * be new - although the di_lmp might be zero, the object may have been mapped
3333  * as someone elses dependency.  Thus there's a possibility of some symbol
3334  * search duplication.
3335  */
3336 Sym *
3337 elf_lazy_find_sym(Slookup *slp, Rt_map **_lmp, uint_t *binfo, int *in_nfavl)
3338 {
3339 	Sym		*sym = NULL;
3340 	APlist		*alist = NULL;
3341 	Aliste		idx;
3342 	Rt_map		*lmp1, *lmp = slp->sl_imap;
3343 	const char	*name = slp->sl_name;
3344 
3345 	/*
3346 	 * Generate a local list of new objects to process.  This list can grow
3347 	 * as each object supplies its own lazy dependencies.
3348 	 */
3349 	if (aplist_append(&alist, lmp, AL_CNT_LAZYFIND) == NULL)
3350 		return (NULL);
3351 	FLAGS(lmp) |= FLG_RT_TMPLIST;
3352 
3353 	for (APLIST_TRAVERSE(alist, idx, lmp1)) {
3354 		uint_t	cnt = 0;
3355 		Slookup	sl = *slp;
3356 		Dyninfo	*dip, *pdip;
3357 
3358 		/*
3359 		 * Discard any relocation index from further symbol searches.
3360 		 * This index will have already been used to trigger any
3361 		 * necessary lazy-loads, and it might be because one of these
3362 		 * lazy loads have failed that we're here performing this
3363 		 * fallback.  By removing the relocation index we don't try
3364 		 * and perform the same failed lazy loading activity again.
3365 		 */
3366 		sl.sl_rsymndx = 0;
3367 
3368 		/*
3369 		 * Loop through the lazy DT_NEEDED entries examining each object
3370 		 * for the required symbol.  If the symbol is not found, the
3371 		 * object is in turn added to the local alist, so that the
3372 		 * objects lazy DT_NEEDED entries can be examined.
3373 		 */
3374 		lmp = lmp1;
3375 		for (dip = DYNINFO(lmp), pdip = NULL; cnt < DYNINFOCNT(lmp);
3376 		    cnt++, pdip = dip++) {
3377 			Rt_map *nlmp;
3378 
3379 			if (((dip->di_flags & FLG_DI_LAZY) == 0) ||
3380 			    dip->di_info)
3381 				continue;
3382 
3383 			/*
3384 			 * If this object has already failed to lazy load, and
3385 			 * we're still processing the same runtime linker
3386 			 * operation that produced the failure, don't bother
3387 			 * to try and load the object again.
3388 			 */
3389 			if ((dip->di_flags & FLG_DI_LAZYFAIL) && pdip &&
3390 			    (pdip->di_flags & FLG_DI_POSFLAG1)) {
3391 				if (pdip->di_info == (void *)ld_entry_cnt)
3392 					continue;
3393 
3394 				dip->di_flags &= ~FLG_DI_LAZYFAIL;
3395 				pdip->di_info = NULL;
3396 			}
3397 
3398 			/*
3399 			 * Try loading this lazy dependency.  If the object
3400 			 * can't be loaded, consider this non-fatal and continue
3401 			 * the search.  Lazy loaded dependencies need not exist
3402 			 * and their loading should only turn out to be fatal
3403 			 * if they are required to satisfy a relocation.
3404 			 *
3405 			 * If the file is already loaded and relocated we must
3406 			 * still inspect it for symbols, even though it might
3407 			 * have already been searched.  This lazy load operation
3408 			 * might have promoted the permissions of the object,
3409 			 * and thus made the object applicable for this symbol
3410 			 * search, whereas before the object might have been
3411 			 * skipped.
3412 			 */
3413 			if ((nlmp = elf_lazy_load(lmp, &sl, cnt,
3414 			    name, in_nfavl)) == 0)
3415 				continue;
3416 
3417 			/*
3418 			 * If this object isn't yet a part of the dynamic list
3419 			 * then inspect it for the symbol.  If the symbol isn't
3420 			 * found add the object to the dynamic list so that we
3421 			 * can inspect its dependencies.
3422 			 */
3423 			if (FLAGS(nlmp) & FLG_RT_TMPLIST)
3424 				continue;
3425 
3426 			sl.sl_imap = nlmp;
3427 			if (sym = LM_LOOKUP_SYM(sl.sl_cmap)(&sl, _lmp,
3428 			    binfo, in_nfavl))
3429 				break;
3430 
3431 			/*
3432 			 * Some dlsym() operations are already traversing a
3433 			 * link-map (dlopen(0)), and thus there's no need to
3434 			 * build our own dynamic dependency list.
3435 			 */
3436 			if ((sl.sl_flags & LKUP_NODESCENT) == 0) {
3437 				if (aplist_append(&alist, nlmp,
3438 				    AL_CNT_LAZYFIND) == 0) {
3439 					elf_lazy_cleanup(alist);
3440 					return (0);
3441 				}
3442 				FLAGS(nlmp) |= FLG_RT_TMPLIST;
3443 			}
3444 		}
3445 		if (sym)
3446 			break;
3447 	}
3448 
3449 	elf_lazy_cleanup(alist);
3450 	return (sym);
3451 }
3452 
3453 /*
3454  * Warning message for bad r_offset.
3455  */
3456 void
3457 elf_reloc_bad(Rt_map *lmp, void *rel, uchar_t rtype, ulong_t roffset,
3458     ulong_t rsymndx)
3459 {
3460 	const char	*name = NULL;
3461 	Lm_list		*lml = LIST(lmp);
3462 	int		trace;
3463 
3464 	if ((lml->lm_flags & LML_FLG_TRC_ENABLE) &&
3465 	    (((rtld_flags & RT_FL_SILENCERR) == 0) ||
3466 	    (lml->lm_flags & LML_FLG_TRC_VERBOSE)))
3467 		trace = 1;
3468 	else
3469 		trace = 0;
3470 
3471 	if ((trace == 0) && (DBG_ENABLED == 0))
3472 		return;
3473 
3474 	if (rsymndx) {
3475 		Sym	*symref = (Sym *)((ulong_t)SYMTAB(lmp) +
3476 		    (rsymndx * SYMENT(lmp)));
3477 
3478 		if (ELF_ST_BIND(symref->st_info) != STB_LOCAL)
3479 			name = (char *)(STRTAB(lmp) + symref->st_name);
3480 	}
3481 
3482 	if (name == 0)
3483 		name = MSG_ORIG(MSG_STR_EMPTY);
3484 
3485 	if (trace) {
3486 		const char *rstr;
3487 
3488 		rstr = _conv_reloc_type((uint_t)rtype);
3489 		(void) printf(MSG_INTL(MSG_LDD_REL_ERR1), rstr, name,
3490 		    EC_ADDR(roffset));
3491 		return;
3492 	}
3493 
3494 	Dbg_reloc_error(lml, ELF_DBG_RTLD, M_MACH, M_REL_SHT_TYPE, rel, name);
3495 }
3496 
3497 /*
3498  * Resolve a static TLS relocation.
3499  */
3500 long
3501 elf_static_tls(Rt_map *lmp, Sym *sym, void *rel, uchar_t rtype, char *name,
3502     ulong_t roffset, long value)
3503 {
3504 	Lm_list	*lml = LIST(lmp);
3505 
3506 	/*
3507 	 * Relocations against a static TLS block have limited support once
3508 	 * process initialization has completed.  Any error condition should be
3509 	 * discovered by testing for DF_STATIC_TLS as part of loading an object,
3510 	 * however individual relocations are tested in case the dynamic flag
3511 	 * had not been set when this object was built.
3512 	 */
3513 	if (PTTLS(lmp) == 0) {
3514 		DBG_CALL(Dbg_reloc_in(lml, ELF_DBG_RTLD, M_MACH,
3515 		    M_REL_SHT_TYPE, rel, NULL, name));
3516 		eprintf(lml, ERR_FATAL, MSG_INTL(MSG_REL_BADTLS),
3517 		    _conv_reloc_type((uint_t)rtype), NAME(lmp),
3518 		    name ? demangle(name) : MSG_INTL(MSG_STR_UNKNOWN));
3519 		return (0);
3520 	}
3521 
3522 	/*
3523 	 * If no static TLS has been set aside for this object, determine if
3524 	 * any can be obtained.  Enforce that any object using static TLS is
3525 	 * non-deletable.
3526 	 */
3527 	if (TLSSTATOFF(lmp) == 0) {
3528 		FLAGS1(lmp) |= FL1_RT_TLSSTAT;
3529 		MODE(lmp) |= RTLD_NODELETE;
3530 
3531 		if (tls_assign(lml, lmp, PTTLS(lmp)) == 0) {
3532 			DBG_CALL(Dbg_reloc_in(lml, ELF_DBG_RTLD, M_MACH,
3533 			    M_REL_SHT_TYPE, rel, NULL, name));
3534 			eprintf(lml, ERR_FATAL, MSG_INTL(MSG_REL_BADTLS),
3535 			    _conv_reloc_type((uint_t)rtype), NAME(lmp),
3536 			    name ? demangle(name) : MSG_INTL(MSG_STR_UNKNOWN));
3537 			return (0);
3538 		}
3539 	}
3540 
3541 	/*
3542 	 * Typically, a static TLS offset is maintained as a symbols value.
3543 	 * For local symbols that are not apart of the dynamic symbol table,
3544 	 * the TLS relocation points to a section symbol, and the static TLS
3545 	 * offset was deposited in the associated GOT table.  Make sure the GOT
3546 	 * is cleared, so that the value isn't reused in do_reloc().
3547 	 */
3548 	if (ELF_ST_BIND(sym->st_info) == STB_LOCAL) {
3549 		if ((ELF_ST_TYPE(sym->st_info) == STT_SECTION)) {
3550 			value = *(long *)roffset;
3551 			*(long *)roffset = 0;
3552 		} else {
3553 			value = sym->st_value;
3554 		}
3555 	}
3556 	return (-(TLSSTATOFF(lmp) - value));
3557 }
3558 
3559 /*
3560  * If the symbol is not found and the reference was not to a weak symbol, report
3561  * an error.  Weak references may be unresolved.
3562  */
3563 int
3564 elf_reloc_error(Rt_map *lmp, const char *name, void *rel, uint_t binfo)
3565 {
3566 	Lm_list	*lml = LIST(lmp);
3567 
3568 	/*
3569 	 * Under crle(1), relocation failures are ignored.
3570 	 */
3571 	if (lml->lm_flags & LML_FLG_IGNRELERR)
3572 		return (1);
3573 
3574 	/*
3575 	 * Under ldd(1), unresolved references are reported.  However, if the
3576 	 * original reference is EXTERN or PARENT these references are ignored
3577 	 * unless ldd's -p option is in effect.
3578 	 */
3579 	if (lml->lm_flags & LML_FLG_TRC_WARN) {
3580 		if (((binfo & DBG_BINFO_REF_MSK) == 0) ||
3581 		    ((lml->lm_flags & LML_FLG_TRC_NOPAREXT) != 0)) {
3582 			(void) printf(MSG_INTL(MSG_LDD_SYM_NFOUND),
3583 			    demangle(name), NAME(lmp));
3584 		}
3585 		return (1);
3586 	}
3587 
3588 	/*
3589 	 * Otherwise, the unresolved references is fatal.
3590 	 */
3591 	DBG_CALL(Dbg_reloc_in(lml, ELF_DBG_RTLD, M_MACH, M_REL_SHT_TYPE, rel,
3592 	    NULL, name));
3593 	eprintf(lml, ERR_FATAL, MSG_INTL(MSG_REL_NOSYM), NAME(lmp),
3594 	    demangle(name));
3595 
3596 	return (0);
3597 }
3598