No mapped segment from the elf file can be writable and
executable at the same time. This commit adds a check
for malformed PT_LOAD segments in the elf-files.
Bug: http://b/30146890
Test: run bionic-unit-tests --gtest_filter=dlfcn.*
Change-Id: Ia23acbe5a48780b65d7e4a50bbe024cd528079f4
open(2) can be used to open directories; use stat to
check that the file exists and is a regular file.
Addresses review comments for 5aa67675f8
Bug: http://b/30320104
Change-Id: Ia944db2f2f779a87ea01dd41dcd171e59c9bef01
This patch enables absolute path translation to instrumented library
when linker_asan is in use.
Test: adb shell cat /proc/<rlid pid>/maps | grep libril-qc-qmi-1.so
check that it is mapped from /data/vendor/lib64 and not /vendor/lib64
Bug: http://b/30320104
Change-Id: I3bc24754b192afc0a72d6f3801f7b42141ce715b
(cherry picked from commit 5aa67675f8)
Improve sanity-checks of elf-file by adding alignment check
of mapped sections and section headers.
Bug: http://b/30687964
Change-Id: I7f06ddaa56a13989ce7be847b3a73c352e32c008
(cherry picked from commit 7e2d49ae3e)
Move soinfo and globals out of linker.cpp to
separate files.
Breaking up huge linker.cpp into smaller peaces
in order to make it easier to extract part of the
code that belongs to libdl.so and remove parts of
the code that do not belong to linker
(refactoring part 2 of many)
Change-Id: I868417f4b8d2b84d0e8265e354bc7977161497e2
Breaking up huge linker.cpp into smaller peaces
in order to make it easier to extract part of the
code that belongs to libdl.so and remove parts of
the code that do not belong to linker
(refactoring part 1 of many)
Change-Id: I57ac36677a815800dc127c8c45c3ea806c37e247
Test: bionic-unit-tests --gtest_filter=dl*:Dl*
This change includes dlwarning implementation and
the compatibility greylist for apps targeting pre-N.
Change-Id: Ibf02a07cc58cbbb1a5aef4ac34558c5d43e4305f
Test: Run bionic-unit-tests --gtest_filter=dl*:Dl*
Make linker_allocator independent of the order of global constructors.
Bug: http://b/30483811
Change-Id: I18a323175661b8e1c9e398f2d6112f7a08d2cceb
Test: boot the device with I3ac91758a1a043146c65f2ae0f36fcfbe372c30f
This helps us avoid situations when malformed elf-files
are mistakenly loaded, - which might result in unexpected
behavior.
Bug: http://b/30166532
Test: bionic-unit-tests --gtest_filter=dl*:Dl*
Change-Id: Idd6b4fa20e1d69a9f8d8391ba69c724d930fee51
The glibc implementation of the loader passes argc/argv/envp
to all elf constructors. This change makes bionic linker
behave in the same way.
Bug: http://b/30145768
Change-Id: I1c65c42aa5305a5b133c64b5748205bbde869e0e
Test: run bionic-unit-tests --gtest_filter=dl*:Dl*
This change implements the following property:
Any 2**N aligned memory region on size 2**N contains no more than one DSO.
The value N can be configured, with 16 or 18 looking like a good choice.
Additionally, DSOs are loaded at random page-aligned address inside these large
regions.
This change has dual purpose:
1. Larger values of N allow a lot more compact CFI shadow implementation.
See change I14dfea630de468eb5620e7f55f92b1397ba06217.
For example, CFI shadow for the system_server process has the following size (RSS, KB):
152 for N = 12, 32 for N = 16, 16 for N = 18.
2. Extra randomization is good for security.
This change does not result in extra RAM usage, because everything is still page-aligned.
It does result in a bit more VM fragmentation because of the gaps between shared libraries.
As it turns out, this fragmentation is barely noticeable because the kernel creates new mapping
at the highest possible address, and we do enough small mappings to almost completely fill the
gaps (ex. in the Zygote the gaps are filled with .ttf file mappings and thread stacks).
I've measured VM fragmentation as the sum of all VM gaps (unmapped regions) that are larger
than 1MB according to /proc/$PID/maps. On aosp_angler-userdebug, the numbers are (in GB):
| N = 12 | N = 18
system_server | 521.9 | 521.1
zygote64 | 522.1 | 521.3
zygote32 | 2.55 | 2.55
mediaserver | 4.00 | 4.00
Change-Id: Ia6df840dd409c82837efd1f263be420d9723c84a
1. Make sure that the .dynamic section offset and size matches
PT_DYNAMIC segment offset and filesz
2. No section offset can be 0
Bug: http://b/16548758
Bug: http://b/29637134
Change-Id: I11bc2567b0cff89f48699ec74015991fee5b137b
Test: Install and start the app from http://b/29637134
To avoid initialization ordering problem avoid constructing
non-trivial global objects for linker_logger.
This patch also adds explicit check for bloc_size_ on alloc
Change-Id: I2cb3b13a10b7fac1f52a20038af77266d3e1da96
This patch lets developers tune logging of dlopen/dlerror with
setting system property.
Note that for security purposes this option is disabled on user build
for non-debuggable apps.
For starters there are 3 debug options:
dlerror - enables logging of all dlerrors
dlopen - traces dlopen calls
To enable system-wide logging (works only for userdebug/eng builds)
use debug.ld.all property.
To enable logging for particular app use debug.ld.app.<appname> property.
Example: Running "adb shell setprop debug.ld.all dlerror,dlopen" will log all
dlerror message as well as trace all calls to dlopen.
Bug: http://b/29458203
Change-Id: I2392c80a795509e16fe5689d0500d18b99772a64
If a public library is missing, make it clear that there is no
library with that soname that is missing. This can help diagnose
problems if a library exists, but the library doesn't have the right
soname.
Bug: 29400363
(cherry picked from commit 9a84d90c75)
Change-Id: Ie2306a2e28aff779d07441dc8af078256b184f8a
Add parentheses around macro arguments used beside operators,
or use constexpr for simple constants.
Bug: 28705665
Change-Id: I378c8aad92d3ec8e8c4b0440b5c2c99dfe01ce79
create_namespace resolves caller namespace only
when caller did not explicitly specify parent namespace.
This saves about 25 microseconds for the case when
parent_namepsace is not null (for example when creating
second classloader for the app).
Bug: http://b/28801010
Change-Id: I50ded272c931db701e5a1d8c88ed5ffb13416539
This operation is the most expensive one and since it is
unlikely that the zip-entry name is invalid (given that it
is constructed by the platform) - it can removed.
The worst case scenario is dlopen() of non-existing libraries
taking more time. And this use-case is not on the critical path.
Bug: http://b/28801010
Change-Id: I10a6b0bf342404ab72f0f5102ebf19f6c06ee6bf
(cherry picked from commit a5c1c8e820)
This CL adds initialization of inode for the main executable
which enables linker to resolve the correct soinfo when
application calls dlopen with absolute path to the
main executable.
Bug: http://b/28420266
Change-Id: I102e07bde454bd44c6e46075e3faeeb5092830d8
This change enables apps to share libraries opened
with RTLD_GLOBAL between different classloader namespaces.
The new parameter to create_namespace allows native_loader
to instruct the linker to share libraries belonging to
global group from a specified namespace instead of
using the caller_ns.
Bug: http://b/28560538
Bug: https://code.google.com/p/android/issues/detail?id=208458
Change-Id: I5d0c62730bbed19cdeb16c7559c74aa262a2475f
Also clean up some near-miss copyright headers in libm, and remove
some cruft in <grp.h>/<pwd.h> that the script can't automatically
ignore since we stripped all the tabs in those files.
Change-Id: I10796c54dda1ceba87822ae0de26b5d71b54972b
They are intended for platform use only and we shouldn't have them
in the public header file.
Bug: http://b/28174921
Change-Id: Ib9b3d0fa9442cfa2e784a693ad567d1444d774e5
Linker crashed if linking of the main executable fails
instead of aborting with readable error message.
This patch modifies unload to soinfo_unload it all at once
in this particular case. This helps avoid situations when
one of the libraries on the DT_NEEDED list of main executable
has gotten unloaded by previous library unload because it
DT_NEEDED it too.
Example (consider following dependency tree):
main_executable
|-> liba.so
|-> libb.so
|-> libb.so
The list of the libraries need to be unloaded in this case
is [liba.so, libb.so], but if linker does unload one by one
by the time it gets to libb.so - the soinfo for the library
is already unloaded (and the segments were unmapped).
Passing everything as an array helps soinfo_unload to check
if a library was already unloaded by looking into local_unload_list.
Bug: http://b/28565608
Change-Id: I7199290e10a186057dcf3b7b68dbce954af7dba1
linker didn't remove link to the soinfo from shared
namespaces on soinfo_unload, because it didn't keep
record of all namespaces the library is added to.
This change adds test for this and also fixes the
problem by introducing list of secondary namespaces
to soinfo, which is used to remove soinfo in
soinfo::remove_all_links().
Bug: http://b/28115950
Change-Id: Ifbf6e54f92fa6e88f86b6a8dd6dc22d4553afd22
linker doesn't call d-tors for RTLD_NODELETE libraries. There is
no need in reseting this flag in call_destructors (which is called
from soinfo_unload).
Change-Id: I3ed03fa7207b7acf598067276fbb8874e29b5e53
Linker was not unloading libraries marked with RTLD_NODELETE
even when there was a error on load. For example when one of
dt_needed libraries was not found.
Bug: http://b/27911891
Change-Id: Ibc0bf110aa41fbfdc9f327ad8c364f2e3600af71
(cherry picked from commit 79abce4214)
Add missing test for sleb128_decoder. Also remove
dependency to static library because it exposes malloc/free
which interfere with libc.so malloc/free causing test to crash.
Change-Id: Iedd3268011df9f67ed58c0b58c71f34e30370b23
Handle no longer is a pointer to soinfo of
a corresponding library. This is done to
prevent access to linker internal fields.
Bug: http://b/25593965
Change-Id: I62bff0d0e5b2dc842e6bf0babb30fcc4c000be24
This patch uses __kernel_vsyscall instead of "int 0x80"
as the syscall entry point. AT_SYSINFO points to
an adapter to mask the arch specific difference and gives a
performance boost on i386 architecture.
Change-ID: Ib340c604d02c6c25714a95793737e3cfdc3fc5d7
Signed-off-by: Mingwei Shi <mingwei.shi@intel.com>
This reverts commit 0acb15ead6.
This workaround is not needed any more. Now ART generates
.MIPS.abiflags segments in its files. This is done in
Ie06a3c4e384a23a77db7d04a2508edbf3a6d3933.
Change-Id: I746289eed443a0fdbe8fd0b1199bcc5cd4d024e1
The previous code assumed that returning would be sufficient to rethrow
signals like SIGSEGV. This is not true, for example, in the case where a
SIGSEGV is sent via kill(2). We were previously only sending the signal
to ourselves in some cases, because using kill(2) would lose information
in the siginfo_t argument. Use rt_tgsigqueueinfo(2) instead to preserve
its contents.
Bug: http://b/27367422
Change-Id: I1be822818d5905461979c7e12dc4e9c25049273b
