Commit Graph

568 Commits

Author SHA1 Message Date
Florian Weimer
0499a353a6 elf: Add elf/check-wx-segment, a test for the presence of WX segments
Writable, executable segments defeat security hardening.  The
existing check for DT_TEXTREL does not catch this.

hppa and SPARC currently keep the PLT in an RWX load segment.
2020-03-02 14:25:20 +01:00
Florian Weimer
3a0ecccb59 ld.so: Do not export free/calloc/malloc/realloc functions [BZ #25486]
Exporting functions and relying on symbol interposition from libc.so
makes the choice of implementation dependent on DT_NEEDED order, which
is not what some compiler drivers expect.

This commit replaces one magic mechanism (symbol interposition) with
another one (preprocessor-/compiler-based redirection).  This makes
the hand-over from the minimal malloc to the full malloc more
explicit.

Removing the ABI symbols is backwards-compatible because libc.so is
always in scope, and the dynamic loader will find the malloc-related
symbols there since commit f0b2132b35
("ld.so: Support moving versioned symbols between sonames
[BZ #24741]").

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2020-02-15 11:01:23 +01:00
Florian Weimer
abcc039d2e elf: Introduce the rtld-stubbed-symbols makefile variable
This generalizes a mechanism used for stack-protector support, so
that it can be applied to other symbols if required.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2020-02-15 11:00:27 +01:00
David Kilroy
eb447b7b4b elf: Allow dlopen of filter object to work [BZ #16272]
There are two fixes that are needed to be able to dlopen filter
objects. First _dl_map_object_deps cannot assume that map will be at
the beginning of l_searchlist.r_list[], as filtees are inserted before
map. Secondly dl_open_worker needs to ensure that filtees get
relocated.

In _dl_map_object_deps:

* avoiding removing relocation dependencies of map by setting
  l_reserved to 0 and otherwise processing the rest of the search
  list.

* ensure that map remains at the beginning of l_initfini - the list
  of things that need initialisation (and destruction). Do this by
  splitting the copy up. This may not be required, but matches the
  initialization order without dlopen.

Modify dl_open_worker to relocate the objects in new->l_inifini.
new->l_initfini is constructed in _dl_map_object_deps, and lists the
objects that need initialization and destruction. Originally the list
of objects in new->l_next are relocated. All of these objects should
also be included in new->l_initfini (both lists are populated with
dependencies in _dl_map_object_deps). We can't use new->l_prev to pick
up filtees, as during a recursive dlopen from an interposed malloc
call, l->prev can contain objects that are not ready for relocation.

Add tests to verify that symbols resolve to the filtee implementation
when auxiliary and filter objects are used, both as a normal link and
when dlopen'd.

Tested by running the testsuite on x86_64.
2020-02-12 14:29:48 -03:00
Joseph Myers
d01fd5f0ce Fix elf/tst-rtld-preload cross-testing.
As noted in
<https://sourceware.org/ml/libc-alpha/2019-06/msg00824.html>,
elf/tst-rtld-preload fails when cross-testing because it attempts to
run the test wrapper with itself.  Unfortunately, that thread never
resulted in a complete and correct patch for that test.

This patch addresses the issues with that test more thoroughly.  The
test is changed not to use the wrapper twice, including updating the
message it prints about the command it runs to be more complete and
accurate after the change; the Makefile is changed not to pass the
redundant '$(test-wrapper)' argument.

Tested for Arm that this fixes the failure seen for that test in
cross-testing.
2020-01-24 17:22:13 +00:00
Joseph Myers
00167b531d Fix cross-testing of tst-ifunc-fault-* tests.
The tests elf/tst-ifunc-fault-bindnow and elf/tst-ifunc-fault-lazy
fail in cross-testing because they run the dynamic linker directly
without using the test wrapper.  This patch fixes them to use the test
wrapper instead.

Tested that this fixes the failure of those two tests for powerpc
soft-float.
2020-01-23 14:34:59 +00:00
Florian Weimer
a332bd1518 elf: Add elf/tst-dlopenfail-2 [BZ #25396]
Without CET, a jump into a newly loaded object through an overwritten
link map often does not crash, it just executes some random code.
CET detects this in some cases because the function pointer does not
point to the start of a function in the replacement shared object,
so there is no ENDBR instruction.

The new test uses a small shared object and the existing dangling
link map to trigger the bug.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2020-01-16 16:53:58 +01:00
Alexandra Hájková
591236f1a3 elf: Add tst-ldconfig-ld_so_conf-update test
Test ldconfig after /etc/ld.so.conf update and verify a running process
 observes changes to /etc/ld.so.cache.
 The test uses the test-in-container framework.

 Reviewed-by: Arjun Shankar <arjun@redhat.com>
2020-01-09 20:47:19 +01:00
Joseph Myers
d614a75396 Update copyright dates with scripts/update-copyrights. 2020-01-01 00:14:33 +00:00
Florian Weimer
6a265e577e Fix test isolation for elf/tst-ifunc-fault-lazy, elf/tst-ifunc-fault-bindnow
Previously, ld.so was invoked only with the elf subdirectory on the
library search path.  Since the soname link for libc.so only exists in
the top-level build directory, this leaked the system libc into the
test.
2019-12-19 16:06:50 +01:00
Florian Weimer
365624e2d2 dlopen: Fix issues related to NODELETE handling and relocations
The assumption behind the assert in activate_nodelete was wrong:

Inconsistency detected by ld.so: dl-open.c: 459: activate_nodelete:
Assertion `!imap->l_init_called || imap->l_type != lt_loaded' failed! (edit)

It can happen that an already-loaded object that is in the local
scope is promoted to NODELETE status, via binding to a unique
symbol.

Similarly, it is possible that such NODELETE promotion occurs to
an already-loaded object from the global scope.  This is why the
loop in activate_nodelete has to cover all objects in the namespace
of the new object.

In do_lookup_unique, it could happen that the NODELETE status of
an already-loaded object was overwritten with a pending NODELETE
status.  As a result, if dlopen fails, this could cause a loss of
the NODELETE status of the affected object, eventually resulting
in an incorrect unload.

Fixes commit f63b73814f ("Remove all
loaded objects if dlopen fails, ignoring NODELETE [BZ #20839]").
2019-12-13 10:18:24 +01:00
Florian Weimer
8b196ac4b8 Expand $(as-needed) and $(no-as-needed) throughout the build system
Since commit a3cc4f48e9 ("Remove
--as-needed configure test."), --as-needed support is no longer
optional.

The macros are not much shorter and do not provide documentary
value, either, so this commit removes them.
2019-12-03 21:37:50 +01:00
Florian Weimer
4db71d2f98 elf: Do not run IFUNC resolvers for LD_DEBUG=unused [BZ #24214]
This commit adds missing skip_ifunc checks to aarch64, arm, i386,
sparc, and x86_64.  A new test case ensures that IRELATIVE IFUNC
resolvers do not run in various diagnostic modes of the dynamic
loader.

Reviewed-By: Szabolcs Nagy <szabolcs.nagy@arm.com>
2019-12-02 14:55:22 +01:00
Florian Weimer
61a7c9df71 elf/tst-dlopenfail: Disable --no-as-needed for tst-dlopenfailmod1.so
Otherwise, the shared object dependency which triggers the load
failure is dropped, invalidating the test.
2019-12-02 14:54:38 +01:00
Florian Weimer
f63b73814f Remove all loaded objects if dlopen fails, ignoring NODELETE [BZ #20839]
This introduces a “pending NODELETE” state in the link map, which is
flipped to the persistent NODELETE state late in dlopen, via
activate_nodelete.    During initial relocation, symbol binding
records pending NODELETE state only.  dlclose ignores pending NODELETE
state.  Taken together, this results that a partially completed dlopen
is rolled back completely because new NODELETE mappings are unloaded.

Tested on x86_64-linux-gnu and i386-linux-gnu.

Change-Id: Ib2a3d86af6f92d75baca65431d74783ee0dbc292
2019-11-27 20:55:35 +01:00
Florian Weimer
79e0cd7b3c Lazy binding failures during dlopen/dlclose must be fatal [BZ #24304]
If a lazy binding failure happens during the execution of an ELF
constructor or destructor, the dynamic loader catches the error
and reports it using the dlerror mechanism.  This is undesirable
because there could be other constructors and destructors that
need processing (which are skipped), and the process is in an
inconsistent state at this point.  Therefore, we have to issue
a fatal dynamic loader error error and terminate the process.

Note that the _dl_catch_exception in _dl_open is just an inner catch,
to roll back some state locally.  If called from dlopen, there is
still an outer catch, which is why calling _dl_init via call_dl_init
and a no-exception is required and cannot be avoiding by moving the
_dl_init call directly into _dl_open.

_dl_fini does not need changes because it does not install an error
handler, so errors are already fatal there.

Change-Id: I6b1addfe2e30f50a1781595f046f44173db9491a
2019-11-27 20:55:35 +01:00
Sandra Loosemore
c72e5cd87d Compile elf/rtld.c with -fno-tree-loop-distribute-patterns.
In GCC 10, the default at -O2 is now -ftree-loop-distribute-patterns.
This optimization causes GCC to "helpfully" convert the hand-written
loop in _dl_start into a call to memset, which is not available that
early in program startup.  Similar problems in other places in GLIBC
have been addressed by explicitly building with
-fno-tree-loop-distribute-patterns, but this one may have been
overlooked previously because it only affects targets where
HAVE_BUILTIN_MEMSET is not defined.

This patch fixes a bug observed on nios2-linux-gnu target that caused
all programs to segv on startup.
2019-11-26 19:18:23 +01:00
Florian Weimer
c7bf5ceab6 Properly initialize audit cookie for the dynamic loader [BZ #25157]
The l_audit array is indexed by audit module, not audit function.

Change-Id: I180eb3573dc1c57433750f5d8cb18271460ba5f2
2019-11-15 13:03:32 +01:00
Florian Weimer
7d3db434f9 Rename and split elf/tst-dlopen-aout collection of tests
From the beginning, elf/tst-dlopen-aout has exercised two different
bugs: (a) failure to report errors for a dlopen of the executable
itself in some cases (bug 24900) and (b) incorrect rollback of the
TLS modid allocation in case of a dlopen failure (bug 16634).

This commit replaces the test with elf/tst-dlopen-self for (a) and
elf/tst-dlopen-tlsmodid for (b).  The latter tests use the
elf/tst-dlopen-self binaries (or iconv) with dlopen, so they are
no longer self-dlopen tests.

Tested on x86_64-linux-gnu and i686-linux-gnu, with a toolchain that
does not default to PIE.
2019-10-17 08:51:21 +02:00
Florian Weimer
77523d5e43 elf: Assign TLS modid later during dlopen [BZ #24930]
Commit a42faf59d6 ("Fix BZ #16634.")
attempted to fix a TLS modid consistency issue by adding additional
checks to the open_verify function.  However, this is fragile
because open_verify cannot reliably predict whether
_dl_map_object_from_fd will later fail in the more complex cases
(such as memory allocation failures).  Therefore, this commit
assigns the TLS modid as late as possible.  At that point, the link
map pointer will eventually be passed to _dl_close, which will undo
the TLS modid assignment.

Reviewed-by: Gabriel F. T. Gomes <gabrielftg@linux.ibm.com>
2019-10-04 21:23:51 +02:00
Paul Eggert
5a82c74822 Prefer https to http for gnu.org and fsf.org URLs
Also, change sources.redhat.com to sourceware.org.
This patch was automatically generated by running the following shell
script, which uses GNU sed, and which avoids modifying files imported
from upstream:

sed -ri '
  s,(http|ftp)(://(.*\.)?(gnu|fsf|sourceware)\.org($|[^.]|\.[^a-z])),https\2,g
  s,(http|ftp)(://(.*\.)?)sources\.redhat\.com($|[^.]|\.[^a-z]),https\2sourceware.org\4,g
' \
  $(find $(git ls-files) -prune -type f \
      ! -name '*.po' \
      ! -name 'ChangeLog*' \
      ! -path COPYING ! -path COPYING.LIB \
      ! -path manual/fdl-1.3.texi ! -path manual/lgpl-2.1.texi \
      ! -path manual/texinfo.tex ! -path scripts/config.guess \
      ! -path scripts/config.sub ! -path scripts/install-sh \
      ! -path scripts/mkinstalldirs ! -path scripts/move-if-change \
      ! -path INSTALL ! -path  locale/programs/charmap-kw.h \
      ! -path po/libc.pot ! -path sysdeps/gnu/errlist.c \
      ! '(' -name configure \
            -execdir test -f configure.ac -o -f configure.in ';' ')' \
      ! '(' -name preconfigure \
            -execdir test -f preconfigure.ac ';' ')' \
      -print)

and then by running 'make dist-prepare' to regenerate files built
from the altered files, and then executing the following to cleanup:

  chmod a+x sysdeps/unix/sysv/linux/riscv/configure
  # Omit irrelevant whitespace and comment-only changes,
  # perhaps from a slightly-different Autoconf version.
  git checkout -f \
    sysdeps/csky/configure \
    sysdeps/hppa/configure \
    sysdeps/riscv/configure \
    sysdeps/unix/sysv/linux/csky/configure
  # Omit changes that caused a pre-commit check to fail like this:
  # remote: *** error: sysdeps/powerpc/powerpc64/ppc-mcount.S: trailing lines
  git checkout -f \
    sysdeps/powerpc/powerpc64/ppc-mcount.S \
    sysdeps/unix/sysv/linux/s390/s390-64/syscall.S
  # Omit change that caused a pre-commit check to fail like this:
  # remote: *** error: sysdeps/sparc/sparc64/multiarch/memcpy-ultra3.S: last line does not end in newline
  git checkout -f sysdeps/sparc/sparc64/multiarch/memcpy-ultra3.S
2019-09-07 02:43:31 -07:00
Florian Weimer
23d2e5faf0 elf: Self-dlopen failure with explict loader invocation [BZ #24900]
In case of an explicit loader invocation, ld.so essentially performs
a dlopen call to load the main executable.  Since the pathname of
the executable is known at this point, it gets stored in the link
map.  In regular mode, the pathname is not known and "" is used
instead.

As a result, if a program calls dlopen on the pathname of the main
program, the dlopen call succeeds and returns a handle for the main
map.  This results in an unnecessary difference between glibc
testing (without --enable-hardcoded-path-in-tests) and production
usage.

This commit discards the names when building the link map in
_dl_new_object for the main executable, but it still determines
the origin at this point in case of an explict loader invocation.
The reason is that the specified pathname has to be used; the kernel
has a different notion of the main executable.
2019-08-15 18:53:32 +02:00
Florian Weimer
9b9670fcd8 elf: Support elf/tst-dlopen-aout in more configurations
dlopen can no longer open PIE binaries, so it is not necessary
to link the executable as non-PIE to trigger a dlopen failure.

If we hard-code the path to the real executable, we can run the test
with and without hard-coded paths because the dlopen path will not
be recognized as the main program in both cases.  (With an explict
loader invocation, the loader currently adds argv[0] to l_libname
for the main map and the dlopen call suceeds as a result; it does
not do that in standard mode.)
2019-08-12 17:59:13 +02:00
Florian Weimer
f0b2132b35 ld.so: Support moving versioned symbols between sonames [BZ #24741]
This change should be fully backwards-compatible because the old
code aborted the load if a soname mismatch was encountered
(instead of searching further for a matching symbol).  This means
that no different symbols are found.

The soname check was explicitly disabled for the skip_map != NULL
case.  However, this only happens with dl(v)sym and RTLD_NEXT,
and those lookups do not come with a verneed entry that could be used
for the check.

The error check was already explicitly disabled for the skip_map !=
NULL case, that is, when dl(v)sym was called with RTLD_NEXT.  But
_dl_vsym always sets filename in the struct r_found_version argument
to NULL, so the check was not active anyway.  This means that
symbol lookup results for the skip_map != NULL case do not change,
either.
2019-06-28 10:15:38 +02:00
Florian Weimer
2c75b545de elf: Refuse to dlopen PIE objects [BZ #24323]
Another executable has already been mapped, so the dynamic linker
cannot perform relocations correctly for the second executable.
2019-06-18 16:42:10 +02:00
Alexandra Hájková
481c30cb95 elf: Add tst-ldconfig-bad-aux-cache test [BZ #18093]
This test corrupts /var/cache/ldconfig/aux-cache and executes ldconfig
to check it will not segfault using the corrupted aux_cache. The test
uses the test-in-container framework. Verified no regressions on
x86_64.
2019-05-23 11:49:44 +02:00
Florian Weimer
c57afec0a9 elf: Link sotruss-lib.so with BIND_NOW for --enable-bind-now
The audit module itself can be linked with BIND_NOW; it does not
affect its functionality.

This should complete the leftovers from commit
2d6ab5df3b ("Document and fix
--enable-bind-now [BZ #21015]").
2019-04-26 07:16:56 +02:00
Adhemerval Zanella
1a4c27355e elf: Fix pldd (BZ#18035)
Since 9182aa6799 (Fix vDSO l_name for GDB's, BZ#387) the initial link_map
for executable itself and loader will have both l_name and l_libname->name
holding the same value due:

 elf/dl-object.c

 95   new->l_name = *realname ? realname : (char *) newname->name + libname_len - 1;

Since newname->name points to new->l_libname->name.

This leads to pldd to an infinite call at:

 elf/pldd-xx.c

203     again:
204       while (1)
205         {
206           ssize_t n = pread64 (memfd, tmpbuf.data, tmpbuf.length, name_offset);

228           /* Try the l_libname element.  */
229           struct E(libname_list) ln;
230           if (pread64 (memfd, &ln, sizeof (ln), m.l_libname) == sizeof (ln))
231             {
232               name_offset = ln.name;
233               goto again;
234             }

Since the value at ln.name (l_libname->name) will be the same as previously
read. The straightforward fix is just avoid the check and read the new list
entry.

I checked also against binaries issues with old loaders with fix for BZ#387,
and pldd could dump the shared objects.

Checked on x86_64-linux-gnu, i686-linux-gnu, aarch64-linux-gnu, and
powerpc64le-linux-gnu.

	[BZ #18035]
	* elf/Makefile (tests-container): Add tst-pldd.
	* elf/pldd-xx.c: Use _Static_assert in of pldd_assert.
	(E(find_maps)): Avoid use alloca, use default read file operations
	instead of explicit LFS names, and fix infinite	loop.
	* elf/pldd.c: Explicit set _FILE_OFFSET_BITS, cleanup headers.
	(get_process_info): Use _Static_assert instead of assert, use default
	directory operations instead of explicit LFS names, and free some
	leadek pointers.
	* elf/tst-pldd.c: New file.
2019-04-23 18:13:08 -03:00
Florian Weimer
c259196b50 elf/tst-big-note: Improve accuracy of test [BZ #20419]
It is possible that the link editor injects an allocated ABI tag note
before the artificial, allocated large note in the test.  Note parsing
in open_verify stops when the first ABI tag note is encountered, so if
the ABI tag note comes first, the problematic code is not actually
exercised.

Also tweak the artificial note so that it is a syntactically valid
4-byte aligned note, in case the link editor tries to parse notes and
process them.

Improves the testing part of commit 0065aaaaae.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2019-03-01 18:53:42 +01:00
Florian Weimer
cc3e573ce3 elf: Add tests with a local IFUNC resolver [BZ #23937]
The existing tests all use global symbols (but with different
visibility).  Local symbols could be treated differently by the
compiler and linker (as was the case on POWER ELFv2, causing
bug 23937), and we did not have test coverage for this.

Tested on x86-64 and POWER ELFv2 little-endian, with and without
--disable-multi-arch.  On POWER, the test cases elf/ifuncmain9,
elf/ifuncmain9pic, elf/ifuncmain9pie reproduce bug 23937 with older
binutils.
2019-02-28 11:52:44 +01:00
H.J. Lu
92ad88fe72 elf/Makefile: Run IFUNC tests if binutils supports IFUNC
We should run IFUNC tests with --disable-multi-arch if the toolchain
supports IFUNCs.  For correctness, --disable-multi-arch must not
remove IFUNC support from the loader.

Tested on x86-64, x32 and i686 with and without --disable-multi-arch.

	* configure.ac (have-ifunc): New LIBC_CONFIG_VAR.
	* configure: Regenerated.
	* elf/Makefile: Run IFUNC tests if binutils supports IFUNC.

Reviewed-by: Tulio Magno Quites Machado Filho <tuliom@linux.ibm.com>
2019-02-27 13:21:55 -08:00
Jim Wilson
85bd1ddbdf
RISC-V: Fix elfutils testsuite unwind failures.
The clone.S patch fixes 2 elfutils testsuite unwind failures, where the
backtrace gets stuck repeating __thread_start until we hit the backtrace
limit.  This was confirmed by building and installing a patched glibc and
then building elfutils and running its testsuite.

Unfortunately, the testcase isn't working as expected and I don't know why.
The testcase passes even when my clone.S patch is not installed.  The testcase
looks logically similarly to the elfutils testcases that are failing.  Maybe
there is a subtle difference in how the glibc unwinding works versus the
elfutils unwinding?  I don't have good gdb pthread support yet, so I haven't
found a way to debug this.  Anyways, I don't know if the testcase is useful or
not.  If the testcase isn't useful then maybe the clone.S patch is OK without
a testcase?

Jim

	[BZ #24040]
	* elf/Makefile (CFLAGS-tst-unwind-main.c): Add -DUSE_PTHREADS=0.
	* elf/tst-unwind-main.c: If USE_PTHEADS, include pthread.h and error.h
	(func): New.
	(main): If USE_PTHREADS, call pthread_create to run func.  Otherwise
	call func directly.
	* nptl/Makefile (tests): Add tst-unwind-thread.
	(CFLAGS-tst-unwind-thread.c): Define.
	* nptl/tst-unwind-thread.c: New file.
	* sysdeps/unix/sysv/linux/riscv/clone.S (__thread_start): Mark ra
	as undefined.
2019-02-13 14:25:00 -08:00
Adhemerval Zanella
b3fbfe8196 elf: Test for LD_AUDIT module returning zero from la_version [BZ #24122]
This includes the original test case from commit
8e889c5da3 ("elf: Fix LD_AUDIT for
modules with invalid version (BZ#24122)).
2019-02-12 13:51:43 +01:00
David Newall
8692ebdb12 elf: Implement --preload option for the dynamic linker 2019-02-04 13:35:12 +01:00
Adhemerval Zanella
83e6b59625 [elf] Revert 8e889c5da3 (BZ#24122)
It triggers an invalid build issue on GCC8+ and does not covers all
corner cases.
2019-01-25 08:10:15 -02:00
Adhemerval Zanella
8e889c5da3 elf: Fix LD_AUDIT for modules with invalid version (BZ#24122)
The error handling patch for invalid audit modules version access
invalid memory:

elf/rtld.c:

1454               unsigned int (*laversion) (unsigned int);
1455               unsigned int lav;
1456               if  (err_str == NULL
1457                    && (laversion = largs.result) != NULL
1458                    && (lav = laversion (LAV_CURRENT)) > 0
1459                    && lav <= LAV_CURRENT)
1460                 {
[...]
1526               else
1527                 {
1528                   /* We cannot use the DSO, it does not have the
1529                      appropriate interfaces or it expects something
1530                      more recent.  */
1531 #ifndef NDEBUG
1532                   Lmid_t ns = dlmargs.map->l_ns;
1533 #endif
1534                   _dl_close (dlmargs.map);
1535
1536                   /* Make sure the namespace has been cleared entirely.  */
1537                   assert (GL(dl_ns)[ns]._ns_loaded == NULL);
1538                   assert (GL(dl_ns)[ns]._ns_nloaded == 0);
1539
1540                   GL(dl_tls_max_dtv_idx) = tls_idx;
1541                   goto not_loaded;
1542                 }

1431           const char *err_str = NULL;
1432           bool malloced;
1433           (void) _dl_catch_error (&objname, &err_str, &malloced, dlmopen_doit,
1434                                   &dlmargs);
1435           if (__glibc_unlikely (err_str != NULL))
1436             {
1437             not_loaded:
1438               _dl_error_printf ("\
1439 ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
1440                                 name, err_str);
1441               if (malloced)
1442                 free ((char *) err_str);
1443             }

On failure the err_str will be NULL and _dl_debug_vdprintf does not handle
it properly:

elf/dl-misc.c:
200             case 's':
201               /* Get the string argument.  */
202               iov[niov].iov_base = va_arg (arg, char *);
203               iov[niov].iov_len = strlen (iov[niov].iov_base);
204               if (prec != -1)
205                 iov[niov].iov_len = MIN ((size_t) prec, iov[niov].iov_len);
206               ++niov;
207               break;

This patch fixes the issues and improves the error message.

Checked on x86_64-linux-gnu and i686-linux-gnu

	[BZ #24122]
	* elf/Makefile (tests): Add tst-audit13.
	(modules-names): Add tst-audit13mod1.
	(tst-audit13.out, LDFLAGS-tst-audit13mod1.so, tst-audit13-ENV): New
	rule.
	* elf/rtld.c (dl_main): Handle invalid audit module version.
	* elf/tst-audit13.c: New file.
	* elf/tst-audit13mod1.c: Likewise.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2019-01-24 09:38:43 -02:00
Joseph Myers
04277e02d7 Update copyright dates with scripts/update-copyrights.
* All files with FSF copyright notices: Update copyright dates
	using scripts/update-copyrights.
	* locale/programs/charmap-kw.h: Regenerated.
	* locale/programs/locfile-kw.h: Likewise.
2019-01-01 00:11:28 +00:00
H.J. Lu
a5275ba537 _dl_exception_create_format: Support %x/%lx/%zx
Add support for %x, %lx and %zx to _dl_exception_create_format and pad
to the full width with 0.

	* elf/Makefile (tests-internal): Add tst-create_format1.
	* elf/dl-exception.c (_dl_exception_create_format): Support
	%x, %lx and %zx.
	* elf/tst-create_format1.c: New file.
2018-11-29 14:47:27 -08:00
Andreas Schwab
2dd12baa04 RISC-V: properly terminate call chain (bug 23125)
Mark the ra register as undefined in _start, so that unwinding through
main works correctly.  Also, don't use a tail call so that ra points after
the call to __libc_start_main, not after the previous call.
2018-10-30 12:07:25 +01:00
Zong Li
41432ebe15 elf: Fix the ld flags not be applied to tst-execstack-mod.so
The Makefile variable name lacked the file extension (.so).  As a
result, tst-execstack-mod.so was not linked with the -z execstack
flag.
2018-10-25 13:08:24 +02:00
Andreas Schwab
6ca8284e7a Add missing unwind information to ld.so on powerpc32 (bug 23707) 2018-09-26 16:49:30 +02:00
Adhemerval Zanella
b5c45e8375 Fix ifunc support with DT_TEXTREL segments (BZ#20480)
Currently, DT_TEXTREL is incompatible with IFUNC.  When DT_TEXTREL or
DF_TEXTREL is seen, the dynamic linker calls __mprotect on the segments
with PROT_READ|PROT_WRITE before applying dynamic relocations. It leads
to segfault when performing IFUNC resolution (which requires PROT_EXEC
as well for the IFUNC resolver).

This patch makes it call __mprotect with extra PROT_WRITE bit, which
will keep the PROT_EXEC bit if exists, and thus fixes the segfault.
FreeBSD rtld libexec/rtld-elf/rtld.c (reloc_textrel_prot) does the same.

Checked on x86_64-linux-gnu, i686-linux-gnu, aarch64-linux-gnu,
sparc64-linux-gnu, sparcv9-linux-gnu, and armv8-linux-gnueabihf.

	Adam J. Richte  <adam_richter2004@yahoo.com>
	Adhemerval Zanella  <adhemerval.zanella@linaro.org>
	Fangrui Song  <maskray@google.com>

	[BZ #20480]
	* config.h.in (CAN_TEXTREL_IFUNC): New define.
	* configure.ac: Add check if linker supports textrel relocation with
	ifunc.
	* elf/dl-reloc.c (_dl_relocate_object): Use all required flags on
	DT_TEXTREL segments, not only PROT_READ and PROT_WRITE.
	* elf/Makefile (ifunc-pie-tests): Add tst-ifunc-textrel.
	(CFLAGS-tst-ifunc-textrel.c): New rule.
	* elf/tst-ifunc-textrel.c: New file.
2018-09-25 16:27:50 -03:00
Joseph Myers
221e4babca Include most of elf/ modules-names in modules-names-tests.
I'm testing a patch to let the compiler expand calls to floor in libm
as built-in function calls as much as possible, instead of calling
__floor, so that no architecture-specific __floor inlines are needed,
and then to arrange for non-inlined calls to end up calling __floor,
as done with sqrt and __ieee754_sqrt.

This shows up elf/tst-relsort1mod2.c calling floor, which must not be
converted to a call to __floor.  Now, while an IS_IN (libm)
conditional could be added to the existing conditionals on such
redirections in include/math.h, the _ISOMAC conditional ought to
suffice (code in other glibc libraries shouldn't be calling floor or
sqrt anyway, as they aren't provided in libc and the other libraries
don't link with libm).  But while tests are mostly now built with
_ISOMAC defined, test modules in modules-names aren't unless also
listed in modules-names-tests.

As far as I can see, all the modules in modules-names in elf/ are in
fact parts of tests and so listing them in modules-names-tests is
appropriate, so they get built with something closer to the headers
used for user code, except in a few cases that actually rely on
something from internal headers.  This patch duly sets
modules-names-tests there accordingly (filtering out those tests that
fail to build without internal headers).

Tested for x86_64, and with build-many-glibcs.py.

	* elf/Makefile (modules-names-tests): New variable.
2018-09-12 20:31:24 +00:00
Samuel Thibault
2d5c41ded9 check-execstack: Permit sysdeps to xfail some libs
* scripts/check-execstack.awk: Consider `xfail' variable containing a
	list
	of libraries whose stack executability is expected.
	* elf/Makefile ($(objpfx)check-execstack.out): Pass
	$(check-execstack-xfail) to check-execstack.awk through `xfail'
	variable.
	* sysdeps/mach/hurd/i386/Makefile (check-execstack-xfail): Set to ld.so
	libc.so libpthread.so.
2018-07-20 03:28:14 +02:00
H.J. Lu
f753fa7dea x86: Support IBT and SHSTK in Intel CET [BZ #21598]
Intel Control-flow Enforcement Technology (CET) instructions:

https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-en
forcement-technology-preview.pdf

includes Indirect Branch Tracking (IBT) and Shadow Stack (SHSTK).

GNU_PROPERTY_X86_FEATURE_1_IBT is added to GNU program property to
indicate that all executable sections are compatible with IBT when
ENDBR instruction starts each valid target where an indirect branch
instruction can land.  Linker sets GNU_PROPERTY_X86_FEATURE_1_IBT on
output only if it is set on all relocatable inputs.

On an IBT capable processor, the following steps should be taken:

1. When loading an executable without an interpreter, enable IBT and
lock IBT if GNU_PROPERTY_X86_FEATURE_1_IBT is set on the executable.
2. When loading an executable with an interpreter, enable IBT if
GNU_PROPERTY_X86_FEATURE_1_IBT is set on the interpreter.
  a. If GNU_PROPERTY_X86_FEATURE_1_IBT isn't set on the executable,
     disable IBT.
  b. Lock IBT.
3. If IBT is enabled, when loading a shared object without
GNU_PROPERTY_X86_FEATURE_1_IBT:
  a. If legacy interwork is allowed, then mark all pages in executable
     PT_LOAD segments in legacy code page bitmap.  Failure of legacy code
     page bitmap allocation causes an error.
  b. If legacy interwork isn't allowed, it causes an error.

GNU_PROPERTY_X86_FEATURE_1_SHSTK is added to GNU program property to
indicate that all executable sections are compatible with SHSTK where
return address popped from shadow stack always matches return address
popped from normal stack.  Linker sets GNU_PROPERTY_X86_FEATURE_1_SHSTK
on output only if it is set on all relocatable inputs.

On a SHSTK capable processor, the following steps should be taken:

1. When loading an executable without an interpreter, enable SHSTK if
GNU_PROPERTY_X86_FEATURE_1_SHSTK is set on the executable.
2. When loading an executable with an interpreter, enable SHSTK if
GNU_PROPERTY_X86_FEATURE_1_SHSTK is set on interpreter.
  a. If GNU_PROPERTY_X86_FEATURE_1_SHSTK isn't set on the executable
     or any shared objects loaded via the DT_NEEDED tag, disable SHSTK.
  b. Otherwise lock SHSTK.
3. After SHSTK is enabled, it is an error to load a shared object
without GNU_PROPERTY_X86_FEATURE_1_SHSTK.

To enable CET support in glibc, --enable-cet is required to configure
glibc.  When CET is enabled, both compiler and assembler must support
CET.  Otherwise, it is a configure-time error.

To support CET run-time control,

1. _dl_x86_feature_1 is added to the writable ld.so namespace to indicate
if IBT or SHSTK are enabled at run-time.  It should be initialized by
init_cpu_features.
2. For dynamic executables:
   a. A l_cet field is added to struct link_map to indicate if IBT or
      SHSTK is enabled in an ELF module.  _dl_process_pt_note or
      _rtld_process_pt_note is called to process PT_NOTE segment for
      GNU program property and set l_cet.
   b. _dl_open_check is added to check IBT and SHSTK compatibilty when
      dlopening a shared object.
3. Replace i386 _dl_runtime_resolve and _dl_runtime_profile with
_dl_runtime_resolve_shstk and _dl_runtime_profile_shstk, respectively if
SHSTK is enabled.

CET run-time control can be changed via GLIBC_TUNABLES with

$ export GLIBC_TUNABLES=glibc.tune.x86_shstk=[permissive|on|off]
$ export GLIBC_TUNABLES=glibc.tune.x86_ibt=[permissive|on|off]

1. permissive: SHSTK is disabled when dlopening a legacy ELF module.
2. on: IBT or SHSTK are always enabled, regardless if there are IBT or
SHSTK bits in GNU program property.
3. off: IBT or SHSTK are always disabled, regardless if there are IBT or
SHSTK bits in GNU program property.

<cet.h> from CET-enabled GCC is automatically included by assembly codes
to add GNU_PROPERTY_X86_FEATURE_1_IBT and GNU_PROPERTY_X86_FEATURE_1_SHSTK
to GNU program property.  _CET_ENDBR is added at the entrance of all
assembly functions whose address may be taken.  _CET_NOTRACK is used to
insert NOTRACK prefix with indirect jump table to support IBT.  It is
defined as notrack when _CET_NOTRACK is defined in <cet.h>.

	 [BZ #21598]
	* configure.ac: Add --enable-cet.
	* configure: Regenerated.
	* elf/Makefille (all-built-dso): Add a comment.
	* elf/dl-load.c (filebuf): Moved before "dynamic-link.h".
	Include <dl-prop.h>.
	(_dl_map_object_from_fd): Call _dl_process_pt_note on PT_NOTE
	segment.
	* elf/dl-open.c: Include <dl-prop.h>.
	(dl_open_worker): Call _dl_open_check.
	* elf/rtld.c: Include <dl-prop.h>.
	(dl_main): Call _rtld_process_pt_note on PT_NOTE segment.  Call
	_rtld_main_check.
	* sysdeps/generic/dl-prop.h: New file.
	* sysdeps/i386/dl-cet.c: Likewise.
	* sysdeps/unix/sysv/linux/x86/cpu-features.c: Likewise.
	* sysdeps/unix/sysv/linux/x86/dl-cet.h: Likewise.
	* sysdeps/x86/cet-tunables.h: Likewise.
	* sysdeps/x86/check-cet.awk: Likewise.
	* sysdeps/x86/configure: Likewise.
	* sysdeps/x86/configure.ac: Likewise.
	* sysdeps/x86/dl-cet.c: Likewise.
	* sysdeps/x86/dl-procruntime.c: Likewise.
	* sysdeps/x86/dl-prop.h: Likewise.
	* sysdeps/x86/libc-start.h: Likewise.
	* sysdeps/x86/link_map.h: Likewise.
	* sysdeps/i386/dl-trampoline.S (_dl_runtime_resolve): Add
	_CET_ENDBR.
	(_dl_runtime_profile): Likewise.
	(_dl_runtime_resolve_shstk): New.
	(_dl_runtime_profile_shstk): Likewise.
	* sysdeps/linux/x86/Makefile (sysdep-dl-routines): Add dl-cet
	if CET is enabled.
	(CFLAGS-.o): Add -fcf-protection if CET is enabled.
	(CFLAGS-.os): Likewise.
	(CFLAGS-.op): Likewise.
	(CFLAGS-.oS): Likewise.
	(asm-CPPFLAGS): Add -fcf-protection -include cet.h if CET
	is enabled.
	(tests-special): Add $(objpfx)check-cet.out.
	(cet-built-dso): New.
	(+$(cet-built-dso:=.note)): Likewise.
	(common-generated): Add $(cet-built-dso:$(common-objpfx)%=%.note).
	($(objpfx)check-cet.out): New.
	(generated): Add check-cet.out.
	* sysdeps/x86/cpu-features.c: Include <dl-cet.h> and
	<cet-tunables.h>.
	(TUNABLE_CALLBACK (set_x86_ibt)): New prototype.
	(TUNABLE_CALLBACK (set_x86_shstk)): Likewise.
	(init_cpu_features): Call get_cet_status to check CET status
	and update dl_x86_feature_1 with CET status.  Call
	TUNABLE_CALLBACK (set_x86_ibt) and TUNABLE_CALLBACK
	(set_x86_shstk).  Disable and lock CET in libc.a.
	* sysdeps/x86/cpu-tunables.c: Include <cet-tunables.h>.
	(TUNABLE_CALLBACK (set_x86_ibt)): New function.
	(TUNABLE_CALLBACK (set_x86_shstk)): Likewise.
	* sysdeps/x86/sysdep.h (_CET_NOTRACK): New.
	(_CET_ENDBR): Define if not defined.
	(ENTRY): Add _CET_ENDBR.
	* sysdeps/x86/dl-tunables.list (glibc.tune): Add x86_ibt and
	x86_shstk.
	* sysdeps/x86_64/dl-trampoline.h (_dl_runtime_resolve): Add
	_CET_ENDBR.
	(_dl_runtime_profile): Likewise.
2018-07-16 14:08:27 -07:00
Maciej W. Rozycki
bac15a72fc elf: Accept absolute (SHN_ABS) symbols whose value is zero [BZ #23307]
We have this condition in `check_match' (in elf/dl-lookup.c):

  if (__glibc_unlikely ((sym->st_value == 0 /* No value.  */
                         && stt != STT_TLS)
                        || ELF_MACHINE_SYM_NO_MATCH (sym)
                        || (type_class & (sym->st_shndx == SHN_UNDEF))))
    return NULL;

which causes all !STT_TLS symbols whose value is zero to be silently
ignored in lookup.  This may make sense for regular symbols, however not
for absolute (SHN_ABS) ones, where zero is like any value, there's no
special meaning attached to it.

Consequently legitimate programs fail, for example taking the
`elf/tst-absolute-sym' test case, substituting 0 for 0x55aa in
`elf/tst-absolute-sym-lib.lds' and then trying to run the resulting
program we get this:

$ .../elf/tst-absolute-sym
.../elf/tst-absolute-sym: symbol lookup error: .../elf/tst-absolute-sym-lib.so: undefined symbol: absolute
$

even though the symbol clearly is there:

$ readelf --dyn-syms .../elf/tst-absolute-sym-lib.so | grep '\babsolute\b'
     7: 00000000     0 NOTYPE  GLOBAL DEFAULT  ABS absolute
$

The check for the zero value has been there since forever or commit
d66e34cd4234/08162fa88891 ("Implemented runtime dynamic linker to
support ELF shared libraries.") dating back to May 2nd 1995, and the
problem triggers regardless of commit e7feec374c ("elf: Correct
absolute (SHN_ABS) symbol run-time calculation [BZ #19818]") being
present or not.

Fix the issue then, by permitting `sym->st_value' to be 0 for SHN_ABS
symbols in lookup.

	[BZ #23307]
	* elf/dl-lookup.c (check_match): Do not reject a symbol whose
	`st_value' is 0 if `st_shndx' is SHN_ABS.
	* elf/tst-absolute-zero.c: New file.
	* elf/tst-absolute-zero-lib.c: New file.
	* elf/tst-absolute-zero-lib.lds: New file.
	* elf/Makefile (tests): Add `tst-absolute-zero'.
	(modules-names): Add `tst-absolute-zero-lib'.
	(LDLIBS-tst-absolute-zero-lib.so): New variable.
	($(objpfx)tst-absolute-zero-lib.so): New dependency.
	($(objpfx)tst-absolute-zero: New dependency.
2018-06-29 17:10:43 +01:00
Zack Weinberg
e69d994a63 New configure option --disable-crypt.
Some Linux distributions are experimenting with a new, separately
maintained and hopefully more agile implementation of the crypt
API.  To facilitate this, add a configure option which disables
glibc's embedded libcrypt.  When this option is given, libcrypt.*
and crypt.h will not be built nor installed.
2018-06-29 16:53:47 +02:00
H.J. Lu
67c0579669 Mark _init and _fini as hidden [BZ #23145]
_init and _fini are special functions provided by glibc for linker to
define DT_INIT and DT_FINI in executable and shared library.  They
should never be put in dynamic symbol table.  This patch marks them as
hidden to remove them from dynamic symbol table.

Tested with build-many-glibcs.py.

	[BZ #23145]
	* elf/Makefile (tests-special): Add $(objpfx)check-initfini.out.
	($(all-built-dso:=.dynsym): New target.
	(common-generated): Add $(all-built-dso:$(common-objpfx)%=%.dynsym).
	($(objpfx)check-initfini.out): New target.
	(generated): Add check-initfini.out.
	* scripts/check-initfini.awk: New file.
	* sysdeps/aarch64/crti.S (_init): Mark as hidden.
	(_fini): Likewise.
	* sysdeps/alpha/crti.S (_init): Mark as hidden.
	(_fini): Likewise.
	* sysdeps/arm/crti.S (_init): Mark as hidden.
	(_fini): Likewise.
	* sysdeps/hppa/crti.S (_init): Mark as hidden.
	(_fini): Likewise.
	* sysdeps/i386/crti.S (_init): Mark as hidden.
	(_fini): Likewise.
	* sysdeps/ia64/crti.S (_init): Mark as hidden.
	(_fini): Likewise.
	* sysdeps/m68k/crti.S (_init): Mark as hidden.
	(_fini): Likewise.
	* sysdeps/microblaze/crti.S (_init): Mark as hidden.
	(_fini): Likewise.
	* sysdeps/mips/mips32/crti.S (_init): Mark as hidden.
	(_fini): Likewise.
	* sysdeps/mips/mips64/n32/crti.S (_init): Mark as hidden.
	(_fini): Likewise.
	* sysdeps/mips/mips64/n64/crti.S (_init): Mark as hidden.
	(_fini): Likewise.
	* sysdeps/nios2/crti.S (_init): Mark as hidden.
	(_fini): Likewise.
	* sysdeps/powerpc/powerpc32/crti.S (_init): Mark as hidden.
	(_fini): Likewise.
	* sysdeps/powerpc/powerpc64/crti.S (_init): Mark as hidden.
	(_fini): Likewise.
	* sysdeps/s390/s390-32/crti.S (_init): Mark as hidden.
	(_fini): Likewise.
	* sysdeps/s390/s390-64/crti.S (_init): Mark as hidden.
	(_fini): Likewise.
	* sysdeps/sh/crti.S (_init): Mark as hidden.
	(_fini): Likewise.
	* sysdeps/sparc/crti.S (_init): Mark as hidden.
	(_fini): Likewise.
	* sysdeps/x86_64/crti.S (_init): Mark as hidden.
	(_fini): Likewise.
2018-06-08 10:28:52 -07:00
Paul Pluzhnikov
0065aaaaae Fix BZ 20419. A PT_NOTE in a binary could be arbitratily large, so using
alloca for it may cause stack overflow.  If the note is larger than
__MAX_ALLOCA_CUTOFF, use dynamically allocated memory to read it in.

2018-05-05  Paul Pluzhnikov  <ppluzhnikov@google.com>

	[BZ #20419]
	* elf/dl-load.c (open_verify): Fix stack overflow.
	* elf/Makefile (tst-big-note): New test.
	* elf/tst-big-note-lib.S: New.
	* elf/tst-big-note.c: New.
2018-05-05 18:08:27 -07:00
Maciej W. Rozycki
e7feec374c elf: Correct absolute (SHN_ABS) symbol run-time calculation [BZ #19818]
Do not relocate absolute symbols by the base address.  Such symbols have
SHN_ABS as the section index and their value is not supposed to be
affected by relocation as per the ELF gABI[1]:

"SHN_ABS
    The symbol has an absolute value that will not change because of
    relocation."

The reason for our non-conformance here seems to be an old SysV linker
bug causing symbols like _DYNAMIC to be incorrectly emitted as absolute
symbols[2].  However in a previous discussion it was pointed that this
is seriously flawed by preventing the lone purpose of the existence of
absolute symbols from being used[3]:

"On the contrary, the only interpretation that makes sense to me is that
it will not change because of relocation at link time or at load time.
Absolute symbols, from the days of the earliest linking loaders, have
been used to represent addresses that are outside the address space of
the module (e.g., memory-mapped addresses or kernel gateway pages).
They've even been used to represent true symbolic constants (e.g.,
system entry point numbers, sizes, version numbers).  There's no other
way to represent a true absolute symbol, while the meaning you seek is
easily represented by giving the symbol a non-negative st_shndx value."

and we ought to stop supporting our current broken interpretation.

Update processing for dladdr(3) and dladdr1(3) so that SHN_ABS symbols
are ignored, because under the corrected interpretation they do not
represent addresses within a mapped file and therefore are not supposed
to be considered.

References:

[1] "System V Application Binary Interface - DRAFT - 19 October 2010",
    The SCO Group, Section "Symbol Table",
    <http://www.sco.com/developers/gabi/2012-12-31/ch4.symtab.html>

[2] Alan Modra, "Absolute symbols"
    <https://sourceware.org/ml/binutils/2012-05/msg00019.html>

[3] Cary Coutant, "Re: Absolute symbols"
    <https://sourceware.org/ml/binutils/2012-05/msg00020.html>

	[BZ #19818]
	* sysdeps/generic/ldsodefs.h (SYMBOL_ADDRESS): Handle SHN_ABS
	symbols.
	* elf/dl-addr.c (determine_info): Ignore SHN_ABS symbols.
	* elf/tst-absolute-sym.c: New file.
	* elf/tst-absolute-sym-lib.c: New file.
	* elf/tst-absolute-sym-lib.lds: New file.
	* elf/Makefile (tests): Add `tst-absolute-sym'.
	(modules-names): Add `tst-absolute-sym-lib'.
	(LDLIBS-tst-absolute-sym-lib.so): New variable.
	($(objpfx)tst-absolute-sym-lib.so): New dependency.
	($(objpfx)tst-absolute-sym): New dependency.
2018-04-04 23:09:37 +01:00