authorSamuel Thibault <samuel.thibault@ens-lyon.org>2018-12-27 14:12:05 +0000
committerSamuel Thibault <samuel.thibault@ens-lyon.org>2018-12-27 14:12:05 +0000
commit963c37d5c0eb62b38f8764b23931c0dcdd497a13 (patch)
tree12a521ddf17b3e1bb26594656bbb05903c54afd0 /elf/dl-load.c
parent7bb5f8a836b916d6ebf7b6921b136e99cea2442d (diff)
parent3c03baca37fdcb52c3881e653ca392bba7a99c2b (diff)
Merge tag 'glibc-2.28' into baseline-2.28baseline
The GNU C Library ================= The GNU C Library version 2.28 is now available. The GNU C Library is used as *the* C library in the GNU system and in GNU/Linux systems, as well as many other systems that use Linux as the kernel. The GNU C Library is primarily designed to be a portable and high performance C library. It follows all relevant standards including ISO C11 and POSIX.1-2008. It is also internationalized and has one of the most complete internationalization interfaces known. The GNU C Library webpage is at http://www.gnu.org/software/libc/ Packages for the 2.28 release may be downloaded from: http://ftpmirror.gnu.org/libc/ http://ftp.gnu.org/gnu/libc/ The mirror list is at http://www.gnu.org/order/ftp.html NEWS for version 2.28 ===================== Major new features: * The localization data for ISO 14651 is updated to match the 2016 Edition 4 release of the standard, this matches data provided by Unicode 9.0.0. This update introduces significant improvements to the collation of Unicode characters. This release deviates slightly from the standard in that the collation element ordering for lowercase and uppercase LATIN script characters is adjusted to ensure that regular expressions with ranges like [a-z] and [A-Z] don't interleave e.g. A is not matched by [a-z]. With the update many locales have been updated to take advantage of the new collation information. The new collation information has increased the size of the compiled locale archive or binary locales. * The GNU C Library can now be compiled with support for Intel CET, AKA Intel Control-flow Enforcement Technology. When the library is built with --enable-cet, the resulting glibc is protected with indirect branch tracking (IBT) and shadow stack (SHSTK). CET-enabled glibc is compatible with all existing executables and shared libraries. This feature is currently supported on i386, x86_64 and x32 with GCC 8 and binutils 2.29 or later. 
Note that CET-enabled glibc requires CPUs capable of multi-byte NOPs, like x86-64 processors as well as Intel Pentium Pro or newer. NOTE: --enable-cet has been tested for i686, x86_64 and x32 on non-CET processors. --enable-cet has been tested for x86_64 and x32 on CET SDVs, but Intel CET support hasn't been validated for i686. * The GNU C Library now has correct support for ABSOLUTE symbols (SHN_ABS-relative symbols). Previously such ABSOLUTE symbols were relocated incorrectly or in some cases discarded. The GNU linker can make use of the newer semantics, but it must communicate it to the dynamic loader by setting the ELF file's identification (EI_ABIVERSION field) to indicate such support is required. * Unicode 11.0.0 Support: Character encoding, character type info, and transliteration tables are all updated to Unicode 11.0.0, using generator scripts contributed by Mike FABIAN (Red Hat). * <math.h> functions that round their results to a narrower type are added from TS 18661-1:2014 and TS 18661-3:2015: - fadd, faddl, daddl and corresponding fMaddfN, fMaddfNx, fMxaddfN and fMxaddfNx functions. - fsub, fsubl, dsubl and corresponding fMsubfN, fMsubfNx, fMxsubfN and fMxsubfNx functions. - fmul, fmull, dmull and corresponding fMmulfN, fMmulfNx, fMxmulfN and fMxmulfNx functions. - fdiv, fdivl, ddivl and corresponding fMdivfN, fMdivfNx, fMxdivfN and fMxdivfNx functions. * Two grammatical forms of month names are now supported for the following languages: Armenian, Asturian, Catalan, Czech, Kashubian, Occitan, Ossetian, Scottish Gaelic, Upper Sorbian, and Walloon. The following languages now support two grammatical forms in abbreviated month names: Catalan, Greek, and Kashubian. * Newly added locales: Lower Sorbian (dsb_DE) and Yakut (sah_RU) also include the support for two grammatical forms of month names. * Building and running on GNU/Hurd systems now works without out-of-tree patches. 
* The renameat2 function has been added, a variant of the renameat function which has a flags argument. If the flags are zero, the renameat2 function acts like renameat. If the flag is not zero and there is no kernel support for renameat2, the function will fail with an errno value of EINVAL. This is different from the existing gnulib function renameatu, which performs a plain rename operation in case of a RENAME_NOREPLACE flags and a non-existing destination (and therefore has a race condition that can clobber the destination inadvertently). * The statx function has been added, a variant of the fstatat64 function with an additional flags argument. If there is no direct kernel support for statx, glibc provides basic stat support based on the fstatat64 function. * IDN domain names in getaddrinfo and getnameinfo now use the system libidn2 library if installed. libidn2 version 2.0.5 or later is recommended. If libidn2 is not available, internationalized domain names are not encoded or decoded even if the AI_IDN or NI_IDN flags are passed to getaddrinfo or getnameinfo. (getaddrinfo calls with non-ASCII names and AI_IDN will fail with an encoding error.) Flags which used to change the IDN encoding and decoding behavior (AI_IDN_ALLOW_UNASSIGNED, AI_IDN_USE_STD3_ASCII_RULES, NI_IDN_ALLOW_UNASSIGNED, NI_IDN_USE_STD3_ASCII_RULES) have been deprecated. They no longer have any effect. * Parsing of dynamic string tokens in DT_RPATH, DT_RUNPATH, DT_NEEDED, DT_AUXILIARY, and DT_FILTER has been expanded to support the full range of ELF gABI expressions including such constructs as '$ORIGIN$ORIGIN' (if valid). For SUID/GUID applications the rules have been further restricted, and where in the past a dynamic string token sequence may have been interpreted as a literal string it will now cause a load failure. These load failures were always considered unspecified behaviour from the perspective of the dynamic loader, and for safety are now load errors e.g. 
/foo/${ORIGIN}.so in DT_NEEDED results in a load failure now. * Support for ISO C threads (ISO/IEC 9899:2011) has been added. The implementation includes all the standard functions provided by <threads.h>: - thrd_current, thrd_equal, thrd_sleep, thrd_yield, thrd_create, thrd_detach, thrd_exit, and thrd_join for thread management. - mtx_init, mtx_lock, mtx_timedlock, mtx_trylock, mtx_unlock, and mtx_destroy for mutual exclusion. - call_once for function call synchronization. - cnd_broadcast, cnd_destroy, cnd_init, cnd_signal, cnd_timedwait, and cnd_wait for conditional variables. - tss_create, tss_delete, tss_get, and tss_set for thread-local storage. Application developers must link against libpthread to use ISO C threads. Deprecated and removed features, and other changes affecting compatibility: * The nonstandard header files <libio.h> and <_G_config.h> are no longer installed. Software that was using either header should be updated to use standard <stdio.h> interfaces instead. * The stdio functions 'getc' and 'putc' are no longer defined as macros. This was never required by the C standard, and the macros just expanded to call alternative names for the same functions. If you hoped getc and putc would provide performance improvements over fgetc and fputc, instead investigate using (f)getc_unlocked and (f)putc_unlocked, and, if necessary, flockfile and funlockfile. * All stdio functions now treat end-of-file as a sticky condition. If you read from a file until EOF, and then the file is enlarged by another process, you must call clearerr or another function with the same effect (e.g. fseek, rewind) before you can read the additional data. This corrects a longstanding C99 conformance bug. It is most likely to affect programs that use stdio to read interactive input from a terminal. (Bug #1190.) 
* The macros 'major', 'minor', and 'makedev' are now only available from the header <sys/sysmacros.h>; not from <sys/types.h> or various other headers that happen to include <sys/types.h>. These macros are rarely used, not part of POSIX nor XSI, and their names frequently collide with user code; see https://sourceware.org/bugzilla/show_bug.cgi?id=19239 for further explanation. <sys/sysmacros.h> is a GNU extension. Portable programs that require these macros should first include <sys/types.h>, and then include <sys/sysmacros.h> if __GNU_LIBRARY__ is defined. * The tilegx*-*-linux-gnu configurations are no longer supported. * The obsolete function ustat is no longer available to newly linked binaries; the headers <ustat.h> and <sys/ustat.h> have been removed. This function has been deprecated in favor of fstatfs and statfs. * The obsolete function nfsservctl is no longer available to newly linked binaries. This function was specific to systems using the Linux kernel and could not usefully be used with the GNU C Library on systems with version 3.1 or later of the Linux kernel. * The obsolete function name llseek is no longer available to newly linked binaries. This function was specific to systems using the Linux kernel and was not declared in a header. Programs should use the lseek64 name for this function instead. * The AI_IDN_ALLOW_UNASSIGNED and NI_IDN_ALLOW_UNASSIGNED flags for the getaddrinfo and getnameinfo functions have been deprecated. The behavior previously selected by them is now always enabled. * The AI_IDN_USE_STD3_ASCII_RULES and NI_IDN_USE_STD3_ASCII_RULES flags for the getaddrinfo and getnameinfo functions have been deprecated. The STD3 restriction (rejecting '_' in host names, among other things) has been removed, for increased compatibility with non-IDN name resolution. * The fcntl function now has a Long File Support variant named fcntl64. It is added to fix some Linux Open File Description (OFD) locks usage on non LFS mode.
As for others *64 functions, fcntl64 semantics are analogous with fcntl and LFS support is handled transparently. Also for Linux, the OFD locks act as a cancellation entrypoint. * The obsolete functions encrypt, encrypt_r, setkey, setkey_r, cbc_crypt, ecb_crypt, and des_setparity are no longer available to newly linked binaries, and the headers <rpc/des_crypt.h> and <rpc/rpc_des.h> are no longer installed. These functions encrypted and decrypted data with the DES block cipher, which is no longer considered secure. Software that still uses these functions should switch to a modern cryptography library, such as libgcrypt. * Reflecting the removal of the encrypt and setkey functions above, the macro _XOPEN_CRYPT is no longer defined. As a consequence, the crypt function is no longer declared unless _DEFAULT_SOURCE or _GNU_SOURCE is enabled. * The obsolete function fcrypt is no longer available to newly linked binaries. It was just another name for the standard function crypt, and it has not appeared in any header file in many years. * We have tentative plans to hand off maintenance of the passphrase-hashing library, libcrypt, to a separate development project that will, we hope, keep up better with new passphrase-hashing algorithms. We will continue to declare 'crypt' in <unistd.h>, and programs that use 'crypt' or 'crypt_r' should not need to change at all; however, distributions will need to install <crypt.h> and libcrypt from a separate project. In this release, if the configure option --disable-crypt is used, glibc will not install <crypt.h> or libcrypt, making room for the separate project's versions of these files. The plan is to make this the default behavior in a future release. Changes to build and runtime requirements: GNU make 4.0 or later is now required to build glibc. 
Security related changes: CVE-2016-6261, CVE-2016-6263, CVE-2017-14062: Various vulnerabilities have been fixed by removing the glibc-internal IDNA implementation and using the system-provided libidn2 library instead. Originally reported by Hanno Böck and Christian Weisgerber. CVE-2017-18269: An SSE2-based memmove implementation for the i386 architecture could corrupt memory. Reported by Max Horn. CVE-2018-11236: Very long pathname arguments to realpath function could result in an integer overflow and buffer overflow. Reported by Alexey Izbyshev. CVE-2018-11237: The mempcpy implementation for the Intel Xeon Phi architecture could write beyond the target buffer, resulting in a buffer overflow. Reported by Andreas Schwab. The following bugs are resolved with this release: [1190] stdio: fgetc()/fread() behaviour is not POSIX compliant [6889] manual: 'PWD' mentioned but not specified [13575] libc: SSIZE_MAX defined as LONG_MAX is inconsistent with ssize_t, when __WORDSIZE != 64 [13762] regex: re_search etc. should return -2 on memory exhaustion [13888] build: /tmp usage during testing [13932] math: dbl-64 pow unexpectedly slow for some inputs [14092] nptl: Support C11 threads [14095] localedata: Review / update collation data from Unicode / ISO 14651 [14508] libc: -Wformat warnings [14553] libc: Namespace pollution loff_t in sys/types.h [14890] libc: Make NT_PRFPREG canonical. 
[15105] libc: Extra PLT references with -Os [15512] libc: __bswap_constant_16 not compiled when -Werror -Wsign- conversion is given [16335] manual: Feature test macro documentation incomplete and out of date [16552] libc: Unify umount implementations in terms of umount2 [17082] libc: htons et al.: statement-expressions prevent use on global scope with -O1 and higher [17343] libc: Signed integer overflow in /stdlib/random_r.c [17438] localedata: pt_BR: wrong d_fmt delimiter [17662] libc: please implement binding for the new renameat2 syscall [17721] libc: __restrict defined as /* Ignore */ even in c11 [17979] libc: inconsistency between uchar.h and stdint.h [18018] dynamic-link: Additional $ORIGIN handling issues (CVE-2011-0536) [18023] libc: extend_alloca is broken (questionable pointer comparison, horrible machine code) [18124] libc: hppa: setcontext erroneously returns -1 as exit code for last constant. [18471] libc: llseek should be a compat symbol [18473] soft-fp: [powerpc-nofpu] __sqrtsf2, __sqrtdf2 should be compat symbols [18991] nss: nss_files skips large entry in database [19239] libc: Including stdlib.h ends up with macros major and minor being defined [19463] libc: linknamespace failures when compiled with -Os [19485] localedata: csb_PL: Update month translations + add yesstr/nostr [19527] locale: Normalized charset name not recognized by setlocale [19667] string: Missing Sanity Check for malloc calls in file 'testcopy.c' [19668] libc: Missing Sanity Check for malloc() in file 'tst-setcontext- fpscr.c' [19728] network: out of bounds stack read in libidn function idna_to_ascii_4i (CVE-2016-6261) [19729] network: out of bounds heap read on invalid utf-8 inputs in stringprep_utf8_nfkc_normalize (CVE-2016-6263) [19818] dynamic-link: Absolute (SHN_ABS) symbols incorrectly relocated by the base address [20079] libc: Add SHT_X86_64_UNWIND to elf.h [20251] libc: 32bit programs pass garbage in struct flock for OFD locks [20419] dynamic-link: files with large 
allocated notes crash in open_verify [20530] libc: bswap_16 should use __builtin_bswap16() when available [20890] dynamic-link: ldconfig: fsync the files before atomic rename [20980] manual: CFLAGS environment variable replaces vital options [21163] regex: Assertion failure in pop_fail_stack when executing a malformed regexp (CVE-2015-8985) [21234] manual: use of CFLAGS makes glibc detect no optimization [21269] dynamic-link: i386 sigaction sa_restorer handling is wrong [21313] build: Compile Error GCC 5.4.0 MIPS with -0S [21314] build: Compile Error GCC 5.2.0 MIPS with -0s [21508] locale: intl/tst-gettext failure with latest msgfmt [21547] localedata: Tibetan script collation broken (Dzongkha and Tibetan) [21812] network: getifaddrs() returns entries with ifa_name == NULL [21895] libc: ppc64 setjmp/longjmp not fully interoperable with static dlopen [21942] dynamic-link: _dl_dst_substitute incorrectly handles $ORIGIN: with AT_SECURE=1 [22241] localedata: New locale: Yakut (Sakha) locale for Russia (sah_RU) [22247] network: Integer overflow in the decode_digit function in puny_decode.c in libidn (CVE-2017-14062) [22342] nscd: NSCD not properly caching netgroup [22391] nptl: Signal function clear NPTL internal symbols inconsistently [22550] localedata: es_ES locale (and other es_* locales): collation should treat ñ as a primary different character, sync the collation for Spanish with CLDR [22638] dynamic-link: sparc: static binaries are broken if glibc is built by gcc configured with --enable-default-pie [22639] time: year 2039 bug for localtime etc. 
on 64-bit platforms [22644] string: memmove-sse2-unaligned on 32bit x86 produces garbage when crossing 2GB threshold (CVE-2017-18269) [22646] localedata: redundant data (LC_TIME) for es_CL, es_CU, es_EC and es_BO [22735] time: Misleading typo in time.h source comment regarding CLOCKS_PER_SECOND [22753] libc: preadv2/pwritev2 fallback code should handle offset=-1 [22761] libc: No trailing `%n' conversion specifier in FMT passed from `__assert_perror_fail ()' to `__assert_fail_base ()' [22766] libc: all glibc internal dlopen should use RTLD_NOW for robust dlopen failures [22786] libc: Stack buffer overflow in realpath() if input size is close to SSIZE_MAX (CVE-2018-11236) [22787] dynamic-link: _dl_check_caller returns false when libc is linked through an absolute DT_NEEDED path [22792] build: tcb-offsets.h dependency dropped [22797] libc: pkey_get() uses non-reserved name of argument [22807] libc: PTRACE_* constants missing for powerpc [22818] glob: posix/tst-glob_lstat_compat failure on alpha [22827] dynamic-link: RISC-V ELF64 parser mis-reads flag in ldconfig [22830] malloc: malloc_stats doesn't restore cancellation state on stderr [22848] localedata: ca_ES: update date definitions from CLDR [22862] build: _DEFAULT_SOURCE is defined even when _ISOC11_SOURCE is [22884] math: RISCV fmax/fmin handle signalling NANs incorrectly [22896] localedata: Update locale data for an_ES [22902] math: float128 test failures with GCC 8 [22918] libc: multiple common of `__nss_shadow_database' [22919] libc: sparc32: backtrace yields infinite backtrace with makecontext [22926] libc: FTBFS on powerpcspe [22932] localedata: lt_LT: Update of abbreviated month names from CLDR required [22937] localedata: Greek (el_GR, el_CY) locales actually need ab_alt_mon [22947] libc: FAIL: misc/tst-preadvwritev2 [22963] localedata: cs_CZ: Add alternative month names [22987] math: [powerpc/sparc] fdim inlines errno, exceptions handling [22996] localedata: change LC_PAPER to en_US in es_BO locale 
[22998] dynamic-link: execstack tests are disabled when SELinux is disabled [23005] network: Crash in __res_context_send after memory allocation failure [23007] math: strtod cannot handle -nan [23024] nss: getlogin_r is performing NSS lookups when loginid isn't set [23036] regex: regex equivalence class regression [23037] libc: initialize msg_flags to zero for sendmmsg() calls [23069] libc: sigaction broken on riscv64-linux-gnu [23094] localedata: hr_HR: wrong thousands_sep and mon_thousands_sep [23102] dynamic-link: Incorrect parsing of multiple consecutive $variable patterns in runpath entries (e.g. $ORIGIN$ORIGIN) [23137] nptl: s390: pthread_join sometimes block indefinitely (on 31bit and libc build with -Os) [23140] localedata: More languages need two forms of month names [23145] libc: _init/_fini aren't marked as hidden [23152] localedata: gd_GB: Fix typo in "May" (abbreviated) [23171] math: C++ iseqsig for long double converts arguments to double [23178] nscd: sudo will fail when it is run in concurrent with commands that changes /etc/passwd [23196] string: __mempcpy_avx512_no_vzeroupper mishandles large copies (CVE-2018-11237) [23206] dynamic-link: static-pie + dlopen breaks debugger interaction [23208] localedata: New locale - Lower Sorbian (dsb) [23233] regex: Memory leak in build_charclass_op function in file posix/regcomp.c [23236] stdio: Harden function pointers in _IO_str_fields [23250] nptl: Offset of __private_ss differs from GCC [23253] math: tgamma test suite failures on i686 with -march=x86-64 -mtune=generic -mfpmath=sse [23259] dynamic-link: Unsubstituted ${ORIGIN} remains in DT_NEEDED for AT_SECURE [23264] libc: posix_spawnp wrongly executes ENOEXEC in non compat mode [23266] nis: stringop-truncation warning with new gcc8.1 in nisplus- parser.c [23272] math: fma(INFINITY,INFIITY,0.0) should be INFINITY [23277] math: nan function should not have const attribute [23279] math: scanf and strtod wrong for some hex floating-point [23280] math: wscanf 
rounds wrong; wcstod is ok for negative numbers and directed rounding [23290] localedata: IBM273 is not equivalent to ISO-8859-1 [23303] build: undefined reference to symbol '__parse_hwcap_and_convert_at_platform@@GLIBC_2.23' [23307] dynamic-link: Absolute symbols whose value is zero ignored in lookup [23313] stdio: libio vtables validation and standard file object interposition [23329] libc: The __libc_freeres infrastructure is not properly run across DSO boundaries. [23349] libc: Various glibc headers no longer compatible with <linux/time.h> [23351] malloc: Remove unused code related to heap dumps and malloc checking [23363] stdio: stdio-common/tst-printf.c has non-free license [23396] regex: Regex equivalence regression in single-byte locales [23422] localedata: oc_FR: More updates of locale data [23442] build: New warning with GCC 8 [23448] libc: Out of bounds access in IBM-1390 converter [23456] libc: Wrong index_cpu_LZCNT [23458] build: tst-get-cpu-features-static isn't added to tests [23459] libc: COMMON_CPUID_INDEX_80000001 isn't populated for Intel processors [23467] dynamic-link: x86/CET: A property note parser bug Release Notes ============= https://sourceware.org/glibc/wiki/Release/2.28 Contributors ============ This release was made possible by the contributions of many people. The maintainers are grateful to everyone who has contributed changes or bug reports. These include: Adhemerval Zanella Agustina Arzille Alan Modra Alexandre Oliva Amit Pawar Andreas Schwab Andrew Senkevich Andrew Waterman Aurelien Jarno Carlos O'Donell Chung-Lin Tang DJ Delorie Daniel Alvarez David Michael Dmitry V. Levin Dragan Stanojevic - Nevidljivi Florian Weimer Flávio Cruz Francois Goichon Gabriel F. T. Gomes H.J. Lu Herman ten Brugge Hongbo Zhang Igor Gnatenko Jesse Hathaway John David Anglin Joseph Myers Leonardo Sandoval Maciej W. 
Rozycki Mark Wielaard Martin Sebor Michael Wolf Mike FABIAN Patrick McGehearty Patsy Franklin Paul Pluzhnikov Quentin PAGÈS Rafal Luzynski Rajalakshmi Srinivasaraghavan Raymond Nicholson Rical Jasan Richard Braun Robert Buj Rogerio Alves Samuel Thibault Sean McKean Siddhesh Poyarekar Stefan Liebler Steve Ellcey Sylvain Lesage Szabolcs Nagy Thomas Schwinge Tulio Magno Quites Machado Filho Valery Timiriliyev Vincent Chen Wilco Dijkstra Zack Weinberg Zong Li
Diffstat (limited to 'elf/dl-load.c')
-rw-r--r--elf/dl-load.c602
1 files changed, 296 insertions, 306 deletions
diff --git a/elf/dl-load.c b/elf/dl-load.c
index c0d6249373..c51e4b3718 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -1,5 +1,5 @@
/* Map in a shared object's segments from the file.
- Copyright (C) 1995-2016 Free Software Foundation, Inc.
+ Copyright (C) 1995-2018 Free Software Foundation, Inc.
This file is part of the GNU C Library.
The GNU C Library is free software; you can redistribute it and/or
@@ -30,13 +30,39 @@
#include <sys/param.h>
#include <sys/stat.h>
#include <sys/types.h>
+
+/* Type for the buffer we put the ELF header and hopefully the program
+ header. This buffer does not really have to be too large. In most
+ cases the program header follows the ELF header directly. If this
+ is not the case all bets are off and we can make the header
+ arbitrarily large and still won't get it read. This means the only
+ question is how large are the ELF and program header combined. The
+ ELF header 32-bit files is 52 bytes long and in 64-bit files is 64
+ bytes long. Each program header entry is again 32 and 56 bytes
+ long respectively. I.e., even with a file which has 10 program
+ header entries we only have to read 372B/624B respectively. Add to
+ this a bit of margin for program notes and reading 512B and 832B
+ for 32-bit and 64-bit files respecitvely is enough. If this
+ heuristic should really fail for some file the code in
+ `_dl_map_object_from_fd' knows how to recover. */
+struct filebuf
+{
+ ssize_t len;
+#if __WORDSIZE == 32
+# define FILEBUF_SIZE 512
+#else
+# define FILEBUF_SIZE 832
+#endif
+ char buf[FILEBUF_SIZE] __attribute__ ((aligned (__alignof (ElfW(Ehdr)))));
+};
+
#include "dynamic-link.h"
#include <abi-tag.h>
#include <stackinfo.h>
-#include <caller.h>
#include <sysdep.h>
#include <stap-probe.h>
-#include <libc-internal.h>
+#include <libc-pointer-arith.h>
+#include <array_length.h>
#include <dl-dst.h>
#include <dl-load.h>
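Review bot: The block comment relocated above `struct filebuf` still carries the typo `respecitvely` in the sentence about reading 512B and 832B; since the text is being moved anyway, correct it to `respectively`. The struct now sits between the system includes and `#include "dynamic-link.h"`, presumably because one of the project headers that follows needs the definition; that reason is not visible here, so a one-line comment would save the next reader a search, e.g. `/* Defined before the dl-*.h includes below, which refer to struct filebuf. */`. The `FILEBUF_SIZE` heuristic ("10 program header entries") is a read bound only, and the comment already points at `_dl_map_object_from_fd` for the recovery path when a file's headers exceed it, which is the right place for that note to stay.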
@@ -44,7 +70,8 @@
#include <dl-unmap-segments.h>
#include <dl-machine-reject-phdr.h>
#include <dl-sysdep-open.h>
-
+#include <dl-prop.h>
+#include <not-cancel.h>
#include <endian.h>
#if BYTE_ORDER == BIG_ENDIAN
@@ -69,31 +96,6 @@ int __stack_prot attribute_hidden attribute_relro
#endif
-/* Type for the buffer we put the ELF header and hopefully the program
- header. This buffer does not really have to be too large. In most
- cases the program header follows the ELF header directly. If this
- is not the case all bets are off and we can make the header
- arbitrarily large and still won't get it read. This means the only
- question is how large are the ELF and program header combined. The
- ELF header 32-bit files is 52 bytes long and in 64-bit files is 64
- bytes long. Each program header entry is again 32 and 56 bytes
- long respectively. I.e., even with a file which has 10 program
- header entries we only have to read 372B/624B respectively. Add to
- this a bit of margin for program notes and reading 512B and 832B
- for 32-bit and 64-bit files respecitvely is enough. If this
- heuristic should really fail for some file the code in
- `_dl_map_object_from_fd' knows how to recover. */
-struct filebuf
-{
- ssize_t len;
-#if __WORDSIZE == 32
-# define FILEBUF_SIZE 512
-#else
-# define FILEBUF_SIZE 832
-#endif
- char buf[FILEBUF_SIZE] __attribute__ ((aligned (__alignof (ElfW(Ehdr)))));
-};
-
/* This is the decomposed LD_LIBRARY_PATH search path. */
static struct r_search_path_struct env_path_list attribute_relro;
@@ -103,7 +105,9 @@ static size_t ncapstr attribute_relro;
static size_t max_capstrlen attribute_relro;
-/* Get the generated information about the trusted directories. */
+/* Get the generated information about the trusted directories. Use
+ an array of concatenated strings to avoid relocations. See
+ gen-trusted-dirs.awk. */
#include "trusted-dirs.h"
static const char system_dirs[] = SYSTEM_DIRS;
@@ -111,27 +115,7 @@ static const size_t system_dirs_len[] =
{
SYSTEM_DIRS_LEN
};
-#define nsystem_dirs_len \
- (sizeof (system_dirs_len) / sizeof (system_dirs_len[0]))
-
-
-static bool
-is_trusted_path (const char *path, size_t len)
-{
- const char *trun = system_dirs;
-
- for (size_t idx = 0; idx < nsystem_dirs_len; ++idx)
- {
- if (len == system_dirs_len[idx] && memcmp (trun, path, len) == 0)
- /* Found it. */
- return true;
-
- trun += system_dirs_len[idx] + 1;
- }
-
- return false;
-}
-
+#define nsystem_dirs_len array_length (system_dirs_len)
static bool
is_trusted_path_normalize (const char *path, size_t len)
@@ -139,12 +123,6 @@ is_trusted_path_normalize (const char *path, size_t len)
if (len == 0)
return false;
- if (*path == ':')
- {
- ++path;
- --len;
- }
-
char *npath = (char *) alloca (len + 2);
char *wnp = npath;
while (*path != '\0')
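Review bot: Dropping the leading-':' skip makes `is_trusted_path_normalize` depend on its caller never handing it a path element with a list separator still attached; the normalization loop below this hunk will otherwise treat the ':' as a literal path character and the trust check will fail closed. That contract is only implied by the new DST code, so state it in the function's header comment, e.g. `/* PATH is a single, already-split path element (no ':' list separators); callers split DT_RPATH/DT_RUNPATH lists before calling. */`. Failing closed is the safe direction for an AT_SECURE check, but it should be a documented invariant rather than an accident. `is_trusted_path_normalize` starts and ends outside this hunk.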
@@ -195,126 +173,167 @@ is_trusted_path_normalize (const char *path, size_t len)
return false;
}
+/* Given a substring starting at INPUT, just after the DST '$' start
+ token, determine if INPUT contains DST token REF, following the
+ ELF gABI rules for DSTs:
+
+ * Longest possible sequence using the rules (greedy).
+
+ * Must start with a $ (enforced by caller).
+
+ * Must follow $ with one underscore or ASCII [A-Za-z] (caller
+ follows these rules for REF) or '{' (start curly quoted name).
+
+ * Must follow first two characters with zero or more [A-Za-z0-9_]
+ (enforced by caller) or '}' (end curly quoted name).
+ If the sequence is a DST matching REF then the length of the DST
+ (excluding the $ sign but including curly braces, if any) is
+ returned, otherwise 0. */
static size_t
-is_dst (const char *start, const char *name, const char *str,
- int is_path, int secure)
+is_dst (const char *input, const char *ref)
{
- size_t len;
bool is_curly = false;
- if (name[0] == '{')
+ /* Is a ${...} input sequence? */
+ if (input[0] == '{')
{
is_curly = true;
- ++name;
+ ++input;
}
- len = 0;
- while (name[len] == str[len] && name[len] != '\0')
- ++len;
-
- if (is_curly)
- {
- if (name[len] != '}')
- return 0;
-
- /* Point again at the beginning of the name. */
- --name;
- /* Skip over closing curly brace and adjust for the --name. */
- len += 2;
- }
- else if (name[len] != '\0' && name[len] != '/'
- && (!is_path || name[len] != ':'))
+ /* Check for matching name, following closing curly brace (if
+ required), or trailing characters which are part of an
+ identifier. */
+ size_t rlen = strlen (ref);
+ if (strncmp (input, ref, rlen) != 0
+ || (is_curly && input[rlen] != '}')
+ || ((input[rlen] >= 'A' && input[rlen] <= 'Z')
+ || (input[rlen] >= 'a' && input[rlen] <= 'z')
+ || (input[rlen] >= '0' && input[rlen] <= '9')
+ || (input[rlen] == '_')))
return 0;
- if (__glibc_unlikely (secure)
- && ((name[len] != '\0' && name[len] != '/'
- && (!is_path || name[len] != ':'))
- || (name != start + 1 && (!is_path || name[-2] != ':'))))
- return 0;
-
- return len;
+ if (is_curly)
+ /* Count the two curly braces. */
+ return rlen + 2;
+ else
+ return rlen;
}
-
+/* INPUT should be the start of a path e.g DT_RPATH or name e.g.
+ DT_NEEDED. The return value is the number of known DSTs found. We
+ count all known DSTs regardless of __libc_enable_secure; the caller
+ is responsible for enforcing the security of the substitution rules
+ (usually _dl_dst_substitute). */
size_t
-_dl_dst_count (const char *name, int is_path)
+_dl_dst_count (const char *input)
{
- const char *const start = name;
size_t cnt = 0;
+ input = strchr (input, '$');
+
+ /* Most likely there is no DST. */
+ if (__glibc_likely (input == NULL))
+ return 0;
+
do
{
size_t len;
- /* $ORIGIN is not expanded for SUID/GUID programs (except if it
- is $ORIGIN alone) and it must always appear first in path. */
- ++name;
- if ((len = is_dst (start, name, "ORIGIN", is_path,
- __libc_enable_secure)) != 0
- || (len = is_dst (start, name, "PLATFORM", is_path, 0)) != 0
- || (len = is_dst (start, name, "LIB", is_path, 0)) != 0)
+ ++input;
+ /* All DSTs must follow ELF gABI rules, see is_dst (). */
+ if ((len = is_dst (input, "ORIGIN")) != 0
+ || (len = is_dst (input, "PLATFORM")) != 0
+ || (len = is_dst (input, "LIB")) != 0)
++cnt;
- name = strchr (name + len, '$');
+ /* There may be more than one DST in the input. */
+ input = strchr (input + len, '$');
}
- while (name != NULL);
+ while (input != NULL);
return cnt;
}
-
+/* Process INPUT for DSTs and store in RESULT using the information
+ from link map L to resolve the DSTs. This function only handles one
+ path at a time and does not handle colon-separated path lists (see
+ fillin_rpath ()). Lastly the size of result in bytes should be at
+ least equal to the value returned by DL_DST_REQUIRED. Note that it
+ is possible for a DT_NEEDED, DT_AUXILIARY, and DT_FILTER entries to
+ have colons, but we treat those as literal colons here, not as path
+ list delimeters. */
char *
-_dl_dst_substitute (struct link_map *l, const char *name, char *result,
- int is_path)
+_dl_dst_substitute (struct link_map *l, const char *input, char *result)
{
- const char *const start = name;
-
- /* Now fill the result path. While copying over the string we keep
- track of the start of the last path element. When we come across
- a DST we copy over the value or (if the value is not available)
- leave the entire path element out. */
+ /* Copy character-by-character from input into the working pointer
+ looking for any DSTs. We track the start of input and if we are
+ going to check for trusted paths, all of which are part of $ORIGIN
+ handling in SUID/SGID cases (see below). In some cases, like when
+ a DST cannot be replaced, we may set result to an empty string and
+ return. */
char *wp = result;
- char *last_elem = result;
+ const char *start = input;
bool check_for_trusted = false;
do
{
- if (__glibc_unlikely (*name == '$'))
+ if (__glibc_unlikely (*input == '$'))
{
const char *repl = NULL;
size_t len;
- ++name;
- if ((len = is_dst (start, name, "ORIGIN", is_path,
- __libc_enable_secure)) != 0)
+ ++input;
+ if ((len = is_dst (input, "ORIGIN")) != 0)
{
- repl = l->l_origin;
+ /* For SUID/GUID programs we normally ignore the path with
+ $ORIGIN in DT_RUNPATH, or DT_RPATH. However, there is
+ one exception to this rule, and it is:
+
+ * $ORIGIN appears as the first path element, and is
+ the only string in the path or is immediately
+ followed by a path separator and the rest of the
+ path,
+
+ and ...
+
+ * The path is rooted in a trusted directory.
+
+ This exception allows such programs to reference
+ shared libraries in subdirectories of trusted
+ directories. The use case is one of general
+ organization and deployment flexibility.
+ Trusted directories are usually such paths as "/lib64"
+ or "/usr/lib64", and the usual RPATHs take the form of
+ [$ORIGIN/../$LIB/somedir]. */
+ if (__glibc_unlikely (__libc_enable_secure)
+ && !(input == start + 1
+ && (input[len] == '\0' || input[len] == '/')))
+ repl = (const char *) -1;
+ else
+ repl = l->l_origin;
+
check_for_trusted = (__libc_enable_secure
&& l->l_type == lt_executable);
}
- else if ((len = is_dst (start, name, "PLATFORM", is_path, 0)) != 0)
+ else if ((len = is_dst (input, "PLATFORM")) != 0)
repl = GLRO(dl_platform);
- else if ((len = is_dst (start, name, "LIB", is_path, 0)) != 0)
+ else if ((len = is_dst (input, "LIB")) != 0)
repl = DL_DST_LIB;
if (repl != NULL && repl != (const char *) -1)
{
wp = __stpcpy (wp, repl);
- name += len;
+ input += len;
}
- else if (len > 1)
+ else if (len != 0)
{
- /* We cannot use this path element, the value of the
- replacement is unknown. */
- wp = last_elem;
- name += len;
- while (*name != '\0' && (!is_path || *name != ':'))
- ++name;
- /* Also skip following colon if this is the first rpath
- element, but keep an empty element at the end. */
- if (wp == result && is_path && *name == ':' && name[1] != '\0')
- ++name;
+ /* We found a valid DST that we know about, but we could
+ not find a replacement value for it, therefore we
+ cannot use this path and discard it. */
+ *result = '\0';
+ return result;
}
else
/* No DST we recognize. */
@@ -322,29 +341,26 @@ _dl_dst_substitute (struct link_map *l, const char *name, char *result,
}
else
{
- *wp++ = *name++;
- if (is_path && *name == ':')
- {
- /* In SUID/SGID programs, after $ORIGIN expansion the
- normalized path must be rooted in one of the trusted
- directories. */
- if (__glibc_unlikely (check_for_trusted)
- && !is_trusted_path_normalize (last_elem, wp - last_elem))
- wp = last_elem;
- else
- last_elem = wp;
-
- check_for_trusted = false;
- }
+ *wp++ = *input++;
}
}
- while (*name != '\0');
+ while (*input != '\0');
/* In SUID/SGID programs, after $ORIGIN expansion the normalized
- path must be rooted in one of the trusted directories. */
+ path must be rooted in one of the trusted directories. The $LIB
+ and $PLATFORM DST cannot in any way be manipulated by the caller
+ because they are fixed values that are set by the dynamic loader
+ and therefore any paths using just $LIB or $PLATFORM need not be
+ checked for trust, the authors of the binaries themselves are
+ trusted to have designed this correctly. Only $ORIGIN is tested in
+ this way because it may be manipulated in some ways with hard
+ links. */
if (__glibc_unlikely (check_for_trusted)
- && !is_trusted_path_normalize (last_elem, wp - last_elem))
- wp = last_elem;
+ && !is_trusted_path_normalize (result, wp - result))
+ {
+ *result = '\0';
+ return result;
+ }
*wp = '\0';
@@ -352,13 +368,13 @@ _dl_dst_substitute (struct link_map *l, const char *name, char *result,
}
-/* Return copy of argument with all recognized dynamic string tokens
- ($ORIGIN and $PLATFORM for now) replaced. On some platforms it
- might not be possible to determine the path from which the object
- belonging to the map is loaded. In this case the path element
- containing $ORIGIN is left out. */
+/* Return a malloc allocated copy of INPUT with all recognized DSTs
+ replaced. On some platforms it might not be possible to determine the
+ path from which the object belonging to the map is loaded. In this
+ case the path containing the DST is left out. On error NULL
+ is returned. */
static char *
-expand_dynamic_string_token (struct link_map *l, const char *s, int is_path)
+expand_dynamic_string_token (struct link_map *l, const char *input)
{
/* We make two runs over the string. First we determine how large the
resulting string is and then we copy it over. Since this is no
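Review bot: The header comment's "the path containing the DST is left out" does not say what the caller actually receives in that case; from the `*result = '\0'; return result;` exits of _dl_dst_substitute in the preceding hunks it is an empty string (which fillin_rpath later detects via `len == 0`), while NULL is reserved for allocation failure. Suggest stating that explicitly, e.g. `In this case an empty string is returned; NULL is returned only when memory allocation fails.`. The function body continues past the hunk.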
@@ -368,22 +384,22 @@ expand_dynamic_string_token (struct link_map *l, const char *s, int is_path)
size_t total;
char *result;
- /* Determine the number of DST elements. */
- cnt = DL_DST_COUNT (s, is_path);
+ /* Determine the number of DSTs. */
+ cnt = _dl_dst_count (input);
/* If we do not have to replace anything simply copy the string. */
if (__glibc_likely (cnt == 0))
- return __strdup (s);
+ return __strdup (input);
/* Determine the length of the substituted string. */
- total = DL_DST_REQUIRED (l, s, strlen (s), cnt);
+ total = DL_DST_REQUIRED (l, input, strlen (input), cnt);
/* Allocate the necessary memory. */
result = (char *) malloc (total + 1);
if (result == NULL)
return NULL;
- return _dl_dst_substitute (l, s, result, is_path);
+ return _dl_dst_substitute (l, input, result);
}
@@ -392,7 +408,6 @@ expand_dynamic_string_token (struct link_map *l, const char *s, int is_path)
be freed if the shared object already has this name.
Returns false if the object already had this name. */
static void
-internal_function
add_name_to_object (struct link_map *l, const char *name)
{
struct libname_list *lnp, *lastp;
@@ -428,42 +443,43 @@ static size_t max_dirnamelen;
static struct r_search_path_elem **
fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
- int check_trusted, const char *what, const char *where,
- struct link_map *l)
+ const char *what, const char *where, struct link_map *l)
{
char *cp;
size_t nelems = 0;
- char *to_free;
while ((cp = __strsep (&rpath, sep)) != NULL)
{
struct r_search_path_elem *dirp;
+ char *to_free = NULL;
+ size_t len = 0;
- to_free = cp = expand_dynamic_string_token (l, cp, 1);
-
- size_t len = strlen (cp);
-
- /* `strsep' can pass an empty string. This has to be
- interpreted as `use the current directory'. */
- if (len == 0)
+ /* `strsep' can pass an empty string. */
+ if (*cp != '\0')
{
- static const char curwd[] = "./";
- cp = (char *) curwd;
- }
+ to_free = cp = expand_dynamic_string_token (l, cp);
- /* Remove trailing slashes (except for "/"). */
- while (len > 1 && cp[len - 1] == '/')
- --len;
+ /* expand_dynamic_string_token can return NULL in case of empty
+ path or memory allocation failure. */
+ if (cp == NULL)
+ continue;
- /* Now add one if there is none so far. */
- if (len > 0 && cp[len - 1] != '/')
- cp[len++] = '/';
+ /* Compute the length after dynamic string token expansion and
+ ignore empty paths. */
+ len = strlen (cp);
+ if (len == 0)
+ {
+ free (to_free);
+ continue;
+ }
- /* Make sure we don't use untrusted directories if we run SUID. */
- if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len))
- {
- free (to_free);
- continue;
+ /* Remove trailing slashes (except for "/"). */
+ while (len > 1 && cp[len - 1] == '/')
+ --len;
+
+ /* Now add one if there is none so far. */
+ if (len > 0 && cp[len - 1] != '/')
+ cp[len++] = '/';
}
/* See if this directory is already known. */
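Review bot: The comment above `if (cp == NULL) continue;` is inaccurate: expand_dynamic_string_token is only reached when `*cp != '\0'` (the test two lines earlier), and per its header comment in the `@@ -352,13 +368,13 @@` hunk it returns NULL only on error, so the empty-path clause should go, e.g. `/* expand_dynamic_string_token returns NULL only on allocation failure. */`. Silently skipping the element on that failure also differs from decompose_rpath, which signals ENOMEM for its own allocations (`_dl_signal_error (ENOMEM, NULL, NULL, errstring);` in the `@@ -615,12 +628,20 @@` hunk); dropping a search directory under memory pressure changes lookup results instead of failing the load, so consider propagating the error. Separately, with the check_trusted parameter removed here and the `__libc_enable_secure` argument dropped in the `@@ -817,8 +813,7 @@` hunk, LD_LIBRARY_PATH directories are no longer filtered through is_trusted_path at this level; that is only safe if secure-mode processes never reach fillin_rpath with LD_LIBRARY_PATH contents, which this diff does not show, so a one-line comment at that call site stating the reliance would help. fillin_rpath's body continues outside the hunk.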
@@ -536,13 +552,11 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
static bool
-internal_function
decompose_rpath (struct r_search_path_struct *sps,
const char *rpath, struct link_map *l, const char *what)
{
/* Make a copy we can work with. */
const char *where = l->l_name;
- char *copy;
char *cp;
struct r_search_path_elem **result;
size_t nelems;
@@ -581,22 +595,21 @@ decompose_rpath (struct r_search_path_struct *sps,
while (*inhp != '\0');
}
+ /* Ignore empty rpaths. */
+ if (*rpath == '\0')
+ {
+ sps->dirs = (struct r_search_path_elem **) -1;
+ return false;
+ }
+
/* Make a writable copy. */
- copy = __strdup (rpath);
+ char *copy = __strdup (rpath);
if (copy == NULL)
{
errstring = N_("cannot create RUNPATH/RPATH copy");
goto signal_error;
}
- /* Ignore empty rpaths. */
- if (*copy == 0)
- {
- free (copy);
- sps->dirs = (struct r_search_path_elem **) -1;
- return false;
- }
-
/* Count the number of necessary elements in the result array. */
nelems = 0;
for (cp = copy; *cp != '\0'; ++cp)
@@ -615,12 +628,20 @@ decompose_rpath (struct r_search_path_struct *sps,
_dl_signal_error (ENOMEM, NULL, NULL, errstring);
}
- fillin_rpath (copy, result, ":", 0, what, where, l);
+ fillin_rpath (copy, result, ":", what, where, l);
/* Free the copied RPATH string. `fillin_rpath' make own copies if
necessary. */
free (copy);
+ /* There is no path after expansion. */
+ if (result[0] == NULL)
+ {
+ free (result);
+ sps->dirs = (struct r_search_path_elem **) -1;
+ return false;
+ }
+
sps->dirs = result;
/* The caller will change this value if we haven't used a real malloc. */
sps->malloced = 1;
@@ -656,7 +677,6 @@ cache_rpath (struct link_map *l,
void
-internal_function
_dl_init_paths (const char *llp)
{
size_t idx;
@@ -688,9 +708,8 @@ _dl_init_paths (const char *llp)
+ ncapstr * sizeof (enum r_dir_status))
/ sizeof (struct r_search_path_elem));
- rtld_search_dirs.dirs[0] = (struct r_search_path_elem *)
- malloc ((sizeof (system_dirs) / sizeof (system_dirs[0]))
- * round_size * sizeof (struct r_search_path_elem));
+ rtld_search_dirs.dirs[0] = malloc (nsystem_dirs_len * round_size
+ * sizeof (*rtld_search_dirs.dirs[0]));
if (rtld_search_dirs.dirs[0] == NULL)
{
errstring = N_("cannot create cache for search path");
@@ -776,37 +795,14 @@ _dl_init_paths (const char *llp)
if (llp != NULL && *llp != '\0')
{
- size_t nllp;
- const char *cp = llp;
- char *llp_tmp;
-
-#ifdef SHARED
- /* Expand DSTs. */
- size_t cnt = DL_DST_COUNT (llp, 1);
- if (__glibc_likely (cnt == 0))
- llp_tmp = strdupa (llp);
- else
- {
- /* Determine the length of the substituted string. */
- size_t total = DL_DST_REQUIRED (l, llp, strlen (llp), cnt);
-
- /* Allocate the necessary memory. */
- llp_tmp = (char *) alloca (total + 1);
- llp_tmp = _dl_dst_substitute (l, llp, llp_tmp, 1);
- }
-#else
- llp_tmp = strdupa (llp);
-#endif
+ char *llp_tmp = strdupa (llp);
/* Decompose the LD_LIBRARY_PATH contents. First determine how many
elements it has. */
- nllp = 1;
- while (*cp)
- {
- if (*cp == ':' || *cp == ';')
- ++nllp;
- ++cp;
- }
+ size_t nllp = 1;
+ for (const char *cp = llp_tmp; *cp != '\0'; ++cp)
+ if (*cp == ':' || *cp == ';')
+ ++nllp;
env_path_list.dirs = (struct r_search_path_elem **)
malloc ((nllp + 1) * sizeof (struct r_search_path_elem *));
@@ -817,8 +813,7 @@ _dl_init_paths (const char *llp)
}
(void) fillin_rpath (llp_tmp, env_path_list.dirs, ":;",
- __libc_enable_secure, "LD_LIBRARY_PATH",
- NULL, l);
+ "LD_LIBRARY_PATH", NULL, l);
if (env_path_list.dirs[0] == NULL)
{
@@ -840,7 +835,7 @@ lose (int code, int fd, const char *name, char *realname, struct link_map *l,
{
/* The file might already be closed. */
if (fd != -1)
- (void) __close (fd);
+ (void) __close_nocancel (fd);
if (l != NULL && l->l_origin != (char *) -1l)
free ((char *) l->l_origin);
free (l);
@@ -899,7 +894,7 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
{
/* The object is already loaded.
Just bump its reference count and return it. */
- __close (fd);
+ __close_nocancel (fd);
/* If the name is not in the list of names for this object add
it. */
@@ -927,7 +922,7 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
/* No need to bump the refcount of the real object, ld.so will
never be unloaded. */
- __close (fd);
+ __close_nocancel (fd);
/* Add the map for the mirrored object to the object list. */
_dl_add_to_namespace_list (l, nsid);
@@ -941,7 +936,7 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
/* We are not supposed to load the object unless it is already
loaded. So return now. */
free (realname);
- __close (fd);
+ __close_nocancel (fd);
return NULL;
}
@@ -960,7 +955,7 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
if (_dl_zerofd == -1)
{
free (realname);
- __close (fd);
+ __close_nocancel (fd);
_dl_signal_error (errno, NULL, NULL,
N_("cannot open zero fill device"));
}
@@ -1026,7 +1021,7 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
{
phdr = alloca (maplength);
__lseek (fd, header->e_phoff, SEEK_SET);
- if ((size_t) __libc_read (fd, (void *) phdr, maplength) != maplength)
+ if ((size_t) __read_nocancel (fd, (void *) phdr, maplength) != maplength)
{
errstring = N_("cannot read file data");
goto call_lose_errno;
@@ -1055,8 +1050,14 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
segments are mapped in. We record the addresses it says
verbatim, and later correct for the run-time load address. */
case PT_DYNAMIC:
- l->l_ld = (void *) ph->p_vaddr;
- l->l_ldnum = ph->p_memsz / sizeof (ElfW(Dyn));
+ if (ph->p_filesz)
+ {
+ /* Debuginfo only files from "objcopy --only-keep-debug"
+ contain a PT_DYNAMIC segment with p_filesz == 0. Skip
+ such a segment to avoid a crash later. */
+ l->l_ld = (void *) ph->p_vaddr;
+ l->l_ldnum = ph->p_memsz / sizeof (ElfW(Dyn));
+ }
break;
case PT_PHDR:
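Review bot: The new guard `if (ph->p_filesz)` keys on p_filesz, while the count stored two lines below in l_ldnum still derives from p_memsz, and for a skipped segment l_ld and l_ldnum simply keep their earlier values; the comment says "to avoid a crash later" without saying which dereference is meant or that the object is now handled as one without a dynamic section by code outside this hunk — confirm that path exists. Suggested wording: `/* Debuginfo-only files from "objcopy --only-keep-debug" contain a PT_DYNAMIC segment with p_filesz == 0. Leave l_ld unset so the object is treated as having no dynamic section rather than dereferencing a segment with no file contents later. */`.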
@@ -1135,54 +1136,14 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
}
#ifdef SHARED
- if (l->l_prev == NULL || (mode & __RTLD_AUDIT) != 0)
- /* We are loading the executable itself when the dynamic linker
- was executed directly. The setup will happen later. */
- break;
-
-# ifdef _LIBC_REENTRANT
- /* In a static binary there is no way to tell if we dynamically
- loaded libpthread. */
- if (GL(dl_error_catch_tsd) == &_dl_initial_error_catch_tsd)
-# endif
+ /* We are loading the executable itself when the dynamic
+ linker was executed directly. The setup will happen
+ later. Otherwise, the TLS data structures are already
+ initialized, and we assigned a TLS modid above. */
+ assert (l->l_prev == NULL || (mode & __RTLD_AUDIT) != 0);
+#else
+ assert (false && "TLS not initialized in static application");
#endif
- {
- /* We have not yet loaded libpthread.
- We can do the TLS setup right now! */
-
- void *tcb;
-
- /* The first call allocates TLS bookkeeping data structures.
- Then we allocate the TCB for the initial thread. */
- if (__glibc_unlikely (_dl_tls_setup ())
- || __glibc_unlikely ((tcb = _dl_allocate_tls (NULL)) == NULL))
- {
- errval = ENOMEM;
- errstring = N_("\
-cannot allocate TLS data structures for initial thread");
- goto call_lose;
- }
-
- /* Now we install the TCB in the thread register. */
- errstring = TLS_INIT_TP (tcb);
- if (__glibc_likely (errstring == NULL))
- {
- /* Now we are all good. */
- l->l_tls_modid = ++GL(dl_tls_max_dtv_idx);
- break;
- }
-
- /* The kernel is too old or somesuch. */
- errval = 0;
- _dl_deallocate_tls (tcb, 1);
- goto call_lose;
- }
-
- /* Uh-oh, the binary expects TLS support but we cannot
- provide it. */
- errval = 0;
- errstring = N_("cannot handle TLS data");
- goto call_lose;
break;
case PT_GNU_STACK:
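Review bot: The two `assert` calls that replace the former `errstring`/`goto call_lose` path turn a reported load failure into a process abort, and if this translation unit were ever compiled with NDEBUG both would disappear and execution would fall through to the `break;` with no handling at all. If the invariant (TLS data structures initialised before any PT_TLS object other than the main executable is mapped) is guaranteed by startup ordering, a comment naming where that guarantee is established would help the next reader; otherwise keep an explicit error path next to the assert. The enclosing switch continues outside the hunk.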
@@ -1193,6 +1154,14 @@ cannot allocate TLS data structures for initial thread");
l->l_relro_addr = ph->p_vaddr;
l->l_relro_size = ph->p_memsz;
break;
+
+ case PT_NOTE:
+ if (_dl_process_pt_note (l, ph, fd, fbp))
+ {
+ errstring = N_("cannot process note segment");
+ goto call_lose;
+ }
+ break;
}
if (__glibc_unlikely (nloadcmds == 0))
@@ -1280,12 +1249,6 @@ cannot allocate TLS data structures for initial thread");
if (__glibc_unlikely ((stack_flags &~ GL(dl_stack_flags)) & PF_X))
{
- if (__glibc_unlikely (__check_caller (RETURN_ADDRESS (0), allow_ldso) != 0))
- {
- errstring = N_("invalid caller");
- goto call_lose;
- }
-
/* The stack is presently not executable, but this module
requires that it be executable. We must change the
protection of the variable which contains the flags used in
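Review bot: With the `__check_caller` test removed, the `PF_X` comparison on the line above is the only condition left before the stack-protection change that follows (outside the hunk), and nothing in the diff records why the caller check was dropped. If the rationale is that a return-address comparison is not a meaningful trust boundary and the PF_X/dl_stack_flags test is the real policy, a one-line comment here saying so, e.g. `/* No caller check: the return address is not a trust boundary; the PF_X test above is the policy.  */`, would keep the next reader from re-adding it.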
@@ -1336,7 +1299,7 @@ cannot enable executable stack as shared object requires");
l->l_tls_initimage = (char *) l->l_tls_initimage + l->l_addr;
/* We are done mapping in the file. We no longer need the descriptor. */
- if (__glibc_unlikely (__close (fd) != 0))
+ if (__glibc_unlikely (__close_nocancel (fd) != 0))
{
errstring = N_("cannot close file descriptor");
goto call_lose_errno;
@@ -1551,7 +1514,7 @@ open_verify (const char *name, int fd,
{
/* An audit library changed what we're supposed to open,
so FD no longer matches it. */
- __close (fd);
+ __close_nocancel (fd);
fd = -1;
}
}
@@ -1559,13 +1522,14 @@ open_verify (const char *name, int fd,
if (fd == -1)
/* Open the file. We always open files read-only. */
- fd = __open (name, O_RDONLY | O_CLOEXEC);
+ fd = __open64_nocancel (name, O_RDONLY | O_CLOEXEC);
if (fd != -1)
{
ElfW(Ehdr) *ehdr;
ElfW(Phdr) *phdr, *ph;
ElfW(Word) *abi_note;
+ ElfW(Word) *abi_note_malloced = NULL;
unsigned int osversion;
size_t maplength;
@@ -1577,8 +1541,8 @@ open_verify (const char *name, int fd,
/* Read in the header. */
do
{
- ssize_t retlen = __libc_read (fd, fbp->buf + fbp->len,
- sizeof (fbp->buf) - fbp->len);
+ ssize_t retlen = __read_nocancel (fd, fbp->buf + fbp->len,
+ sizeof (fbp->buf) - fbp->len);
if (retlen <= 0)
break;
fbp->len += retlen;
@@ -1701,7 +1665,8 @@ open_verify (const char *name, int fd,
{
phdr = alloca (maplength);
__lseek (fd, ehdr->e_phoff, SEEK_SET);
- if ((size_t) __libc_read (fd, (void *) phdr, maplength) != maplength)
+ if ((size_t) __read_nocancel (fd, (void *) phdr, maplength)
+ != maplength)
{
read_error:
errval = errno;
@@ -1720,23 +1685,49 @@ open_verify (const char *name, int fd,
if (ph->p_type == PT_NOTE && ph->p_filesz >= 32 && ph->p_align >= 4)
{
ElfW(Addr) size = ph->p_filesz;
+ /* NB: Some PT_NOTE segment may have alignment value of 0
+ or 1. gABI specifies that PT_NOTE segments should be
+ aligned to 4 bytes in 32-bit objects and to 8 bytes in
+ 64-bit objects. As a Linux extension, we also support
+ 4 byte alignment in 64-bit objects. If p_align is less
+ than 4, we treate alignment as 4 bytes since some note
+ segments have 0 or 1 byte alignment. */
+ ElfW(Addr) align = ph->p_align;
+ if (align < 4)
+ align = 4;
+ else if (align != 4 && align != 8)
+ continue;
if (ph->p_offset + size <= (size_t) fbp->len)
abi_note = (void *) (fbp->buf + ph->p_offset);
else
{
- abi_note = alloca (size);
+ /* Note: __libc_use_alloca is not usable here, because
+ thread info may not have been set up yet. */
+ if (size < __MAX_ALLOCA_CUTOFF)
+ abi_note = alloca (size);
+ else
+ {
+ /* There could be multiple PT_NOTEs. */
+ abi_note_malloced = realloc (abi_note_malloced, size);
+ if (abi_note_malloced == NULL)
+ goto read_error;
+
+ abi_note = abi_note_malloced;
+ }
__lseek (fd, ph->p_offset, SEEK_SET);
- if (__libc_read (fd, (void *) abi_note, size) != size)
- goto read_error;
+ if (__read_nocancel (fd, (void *) abi_note, size) != size)
+ {
+ free (abi_note_malloced);
+ goto read_error;
+ }
}
while (memcmp (abi_note, &expected_note, sizeof (expected_note)))
{
-#define ROUND(len) (((len) + sizeof (ElfW(Word)) - 1) & -sizeof (ElfW(Word)))
- ElfW(Addr) note_size = 3 * sizeof (ElfW(Word))
- + ROUND (abi_note[0])
- + ROUND (abi_note[1]);
+ ElfW(Addr) note_size
+ = ELF_NOTE_NEXT_OFFSET (abi_note[0], abi_note[1],
+ align);
if (size - 32 < note_size)
{
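Review bot: `abi_note_malloced = realloc (abi_note_malloced, size);` overwrites the only pointer to the previous buffer, so when realloc fails the `goto read_error` on the next line leaks the earlier allocation (read_error does not free it; the read-failure path just below does free before jumping). Keep the result in a temporary and release the old buffer on failure, as in the fence below. The `if (align < 4)` branch is unreachable: the enclosing condition on the `if (ph->p_type == PT_NOTE && ph->p_filesz >= 32 && ph->p_align >= 4)` line already rejects p_align below 4, so either that outer test should drop `ph->p_align >= 4` (as the new comment about 0/1-byte alignment intends) or the dead branch and the sentence describing it should go; the comment also misspells "treat" as "treate". The error exit taken when `size - 32 < note_size` holds lies just past the hunk; if it jumps to call_lose, abi_note_malloced would leak there as well — worth confirming.
```c
                      /* There could be multiple PT_NOTEs.  */
                      void *grown = realloc (abi_note_malloced, size);
                      if (grown == NULL)
                        {
                          free (abi_note_malloced);
                          goto read_error;
                        }
                      abi_note_malloced = grown;
                      abi_note = abi_note_malloced;
```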
@@ -1757,13 +1748,14 @@ open_verify (const char *name, int fd,
|| (GLRO(dl_osversion) && GLRO(dl_osversion) < osversion))
{
close_and_out:
- __close (fd);
+ __close_nocancel (fd);
__set_errno (ENOENT);
fd = -1;
}
break;
}
+ free (abi_note_malloced);
}
return fd;
@@ -1873,7 +1865,7 @@ open_path (const char *name, size_t namelen, int mode,
/* The shared object cannot be tested for being SUID
or this bit is not set. In this case we must not
use this object. */
- __close (fd);
+ __close_nocancel (fd);
fd = -1;
/* We simply ignore the file, signal this by setting
the error value which would have been set by `open'. */
@@ -1894,7 +1886,7 @@ open_path (const char *name, size_t namelen, int mode,
{
/* No memory for the name, we certainly won't be able
to load and link it. */
- __close (fd);
+ __close_nocancel (fd);
return -1;
}
}
@@ -1927,7 +1919,6 @@ open_path (const char *name, size_t namelen, int mode,
/* Map in the shared object file NAME. */
struct link_map *
-internal_function
_dl_map_object (struct link_map *loader, const char *name,
int type, int trace_mode, int mode, Lmid_t nsid)
{
@@ -2168,7 +2159,7 @@ _dl_map_object (struct link_map *loader, const char *name,
{
/* The path may contain dynamic string tokens. */
realname = (loader
- ? expand_dynamic_string_token (loader, name, 0)
+ ? expand_dynamic_string_token (loader, name)
: __strdup (name));
if (realname == NULL)
fd = -1;
@@ -2281,7 +2272,6 @@ add_path (struct add_path_state *p, const struct r_search_path_struct *sps,
}
void
-internal_function
_dl_rtld_di_serinfo (struct link_map *loader, Dl_serinfo *si, bool counting)
{
if (counting)