We know what "3" and "40" are, but most folks not on our team don't.
I don't think we need to support all the weird values, because only the
supported architectures actually occur in practice.
Bug: N/A
Test: manually overwrote aarch64 libcrypto.so with an x86-64 .so and ran "date"
Test: CANNOT LINK EXECUTABLE "date": "/system/lib64/libcrypto.so" has unexpected e_machine: 62 (EM_X86_64)
Change-Id: Ic4c6325fe7968f0c96fc0bfe15a50ed922a5ba55
For apps targeting pre-O releases print warn about
invalid dynamic section.
Bug: http://b/33842263
Test: Start an app in question and check logs for warning.
Test: Run bionic-unit-test --gtest_filter=dl*:Dl*
Change-Id: I80bd51f2133b956fc04e20a6538cccd50118c1b8
I don't think we're getting any value from more dupes of the same dodgy
middleware, and I worry that we're hiding other, more subtle, compatibility
issues behind this one.
Test: bionic tests
Change-Id: I556cf36eac96c90976bae32621d1c133bbb8fcc7
No mapped segment from the elf file can be writable and
executable at the same time. This commit adds a check
for malformed PT_LOAD segments in the elf-files.
Bug: http://b/30146890
Test: run bionic-unit-tests --gtest_filter=dlfcn.*
Change-Id: Ia23acbe5a48780b65d7e4a50bbe024cd528079f4
Improve sanity-checks of elf-file by adding alignment check
of mapped sections and section headers.
Bug: http://b/30687964
Change-Id: I7f06ddaa56a13989ce7be847b3a73c352e32c008
(cherry picked from commit 7e2d49ae3e)
Move soinfo and globals out of linker.cpp to
separate files.
Breaking up huge linker.cpp into smaller peaces
in order to make it easier to extract part of the
code that belongs to libdl.so and remove parts of
the code that do not belong to linker
(refactoring part 2 of many)
Change-Id: I868417f4b8d2b84d0e8265e354bc7977161497e2
This helps us avoid situations when malformed elf-files
are mistakenly loaded, - which might result in unexpected
behavior.
Bug: http://b/30166532
Test: bionic-unit-tests --gtest_filter=dl*:Dl*
Change-Id: Idd6b4fa20e1d69a9f8d8391ba69c724d930fee51
This change implements the following property:
Any 2**N aligned memory region on size 2**N contains no more than one DSO.
The value N can be configured, with 16 or 18 looking like a good choice.
Additionally, DSOs are loaded at random page-aligned address inside these large
regions.
This change has dual purpose:
1. Larger values of N allow a lot more compact CFI shadow implementation.
See change I14dfea630de468eb5620e7f55f92b1397ba06217.
For example, CFI shadow for the system_server process has the following size (RSS, KB):
152 for N = 12, 32 for N = 16, 16 for N = 18.
2. Extra randomization is good for security.
This change does not result in extra RAM usage, because everything is still page-aligned.
It does result in a bit more VM fragmentation because of the gaps between shared libraries.
As it turns out, this fragmentation is barely noticeable because the kernel creates new mapping
at the highest possible address, and we do enough small mappings to almost completely fill the
gaps (ex. in the Zygote the gaps are filled with .ttf file mappings and thread stacks).
I've measured VM fragmentation as the sum of all VM gaps (unmapped regions) that are larger
than 1MB according to /proc/$PID/maps. On aosp_angler-userdebug, the numbers are (in GB):
| N = 12 | N = 18
system_server | 521.9 | 521.1
zygote64 | 522.1 | 521.3
zygote32 | 2.55 | 2.55
mediaserver | 4.00 | 4.00
Change-Id: Ia6df840dd409c82837efd1f263be420d9723c84a
1. Make sure that the .dynamic section offset and size matches
PT_DYNAMIC segment offset and filesz
2. No section offset can be 0
Bug: http://b/16548758
Bug: http://b/29637134
Change-Id: I11bc2567b0cff89f48699ec74015991fee5b137b
Test: Install and start the app from http://b/29637134
dlclose used to unmap the part of the reserved region
for ANDROID_DLEXT_RESERVED_ADDRESS that was neccessary
to map PT_LOAD segments. With this change dlclose
replaces mapped PT_LOAD segments with a PROT_NONE,
MAP_ANONYMOUS | MAP_NORESERVE.
Previously caller was unmapping the reserved region after
the failed dlclose which led to race condition when someone
else reused the region freed by dlclose but before the unmap
by the chromium code.
Bug: http://code.google.com/p/chromium/issues/detail?id=568880
Change-Id: I0f5eaa2bf6641f83dde469b631c518482acc59a2
The linker crashes if native library has invalid section
headers. This change adds boundary checks on target offsets
and generates dlerror instead of crash.
Bug: http://b/25800330
Change-Id: Ibe282029997302b9b557637c3aad064d7d0febc5
Setup a /system/bin/linker_asan as a symlink to "linker".
Read the linker name from PT_INTERP, and if it is linker_asan,
switch default library lookup paths to the ASan set, which
starts with the path to the instrumented libraries
(/data/lib), followed by /system/lib as a fallback.
This ensures that ASan binaries prefer ASan libraries, when
available. This approach is way better then RPATH/RUNPATH and even
better than LD_LIBRARY_PATH:
- RUNPATH is per-DSO, while default paths are global.
- LD_LIBRARY_PATH is overwritten by android_update_LD_LIBRARY_PATH.
- neither RUNPATH nor LD_LIBRARY_PATH appear in
android_get_LD_LIBRARY_PATH which is used to build java.lang.path.
Having ASan libraries in java.lang.path is a good thing.
Bug: 22355945
Change-Id: I1d2791fbf5740618f18f71a3ae3d873714669d3f
When the Android dynamic linker handles a text relocation,
it first relaxes the permissions on the segment being modified,
performs the modifications, and then restores the page permissions.
The relaxation worked by adding PROT_WRITE to whatever protection
bits were set in the section. In effect, the pages were getting set
to PROT_READ|PROT_WRITE|PROT_EXEC, modified, then restored to
PROT_READ|PROT_EXEC
The SELinux kernel code differentiates between 4 different kinds
of executable memory:
* Executable stack (execstack)
* Executable heap (execheap)
* File-based executable code which has been modified (execmod)
* All other executable memory (execmem)
The execmod capability is only triggered by the kernel when a
dirty but non-executable mmap()ed page becomes executable. When that
occurs, an SELinux policy check is done to see if the execmod capability
is provided by policy.
However, if the page is already executable, and PROT_WRITE is added
to the page, it's considered an execmem permission check, not an execmod
permission check.
There are certain circumstances where we may want to distinguish between
execmod and execmem. This change adjusts the dynamic linker to avoid
using RWX pages, so that an RX -> RW -> RX transition will properly
be detected as an execmod permission check instead of an execmem permission
check.
Bug: 20013628
Change-Id: I14d7be29170b156942f9809023f3b2fc1f37846c
replace lseek() and use pread() instead
add test for library_fd_offset > file_size case
Bug: 17762003
Change-Id: I4555f0be635124efe849c1f226985bcba72ffcbd
Get dynamic flags from phdr table's correct entry rather the first
entry, so that the following DT_DEBUG entry can be set.
Also fix the undefined reference to LoadTask::deleter issue under gcc
-O0 option.
Bug: 17524778
Change-Id: I9c679af197b034761fb739d6c980e628ff2ab84c
This patch fixes the problem with symbol search order
for dlsym(RTLD_DEFAULT/RTLD_NEXT, .) by loading libraries
and ld_preloads in correct order.
Bug: https://code.google.com/p/android/issues/detail?id=74255
Change-Id: If1ba5c807322409faa914e27ecb675e2c4541f0d
Attempt: 2
This patch fixes the problem with symbol search order
for dlsym(RTLD_DEFAULT/RTLD_NEXT, .) by loading libraries
and ld_preloads in correct order.
Bug: https://code.google.com/p/android/issues/detail?id=74255
Change-Id: I4cf84c70dbaabe99310230dfda12385ae5401859
If the file has no relro segment, the generated relro file will have
length 0, which caused mmap to fail. If the relro file has nonzero size,
but is too short (e.g. because it's for the wrong version of the
library), the linker would segfault while comparing the data. Fix both
these issues: don't try to map a zero length file, and don't try to
compare data that would be beyond the end of the file.
Improve test to explicitly generate two versions of the library: one
with -z relro, and one with -z norelro, so we can test both cases; also
explicitly test the case where the relro file has length 0.
Bug: 14299541
Change-Id: Id8b95585edda90e8bb5de452a35b70ed2d224934
Add flags and a file descriptor to android_dlopen_ext() to allow writing
the RELRO section of the loaded library to a file after relocation
processing, and to allow mapping identical pages from the file over the
top of relocated memory in another process. Explicitly comparing the
pages is required in case a page contains a reference to a symbol
defined in another library loaded at a random base address.
Bug: 13005501
Change-Id: Ibb5b2d384edfaa5acf3e97a5f8b6115c10497a1e
Add flags and parameters to android_dlopen_ext() to allow loading a
library at an already-reserved fixed address. If the library to be
loaded will not fit within the space reserved, then the linker will
either fail, or allocate its own address space as usual, according to
which flag has been specified. This behaviour only applies to the
specific library requested; any other libraries loaded as dependencies
will be loaded in the normal fashion.
There is a new gtest included to cover the functionality added.
Bug: 13005501
Change-Id: I5d1810375b20fc51ba6a9b3191a25f9792c687f1
Remove the linker's reliance on BSD cruft and use the glibc-style
ElfW macro. (Other code too, but the linker contains the majority
of the code that needs to work for Elf32 and Elf64.)
All platforms need dl_iterate_phdr_static, so it doesn't make sense
to have that part of the per-architecture configuration.
Bug: 12476126
Change-Id: I1d7f918f1303a392794a6cd8b3512ff56bd6e487
Do not use the magic number 0xFFFFFFFFU to represent the max value of an address
as it's not correct on 64bit platform. We should use UINTPTR_MAX instead.
Change-Id: I1fc6f5864a651b2eddea2333cb0788f9d9223270
Signed-off-by: Qiming Shi <qiming.shi@intel.com>
Signed-off-by: Weiwu Chen <weiwu.chen@intel.com>
Addition of support for AArch64 in the linker64 target.
Change-Id: I8dfd9711278f6706063e91f626b6007ea7a3dd6e
Signed-off-by: Marcus Oakland <marcus.oakland@arm.com>
We don't need our own architecture macros; the standard ones will do.
This patch also fixes some __x86_64__ tests to be USE_RELA tests instead,
because they're not actually x86_64-specific.
I've cleaned up architecture-specific code slightly so where possible
all the code corresponding to a particular architecture is together.
This patch also fixes a bug in LP64 DT_PLTGOT handling, which should be
an error rather than falling through into DT_DEBUG! There was another #ifdef
bug where we'd only report unexpected DT_ entries on MIPS.
Change-Id: Id1d04e372611f641c1aa278a18e379f28af9eaf5
