Commit graph

75 commits

Author SHA1 Message Date
Evgenii Stepanov
e0848bbf89 Pagetable-friendly shared library address randomization.
Add inaccessible gaps between shared libraries to make it harder for the
attackers to defeat ASLR by random probing.

To avoid excessive page table bloat, only do this when a library is
about to cross a huge page boundary, effectively allowing several
smaller libraries to be lumped together.

Bug: 158113540
Test: look at /proc/$$/maps
Change-Id: I39c0100b81f72447e8b3c6faafa561111492bf8c
2020-07-16 13:57:20 -07:00
Evgenii Stepanov
474f2f5c8b Revert "Add randomized padding around shared library mappings."
This reverts commit a8cf3fef2a.

Reason for revert: memory regression due to the fragmentation of the page tables
Bug: 159810641
Bug: 158113540

Change-Id: I6212c623ff440c7f6889f0a1e82cf7a96200a411
2020-07-06 19:27:55 +00:00
Evgenii Stepanov
a8cf3fef2a Add randomized padding around shared library mappings.
Improve ASLR by increasing the randomly sized gaps between shared
library mappings, and keep them mapped PROT_NONE.

Bug: 158113540
Test: look at /proc/$$/maps
Change-Id: Ie72c84047fb624fe2ac8b7744b2a2d0d255ea974
2020-06-17 17:28:28 -07:00
Elliott Hughes
14798930ec Remove unused mips/mips64 code from the linker.
Test: treehugger
Change-Id: I42f1e4c492ac644cf78e7c1196ba9b3518f9c8f8
2020-02-13 15:58:48 -08:00
Elliott Hughes
95c6cd753f Stop using the __ANDROID_API_x__ constants.
Historically we've made a few mistakes where they haven't matched the
right number. And most non-Googlers are much more familiar with the
numbers, so it seems to make sense to rely more on them. Especially in
header files, which we actually expect real people to have to read from
time to time.

Test: treehugger
Change-Id: I0d4a97454ee108de1d32f21df285315c5488d886
2019-12-20 13:26:14 -08:00
Torne (Richard Coles)
fa9f7f28d4 Fix DLEXT_WRITE_RELRO when loading multiple libs.
ANDROID_DLEXT_WRITE_RELRO was causing the GNU RELRO sections of
libraries to become corrupted if more than one library was being loaded
at once (i.e. if the root library has DT_NEEDED entries for libraries
that weren't already loaded). The file offset was not being correctly
propagated between calls, so after writing out the (correct) RELRO data
to the file, it was mapping the data at file offset 0 for all libraries,
which corrupted the data for all but one of the libraries.

Fix this by passing file_offset as a pointer the same way that
phdr_table_map_gnu_relro does.

Bug: 128623590
Test: tbd
Change-Id: I196cd336bd5a67454e89fd85487356b1c7856871
2019-04-02 18:06:12 -04:00
Torne (Richard Coles)
efbe9a5eef linker: allow using reserved space for multiple libraries.
Introduce a new flag ANDROID_DLEXT_RESERVED_ADDRESS_RECURSIVE which
instructs the linker to use the reserved address space to load all of
the newly-loaded libraries required by a dlopen() call instead of only
the main library. They will be loaded consecutively into that region if
they fit. The RELRO sections of all the loaded libraries will also be
considered for reading/writing shared RELRO data.

This will allow the WebView implementation to potentially consist of
more than one .so file while still benefiting from the RELRO sharing
optimisation, which would otherwise only apply to the "root" .so file.

Test: bionic-unit-tests (existing and newly added)
Bug: 110790153
Change-Id: I61da775c29fd5017d9a1e2b6b3757c3d20a355b3
2019-02-20 17:29:36 -05:00
Tom Cherry
c7cbef4f2d Merge "linker: changes to init work arounds" 2018-11-29 16:50:37 +00:00
Tom Cherry
66bc428f93 linker: changes to init work arounds
Change three things regarding the work around to the fact that init is
special:

1) Only first stage init is special, so we change the check to include
   accessing /proc/self/exe, which if is available, means that we're
   not first stage init and do not need any work arounds.
2) Fix the fact that /init may be a symlink and may need readlink()
3) Suppress errors from realpath_fd() since these are expected to fail
   due to /proc not being mounted.

Bug: 80395578
Test: sailfish boots without the audit generated from calling stat()
      on /init and without the errors from realpath_fd()

Change-Id: I266f1486b142cb9a41ec791eba74122bdf38cf12
2018-11-08 21:50:19 +00:00
Elliott Hughes
8178c417f6 ART isn't using the ART-specific linker features any more.
Bug: N/A
Test: ran tests
Change-Id: Ide3c295035687019608a2c4716a4a21cb889d121
2018-11-06 11:15:17 -08:00
Elliott Hughes
d16cface55 State clearly that an ELF file has the wrong architecture.
Before:

  "libx.so" has unexpected e_machine: 40 (EM_ARM)

After:

  "libx.so" is for EM_X86_64 (62) instead of EM_AARCH64 (183)

Bug: N/A
Test: `LD_PRELOAD=/system/lib64/libm-x86_64.so date` on arm64
Change-Id: I5bb40c435bd22b4e11fe802615925e10db7fb631
2018-09-17 15:50:09 -07:00
Elliott Hughes
99d54656bd Add PR_SET_VMA and PR_SET_VMA_ANON_NAME to <sys/prctl.h>.
We've copied & pasted these to too many places. And if we're going to
have another go at upstreaming these, that's probably yet another reason
to have the *values* in just one place. (Even if upstream wants different
names, we'll likely keep the legacy names around for a while for source
compatibility.)

Bug: http://b/111903542
Test: ran tests
Change-Id: I8ccc557453d69530e5b74f865cbe0b458c84e3ba
2018-08-22 10:36:23 -07:00
Elliott Hughes
a897151426 linker: improve "bad ELF magic" error.
Include what we actually saw.

Bug: http://b/79463184
Test: ran tests
Change-Id: Id5f8aa3ab94b411ea839b0a1ada9beda9053a10f
2018-06-27 14:39:06 -07:00
Jiyong Park
31cd08f9eb dynamic linker is running for init
init is now built as a dynamic executable, so the dynamic linker has to
be able to run in the init process. However, since init is launched so
early, even /dev/* and /proc/* file systems are not mounted and thus
some APIs that rely on the paths do not work. The dynamic linker now
goes alternative path when it is running in the init process.

For example, /proc/self/exe is not read for the init since we always now
the path of the init (/init). Also, arc4random* APIs are not used since
the APIs rely on /dev/urandom. Linker now does not randomize library
loading order and addresses when running in the init process.

Bug: 80454183
Test: `adb reboot recovery; adb devices` shows the device ID
Change-Id: I29b6d70e4df5f7f690876126d5fe81258c1d3115
2018-06-08 14:50:14 +09:00
Elliott Hughes
9076b0c4e7 Be clearer about linker warnings.
Explicitly say "warning" for warnings, explicitly say what action
we're going to take (such as "(ignoring)"), always provide a link to
our documentation when there is one, explicitly say what API level the
behavior changes at, and explicitly say why we're allowing the misbehavior
for now.

Bug: http://b/71852862
Test: ran tests, looked at logcat
Change-Id: I1795a5af45deb904332b866d7d666690dae4340b
2018-02-28 12:37:28 -08:00
Jiyong Park
02586a2a34 linker: the global group is added to all built-in namespaces
With ld.config.txt, we now have multiple built-in namespaces other than
the default namespace. Libs (and their dependents) listed in LD_PRELOAD
must be visible to those additional namespaces as well.

This also adds a debugging only feature: path to the linker config file
can be customized via LD_CONFIG_FILE environment variable. This works
only for debuggable builds.

Bug: 38114603
Bug: 62815515
Test: 1. ./external/compiler-rt/lib/asan/scripts/asan_device_setup --lib
prebuilts/clang/host/linux-x86/clang-stable/lib64/clang/5.0/lib/linux
2. enable talkback shortcut
3. in the home screen, hold vol-up/down together
4. device does not reboots and talkback shortcut is toggled
Test: bionic-unit-tests and linker-unit-tests successful

Change-Id: I9a03591053f4a9caea82f0dcb23e7a3d324bb9bd
2017-08-03 01:02:07 +09:00
Elliott Hughes
72007ee68f Decode the common EM_ values.
We know what "3" and "40" are, but most folks not on our team don't.

I don't think we need to support all the weird values, because only the
supported architectures actually occur in practice.

Bug: N/A
Test: manually overwrote aarch64 libcrypto.so with an x86-64 .so and ran "date"
Test: CANNOT LINK EXECUTABLE "date": "/system/lib64/libcrypto.so" has unexpected e_machine: 62 (EM_X86_64)
Change-Id: Ic4c6325fe7968f0c96fc0bfe15a50ed922a5ba55
2017-04-19 17:49:43 -07:00
Evgenii Stepanov
0a3637d3eb Runtime support for CFI
Control Flow Integrity support in bionic.

General design:
http://clang.llvm.org/docs/ControlFlowIntegrityDesign.html#shared-library-support

This CL implements subsections "CFI Shadow" and "CFI_SlowPath" in the above document.

Bug: 22033465
Test: bionic device tests
Change-Id: I14dfea630de468eb5620e7f55f92b1397ba06217
2017-01-18 13:13:52 -08:00
Dimitry Ivanov
e30c17fb6e Downgrade dynamic section checks to warning
For apps targeting pre-O releases print warn about
invalid dynamic section.

Bug: http://b/33842263
Test: Start an app in question and check logs for warning.
Test: Run bionic-unit-test --gtest_filter=dl*:Dl*
Change-Id: I80bd51f2133b956fc04e20a6538cccd50118c1b8
2016-12-28 16:21:49 -08:00
Dimitry Ivanov
12b918743d Relax ELF header checks - warn for apps targeting pre-O
Bug: http://b/32581440
Test: bionic-unit-tests --gtest_filter=dl*:Dl*
Change-Id: I2fe356c67eb9665c671758117679a29b207219e4
2016-11-16 18:43:06 -08:00
Elliott Hughes
5bc78c8bcd Add and use constants for the Android API levels.
Test: bionic tests still pass
Change-Id: If1b619cfc9db1d3f5d91f14f2ace71058dca0c4a
2016-11-16 16:55:42 -08:00
Elliott Hughes
4cc5a60f91 Downgrade W+E load segments to a warning unless targeting O.
I don't think we're getting any value from more dupes of the same dodgy
middleware, and I worry that we're hiding other, more subtle, compatibility
issues behind this one.

Test: bionic tests
Change-Id: I556cf36eac96c90976bae32621d1c133bbb8fcc7
2016-11-15 16:59:33 -08:00
Dimitry Ivanov
9700babc05 linker: disallow W + E PT_LOAD segments
No mapped segment from the elf file can be writable and
executable at the same time. This commit adds a check
for malformed PT_LOAD segments in the elf-files.

Bug: http://b/30146890
Test: run bionic-unit-tests --gtest_filter=dlfcn.*
Change-Id: Ia23acbe5a48780b65d7e4a50bbe024cd528079f4
2016-08-11 17:24:47 -07:00
Dimitry Ivanov
bd90675111 Check alignment along with range of mapped file fragments
Improve sanity-checks of elf-file by adding alignment check
of mapped sections and section headers.

Bug: http://b/30687964
Change-Id: I7f06ddaa56a13989ce7be847b3a73c352e32c008
(cherry picked from commit 7e2d49ae3e)
2016-08-10 10:52:55 -07:00
Dimitry Ivanov
48ec288d40 Extract soinfo and globals to separate files.
Move soinfo and globals out of linker.cpp to
separate files.

Breaking up huge linker.cpp into smaller peaces
in order to make it easier to extract part of the
code that belongs to libdl.so and remove parts of
the code that do not belong to linker

(refactoring part 2 of many)

Change-Id: I868417f4b8d2b84d0e8265e354bc7977161497e2
2016-08-08 16:12:53 -07:00
Dimitry Ivanov
c73eec159f Add sanity checks for e_shentsize and e_shstrndx
This helps us avoid situations when malformed elf-files
are mistakenly loaded, - which might result in unexpected
behavior.

Bug: http://b/30166532
Test: bionic-unit-tests --gtest_filter=dl*:Dl*
Change-Id: Idd6b4fa20e1d69a9f8d8391ba69c724d930fee51
2016-07-22 12:53:28 -07:00
Evgenii Stepanov
d13e9a603f Align-up and randomize shared libraries.
This change implements the following property:
  Any 2**N aligned memory region on size 2**N contains no more than one DSO.

The value N can be configured, with 16 or 18 looking like a good choice.
Additionally, DSOs are loaded at random page-aligned address inside these large
regions.

This change has dual purpose:
1. Larger values of N allow a lot more compact CFI shadow implementation.
   See change I14dfea630de468eb5620e7f55f92b1397ba06217.
   For example, CFI shadow for the system_server process has the following size (RSS, KB):
   152 for N = 12, 32 for N = 16, 16 for N = 18.
2. Extra randomization is good for security.

This change does not result in extra RAM usage, because everything is still page-aligned.
It does result in a bit more VM fragmentation because of the gaps between shared libraries.
As it turns out, this fragmentation is barely noticeable because the kernel creates new mapping
at the highest possible address, and we do enough small mappings to almost completely fill the
gaps (ex. in the Zygote the gaps are filled with .ttf file mappings and thread stacks).

I've measured VM fragmentation as the sum of all VM gaps (unmapped regions) that are larger
than 1MB according to /proc/$PID/maps. On aosp_angler-userdebug, the numbers are (in GB):

                |   N = 12  |  N = 18
system_server   |   521.9   |  521.1
zygote64        |   522.1   |  521.3
zygote32        |   2.55    |  2.55
mediaserver     |   4.00    |  4.00

Change-Id: Ia6df840dd409c82837efd1f263be420d9723c84a
2016-07-19 18:18:22 -07:00
Dimitry Ivanov
ebe5af7536 Fix typo in the comment
Addressing review comment from change I11bc2567b0cff89f48699ec74015991fee5b137b

Change-Id: I5d479ef61421c86fae06167815aa0a2681d9142d
2016-07-14 11:15:44 -07:00
Dimitry Ivanov
0c9d30f3c8 linker: Improve elf-file validation
1. Make sure that the .dynamic section offset and size matches
   PT_DYNAMIC segment offset and filesz
2. No section offset can be 0

Bug: http://b/16548758
Bug: http://b/29637134
Change-Id: I11bc2567b0cff89f48699ec74015991fee5b137b
Test: Install and start the app from http://b/29637134
2016-07-13 17:06:36 -07:00
Dimitry Ivanov
1b84afcfb1 linker: mark library .bss pages with anon:.bss
Bug: http://b/26778774
Change-Id: Ie2cdd841b7238de50ef389a897d79f915229616b
2016-01-27 18:12:03 -08:00
Dimitry Ivanov
f45b0e9ede Do not unmap reserved region on dlclose
dlclose used to unmap the part of the reserved region
for ANDROID_DLEXT_RESERVED_ADDRESS that was neccessary
to map PT_LOAD segments. With this change dlclose
replaces mapped PT_LOAD segments with a PROT_NONE,
MAP_ANONYMOUS | MAP_NORESERVE.

Previously caller was unmapping the reserved region after
the failed dlclose which led to race condition when someone
else reused the region freed by dlclose but before the unmap
by the chromium code.

Bug: http://code.google.com/p/chromium/issues/detail?id=568880
Change-Id: I0f5eaa2bf6641f83dde469b631c518482acc59a2
2016-01-20 20:57:47 -08:00
Dmitriy Ivanov
3c5248182e Handling invalid section headers
The linker crashes if native library has invalid section
headers. This change adds boundary checks on target offsets
and generates dlerror instead of crash.

Bug: http://b/25800330
Change-Id: Ibe282029997302b9b557637c3aad064d7d0febc5
2015-11-22 23:25:06 -08:00
Dmitriy Ivanov
b76123fed8 Improve error message for files with no sections
Bug: http://b/25801618
Change-Id: I4f4f368e727ff48c84781279e3d17d4ac2d1b6b0
2015-11-20 10:49:12 -08:00
Dmitriy Ivanov
126af757c6 Implement load at fixed address feature
Bug: http://b/24683631
Change-Id: I3a39ab526c8f9e213339b60e135e5459d0f41381
2015-10-27 11:27:34 -07:00
Dmitriy Ivanov
4f7a7ad3fe Implement Library Load Order Randomization
Bug: http://b/24047022
Change-Id: I36e05b403bfbaae8542a95147f9114a8b9c8ac0e
2015-10-22 18:26:07 -07:00
Dmitriy Ivanov
cf1cbbe432 refactoring: introduce MappedFileFragment
Change-Id: I97b0c1131711ed0ac13ab33e3357e99e0b6b1a4e
2015-10-22 18:01:56 -07:00
skvalex
93ce35434c Fix a mistype in segment overrange checking
Change-Id: Ibea93514aa7ba3b1ac2bc00420f5124fb34f5f66
Signed-off-by: skvalex <skvalex@gmail.com>
2015-08-20 01:06:42 +03:00
Evgenii Stepanov
d640b225ec A special linker for ASan executables.
Setup a /system/bin/linker_asan as a symlink to "linker".
Read the linker name from PT_INTERP, and if it is linker_asan,
switch default library lookup paths to the ASan set, which
starts with the path to the instrumented libraries
(/data/lib), followed by /system/lib as a fallback.

This ensures that ASan binaries prefer ASan libraries, when
available. This approach is way better then RPATH/RUNPATH and even
better than LD_LIBRARY_PATH:
- RUNPATH is per-DSO, while default paths are global.
- LD_LIBRARY_PATH is overwritten by android_update_LD_LIBRARY_PATH.
- neither RUNPATH nor LD_LIBRARY_PATH appear in
  android_get_LD_LIBRARY_PATH which is used to build java.lang.path.
  Having ASan libraries in java.lang.path is a good thing.

Bug: 22355945
Change-Id: I1d2791fbf5740618f18f71a3ae3d873714669d3f
2015-07-14 16:12:27 -07:00
Dmitriy Ivanov
3f987f5b3e Fix crash when trying to load invalid ELF file.
Bug: http://b/22047255
Bug: http://b/22091640
Change-Id: I6c51cff43287a6ac4b25fa9ce6a6fc3d232fd047
(cherry picked from commit 06700b2b5e)
2015-06-25 20:05:50 -07:00
Dmitriy Ivanov
8a11628355 Add flag that makes linker honor min(p_vaddr)
Bug: http://b/21523078
Change-Id: Ice72766fb6ad3bd333c32b496e7870121e17a763
2015-06-09 13:44:31 -07:00
Nick Kralevich
8fdb3419a5 linker: never mark pages simultaneously writable / executable
When the Android dynamic linker handles a text relocation,
it first relaxes the permissions on the segment being modified,
performs the modifications, and then restores the page permissions.
The relaxation worked by adding PROT_WRITE to whatever protection
bits were set in the section. In effect, the pages were getting set
to PROT_READ|PROT_WRITE|PROT_EXEC, modified, then restored to
PROT_READ|PROT_EXEC

The SELinux kernel code differentiates between 4 different kinds
of executable memory:
* Executable stack (execstack)
* Executable heap (execheap)
* File-based executable code which has been modified (execmod)
* All other executable memory (execmem)

The execmod capability is only triggered by the kernel when a
dirty but non-executable mmap()ed page becomes executable. When that
occurs, an SELinux policy check is done to see if the execmod capability
is provided by policy.

However, if the page is already executable, and PROT_WRITE is added
to the page, it's considered an execmem permission check, not an execmod
permission check.

There are certain circumstances where we may want to distinguish between
execmod and execmem. This change adjusts the dynamic linker to avoid
using RWX pages, so that an RX -> RW -> RX transition will properly
be detected as an execmod permission check instead of an execmem permission
check.

Bug: 20013628
Change-Id: I14d7be29170b156942f9809023f3b2fc1f37846c
2015-04-01 18:05:19 -07:00
Dimitry Ivanov
56be6ed9e4 Revert "Remove text-relocation support for lp32"
This reverts commit cb00add1b3.

Bug: 20020312
Bug: 20013628
Change-Id: I8baa3d4b6c7fef50c9e2531257d5b96762099eb3
2015-04-01 21:18:48 +00:00
Dmitriy Ivanov
cb00add1b3 Remove text-relocation support for lp32
Bug: 20013628
Change-Id: Idaf8012f00ee1304d429c3b42f9ebc6b648c55b8
2015-03-31 17:42:45 -07:00
Dmitriy Ivanov
20d89cb5b0 Fix long lines and replace macros with functions.
Change-Id: I4e1cab488d5b2c8e4289da617350a86e72a4ba12
2015-03-31 11:49:25 -07:00
Dmitriy Ivanov
18a6956b76 Add support for packed relocations.
Change-Id: I796a4ce86d3fccb8361c19889419c96147ee3c9f
2015-03-06 17:12:47 -08:00
Elliott Hughes
05fc1d7050 Add missing includes.
Change-Id: Ibf549266a19a67eb9158d341a69dddfb654be669
2015-01-28 19:23:11 -08:00
Dmitriy Ivanov
1649e7ee5b Enable -Wold-style-cast warnings for linker
And fix old style casts.

Change-Id: I37e7a3e3fd852528ea76f02d967c7bd8cd5b06c9
2015-01-22 16:33:30 -08:00
Elliott Hughes
b514026eb2 Kill <machine/exec.h>.
Bug: 18546535
Change-Id: I479e003deab21e31eb5caa5393067ed1dc558387
2014-12-02 16:16:29 -08:00
Dmitriy Ivanov
a6c1279098 Rename library_offset to library_fd_offset
replace lseek() and use pread() instead
 add test for library_fd_offset > file_size case

Bug: 17762003
Change-Id: I4555f0be635124efe849c1f226985bcba72ffcbd
2014-10-21 13:51:08 -07:00
Robert Grosse
4544d9f9bf Fix misleading comment.
Change-Id: I9e2aa6c2ba938c8f8d7c74eba32d313c866c77b2
2014-10-15 14:32:19 -07:00