#
1.96 |
|
05-Apr-2024 |
deraadt |
ld.so should stop calling msyscall(2), since it is fully neutered and about to be removed. Please be careful building through this, you need a kernel at least March 29th or so to build through it, otherwise use snapshots to cross over. ok various people
|
Revision tags: OPENBSD_7_5_BASE
|
#
1.95 |
|
17-Jan-2024 |
deraadt |
very ugly whitespaces
|
#
1.94 |
|
16-Jan-2024 |
deraadt |
Read PT_OPENBSD_SYSCALLS in libc.so, and convert it to a table for pinsyscalls(2). ok kettenis
|
#
1.93 |
|
19-Dec-2023 |
deraadt |
whitespaces
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.92 |
|
15-Aug-2023 |
guenther |
Skip the _dl_msyscall() invocation if tracing library loading.
Problem noted by gnezdo@ ok millert@
|
#
1.91 |
|
12-Jul-2023 |
jasper |
validate alignment of ELF program headers
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.90 |
|
29-Jan-2023 |
gnezdo |
Accumulate intermediate imutables locally before applying
OK deraadt
|
#
1.89 |
|
04-Dec-2022 |
deraadt |
The next step for mimmutable(). ld.so figures out what regions of memory of startup shared library mappings can be made immutable, and also does this for dlope() RTLD_NODELETE and subsidiary libraries. Complexity in this diff is due to the GNU_RELRO and OPENBSD_MUTABLE sections. Tested in snaps for about 3 weeks, with some bootstrap related pain felt in ports ok kettenis, much help from others.
|
#
1.88 |
|
07-Nov-2022 |
deraadt |
dtors were broken by trying to reuse DF_1_NODELETE to hint that this library would never unload, and could be immutable. Pass a seperate flag for our purposes Noticed from regress tests by anton, ok kettenis
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.87 |
|
20-Aug-2022 |
sthen |
Support RTLD_NOLOAD in ld.so. From guenther@. OK jca@ guenther@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.86 |
|
08-Jan-2022 |
guenther |
Prep .c files for removing the #includes from */archdep.h * replace #include "archdep.h" with #includes of what is used, pulling in "syscall.h", "util.h", and "archdep.h" as needed * delete #include <sys/syscall.h> from syscall.h * only pull in <sys/stat.h> to the three files that use _dl_fstat(), forward declare struct stat in syscall.h for the others * NBBY is for <sys/select.h> macros; just use '8' in dl_printf.c * <machine/vmparam.h> is only needed on i386; conditionalize it * stop using __LDPGSZ: use _MAX_PAGE_SHIFT (already used by malloc.c) where necessary * delete other bogus #includes, order legit per style: <sys/*> then <*/*>, then <*>, then "*"
dir.c improvement from jsg@ ok and testing assistance deraadt@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.85 |
|
09-Dec-2019 |
deraadt |
print addresses upon msyscall failure, for now
|
#
1.84 |
|
29-Nov-2019 |
deraadt |
Repurpose the "syscalls must be on a writeable page" mechanism to enforce a new policy: system calls must be in pre-registered regions. We have discussed more strict checks than this, but none satisfy the cost/benefit based upon our understanding of attack methods, anyways let's see what the next iteration looks like.
This is intended to harden (translation: attackers must put extra effort into attacking) against a mixture of W^X failures and JIT bugs which allow syscall misinterpretation, especially in environments with polymorphic-instruction/variable-sized instructions. It fits in a bit with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash behaviour, particularily for remote problems. Less effective once on-host since someone the libraries can be read.
For static-executables the kernel registers the main program's PIE-mapped exec section valid, as well as the randomly-placed sigtramp page. For dynamic executables ELF ld.so's exec segment is also labelled valid; ld.so then has enough information to register libc's exec section as valid via call-once msyscall(2)
For dynamic binaries, we continue to to permit the main program exec segment because "go" (and potentially a few other applications) have embedded system calls in the main program. Hopefully at least go gets fixed soon.
We declare the concept of embedded syscalls a bad idea for numerous reasons, as we notice the ecosystem has many of static-syscall-in-base-binary which are dynamically linked against libraries which in turn use libc, which contains another set of syscall stubs. We've been concerned about adding even one additional syscall entry point... but go's approach tends to double the entry-point attack surface.
This was started at a nano-hackathon in Bob Beck's basement 2 weeks ago during a long discussion with mortimer trying to hide from the SSL scream-conversations, and finished in more comfortable circumstances next to a wood-stove at Elk Lakes cabin with UVM scream-conversations.
ok guenther kettenis mortimer, lots of feedback from others conversations about go with jsing tb sthen
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.83 |
|
04-Oct-2019 |
guenther |
Convert the child_list member from a linked list to a vector.
ok mpi@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.82 |
|
08-Dec-2017 |
deraadt |
Everyone knows this as ld.so, nor by the ancient name rtld. ok guenther
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.81 |
|
08-Feb-2017 |
guenther |
Provide size-generic ELF_NO_ADDR in <sys/exec_elf.h> and use that instead of ELFDEFNNAME(NO_ADDR)
ok jca@
|
#
1.80 |
|
24-Jan-2017 |
guenther |
On fatal errors, kill ourselves with thrkill(0,9,NULL) instead of simply exiting, via helper functions _dl_die(), _dl_diedie(), and _dl_oom().
prompted by a complaint from jsing@ ok jsing@ deraadt@
|
#
1.79 |
|
12-Aug-2016 |
deraadt |
the slimmed down random functions inside ld.so are strict clones of the libc arc4random API, so call them _dl_{arc4random,arcrandombuf} ok tedu guenther
|
#
1.78 |
|
08-Aug-2016 |
guenther |
Look for a PT_GNU_RELRO section per object and, if present, mprotect that range instead of the [__got_start, __got_end) range. On many archs this will cover _DYNAMIC too, so move up the DT_DEBUG handling to before relocations and the mprotect are done.
ok kettenis@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.77 |
|
04-Jul-2016 |
guenther |
Remove prebind support: binding to symbol table indices is too fragile for our development process.
ok kettenis@ deraadt@
|
#
1.76 |
|
08-Jun-2016 |
kettenis |
Some ELF ABIs still require a PLT that is both writable and executable. To avoid W^X violations, initially map such segments as writable and non-executable, and change the mapping to non-writable and executable after initial relocation processing. As a side-benefit this means we no longer depend on the __plt_start and __plt_end to make the PLT read-only after relocation processing.
This will break binaries linked with ld -Z, most notably emacs, on some of our architectures.
ok deraadt@, guenther@
|
#
1.75 |
|
07-May-2016 |
guenther |
Use a Thread Information Block in both single and multi-threaded programs. This stores errno, the cancelation flags, and related bits for each thread and is allocated by ld.so or libc.a. This is an ABI break from 5.9-stable!
Make libpthread dlopen'able by moving the cancelation wrappers into libc and doing locking and fork/errno handling via callbacks that libpthread registers when it first initializes. 'errno' *must* be declared via <errno.h> now!
Clean up libpthread's symbol exports like libc.
On powerpc, offset the TIB/TCB/TLS data from the register per the ELF spec.
Testing by various, particularly sthen@ and patrick@ ok kettenis@
|
#
1.74 |
|
20-Mar-2016 |
guenther |
Export environ and __progname, making the latter a copy of just the filename portion like crt0 does. This is prep for eliminating _dl_fixup_user_env() Mark almost everything in resolve.h as hidden, to improve code generation.
ok kettenis@ mpi@ "good time" deraadt@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.73 |
|
22-Dec-2015 |
mmcc |
assign pointers to NULL rather than 0
|
#
1.72 |
|
06-Nov-2015 |
guenther |
Fix unloading of load groups when the last reference wasn't on the load_object but rather some descendent. Detect that case in _dl_unload_shlib() and switch to unloading the entire group.
Based on partial analyses by Henri Kemppainen (duclare (at) guu.fi) and Peter Hajdu (peter.ferenc.hajdu (at) gmail.com) ok millert@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.71 |
|
16-Jan-2015 |
deraadt |
<sys/param.h> to <limits.h> conversion. Verified binaries ok millert, thanks to doug for process advice
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.70 |
|
10-Jul-2014 |
otto |
check all memory allocations; ok miod@ guenther@
|
#
1.69 |
|
09-Jul-2014 |
guenther |
Use O_CLOEXEC to make sure fork+exec in a threaded process can't see the fds used by dlopen()
ok otto@ miod@
|
#
1.68 |
|
21-Jun-2014 |
otto |
Move to a non-zeroing _dl_malloc, a _dl_calloc and _dl_reallocarry and fix _dl_strdup to return NULL instead of crash; ok deraadt@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.67 |
|
20-Aug-2012 |
matthew |
Add support for .openbsd.randomdata sections and PT_OPENBSD_RANDOMIZE segments to the kernel, ld (2.15), and ld.so. Tested on alpha, amd64, i386, macppc, and sparc64 (thanks naddy, mpi, and okan!).
Idea discussed for some time; committing now for further testing. ok deraadt
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.66 |
|
12-Jun-2012 |
matthew |
Fix loaded object sod matching: when we load libfoo.so.X.Y into memory, we should be able to match other requests for libfoo.so.X.Z against that same object.
ok kurt, kettenis
|
#
1.65 |
|
08-May-2012 |
jsing |
Refuse to load ELF objects that contain a PT_TLS program header. Otherwise the binary assumes that the requested TLS storage has been allocated and will happily use it, resulting in unwanted memory corruption.
ok guenther@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.64 |
|
09-Jan-2012 |
ariane |
Don't mmap 0 byte areas, treat them as a noop instead.
ok miod@
|
#
1.63 |
|
28-Nov-2011 |
guenther |
Add support for getting some flags from DT_FLAGS_1: new flags DF_1_NODELETE and DF_1_INITFIRST, as well as DF_1_NOW and DF_1_GLOBAL.
Committing for kurt@ who worked out the final version; ok guenther@ drahn@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.62 |
|
10-May-2011 |
otto |
Fix previous. On i386, library.c isn't compiled
|
#
1.61 |
|
09-May-2011 |
otto |
Outsmart gcc4 on mips* by moving the declaration of _dl_debug_state outside the file the call is in. Since the function is empty, gcc optmizes the call away, breaking the gdb hook needed to resolve symbols in lazy bound shared libs. Analysis by kettenis@; ok miod@ kettenis@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.60 |
|
16-Nov-2010 |
drahn |
Fix error message when ld.so ends up loading a different than expected library, but other library needs the one loaded. mostly ok kurt@
|
#
1.59 |
|
25-Oct-2010 |
kurt |
Search loaded libs first and add support for SONAME matching. ok drahn@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.58 |
|
02-Oct-2008 |
kurt |
Fix mmap() error checking to be correct 64-bit addresses. Consistently use _dl_mmap_error() to check for mmap() errors. Adjust datatypes of some local vars for 64-bit safety.
okay millert@ drahn@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.57 |
|
05-May-2008 |
kurt |
Constantly fill in the program header pointer and count in elf_object_t for all objects which simplifies phdr usage in a few places. "go for it" drahn@
|
#
1.56 |
|
09-Apr-2008 |
kurt |
Improve support for shared libs linked at non-zero addreses: - rename private values in struct elf_object to better describe their meaning: s/load_offs/obj_base/ "object's address '0' base" s/load_addr/load_base/ "The base address of the loadable segments" - gdb needs the obj_base value so swap positions with load_base in struct elf_object - fix a few occurrences of where load_base was used instead of obj_base.
With help and okay drahn@
|
#
1.55 |
|
02-Apr-2008 |
drahn |
Use the proper define for this address, not a incorrect (on 64bit) define. ok kurt@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE
|
#
1.54 |
|
08-May-2006 |
deraadt |
de-space
|
#
1.53 |
|
03-May-2006 |
drahn |
prebind - how to prelink a binary without throwing security out the window
Prelink fixes the address of libraries making 'return to libc' attacks trival, prebind uses a different method to achieve most of the same gains, however without adding any security conerns.
Still under development, now in-tree.
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.52 |
|
09-Nov-2005 |
kurt |
add RTLD_NOW support to dlopen and propogate -z now to dep libs. ok drahn@
|
#
1.51 |
|
12-Oct-2005 |
kurt |
add missing grpref unload propogation (sync with library_mquery)
|
#
1.50 |
|
12-Oct-2005 |
kurt |
Split grpsym_list creation away from child_list creation and change grpsym_list order to match Sun's docs. Also corrects bugs where grpsym_list was either not created or partially created.
|
#
1.49 |
|
09-Oct-2005 |
kurt |
introduce object ref count macros (suggested by dale). no functional change.
|
#
1.48 |
|
06-Oct-2005 |
kurt |
separate load group references from dep lib child/dload lists. move load group refs to own per object ref counter (grprefcount) and list (grpref_list). corrects more complex load group ref cases and side effects from initial implementation. design ideas and ok drahn@
|
#
1.47 |
|
03-Oct-2005 |
kurt |
refcount corrections: count common dep libs once and centralize dep lib refcount increments to _dl_link_sub. adjust _dl_notify_unload_shlib to match new refcount method. ok drahn@
|
#
1.46 |
|
01-Oct-2005 |
drahn |
handle references to load groups caused by dlopen()ing of depenant members of the load group. work by kurt@ and myself
|
#
1.45 |
|
28-Sep-2005 |
drahn |
correct last commit, in both files.
|
#
1.44 |
|
28-Sep-2005 |
drahn |
keep a state flag if a library has been unloaded, and then free the list seperately ok kurt@
|
#
1.43 |
|
27-Sep-2005 |
kurt |
increment refcount when opening a lib that is already open (dev/inode case) ok drahn@
|
#
1.42 |
|
26-Sep-2005 |
drahn |
Fully unload dependant libraries, fixes gphoto2 bug.
|
#
1.41 |
|
16-Sep-2005 |
drahn |
Rework symbol lookup to more closely match sun's documentation, now treats dlopens as load groups. ok kurt@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.40 |
|
23-May-2005 |
drahn |
fixes for dlclose, ok kettenis@
|
#
1.39 |
|
10-May-2005 |
drahn |
Recommit the destructor order fix, now that the amd64 bug was fixed. 'no problem' pval@
|
#
1.38 |
|
06-Apr-2005 |
deraadt |
backout -- breaks at least amd64; spotted by marc
|
#
1.37 |
|
05-Apr-2005 |
drahn |
Do a better job of running destructors in the right order.
|
#
1.36 |
|
23-Mar-2005 |
drahn |
Code reorganization, move copied code in library.c and library_mquery.c into its own file. no functional change.
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.35 |
|
17-Oct-2004 |
drahn |
Fix some problems related to LD_LIBRARY_PATH parsing where it would not correctly deal with current directory searches specified by "::", ":foo" or "foo:"
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.34 |
|
05-Jul-2004 |
kjell |
Fix an issue where a shared library could be loaded at two different locations by resolving all dlopens back to a dev/inode.
i.e. Don't load a library if the dev/inode it stats back to matches one already in our list.
fix started (and ok'ed) drahn@. ok deraadt@. "doesn't break anything yet" pval@ art@ brad@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
|
#
1.33 |
|
02-Sep-2003 |
drahn |
Fix PR 3371, symbol lookup in dlopen()ed objects is not correct. Correct behavior for RTLD_GLOBAL/RTLD_LOCAL is now supported. ok espie@
|
#
1.32 |
|
18-Jul-2003 |
drahn |
Fix print if minor of library used is is less than requested. ok tdeval@
|
#
1.31 |
|
06-Jul-2003 |
deraadt |
various proto, ansi, and knf repair. tested on all architectures that use it. (build may require make cleandir because of .depend balony)
|
#
1.30 |
|
02-Jul-2003 |
niklas |
Correct library search algorithm, wrt versioned objects
|
#
1.29 |
|
22-Jun-2003 |
drahn |
Dynamic linking random order fixes. This enables random library ordering. Tested by naddy@ and others.
|
#
1.28 |
|
09-Jun-2003 |
deraadt |
pefo 3/4 licence cleanups
|
#
1.27 |
|
30-May-2003 |
drahn |
When loading a shared object or libraries dependant object, load them in random order. This will reduce the possiblity of a buffer overflow being able to predict the addresss of useful code. Can be disabled with the LD_NORANDOM environment variable for debugging purposes. ok deraadt.
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.26 |
|
02-Feb-2003 |
deraadt |
knf & ansi; drahn ok
|
#
1.25 |
|
30-Jan-2003 |
drahn |
Change the constructor execution order to initialize dependant libraries first. This mirrors the commit espie put in a.out ld.so recently.
|
#
1.24 |
|
13-Dec-2002 |
drahn |
Compare to ELFMAG byte by byte rather than using full fledged function. Also avoids a gas problem for the moment.
|
#
1.23 |
|
17-Nov-2002 |
drahn |
Terminate printed strings with newlines.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.22 |
|
08-Aug-2002 |
art |
There was a possible off-by-one in ld.so when loading shared libraries. In some (rare?) cases, where the bss was too small and fit entirely into the leftovers of the data segment we could map one extra page. This is slightly dangerous on PMAP_PREFER machines where mmaps allocations do not happen linearly in the virtual space and we could end up overwriting mappings that are already in use.
This also changes the initial allocation from being a MAP_ANON to a MAP_FILE so that we can pass the fd as a PMAP_PREFER hint.
|
#
1.21 |
|
24-Jul-2002 |
deraadt |
ok i found it
|
#
1.20 |
|
24-Jul-2002 |
deraadt |
back out broken stuff until it is fixed
|
#
1.19 |
|
24-Jul-2002 |
deraadt |
spacing
|
#
1.18 |
|
24-Jul-2002 |
deraadt |
cope with _dl_mmap() returning void *
|
#
1.17 |
|
23-Jul-2002 |
mickey |
match _dl_ syscall prototypes w/ the real syscalls prototypes, including args and return values; art@ ok
|
#
1.16 |
|
12-Jul-2002 |
drahn |
Change ld.so search order/method to match the a.out ld.so.
run destructors on dlclose()
Move more symbols into _dl_ private space, so that the proper (libc) version of the function will be used.
Add readdir() functionality to perform the proper library searching.
Support DL_PRELOAD
Do not relocate symbols if ld.so is being traced (and will exit).
Misc lint cleanup.
ok art@
|
#
1.15 |
|
05-Jun-2002 |
art |
Get rid of an unnecessary typedef (for future cleanup).
|
#
1.14 |
|
28-May-2002 |
deraadt |
more KNF
|
#
1.13 |
|
24-May-2002 |
drahn |
Change _dl_strcpy() to _dl_strlcpy(), implementation taken from libc.
|
#
1.12 |
|
24-May-2002 |
deraadt |
more KNF
|
#
1.11 |
|
24-May-2002 |
deraadt |
various KNF
|
Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE
|
#
1.10 |
|
22-Sep-2001 |
drahn |
Do not check for ':' twice, otherwise the rpath loses the first character after the : in the list of paths.
|
#
1.9 |
|
21-Aug-2001 |
drahn |
Fix up comment to indicate order that libraries in which the libraries are actually searched.
|
#
1.8 |
|
06-Aug-2001 |
drahn |
Change the priority of LD_LIBRARY_PATH, -rpath, and ldconfig path in ELF ld.so to match the behavior in a.out ld.so. The given order is the new order, previously ldconfig had highest priority, which made it impossible to override.
|
#
1.7 |
|
31-May-2001 |
art |
random indentation fixes (needs much more work).
|
#
1.6 |
|
11-May-2001 |
art |
MAP_COPY -> MAP_PRIVATE
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.5 |
|
02-Apr-2001 |
drahn |
Cleanup for 64bit support. Pieces by art, niklas and me. Only tested on powerpc.
|
#
1.4 |
|
30-Mar-2001 |
drahn |
Add infrastructure to allow mapping of text sections which are normally RO, RW while ld.so is working. And then the information to set the sections back to RO (or appropriate mode).
PowerPC now supports the typical NON-PIC relocations in ld.so. I do not know how well this will work with large shared libraries. I seem to recall a possible problem with large data where data is located in a different shared library.
|
#
1.3 |
|
16-Feb-2001 |
drahn |
Now that powerpc is using UVM, this shared library hack is no longer necessary.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.2 |
|
06-Oct-2000 |
rahnds |
Work around a shared library/pmap bug on the powerpc arch. Somehow it seems that the instruction cache will not get properly initialized or a problem exists with mmaping code and being able to execute it. This workaround is excessive in that it flushes the cache for the entire mmaped library. This slows down program startup, but seems to eliminate the problem.
|
#
1.1 |
|
13-Jun-2000 |
rahnds |
branches: 1.1.1; Initial revision
|
#
1.95 |
|
17-Jan-2024 |
deraadt |
very ugly whitespaces
|
#
1.94 |
|
16-Jan-2024 |
deraadt |
Read PT_OPENBSD_SYSCALLS in libc.so, and convert it to a table for pinsyscalls(2). ok kettenis
|
#
1.93 |
|
19-Dec-2023 |
deraadt |
whitespaces
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.92 |
|
15-Aug-2023 |
guenther |
Skip the _dl_msyscall() invocation if tracing library loading.
Problem noted by gnezdo@ ok millert@
|
#
1.91 |
|
12-Jul-2023 |
jasper |
validate alignment of ELF program headers
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.90 |
|
29-Jan-2023 |
gnezdo |
Accumulate intermediate imutables locally before applying
OK deraadt
|
#
1.89 |
|
04-Dec-2022 |
deraadt |
The next step for mimmutable(). ld.so figures out what regions of memory of startup shared library mappings can be made immutable, and also does this for dlope() RTLD_NODELETE and subsidiary libraries. Complexity in this diff is due to the GNU_RELRO and OPENBSD_MUTABLE sections. Tested in snaps for about 3 weeks, with some bootstrap related pain felt in ports ok kettenis, much help from others.
|
#
1.88 |
|
07-Nov-2022 |
deraadt |
dtors were broken by trying to reuse DF_1_NODELETE to hint that this library would never unload, and could be immutable. Pass a seperate flag for our purposes Noticed from regress tests by anton, ok kettenis
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.87 |
|
20-Aug-2022 |
sthen |
Support RTLD_NOLOAD in ld.so. From guenther@. OK jca@ guenther@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.86 |
|
08-Jan-2022 |
guenther |
Prep .c files for removing the #includes from */archdep.h * replace #include "archdep.h" with #includes of what is used, pulling in "syscall.h", "util.h", and "archdep.h" as needed * delete #include <sys/syscall.h> from syscall.h * only pull in <sys/stat.h> to the three files that use _dl_fstat(), forward declare struct stat in syscall.h for the others * NBBY is for <sys/select.h> macros; just use '8' in dl_printf.c * <machine/vmparam.h> is only needed on i386; conditionalize it * stop using __LDPGSZ: use _MAX_PAGE_SHIFT (already used by malloc.c) where necessary * delete other bogus #includes, order legit per style: <sys/*> then <*/*>, then <*>, then "*"
dir.c improvement from jsg@ ok and testing assistance deraadt@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.85 |
|
09-Dec-2019 |
deraadt |
print addresses upon msyscall failure, for now
|
#
1.84 |
|
29-Nov-2019 |
deraadt |
Repurpose the "syscalls must be on a writeable page" mechanism to enforce a new policy: system calls must be in pre-registered regions. We have discussed more strict checks than this, but none satisfy the cost/benefit based upon our understanding of attack methods, anyways let's see what the next iteration looks like.
This is intended to harden (translation: attackers must put extra effort into attacking) against a mixture of W^X failures and JIT bugs which allow syscall misinterpretation, especially in environments with polymorphic-instruction/variable-sized instructions. It fits in a bit with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash behaviour, particularily for remote problems. Less effective once on-host since someone the libraries can be read.
For static-executables the kernel registers the main program's PIE-mapped exec section valid, as well as the randomly-placed sigtramp page. For dynamic executables ELF ld.so's exec segment is also labelled valid; ld.so then has enough information to register libc's exec section as valid via call-once msyscall(2)
For dynamic binaries, we continue to to permit the main program exec segment because "go" (and potentially a few other applications) have embedded system calls in the main program. Hopefully at least go gets fixed soon.
We declare the concept of embedded syscalls a bad idea for numerous reasons, as we notice the ecosystem has many of static-syscall-in-base-binary which are dynamically linked against libraries which in turn use libc, which contains another set of syscall stubs. We've been concerned about adding even one additional syscall entry point... but go's approach tends to double the entry-point attack surface.
This was started at a nano-hackathon in Bob Beck's basement 2 weeks ago during a long discussion with mortimer trying to hide from the SSL scream-conversations, and finished in more comfortable circumstances next to a wood-stove at Elk Lakes cabin with UVM scream-conversations.
ok guenther kettenis mortimer, lots of feedback from others conversations about go with jsing tb sthen
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.83 |
|
04-Oct-2019 |
guenther |
Convert the child_list member from a linked list to a vector.
ok mpi@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.82 |
|
08-Dec-2017 |
deraadt |
Everyone knows this as ld.so, nor by the ancient name rtld. ok guenther
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.81 |
|
08-Feb-2017 |
guenther |
Provide size-generic ELF_NO_ADDR in <sys/exec_elf.h> and use that instead of ELFDEFNNAME(NO_ADDR)
ok jca@
|
#
1.80 |
|
24-Jan-2017 |
guenther |
On fatal errors, kill ourselves with thrkill(0,9,NULL) instead of simply exiting, via helper functions _dl_die(), _dl_diedie(), and _dl_oom().
prompted by a complaint from jsing@ ok jsing@ deraadt@
|
#
1.79 |
|
12-Aug-2016 |
deraadt |
the slimmed down random functions inside ld.so are strict clones of the libc arc4random API, so call them _dl_{arc4random,arcrandombuf} ok tedu guenther
|
#
1.78 |
|
08-Aug-2016 |
guenther |
Look for a PT_GNU_RELRO section per object and, if present, mprotect that range instead of the [__got_start, __got_end) range. On many archs this will cover _DYNAMIC too, so move up the DT_DEBUG handling to before relocations and the mprotect are done.
ok kettenis@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.77 |
|
04-Jul-2016 |
guenther |
Remove prebind support: binding to symbol table indices is too fragile for our development process.
ok kettenis@ deraadt@
|
#
1.76 |
|
08-Jun-2016 |
kettenis |
Some ELF ABIs still require a PLT that is both writable and executable. To avoid W^X violations, initially map such segments as writable and non-executable, and change the mapping to non-writable and executable after initial relocation processing. As a side-benefit this means we no longer depend on the __plt_start and __plt_end to make the PLT read-only after relocation processing.
This will break binaries linked with ld -Z, most notably emacs, on some of our architectures.
ok deraadt@, guenther@
|
#
1.75 |
|
07-May-2016 |
guenther |
Use a Thread Information Block in both single and multi-threaded programs. This stores errno, the cancelation flags, and related bits for each thread and is allocated by ld.so or libc.a. This is an ABI break from 5.9-stable!
Make libpthread dlopen'able by moving the cancelation wrappers into libc and doing locking and fork/errno handling via callbacks that libpthread registers when it first initializes. 'errno' *must* be declared via <errno.h> now!
Clean up libpthread's symbol exports like libc.
On powerpc, offset the TIB/TCB/TLS data from the register per the ELF spec.
Testing by various, particularly sthen@ and patrick@ ok kettenis@
|
#
1.74 |
|
20-Mar-2016 |
guenther |
Export environ and __progname, making the latter a copy of just the filename portion like crt0 does. This is prep for eliminating _dl_fixup_user_env() Mark almost everything in resolve.h as hidden, to improve code generation.
ok kettenis@ mpi@ "good time" deraadt@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.73 |
|
22-Dec-2015 |
mmcc |
assign pointers to NULL rather than 0
|
#
1.72 |
|
06-Nov-2015 |
guenther |
Fix unloading of load groups when the last reference wasn't on the load_object but rather some descendent. Detect that case in _dl_unload_shlib() and switch to unloading the entire group.
Based on partial analyses by Henri Kemppainen (duclare (at) guu.fi) and Peter Hajdu (peter.ferenc.hajdu (at) gmail.com) ok millert@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.71 |
|
16-Jan-2015 |
deraadt |
<sys/param.h> to <limits.h> conversion. Verified binaries ok millert, thanks to doug for process advice
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.70 |
|
10-Jul-2014 |
otto |
check all memory allocations; ok miod@ guenther@
|
#
1.69 |
|
09-Jul-2014 |
guenther |
Use O_CLOEXEC to make sure fork+exec in a threaded process can't see the fds used by dlopen()
ok otto@ miod@
|
#
1.68 |
|
21-Jun-2014 |
otto |
Move to a non-zeroing _dl_malloc, a _dl_calloc and _dl_reallocarry and fix _dl_strdup to return NULL instead of crash; ok deraadt@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.67 |
|
20-Aug-2012 |
matthew |
Add support for .openbsd.randomdata sections and PT_OPENBSD_RANDOMIZE segments to the kernel, ld (2.15), and ld.so. Tested on alpha, amd64, i386, macppc, and sparc64 (thanks naddy, mpi, and okan!).
Idea discussed for some time; committing now for further testing. ok deraadt
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.66 |
|
12-Jun-2012 |
matthew |
Fix loaded object sod matching: when we load libfoo.so.X.Y into memory, we should be able to match other requests for libfoo.so.X.Z against that same object.
ok kurt, kettenis
|
#
1.65 |
|
08-May-2012 |
jsing |
Refuse to load ELF objects that contain a PT_TLS program header. Otherwise the binary assumes that the requested TLS storage has been allocated and will happily use it, resulting in unwanted memory corruption.
ok guenther@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.64 |
|
09-Jan-2012 |
ariane |
Don't mmap 0 byte areas, treat them as a noop instead.
ok miod@
|
#
1.63 |
|
28-Nov-2011 |
guenther |
Add support for getting some flags from DT_FLAGS_1: new flags DF_1_NODELETE and DF_1_INITFIRST, as well as DF_1_NOW and DF_1_GLOBAL.
Committing for kurt@ who worked out the final version; ok guenther@ drahn@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.62 |
|
10-May-2011 |
otto |
Fix previous. On i386, library.c isn't compiled
|
#
1.61 |
|
09-May-2011 |
otto |
Outsmart gcc4 on mips* by moving the declaration of _dl_debug_state outside the file the call is in. Since the function is empty, gcc optmizes the call away, breaking the gdb hook needed to resolve symbols in lazy bound shared libs. Analysis by kettenis@; ok miod@ kettenis@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.60 |
|
16-Nov-2010 |
drahn |
Fix error message when ld.so ends up loading a different than expected library, but other library needs the one loaded. mostly ok kurt@
|
#
1.59 |
|
25-Oct-2010 |
kurt |
Search loaded libs first and add support for SONAME matching. ok drahn@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.58 |
|
02-Oct-2008 |
kurt |
Fix mmap() error checking to be correct 64-bit addresses. Consistently use _dl_mmap_error() to check for mmap() errors. Adjust datatypes of some local vars for 64-bit safety.
okay millert@ drahn@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.57 |
|
05-May-2008 |
kurt |
Constantly fill in the program header pointer and count in elf_object_t for all objects which simplifies phdr usage in a few places. "go for it" drahn@
|
#
1.56 |
|
09-Apr-2008 |
kurt |
Improve support for shared libs linked at non-zero addreses: - rename private values in struct elf_object to better describe their meaning: s/load_offs/obj_base/ "object's address '0' base" s/load_addr/load_base/ "The base address of the loadable segments" - gdb needs the obj_base value so swap positions with load_base in struct elf_object - fix a few occurrences of where load_base was used instead of obj_base.
With help and okay drahn@
|
#
1.55 |
|
02-Apr-2008 |
drahn |
Use the proper define for this address, not a incorrect (on 64bit) define. ok kurt@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE
|
#
1.54 |
|
08-May-2006 |
deraadt |
de-space
|
#
1.53 |
|
03-May-2006 |
drahn |
prebind - how to prelink a binary without throwing security out the window
Prelink fixes the address of libraries making 'return to libc' attacks trival, prebind uses a different method to achieve most of the same gains, however without adding any security conerns.
Still under development, now in-tree.
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.52 |
|
09-Nov-2005 |
kurt |
add RTLD_NOW support to dlopen and propogate -z now to dep libs. ok drahn@
|
#
1.51 |
|
12-Oct-2005 |
kurt |
add missing grpref unload propogation (sync with library_mquery)
|
#
1.50 |
|
12-Oct-2005 |
kurt |
Split grpsym_list creation away from child_list creation and change grpsym_list order to match Sun's docs. Also corrects bugs where grpsym_list was either not created or partially created.
|
#
1.49 |
|
09-Oct-2005 |
kurt |
introduce object ref count macros (suggested by dale). no functional change.
|
#
1.48 |
|
06-Oct-2005 |
kurt |
separate load group references from dep lib child/dload lists. move load group refs to own per object ref counter (grprefcount) and list (grpref_list). corrects more complex load group ref cases and side effects from initial implementation. design ideas and ok drahn@
|
#
1.47 |
|
03-Oct-2005 |
kurt |
refcount corrections: count common dep libs once and centralize dep lib refcount increments to _dl_link_sub. adjust _dl_notify_unload_shlib to match new refcount method. ok drahn@
|
#
1.46 |
|
01-Oct-2005 |
drahn |
handle references to load groups caused by dlopen()ing of depenant members of the load group. work by kurt@ and myself
|
#
1.45 |
|
28-Sep-2005 |
drahn |
correct last commit, in both files.
|
#
1.44 |
|
28-Sep-2005 |
drahn |
keep a state flag if a library has been unloaded, and then free the list seperately ok kurt@
|
#
1.43 |
|
27-Sep-2005 |
kurt |
increment refcount when opening a lib that is already open (dev/inode case) ok drahn@
|
#
1.42 |
|
26-Sep-2005 |
drahn |
Fully unload dependant libraries, fixes gphoto2 bug.
|
#
1.41 |
|
16-Sep-2005 |
drahn |
Rework symbol lookup to more closely match sun's documentation, now treats dlopens as load groups. ok kurt@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.40 |
|
23-May-2005 |
drahn |
fixes for dlclose, ok kettenis@
|
#
1.39 |
|
10-May-2005 |
drahn |
Recommit the destructor order fix, now that the amd64 bug was fixed. 'no problem' pval@
|
#
1.38 |
|
06-Apr-2005 |
deraadt |
backout -- breaks at least amd64; spotted by marc
|
#
1.37 |
|
05-Apr-2005 |
drahn |
Do a better job of running destructors in the right order.
|
#
1.36 |
|
23-Mar-2005 |
drahn |
Code reorganization, move copied code in library.c and library_mquery.c into its own file. no functional change.
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.35 |
|
17-Oct-2004 |
drahn |
Fix some problems related to LD_LIBRARY_PATH parsing where it would not correctly deal with current directory searches specified by "::", ":foo" or "foo:"
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.34 |
|
05-Jul-2004 |
kjell |
Fix an issue where a shared library could be loaded at two different locations by resolving all dlopens back to a dev/inode.
i.e. Don't load a library if the dev/inode it stats back to matches one already in our list.
fix started (and ok'ed) drahn@. ok deraadt@. "doesn't break anything yet" pval@ art@ brad@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
|
#
1.33 |
|
02-Sep-2003 |
drahn |
Fix PR 3371, symbol lookup in dlopen()ed objects is not correct. Correct behavior for RTLD_GLOBAL/RTLD_LOCAL is now supported. ok espie@
|
#
1.32 |
|
18-Jul-2003 |
drahn |
Fix print if minor of library used is is less than requested. ok tdeval@
|
#
1.31 |
|
06-Jul-2003 |
deraadt |
various proto, ansi, and knf repair. tested on all architectures that use it. (build may require make cleandir because of .depend balony)
|
#
1.30 |
|
02-Jul-2003 |
niklas |
Correct library search algorithm, wrt versioned objects
|
#
1.29 |
|
22-Jun-2003 |
drahn |
Dynamic linking random order fixes. This enables random library ordering. Tested by naddy@ and others.
|
#
1.28 |
|
09-Jun-2003 |
deraadt |
pefo 3/4 licence cleanups
|
#
1.27 |
|
30-May-2003 |
drahn |
When loading a shared object or libraries dependant object, load them in random order. This will reduce the possiblity of a buffer overflow being able to predict the addresss of useful code. Can be disabled with the LD_NORANDOM environment variable for debugging purposes. ok deraadt.
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.26 |
|
02-Feb-2003 |
deraadt |
knf & ansi; drahn ok
|
#
1.25 |
|
30-Jan-2003 |
drahn |
Change the constructor execution order to initialize dependant libraries first. This mirrors the commit espie put in a.out ld.so recently.
|
#
1.24 |
|
13-Dec-2002 |
drahn |
Compare to ELFMAG byte by byte rather than using full fledged function. Also avoids a gas problem for the moment.
|
#
1.23 |
|
17-Nov-2002 |
drahn |
Terminate printed strings with newlines.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.22 |
|
08-Aug-2002 |
art |
There was a possible off-by-one in ld.so when loading shared libraries. In some (rare?) cases, where the bss was too small and fit entirely into the leftovers of the data segment we could map one extra page. This is slightly dangerous on PMAP_PREFER machines where mmaps allocations do not happen linearly in the virtual space and we could end up overwriting mappings that are already in use.
This also changes the initial allocation from being a MAP_ANON to a MAP_FILE so that we can pass the fd as a PMAP_PREFER hint.
|
#
1.21 |
|
24-Jul-2002 |
deraadt |
ok i found it
|
#
1.20 |
|
24-Jul-2002 |
deraadt |
back out broken stuff until it is fixed
|
#
1.19 |
|
24-Jul-2002 |
deraadt |
spacing
|
#
1.18 |
|
24-Jul-2002 |
deraadt |
cope with _dl_mmap() returning void *
|
#
1.17 |
|
23-Jul-2002 |
mickey |
match _dl_ syscall prototypes w/ the real syscalls prototypes, including args and return values; art@ ok
|
#
1.16 |
|
12-Jul-2002 |
drahn |
Change ld.so search order/method to match the a.out ld.so.
run destructors on dlclose()
Move more symbols into _dl_ private space, so that the proper (libc) version of the function will be used.
Add readdir() functionality to perform the proper library searching.
Support DL_PRELOAD
Do not relocate symbols if ld.so is being traced (and will exit).
Misc lint cleanup.
ok art@
|
#
1.15 |
|
05-Jun-2002 |
art |
Get rid of an unnecessary typedef (for future cleanup).
|
#
1.14 |
|
28-May-2002 |
deraadt |
more KNF
|
#
1.13 |
|
24-May-2002 |
drahn |
Change _dl_strcpy() to _dl_strlcpy(), implementation taken from libc.
|
#
1.12 |
|
24-May-2002 |
deraadt |
more KNF
|
#
1.11 |
|
24-May-2002 |
deraadt |
various KNF
|
Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE
|
#
1.10 |
|
22-Sep-2001 |
drahn |
Do not check for ':' twice, otherwise the rpath loses the first character after the : in the list of paths.
|
#
1.9 |
|
21-Aug-2001 |
drahn |
Fix up comment to indicate order that libraries in which the libraries are actually searched.
|
#
1.8 |
|
06-Aug-2001 |
drahn |
Change the priority of LD_LIBRARY_PATH, -rpath, and ldconfig path in ELF ld.so to match the behavior in a.out ld.so. The given order is the new order, previously ldconfig had highest priority, which made it impossible to override.
|
#
1.7 |
|
31-May-2001 |
art |
random indentation fixes (needs much more work).
|
#
1.6 |
|
11-May-2001 |
art |
MAP_COPY -> MAP_PRIVATE
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.5 |
|
02-Apr-2001 |
drahn |
Cleanup for 64bit support. Pieces by art, niklas and me. Only tested on powerpc.
|
#
1.4 |
|
30-Mar-2001 |
drahn |
Add infrastructure to allow mapping of text sections which are normally RO, RW while ld.so is working. And then the information to set the sections back to RO (or appropriate mode).
PowerPC now supports the typical NON-PIC relocations in ld.so. I do not know how well this will work with large shared libraries. I seem to recall a possible problem with large data where data is located in a different shared library.
|
#
1.3 |
|
16-Feb-2001 |
drahn |
Now that powerpc is using UVM, this shared library hack is no longer necessary.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.2 |
|
06-Oct-2000 |
rahnds |
Work around a shared library/pmap bug on the powerpc arch. Somehow it seems that the instruction cache will not get properly initialized or a problem exists with mmaping code and being able to execute it. This workaround is excessive in that it flushes the cache for the entire mmaped library. This slows down program startup, but seems to eliminate the problem.
|
#
1.1 |
|
13-Jun-2000 |
rahnds |
branches: 1.1.1; Initial revision
|
#
1.93 |
|
19-Dec-2023 |
deraadt |
whitespaces
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.92 |
|
15-Aug-2023 |
guenther |
Skip the _dl_msyscall() invocation if tracing library loading.
Problem noted by gnezdo@ ok millert@
|
#
1.91 |
|
12-Jul-2023 |
jasper |
validate alignment of ELF program headers
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.90 |
|
29-Jan-2023 |
gnezdo |
Accumulate intermediate imutables locally before applying
OK deraadt
|
#
1.89 |
|
04-Dec-2022 |
deraadt |
The next step for mimmutable(). ld.so figures out what regions of memory of startup shared library mappings can be made immutable, and also does this for dlope() RTLD_NODELETE and subsidiary libraries. Complexity in this diff is due to the GNU_RELRO and OPENBSD_MUTABLE sections. Tested in snaps for about 3 weeks, with some bootstrap related pain felt in ports ok kettenis, much help from others.
|
#
1.88 |
|
07-Nov-2022 |
deraadt |
dtors were broken by trying to reuse DF_1_NODELETE to hint that this library would never unload, and could be immutable. Pass a seperate flag for our purposes Noticed from regress tests by anton, ok kettenis
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.87 |
|
20-Aug-2022 |
sthen |
Support RTLD_NOLOAD in ld.so. From guenther@. OK jca@ guenther@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.86 |
|
08-Jan-2022 |
guenther |
Prep .c files for removing the #includes from */archdep.h * replace #include "archdep.h" with #includes of what is used, pulling in "syscall.h", "util.h", and "archdep.h" as needed * delete #include <sys/syscall.h> from syscall.h * only pull in <sys/stat.h> to the three files that use _dl_fstat(), forward declare struct stat in syscall.h for the others * NBBY is for <sys/select.h> macros; just use '8' in dl_printf.c * <machine/vmparam.h> is only needed on i386; conditionalize it * stop using __LDPGSZ: use _MAX_PAGE_SHIFT (already used by malloc.c) where necessary * delete other bogus #includes, order legit per style: <sys/*> then <*/*>, then <*>, then "*"
dir.c improvement from jsg@ ok and testing assistance deraadt@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.85 |
|
09-Dec-2019 |
deraadt |
print addresses upon msyscall failure, for now
|
#
1.84 |
|
29-Nov-2019 |
deraadt |
Repurpose the "syscalls must be on a writeable page" mechanism to enforce a new policy: system calls must be in pre-registered regions. We have discussed more strict checks than this, but none satisfy the cost/benefit based upon our understanding of attack methods, anyways let's see what the next iteration looks like.
This is intended to harden (translation: attackers must put extra effort into attacking) against a mixture of W^X failures and JIT bugs which allow syscall misinterpretation, especially in environments with polymorphic-instruction/variable-sized instructions. It fits in a bit with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash behaviour, particularily for remote problems. Less effective once on-host since someone the libraries can be read.
For static-executables the kernel registers the main program's PIE-mapped exec section valid, as well as the randomly-placed sigtramp page. For dynamic executables ELF ld.so's exec segment is also labelled valid; ld.so then has enough information to register libc's exec section as valid via call-once msyscall(2)
For dynamic binaries, we continue to to permit the main program exec segment because "go" (and potentially a few other applications) have embedded system calls in the main program. Hopefully at least go gets fixed soon.
We declare the concept of embedded syscalls a bad idea for numerous reasons, as we notice the ecosystem has many of static-syscall-in-base-binary which are dynamically linked against libraries which in turn use libc, which contains another set of syscall stubs. We've been concerned about adding even one additional syscall entry point... but go's approach tends to double the entry-point attack surface.
This was started at a nano-hackathon in Bob Beck's basement 2 weeks ago during a long discussion with mortimer trying to hide from the SSL scream-conversations, and finished in more comfortable circumstances next to a wood-stove at Elk Lakes cabin with UVM scream-conversations.
ok guenther kettenis mortimer, lots of feedback from others conversations about go with jsing tb sthen
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.83 |
|
04-Oct-2019 |
guenther |
Convert the child_list member from a linked list to a vector.
ok mpi@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.82 |
|
08-Dec-2017 |
deraadt |
Everyone knows this as ld.so, nor by the ancient name rtld. ok guenther
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.81 |
|
08-Feb-2017 |
guenther |
Provide size-generic ELF_NO_ADDR in <sys/exec_elf.h> and use that instead of ELFDEFNNAME(NO_ADDR)
ok jca@
|
#
1.80 |
|
24-Jan-2017 |
guenther |
On fatal errors, kill ourselves with thrkill(0,9,NULL) instead of simply exiting, via helper functions _dl_die(), _dl_diedie(), and _dl_oom().
prompted by a complaint from jsing@ ok jsing@ deraadt@
|
#
1.79 |
|
12-Aug-2016 |
deraadt |
the slimmed down random functions inside ld.so are strict clones of the libc arc4random API, so call them _dl_{arc4random,arcrandombuf} ok tedu guenther
|
#
1.78 |
|
08-Aug-2016 |
guenther |
Look for a PT_GNU_RELRO section per object and, if present, mprotect that range instead of the [__got_start, __got_end) range. On many archs this will cover _DYNAMIC too, so move up the DT_DEBUG handling to before relocations and the mprotect are done.
ok kettenis@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.77 |
|
04-Jul-2016 |
guenther |
Remove prebind support: binding to symbol table indices is too fragile for our development process.
ok kettenis@ deraadt@
|
#
1.76 |
|
08-Jun-2016 |
kettenis |
Some ELF ABIs still require a PLT that is both writable and executable. To avoid W^X violations, initially map such segments as writable and non-executable, and change the mapping to non-writable and executable after initial relocation processing. As a side-benefit this means we no longer depend on the __plt_start and __plt_end to make the PLT read-only after relocation processing.
This will break binaries linked with ld -Z, most notably emacs, on some of our architectures.
ok deraadt@, guenther@
|
#
1.75 |
|
07-May-2016 |
guenther |
Use a Thread Information Block in both single and multi-threaded programs. This stores errno, the cancelation flags, and related bits for each thread and is allocated by ld.so or libc.a. This is an ABI break from 5.9-stable!
Make libpthread dlopen'able by moving the cancelation wrappers into libc and doing locking and fork/errno handling via callbacks that libpthread registers when it first initializes. 'errno' *must* be declared via <errno.h> now!
Clean up libpthread's symbol exports like libc.
On powerpc, offset the TIB/TCB/TLS data from the register per the ELF spec.
Testing by various, particularly sthen@ and patrick@ ok kettenis@
|
#
1.74 |
|
20-Mar-2016 |
guenther |
Export environ and __progname, making the latter a copy of just the filename portion like crt0 does. This is prep for eliminating _dl_fixup_user_env() Mark almost everything in resolve.h as hidden, to improve code generation.
ok kettenis@ mpi@ "good time" deraadt@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.73 |
|
22-Dec-2015 |
mmcc |
assign pointers to NULL rather than 0
|
#
1.72 |
|
06-Nov-2015 |
guenther |
Fix unloading of load groups when the last reference wasn't on the load_object but rather some descendent. Detect that case in _dl_unload_shlib() and switch to unloading the entire group.
Based on partial analyses by Henri Kemppainen (duclare (at) guu.fi) and Peter Hajdu (peter.ferenc.hajdu (at) gmail.com) ok millert@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.71 |
|
16-Jan-2015 |
deraadt |
<sys/param.h> to <limits.h> conversion. Verified binaries ok millert, thanks to doug for process advice
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.70 |
|
10-Jul-2014 |
otto |
check all memory allocations; ok miod@ guenther@
|
#
1.69 |
|
09-Jul-2014 |
guenther |
Use O_CLOEXEC to make sure fork+exec in a threaded process can't see the fds used by dlopen()
ok otto@ miod@
|
#
1.68 |
|
21-Jun-2014 |
otto |
Move to a non-zeroing _dl_malloc, a _dl_calloc and _dl_reallocarry and fix _dl_strdup to return NULL instead of crash; ok deraadt@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.67 |
|
20-Aug-2012 |
matthew |
Add support for .openbsd.randomdata sections and PT_OPENBSD_RANDOMIZE segments to the kernel, ld (2.15), and ld.so. Tested on alpha, amd64, i386, macppc, and sparc64 (thanks naddy, mpi, and okan!).
Idea discussed for some time; committing now for further testing. ok deraadt
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.66 |
|
12-Jun-2012 |
matthew |
Fix loaded object sod matching: when we load libfoo.so.X.Y into memory, we should be able to match other requests for libfoo.so.X.Z against that same object.
ok kurt, kettenis
|
#
1.65 |
|
08-May-2012 |
jsing |
Refuse to load ELF objects that contain a PT_TLS program header. Otherwise the binary assumes that the requested TLS storage has been allocated and will happily use it, resulting in unwanted memory corruption.
ok guenther@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.64 |
|
09-Jan-2012 |
ariane |
Don't mmap 0 byte areas, treat them as a noop instead.
ok miod@
|
#
1.63 |
|
28-Nov-2011 |
guenther |
Add support for getting some flags from DT_FLAGS_1: new flags DF_1_NODELETE and DF_1_INITFIRST, as well as DF_1_NOW and DF_1_GLOBAL.
Committing for kurt@ who worked out the final version; ok guenther@ drahn@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.62 |
|
10-May-2011 |
otto |
Fix previous. On i386, library.c isn't compiled
|
#
1.61 |
|
09-May-2011 |
otto |
Outsmart gcc4 on mips* by moving the declaration of _dl_debug_state outside the file the call is in. Since the function is empty, gcc optmizes the call away, breaking the gdb hook needed to resolve symbols in lazy bound shared libs. Analysis by kettenis@; ok miod@ kettenis@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.60 |
|
16-Nov-2010 |
drahn |
Fix error message when ld.so ends up loading a different than expected library, but other library needs the one loaded. mostly ok kurt@
|
#
1.59 |
|
25-Oct-2010 |
kurt |
Search loaded libs first and add support for SONAME matching. ok drahn@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.58 |
|
02-Oct-2008 |
kurt |
Fix mmap() error checking to be correct 64-bit addresses. Consistently use _dl_mmap_error() to check for mmap() errors. Adjust datatypes of some local vars for 64-bit safety.
okay millert@ drahn@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.57 |
|
05-May-2008 |
kurt |
Constantly fill in the program header pointer and count in elf_object_t for all objects which simplifies phdr usage in a few places. "go for it" drahn@
|
#
1.56 |
|
09-Apr-2008 |
kurt |
Improve support for shared libs linked at non-zero addreses: - rename private values in struct elf_object to better describe their meaning: s/load_offs/obj_base/ "object's address '0' base" s/load_addr/load_base/ "The base address of the loadable segments" - gdb needs the obj_base value so swap positions with load_base in struct elf_object - fix a few occurrences of where load_base was used instead of obj_base.
With help and okay drahn@
|
#
1.55 |
|
02-Apr-2008 |
drahn |
Use the proper define for this address, not a incorrect (on 64bit) define. ok kurt@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE
|
#
1.54 |
|
08-May-2006 |
deraadt |
de-space
|
#
1.53 |
|
03-May-2006 |
drahn |
prebind - how to prelink a binary without throwing security out the window
Prelink fixes the address of libraries making 'return to libc' attacks trival, prebind uses a different method to achieve most of the same gains, however without adding any security conerns.
Still under development, now in-tree.
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.52 |
|
09-Nov-2005 |
kurt |
add RTLD_NOW support to dlopen and propogate -z now to dep libs. ok drahn@
|
#
1.51 |
|
12-Oct-2005 |
kurt |
add missing grpref unload propogation (sync with library_mquery)
|
#
1.50 |
|
12-Oct-2005 |
kurt |
Split grpsym_list creation away from child_list creation and change grpsym_list order to match Sun's docs. Also corrects bugs where grpsym_list was either not created or partially created.
|
#
1.49 |
|
09-Oct-2005 |
kurt |
introduce object ref count macros (suggested by dale). no functional change.
|
#
1.48 |
|
06-Oct-2005 |
kurt |
separate load group references from dep lib child/dload lists. move load group refs to own per object ref counter (grprefcount) and list (grpref_list). corrects more complex load group ref cases and side effects from initial implementation. design ideas and ok drahn@
|
#
1.47 |
|
03-Oct-2005 |
kurt |
refcount corrections: count common dep libs once and centralize dep lib refcount increments to _dl_link_sub. adjust _dl_notify_unload_shlib to match new refcount method. ok drahn@
|
#
1.46 |
|
01-Oct-2005 |
drahn |
handle references to load groups caused by dlopen()ing of depenant members of the load group. work by kurt@ and myself
|
#
1.45 |
|
28-Sep-2005 |
drahn |
correct last commit, in both files.
|
#
1.44 |
|
28-Sep-2005 |
drahn |
keep a state flag if a library has been unloaded, and then free the list seperately ok kurt@
|
#
1.43 |
|
27-Sep-2005 |
kurt |
increment refcount when opening a lib that is already open (dev/inode case) ok drahn@
|
#
1.42 |
|
26-Sep-2005 |
drahn |
Fully unload dependant libraries, fixes gphoto2 bug.
|
#
1.41 |
|
16-Sep-2005 |
drahn |
Rework symbol lookup to more closely match sun's documentation, now treats dlopens as load groups. ok kurt@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.40 |
|
23-May-2005 |
drahn |
fixes for dlclose, ok kettenis@
|
#
1.39 |
|
10-May-2005 |
drahn |
Recommit the destructor order fix, now that the amd64 bug was fixed. 'no problem' pval@
|
#
1.38 |
|
06-Apr-2005 |
deraadt |
backout -- breaks at least amd64; spotted by marc
|
#
1.37 |
|
05-Apr-2005 |
drahn |
Do a better job of running destructors in the right order.
|
#
1.36 |
|
23-Mar-2005 |
drahn |
Code reorganization, move copied code in library.c and library_mquery.c into its own file. no functional change.
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.35 |
|
17-Oct-2004 |
drahn |
Fix some problems related to LD_LIBRARY_PATH parsing where it would not correctly deal with current directory searches specified by "::", ":foo" or "foo:"
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.34 |
|
05-Jul-2004 |
kjell |
Fix an issue where a shared library could be loaded at two different locations by resolving all dlopens back to a dev/inode.
i.e. Don't load a library if the dev/inode it stats back to matches one already in our list.
fix started (and ok'ed) drahn@. ok deraadt@. "doesn't break anything yet" pval@ art@ brad@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
|
#
1.33 |
|
02-Sep-2003 |
drahn |
Fix PR 3371, symbol lookup in dlopen()ed objects is not correct. Correct behavior for RTLD_GLOBAL/RTLD_LOCAL is now supported. ok espie@
|
#
1.32 |
|
18-Jul-2003 |
drahn |
Fix print if minor of library used is is less than requested. ok tdeval@
|
#
1.31 |
|
06-Jul-2003 |
deraadt |
various proto, ansi, and knf repair. tested on all architectures that use it. (build may require make cleandir because of .depend balony)
|
#
1.30 |
|
02-Jul-2003 |
niklas |
Correct library search algorithm, wrt versioned objects
|
#
1.29 |
|
22-Jun-2003 |
drahn |
Dynamic linking random order fixes. This enables random library ordering. Tested by naddy@ and others.
|
#
1.28 |
|
09-Jun-2003 |
deraadt |
pefo 3/4 licence cleanups
|
#
1.27 |
|
30-May-2003 |
drahn |
When loading a shared object or libraries dependant object, load them in random order. This will reduce the possiblity of a buffer overflow being able to predict the addresss of useful code. Can be disabled with the LD_NORANDOM environment variable for debugging purposes. ok deraadt.
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.26 |
|
02-Feb-2003 |
deraadt |
knf & ansi; drahn ok
|
#
1.25 |
|
30-Jan-2003 |
drahn |
Change the constructor execution order to initialize dependant libraries first. This mirrors the commit espie put in a.out ld.so recently.
|
#
1.24 |
|
13-Dec-2002 |
drahn |
Compare to ELFMAG byte by byte rather than using full fledged function. Also avoids a gas problem for the moment.
|
#
1.23 |
|
17-Nov-2002 |
drahn |
Terminate printed strings with newlines.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.22 |
|
08-Aug-2002 |
art |
There was a possible off-by-one in ld.so when loading shared libraries. In some (rare?) cases, where the bss was too small and fit entirely into the leftovers of the data segment we could map one extra page. This is slightly dangerous on PMAP_PREFER machines where mmaps allocations do not happen linearly in the virtual space and we could end up overwriting mappings that are already in use.
This also changes the initial allocation from being a MAP_ANON to a MAP_FILE so that we can pass the fd as a PMAP_PREFER hint.
|
#
1.21 |
|
24-Jul-2002 |
deraadt |
ok i found it
|
#
1.20 |
|
24-Jul-2002 |
deraadt |
back out broken stuff until it is fixed
|
#
1.19 |
|
24-Jul-2002 |
deraadt |
spacing
|
#
1.18 |
|
24-Jul-2002 |
deraadt |
cope with _dl_mmap() returning void *
|
#
1.17 |
|
23-Jul-2002 |
mickey |
match _dl_ syscall prototypes w/ the real syscalls prototypes, including args and return values; art@ ok
|
#
1.16 |
|
12-Jul-2002 |
drahn |
Change ld.so search order/method to match the a.out ld.so.
run destructors on dlclose()
Move more symbols into _dl_ private space, so that the proper (libc) version of the function will be used.
Add readdir() functionality to perform the proper library searching.
Support DL_PRELOAD
Do not relocate symbols if ld.so is being traced (and will exit).
Misc lint cleanup.
ok art@
|
#
1.15 |
|
05-Jun-2002 |
art |
Get rid of an unnecessary typedef (for future cleanup).
|
#
1.14 |
|
28-May-2002 |
deraadt |
more KNF
|
#
1.13 |
|
24-May-2002 |
drahn |
Change _dl_strcpy() to _dl_strlcpy(), implementation taken from libc.
|
#
1.12 |
|
24-May-2002 |
deraadt |
more KNF
|
#
1.11 |
|
24-May-2002 |
deraadt |
various KNF
|
Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE
|
#
1.10 |
|
22-Sep-2001 |
drahn |
Do not check for ':' twice, otherwise the rpath loses the first character after the : in the list of paths.
|
#
1.9 |
|
21-Aug-2001 |
drahn |
Fix up comment to indicate order that libraries in which the libraries are actually searched.
|
#
1.8 |
|
06-Aug-2001 |
drahn |
Change the priority of LD_LIBRARY_PATH, -rpath, and ldconfig path in ELF ld.so to match the behavior in a.out ld.so. The given order is the new order, previously ldconfig had highest priority, which made it impossible to override.
|
#
1.7 |
|
31-May-2001 |
art |
random indentation fixes (needs much more work).
|
#
1.6 |
|
11-May-2001 |
art |
MAP_COPY -> MAP_PRIVATE
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.5 |
|
02-Apr-2001 |
drahn |
Cleanup for 64bit support. Pieces by art, niklas and me. Only tested on powerpc.
|
#
1.4 |
|
30-Mar-2001 |
drahn |
Add infrastructure to allow mapping of text sections which are normally RO, RW while ld.so is working. And then the information to set the sections back to RO (or appropriate mode).
PowerPC now supports the typical NON-PIC relocations in ld.so. I do not know how well this will work with large shared libraries. I seem to recall a possible problem with large data where data is located in a different shared library.
|
#
1.3 |
|
16-Feb-2001 |
drahn |
Now that powerpc is using UVM, this shared library hack is no longer necessary.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.2 |
|
06-Oct-2000 |
rahnds |
Work around a shared library/pmap bug on the powerpc arch. Somehow it seems that the instruction cache will not get properly initialized or a problem exists with mmaping code and being able to execute it. This workaround is excessive in that it flushes the cache for the entire mmaped library. This slows down program startup, but seems to eliminate the problem.
|
#
1.1 |
|
13-Jun-2000 |
rahnds |
branches: 1.1.1; Initial revision
|
#
1.92 |
|
15-Aug-2023 |
guenther |
Skip the _dl_msyscall() invocation if tracing library loading.
Problem noted by gnezdo@ ok millert@
|
#
1.91 |
|
12-Jul-2023 |
jasper |
validate alignment of ELF program headers
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.90 |
|
29-Jan-2023 |
gnezdo |
Accumulate intermediate imutables locally before applying
OK deraadt
|
#
1.89 |
|
04-Dec-2022 |
deraadt |
The next step for mimmutable(). ld.so figures out what regions of memory of startup shared library mappings can be made immutable, and also does this for dlope() RTLD_NODELETE and subsidiary libraries. Complexity in this diff is due to the GNU_RELRO and OPENBSD_MUTABLE sections. Tested in snaps for about 3 weeks, with some bootstrap related pain felt in ports ok kettenis, much help from others.
|
#
1.88 |
|
07-Nov-2022 |
deraadt |
dtors were broken by trying to reuse DF_1_NODELETE to hint that this library would never unload, and could be immutable. Pass a seperate flag for our purposes Noticed from regress tests by anton, ok kettenis
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.87 |
|
20-Aug-2022 |
sthen |
Support RTLD_NOLOAD in ld.so. From guenther@. OK jca@ guenther@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.86 |
|
08-Jan-2022 |
guenther |
Prep .c files for removing the #includes from */archdep.h * replace #include "archdep.h" with #includes of what is used, pulling in "syscall.h", "util.h", and "archdep.h" as needed * delete #include <sys/syscall.h> from syscall.h * only pull in <sys/stat.h> to the three files that use _dl_fstat(), forward declare struct stat in syscall.h for the others * NBBY is for <sys/select.h> macros; just use '8' in dl_printf.c * <machine/vmparam.h> is only needed on i386; conditionalize it * stop using __LDPGSZ: use _MAX_PAGE_SHIFT (already used by malloc.c) where necessary * delete other bogus #includes, order legit per style: <sys/*> then <*/*>, then <*>, then "*"
dir.c improvement from jsg@ ok and testing assistance deraadt@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.85 |
|
09-Dec-2019 |
deraadt |
print addresses upon msyscall failure, for now
|
#
1.84 |
|
29-Nov-2019 |
deraadt |
Repurpose the "syscalls must be on a writeable page" mechanism to enforce a new policy: system calls must be in pre-registered regions. We have discussed more strict checks than this, but none satisfy the cost/benefit based upon our understanding of attack methods, anyways let's see what the next iteration looks like.
This is intended to harden (translation: attackers must put extra effort into attacking) against a mixture of W^X failures and JIT bugs which allow syscall misinterpretation, especially in environments with polymorphic-instruction/variable-sized instructions. It fits in a bit with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash behaviour, particularily for remote problems. Less effective once on-host since someone the libraries can be read.
For static-executables the kernel registers the main program's PIE-mapped exec section valid, as well as the randomly-placed sigtramp page. For dynamic executables ELF ld.so's exec segment is also labelled valid; ld.so then has enough information to register libc's exec section as valid via call-once msyscall(2)
For dynamic binaries, we continue to to permit the main program exec segment because "go" (and potentially a few other applications) have embedded system calls in the main program. Hopefully at least go gets fixed soon.
We declare the concept of embedded syscalls a bad idea for numerous reasons, as we notice the ecosystem has many of static-syscall-in-base-binary which are dynamically linked against libraries which in turn use libc, which contains another set of syscall stubs. We've been concerned about adding even one additional syscall entry point... but go's approach tends to double the entry-point attack surface.
This was started at a nano-hackathon in Bob Beck's basement 2 weeks ago during a long discussion with mortimer trying to hide from the SSL scream-conversations, and finished in more comfortable circumstances next to a wood-stove at Elk Lakes cabin with UVM scream-conversations.
ok guenther kettenis mortimer, lots of feedback from others conversations about go with jsing tb sthen
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.83 |
|
04-Oct-2019 |
guenther |
Convert the child_list member from a linked list to a vector.
ok mpi@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.82 |
|
08-Dec-2017 |
deraadt |
Everyone knows this as ld.so, nor by the ancient name rtld. ok guenther
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.81 |
|
08-Feb-2017 |
guenther |
Provide size-generic ELF_NO_ADDR in <sys/exec_elf.h> and use that instead of ELFDEFNNAME(NO_ADDR)
ok jca@
|
#
1.80 |
|
24-Jan-2017 |
guenther |
On fatal errors, kill ourselves with thrkill(0,9,NULL) instead of simply exiting, via helper functions _dl_die(), _dl_diedie(), and _dl_oom().
prompted by a complaint from jsing@ ok jsing@ deraadt@
|
#
1.79 |
|
12-Aug-2016 |
deraadt |
the slimmed down random functions inside ld.so are strict clones of the libc arc4random API, so call them _dl_{arc4random,arcrandombuf} ok tedu guenther
|
#
1.78 |
|
08-Aug-2016 |
guenther |
Look for a PT_GNU_RELRO section per object and, if present, mprotect that range instead of the [__got_start, __got_end) range. On many archs this will cover _DYNAMIC too, so move up the DT_DEBUG handling to before relocations and the mprotect are done.
ok kettenis@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.77 |
|
04-Jul-2016 |
guenther |
Remove prebind support: binding to symbol table indices is too fragile for our development process.
ok kettenis@ deraadt@
|
#
1.76 |
|
08-Jun-2016 |
kettenis |
Some ELF ABIs still require a PLT that is both writable and executable. To avoid W^X violations, initially map such segments as writable and non-executable, and change the mapping to non-writable and executable after initial relocation processing. As a side-benefit this means we no longer depend on the __plt_start and __plt_end to make the PLT read-only after relocation processing.
This will break binaries linked with ld -Z, most notably emacs, on some of our architectures.
ok deraadt@, guenther@
|
#
1.75 |
|
07-May-2016 |
guenther |
Use a Thread Information Block in both single and multi-threaded programs. This stores errno, the cancelation flags, and related bits for each thread and is allocated by ld.so or libc.a. This is an ABI break from 5.9-stable!
Make libpthread dlopen'able by moving the cancelation wrappers into libc and doing locking and fork/errno handling via callbacks that libpthread registers when it first initializes. 'errno' *must* be declared via <errno.h> now!
Clean up libpthread's symbol exports like libc.
On powerpc, offset the TIB/TCB/TLS data from the register per the ELF spec.
Testing by various, particularly sthen@ and patrick@ ok kettenis@
|
#
1.74 |
|
20-Mar-2016 |
guenther |
Export environ and __progname, making the latter a copy of just the filename portion like crt0 does. This is prep for eliminating _dl_fixup_user_env() Mark almost everything in resolve.h as hidden, to improve code generation.
ok kettenis@ mpi@ "good time" deraadt@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.73 |
|
22-Dec-2015 |
mmcc |
assign pointers to NULL rather than 0
|
#
1.72 |
|
06-Nov-2015 |
guenther |
Fix unloading of load groups when the last reference wasn't on the load_object but rather some descendent. Detect that case in _dl_unload_shlib() and switch to unloading the entire group.
Based on partial analyses by Henri Kemppainen (duclare (at) guu.fi) and Peter Hajdu (peter.ferenc.hajdu (at) gmail.com) ok millert@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.71 |
|
16-Jan-2015 |
deraadt |
<sys/param.h> to <limits.h> conversion. Verified binaries ok millert, thanks to doug for process advice
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.70 |
|
10-Jul-2014 |
otto |
check all memory allocations; ok miod@ guenther@
|
#
1.69 |
|
09-Jul-2014 |
guenther |
Use O_CLOEXEC to make sure fork+exec in a threaded process can't see the fds used by dlopen()
ok otto@ miod@
|
#
1.68 |
|
21-Jun-2014 |
otto |
Move to a non-zeroing _dl_malloc, a _dl_calloc and _dl_reallocarry and fix _dl_strdup to return NULL instead of crash; ok deraadt@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.67 |
|
20-Aug-2012 |
matthew |
Add support for .openbsd.randomdata sections and PT_OPENBSD_RANDOMIZE segments to the kernel, ld (2.15), and ld.so. Tested on alpha, amd64, i386, macppc, and sparc64 (thanks naddy, mpi, and okan!).
Idea discussed for some time; committing now for further testing. ok deraadt
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.66 |
|
12-Jun-2012 |
matthew |
Fix loaded object sod matching: when we load libfoo.so.X.Y into memory, we should be able to match other requests for libfoo.so.X.Z against that same object.
ok kurt, kettenis
|
#
1.65 |
|
08-May-2012 |
jsing |
Refuse to load ELF objects that contain a PT_TLS program header. Otherwise the binary assumes that the requested TLS storage has been allocated and will happily use it, resulting in unwanted memory corruption.
ok guenther@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.64 |
|
09-Jan-2012 |
ariane |
Don't mmap 0 byte areas, treat them as a noop instead.
ok miod@
|
#
1.63 |
|
28-Nov-2011 |
guenther |
Add support for getting some flags from DT_FLAGS_1: new flags DF_1_NODELETE and DF_1_INITFIRST, as well as DF_1_NOW and DF_1_GLOBAL.
Committing for kurt@ who worked out the final version; ok guenther@ drahn@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.62 |
|
10-May-2011 |
otto |
Fix previous. On i386, library.c isn't compiled
|
#
1.61 |
|
09-May-2011 |
otto |
Outsmart gcc4 on mips* by moving the declaration of _dl_debug_state outside the file the call is in. Since the function is empty, gcc optmizes the call away, breaking the gdb hook needed to resolve symbols in lazy bound shared libs. Analysis by kettenis@; ok miod@ kettenis@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.60 |
|
16-Nov-2010 |
drahn |
Fix error message when ld.so ends up loading a different than expected library, but other library needs the one loaded. mostly ok kurt@
|
#
1.59 |
|
25-Oct-2010 |
kurt |
Search loaded libs first and add support for SONAME matching. ok drahn@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.58 |
|
02-Oct-2008 |
kurt |
Fix mmap() error checking to be correct 64-bit addresses. Consistently use _dl_mmap_error() to check for mmap() errors. Adjust datatypes of some local vars for 64-bit safety.
okay millert@ drahn@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.57 |
|
05-May-2008 |
kurt |
Constantly fill in the program header pointer and count in elf_object_t for all objects which simplifies phdr usage in a few places. "go for it" drahn@
|
#
1.56 |
|
09-Apr-2008 |
kurt |
Improve support for shared libs linked at non-zero addreses: - rename private values in struct elf_object to better describe their meaning: s/load_offs/obj_base/ "object's address '0' base" s/load_addr/load_base/ "The base address of the loadable segments" - gdb needs the obj_base value so swap positions with load_base in struct elf_object - fix a few occurrences of where load_base was used instead of obj_base.
With help and okay drahn@
|
#
1.55 |
|
02-Apr-2008 |
drahn |
Use the proper define for this address, not a incorrect (on 64bit) define. ok kurt@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE
|
#
1.54 |
|
08-May-2006 |
deraadt |
de-space
|
#
1.53 |
|
03-May-2006 |
drahn |
prebind - how to prelink a binary without throwing security out the window
Prelink fixes the address of libraries making 'return to libc' attacks trival, prebind uses a different method to achieve most of the same gains, however without adding any security conerns.
Still under development, now in-tree.
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.52 |
|
09-Nov-2005 |
kurt |
add RTLD_NOW support to dlopen and propogate -z now to dep libs. ok drahn@
|
#
1.51 |
|
12-Oct-2005 |
kurt |
add missing grpref unload propogation (sync with library_mquery)
|
#
1.50 |
|
12-Oct-2005 |
kurt |
Split grpsym_list creation away from child_list creation and change grpsym_list order to match Sun's docs. Also corrects bugs where grpsym_list was either not created or partially created.
|
#
1.49 |
|
09-Oct-2005 |
kurt |
introduce object ref count macros (suggested by dale). no functional change.
|
#
1.48 |
|
06-Oct-2005 |
kurt |
separate load group references from dep lib child/dload lists. move load group refs to own per object ref counter (grprefcount) and list (grpref_list). corrects more complex load group ref cases and side effects from initial implementation. design ideas and ok drahn@
|
#
1.47 |
|
03-Oct-2005 |
kurt |
refcount corrections: count common dep libs once and centralize dep lib refcount increments to _dl_link_sub. adjust _dl_notify_unload_shlib to match new refcount method. ok drahn@
|
#
1.46 |
|
01-Oct-2005 |
drahn |
handle references to load groups caused by dlopen()ing of depenant members of the load group. work by kurt@ and myself
|
#
1.45 |
|
28-Sep-2005 |
drahn |
correct last commit, in both files.
|
#
1.44 |
|
28-Sep-2005 |
drahn |
keep a state flag if a library has been unloaded, and then free the list seperately ok kurt@
|
#
1.43 |
|
27-Sep-2005 |
kurt |
increment refcount when opening a lib that is already open (dev/inode case) ok drahn@
|
#
1.42 |
|
26-Sep-2005 |
drahn |
Fully unload dependant libraries, fixes gphoto2 bug.
|
#
1.41 |
|
16-Sep-2005 |
drahn |
Rework symbol lookup to more closely match sun's documentation, now treats dlopens as load groups. ok kurt@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.40 |
|
23-May-2005 |
drahn |
fixes for dlclose, ok kettenis@
|
#
1.39 |
|
10-May-2005 |
drahn |
Recommit the destructor order fix, now that the amd64 bug was fixed. 'no problem' pval@
|
#
1.38 |
|
06-Apr-2005 |
deraadt |
backout -- breaks at least amd64; spotted by marc
|
#
1.37 |
|
05-Apr-2005 |
drahn |
Do a better job of running destructors in the right order.
|
#
1.36 |
|
23-Mar-2005 |
drahn |
Code reorganization, move copied code in library.c and library_mquery.c into its own file. no functional change.
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.35 |
|
17-Oct-2004 |
drahn |
Fix some problems related to LD_LIBRARY_PATH parsing where it would not correctly deal with current directory searches specified by "::", ":foo" or "foo:"
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.34 |
|
05-Jul-2004 |
kjell |
Fix an issue where a shared library could be loaded at two different locations by resolving all dlopens back to a dev/inode.
i.e. Don't load a library if the dev/inode it stats back to matches one already in our list.
fix started (and ok'ed) drahn@. ok deraadt@. "doesn't break anything yet" pval@ art@ brad@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
|
#
1.33 |
|
02-Sep-2003 |
drahn |
Fix PR 3371, symbol lookup in dlopen()ed objects is not correct. Correct behavior for RTLD_GLOBAL/RTLD_LOCAL is now supported. ok espie@
|
#
1.32 |
|
18-Jul-2003 |
drahn |
Fix print if minor of library used is is less than requested. ok tdeval@
|
#
1.31 |
|
06-Jul-2003 |
deraadt |
various proto, ansi, and knf repair. tested on all architectures that use it. (build may require make cleandir because of .depend balony)
|
#
1.30 |
|
02-Jul-2003 |
niklas |
Correct library search algorithm, wrt versioned objects
|
#
1.29 |
|
22-Jun-2003 |
drahn |
Dynamic linking random order fixes. This enables random library ordering. Tested by naddy@ and others.
|
#
1.28 |
|
09-Jun-2003 |
deraadt |
pefo 3/4 licence cleanups
|
#
1.27 |
|
30-May-2003 |
drahn |
When loading a shared object or libraries dependant object, load them in random order. This will reduce the possiblity of a buffer overflow being able to predict the addresss of useful code. Can be disabled with the LD_NORANDOM environment variable for debugging purposes. ok deraadt.
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.26 |
|
02-Feb-2003 |
deraadt |
knf & ansi; drahn ok
|
#
1.25 |
|
30-Jan-2003 |
drahn |
Change the constructor execution order to initialize dependant libraries first. This mirrors the commit espie put in a.out ld.so recently.
|
#
1.24 |
|
13-Dec-2002 |
drahn |
Compare to ELFMAG byte by byte rather than using full fledged function. Also avoids a gas problem for the moment.
|
#
1.23 |
|
17-Nov-2002 |
drahn |
Terminate printed strings with newlines.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.22 |
|
08-Aug-2002 |
art |
There was a possible off-by-one in ld.so when loading shared libraries. In some (rare?) cases, where the bss was too small and fit entirely into the leftovers of the data segment we could map one extra page. This is slightly dangerous on PMAP_PREFER machines where mmaps allocations do not happen linearly in the virtual space and we could end up overwriting mappings that are already in use.
This also changes the initial allocation from being a MAP_ANON to a MAP_FILE so that we can pass the fd as a PMAP_PREFER hint.
|
#
1.21 |
|
24-Jul-2002 |
deraadt |
ok i found it
|
#
1.20 |
|
24-Jul-2002 |
deraadt |
back out broken stuff until it is fixed
|
#
1.19 |
|
24-Jul-2002 |
deraadt |
spacing
|
#
1.18 |
|
24-Jul-2002 |
deraadt |
cope with _dl_mmap() returning void *
|
#
1.17 |
|
23-Jul-2002 |
mickey |
match _dl_ syscall prototypes w/ the real syscalls prototypes, including args and return values; art@ ok
|
#
1.16 |
|
12-Jul-2002 |
drahn |
Change ld.so search order/method to match the a.out ld.so.
run destructors on dlclose()
Move more symbols into _dl_ private space, so that the proper (libc) version of the function will be used.
Add readdir() functionality to perform the proper library searching.
Support DL_PRELOAD
Do not relocate symbols if ld.so is being traced (and will exit).
Misc lint cleanup.
ok art@
|
#
1.15 |
|
05-Jun-2002 |
art |
Get rid of an unnecessary typedef (for future cleanup).
|
#
1.14 |
|
28-May-2002 |
deraadt |
more KNF
|
#
1.13 |
|
24-May-2002 |
drahn |
Change _dl_strcpy() to _dl_strlcpy(), implementation taken from libc.
|
#
1.12 |
|
24-May-2002 |
deraadt |
more KNF
|
#
1.11 |
|
24-May-2002 |
deraadt |
various KNF
|
Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE
|
#
1.10 |
|
22-Sep-2001 |
drahn |
Do not check for ':' twice, otherwise the rpath loses the first character after the : in the list of paths.
|
#
1.9 |
|
21-Aug-2001 |
drahn |
Fix up comment to indicate order that libraries in which the libraries are actually searched.
|
#
1.8 |
|
06-Aug-2001 |
drahn |
Change the priority of LD_LIBRARY_PATH, -rpath, and ldconfig path in ELF ld.so to match the behavior in a.out ld.so. The given order is the new order, previously ldconfig had highest priority, which made it impossible to override.
|
#
1.7 |
|
31-May-2001 |
art |
random indentation fixes (needs much more work).
|
#
1.6 |
|
11-May-2001 |
art |
MAP_COPY -> MAP_PRIVATE
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.5 |
|
02-Apr-2001 |
drahn |
Cleanup for 64bit support. Pieces by art, niklas and me. Only tested on powerpc.
|
#
1.4 |
|
30-Mar-2001 |
drahn |
Add infrastructure to allow mapping of text sections which are normally RO, RW while ld.so is working. And then the information to set the sections back to RO (or appropriate mode).
PowerPC now supports the typical NON-PIC relocations in ld.so. I do not know how well this will work with large shared libraries. I seem to recall a possible problem with large data where data is located in a different shared library.
|
#
1.3 |
|
16-Feb-2001 |
drahn |
Now that powerpc is using UVM, this shared library hack is no longer necessary.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.2 |
|
06-Oct-2000 |
rahnds |
Work around a shared library/pmap bug on the powerpc arch. Somehow it seems that the instruction cache will not get properly initialized or a problem exists with mmaping code and being able to execute it. This workaround is excessive in that it flushes the cache for the entire mmaped library. This slows down program startup, but seems to eliminate the problem.
|
#
1.1 |
|
13-Jun-2000 |
rahnds |
branches: 1.1.1; Initial revision
|
#
1.91 |
|
12-Jul-2023 |
jasper |
validate alignment of ELF program headers
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.90 |
|
29-Jan-2023 |
gnezdo |
Accumulate intermediate imutables locally before applying
OK deraadt
|
#
1.89 |
|
04-Dec-2022 |
deraadt |
The next step for mimmutable(). ld.so figures out what regions of memory of startup shared library mappings can be made immutable, and also does this for dlope() RTLD_NODELETE and subsidiary libraries. Complexity in this diff is due to the GNU_RELRO and OPENBSD_MUTABLE sections. Tested in snaps for about 3 weeks, with some bootstrap related pain felt in ports ok kettenis, much help from others.
|
#
1.88 |
|
07-Nov-2022 |
deraadt |
dtors were broken by trying to reuse DF_1_NODELETE to hint that this library would never unload, and could be immutable. Pass a seperate flag for our purposes Noticed from regress tests by anton, ok kettenis
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.87 |
|
20-Aug-2022 |
sthen |
Support RTLD_NOLOAD in ld.so. From guenther@. OK jca@ guenther@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.86 |
|
08-Jan-2022 |
guenther |
Prep .c files for removing the #includes from */archdep.h * replace #include "archdep.h" with #includes of what is used, pulling in "syscall.h", "util.h", and "archdep.h" as needed * delete #include <sys/syscall.h> from syscall.h * only pull in <sys/stat.h> to the three files that use _dl_fstat(), forward declare struct stat in syscall.h for the others * NBBY is for <sys/select.h> macros; just use '8' in dl_printf.c * <machine/vmparam.h> is only needed on i386; conditionalize it * stop using __LDPGSZ: use _MAX_PAGE_SHIFT (already used by malloc.c) where necessary * delete other bogus #includes, order legit per style: <sys/*> then <*/*>, then <*>, then "*"
dir.c improvement from jsg@ ok and testing assistance deraadt@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.85 |
|
09-Dec-2019 |
deraadt |
print addresses upon msyscall failure, for now
|
#
1.84 |
|
29-Nov-2019 |
deraadt |
Repurpose the "syscalls must be on a writeable page" mechanism to enforce a new policy: system calls must be in pre-registered regions. We have discussed more strict checks than this, but none satisfy the cost/benefit based upon our understanding of attack methods, anyways let's see what the next iteration looks like.
This is intended to harden (translation: attackers must put extra effort into attacking) against a mixture of W^X failures and JIT bugs which allow syscall misinterpretation, especially in environments with polymorphic-instruction/variable-sized instructions. It fits in a bit with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash behaviour, particularily for remote problems. Less effective once on-host since someone the libraries can be read.
For static-executables the kernel registers the main program's PIE-mapped exec section valid, as well as the randomly-placed sigtramp page. For dynamic executables ELF ld.so's exec segment is also labelled valid; ld.so then has enough information to register libc's exec section as valid via call-once msyscall(2)
For dynamic binaries, we continue to to permit the main program exec segment because "go" (and potentially a few other applications) have embedded system calls in the main program. Hopefully at least go gets fixed soon.
We declare the concept of embedded syscalls a bad idea for numerous reasons, as we notice the ecosystem has many of static-syscall-in-base-binary which are dynamically linked against libraries which in turn use libc, which contains another set of syscall stubs. We've been concerned about adding even one additional syscall entry point... but go's approach tends to double the entry-point attack surface.
This was started at a nano-hackathon in Bob Beck's basement 2 weeks ago during a long discussion with mortimer trying to hide from the SSL scream-conversations, and finished in more comfortable circumstances next to a wood-stove at Elk Lakes cabin with UVM scream-conversations.
ok guenther kettenis mortimer, lots of feedback from others conversations about go with jsing tb sthen
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.83 |
|
04-Oct-2019 |
guenther |
Convert the child_list member from a linked list to a vector.
ok mpi@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.82 |
|
08-Dec-2017 |
deraadt |
Everyone knows this as ld.so, nor by the ancient name rtld. ok guenther
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.81 |
|
08-Feb-2017 |
guenther |
Provide size-generic ELF_NO_ADDR in <sys/exec_elf.h> and use that instead of ELFDEFNNAME(NO_ADDR)
ok jca@
|
#
1.80 |
|
24-Jan-2017 |
guenther |
On fatal errors, kill ourselves with thrkill(0,9,NULL) instead of simply exiting, via helper functions _dl_die(), _dl_diedie(), and _dl_oom().
prompted by a complaint from jsing@ ok jsing@ deraadt@
|
#
1.79 |
|
12-Aug-2016 |
deraadt |
the slimmed down random functions inside ld.so are strict clones of the libc arc4random API, so call them _dl_{arc4random,arcrandombuf} ok tedu guenther
|
#
1.78 |
|
08-Aug-2016 |
guenther |
Look for a PT_GNU_RELRO section per object and, if present, mprotect that range instead of the [__got_start, __got_end) range. On many archs this will cover _DYNAMIC too, so move up the DT_DEBUG handling to before relocations and the mprotect are done.
ok kettenis@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.77 |
|
04-Jul-2016 |
guenther |
Remove prebind support: binding to symbol table indices is too fragile for our development process.
ok kettenis@ deraadt@
|
#
1.76 |
|
08-Jun-2016 |
kettenis |
Some ELF ABIs still require a PLT that is both writable and executable. To avoid W^X violations, initially map such segments as writable and non-executable, and change the mapping to non-writable and executable after initial relocation processing. As a side-benefit this means we no longer depend on the __plt_start and __plt_end to make the PLT read-only after relocation processing.
This will break binaries linked with ld -Z, most notably emacs, on some of our architectures.
ok deraadt@, guenther@
|
#
1.75 |
|
07-May-2016 |
guenther |
Use a Thread Information Block in both single and multi-threaded programs. This stores errno, the cancelation flags, and related bits for each thread and is allocated by ld.so or libc.a. This is an ABI break from 5.9-stable!
Make libpthread dlopen'able by moving the cancelation wrappers into libc and doing locking and fork/errno handling via callbacks that libpthread registers when it first initializes. 'errno' *must* be declared via <errno.h> now!
Clean up libpthread's symbol exports like libc.
On powerpc, offset the TIB/TCB/TLS data from the register per the ELF spec.
Testing by various, particularly sthen@ and patrick@ ok kettenis@
|
#
1.74 |
|
20-Mar-2016 |
guenther |
Export environ and __progname, making the latter a copy of just the filename portion like crt0 does. This is prep for eliminating _dl_fixup_user_env() Mark almost everything in resolve.h as hidden, to improve code generation.
ok kettenis@ mpi@ "good time" deraadt@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.73 |
|
22-Dec-2015 |
mmcc |
assign pointers to NULL rather than 0
|
#
1.72 |
|
06-Nov-2015 |
guenther |
Fix unloading of load groups when the last reference wasn't on the load_object but rather some descendent. Detect that case in _dl_unload_shlib() and switch to unloading the entire group.
Based on partial analyses by Henri Kemppainen (duclare (at) guu.fi) and Peter Hajdu (peter.ferenc.hajdu (at) gmail.com) ok millert@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.71 |
|
16-Jan-2015 |
deraadt |
<sys/param.h> to <limits.h> conversion. Verified binaries ok millert, thanks to doug for process advice
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.70 |
|
10-Jul-2014 |
otto |
check all memory allocations; ok miod@ guenther@
|
#
1.69 |
|
09-Jul-2014 |
guenther |
Use O_CLOEXEC to make sure fork+exec in a threaded process can't see the fds used by dlopen()
ok otto@ miod@
|
#
1.68 |
|
21-Jun-2014 |
otto |
Move to a non-zeroing _dl_malloc, a _dl_calloc and _dl_reallocarry and fix _dl_strdup to return NULL instead of crash; ok deraadt@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.67 |
|
20-Aug-2012 |
matthew |
Add support for .openbsd.randomdata sections and PT_OPENBSD_RANDOMIZE segments to the kernel, ld (2.15), and ld.so. Tested on alpha, amd64, i386, macppc, and sparc64 (thanks naddy, mpi, and okan!).
Idea discussed for some time; committing now for further testing. ok deraadt
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.66 |
|
12-Jun-2012 |
matthew |
Fix loaded object sod matching: when we load libfoo.so.X.Y into memory, we should be able to match other requests for libfoo.so.X.Z against that same object.
ok kurt, kettenis
|
#
1.65 |
|
08-May-2012 |
jsing |
Refuse to load ELF objects that contain a PT_TLS program header. Otherwise the binary assumes that the requested TLS storage has been allocated and will happily use it, resulting in unwanted memory corruption.
ok guenther@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.64 |
|
09-Jan-2012 |
ariane |
Don't mmap 0 byte areas, treat them as a noop instead.
ok miod@
|
#
1.63 |
|
28-Nov-2011 |
guenther |
Add support for getting some flags from DT_FLAGS_1: new flags DF_1_NODELETE and DF_1_INITFIRST, as well as DF_1_NOW and DF_1_GLOBAL.
Committing for kurt@ who worked out the final version; ok guenther@ drahn@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.62 |
|
10-May-2011 |
otto |
Fix previous. On i386, library.c isn't compiled
|
#
1.61 |
|
09-May-2011 |
otto |
Outsmart gcc4 on mips* by moving the declaration of _dl_debug_state outside the file the call is in. Since the function is empty, gcc optmizes the call away, breaking the gdb hook needed to resolve symbols in lazy bound shared libs. Analysis by kettenis@; ok miod@ kettenis@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.60 |
|
16-Nov-2010 |
drahn |
Fix error message when ld.so ends up loading a different than expected library, but other library needs the one loaded. mostly ok kurt@
|
#
1.59 |
|
25-Oct-2010 |
kurt |
Search loaded libs first and add support for SONAME matching. ok drahn@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.58 |
|
02-Oct-2008 |
kurt |
Fix mmap() error checking to be correct 64-bit addresses. Consistently use _dl_mmap_error() to check for mmap() errors. Adjust datatypes of some local vars for 64-bit safety.
okay millert@ drahn@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.57 |
|
05-May-2008 |
kurt |
Constantly fill in the program header pointer and count in elf_object_t for all objects which simplifies phdr usage in a few places. "go for it" drahn@
|
#
1.56 |
|
09-Apr-2008 |
kurt |
Improve support for shared libs linked at non-zero addreses: - rename private values in struct elf_object to better describe their meaning: s/load_offs/obj_base/ "object's address '0' base" s/load_addr/load_base/ "The base address of the loadable segments" - gdb needs the obj_base value so swap positions with load_base in struct elf_object - fix a few occurrences of where load_base was used instead of obj_base.
With help and okay drahn@
|
#
1.55 |
|
02-Apr-2008 |
drahn |
Use the proper define for this address, not a incorrect (on 64bit) define. ok kurt@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE
|
#
1.54 |
|
08-May-2006 |
deraadt |
de-space
|
#
1.53 |
|
03-May-2006 |
drahn |
prebind - how to prelink a binary without throwing security out the window
Prelink fixes the address of libraries making 'return to libc' attacks trival, prebind uses a different method to achieve most of the same gains, however without adding any security conerns.
Still under development, now in-tree.
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.52 |
|
09-Nov-2005 |
kurt |
add RTLD_NOW support to dlopen and propogate -z now to dep libs. ok drahn@
|
#
1.51 |
|
12-Oct-2005 |
kurt |
add missing grpref unload propogation (sync with library_mquery)
|
#
1.50 |
|
12-Oct-2005 |
kurt |
Split grpsym_list creation away from child_list creation and change grpsym_list order to match Sun's docs. Also corrects bugs where grpsym_list was either not created or partially created.
|
#
1.49 |
|
09-Oct-2005 |
kurt |
introduce object ref count macros (suggested by dale). no functional change.
|
#
1.48 |
|
06-Oct-2005 |
kurt |
separate load group references from dep lib child/dload lists. move load group refs to own per object ref counter (grprefcount) and list (grpref_list). corrects more complex load group ref cases and side effects from initial implementation. design ideas and ok drahn@
|
#
1.47 |
|
03-Oct-2005 |
kurt |
refcount corrections: count common dep libs once and centralize dep lib refcount increments to _dl_link_sub. adjust _dl_notify_unload_shlib to match new refcount method. ok drahn@
|
#
1.46 |
|
01-Oct-2005 |
drahn |
handle references to load groups caused by dlopen()ing of depenant members of the load group. work by kurt@ and myself
|
#
1.45 |
|
28-Sep-2005 |
drahn |
correct last commit, in both files.
|
#
1.44 |
|
28-Sep-2005 |
drahn |
keep a state flag if a library has been unloaded, and then free the list seperately ok kurt@
|
#
1.43 |
|
27-Sep-2005 |
kurt |
increment refcount when opening a lib that is already open (dev/inode case) ok drahn@
|
#
1.42 |
|
26-Sep-2005 |
drahn |
Fully unload dependant libraries, fixes gphoto2 bug.
|
#
1.41 |
|
16-Sep-2005 |
drahn |
Rework symbol lookup to more closely match sun's documentation, now treats dlopens as load groups. ok kurt@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.40 |
|
23-May-2005 |
drahn |
fixes for dlclose, ok kettenis@
|
#
1.39 |
|
10-May-2005 |
drahn |
Recommit the destructor order fix, now that the amd64 bug was fixed. 'no problem' pval@
|
#
1.38 |
|
06-Apr-2005 |
deraadt |
backout -- breaks at least amd64; spotted by marc
|
#
1.37 |
|
05-Apr-2005 |
drahn |
Do a better job of running destructors in the right order.
|
#
1.36 |
|
23-Mar-2005 |
drahn |
Code reorganization, move copied code in library.c and library_mquery.c into its own file. no functional change.
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.35 |
|
17-Oct-2004 |
drahn |
Fix some problems related to LD_LIBRARY_PATH parsing where it would not correctly deal with current directory searches specified by "::", ":foo" or "foo:"
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.34 |
|
05-Jul-2004 |
kjell |
Fix an issue where a shared library could be loaded at two different locations by resolving all dlopens back to a dev/inode.
i.e. Don't load a library if the dev/inode it stats back to matches one already in our list.
fix started (and ok'ed) drahn@. ok deraadt@. "doesn't break anything yet" pval@ art@ brad@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
|
#
1.33 |
|
02-Sep-2003 |
drahn |
Fix PR 3371, symbol lookup in dlopen()ed objects is not correct. Correct behavior for RTLD_GLOBAL/RTLD_LOCAL is now supported. ok espie@
|
#
1.32 |
|
18-Jul-2003 |
drahn |
Fix print if minor of library used is is less than requested. ok tdeval@
|
#
1.31 |
|
06-Jul-2003 |
deraadt |
various proto, ansi, and knf repair. tested on all architectures that use it. (build may require make cleandir because of .depend balony)
|
#
1.30 |
|
02-Jul-2003 |
niklas |
Correct library search algorithm, wrt versioned objects
|
#
1.29 |
|
22-Jun-2003 |
drahn |
Dynamic linking random order fixes. This enables random library ordering. Tested by naddy@ and others.
|
#
1.28 |
|
09-Jun-2003 |
deraadt |
pefo 3/4 licence cleanups
|
#
1.27 |
|
30-May-2003 |
drahn |
When loading a shared object or libraries dependant object, load them in random order. This will reduce the possiblity of a buffer overflow being able to predict the addresss of useful code. Can be disabled with the LD_NORANDOM environment variable for debugging purposes. ok deraadt.
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.26 |
|
02-Feb-2003 |
deraadt |
knf & ansi; drahn ok
|
#
1.25 |
|
30-Jan-2003 |
drahn |
Change the constructor execution order to initialize dependant libraries first. This mirrors the commit espie put in a.out ld.so recently.
|
#
1.24 |
|
13-Dec-2002 |
drahn |
Compare to ELFMAG byte by byte rather than using full fledged function. Also avoids a gas problem for the moment.
|
#
1.23 |
|
17-Nov-2002 |
drahn |
Terminate printed strings with newlines.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.22 |
|
08-Aug-2002 |
art |
There was a possible off-by-one in ld.so when loading shared libraries. In some (rare?) cases, where the bss was too small and fit entirely into the leftovers of the data segment we could map one extra page. This is slightly dangerous on PMAP_PREFER machines where mmaps allocations do not happen linearly in the virtual space and we could end up overwriting mappings that are already in use.
This also changes the initial allocation from being a MAP_ANON to a MAP_FILE so that we can pass the fd as a PMAP_PREFER hint.
|
#
1.21 |
|
24-Jul-2002 |
deraadt |
ok i found it
|
#
1.20 |
|
24-Jul-2002 |
deraadt |
back out broken stuff until it is fixed
|
#
1.19 |
|
24-Jul-2002 |
deraadt |
spacing
|
#
1.18 |
|
24-Jul-2002 |
deraadt |
cope with _dl_mmap() returning void *
|
#
1.17 |
|
23-Jul-2002 |
mickey |
match _dl_ syscall prototypes w/ the real syscalls prototypes, including args and return values; art@ ok
|
#
1.16 |
|
12-Jul-2002 |
drahn |
Change ld.so search order/method to match the a.out ld.so.
run destructors on dlclose()
Move more symbols into _dl_ private space, so that the proper (libc) version of the function will be used.
Add readdir() functionality to perform the proper library searching.
Support DL_PRELOAD
Do not relocate symbols if ld.so is being traced (and will exit).
Misc lint cleanup.
ok art@
|
#
1.15 |
|
05-Jun-2002 |
art |
Get rid of an unnecessary typedef (for future cleanup).
|
#
1.14 |
|
28-May-2002 |
deraadt |
more KNF
|
#
1.13 |
|
24-May-2002 |
drahn |
Change _dl_strcpy() to _dl_strlcpy(), implementation taken from libc.
|
#
1.12 |
|
24-May-2002 |
deraadt |
more KNF
|
#
1.11 |
|
24-May-2002 |
deraadt |
various KNF
|
Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE
|
#
1.10 |
|
22-Sep-2001 |
drahn |
Do not check for ':' twice, otherwise the rpath loses the first character after the : in the list of paths.
|
#
1.9 |
|
21-Aug-2001 |
drahn |
Fix up comment to indicate order that libraries in which the libraries are actually searched.
|
#
1.8 |
|
06-Aug-2001 |
drahn |
Change the priority of LD_LIBRARY_PATH, -rpath, and ldconfig path in ELF ld.so to match the behavior in a.out ld.so. The given order is the new order, previously ldconfig had highest priority, which made it impossible to override.
|
#
1.7 |
|
31-May-2001 |
art |
random indentation fixes (needs much more work).
|
#
1.6 |
|
11-May-2001 |
art |
MAP_COPY -> MAP_PRIVATE
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.5 |
|
02-Apr-2001 |
drahn |
Cleanup for 64bit support. Pieces by art, niklas and me. Only tested on powerpc.
|
#
1.4 |
|
30-Mar-2001 |
drahn |
Add infrastructure to allow mapping of text sections which are normally RO, RW while ld.so is working. And then the information to set the sections back to RO (or appropriate mode).
PowerPC now supports the typical NON-PIC relocations in ld.so. I do not know how well this will work with large shared libraries. I seem to recall a possible problem with large data where data is located in a different shared library.
|
#
1.3 |
|
16-Feb-2001 |
drahn |
Now that powerpc is using UVM, this shared library hack is no longer necessary.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.2 |
|
06-Oct-2000 |
rahnds |
Work around a shared library/pmap bug on the powerpc arch. Somehow it seems that the instruction cache will not get properly initialized or a problem exists with mmaping code and being able to execute it. This workaround is excessive in that it flushes the cache for the entire mmaped library. This slows down program startup, but seems to eliminate the problem.
|
#
1.1 |
|
13-Jun-2000 |
rahnds |
branches: 1.1.1; Initial revision
|
#
1.90 |
|
29-Jan-2023 |
gnezdo |
Accumulate intermediate imutables locally before applying
OK deraadt
|
#
1.89 |
|
04-Dec-2022 |
deraadt |
The next step for mimmutable(). ld.so figures out what regions of memory of startup shared library mappings can be made immutable, and also does this for dlope() RTLD_NODELETE and subsidiary libraries. Complexity in this diff is due to the GNU_RELRO and OPENBSD_MUTABLE sections. Tested in snaps for about 3 weeks, with some bootstrap related pain felt in ports ok kettenis, much help from others.
|
#
1.88 |
|
07-Nov-2022 |
deraadt |
dtors were broken by trying to reuse DF_1_NODELETE to hint that this library would never unload, and could be immutable. Pass a seperate flag for our purposes Noticed from regress tests by anton, ok kettenis
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.87 |
|
20-Aug-2022 |
sthen |
Support RTLD_NOLOAD in ld.so. From guenther@. OK jca@ guenther@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.86 |
|
08-Jan-2022 |
guenther |
Prep .c files for removing the #includes from */archdep.h * replace #include "archdep.h" with #includes of what is used, pulling in "syscall.h", "util.h", and "archdep.h" as needed * delete #include <sys/syscall.h> from syscall.h * only pull in <sys/stat.h> to the three files that use _dl_fstat(), forward declare struct stat in syscall.h for the others * NBBY is for <sys/select.h> macros; just use '8' in dl_printf.c * <machine/vmparam.h> is only needed on i386; conditionalize it * stop using __LDPGSZ: use _MAX_PAGE_SHIFT (already used by malloc.c) where necessary * delete other bogus #includes, order legit per style: <sys/*> then <*/*>, then <*>, then "*"
dir.c improvement from jsg@ ok and testing assistance deraadt@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.85 |
|
09-Dec-2019 |
deraadt |
print addresses upon msyscall failure, for now
|
#
1.84 |
|
29-Nov-2019 |
deraadt |
Repurpose the "syscalls must be on a writeable page" mechanism to enforce a new policy: system calls must be in pre-registered regions. We have discussed more strict checks than this, but none satisfy the cost/benefit based upon our understanding of attack methods, anyways let's see what the next iteration looks like.
This is intended to harden (translation: attackers must put extra effort into attacking) against a mixture of W^X failures and JIT bugs which allow syscall misinterpretation, especially in environments with polymorphic-instruction/variable-sized instructions. It fits in a bit with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash behaviour, particularily for remote problems. Less effective once on-host since someone the libraries can be read.
For static-executables the kernel registers the main program's PIE-mapped exec section valid, as well as the randomly-placed sigtramp page. For dynamic executables ELF ld.so's exec segment is also labelled valid; ld.so then has enough information to register libc's exec section as valid via call-once msyscall(2)
For dynamic binaries, we continue to to permit the main program exec segment because "go" (and potentially a few other applications) have embedded system calls in the main program. Hopefully at least go gets fixed soon.
We declare the concept of embedded syscalls a bad idea for numerous reasons, as we notice the ecosystem has many of static-syscall-in-base-binary which are dynamically linked against libraries which in turn use libc, which contains another set of syscall stubs. We've been concerned about adding even one additional syscall entry point... but go's approach tends to double the entry-point attack surface.
This was started at a nano-hackathon in Bob Beck's basement 2 weeks ago during a long discussion with mortimer trying to hide from the SSL scream-conversations, and finished in more comfortable circumstances next to a wood-stove at Elk Lakes cabin with UVM scream-conversations.
ok guenther kettenis mortimer, lots of feedback from others conversations about go with jsing tb sthen
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.83 |
|
04-Oct-2019 |
guenther |
Convert the child_list member from a linked list to a vector.
ok mpi@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.82 |
|
08-Dec-2017 |
deraadt |
Everyone knows this as ld.so, nor by the ancient name rtld. ok guenther
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.81 |
|
08-Feb-2017 |
guenther |
Provide size-generic ELF_NO_ADDR in <sys/exec_elf.h> and use that instead of ELFDEFNNAME(NO_ADDR)
ok jca@
|
#
1.80 |
|
24-Jan-2017 |
guenther |
On fatal errors, kill ourselves with thrkill(0,9,NULL) instead of simply exiting, via helper functions _dl_die(), _dl_diedie(), and _dl_oom().
prompted by a complaint from jsing@ ok jsing@ deraadt@
|
#
1.79 |
|
12-Aug-2016 |
deraadt |
the slimmed down random functions inside ld.so are strict clones of the libc arc4random API, so call them _dl_{arc4random,arcrandombuf} ok tedu guenther
|
#
1.78 |
|
08-Aug-2016 |
guenther |
Look for a PT_GNU_RELRO section per object and, if present, mprotect that range instead of the [__got_start, __got_end) range. On many archs this will cover _DYNAMIC too, so move up the DT_DEBUG handling to before relocations and the mprotect are done.
ok kettenis@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.77 |
|
04-Jul-2016 |
guenther |
Remove prebind support: binding to symbol table indices is too fragile for our development process.
ok kettenis@ deraadt@
|
#
1.76 |
|
08-Jun-2016 |
kettenis |
Some ELF ABIs still require a PLT that is both writable and executable. To avoid W^X violations, initially map such segments as writable and non-executable, and change the mapping to non-writable and executable after initial relocation processing. As a side-benefit this means we no longer depend on the __plt_start and __plt_end to make the PLT read-only after relocation processing.
This will break binaries linked with ld -Z, most notably emacs, on some of our architectures.
ok deraadt@, guenther@
|
#
1.75 |
|
07-May-2016 |
guenther |
Use a Thread Information Block in both single and multi-threaded programs. This stores errno, the cancelation flags, and related bits for each thread and is allocated by ld.so or libc.a. This is an ABI break from 5.9-stable!
Make libpthread dlopen'able by moving the cancelation wrappers into libc and doing locking and fork/errno handling via callbacks that libpthread registers when it first initializes. 'errno' *must* be declared via <errno.h> now!
Clean up libpthread's symbol exports like libc.
On powerpc, offset the TIB/TCB/TLS data from the register per the ELF spec.
Testing by various, particularly sthen@ and patrick@ ok kettenis@
|
#
1.74 |
|
20-Mar-2016 |
guenther |
Export environ and __progname, making the latter a copy of just the filename portion like crt0 does. This is prep for eliminating _dl_fixup_user_env() Mark almost everything in resolve.h as hidden, to improve code generation.
ok kettenis@ mpi@ "good time" deraadt@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.73 |
|
22-Dec-2015 |
mmcc |
assign pointers to NULL rather than 0
|
#
1.72 |
|
06-Nov-2015 |
guenther |
Fix unloading of load groups when the last reference wasn't on the load_object but rather some descendent. Detect that case in _dl_unload_shlib() and switch to unloading the entire group.
Based on partial analyses by Henri Kemppainen (duclare (at) guu.fi) and Peter Hajdu (peter.ferenc.hajdu (at) gmail.com) ok millert@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.71 |
|
16-Jan-2015 |
deraadt |
<sys/param.h> to <limits.h> conversion. Verified binaries ok millert, thanks to doug for process advice
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.70 |
|
10-Jul-2014 |
otto |
check all memory allocations; ok miod@ guenther@
|
#
1.69 |
|
09-Jul-2014 |
guenther |
Use O_CLOEXEC to make sure fork+exec in a threaded process can't see the fds used by dlopen()
ok otto@ miod@
|
#
1.68 |
|
21-Jun-2014 |
otto |
Move to a non-zeroing _dl_malloc, a _dl_calloc and _dl_reallocarry and fix _dl_strdup to return NULL instead of crash; ok deraadt@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.67 |
|
20-Aug-2012 |
matthew |
Add support for .openbsd.randomdata sections and PT_OPENBSD_RANDOMIZE segments to the kernel, ld (2.15), and ld.so. Tested on alpha, amd64, i386, macppc, and sparc64 (thanks naddy, mpi, and okan!).
Idea discussed for some time; committing now for further testing. ok deraadt
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.66 |
|
12-Jun-2012 |
matthew |
Fix loaded object sod matching: when we load libfoo.so.X.Y into memory, we should be able to match other requests for libfoo.so.X.Z against that same object.
ok kurt, kettenis
|
#
1.65 |
|
08-May-2012 |
jsing |
Refuse to load ELF objects that contain a PT_TLS program header. Otherwise the binary assumes that the requested TLS storage has been allocated and will happily use it, resulting in unwanted memory corruption.
ok guenther@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.64 |
|
09-Jan-2012 |
ariane |
Don't mmap 0 byte areas, treat them as a noop instead.
ok miod@
|
#
1.63 |
|
28-Nov-2011 |
guenther |
Add support for getting some flags from DT_FLAGS_1: new flags DF_1_NODELETE and DF_1_INITFIRST, as well as DF_1_NOW and DF_1_GLOBAL.
Committing for kurt@ who worked out the final version; ok guenther@ drahn@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.62 |
|
10-May-2011 |
otto |
Fix previous. On i386, library.c isn't compiled
|
#
1.61 |
|
09-May-2011 |
otto |
Outsmart gcc4 on mips* by moving the declaration of _dl_debug_state outside the file the call is in. Since the function is empty, gcc optmizes the call away, breaking the gdb hook needed to resolve symbols in lazy bound shared libs. Analysis by kettenis@; ok miod@ kettenis@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.60 |
|
16-Nov-2010 |
drahn |
Fix error message when ld.so ends up loading a different than expected library, but other library needs the one loaded. mostly ok kurt@
|
#
1.59 |
|
25-Oct-2010 |
kurt |
Search loaded libs first and add support for SONAME matching. ok drahn@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.58 |
|
02-Oct-2008 |
kurt |
Fix mmap() error checking to be correct 64-bit addresses. Consistently use _dl_mmap_error() to check for mmap() errors. Adjust datatypes of some local vars for 64-bit safety.
okay millert@ drahn@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.57 |
|
05-May-2008 |
kurt |
Constantly fill in the program header pointer and count in elf_object_t for all objects which simplifies phdr usage in a few places. "go for it" drahn@
|
#
1.56 |
|
09-Apr-2008 |
kurt |
Improve support for shared libs linked at non-zero addreses: - rename private values in struct elf_object to better describe their meaning: s/load_offs/obj_base/ "object's address '0' base" s/load_addr/load_base/ "The base address of the loadable segments" - gdb needs the obj_base value so swap positions with load_base in struct elf_object - fix a few occurrences of where load_base was used instead of obj_base.
With help and okay drahn@
|
#
1.55 |
|
02-Apr-2008 |
drahn |
Use the proper define for this address, not a incorrect (on 64bit) define. ok kurt@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE
|
#
1.54 |
|
08-May-2006 |
deraadt |
de-space
|
#
1.53 |
|
03-May-2006 |
drahn |
prebind - how to prelink a binary without throwing security out the window
Prelink fixes the address of libraries making 'return to libc' attacks trival, prebind uses a different method to achieve most of the same gains, however without adding any security conerns.
Still under development, now in-tree.
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.52 |
|
09-Nov-2005 |
kurt |
add RTLD_NOW support to dlopen and propogate -z now to dep libs. ok drahn@
|
#
1.51 |
|
12-Oct-2005 |
kurt |
add missing grpref unload propogation (sync with library_mquery)
|
#
1.50 |
|
12-Oct-2005 |
kurt |
Split grpsym_list creation away from child_list creation and change grpsym_list order to match Sun's docs. Also corrects bugs where grpsym_list was either not created or partially created.
|
#
1.49 |
|
09-Oct-2005 |
kurt |
introduce object ref count macros (suggested by dale). no functional change.
|
#
1.48 |
|
06-Oct-2005 |
kurt |
separate load group references from dep lib child/dload lists. move load group refs to own per object ref counter (grprefcount) and list (grpref_list). corrects more complex load group ref cases and side effects from initial implementation. design ideas and ok drahn@
|
#
1.47 |
|
03-Oct-2005 |
kurt |
refcount corrections: count common dep libs once and centralize dep lib refcount increments to _dl_link_sub. adjust _dl_notify_unload_shlib to match new refcount method. ok drahn@
|
#
1.46 |
|
01-Oct-2005 |
drahn |
handle references to load groups caused by dlopen()ing of depenant members of the load group. work by kurt@ and myself
|
#
1.45 |
|
28-Sep-2005 |
drahn |
correct last commit, in both files.
|
#
1.44 |
|
28-Sep-2005 |
drahn |
keep a state flag if a library has been unloaded, and then free the list seperately ok kurt@
|
#
1.43 |
|
27-Sep-2005 |
kurt |
increment refcount when opening a lib that is already open (dev/inode case) ok drahn@
|
#
1.42 |
|
26-Sep-2005 |
drahn |
Fully unload dependant libraries, fixes gphoto2 bug.
|
#
1.41 |
|
16-Sep-2005 |
drahn |
Rework symbol lookup to more closely match sun's documentation, now treats dlopens as load groups. ok kurt@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.40 |
|
23-May-2005 |
drahn |
fixes for dlclose, ok kettenis@
|
#
1.39 |
|
10-May-2005 |
drahn |
Recommit the destructor order fix, now that the amd64 bug was fixed. 'no problem' pval@
|
#
1.38 |
|
06-Apr-2005 |
deraadt |
backout -- breaks at least amd64; spotted by marc
|
#
1.37 |
|
05-Apr-2005 |
drahn |
Do a better job of running destructors in the right order.
|
#
1.36 |
|
23-Mar-2005 |
drahn |
Code reorganization, move copied code in library.c and library_mquery.c into its own file. no functional change.
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.35 |
|
17-Oct-2004 |
drahn |
Fix some problems related to LD_LIBRARY_PATH parsing where it would not correctly deal with current directory searches specified by "::", ":foo" or "foo:"
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.34 |
|
05-Jul-2004 |
kjell |
Fix an issue where a shared library could be loaded at two different locations by resolving all dlopens back to a dev/inode.
i.e. Don't load a library if the dev/inode it stats back to matches one already in our list.
fix started (and ok'ed) drahn@. ok deraadt@. "doesn't break anything yet" pval@ art@ brad@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
|
#
1.33 |
|
02-Sep-2003 |
drahn |
Fix PR 3371, symbol lookup in dlopen()ed objects is not correct. Correct behavior for RTLD_GLOBAL/RTLD_LOCAL is now supported. ok espie@
|
#
1.32 |
|
18-Jul-2003 |
drahn |
Fix print if minor of library used is is less than requested. ok tdeval@
|
#
1.31 |
|
06-Jul-2003 |
deraadt |
various proto, ansi, and knf repair. tested on all architectures that use it. (build may require make cleandir because of .depend balony)
|
#
1.30 |
|
02-Jul-2003 |
niklas |
Correct library search algorithm, wrt versioned objects
|
#
1.29 |
|
22-Jun-2003 |
drahn |
Dynamic linking random order fixes. This enables random library ordering. Tested by naddy@ and others.
|
#
1.28 |
|
09-Jun-2003 |
deraadt |
pefo 3/4 licence cleanups
|
#
1.27 |
|
30-May-2003 |
drahn |
When loading a shared object or libraries dependant object, load them in random order. This will reduce the possiblity of a buffer overflow being able to predict the addresss of useful code. Can be disabled with the LD_NORANDOM environment variable for debugging purposes. ok deraadt.
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.26 |
|
02-Feb-2003 |
deraadt |
knf & ansi; drahn ok
|
#
1.25 |
|
30-Jan-2003 |
drahn |
Change the constructor execution order to initialize dependant libraries first. This mirrors the commit espie put in a.out ld.so recently.
|
#
1.24 |
|
13-Dec-2002 |
drahn |
Compare to ELFMAG byte by byte rather than using full fledged function. Also avoids a gas problem for the moment.
|
#
1.23 |
|
17-Nov-2002 |
drahn |
Terminate printed strings with newlines.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.22 |
|
08-Aug-2002 |
art |
There was a possible off-by-one in ld.so when loading shared libraries. In some (rare?) cases, where the bss was too small and fit entirely into the leftovers of the data segment we could map one extra page. This is slightly dangerous on PMAP_PREFER machines where mmaps allocations do not happen linearly in the virtual space and we could end up overwriting mappings that are already in use.
This also changes the initial allocation from being a MAP_ANON to a MAP_FILE so that we can pass the fd as a PMAP_PREFER hint.
|
#
1.21 |
|
24-Jul-2002 |
deraadt |
ok i found it
|
#
1.20 |
|
24-Jul-2002 |
deraadt |
back out broken stuff until it is fixed
|
#
1.19 |
|
24-Jul-2002 |
deraadt |
spacing
|
#
1.18 |
|
24-Jul-2002 |
deraadt |
cope with _dl_mmap() returning void *
|
#
1.17 |
|
23-Jul-2002 |
mickey |
match _dl_ syscall prototypes w/ the real syscalls prototypes, including args and return values; art@ ok
|
#
1.16 |
|
12-Jul-2002 |
drahn |
Change ld.so search order/method to match the a.out ld.so.
run destructors on dlclose()
Move more symbols into _dl_ private space, so that the proper (libc) version of the function will be used.
Add readdir() functionality to perform the proper library searching.
Support DL_PRELOAD
Do not relocate symbols if ld.so is being traced (and will exit).
Misc lint cleanup.
ok art@
|
#
1.15 |
|
05-Jun-2002 |
art |
Get rid of an unnecessary typedef (for future cleanup).
|
#
1.14 |
|
28-May-2002 |
deraadt |
more KNF
|
#
1.13 |
|
24-May-2002 |
drahn |
Change _dl_strcpy() to _dl_strlcpy(), implementation taken from libc.
|
#
1.12 |
|
24-May-2002 |
deraadt |
more KNF
|
#
1.11 |
|
24-May-2002 |
deraadt |
various KNF
|
Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE
|
#
1.10 |
|
22-Sep-2001 |
drahn |
Do not check for ':' twice, otherwise the rpath loses the first character after the : in the list of paths.
|
#
1.9 |
|
21-Aug-2001 |
drahn |
Fix up comment to indicate order that libraries in which the libraries are actually searched.
|
#
1.8 |
|
06-Aug-2001 |
drahn |
Change the priority of LD_LIBRARY_PATH, -rpath, and ldconfig path in ELF ld.so to match the behavior in a.out ld.so. The given order is the new order, previously ldconfig had highest priority, which made it impossible to override.
|
#
1.7 |
|
31-May-2001 |
art |
random indentation fixes (needs much more work).
|
#
1.6 |
|
11-May-2001 |
art |
MAP_COPY -> MAP_PRIVATE
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.5 |
|
02-Apr-2001 |
drahn |
Cleanup for 64bit support. Pieces by art, niklas and me. Only tested on powerpc.
|
#
1.4 |
|
30-Mar-2001 |
drahn |
Add infrastructure to allow mapping of text sections which are normally RO, RW while ld.so is working. And then the information to set the sections back to RO (or appropriate mode).
PowerPC now supports the typical NON-PIC relocations in ld.so. I do not know how well this will work with large shared libraries. I seem to recall a possible problem with large data where data is located in a different shared library.
|
#
1.3 |
|
16-Feb-2001 |
drahn |
Now that powerpc is using UVM, this shared library hack is no longer necessary.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.2 |
|
06-Oct-2000 |
rahnds |
Work around a shared library/pmap bug on the powerpc arch. Somehow it seems that the instruction cache will not get properly initialized or a problem exists with mmaping code and being able to execute it. This workaround is excessive in that it flushes the cache for the entire mmaped library. This slows down program startup, but seems to eliminate the problem.
|
#
1.1 |
|
13-Jun-2000 |
rahnds |
branches: 1.1.1; Initial revision
|
#
1.89 |
|
04-Dec-2022 |
deraadt |
The next step for mimmutable(). ld.so figures out what regions of memory of startup shared library mappings can be made immutable, and also does this for dlope() RTLD_NODELETE and subsidiary libraries. Complexity in this diff is due to the GNU_RELRO and OPENBSD_MUTABLE sections. Tested in snaps for about 3 weeks, with some bootstrap related pain felt in ports ok kettenis, much help from others.
|
#
1.88 |
|
07-Nov-2022 |
deraadt |
dtors were broken by trying to reuse DF_1_NODELETE to hint that this library would never unload, and could be immutable. Pass a seperate flag for our purposes Noticed from regress tests by anton, ok kettenis
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.87 |
|
20-Aug-2022 |
sthen |
Support RTLD_NOLOAD in ld.so. From guenther@. OK jca@ guenther@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.86 |
|
08-Jan-2022 |
guenther |
Prep .c files for removing the #includes from */archdep.h * replace #include "archdep.h" with #includes of what is used, pulling in "syscall.h", "util.h", and "archdep.h" as needed * delete #include <sys/syscall.h> from syscall.h * only pull in <sys/stat.h> to the three files that use _dl_fstat(), forward declare struct stat in syscall.h for the others * NBBY is for <sys/select.h> macros; just use '8' in dl_printf.c * <machine/vmparam.h> is only needed on i386; conditionalize it * stop using __LDPGSZ: use _MAX_PAGE_SHIFT (already used by malloc.c) where necessary * delete other bogus #includes, order legit per style: <sys/*> then <*/*>, then <*>, then "*"
dir.c improvement from jsg@ ok and testing assistance deraadt@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.85 |
|
09-Dec-2019 |
deraadt |
print addresses upon msyscall failure, for now
|
#
1.84 |
|
29-Nov-2019 |
deraadt |
Repurpose the "syscalls must be on a writeable page" mechanism to enforce a new policy: system calls must be in pre-registered regions. We have discussed more strict checks than this, but none satisfy the cost/benefit based upon our understanding of attack methods, anyways let's see what the next iteration looks like.
This is intended to harden (translation: attackers must put extra effort into attacking) against a mixture of W^X failures and JIT bugs which allow syscall misinterpretation, especially in environments with polymorphic-instruction/variable-sized instructions. It fits in a bit with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash behaviour, particularily for remote problems. Less effective once on-host since someone the libraries can be read.
For static-executables the kernel registers the main program's PIE-mapped exec section valid, as well as the randomly-placed sigtramp page. For dynamic executables ELF ld.so's exec segment is also labelled valid; ld.so then has enough information to register libc's exec section as valid via call-once msyscall(2)
For dynamic binaries, we continue to to permit the main program exec segment because "go" (and potentially a few other applications) have embedded system calls in the main program. Hopefully at least go gets fixed soon.
We declare the concept of embedded syscalls a bad idea for numerous reasons, as we notice the ecosystem has many of static-syscall-in-base-binary which are dynamically linked against libraries which in turn use libc, which contains another set of syscall stubs. We've been concerned about adding even one additional syscall entry point... but go's approach tends to double the entry-point attack surface.
This was started at a nano-hackathon in Bob Beck's basement 2 weeks ago during a long discussion with mortimer trying to hide from the SSL scream-conversations, and finished in more comfortable circumstances next to a wood-stove at Elk Lakes cabin with UVM scream-conversations.
ok guenther kettenis mortimer, lots of feedback from others conversations about go with jsing tb sthen
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.83 |
|
04-Oct-2019 |
guenther |
Convert the child_list member from a linked list to a vector.
ok mpi@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.82 |
|
08-Dec-2017 |
deraadt |
Everyone knows this as ld.so, nor by the ancient name rtld. ok guenther
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.81 |
|
08-Feb-2017 |
guenther |
Provide size-generic ELF_NO_ADDR in <sys/exec_elf.h> and use that instead of ELFDEFNNAME(NO_ADDR)
ok jca@
|
#
1.80 |
|
24-Jan-2017 |
guenther |
On fatal errors, kill ourselves with thrkill(0,9,NULL) instead of simply exiting, via helper functions _dl_die(), _dl_diedie(), and _dl_oom().
prompted by a complaint from jsing@ ok jsing@ deraadt@
|
#
1.79 |
|
12-Aug-2016 |
deraadt |
the slimmed down random functions inside ld.so are strict clones of the libc arc4random API, so call them _dl_{arc4random,arcrandombuf} ok tedu guenther
|
#
1.78 |
|
08-Aug-2016 |
guenther |
Look for a PT_GNU_RELRO section per object and, if present, mprotect that range instead of the [__got_start, __got_end) range. On many archs this will cover _DYNAMIC too, so move up the DT_DEBUG handling to before relocations and the mprotect are done.
ok kettenis@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.77 |
|
04-Jul-2016 |
guenther |
Remove prebind support: binding to symbol table indices is too fragile for our development process.
ok kettenis@ deraadt@
|
#
1.76 |
|
08-Jun-2016 |
kettenis |
Some ELF ABIs still require a PLT that is both writable and executable. To avoid W^X violations, initially map such segments as writable and non-executable, and change the mapping to non-writable and executable after initial relocation processing. As a side-benefit this means we no longer depend on the __plt_start and __plt_end to make the PLT read-only after relocation processing.
This will break binaries linked with ld -Z, most notably emacs, on some of our architectures.
ok deraadt@, guenther@
|
#
1.75 |
|
07-May-2016 |
guenther |
Use a Thread Information Block in both single and multi-threaded programs. This stores errno, the cancelation flags, and related bits for each thread and is allocated by ld.so or libc.a. This is an ABI break from 5.9-stable!
Make libpthread dlopen'able by moving the cancelation wrappers into libc and doing locking and fork/errno handling via callbacks that libpthread registers when it first initializes. 'errno' *must* be declared via <errno.h> now!
Clean up libpthread's symbol exports like libc.
On powerpc, offset the TIB/TCB/TLS data from the register per the ELF spec.
Testing by various, particularly sthen@ and patrick@ ok kettenis@
|
#
1.74 |
|
20-Mar-2016 |
guenther |
Export environ and __progname, making the latter a copy of just the filename portion like crt0 does. This is prep for eliminating _dl_fixup_user_env() Mark almost everything in resolve.h as hidden, to improve code generation.
ok kettenis@ mpi@ "good time" deraadt@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.73 |
|
22-Dec-2015 |
mmcc |
assign pointers to NULL rather than 0
|
#
1.72 |
|
06-Nov-2015 |
guenther |
Fix unloading of load groups when the last reference wasn't on the load_object but rather some descendent. Detect that case in _dl_unload_shlib() and switch to unloading the entire group.
Based on partial analyses by Henri Kemppainen (duclare (at) guu.fi) and Peter Hajdu (peter.ferenc.hajdu (at) gmail.com) ok millert@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.71 |
|
16-Jan-2015 |
deraadt |
<sys/param.h> to <limits.h> conversion. Verified binaries ok millert, thanks to doug for process advice
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.70 |
|
10-Jul-2014 |
otto |
check all memory allocations; ok miod@ guenther@
|
#
1.69 |
|
09-Jul-2014 |
guenther |
Use O_CLOEXEC to make sure fork+exec in a threaded process can't see the fds used by dlopen()
ok otto@ miod@
|
#
1.68 |
|
21-Jun-2014 |
otto |
Move to a non-zeroing _dl_malloc, a _dl_calloc and _dl_reallocarry and fix _dl_strdup to return NULL instead of crash; ok deraadt@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.67 |
|
20-Aug-2012 |
matthew |
Add support for .openbsd.randomdata sections and PT_OPENBSD_RANDOMIZE segments to the kernel, ld (2.15), and ld.so. Tested on alpha, amd64, i386, macppc, and sparc64 (thanks naddy, mpi, and okan!).
Idea discussed for some time; committing now for further testing. ok deraadt
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.66 |
|
12-Jun-2012 |
matthew |
Fix loaded object sod matching: when we load libfoo.so.X.Y into memory, we should be able to match other requests for libfoo.so.X.Z against that same object.
ok kurt, kettenis
|
#
1.65 |
|
08-May-2012 |
jsing |
Refuse to load ELF objects that contain a PT_TLS program header. Otherwise the binary assumes that the requested TLS storage has been allocated and will happily use it, resulting in unwanted memory corruption.
ok guenther@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.64 |
|
09-Jan-2012 |
ariane |
Don't mmap 0 byte areas, treat them as a noop instead.
ok miod@
|
#
1.63 |
|
28-Nov-2011 |
guenther |
Add support for getting some flags from DT_FLAGS_1: new flags DF_1_NODELETE and DF_1_INITFIRST, as well as DF_1_NOW and DF_1_GLOBAL.
Committing for kurt@ who worked out the final version; ok guenther@ drahn@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.62 |
|
10-May-2011 |
otto |
Fix previous. On i386, library.c isn't compiled
|
#
1.61 |
|
09-May-2011 |
otto |
Outsmart gcc4 on mips* by moving the declaration of _dl_debug_state outside the file the call is in. Since the function is empty, gcc optmizes the call away, breaking the gdb hook needed to resolve symbols in lazy bound shared libs. Analysis by kettenis@; ok miod@ kettenis@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.60 |
|
16-Nov-2010 |
drahn |
Fix error message when ld.so ends up loading a different than expected library, but other library needs the one loaded. mostly ok kurt@
|
#
1.59 |
|
25-Oct-2010 |
kurt |
Search loaded libs first and add support for SONAME matching. ok drahn@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.58 |
|
02-Oct-2008 |
kurt |
Fix mmap() error checking to be correct 64-bit addresses. Consistently use _dl_mmap_error() to check for mmap() errors. Adjust datatypes of some local vars for 64-bit safety.
okay millert@ drahn@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.57 |
|
05-May-2008 |
kurt |
Constantly fill in the program header pointer and count in elf_object_t for all objects which simplifies phdr usage in a few places. "go for it" drahn@
|
#
1.56 |
|
09-Apr-2008 |
kurt |
Improve support for shared libs linked at non-zero addreses: - rename private values in struct elf_object to better describe their meaning: s/load_offs/obj_base/ "object's address '0' base" s/load_addr/load_base/ "The base address of the loadable segments" - gdb needs the obj_base value so swap positions with load_base in struct elf_object - fix a few occurrences of where load_base was used instead of obj_base.
With help and okay drahn@
|
#
1.55 |
|
02-Apr-2008 |
drahn |
Use the proper define for this address, not a incorrect (on 64bit) define. ok kurt@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE
|
#
1.54 |
|
08-May-2006 |
deraadt |
de-space
|
#
1.53 |
|
03-May-2006 |
drahn |
prebind - how to prelink a binary without throwing security out the window
Prelink fixes the address of libraries making 'return to libc' attacks trival, prebind uses a different method to achieve most of the same gains, however without adding any security conerns.
Still under development, now in-tree.
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.52 |
|
09-Nov-2005 |
kurt |
add RTLD_NOW support to dlopen and propogate -z now to dep libs. ok drahn@
|
#
1.51 |
|
12-Oct-2005 |
kurt |
add missing grpref unload propogation (sync with library_mquery)
|
#
1.50 |
|
12-Oct-2005 |
kurt |
Split grpsym_list creation away from child_list creation and change grpsym_list order to match Sun's docs. Also corrects bugs where grpsym_list was either not created or partially created.
|
#
1.49 |
|
09-Oct-2005 |
kurt |
introduce object ref count macros (suggested by dale). no functional change.
|
#
1.48 |
|
06-Oct-2005 |
kurt |
separate load group references from dep lib child/dload lists. move load group refs to own per object ref counter (grprefcount) and list (grpref_list). corrects more complex load group ref cases and side effects from initial implementation. design ideas and ok drahn@
|
#
1.47 |
|
03-Oct-2005 |
kurt |
refcount corrections: count common dep libs once and centralize dep lib refcount increments to _dl_link_sub. adjust _dl_notify_unload_shlib to match new refcount method. ok drahn@
|
#
1.46 |
|
01-Oct-2005 |
drahn |
handle references to load groups caused by dlopen()ing of depenant members of the load group. work by kurt@ and myself
|
#
1.45 |
|
28-Sep-2005 |
drahn |
correct last commit, in both files.
|
#
1.44 |
|
28-Sep-2005 |
drahn |
keep a state flag if a library has been unloaded, and then free the list seperately ok kurt@
|
#
1.43 |
|
27-Sep-2005 |
kurt |
increment refcount when opening a lib that is already open (dev/inode case) ok drahn@
|
#
1.42 |
|
26-Sep-2005 |
drahn |
Fully unload dependant libraries, fixes gphoto2 bug.
|
#
1.41 |
|
16-Sep-2005 |
drahn |
Rework symbol lookup to more closely match sun's documentation, now treats dlopens as load groups. ok kurt@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.40 |
|
23-May-2005 |
drahn |
fixes for dlclose, ok kettenis@
|
#
1.39 |
|
10-May-2005 |
drahn |
Recommit the destructor order fix, now that the amd64 bug was fixed. 'no problem' pval@
|
#
1.38 |
|
06-Apr-2005 |
deraadt |
backout -- breaks at least amd64; spotted by marc
|
#
1.37 |
|
05-Apr-2005 |
drahn |
Do a better job of running destructors in the right order.
|
#
1.36 |
|
23-Mar-2005 |
drahn |
Code reorganization, move copied code in library.c and library_mquery.c into its own file. no functional change.
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.35 |
|
17-Oct-2004 |
drahn |
Fix some problems related to LD_LIBRARY_PATH parsing where it would not correctly deal with current directory searches specified by "::", ":foo" or "foo:"
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.34 |
|
05-Jul-2004 |
kjell |
Fix an issue where a shared library could be loaded at two different locations by resolving all dlopens back to a dev/inode.
i.e. Don't load a library if the dev/inode it stats back to matches one already in our list.
fix started (and ok'ed) drahn@. ok deraadt@. "doesn't break anything yet" pval@ art@ brad@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
|
#
1.33 |
|
02-Sep-2003 |
drahn |
Fix PR 3371, symbol lookup in dlopen()ed objects is not correct. Correct behavior for RTLD_GLOBAL/RTLD_LOCAL is now supported. ok espie@
|
#
1.32 |
|
18-Jul-2003 |
drahn |
Fix print if minor of library used is is less than requested. ok tdeval@
|
#
1.31 |
|
06-Jul-2003 |
deraadt |
various proto, ansi, and knf repair. tested on all architectures that use it. (build may require make cleandir because of .depend balony)
|
#
1.30 |
|
02-Jul-2003 |
niklas |
Correct library search algorithm, wrt versioned objects
|
#
1.29 |
|
22-Jun-2003 |
drahn |
Dynamic linking random order fixes. This enables random library ordering. Tested by naddy@ and others.
|
#
1.28 |
|
09-Jun-2003 |
deraadt |
pefo 3/4 licence cleanups
|
#
1.27 |
|
30-May-2003 |
drahn |
When loading a shared object or libraries dependant object, load them in random order. This will reduce the possiblity of a buffer overflow being able to predict the addresss of useful code. Can be disabled with the LD_NORANDOM environment variable for debugging purposes. ok deraadt.
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.26 |
|
02-Feb-2003 |
deraadt |
knf & ansi; drahn ok
|
#
1.25 |
|
30-Jan-2003 |
drahn |
Change the constructor execution order to initialize dependant libraries first. This mirrors the commit espie put in a.out ld.so recently.
|
#
1.24 |
|
13-Dec-2002 |
drahn |
Compare to ELFMAG byte by byte rather than using full fledged function. Also avoids a gas problem for the moment.
|
#
1.23 |
|
17-Nov-2002 |
drahn |
Terminate printed strings with newlines.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.22 |
|
08-Aug-2002 |
art |
There was a possible off-by-one in ld.so when loading shared libraries. In some (rare?) cases, where the bss was too small and fit entirely into the leftovers of the data segment we could map one extra page. This is slightly dangerous on PMAP_PREFER machines where mmaps allocations do not happen linearly in the virtual space and we could end up overwriting mappings that are already in use.
This also changes the initial allocation from being a MAP_ANON to a MAP_FILE so that we can pass the fd as a PMAP_PREFER hint.
|
#
1.21 |
|
24-Jul-2002 |
deraadt |
ok i found it
|
#
1.20 |
|
24-Jul-2002 |
deraadt |
back out broken stuff until it is fixed
|
#
1.19 |
|
24-Jul-2002 |
deraadt |
spacing
|
#
1.18 |
|
24-Jul-2002 |
deraadt |
cope with _dl_mmap() returning void *
|
#
1.17 |
|
23-Jul-2002 |
mickey |
match _dl_ syscall prototypes w/ the real syscalls prototypes, including args and return values; art@ ok
|
#
1.16 |
|
12-Jul-2002 |
drahn |
Change ld.so search order/method to match the a.out ld.so.
run destructors on dlclose()
Move more symbols into _dl_ private space, so that the proper (libc) version of the function will be used.
Add readdir() functionality to perform the proper library searching.
Support DL_PRELOAD
Do not relocate symbols if ld.so is being traced (and will exit).
Misc lint cleanup.
ok art@
|
#
1.15 |
|
05-Jun-2002 |
art |
Get rid of an unnecessary typedef (for future cleanup).
|
#
1.14 |
|
28-May-2002 |
deraadt |
more KNF
|
#
1.13 |
|
24-May-2002 |
drahn |
Change _dl_strcpy() to _dl_strlcpy(), implementation taken from libc.
|
#
1.12 |
|
24-May-2002 |
deraadt |
more KNF
|
#
1.11 |
|
24-May-2002 |
deraadt |
various KNF
|
Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE
|
#
1.10 |
|
22-Sep-2001 |
drahn |
Do not check for ':' twice, otherwise the rpath loses the first character after the : in the list of paths.
|
#
1.9 |
|
21-Aug-2001 |
drahn |
Fix up comment to indicate order that libraries in which the libraries are actually searched.
|
#
1.8 |
|
06-Aug-2001 |
drahn |
Change the priority of LD_LIBRARY_PATH, -rpath, and ldconfig path in ELF ld.so to match the behavior in a.out ld.so. The given order is the new order, previously ldconfig had highest priority, which made it impossible to override.
|
#
1.7 |
|
31-May-2001 |
art |
random indentation fixes (needs much more work).
|
#
1.6 |
|
11-May-2001 |
art |
MAP_COPY -> MAP_PRIVATE
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.5 |
|
02-Apr-2001 |
drahn |
Cleanup for 64bit support. Pieces by art, niklas and me. Only tested on powerpc.
|
#
1.4 |
|
30-Mar-2001 |
drahn |
Add infrastructure to allow mapping of text sections which are normally RO, RW while ld.so is working. And then the information to set the sections back to RO (or appropriate mode).
PowerPC now supports the typical NON-PIC relocations in ld.so. I do not know how well this will work with large shared libraries. I seem to recall a possible problem with large data where data is located in a different shared library.
|
#
1.3 |
|
16-Feb-2001 |
drahn |
Now that powerpc is using UVM, this shared library hack is no longer necessary.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.2 |
|
06-Oct-2000 |
rahnds |
Work around a shared library/pmap bug on the powerpc arch. Somehow it seems that the instruction cache will not get properly initialized or a problem exists with mmaping code and being able to execute it. This workaround is excessive in that it flushes the cache for the entire mmaped library. This slows down program startup, but seems to eliminate the problem.
|
#
1.1 |
|
13-Jun-2000 |
rahnds |
branches: 1.1.1; Initial revision
|
#
1.88 |
|
07-Nov-2022 |
deraadt |
dtors were broken by trying to reuse DF_1_NODELETE to hint that this library would never unload, and could be immutable. Pass a seperate flag for our purposes Noticed from regress tests by anton, ok kettenis
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.87 |
|
20-Aug-2022 |
sthen |
Support RTLD_NOLOAD in ld.so. From guenther@. OK jca@ guenther@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.86 |
|
08-Jan-2022 |
guenther |
Prep .c files for removing the #includes from */archdep.h * replace #include "archdep.h" with #includes of what is used, pulling in "syscall.h", "util.h", and "archdep.h" as needed * delete #include <sys/syscall.h> from syscall.h * only pull in <sys/stat.h> to the three files that use _dl_fstat(), forward declare struct stat in syscall.h for the others * NBBY is for <sys/select.h> macros; just use '8' in dl_printf.c * <machine/vmparam.h> is only needed on i386; conditionalize it * stop using __LDPGSZ: use _MAX_PAGE_SHIFT (already used by malloc.c) where necessary * delete other bogus #includes, order legit per style: <sys/*> then <*/*>, then <*>, then "*"
dir.c improvement from jsg@ ok and testing assistance deraadt@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.85 |
|
09-Dec-2019 |
deraadt |
print addresses upon msyscall failure, for now
|
#
1.84 |
|
29-Nov-2019 |
deraadt |
Repurpose the "syscalls must be on a writeable page" mechanism to enforce a new policy: system calls must be in pre-registered regions. We have discussed more strict checks than this, but none satisfy the cost/benefit based upon our understanding of attack methods, anyways let's see what the next iteration looks like.
This is intended to harden (translation: attackers must put extra effort into attacking) against a mixture of W^X failures and JIT bugs which allow syscall misinterpretation, especially in environments with polymorphic-instruction/variable-sized instructions. It fits in a bit with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash behaviour, particularily for remote problems. Less effective once on-host since someone the libraries can be read.
For static-executables the kernel registers the main program's PIE-mapped exec section valid, as well as the randomly-placed sigtramp page. For dynamic executables ELF ld.so's exec segment is also labelled valid; ld.so then has enough information to register libc's exec section as valid via call-once msyscall(2)
For dynamic binaries, we continue to to permit the main program exec segment because "go" (and potentially a few other applications) have embedded system calls in the main program. Hopefully at least go gets fixed soon.
We declare the concept of embedded syscalls a bad idea for numerous reasons, as we notice the ecosystem has many of static-syscall-in-base-binary which are dynamically linked against libraries which in turn use libc, which contains another set of syscall stubs. We've been concerned about adding even one additional syscall entry point... but go's approach tends to double the entry-point attack surface.
This was started at a nano-hackathon in Bob Beck's basement 2 weeks ago during a long discussion with mortimer trying to hide from the SSL scream-conversations, and finished in more comfortable circumstances next to a wood-stove at Elk Lakes cabin with UVM scream-conversations.
ok guenther kettenis mortimer, lots of feedback from others conversations about go with jsing tb sthen
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.83 |
|
04-Oct-2019 |
guenther |
Convert the child_list member from a linked list to a vector.
ok mpi@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.82 |
|
08-Dec-2017 |
deraadt |
Everyone knows this as ld.so, nor by the ancient name rtld. ok guenther
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.81 |
|
08-Feb-2017 |
guenther |
Provide size-generic ELF_NO_ADDR in <sys/exec_elf.h> and use that instead of ELFDEFNNAME(NO_ADDR)
ok jca@
|
#
1.80 |
|
24-Jan-2017 |
guenther |
On fatal errors, kill ourselves with thrkill(0,9,NULL) instead of simply exiting, via helper functions _dl_die(), _dl_diedie(), and _dl_oom().
prompted by a complaint from jsing@ ok jsing@ deraadt@
|
#
1.79 |
|
12-Aug-2016 |
deraadt |
the slimmed down random functions inside ld.so are strict clones of the libc arc4random API, so call them _dl_{arc4random,arcrandombuf} ok tedu guenther
|
#
1.78 |
|
08-Aug-2016 |
guenther |
Look for a PT_GNU_RELRO section per object and, if present, mprotect that range instead of the [__got_start, __got_end) range. On many archs this will cover _DYNAMIC too, so move up the DT_DEBUG handling to before relocations and the mprotect are done.
ok kettenis@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.77 |
|
04-Jul-2016 |
guenther |
Remove prebind support: binding to symbol table indices is too fragile for our development process.
ok kettenis@ deraadt@
|
#
1.76 |
|
08-Jun-2016 |
kettenis |
Some ELF ABIs still require a PLT that is both writable and executable. To avoid W^X violations, initially map such segments as writable and non-executable, and change the mapping to non-writable and executable after initial relocation processing. As a side-benefit this means we no longer depend on the __plt_start and __plt_end to make the PLT read-only after relocation processing.
This will break binaries linked with ld -Z, most notably emacs, on some of our architectures.
ok deraadt@, guenther@
|
#
1.75 |
|
07-May-2016 |
guenther |
Use a Thread Information Block in both single and multi-threaded programs. This stores errno, the cancelation flags, and related bits for each thread and is allocated by ld.so or libc.a. This is an ABI break from 5.9-stable!
Make libpthread dlopen'able by moving the cancelation wrappers into libc and doing locking and fork/errno handling via callbacks that libpthread registers when it first initializes. 'errno' *must* be declared via <errno.h> now!
Clean up libpthread's symbol exports like libc.
On powerpc, offset the TIB/TCB/TLS data from the register per the ELF spec.
Testing by various, particularly sthen@ and patrick@ ok kettenis@
|
#
1.74 |
|
20-Mar-2016 |
guenther |
Export environ and __progname, making the latter a copy of just the filename portion like crt0 does. This is prep for eliminating _dl_fixup_user_env() Mark almost everything in resolve.h as hidden, to improve code generation.
ok kettenis@ mpi@ "good time" deraadt@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.73 |
|
22-Dec-2015 |
mmcc |
assign pointers to NULL rather than 0
|
#
1.72 |
|
06-Nov-2015 |
guenther |
Fix unloading of load groups when the last reference wasn't on the load_object but rather some descendent. Detect that case in _dl_unload_shlib() and switch to unloading the entire group.
Based on partial analyses by Henri Kemppainen (duclare (at) guu.fi) and Peter Hajdu (peter.ferenc.hajdu (at) gmail.com) ok millert@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.71 |
|
16-Jan-2015 |
deraadt |
<sys/param.h> to <limits.h> conversion. Verified binaries ok millert, thanks to doug for process advice
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.70 |
|
10-Jul-2014 |
otto |
check all memory allocations; ok miod@ guenther@
|
#
1.69 |
|
09-Jul-2014 |
guenther |
Use O_CLOEXEC to make sure fork+exec in a threaded process can't see the fds used by dlopen()
ok otto@ miod@
|
#
1.68 |
|
21-Jun-2014 |
otto |
Move to a non-zeroing _dl_malloc, a _dl_calloc and _dl_reallocarry and fix _dl_strdup to return NULL instead of crash; ok deraadt@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.67 |
|
20-Aug-2012 |
matthew |
Add support for .openbsd.randomdata sections and PT_OPENBSD_RANDOMIZE segments to the kernel, ld (2.15), and ld.so. Tested on alpha, amd64, i386, macppc, and sparc64 (thanks naddy, mpi, and okan!).
Idea discussed for some time; committing now for further testing. ok deraadt
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.66 |
|
12-Jun-2012 |
matthew |
Fix loaded object sod matching: when we load libfoo.so.X.Y into memory, we should be able to match other requests for libfoo.so.X.Z against that same object.
ok kurt, kettenis
|
#
1.65 |
|
08-May-2012 |
jsing |
Refuse to load ELF objects that contain a PT_TLS program header. Otherwise the binary assumes that the requested TLS storage has been allocated and will happily use it, resulting in unwanted memory corruption.
ok guenther@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.64 |
|
09-Jan-2012 |
ariane |
Don't mmap 0 byte areas, treat them as a noop instead.
ok miod@
|
#
1.63 |
|
28-Nov-2011 |
guenther |
Add support for getting some flags from DT_FLAGS_1: new flags DF_1_NODELETE and DF_1_INITFIRST, as well as DF_1_NOW and DF_1_GLOBAL.
Committing for kurt@ who worked out the final version; ok guenther@ drahn@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.62 |
|
10-May-2011 |
otto |
Fix previous. On i386, library.c isn't compiled
|
#
1.61 |
|
09-May-2011 |
otto |
Outsmart gcc4 on mips* by moving the declaration of _dl_debug_state outside the file the call is in. Since the function is empty, gcc optmizes the call away, breaking the gdb hook needed to resolve symbols in lazy bound shared libs. Analysis by kettenis@; ok miod@ kettenis@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.60 |
|
16-Nov-2010 |
drahn |
Fix error message when ld.so ends up loading a different than expected library, but other library needs the one loaded. mostly ok kurt@
|
#
1.59 |
|
25-Oct-2010 |
kurt |
Search loaded libs first and add support for SONAME matching. ok drahn@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.58 |
|
02-Oct-2008 |
kurt |
Fix mmap() error checking to be correct 64-bit addresses. Consistently use _dl_mmap_error() to check for mmap() errors. Adjust datatypes of some local vars for 64-bit safety.
okay millert@ drahn@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.57 |
|
05-May-2008 |
kurt |
Constantly fill in the program header pointer and count in elf_object_t for all objects which simplifies phdr usage in a few places. "go for it" drahn@
|
#
1.56 |
|
09-Apr-2008 |
kurt |
Improve support for shared libs linked at non-zero addreses: - rename private values in struct elf_object to better describe their meaning: s/load_offs/obj_base/ "object's address '0' base" s/load_addr/load_base/ "The base address of the loadable segments" - gdb needs the obj_base value so swap positions with load_base in struct elf_object - fix a few occurrences of where load_base was used instead of obj_base.
With help and okay drahn@
|
#
1.55 |
|
02-Apr-2008 |
drahn |
Use the proper define for this address, not a incorrect (on 64bit) define. ok kurt@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE
|
#
1.54 |
|
08-May-2006 |
deraadt |
de-space
|
#
1.53 |
|
03-May-2006 |
drahn |
prebind - how to prelink a binary without throwing security out the window
Prelink fixes the address of libraries making 'return to libc' attacks trival, prebind uses a different method to achieve most of the same gains, however without adding any security conerns.
Still under development, now in-tree.
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.52 |
|
09-Nov-2005 |
kurt |
add RTLD_NOW support to dlopen and propogate -z now to dep libs. ok drahn@
|
#
1.51 |
|
12-Oct-2005 |
kurt |
add missing grpref unload propogation (sync with library_mquery)
|
#
1.50 |
|
12-Oct-2005 |
kurt |
Split grpsym_list creation away from child_list creation and change grpsym_list order to match Sun's docs. Also corrects bugs where grpsym_list was either not created or partially created.
|
#
1.49 |
|
09-Oct-2005 |
kurt |
introduce object ref count macros (suggested by dale). no functional change.
|
#
1.48 |
|
06-Oct-2005 |
kurt |
separate load group references from dep lib child/dload lists. move load group refs to own per object ref counter (grprefcount) and list (grpref_list). corrects more complex load group ref cases and side effects from initial implementation. design ideas and ok drahn@
|
#
1.47 |
|
03-Oct-2005 |
kurt |
refcount corrections: count common dep libs once and centralize dep lib refcount increments to _dl_link_sub. adjust _dl_notify_unload_shlib to match new refcount method. ok drahn@
|
#
1.46 |
|
01-Oct-2005 |
drahn |
handle references to load groups caused by dlopen()ing of depenant members of the load group. work by kurt@ and myself
|
#
1.45 |
|
28-Sep-2005 |
drahn |
correct last commit, in both files.
|
#
1.44 |
|
28-Sep-2005 |
drahn |
keep a state flag if a library has been unloaded, and then free the list seperately ok kurt@
|
#
1.43 |
|
27-Sep-2005 |
kurt |
increment refcount when opening a lib that is already open (dev/inode case) ok drahn@
|
#
1.42 |
|
26-Sep-2005 |
drahn |
Fully unload dependant libraries, fixes gphoto2 bug.
|
#
1.41 |
|
16-Sep-2005 |
drahn |
Rework symbol lookup to more closely match sun's documentation, now treats dlopens as load groups. ok kurt@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.40 |
|
23-May-2005 |
drahn |
fixes for dlclose, ok kettenis@
|
#
1.39 |
|
10-May-2005 |
drahn |
Recommit the destructor order fix, now that the amd64 bug was fixed. 'no problem' pval@
|
#
1.38 |
|
06-Apr-2005 |
deraadt |
backout -- breaks at least amd64; spotted by marc
|
#
1.37 |
|
05-Apr-2005 |
drahn |
Do a better job of running destructors in the right order.
|
#
1.36 |
|
23-Mar-2005 |
drahn |
Code reorganization, move copied code in library.c and library_mquery.c into its own file. no functional change.
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.35 |
|
17-Oct-2004 |
drahn |
Fix some problems related to LD_LIBRARY_PATH parsing where it would not correctly deal with current directory searches specified by "::", ":foo" or "foo:"
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.34 |
|
05-Jul-2004 |
kjell |
Fix an issue where a shared library could be loaded at two different locations by resolving all dlopens back to a dev/inode.
i.e. Don't load a library if the dev/inode it stats back to matches one already in our list.
fix started (and ok'ed) drahn@. ok deraadt@. "doesn't break anything yet" pval@ art@ brad@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
|
#
1.33 |
|
02-Sep-2003 |
drahn |
Fix PR 3371, symbol lookup in dlopen()ed objects is not correct. Correct behavior for RTLD_GLOBAL/RTLD_LOCAL is now supported. ok espie@
|
#
1.32 |
|
18-Jul-2003 |
drahn |
Fix print if minor of library used is is less than requested. ok tdeval@
|
#
1.31 |
|
06-Jul-2003 |
deraadt |
various proto, ansi, and knf repair. tested on all architectures that use it. (build may require make cleandir because of .depend balony)
|
#
1.30 |
|
02-Jul-2003 |
niklas |
Correct library search algorithm, wrt versioned objects
|
#
1.29 |
|
22-Jun-2003 |
drahn |
Dynamic linking random order fixes. This enables random library ordering. Tested by naddy@ and others.
|
#
1.28 |
|
09-Jun-2003 |
deraadt |
pefo 3/4 licence cleanups
|
#
1.27 |
|
30-May-2003 |
drahn |
When loading a shared object or libraries dependant object, load them in random order. This will reduce the possiblity of a buffer overflow being able to predict the addresss of useful code. Can be disabled with the LD_NORANDOM environment variable for debugging purposes. ok deraadt.
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.26 |
|
02-Feb-2003 |
deraadt |
knf & ansi; drahn ok
|
#
1.25 |
|
30-Jan-2003 |
drahn |
Change the constructor execution order to initialize dependant libraries first. This mirrors the commit espie put in a.out ld.so recently.
|
#
1.24 |
|
13-Dec-2002 |
drahn |
Compare to ELFMAG byte by byte rather than using full fledged function. Also avoids a gas problem for the moment.
|
#
1.23 |
|
17-Nov-2002 |
drahn |
Terminate printed strings with newlines.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.22 |
|
08-Aug-2002 |
art |
There was a possible off-by-one in ld.so when loading shared libraries. In some (rare?) cases, where the bss was too small and fit entirely into the leftovers of the data segment we could map one extra page. This is slightly dangerous on PMAP_PREFER machines where mmaps allocations do not happen linearly in the virtual space and we could end up overwriting mappings that are already in use.
This also changes the initial allocation from being a MAP_ANON to a MAP_FILE so that we can pass the fd as a PMAP_PREFER hint.
|
#
1.21 |
|
24-Jul-2002 |
deraadt |
ok i found it
|
#
1.20 |
|
24-Jul-2002 |
deraadt |
back out broken stuff until it is fixed
|
#
1.19 |
|
24-Jul-2002 |
deraadt |
spacing
|
#
1.18 |
|
24-Jul-2002 |
deraadt |
cope with _dl_mmap() returning void *
|
#
1.17 |
|
23-Jul-2002 |
mickey |
match _dl_ syscall prototypes w/ the real syscalls prototypes, including args and return values; art@ ok
|
#
1.16 |
|
12-Jul-2002 |
drahn |
Change ld.so search order/method to match the a.out ld.so.
run destructors on dlclose()
Move more symbols into _dl_ private space, so that the proper (libc) version of the function will be used.
Add readdir() functionality to perform the proper library searching.
Support DL_PRELOAD
Do not relocate symbols if ld.so is being traced (and will exit).
Misc lint cleanup.
ok art@
|
#
1.15 |
|
05-Jun-2002 |
art |
Get rid of an unnecessary typedef (for future cleanup).
|
#
1.14 |
|
28-May-2002 |
deraadt |
more KNF
|
#
1.13 |
|
24-May-2002 |
drahn |
Change _dl_strcpy() to _dl_strlcpy(), implementation taken from libc.
|
#
1.12 |
|
24-May-2002 |
deraadt |
more KNF
|
#
1.11 |
|
24-May-2002 |
deraadt |
various KNF
|
Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE
|
#
1.10 |
|
22-Sep-2001 |
drahn |
Do not check for ':' twice, otherwise the rpath loses the first character after the : in the list of paths.
|
#
1.9 |
|
21-Aug-2001 |
drahn |
Fix up comment to indicate order that libraries in which the libraries are actually searched.
|
#
1.8 |
|
06-Aug-2001 |
drahn |
Change the priority of LD_LIBRARY_PATH, -rpath, and ldconfig path in ELF ld.so to match the behavior in a.out ld.so. The given order is the new order, previously ldconfig had highest priority, which made it impossible to override.
|
#
1.7 |
|
31-May-2001 |
art |
random indentation fixes (needs much more work).
|
#
1.6 |
|
11-May-2001 |
art |
MAP_COPY -> MAP_PRIVATE
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.5 |
|
02-Apr-2001 |
drahn |
Cleanup for 64bit support. Pieces by art, niklas and me. Only tested on powerpc.
|
#
1.4 |
|
30-Mar-2001 |
drahn |
Add infrastructure to allow mapping of text sections which are normally RO, RW while ld.so is working. And then the information to set the sections back to RO (or appropriate mode).
PowerPC now supports the typical NON-PIC relocations in ld.so. I do not know how well this will work with large shared libraries. I seem to recall a possible problem with large data where data is located in a different shared library.
|
#
1.3 |
|
16-Feb-2001 |
drahn |
Now that powerpc is using UVM, this shared library hack is no longer necessary.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.2 |
|
06-Oct-2000 |
rahnds |
Work around a shared library/pmap bug on the powerpc arch. Somehow it seems that the instruction cache will not get properly initialized or a problem exists with mmaping code and being able to execute it. This workaround is excessive in that it flushes the cache for the entire mmaped library. This slows down program startup, but seems to eliminate the problem.
|
#
1.1 |
|
13-Jun-2000 |
rahnds |
branches: 1.1.1; Initial revision
|
#
1.87 |
|
20-Aug-2022 |
sthen |
Support RTLD_NOLOAD in ld.so. From guenther@. OK jca@ guenther@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.86 |
|
08-Jan-2022 |
guenther |
Prep .c files for removing the #includes from */archdep.h * replace #include "archdep.h" with #includes of what is used, pulling in "syscall.h", "util.h", and "archdep.h" as needed * delete #include <sys/syscall.h> from syscall.h * only pull in <sys/stat.h> to the three files that use _dl_fstat(), forward declare struct stat in syscall.h for the others * NBBY is for <sys/select.h> macros; just use '8' in dl_printf.c * <machine/vmparam.h> is only needed on i386; conditionalize it * stop using __LDPGSZ: use _MAX_PAGE_SHIFT (already used by malloc.c) where necessary * delete other bogus #includes, order legit per style: <sys/*> then <*/*>, then <*>, then "*"
dir.c improvement from jsg@ ok and testing assistance deraadt@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.85 |
|
09-Dec-2019 |
deraadt |
print addresses upon msyscall failure, for now
|
#
1.84 |
|
29-Nov-2019 |
deraadt |
Repurpose the "syscalls must be on a writeable page" mechanism to enforce a new policy: system calls must be in pre-registered regions. We have discussed more strict checks than this, but none satisfy the cost/benefit based upon our understanding of attack methods, anyways let's see what the next iteration looks like.
This is intended to harden (translation: attackers must put extra effort into attacking) against a mixture of W^X failures and JIT bugs which allow syscall misinterpretation, especially in environments with polymorphic-instruction/variable-sized instructions. It fits in a bit with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash behaviour, particularily for remote problems. Less effective once on-host since someone the libraries can be read.
For static-executables the kernel registers the main program's PIE-mapped exec section valid, as well as the randomly-placed sigtramp page. For dynamic executables ELF ld.so's exec segment is also labelled valid; ld.so then has enough information to register libc's exec section as valid via call-once msyscall(2)
For dynamic binaries, we continue to to permit the main program exec segment because "go" (and potentially a few other applications) have embedded system calls in the main program. Hopefully at least go gets fixed soon.
We declare the concept of embedded syscalls a bad idea for numerous reasons, as we notice the ecosystem has many of static-syscall-in-base-binary which are dynamically linked against libraries which in turn use libc, which contains another set of syscall stubs. We've been concerned about adding even one additional syscall entry point... but go's approach tends to double the entry-point attack surface.
This was started at a nano-hackathon in Bob Beck's basement 2 weeks ago during a long discussion with mortimer trying to hide from the SSL scream-conversations, and finished in more comfortable circumstances next to a wood-stove at Elk Lakes cabin with UVM scream-conversations.
ok guenther kettenis mortimer, lots of feedback from others conversations about go with jsing tb sthen
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.83 |
|
04-Oct-2019 |
guenther |
Convert the child_list member from a linked list to a vector.
ok mpi@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.82 |
|
08-Dec-2017 |
deraadt |
Everyone knows this as ld.so, nor by the ancient name rtld. ok guenther
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.81 |
|
08-Feb-2017 |
guenther |
Provide size-generic ELF_NO_ADDR in <sys/exec_elf.h> and use that instead of ELFDEFNNAME(NO_ADDR)
ok jca@
|
#
1.80 |
|
24-Jan-2017 |
guenther |
On fatal errors, kill ourselves with thrkill(0,9,NULL) instead of simply exiting, via helper functions _dl_die(), _dl_diedie(), and _dl_oom().
prompted by a complaint from jsing@ ok jsing@ deraadt@
|
#
1.79 |
|
12-Aug-2016 |
deraadt |
the slimmed down random functions inside ld.so are strict clones of the libc arc4random API, so call them _dl_{arc4random,arcrandombuf} ok tedu guenther
|
#
1.78 |
|
08-Aug-2016 |
guenther |
Look for a PT_GNU_RELRO section per object and, if present, mprotect that range instead of the [__got_start, __got_end) range. On many archs this will cover _DYNAMIC too, so move up the DT_DEBUG handling to before relocations and the mprotect are done.
ok kettenis@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.77 |
|
04-Jul-2016 |
guenther |
Remove prebind support: binding to symbol table indices is too fragile for our development process.
ok kettenis@ deraadt@
|
#
1.76 |
|
08-Jun-2016 |
kettenis |
Some ELF ABIs still require a PLT that is both writable and executable. To avoid W^X violations, initially map such segments as writable and non-executable, and change the mapping to non-writable and executable after initial relocation processing. As a side-benefit this means we no longer depend on the __plt_start and __plt_end to make the PLT read-only after relocation processing.
This will break binaries linked with ld -Z, most notably emacs, on some of our architectures.
ok deraadt@, guenther@
|
#
1.75 |
|
07-May-2016 |
guenther |
Use a Thread Information Block in both single and multi-threaded programs. This stores errno, the cancelation flags, and related bits for each thread and is allocated by ld.so or libc.a. This is an ABI break from 5.9-stable!
Make libpthread dlopen'able by moving the cancelation wrappers into libc and doing locking and fork/errno handling via callbacks that libpthread registers when it first initializes. 'errno' *must* be declared via <errno.h> now!
Clean up libpthread's symbol exports like libc.
On powerpc, offset the TIB/TCB/TLS data from the register per the ELF spec.
Testing by various, particularly sthen@ and patrick@ ok kettenis@
|
#
1.74 |
|
20-Mar-2016 |
guenther |
Export environ and __progname, making the latter a copy of just the filename portion like crt0 does. This is prep for eliminating _dl_fixup_user_env() Mark almost everything in resolve.h as hidden, to improve code generation.
ok kettenis@ mpi@ "good time" deraadt@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.73 |
|
22-Dec-2015 |
mmcc |
assign pointers to NULL rather than 0
|
#
1.72 |
|
06-Nov-2015 |
guenther |
Fix unloading of load groups when the last reference wasn't on the load_object but rather some descendent. Detect that case in _dl_unload_shlib() and switch to unloading the entire group.
Based on partial analyses by Henri Kemppainen (duclare (at) guu.fi) and Peter Hajdu (peter.ferenc.hajdu (at) gmail.com) ok millert@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.71 |
|
16-Jan-2015 |
deraadt |
<sys/param.h> to <limits.h> conversion. Verified binaries ok millert, thanks to doug for process advice
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.70 |
|
10-Jul-2014 |
otto |
check all memory allocations; ok miod@ guenther@
|
#
1.69 |
|
09-Jul-2014 |
guenther |
Use O_CLOEXEC to make sure fork+exec in a threaded process can't see the fds used by dlopen()
ok otto@ miod@
|
#
1.68 |
|
21-Jun-2014 |
otto |
Move to a non-zeroing _dl_malloc, a _dl_calloc and _dl_reallocarry and fix _dl_strdup to return NULL instead of crash; ok deraadt@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.67 |
|
20-Aug-2012 |
matthew |
Add support for .openbsd.randomdata sections and PT_OPENBSD_RANDOMIZE segments to the kernel, ld (2.15), and ld.so. Tested on alpha, amd64, i386, macppc, and sparc64 (thanks naddy, mpi, and okan!).
Idea discussed for some time; committing now for further testing. ok deraadt
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.66 |
|
12-Jun-2012 |
matthew |
Fix loaded object sod matching: when we load libfoo.so.X.Y into memory, we should be able to match other requests for libfoo.so.X.Z against that same object.
ok kurt, kettenis
|
#
1.65 |
|
08-May-2012 |
jsing |
Refuse to load ELF objects that contain a PT_TLS program header. Otherwise the binary assumes that the requested TLS storage has been allocated and will happily use it, resulting in unwanted memory corruption.
ok guenther@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.64 |
|
09-Jan-2012 |
ariane |
Don't mmap 0 byte areas, treat them as a noop instead.
ok miod@
|
#
1.63 |
|
28-Nov-2011 |
guenther |
Add support for getting some flags from DT_FLAGS_1: new flags DF_1_NODELETE and DF_1_INITFIRST, as well as DF_1_NOW and DF_1_GLOBAL.
Committing for kurt@ who worked out the final version; ok guenther@ drahn@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.62 |
|
10-May-2011 |
otto |
Fix previous. On i386, library.c isn't compiled
|
#
1.61 |
|
09-May-2011 |
otto |
Outsmart gcc4 on mips* by moving the declaration of _dl_debug_state outside the file the call is in. Since the function is empty, gcc optmizes the call away, breaking the gdb hook needed to resolve symbols in lazy bound shared libs. Analysis by kettenis@; ok miod@ kettenis@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.60 |
|
16-Nov-2010 |
drahn |
Fix error message when ld.so ends up loading a different than expected library, but other library needs the one loaded. mostly ok kurt@
|
#
1.59 |
|
25-Oct-2010 |
kurt |
Search loaded libs first and add support for SONAME matching. ok drahn@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.58 |
|
02-Oct-2008 |
kurt |
Fix mmap() error checking to be correct 64-bit addresses. Consistently use _dl_mmap_error() to check for mmap() errors. Adjust datatypes of some local vars for 64-bit safety.
okay millert@ drahn@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.57 |
|
05-May-2008 |
kurt |
Constantly fill in the program header pointer and count in elf_object_t for all objects which simplifies phdr usage in a few places. "go for it" drahn@
|
#
1.56 |
|
09-Apr-2008 |
kurt |
Improve support for shared libs linked at non-zero addreses: - rename private values in struct elf_object to better describe their meaning: s/load_offs/obj_base/ "object's address '0' base" s/load_addr/load_base/ "The base address of the loadable segments" - gdb needs the obj_base value so swap positions with load_base in struct elf_object - fix a few occurrences of where load_base was used instead of obj_base.
With help and okay drahn@
|
#
1.55 |
|
02-Apr-2008 |
drahn |
Use the proper define for this address, not a incorrect (on 64bit) define. ok kurt@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE
|
#
1.54 |
|
08-May-2006 |
deraadt |
de-space
|
#
1.53 |
|
03-May-2006 |
drahn |
prebind - how to prelink a binary without throwing security out the window
Prelink fixes the address of libraries making 'return to libc' attacks trival, prebind uses a different method to achieve most of the same gains, however without adding any security conerns.
Still under development, now in-tree.
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.52 |
|
09-Nov-2005 |
kurt |
add RTLD_NOW support to dlopen and propogate -z now to dep libs. ok drahn@
|
#
1.51 |
|
12-Oct-2005 |
kurt |
add missing grpref unload propogation (sync with library_mquery)
|
#
1.50 |
|
12-Oct-2005 |
kurt |
Split grpsym_list creation away from child_list creation and change grpsym_list order to match Sun's docs. Also corrects bugs where grpsym_list was either not created or partially created.
|
#
1.49 |
|
09-Oct-2005 |
kurt |
introduce object ref count macros (suggested by dale). no functional change.
|
#
1.48 |
|
06-Oct-2005 |
kurt |
separate load group references from dep lib child/dload lists. move load group refs to own per object ref counter (grprefcount) and list (grpref_list). corrects more complex load group ref cases and side effects from initial implementation. design ideas and ok drahn@
|
#
1.47 |
|
03-Oct-2005 |
kurt |
refcount corrections: count common dep libs once and centralize dep lib refcount increments to _dl_link_sub. adjust _dl_notify_unload_shlib to match new refcount method. ok drahn@
|
#
1.46 |
|
01-Oct-2005 |
drahn |
handle references to load groups caused by dlopen()ing of depenant members of the load group. work by kurt@ and myself
|
#
1.45 |
|
28-Sep-2005 |
drahn |
correct last commit, in both files.
|
#
1.44 |
|
28-Sep-2005 |
drahn |
keep a state flag if a library has been unloaded, and then free the list seperately ok kurt@
|
#
1.43 |
|
27-Sep-2005 |
kurt |
increment refcount when opening a lib that is already open (dev/inode case) ok drahn@
|
#
1.42 |
|
26-Sep-2005 |
drahn |
Fully unload dependant libraries, fixes gphoto2 bug.
|
#
1.41 |
|
16-Sep-2005 |
drahn |
Rework symbol lookup to more closely match sun's documentation, now treats dlopens as load groups. ok kurt@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.40 |
|
23-May-2005 |
drahn |
fixes for dlclose, ok kettenis@
|
#
1.39 |
|
10-May-2005 |
drahn |
Recommit the destructor order fix, now that the amd64 bug was fixed. 'no problem' pval@
|
#
1.38 |
|
06-Apr-2005 |
deraadt |
backout -- breaks at least amd64; spotted by marc
|
#
1.37 |
|
05-Apr-2005 |
drahn |
Do a better job of running destructors in the right order.
|
#
1.36 |
|
23-Mar-2005 |
drahn |
Code reorganization, move copied code in library.c and library_mquery.c into its own file. no functional change.
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.35 |
|
17-Oct-2004 |
drahn |
Fix some problems related to LD_LIBRARY_PATH parsing where it would not correctly deal with current directory searches specified by "::", ":foo" or "foo:"
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.34 |
|
05-Jul-2004 |
kjell |
Fix an issue where a shared library could be loaded at two different locations by resolving all dlopens back to a dev/inode.
i.e. Don't load a library if the dev/inode it stats back to matches one already in our list.
fix started (and ok'ed) drahn@. ok deraadt@. "doesn't break anything yet" pval@ art@ brad@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
|
#
1.33 |
|
02-Sep-2003 |
drahn |
Fix PR 3371, symbol lookup in dlopen()ed objects is not correct. Correct behavior for RTLD_GLOBAL/RTLD_LOCAL is now supported. ok espie@
|
#
1.32 |
|
18-Jul-2003 |
drahn |
Fix print if minor of library used is is less than requested. ok tdeval@
|
#
1.31 |
|
06-Jul-2003 |
deraadt |
various proto, ansi, and knf repair. tested on all architectures that use it. (build may require make cleandir because of .depend balony)
|
#
1.30 |
|
02-Jul-2003 |
niklas |
Correct library search algorithm, wrt versioned objects
|
#
1.29 |
|
22-Jun-2003 |
drahn |
Dynamic linking random order fixes. This enables random library ordering. Tested by naddy@ and others.
|
#
1.28 |
|
09-Jun-2003 |
deraadt |
pefo 3/4 licence cleanups
|
#
1.27 |
|
30-May-2003 |
drahn |
When loading a shared object or libraries dependant object, load them in random order. This will reduce the possiblity of a buffer overflow being able to predict the addresss of useful code. Can be disabled with the LD_NORANDOM environment variable for debugging purposes. ok deraadt.
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.26 |
|
02-Feb-2003 |
deraadt |
knf & ansi; drahn ok
|
#
1.25 |
|
30-Jan-2003 |
drahn |
Change the constructor execution order to initialize dependant libraries first. This mirrors the commit espie put in a.out ld.so recently.
|
#
1.24 |
|
13-Dec-2002 |
drahn |
Compare to ELFMAG byte by byte rather than using full fledged function. Also avoids a gas problem for the moment.
|
#
1.23 |
|
17-Nov-2002 |
drahn |
Terminate printed strings with newlines.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.22 |
|
08-Aug-2002 |
art |
There was a possible off-by-one in ld.so when loading shared libraries. In some (rare?) cases, where the bss was too small and fit entirely into the leftovers of the data segment we could map one extra page. This is slightly dangerous on PMAP_PREFER machines where mmaps allocations do not happen linearly in the virtual space and we could end up overwriting mappings that are already in use.
This also changes the initial allocation from being a MAP_ANON to a MAP_FILE so that we can pass the fd as a PMAP_PREFER hint.
|
#
1.21 |
|
24-Jul-2002 |
deraadt |
ok i found it
|
#
1.20 |
|
24-Jul-2002 |
deraadt |
back out broken stuff until it is fixed
|
#
1.19 |
|
24-Jul-2002 |
deraadt |
spacing
|
#
1.18 |
|
24-Jul-2002 |
deraadt |
cope with _dl_mmap() returning void *
|
#
1.17 |
|
23-Jul-2002 |
mickey |
match _dl_ syscall prototypes w/ the real syscalls prototypes, including args and return values; art@ ok
|
#
1.16 |
|
12-Jul-2002 |
drahn |
Change ld.so search order/method to match the a.out ld.so.
run destructors on dlclose()
Move more symbols into _dl_ private space, so that the proper (libc) version of the function will be used.
Add readdir() functionality to perform the proper library searching.
Support DL_PRELOAD
Do not relocate symbols if ld.so is being traced (and will exit).
Misc lint cleanup.
ok art@
|
#
1.15 |
|
05-Jun-2002 |
art |
Get rid of an unnecessary typedef (for future cleanup).
|
#
1.14 |
|
28-May-2002 |
deraadt |
more KNF
|
#
1.13 |
|
24-May-2002 |
drahn |
Change _dl_strcpy() to _dl_strlcpy(), implementation taken from libc.
|
#
1.12 |
|
24-May-2002 |
deraadt |
more KNF
|
#
1.11 |
|
24-May-2002 |
deraadt |
various KNF
|
Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE
|
#
1.10 |
|
22-Sep-2001 |
drahn |
Do not check for ':' twice, otherwise the rpath loses the first character after the : in the list of paths.
|
#
1.9 |
|
21-Aug-2001 |
drahn |
Fix up comment to indicate order that libraries in which the libraries are actually searched.
|
#
1.8 |
|
06-Aug-2001 |
drahn |
Change the priority of LD_LIBRARY_PATH, -rpath, and ldconfig path in ELF ld.so to match the behavior in a.out ld.so. The given order is the new order, previously ldconfig had highest priority, which made it impossible to override.
|
#
1.7 |
|
31-May-2001 |
art |
random indentation fixes (needs much more work).
|
#
1.6 |
|
11-May-2001 |
art |
MAP_COPY -> MAP_PRIVATE
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.5 |
|
02-Apr-2001 |
drahn |
Cleanup for 64bit support. Pieces by art, niklas and me. Only tested on powerpc.
|
#
1.4 |
|
30-Mar-2001 |
drahn |
Add infrastructure to allow mapping of text sections which are normally RO, RW while ld.so is working. And then the information to set the sections back to RO (or appropriate mode).
PowerPC now supports the typical NON-PIC relocations in ld.so. I do not know how well this will work with large shared libraries. I seem to recall a possible problem with large data where data is located in a different shared library.
|
#
1.3 |
|
16-Feb-2001 |
drahn |
Now that powerpc is using UVM, this shared library hack is no longer necessary.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.2 |
|
06-Oct-2000 |
rahnds |
Work around a shared library/pmap bug on the powerpc arch. Somehow it seems that the instruction cache will not get properly initialized or a problem exists with mmaping code and being able to execute it. This workaround is excessive in that it flushes the cache for the entire mmaped library. This slows down program startup, but seems to eliminate the problem.
|
#
1.1 |
|
13-Jun-2000 |
rahnds |
branches: 1.1.1; Initial revision
|
#
1.86 |
|
08-Jan-2022 |
guenther |
Prep .c files for removing the #includes from */archdep.h * replace #include "archdep.h" with #includes of what is used, pulling in "syscall.h", "util.h", and "archdep.h" as needed * delete #include <sys/syscall.h> from syscall.h * only pull in <sys/stat.h> to the three files that use _dl_fstat(), forward declare struct stat in syscall.h for the others * NBBY is for <sys/select.h> macros; just use '8' in dl_printf.c * <machine/vmparam.h> is only needed on i386; conditionalize it * stop using __LDPGSZ: use _MAX_PAGE_SHIFT (already used by malloc.c) where necessary * delete other bogus #includes, order legit per style: <sys/*> then <*/*>, then <*>, then "*"
dir.c improvement from jsg@ ok and testing assistance deraadt@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.85 |
|
09-Dec-2019 |
deraadt |
print addresses upon msyscall failure, for now
|
#
1.84 |
|
29-Nov-2019 |
deraadt |
Repurpose the "syscalls must be on a writeable page" mechanism to enforce a new policy: system calls must be in pre-registered regions. We have discussed more strict checks than this, but none satisfy the cost/benefit based upon our understanding of attack methods, anyways let's see what the next iteration looks like.
This is intended to harden (translation: attackers must put extra effort into attacking) against a mixture of W^X failures and JIT bugs which allow syscall misinterpretation, especially in environments with polymorphic-instruction/variable-sized instructions. It fits in a bit with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash behaviour, particularily for remote problems. Less effective once on-host since someone the libraries can be read.
For static-executables the kernel registers the main program's PIE-mapped exec section valid, as well as the randomly-placed sigtramp page. For dynamic executables ELF ld.so's exec segment is also labelled valid; ld.so then has enough information to register libc's exec section as valid via call-once msyscall(2)
For dynamic binaries, we continue to to permit the main program exec segment because "go" (and potentially a few other applications) have embedded system calls in the main program. Hopefully at least go gets fixed soon.
We declare the concept of embedded syscalls a bad idea for numerous reasons, as we notice the ecosystem has many of static-syscall-in-base-binary which are dynamically linked against libraries which in turn use libc, which contains another set of syscall stubs. We've been concerned about adding even one additional syscall entry point... but go's approach tends to double the entry-point attack surface.
This was started at a nano-hackathon in Bob Beck's basement 2 weeks ago during a long discussion with mortimer trying to hide from the SSL scream-conversations, and finished in more comfortable circumstances next to a wood-stove at Elk Lakes cabin with UVM scream-conversations.
ok guenther kettenis mortimer, lots of feedback from others conversations about go with jsing tb sthen
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.83 |
|
04-Oct-2019 |
guenther |
Convert the child_list member from a linked list to a vector.
ok mpi@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.82 |
|
08-Dec-2017 |
deraadt |
Everyone knows this as ld.so, nor by the ancient name rtld. ok guenther
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.81 |
|
08-Feb-2017 |
guenther |
Provide size-generic ELF_NO_ADDR in <sys/exec_elf.h> and use that instead of ELFDEFNNAME(NO_ADDR)
ok jca@
|
#
1.80 |
|
24-Jan-2017 |
guenther |
On fatal errors, kill ourselves with thrkill(0,9,NULL) instead of simply exiting, via helper functions _dl_die(), _dl_diedie(), and _dl_oom().
prompted by a complaint from jsing@ ok jsing@ deraadt@
|
#
1.79 |
|
12-Aug-2016 |
deraadt |
the slimmed down random functions inside ld.so are strict clones of the libc arc4random API, so call them _dl_{arc4random,arcrandombuf} ok tedu guenther
|
#
1.78 |
|
08-Aug-2016 |
guenther |
Look for a PT_GNU_RELRO section per object and, if present, mprotect that range instead of the [__got_start, __got_end) range. On many archs this will cover _DYNAMIC too, so move up the DT_DEBUG handling to before relocations and the mprotect are done.
ok kettenis@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.77 |
|
04-Jul-2016 |
guenther |
Remove prebind support: binding to symbol table indices is too fragile for our development process.
ok kettenis@ deraadt@
|
#
1.76 |
|
08-Jun-2016 |
kettenis |
Some ELF ABIs still require a PLT that is both writable and executable. To avoid W^X violations, initially map such segments as writable and non-executable, and change the mapping to non-writable and executable after initial relocation processing. As a side-benefit this means we no longer depend on the __plt_start and __plt_end to make the PLT read-only after relocation processing.
This will break binaries linked with ld -Z, most notably emacs, on some of our architectures.
ok deraadt@, guenther@
|
#
1.75 |
|
07-May-2016 |
guenther |
Use a Thread Information Block in both single and multi-threaded programs. This stores errno, the cancelation flags, and related bits for each thread and is allocated by ld.so or libc.a. This is an ABI break from 5.9-stable!
Make libpthread dlopen'able by moving the cancelation wrappers into libc and doing locking and fork/errno handling via callbacks that libpthread registers when it first initializes. 'errno' *must* be declared via <errno.h> now!
Clean up libpthread's symbol exports like libc.
On powerpc, offset the TIB/TCB/TLS data from the register per the ELF spec.
Testing by various, particularly sthen@ and patrick@ ok kettenis@
|
#
1.74 |
|
20-Mar-2016 |
guenther |
Export environ and __progname, making the latter a copy of just the filename portion like crt0 does. This is prep for eliminating _dl_fixup_user_env() Mark almost everything in resolve.h as hidden, to improve code generation.
ok kettenis@ mpi@ "good time" deraadt@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.73 |
|
22-Dec-2015 |
mmcc |
assign pointers to NULL rather than 0
|
#
1.72 |
|
06-Nov-2015 |
guenther |
Fix unloading of load groups when the last reference wasn't on the load_object but rather some descendent. Detect that case in _dl_unload_shlib() and switch to unloading the entire group.
Based on partial analyses by Henri Kemppainen (duclare (at) guu.fi) and Peter Hajdu (peter.ferenc.hajdu (at) gmail.com) ok millert@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.71 |
|
16-Jan-2015 |
deraadt |
<sys/param.h> to <limits.h> conversion. Verified binaries ok millert, thanks to doug for process advice
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.70 |
|
10-Jul-2014 |
otto |
check all memory allocations; ok miod@ guenther@
|
#
1.69 |
|
09-Jul-2014 |
guenther |
Use O_CLOEXEC to make sure fork+exec in a threaded process can't see the fds used by dlopen()
ok otto@ miod@
|
#
1.68 |
|
21-Jun-2014 |
otto |
Move to a non-zeroing _dl_malloc, a _dl_calloc and _dl_reallocarry and fix _dl_strdup to return NULL instead of crash; ok deraadt@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.67 |
|
20-Aug-2012 |
matthew |
Add support for .openbsd.randomdata sections and PT_OPENBSD_RANDOMIZE segments to the kernel, ld (2.15), and ld.so. Tested on alpha, amd64, i386, macppc, and sparc64 (thanks naddy, mpi, and okan!).
Idea discussed for some time; committing now for further testing. ok deraadt
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.66 |
|
12-Jun-2012 |
matthew |
Fix loaded object sod matching: when we load libfoo.so.X.Y into memory, we should be able to match other requests for libfoo.so.X.Z against that same object.
ok kurt, kettenis
|
#
1.65 |
|
08-May-2012 |
jsing |
Refuse to load ELF objects that contain a PT_TLS program header. Otherwise the binary assumes that the requested TLS storage has been allocated and will happily use it, resulting in unwanted memory corruption.
ok guenther@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.64 |
|
09-Jan-2012 |
ariane |
Don't mmap 0 byte areas, treat them as a noop instead.
ok miod@
|
#
1.63 |
|
28-Nov-2011 |
guenther |
Add support for getting some flags from DT_FLAGS_1: new flags DF_1_NODELETE and DF_1_INITFIRST, as well as DF_1_NOW and DF_1_GLOBAL.
Committing for kurt@ who worked out the final version; ok guenther@ drahn@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.62 |
|
10-May-2011 |
otto |
Fix previous. On i386, library.c isn't compiled
|
#
1.61 |
|
09-May-2011 |
otto |
Outsmart gcc4 on mips* by moving the declaration of _dl_debug_state outside the file the call is in. Since the function is empty, gcc optmizes the call away, breaking the gdb hook needed to resolve symbols in lazy bound shared libs. Analysis by kettenis@; ok miod@ kettenis@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.60 |
|
16-Nov-2010 |
drahn |
Fix error message when ld.so ends up loading a different than expected library, but other library needs the one loaded. mostly ok kurt@
|
#
1.59 |
|
25-Oct-2010 |
kurt |
Search loaded libs first and add support for SONAME matching. ok drahn@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.58 |
|
02-Oct-2008 |
kurt |
Fix mmap() error checking to be correct 64-bit addresses. Consistently use _dl_mmap_error() to check for mmap() errors. Adjust datatypes of some local vars for 64-bit safety.
okay millert@ drahn@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.57 |
|
05-May-2008 |
kurt |
Constantly fill in the program header pointer and count in elf_object_t for all objects which simplifies phdr usage in a few places. "go for it" drahn@
|
#
1.56 |
|
09-Apr-2008 |
kurt |
Improve support for shared libs linked at non-zero addreses: - rename private values in struct elf_object to better describe their meaning: s/load_offs/obj_base/ "object's address '0' base" s/load_addr/load_base/ "The base address of the loadable segments" - gdb needs the obj_base value so swap positions with load_base in struct elf_object - fix a few occurrences of where load_base was used instead of obj_base.
With help and okay drahn@
|
#
1.55 |
|
02-Apr-2008 |
drahn |
Use the proper define for this address, not a incorrect (on 64bit) define. ok kurt@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE
|
#
1.54 |
|
08-May-2006 |
deraadt |
de-space
|
#
1.53 |
|
03-May-2006 |
drahn |
prebind - how to prelink a binary without throwing security out the window
Prelink fixes the address of libraries making 'return to libc' attacks trival, prebind uses a different method to achieve most of the same gains, however without adding any security conerns.
Still under development, now in-tree.
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.52 |
|
09-Nov-2005 |
kurt |
add RTLD_NOW support to dlopen and propogate -z now to dep libs. ok drahn@
|
#
1.51 |
|
12-Oct-2005 |
kurt |
add missing grpref unload propogation (sync with library_mquery)
|
#
1.50 |
|
12-Oct-2005 |
kurt |
Split grpsym_list creation away from child_list creation and change grpsym_list order to match Sun's docs. Also corrects bugs where grpsym_list was either not created or partially created.
|
#
1.49 |
|
09-Oct-2005 |
kurt |
introduce object ref count macros (suggested by dale). no functional change.
|
#
1.48 |
|
06-Oct-2005 |
kurt |
separate load group references from dep lib child/dload lists. move load group refs to own per object ref counter (grprefcount) and list (grpref_list). corrects more complex load group ref cases and side effects from initial implementation. design ideas and ok drahn@
|
#
1.47 |
|
03-Oct-2005 |
kurt |
refcount corrections: count common dep libs once and centralize dep lib refcount increments to _dl_link_sub. adjust _dl_notify_unload_shlib to match new refcount method. ok drahn@
|
#
1.46 |
|
01-Oct-2005 |
drahn |
handle references to load groups caused by dlopen()ing of depenant members of the load group. work by kurt@ and myself
|
#
1.45 |
|
28-Sep-2005 |
drahn |
correct last commit, in both files.
|
#
1.44 |
|
28-Sep-2005 |
drahn |
keep a state flag if a library has been unloaded, and then free the list seperately ok kurt@
|
#
1.43 |
|
27-Sep-2005 |
kurt |
increment refcount when opening a lib that is already open (dev/inode case) ok drahn@
|
#
1.42 |
|
26-Sep-2005 |
drahn |
Fully unload dependant libraries, fixes gphoto2 bug.
|
#
1.41 |
|
16-Sep-2005 |
drahn |
Rework symbol lookup to more closely match sun's documentation, now treats dlopens as load groups. ok kurt@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.40 |
|
23-May-2005 |
drahn |
fixes for dlclose, ok kettenis@
|
#
1.39 |
|
10-May-2005 |
drahn |
Recommit the destructor order fix, now that the amd64 bug was fixed. 'no problem' pval@
|
#
1.38 |
|
06-Apr-2005 |
deraadt |
backout -- breaks at least amd64; spotted by marc
|
#
1.37 |
|
05-Apr-2005 |
drahn |
Do a better job of running destructors in the right order.
|
#
1.36 |
|
23-Mar-2005 |
drahn |
Code reorganization, move copied code in library.c and library_mquery.c into its own file. no functional change.
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.35 |
|
17-Oct-2004 |
drahn |
Fix some problems related to LD_LIBRARY_PATH parsing where it would not correctly deal with current directory searches specified by "::", ":foo" or "foo:"
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.34 |
|
05-Jul-2004 |
kjell |
Fix an issue where a shared library could be loaded at two different locations by resolving all dlopens back to a dev/inode.
i.e. Don't load a library if the dev/inode it stats back to matches one already in our list.
fix started (and ok'ed) drahn@. ok deraadt@. "doesn't break anything yet" pval@ art@ brad@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
|
#
1.33 |
|
02-Sep-2003 |
drahn |
Fix PR 3371, symbol lookup in dlopen()ed objects is not correct. Correct behavior for RTLD_GLOBAL/RTLD_LOCAL is now supported. ok espie@
|
#
1.32 |
|
18-Jul-2003 |
drahn |
Fix print if minor of library used is is less than requested. ok tdeval@
|
#
1.31 |
|
06-Jul-2003 |
deraadt |
various proto, ansi, and knf repair. tested on all architectures that use it. (build may require make cleandir because of .depend balony)
|
#
1.30 |
|
02-Jul-2003 |
niklas |
Correct library search algorithm, wrt versioned objects
|
#
1.29 |
|
22-Jun-2003 |
drahn |
Dynamic linking random order fixes. This enables random library ordering. Tested by naddy@ and others.
|
#
1.28 |
|
09-Jun-2003 |
deraadt |
pefo 3/4 licence cleanups
|
#
1.27 |
|
30-May-2003 |
drahn |
When loading a shared object or libraries dependant object, load them in random order. This will reduce the possiblity of a buffer overflow being able to predict the addresss of useful code. Can be disabled with the LD_NORANDOM environment variable for debugging purposes. ok deraadt.
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.26 |
|
02-Feb-2003 |
deraadt |
knf & ansi; drahn ok
|
#
1.25 |
|
30-Jan-2003 |
drahn |
Change the constructor execution order to initialize dependant libraries first. This mirrors the commit espie put in a.out ld.so recently.
|
#
1.24 |
|
13-Dec-2002 |
drahn |
Compare to ELFMAG byte by byte rather than using full fledged function. Also avoids a gas problem for the moment.
|
#
1.23 |
|
17-Nov-2002 |
drahn |
Terminate printed strings with newlines.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.22 |
|
08-Aug-2002 |
art |
There was a possible off-by-one in ld.so when loading shared libraries. In some (rare?) cases, where the bss was too small and fit entirely into the leftovers of the data segment we could map one extra page. This is slightly dangerous on PMAP_PREFER machines where mmaps allocations do not happen linearly in the virtual space and we could end up overwriting mappings that are already in use.
This also changes the initial allocation from being a MAP_ANON to a MAP_FILE so that we can pass the fd as a PMAP_PREFER hint.
|
#
1.21 |
|
24-Jul-2002 |
deraadt |
ok i found it
|
#
1.20 |
|
24-Jul-2002 |
deraadt |
back out broken stuff until it is fixed
|
#
1.19 |
|
24-Jul-2002 |
deraadt |
spacing
|
#
1.18 |
|
24-Jul-2002 |
deraadt |
cope with _dl_mmap() returning void *
|
#
1.17 |
|
23-Jul-2002 |
mickey |
match _dl_ syscall prototypes w/ the real syscalls prototypes, including args and return values; art@ ok
|
#
1.16 |
|
12-Jul-2002 |
drahn |
Change ld.so search order/method to match the a.out ld.so.
run destructors on dlclose()
Move more symbols into _dl_ private space, so that the proper (libc) version of the function will be used.
Add readdir() functionality to perform the proper library searching.
Support DL_PRELOAD
Do not relocate symbols if ld.so is being traced (and will exit).
Misc lint cleanup.
ok art@
|
#
1.15 |
|
05-Jun-2002 |
art |
Get rid of an unnecessary typedef (for future cleanup).
|
#
1.14 |
|
28-May-2002 |
deraadt |
more KNF
|
#
1.13 |
|
24-May-2002 |
drahn |
Change _dl_strcpy() to _dl_strlcpy(), implementation taken from libc.
|
#
1.12 |
|
24-May-2002 |
deraadt |
more KNF
|
#
1.11 |
|
24-May-2002 |
deraadt |
various KNF
|
Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE
|
#
1.10 |
|
22-Sep-2001 |
drahn |
Do not check for ':' twice, otherwise the rpath loses the first character after the : in the list of paths.
|
#
1.9 |
|
21-Aug-2001 |
drahn |
Fix up comment to indicate order that libraries in which the libraries are actually searched.
|
#
1.8 |
|
06-Aug-2001 |
drahn |
Change the priority of LD_LIBRARY_PATH, -rpath, and ldconfig path in ELF ld.so to match the behavior in a.out ld.so. The given order is the new order, previously ldconfig had highest priority, which made it impossible to override.
|
#
1.7 |
|
31-May-2001 |
art |
random indentation fixes (needs much more work).
|
#
1.6 |
|
11-May-2001 |
art |
MAP_COPY -> MAP_PRIVATE
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.5 |
|
02-Apr-2001 |
drahn |
Cleanup for 64bit support. Pieces by art, niklas and me. Only tested on powerpc.
|
#
1.4 |
|
30-Mar-2001 |
drahn |
Add infrastructure to allow mapping of text sections which are normally RO, RW while ld.so is working. And then the information to set the sections back to RO (or appropriate mode).
PowerPC now supports the typical NON-PIC relocations in ld.so. I do not know how well this will work with large shared libraries. I seem to recall a possible problem with large data where data is located in a different shared library.
|
#
1.3 |
|
16-Feb-2001 |
drahn |
Now that powerpc is using UVM, this shared library hack is no longer necessary.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.2 |
|
06-Oct-2000 |
rahnds |
Work around a shared library/pmap bug on the powerpc arch. Somehow it seems that the instruction cache will not get properly initialized or a problem exists with mmaping code and being able to execute it. This workaround is excessive in that it flushes the cache for the entire mmaped library. This slows down program startup, but seems to eliminate the problem.
|
#
1.1 |
|
13-Jun-2000 |
rahnds |
branches: 1.1.1; Initial revision
|
#
1.85 |
|
09-Dec-2019 |
deraadt |
print addresses upon msyscall failure, for now
|
#
1.84 |
|
29-Nov-2019 |
deraadt |
Repurpose the "syscalls must be on a writeable page" mechanism to enforce a new policy: system calls must be in pre-registered regions. We have discussed more strict checks than this, but none satisfy the cost/benefit based upon our understanding of attack methods, anyways let's see what the next iteration looks like.
This is intended to harden (translation: attackers must put extra effort into attacking) against a mixture of W^X failures and JIT bugs which allow syscall misinterpretation, especially in environments with polymorphic-instruction/variable-sized instructions. It fits in a bit with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash behaviour, particularily for remote problems. Less effective once on-host since someone the libraries can be read.
For static-executables the kernel registers the main program's PIE-mapped exec section valid, as well as the randomly-placed sigtramp page. For dynamic executables ELF ld.so's exec segment is also labelled valid; ld.so then has enough information to register libc's exec section as valid via call-once msyscall(2)
For dynamic binaries, we continue to to permit the main program exec segment because "go" (and potentially a few other applications) have embedded system calls in the main program. Hopefully at least go gets fixed soon.
We declare the concept of embedded syscalls a bad idea for numerous reasons, as we notice the ecosystem has many of static-syscall-in-base-binary which are dynamically linked against libraries which in turn use libc, which contains another set of syscall stubs. We've been concerned about adding even one additional syscall entry point... but go's approach tends to double the entry-point attack surface.
This was started at a nano-hackathon in Bob Beck's basement 2 weeks ago during a long discussion with mortimer trying to hide from the SSL scream-conversations, and finished in more comfortable circumstances next to a wood-stove at Elk Lakes cabin with UVM scream-conversations.
ok guenther kettenis mortimer, lots of feedback from others conversations about go with jsing tb sthen
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.83 |
|
04-Oct-2019 |
guenther |
Convert the child_list member from a linked list to a vector.
ok mpi@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.82 |
|
08-Dec-2017 |
deraadt |
Everyone knows this as ld.so, nor by the ancient name rtld. ok guenther
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.81 |
|
08-Feb-2017 |
guenther |
Provide size-generic ELF_NO_ADDR in <sys/exec_elf.h> and use that instead of ELFDEFNNAME(NO_ADDR)
ok jca@
|
#
1.80 |
|
24-Jan-2017 |
guenther |
On fatal errors, kill ourselves with thrkill(0,9,NULL) instead of simply exiting, via helper functions _dl_die(), _dl_diedie(), and _dl_oom().
prompted by a complaint from jsing@ ok jsing@ deraadt@
|
#
1.79 |
|
12-Aug-2016 |
deraadt |
the slimmed down random functions inside ld.so are strict clones of the libc arc4random API, so call them _dl_{arc4random,arcrandombuf} ok tedu guenther
|
#
1.78 |
|
08-Aug-2016 |
guenther |
Look for a PT_GNU_RELRO section per object and, if present, mprotect that range instead of the [__got_start, __got_end) range. On many archs this will cover _DYNAMIC too, so move up the DT_DEBUG handling to before relocations and the mprotect are done.
ok kettenis@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.77 |
|
04-Jul-2016 |
guenther |
Remove prebind support: binding to symbol table indices is too fragile for our development process.
ok kettenis@ deraadt@
|
#
1.76 |
|
08-Jun-2016 |
kettenis |
Some ELF ABIs still require a PLT that is both writable and executable. To avoid W^X violations, initially map such segments as writable and non-executable, and change the mapping to non-writable and executable after initial relocation processing. As a side-benefit this means we no longer depend on the __plt_start and __plt_end to make the PLT read-only after relocation processing.
This will break binaries linked with ld -Z, most notably emacs, on some of our architectures.
ok deraadt@, guenther@
|
#
1.75 |
|
07-May-2016 |
guenther |
Use a Thread Information Block in both single and multi-threaded programs. This stores errno, the cancelation flags, and related bits for each thread and is allocated by ld.so or libc.a. This is an ABI break from 5.9-stable!
Make libpthread dlopen'able by moving the cancelation wrappers into libc and doing locking and fork/errno handling via callbacks that libpthread registers when it first initializes. 'errno' *must* be declared via <errno.h> now!
Clean up libpthread's symbol exports like libc.
On powerpc, offset the TIB/TCB/TLS data from the register per the ELF spec.
Testing by various, particularly sthen@ and patrick@ ok kettenis@
|
#
1.74 |
|
20-Mar-2016 |
guenther |
Export environ and __progname, making the latter a copy of just the filename portion like crt0 does. This is prep for eliminating _dl_fixup_user_env() Mark almost everything in resolve.h as hidden, to improve code generation.
ok kettenis@ mpi@ "good time" deraadt@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.73 |
|
22-Dec-2015 |
mmcc |
assign pointers to NULL rather than 0
|
#
1.72 |
|
06-Nov-2015 |
guenther |
Fix unloading of load groups when the last reference wasn't on the load_object but rather some descendent. Detect that case in _dl_unload_shlib() and switch to unloading the entire group.
Based on partial analyses by Henri Kemppainen (duclare (at) guu.fi) and Peter Hajdu (peter.ferenc.hajdu (at) gmail.com) ok millert@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.71 |
|
16-Jan-2015 |
deraadt |
<sys/param.h> to <limits.h> conversion. Verified binaries ok millert, thanks to doug for process advice
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.70 |
|
10-Jul-2014 |
otto |
check all memory allocations; ok miod@ guenther@
|
#
1.69 |
|
09-Jul-2014 |
guenther |
Use O_CLOEXEC to make sure fork+exec in a threaded process can't see the fds used by dlopen()
ok otto@ miod@
|
#
1.68 |
|
21-Jun-2014 |
otto |
Move to a non-zeroing _dl_malloc, a _dl_calloc and _dl_reallocarry and fix _dl_strdup to return NULL instead of crash; ok deraadt@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.67 |
|
20-Aug-2012 |
matthew |
Add support for .openbsd.randomdata sections and PT_OPENBSD_RANDOMIZE segments to the kernel, ld (2.15), and ld.so. Tested on alpha, amd64, i386, macppc, and sparc64 (thanks naddy, mpi, and okan!).
Idea discussed for some time; committing now for further testing. ok deraadt
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.66 |
|
12-Jun-2012 |
matthew |
Fix loaded object sod matching: when we load libfoo.so.X.Y into memory, we should be able to match other requests for libfoo.so.X.Z against that same object.
ok kurt, kettenis
|
#
1.65 |
|
08-May-2012 |
jsing |
Refuse to load ELF objects that contain a PT_TLS program header. Otherwise the binary assumes that the requested TLS storage has been allocated and will happily use it, resulting in unwanted memory corruption.
ok guenther@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.64 |
|
09-Jan-2012 |
ariane |
Don't mmap 0 byte areas, treat them as a noop instead.
ok miod@
|
#
1.63 |
|
28-Nov-2011 |
guenther |
Add support for getting some flags from DT_FLAGS_1: new flags DF_1_NODELETE and DF_1_INITFIRST, as well as DF_1_NOW and DF_1_GLOBAL.
Committing for kurt@ who worked out the final version; ok guenther@ drahn@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.62 |
|
10-May-2011 |
otto |
Fix previous. On i386, library.c isn't compiled
|
#
1.61 |
|
09-May-2011 |
otto |
Outsmart gcc4 on mips* by moving the declaration of _dl_debug_state outside the file the call is in. Since the function is empty, gcc optmizes the call away, breaking the gdb hook needed to resolve symbols in lazy bound shared libs. Analysis by kettenis@; ok miod@ kettenis@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.60 |
|
16-Nov-2010 |
drahn |
Fix error message when ld.so ends up loading a different than expected library, but other library needs the one loaded. mostly ok kurt@
|
#
1.59 |
|
25-Oct-2010 |
kurt |
Search loaded libs first and add support for SONAME matching. ok drahn@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.58 |
|
02-Oct-2008 |
kurt |
Fix mmap() error checking to be correct 64-bit addresses. Consistently use _dl_mmap_error() to check for mmap() errors. Adjust datatypes of some local vars for 64-bit safety.
okay millert@ drahn@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.57 |
|
05-May-2008 |
kurt |
Constantly fill in the program header pointer and count in elf_object_t for all objects which simplifies phdr usage in a few places. "go for it" drahn@
|
#
1.56 |
|
09-Apr-2008 |
kurt |
Improve support for shared libs linked at non-zero addreses: - rename private values in struct elf_object to better describe their meaning: s/load_offs/obj_base/ "object's address '0' base" s/load_addr/load_base/ "The base address of the loadable segments" - gdb needs the obj_base value so swap positions with load_base in struct elf_object - fix a few occurrences of where load_base was used instead of obj_base.
With help and okay drahn@
|
#
1.55 |
|
02-Apr-2008 |
drahn |
Use the proper define for this address, not a incorrect (on 64bit) define. ok kurt@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE
|
#
1.54 |
|
08-May-2006 |
deraadt |
de-space
|
#
1.53 |
|
03-May-2006 |
drahn |
prebind - how to prelink a binary without throwing security out the window
Prelink fixes the address of libraries making 'return to libc' attacks trival, prebind uses a different method to achieve most of the same gains, however without adding any security conerns.
Still under development, now in-tree.
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.52 |
|
09-Nov-2005 |
kurt |
add RTLD_NOW support to dlopen and propogate -z now to dep libs. ok drahn@
|
#
1.51 |
|
12-Oct-2005 |
kurt |
add missing grpref unload propogation (sync with library_mquery)
|
#
1.50 |
|
12-Oct-2005 |
kurt |
Split grpsym_list creation away from child_list creation and change grpsym_list order to match Sun's docs. Also corrects bugs where grpsym_list was either not created or partially created.
|
#
1.49 |
|
09-Oct-2005 |
kurt |
introduce object ref count macros (suggested by dale). no functional change.
|
#
1.48 |
|
06-Oct-2005 |
kurt |
separate load group references from dep lib child/dload lists. move load group refs to own per object ref counter (grprefcount) and list (grpref_list). corrects more complex load group ref cases and side effects from initial implementation. design ideas and ok drahn@
|
#
1.47 |
|
03-Oct-2005 |
kurt |
refcount corrections: count common dep libs once and centralize dep lib refcount increments to _dl_link_sub. adjust _dl_notify_unload_shlib to match new refcount method. ok drahn@
|
#
1.46 |
|
01-Oct-2005 |
drahn |
handle references to load groups caused by dlopen()ing of depenant members of the load group. work by kurt@ and myself
|
#
1.45 |
|
28-Sep-2005 |
drahn |
correct last commit, in both files.
|
#
1.44 |
|
28-Sep-2005 |
drahn |
keep a state flag if a library has been unloaded, and then free the list seperately ok kurt@
|
#
1.43 |
|
27-Sep-2005 |
kurt |
increment refcount when opening a lib that is already open (dev/inode case) ok drahn@
|
#
1.42 |
|
26-Sep-2005 |
drahn |
Fully unload dependant libraries, fixes gphoto2 bug.
|
#
1.41 |
|
16-Sep-2005 |
drahn |
Rework symbol lookup to more closely match sun's documentation, now treats dlopens as load groups. ok kurt@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.40 |
|
23-May-2005 |
drahn |
fixes for dlclose, ok kettenis@
|
#
1.39 |
|
10-May-2005 |
drahn |
Recommit the destructor order fix, now that the amd64 bug was fixed. 'no problem' pval@
|
#
1.38 |
|
06-Apr-2005 |
deraadt |
backout -- breaks at least amd64; spotted by marc
|
#
1.37 |
|
05-Apr-2005 |
drahn |
Do a better job of running destructors in the right order.
|
#
1.36 |
|
23-Mar-2005 |
drahn |
Code reorganization, move copied code in library.c and library_mquery.c into its own file. no functional change.
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.35 |
|
17-Oct-2004 |
drahn |
Fix some problems related to LD_LIBRARY_PATH parsing where it would not correctly deal with current directory searches specified by "::", ":foo" or "foo:"
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.34 |
|
05-Jul-2004 |
kjell |
Fix an issue where a shared library could be loaded at two different locations by resolving all dlopens back to a dev/inode.
i.e. Don't load a library if the dev/inode it stats back to matches one already in our list.
fix started (and ok'ed) drahn@. ok deraadt@. "doesn't break anything yet" pval@ art@ brad@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
|
#
1.33 |
|
02-Sep-2003 |
drahn |
Fix PR 3371, symbol lookup in dlopen()ed objects is not correct. Correct behavior for RTLD_GLOBAL/RTLD_LOCAL is now supported. ok espie@
|
#
1.32 |
|
18-Jul-2003 |
drahn |
Fix print if minor of library used is is less than requested. ok tdeval@
|
#
1.31 |
|
06-Jul-2003 |
deraadt |
various proto, ansi, and knf repair. tested on all architectures that use it. (build may require make cleandir because of .depend balony)
|
#
1.30 |
|
02-Jul-2003 |
niklas |
Correct library search algorithm, wrt versioned objects
|
#
1.29 |
|
22-Jun-2003 |
drahn |
Dynamic linking random order fixes. This enables random library ordering. Tested by naddy@ and others.
|
#
1.28 |
|
09-Jun-2003 |
deraadt |
pefo 3/4 licence cleanups
|
#
1.27 |
|
30-May-2003 |
drahn |
When loading a shared object or libraries dependant object, load them in random order. This will reduce the possiblity of a buffer overflow being able to predict the addresss of useful code. Can be disabled with the LD_NORANDOM environment variable for debugging purposes. ok deraadt.
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.26 |
|
02-Feb-2003 |
deraadt |
knf & ansi; drahn ok
|
#
1.25 |
|
30-Jan-2003 |
drahn |
Change the constructor execution order to initialize dependant libraries first. This mirrors the commit espie put in a.out ld.so recently.
|
#
1.24 |
|
13-Dec-2002 |
drahn |
Compare to ELFMAG byte by byte rather than using full fledged function. Also avoids a gas problem for the moment.
|
#
1.23 |
|
17-Nov-2002 |
drahn |
Terminate printed strings with newlines.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.22 |
|
08-Aug-2002 |
art |
There was a possible off-by-one in ld.so when loading shared libraries. In some (rare?) cases, where the bss was too small and fit entirely into the leftovers of the data segment we could map one extra page. This is slightly dangerous on PMAP_PREFER machines where mmaps allocations do not happen linearly in the virtual space and we could end up overwriting mappings that are already in use.
This also changes the initial allocation from being a MAP_ANON to a MAP_FILE so that we can pass the fd as a PMAP_PREFER hint.
|
#
1.21 |
|
24-Jul-2002 |
deraadt |
ok i found it
|
#
1.20 |
|
24-Jul-2002 |
deraadt |
back out broken stuff until it is fixed
|
#
1.19 |
|
24-Jul-2002 |
deraadt |
spacing
|
#
1.18 |
|
24-Jul-2002 |
deraadt |
cope with _dl_mmap() returning void *
|
#
1.17 |
|
23-Jul-2002 |
mickey |
match _dl_ syscall prototypes w/ the real syscalls prototypes, including args and return values; art@ ok
|
#
1.16 |
|
12-Jul-2002 |
drahn |
Change ld.so search order/method to match the a.out ld.so.
run destructors on dlclose()
Move more symbols into _dl_ private space, so that the proper (libc) version of the function will be used.
Add readdir() functionality to perform the proper library searching.
Support DL_PRELOAD
Do not relocate symbols if ld.so is being traced (and will exit).
Misc lint cleanup.
ok art@
|
#
1.15 |
|
05-Jun-2002 |
art |
Get rid of an unnecessary typedef (for future cleanup).
|
#
1.14 |
|
28-May-2002 |
deraadt |
more KNF
|
#
1.13 |
|
24-May-2002 |
drahn |
Change _dl_strcpy() to _dl_strlcpy(), implementation taken from libc.
|
#
1.12 |
|
24-May-2002 |
deraadt |
more KNF
|
#
1.11 |
|
24-May-2002 |
deraadt |
various KNF
|
Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE
|
#
1.10 |
|
22-Sep-2001 |
drahn |
Do not check for ':' twice, otherwise the rpath loses the first character after the : in the list of paths.
|
#
1.9 |
|
21-Aug-2001 |
drahn |
Fix up comment to indicate order that libraries in which the libraries are actually searched.
|
#
1.8 |
|
06-Aug-2001 |
drahn |
Change the priority of LD_LIBRARY_PATH, -rpath, and ldconfig path in ELF ld.so to match the behavior in a.out ld.so. The given order is the new order, previously ldconfig had highest priority, which made it impossible to override.
|
#
1.7 |
|
31-May-2001 |
art |
random indentation fixes (needs much more work).
|
#
1.6 |
|
11-May-2001 |
art |
MAP_COPY -> MAP_PRIVATE
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.5 |
|
02-Apr-2001 |
drahn |
Cleanup for 64bit support. Pieces by art, niklas and me. Only tested on powerpc.
|
#
1.4 |
|
30-Mar-2001 |
drahn |
Add infrastructure to allow mapping of text sections which are normally RO, RW while ld.so is working. And then the information to set the sections back to RO (or appropriate mode).
PowerPC now supports the typical NON-PIC relocations in ld.so. I do not know how well this will work with large shared libraries. I seem to recall a possible problem with large data where data is located in a different shared library.
|
#
1.3 |
|
16-Feb-2001 |
drahn |
Now that powerpc is using UVM, this shared library hack is no longer necessary.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.2 |
|
06-Oct-2000 |
rahnds |
Work around a shared library/pmap bug on the powerpc arch. Somehow it seems that the instruction cache will not get properly initialized or a problem exists with mmaping code and being able to execute it. This workaround is excessive in that it flushes the cache for the entire mmaped library. This slows down program startup, but seems to eliminate the problem.
|
#
1.1 |
|
13-Jun-2000 |
rahnds |
branches: 1.1.1; Initial revision
|
#
1.84 |
|
29-Nov-2019 |
deraadt |
Repurpose the "syscalls must be on a writeable page" mechanism to enforce a new policy: system calls must be in pre-registered regions. We have discussed more strict checks than this, but none satisfy the cost/benefit based upon our understanding of attack methods, anyways let's see what the next iteration looks like.
This is intended to harden (translation: attackers must put extra effort into attacking) against a mixture of W^X failures and JIT bugs which allow syscall misinterpretation, especially in environments with polymorphic-instruction/variable-sized instructions. It fits in a bit with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash behaviour, particularily for remote problems. Less effective once on-host since someone the libraries can be read.
For static-executables the kernel registers the main program's PIE-mapped exec section valid, as well as the randomly-placed sigtramp page. For dynamic executables ELF ld.so's exec segment is also labelled valid; ld.so then has enough information to register libc's exec section as valid via call-once msyscall(2)
For dynamic binaries, we continue to to permit the main program exec segment because "go" (and potentially a few other applications) have embedded system calls in the main program. Hopefully at least go gets fixed soon.
We declare the concept of embedded syscalls a bad idea for numerous reasons, as we notice the ecosystem has many of static-syscall-in-base-binary which are dynamically linked against libraries which in turn use libc, which contains another set of syscall stubs. We've been concerned about adding even one additional syscall entry point... but go's approach tends to double the entry-point attack surface.
This was started at a nano-hackathon in Bob Beck's basement 2 weeks ago during a long discussion with mortimer trying to hide from the SSL scream-conversations, and finished in more comfortable circumstances next to a wood-stove at Elk Lakes cabin with UVM scream-conversations.
ok guenther kettenis mortimer, lots of feedback from others conversations about go with jsing tb sthen
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.83 |
|
04-Oct-2019 |
guenther |
Convert the child_list member from a linked list to a vector.
ok mpi@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.82 |
|
08-Dec-2017 |
deraadt |
Everyone knows this as ld.so, nor by the ancient name rtld. ok guenther
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.81 |
|
08-Feb-2017 |
guenther |
Provide size-generic ELF_NO_ADDR in <sys/exec_elf.h> and use that instead of ELFDEFNNAME(NO_ADDR)
ok jca@
|
#
1.80 |
|
24-Jan-2017 |
guenther |
On fatal errors, kill ourselves with thrkill(0,9,NULL) instead of simply exiting, via helper functions _dl_die(), _dl_diedie(), and _dl_oom().
prompted by a complaint from jsing@ ok jsing@ deraadt@
|
#
1.79 |
|
12-Aug-2016 |
deraadt |
the slimmed down random functions inside ld.so are strict clones of the libc arc4random API, so call them _dl_{arc4random,arcrandombuf} ok tedu guenther
|
#
1.78 |
|
08-Aug-2016 |
guenther |
Look for a PT_GNU_RELRO section per object and, if present, mprotect that range instead of the [__got_start, __got_end) range. On many archs this will cover _DYNAMIC too, so move up the DT_DEBUG handling to before relocations and the mprotect are done.
ok kettenis@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.77 |
|
04-Jul-2016 |
guenther |
Remove prebind support: binding to symbol table indices is too fragile for our development process.
ok kettenis@ deraadt@
|
#
1.76 |
|
08-Jun-2016 |
kettenis |
Some ELF ABIs still require a PLT that is both writable and executable. To avoid W^X violations, initially map such segments as writable and non-executable, and change the mapping to non-writable and executable after initial relocation processing. As a side-benefit this means we no longer depend on the __plt_start and __plt_end to make the PLT read-only after relocation processing.
This will break binaries linked with ld -Z, most notably emacs, on some of our architectures.
ok deraadt@, guenther@
|
#
1.75 |
|
07-May-2016 |
guenther |
Use a Thread Information Block in both single and multi-threaded programs. This stores errno, the cancelation flags, and related bits for each thread and is allocated by ld.so or libc.a. This is an ABI break from 5.9-stable!
Make libpthread dlopen'able by moving the cancelation wrappers into libc and doing locking and fork/errno handling via callbacks that libpthread registers when it first initializes. 'errno' *must* be declared via <errno.h> now!
Clean up libpthread's symbol exports like libc.
On powerpc, offset the TIB/TCB/TLS data from the register per the ELF spec.
Testing by various, particularly sthen@ and patrick@ ok kettenis@
|
#
1.74 |
|
20-Mar-2016 |
guenther |
Export environ and __progname, making the latter a copy of just the filename portion like crt0 does. This is prep for eliminating _dl_fixup_user_env() Mark almost everything in resolve.h as hidden, to improve code generation.
ok kettenis@ mpi@ "good time" deraadt@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.73 |
|
22-Dec-2015 |
mmcc |
assign pointers to NULL rather than 0
|
#
1.72 |
|
06-Nov-2015 |
guenther |
Fix unloading of load groups when the last reference wasn't on the load_object but rather some descendent. Detect that case in _dl_unload_shlib() and switch to unloading the entire group.
Based on partial analyses by Henri Kemppainen (duclare (at) guu.fi) and Peter Hajdu (peter.ferenc.hajdu (at) gmail.com) ok millert@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.71 |
|
16-Jan-2015 |
deraadt |
<sys/param.h> to <limits.h> conversion. Verified binaries ok millert, thanks to doug for process advice
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.70 |
|
10-Jul-2014 |
otto |
check all memory allocations; ok miod@ guenther@
|
#
1.69 |
|
09-Jul-2014 |
guenther |
Use O_CLOEXEC to make sure fork+exec in a threaded process can't see the fds used by dlopen()
ok otto@ miod@
|
#
1.68 |
|
21-Jun-2014 |
otto |
Move to a non-zeroing _dl_malloc, a _dl_calloc and _dl_reallocarry and fix _dl_strdup to return NULL instead of crash; ok deraadt@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.67 |
|
20-Aug-2012 |
matthew |
Add support for .openbsd.randomdata sections and PT_OPENBSD_RANDOMIZE segments to the kernel, ld (2.15), and ld.so. Tested on alpha, amd64, i386, macppc, and sparc64 (thanks naddy, mpi, and okan!).
Idea discussed for some time; committing now for further testing. ok deraadt
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.66 |
|
12-Jun-2012 |
matthew |
Fix loaded object sod matching: when we load libfoo.so.X.Y into memory, we should be able to match other requests for libfoo.so.X.Z against that same object.
ok kurt, kettenis
|
#
1.65 |
|
08-May-2012 |
jsing |
Refuse to load ELF objects that contain a PT_TLS program header. Otherwise the binary assumes that the requested TLS storage has been allocated and will happily use it, resulting in unwanted memory corruption.
ok guenther@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.64 |
|
09-Jan-2012 |
ariane |
Don't mmap 0 byte areas, treat them as a noop instead.
ok miod@
|
#
1.63 |
|
28-Nov-2011 |
guenther |
Add support for getting some flags from DT_FLAGS_1: new flags DF_1_NODELETE and DF_1_INITFIRST, as well as DF_1_NOW and DF_1_GLOBAL.
Committing for kurt@ who worked out the final version; ok guenther@ drahn@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.62 |
|
10-May-2011 |
otto |
Fix previous. On i386, library.c isn't compiled
|
#
1.61 |
|
09-May-2011 |
otto |
Outsmart gcc4 on mips* by moving the declaration of _dl_debug_state outside the file the call is in. Since the function is empty, gcc optmizes the call away, breaking the gdb hook needed to resolve symbols in lazy bound shared libs. Analysis by kettenis@; ok miod@ kettenis@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.60 |
|
16-Nov-2010 |
drahn |
Fix error message when ld.so ends up loading a different than expected library, but other library needs the one loaded. mostly ok kurt@
|
#
1.59 |
|
25-Oct-2010 |
kurt |
Search loaded libs first and add support for SONAME matching. ok drahn@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.58 |
|
02-Oct-2008 |
kurt |
Fix mmap() error checking to be correct 64-bit addresses. Consistently use _dl_mmap_error() to check for mmap() errors. Adjust datatypes of some local vars for 64-bit safety.
okay millert@ drahn@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.57 |
|
05-May-2008 |
kurt |
Constantly fill in the program header pointer and count in elf_object_t for all objects which simplifies phdr usage in a few places. "go for it" drahn@
|
#
1.56 |
|
09-Apr-2008 |
kurt |
Improve support for shared libs linked at non-zero addreses: - rename private values in struct elf_object to better describe their meaning: s/load_offs/obj_base/ "object's address '0' base" s/load_addr/load_base/ "The base address of the loadable segments" - gdb needs the obj_base value so swap positions with load_base in struct elf_object - fix a few occurrences of where load_base was used instead of obj_base.
With help and okay drahn@
|
#
1.55 |
|
02-Apr-2008 |
drahn |
Use the proper define for this address, not a incorrect (on 64bit) define. ok kurt@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE
|
#
1.54 |
|
08-May-2006 |
deraadt |
de-space
|
#
1.53 |
|
03-May-2006 |
drahn |
prebind - how to prelink a binary without throwing security out the window
Prelink fixes the address of libraries making 'return to libc' attacks trival, prebind uses a different method to achieve most of the same gains, however without adding any security conerns.
Still under development, now in-tree.
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.52 |
|
09-Nov-2005 |
kurt |
add RTLD_NOW support to dlopen and propogate -z now to dep libs. ok drahn@
|
#
1.51 |
|
12-Oct-2005 |
kurt |
add missing grpref unload propogation (sync with library_mquery)
|
#
1.50 |
|
12-Oct-2005 |
kurt |
Split grpsym_list creation away from child_list creation and change grpsym_list order to match Sun's docs. Also corrects bugs where grpsym_list was either not created or partially created.
|
#
1.49 |
|
09-Oct-2005 |
kurt |
introduce object ref count macros (suggested by dale). no functional change.
|
#
1.48 |
|
06-Oct-2005 |
kurt |
separate load group references from dep lib child/dload lists. move load group refs to own per object ref counter (grprefcount) and list (grpref_list). corrects more complex load group ref cases and side effects from initial implementation. design ideas and ok drahn@
|
#
1.47 |
|
03-Oct-2005 |
kurt |
refcount corrections: count common dep libs once and centralize dep lib refcount increments to _dl_link_sub. adjust _dl_notify_unload_shlib to match new refcount method. ok drahn@
|
#
1.46 |
|
01-Oct-2005 |
drahn |
handle references to load groups caused by dlopen()ing of depenant members of the load group. work by kurt@ and myself
|
#
1.45 |
|
28-Sep-2005 |
drahn |
correct last commit, in both files.
|
#
1.44 |
|
28-Sep-2005 |
drahn |
keep a state flag if a library has been unloaded, and then free the list seperately ok kurt@
|
#
1.43 |
|
27-Sep-2005 |
kurt |
increment refcount when opening a lib that is already open (dev/inode case) ok drahn@
|
#
1.42 |
|
26-Sep-2005 |
drahn |
Fully unload dependant libraries, fixes gphoto2 bug.
|
#
1.41 |
|
16-Sep-2005 |
drahn |
Rework symbol lookup to more closely match sun's documentation, now treats dlopens as load groups. ok kurt@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.40 |
|
23-May-2005 |
drahn |
fixes for dlclose, ok kettenis@
|
#
1.39 |
|
10-May-2005 |
drahn |
Recommit the destructor order fix, now that the amd64 bug was fixed. 'no problem' pval@
|
#
1.38 |
|
06-Apr-2005 |
deraadt |
backout -- breaks at least amd64; spotted by marc
|
#
1.37 |
|
05-Apr-2005 |
drahn |
Do a better job of running destructors in the right order.
|
#
1.36 |
|
23-Mar-2005 |
drahn |
Code reorganization, move copied code in library.c and library_mquery.c into its own file. no functional change.
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.35 |
|
17-Oct-2004 |
drahn |
Fix some problems related to LD_LIBRARY_PATH parsing where it would not correctly deal with current directory searches specified by "::", ":foo" or "foo:"
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.34 |
|
05-Jul-2004 |
kjell |
Fix an issue where a shared library could be loaded at two different locations by resolving all dlopens back to a dev/inode.
i.e. Don't load a library if the dev/inode it stats back to matches one already in our list.
fix started (and ok'ed) drahn@. ok deraadt@. "doesn't break anything yet" pval@ art@ brad@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
|
#
1.33 |
|
02-Sep-2003 |
drahn |
Fix PR 3371, symbol lookup in dlopen()ed objects is not correct. Correct behavior for RTLD_GLOBAL/RTLD_LOCAL is now supported. ok espie@
|
#
1.32 |
|
18-Jul-2003 |
drahn |
Fix print if minor of library used is is less than requested. ok tdeval@
|
#
1.31 |
|
06-Jul-2003 |
deraadt |
various proto, ansi, and knf repair. tested on all architectures that use it. (build may require make cleandir because of .depend balony)
|
#
1.30 |
|
02-Jul-2003 |
niklas |
Correct library search algorithm, wrt versioned objects
|
#
1.29 |
|
22-Jun-2003 |
drahn |
Dynamic linking random order fixes. This enables random library ordering. Tested by naddy@ and others.
|
#
1.28 |
|
09-Jun-2003 |
deraadt |
pefo 3/4 licence cleanups
|
#
1.27 |
|
30-May-2003 |
drahn |
When loading a shared object or libraries dependant object, load them in random order. This will reduce the possiblity of a buffer overflow being able to predict the addresss of useful code. Can be disabled with the LD_NORANDOM environment variable for debugging purposes. ok deraadt.
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.26 |
|
02-Feb-2003 |
deraadt |
knf & ansi; drahn ok
|
#
1.25 |
|
30-Jan-2003 |
drahn |
Change the constructor execution order to initialize dependant libraries first. This mirrors the commit espie put in a.out ld.so recently.
|
#
1.24 |
|
13-Dec-2002 |
drahn |
Compare to ELFMAG byte by byte rather than using full fledged function. Also avoids a gas problem for the moment.
|
#
1.23 |
|
17-Nov-2002 |
drahn |
Terminate printed strings with newlines.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.22 |
|
08-Aug-2002 |
art |
There was a possible off-by-one in ld.so when loading shared libraries. In some (rare?) cases, where the bss was too small and fit entirely into the leftovers of the data segment we could map one extra page. This is slightly dangerous on PMAP_PREFER machines where mmaps allocations do not happen linearly in the virtual space and we could end up overwriting mappings that are already in use.
This also changes the initial allocation from being a MAP_ANON to a MAP_FILE so that we can pass the fd as a PMAP_PREFER hint.
|
#
1.21 |
|
24-Jul-2002 |
deraadt |
ok i found it
|
#
1.20 |
|
24-Jul-2002 |
deraadt |
back out broken stuff until it is fixed
|
#
1.19 |
|
24-Jul-2002 |
deraadt |
spacing
|
#
1.18 |
|
24-Jul-2002 |
deraadt |
cope with _dl_mmap() returning void *
|
#
1.17 |
|
23-Jul-2002 |
mickey |
match _dl_ syscall prototypes w/ the real syscalls prototypes, including args and return values; art@ ok
|
#
1.16 |
|
12-Jul-2002 |
drahn |
Change ld.so search order/method to match the a.out ld.so.
run destructors on dlclose()
Move more symbols into _dl_ private space, so that the proper (libc) version of the function will be used.
Add readdir() functionality to perform the proper library searching.
Support DL_PRELOAD
Do not relocate symbols if ld.so is being traced (and will exit).
Misc lint cleanup.
ok art@
|
#
1.15 |
|
05-Jun-2002 |
art |
Get rid of an unnecessary typedef (for future cleanup).
|
#
1.14 |
|
28-May-2002 |
deraadt |
more KNF
|
#
1.13 |
|
24-May-2002 |
drahn |
Change _dl_strcpy() to _dl_strlcpy(), implementation taken from libc.
|
#
1.12 |
|
24-May-2002 |
deraadt |
more KNF
|
#
1.11 |
|
24-May-2002 |
deraadt |
various KNF
|
Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE
|
#
1.10 |
|
22-Sep-2001 |
drahn |
Do not check for ':' twice, otherwise the rpath loses the first character after the : in the list of paths.
|
#
1.9 |
|
21-Aug-2001 |
drahn |
Fix up comment to indicate order that libraries in which the libraries are actually searched.
|
#
1.8 |
|
06-Aug-2001 |
drahn |
Change the priority of LD_LIBRARY_PATH, -rpath, and ldconfig path in ELF ld.so to match the behavior in a.out ld.so. The given order is the new order, previously ldconfig had highest priority, which made it impossible to override.
|
#
1.7 |
|
31-May-2001 |
art |
random indentation fixes (needs much more work).
|
#
1.6 |
|
11-May-2001 |
art |
MAP_COPY -> MAP_PRIVATE
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.5 |
|
02-Apr-2001 |
drahn |
Cleanup for 64bit support. Pieces by art, niklas and me. Only tested on powerpc.
|
#
1.4 |
|
30-Mar-2001 |
drahn |
Add infrastructure to allow mapping of text sections which are normally RO, RW while ld.so is working. And then the information to set the sections back to RO (or appropriate mode).
PowerPC now supports the typical NON-PIC relocations in ld.so. I do not know how well this will work with large shared libraries. I seem to recall a possible problem with large data where data is located in a different shared library.
|
#
1.3 |
|
16-Feb-2001 |
drahn |
Now that powerpc is using UVM, this shared library hack is no longer necessary.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.2 |
|
06-Oct-2000 |
rahnds |
Work around a shared library/pmap bug on the powerpc arch. Somehow it seems that the instruction cache will not get properly initialized or a problem exists with mmaping code and being able to execute it. This workaround is excessive in that it flushes the cache for the entire mmaped library. This slows down program startup, but seems to eliminate the problem.
|
#
1.1 |
|
13-Jun-2000 |
rahnds |
branches: 1.1.1; Initial revision
|
#
1.83 |
|
04-Oct-2019 |
guenther |
Convert the child_list member from a linked list to a vector.
ok mpi@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.82 |
|
08-Dec-2017 |
deraadt |
Everyone knows this as ld.so, nor by the ancient name rtld. ok guenther
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.81 |
|
08-Feb-2017 |
guenther |
Provide size-generic ELF_NO_ADDR in <sys/exec_elf.h> and use that instead of ELFDEFNNAME(NO_ADDR)
ok jca@
|
#
1.80 |
|
24-Jan-2017 |
guenther |
On fatal errors, kill ourselves with thrkill(0,9,NULL) instead of simply exiting, via helper functions _dl_die(), _dl_diedie(), and _dl_oom().
prompted by a complaint from jsing@ ok jsing@ deraadt@
|
#
1.79 |
|
12-Aug-2016 |
deraadt |
the slimmed down random functions inside ld.so are strict clones of the libc arc4random API, so call them _dl_{arc4random,arcrandombuf} ok tedu guenther
|
#
1.78 |
|
08-Aug-2016 |
guenther |
Look for a PT_GNU_RELRO section per object and, if present, mprotect that range instead of the [__got_start, __got_end) range. On many archs this will cover _DYNAMIC too, so move up the DT_DEBUG handling to before relocations and the mprotect are done.
ok kettenis@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.77 |
|
04-Jul-2016 |
guenther |
Remove prebind support: binding to symbol table indices is too fragile for our development process.
ok kettenis@ deraadt@
|
#
1.76 |
|
08-Jun-2016 |
kettenis |
Some ELF ABIs still require a PLT that is both writable and executable. To avoid W^X violations, initially map such segments as writable and non-executable, and change the mapping to non-writable and executable after initial relocation processing. As a side-benefit this means we no longer depend on the __plt_start and __plt_end to make the PLT read-only after relocation processing.
This will break binaries linked with ld -Z, most notably emacs, on some of our architectures.
ok deraadt@, guenther@
|
#
1.75 |
|
07-May-2016 |
guenther |
Use a Thread Information Block in both single and multi-threaded programs. This stores errno, the cancelation flags, and related bits for each thread and is allocated by ld.so or libc.a. This is an ABI break from 5.9-stable!
Make libpthread dlopen'able by moving the cancelation wrappers into libc and doing locking and fork/errno handling via callbacks that libpthread registers when it first initializes. 'errno' *must* be declared via <errno.h> now!
Clean up libpthread's symbol exports like libc.
On powerpc, offset the TIB/TCB/TLS data from the register per the ELF spec.
Testing by various, particularly sthen@ and patrick@ ok kettenis@
|
#
1.74 |
|
20-Mar-2016 |
guenther |
Export environ and __progname, making the latter a copy of just the filename portion like crt0 does. This is prep for eliminating _dl_fixup_user_env() Mark almost everything in resolve.h as hidden, to improve code generation.
ok kettenis@ mpi@ "good time" deraadt@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.73 |
|
22-Dec-2015 |
mmcc |
assign pointers to NULL rather than 0
|
#
1.72 |
|
06-Nov-2015 |
guenther |
Fix unloading of load groups when the last reference wasn't on the load_object but rather some descendent. Detect that case in _dl_unload_shlib() and switch to unloading the entire group.
Based on partial analyses by Henri Kemppainen (duclare (at) guu.fi) and Peter Hajdu (peter.ferenc.hajdu (at) gmail.com) ok millert@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.71 |
|
16-Jan-2015 |
deraadt |
<sys/param.h> to <limits.h> conversion. Verified binaries ok millert, thanks to doug for process advice
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.70 |
|
10-Jul-2014 |
otto |
check all memory allocations; ok miod@ guenther@
|
#
1.69 |
|
09-Jul-2014 |
guenther |
Use O_CLOEXEC to make sure fork+exec in a threaded process can't see the fds used by dlopen()
ok otto@ miod@
|
#
1.68 |
|
21-Jun-2014 |
otto |
Move to a non-zeroing _dl_malloc, a _dl_calloc and _dl_reallocarry and fix _dl_strdup to return NULL instead of crash; ok deraadt@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.67 |
|
20-Aug-2012 |
matthew |
Add support for .openbsd.randomdata sections and PT_OPENBSD_RANDOMIZE segments to the kernel, ld (2.15), and ld.so. Tested on alpha, amd64, i386, macppc, and sparc64 (thanks naddy, mpi, and okan!).
Idea discussed for some time; committing now for further testing. ok deraadt
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.66 |
|
12-Jun-2012 |
matthew |
Fix loaded object sod matching: when we load libfoo.so.X.Y into memory, we should be able to match other requests for libfoo.so.X.Z against that same object.
ok kurt, kettenis
|
#
1.65 |
|
08-May-2012 |
jsing |
Refuse to load ELF objects that contain a PT_TLS program header. Otherwise the binary assumes that the requested TLS storage has been allocated and will happily use it, resulting in unwanted memory corruption.
ok guenther@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.64 |
|
09-Jan-2012 |
ariane |
Don't mmap 0 byte areas, treat them as a noop instead.
ok miod@
|
#
1.63 |
|
28-Nov-2011 |
guenther |
Add support for getting some flags from DT_FLAGS_1: new flags DF_1_NODELETE and DF_1_INITFIRST, as well as DF_1_NOW and DF_1_GLOBAL.
Committing for kurt@ who worked out the final version; ok guenther@ drahn@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.62 |
|
10-May-2011 |
otto |
Fix previous. On i386, library.c isn't compiled
|
#
1.61 |
|
09-May-2011 |
otto |
Outsmart gcc4 on mips* by moving the declaration of _dl_debug_state outside the file the call is in. Since the function is empty, gcc optmizes the call away, breaking the gdb hook needed to resolve symbols in lazy bound shared libs. Analysis by kettenis@; ok miod@ kettenis@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.60 |
|
16-Nov-2010 |
drahn |
Fix error message when ld.so ends up loading a different than expected library, but other library needs the one loaded. mostly ok kurt@
|
#
1.59 |
|
25-Oct-2010 |
kurt |
Search loaded libs first and add support for SONAME matching. ok drahn@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.58 |
|
02-Oct-2008 |
kurt |
Fix mmap() error checking to be correct 64-bit addresses. Consistently use _dl_mmap_error() to check for mmap() errors. Adjust datatypes of some local vars for 64-bit safety.
okay millert@ drahn@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.57 |
|
05-May-2008 |
kurt |
Constantly fill in the program header pointer and count in elf_object_t for all objects which simplifies phdr usage in a few places. "go for it" drahn@
|
#
1.56 |
|
09-Apr-2008 |
kurt |
Improve support for shared libs linked at non-zero addreses: - rename private values in struct elf_object to better describe their meaning: s/load_offs/obj_base/ "object's address '0' base" s/load_addr/load_base/ "The base address of the loadable segments" - gdb needs the obj_base value so swap positions with load_base in struct elf_object - fix a few occurrences of where load_base was used instead of obj_base.
With help and okay drahn@
|
#
1.55 |
|
02-Apr-2008 |
drahn |
Use the proper define for this address, not a incorrect (on 64bit) define. ok kurt@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE
|
#
1.54 |
|
08-May-2006 |
deraadt |
de-space
|
#
1.53 |
|
03-May-2006 |
drahn |
prebind - how to prelink a binary without throwing security out the window
Prelink fixes the address of libraries making 'return to libc' attacks trival, prebind uses a different method to achieve most of the same gains, however without adding any security conerns.
Still under development, now in-tree.
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.52 |
|
09-Nov-2005 |
kurt |
add RTLD_NOW support to dlopen and propogate -z now to dep libs. ok drahn@
|
#
1.51 |
|
12-Oct-2005 |
kurt |
add missing grpref unload propogation (sync with library_mquery)
|
#
1.50 |
|
12-Oct-2005 |
kurt |
Split grpsym_list creation away from child_list creation and change grpsym_list order to match Sun's docs. Also corrects bugs where grpsym_list was either not created or partially created.
|
#
1.49 |
|
09-Oct-2005 |
kurt |
introduce object ref count macros (suggested by dale). no functional change.
|
#
1.48 |
|
06-Oct-2005 |
kurt |
separate load group references from dep lib child/dload lists. move load group refs to own per object ref counter (grprefcount) and list (grpref_list). corrects more complex load group ref cases and side effects from initial implementation. design ideas and ok drahn@
|
#
1.47 |
|
03-Oct-2005 |
kurt |
refcount corrections: count common dep libs once and centralize dep lib refcount increments to _dl_link_sub. adjust _dl_notify_unload_shlib to match new refcount method. ok drahn@
|
#
1.46 |
|
01-Oct-2005 |
drahn |
handle references to load groups caused by dlopen()ing of depenant members of the load group. work by kurt@ and myself
|
#
1.45 |
|
28-Sep-2005 |
drahn |
correct last commit, in both files.
|
#
1.44 |
|
28-Sep-2005 |
drahn |
keep a state flag if a library has been unloaded, and then free the list seperately ok kurt@
|
#
1.43 |
|
27-Sep-2005 |
kurt |
increment refcount when opening a lib that is already open (dev/inode case) ok drahn@
|
#
1.42 |
|
26-Sep-2005 |
drahn |
Fully unload dependant libraries, fixes gphoto2 bug.
|
#
1.41 |
|
16-Sep-2005 |
drahn |
Rework symbol lookup to more closely match sun's documentation, now treats dlopens as load groups. ok kurt@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.40 |
|
23-May-2005 |
drahn |
fixes for dlclose, ok kettenis@
|
#
1.39 |
|
10-May-2005 |
drahn |
Recommit the destructor order fix, now that the amd64 bug was fixed. 'no problem' pval@
|
#
1.38 |
|
06-Apr-2005 |
deraadt |
backout -- breaks at least amd64; spotted by marc
|
#
1.37 |
|
05-Apr-2005 |
drahn |
Do a better job of running destructors in the right order.
|
#
1.36 |
|
23-Mar-2005 |
drahn |
Code reorganization, move copied code in library.c and library_mquery.c into its own file. no functional change.
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.35 |
|
17-Oct-2004 |
drahn |
Fix some problems related to LD_LIBRARY_PATH parsing where it would not correctly deal with current directory searches specified by "::", ":foo" or "foo:"
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.34 |
|
05-Jul-2004 |
kjell |
Fix an issue where a shared library could be loaded at two different locations by resolving all dlopens back to a dev/inode.
i.e. Don't load a library if the dev/inode it stats back to matches one already in our list.
fix started (and ok'ed) drahn@. ok deraadt@. "doesn't break anything yet" pval@ art@ brad@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
|
#
1.33 |
|
02-Sep-2003 |
drahn |
Fix PR 3371, symbol lookup in dlopen()ed objects is not correct. Correct behavior for RTLD_GLOBAL/RTLD_LOCAL is now supported. ok espie@
|
#
1.32 |
|
18-Jul-2003 |
drahn |
Fix print if minor of library used is is less than requested. ok tdeval@
|
#
1.31 |
|
06-Jul-2003 |
deraadt |
various proto, ansi, and knf repair. tested on all architectures that use it. (build may require make cleandir because of .depend balony)
|
#
1.30 |
|
02-Jul-2003 |
niklas |
Correct library search algorithm, wrt versioned objects
|
#
1.29 |
|
22-Jun-2003 |
drahn |
Dynamic linking random order fixes. This enables random library ordering. Tested by naddy@ and others.
|
#
1.28 |
|
09-Jun-2003 |
deraadt |
pefo 3/4 licence cleanups
|
#
1.27 |
|
30-May-2003 |
drahn |
When loading a shared object or libraries dependant object, load them in random order. This will reduce the possiblity of a buffer overflow being able to predict the addresss of useful code. Can be disabled with the LD_NORANDOM environment variable for debugging purposes. ok deraadt.
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.26 |
|
02-Feb-2003 |
deraadt |
knf & ansi; drahn ok
|
#
1.25 |
|
30-Jan-2003 |
drahn |
Change the constructor execution order to initialize dependant libraries first. This mirrors the commit espie put in a.out ld.so recently.
|
#
1.24 |
|
13-Dec-2002 |
drahn |
Compare to ELFMAG byte by byte rather than using full fledged function. Also avoids a gas problem for the moment.
|
#
1.23 |
|
17-Nov-2002 |
drahn |
Terminate printed strings with newlines.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.22 |
|
08-Aug-2002 |
art |
There was a possible off-by-one in ld.so when loading shared libraries. In some (rare?) cases, where the bss was too small and fit entirely into the leftovers of the data segment we could map one extra page. This is slightly dangerous on PMAP_PREFER machines where mmaps allocations do not happen linearly in the virtual space and we could end up overwriting mappings that are already in use.
This also changes the initial allocation from being a MAP_ANON to a MAP_FILE so that we can pass the fd as a PMAP_PREFER hint.
|
#
1.21 |
|
24-Jul-2002 |
deraadt |
ok i found it
|
#
1.20 |
|
24-Jul-2002 |
deraadt |
back out broken stuff until it is fixed
|
#
1.19 |
|
24-Jul-2002 |
deraadt |
spacing
|
#
1.18 |
|
24-Jul-2002 |
deraadt |
cope with _dl_mmap() returning void *
|
#
1.17 |
|
23-Jul-2002 |
mickey |
match _dl_ syscall prototypes w/ the real syscalls prototypes, including args and return values; art@ ok
|
#
1.16 |
|
12-Jul-2002 |
drahn |
Change ld.so search order/method to match the a.out ld.so.
run destructors on dlclose()
Move more symbols into _dl_ private space, so that the proper (libc) version of the function will be used.
Add readdir() functionality to perform the proper library searching.
Support DL_PRELOAD
Do not relocate symbols if ld.so is being traced (and will exit).
Misc lint cleanup.
ok art@
|
#
1.15 |
|
05-Jun-2002 |
art |
Get rid of an unnecessary typedef (for future cleanup).
|
#
1.14 |
|
28-May-2002 |
deraadt |
more KNF
|
#
1.13 |
|
24-May-2002 |
drahn |
Change _dl_strcpy() to _dl_strlcpy(), implementation taken from libc.
|
#
1.12 |
|
24-May-2002 |
deraadt |
more KNF
|
#
1.11 |
|
24-May-2002 |
deraadt |
various KNF
|
Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE
|
#
1.10 |
|
22-Sep-2001 |
drahn |
Do not check for ':' twice, otherwise the rpath loses the first character after the : in the list of paths.
|
#
1.9 |
|
21-Aug-2001 |
drahn |
Fix up comment to indicate order that libraries in which the libraries are actually searched.
|
#
1.8 |
|
06-Aug-2001 |
drahn |
Change the priority of LD_LIBRARY_PATH, -rpath, and ldconfig path in ELF ld.so to match the behavior in a.out ld.so. The given order is the new order, previously ldconfig had highest priority, which made it impossible to override.
|
#
1.7 |
|
31-May-2001 |
art |
random indentation fixes (needs much more work).
|
#
1.6 |
|
11-May-2001 |
art |
MAP_COPY -> MAP_PRIVATE
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.5 |
|
02-Apr-2001 |
drahn |
Cleanup for 64bit support. Pieces by art, niklas and me. Only tested on powerpc.
|
#
1.4 |
|
30-Mar-2001 |
drahn |
Add infrastructure to allow mapping of text sections which are normally RO, RW while ld.so is working. And then the information to set the sections back to RO (or appropriate mode).
PowerPC now supports the typical NON-PIC relocations in ld.so. I do not know how well this will work with large shared libraries. I seem to recall a possible problem with large data where data is located in a different shared library.
|
#
1.3 |
|
16-Feb-2001 |
drahn |
Now that powerpc is using UVM, this shared library hack is no longer necessary.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.2 |
|
06-Oct-2000 |
rahnds |
Work around a shared library/pmap bug on the powerpc arch. Somehow it seems that the instruction cache will not get properly initialized or a problem exists with mmaping code and being able to execute it. This workaround is excessive in that it flushes the cache for the entire mmaped library. This slows down program startup, but seems to eliminate the problem.
|
#
1.1 |
|
13-Jun-2000 |
rahnds |
branches: 1.1.1; Initial revision
|
#
1.82 |
|
08-Dec-2017 |
deraadt |
Everyone knows this as ld.so, nor by the ancient name rtld. ok guenther
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.81 |
|
08-Feb-2017 |
guenther |
Provide size-generic ELF_NO_ADDR in <sys/exec_elf.h> and use that instead of ELFDEFNNAME(NO_ADDR)
ok jca@
|
#
1.80 |
|
24-Jan-2017 |
guenther |
On fatal errors, kill ourselves with thrkill(0,9,NULL) instead of simply exiting, via helper functions _dl_die(), _dl_diedie(), and _dl_oom().
prompted by a complaint from jsing@ ok jsing@ deraadt@
|
#
1.79 |
|
12-Aug-2016 |
deraadt |
the slimmed down random functions inside ld.so are strict clones of the libc arc4random API, so call them _dl_{arc4random,arcrandombuf} ok tedu guenther
|
#
1.78 |
|
08-Aug-2016 |
guenther |
Look for a PT_GNU_RELRO section per object and, if present, mprotect that range instead of the [__got_start, __got_end) range. On many archs this will cover _DYNAMIC too, so move up the DT_DEBUG handling to before relocations and the mprotect are done.
ok kettenis@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.77 |
|
04-Jul-2016 |
guenther |
Remove prebind support: binding to symbol table indices is too fragile for our development process.
ok kettenis@ deraadt@
|
#
1.76 |
|
08-Jun-2016 |
kettenis |
Some ELF ABIs still require a PLT that is both writable and executable. To avoid W^X violations, initially map such segments as writable and non-executable, and change the mapping to non-writable and executable after initial relocation processing. As a side-benefit this means we no longer depend on the __plt_start and __plt_end to make the PLT read-only after relocation processing.
This will break binaries linked with ld -Z, most notably emacs, on some of our architectures.
ok deraadt@, guenther@
|
#
1.75 |
|
07-May-2016 |
guenther |
Use a Thread Information Block in both single and multi-threaded programs. This stores errno, the cancelation flags, and related bits for each thread and is allocated by ld.so or libc.a. This is an ABI break from 5.9-stable!
Make libpthread dlopen'able by moving the cancelation wrappers into libc and doing locking and fork/errno handling via callbacks that libpthread registers when it first initializes. 'errno' *must* be declared via <errno.h> now!
Clean up libpthread's symbol exports like libc.
On powerpc, offset the TIB/TCB/TLS data from the register per the ELF spec.
Testing by various, particularly sthen@ and patrick@ ok kettenis@
|
#
1.74 |
|
20-Mar-2016 |
guenther |
Export environ and __progname, making the latter a copy of just the filename portion like crt0 does. This is prep for eliminating _dl_fixup_user_env() Mark almost everything in resolve.h as hidden, to improve code generation.
ok kettenis@ mpi@ "good time" deraadt@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.73 |
|
22-Dec-2015 |
mmcc |
assign pointers to NULL rather than 0
|
#
1.72 |
|
06-Nov-2015 |
guenther |
Fix unloading of load groups when the last reference wasn't on the load_object but rather some descendent. Detect that case in _dl_unload_shlib() and switch to unloading the entire group.
Based on partial analyses by Henri Kemppainen (duclare (at) guu.fi) and Peter Hajdu (peter.ferenc.hajdu (at) gmail.com) ok millert@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.71 |
|
16-Jan-2015 |
deraadt |
<sys/param.h> to <limits.h> conversion. Verified binaries ok millert, thanks to doug for process advice
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.70 |
|
10-Jul-2014 |
otto |
check all memory allocations; ok miod@ guenther@
|
#
1.69 |
|
09-Jul-2014 |
guenther |
Use O_CLOEXEC to make sure fork+exec in a threaded process can't see the fds used by dlopen()
ok otto@ miod@
|
#
1.68 |
|
21-Jun-2014 |
otto |
Move to a non-zeroing _dl_malloc, a _dl_calloc and _dl_reallocarry and fix _dl_strdup to return NULL instead of crash; ok deraadt@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.67 |
|
20-Aug-2012 |
matthew |
Add support for .openbsd.randomdata sections and PT_OPENBSD_RANDOMIZE segments to the kernel, ld (2.15), and ld.so. Tested on alpha, amd64, i386, macppc, and sparc64 (thanks naddy, mpi, and okan!).
Idea discussed for some time; committing now for further testing. ok deraadt
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.66 |
|
12-Jun-2012 |
matthew |
Fix loaded object sod matching: when we load libfoo.so.X.Y into memory, we should be able to match other requests for libfoo.so.X.Z against that same object.
ok kurt, kettenis
|
#
1.65 |
|
08-May-2012 |
jsing |
Refuse to load ELF objects that contain a PT_TLS program header. Otherwise the binary assumes that the requested TLS storage has been allocated and will happily use it, resulting in unwanted memory corruption.
ok guenther@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.64 |
|
09-Jan-2012 |
ariane |
Don't mmap 0 byte areas, treat them as a noop instead.
ok miod@
|
#
1.63 |
|
28-Nov-2011 |
guenther |
Add support for getting some flags from DT_FLAGS_1: new flags DF_1_NODELETE and DF_1_INITFIRST, as well as DF_1_NOW and DF_1_GLOBAL.
Committing for kurt@ who worked out the final version; ok guenther@ drahn@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.62 |
|
10-May-2011 |
otto |
Fix previous. On i386, library.c isn't compiled
|
#
1.61 |
|
09-May-2011 |
otto |
Outsmart gcc4 on mips* by moving the declaration of _dl_debug_state outside the file the call is in. Since the function is empty, gcc optmizes the call away, breaking the gdb hook needed to resolve symbols in lazy bound shared libs. Analysis by kettenis@; ok miod@ kettenis@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.60 |
|
16-Nov-2010 |
drahn |
Fix error message when ld.so ends up loading a different than expected library, but other library needs the one loaded. mostly ok kurt@
|
#
1.59 |
|
25-Oct-2010 |
kurt |
Search loaded libs first and add support for SONAME matching. ok drahn@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.58 |
|
02-Oct-2008 |
kurt |
Fix mmap() error checking to be correct 64-bit addresses. Consistently use _dl_mmap_error() to check for mmap() errors. Adjust datatypes of some local vars for 64-bit safety.
okay millert@ drahn@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.57 |
|
05-May-2008 |
kurt |
Constantly fill in the program header pointer and count in elf_object_t for all objects which simplifies phdr usage in a few places. "go for it" drahn@
|
#
1.56 |
|
09-Apr-2008 |
kurt |
Improve support for shared libs linked at non-zero addreses: - rename private values in struct elf_object to better describe their meaning: s/load_offs/obj_base/ "object's address '0' base" s/load_addr/load_base/ "The base address of the loadable segments" - gdb needs the obj_base value so swap positions with load_base in struct elf_object - fix a few occurrences of where load_base was used instead of obj_base.
With help and okay drahn@
|
#
1.55 |
|
02-Apr-2008 |
drahn |
Use the proper define for this address, not a incorrect (on 64bit) define. ok kurt@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE
|
#
1.54 |
|
08-May-2006 |
deraadt |
de-space
|
#
1.53 |
|
03-May-2006 |
drahn |
prebind - how to prelink a binary without throwing security out the window
Prelink fixes the address of libraries making 'return to libc' attacks trival, prebind uses a different method to achieve most of the same gains, however without adding any security conerns.
Still under development, now in-tree.
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.52 |
|
09-Nov-2005 |
kurt |
add RTLD_NOW support to dlopen and propogate -z now to dep libs. ok drahn@
|
#
1.51 |
|
12-Oct-2005 |
kurt |
add missing grpref unload propogation (sync with library_mquery)
|
#
1.50 |
|
12-Oct-2005 |
kurt |
Split grpsym_list creation away from child_list creation and change grpsym_list order to match Sun's docs. Also corrects bugs where grpsym_list was either not created or partially created.
|
#
1.49 |
|
09-Oct-2005 |
kurt |
introduce object ref count macros (suggested by dale). no functional change.
|
#
1.48 |
|
06-Oct-2005 |
kurt |
separate load group references from dep lib child/dload lists. move load group refs to own per object ref counter (grprefcount) and list (grpref_list). corrects more complex load group ref cases and side effects from initial implementation. design ideas and ok drahn@
|
#
1.47 |
|
03-Oct-2005 |
kurt |
refcount corrections: count common dep libs once and centralize dep lib refcount increments to _dl_link_sub. adjust _dl_notify_unload_shlib to match new refcount method. ok drahn@
|
#
1.46 |
|
01-Oct-2005 |
drahn |
handle references to load groups caused by dlopen()ing of depenant members of the load group. work by kurt@ and myself
|
#
1.45 |
|
28-Sep-2005 |
drahn |
correct last commit, in both files.
|
#
1.44 |
|
28-Sep-2005 |
drahn |
keep a state flag if a library has been unloaded, and then free the list seperately ok kurt@
|
#
1.43 |
|
27-Sep-2005 |
kurt |
increment refcount when opening a lib that is already open (dev/inode case) ok drahn@
|
#
1.42 |
|
26-Sep-2005 |
drahn |
Fully unload dependant libraries, fixes gphoto2 bug.
|
#
1.41 |
|
16-Sep-2005 |
drahn |
Rework symbol lookup to more closely match sun's documentation, now treats dlopens as load groups. ok kurt@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.40 |
|
23-May-2005 |
drahn |
fixes for dlclose, ok kettenis@
|
#
1.39 |
|
10-May-2005 |
drahn |
Recommit the destructor order fix, now that the amd64 bug was fixed. 'no problem' pval@
|
#
1.38 |
|
06-Apr-2005 |
deraadt |
backout -- breaks at least amd64; spotted by marc
|
#
1.37 |
|
05-Apr-2005 |
drahn |
Do a better job of running destructors in the right order.
|
#
1.36 |
|
23-Mar-2005 |
drahn |
Code reorganization, move copied code in library.c and library_mquery.c into its own file. no functional change.
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.35 |
|
17-Oct-2004 |
drahn |
Fix some problems related to LD_LIBRARY_PATH parsing where it would not correctly deal with current directory searches specified by "::", ":foo" or "foo:"
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.34 |
|
05-Jul-2004 |
kjell |
Fix an issue where a shared library could be loaded at two different locations by resolving all dlopens back to a dev/inode.
i.e. Don't load a library if the dev/inode it stats back to matches one already in our list.
fix started (and ok'ed) drahn@. ok deraadt@. "doesn't break anything yet" pval@ art@ brad@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
|
#
1.33 |
|
02-Sep-2003 |
drahn |
Fix PR 3371, symbol lookup in dlopen()ed objects is not correct. Correct behavior for RTLD_GLOBAL/RTLD_LOCAL is now supported. ok espie@
|
#
1.32 |
|
18-Jul-2003 |
drahn |
Fix print if minor of library used is is less than requested. ok tdeval@
|
#
1.31 |
|
06-Jul-2003 |
deraadt |
various proto, ansi, and knf repair. tested on all architectures that use it. (build may require make cleandir because of .depend balony)
|
#
1.30 |
|
02-Jul-2003 |
niklas |
Correct library search algorithm, wrt versioned objects
|
#
1.29 |
|
22-Jun-2003 |
drahn |
Dynamic linking random order fixes. This enables random library ordering. Tested by naddy@ and others.
|
#
1.28 |
|
09-Jun-2003 |
deraadt |
pefo 3/4 licence cleanups
|
#
1.27 |
|
30-May-2003 |
drahn |
When loading a shared object or libraries dependant object, load them in random order. This will reduce the possiblity of a buffer overflow being able to predict the addresss of useful code. Can be disabled with the LD_NORANDOM environment variable for debugging purposes. ok deraadt.
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.26 |
|
02-Feb-2003 |
deraadt |
knf & ansi; drahn ok
|
#
1.25 |
|
30-Jan-2003 |
drahn |
Change the constructor execution order to initialize dependant libraries first. This mirrors the commit espie put in a.out ld.so recently.
|
#
1.24 |
|
13-Dec-2002 |
drahn |
Compare to ELFMAG byte by byte rather than using full fledged function. Also avoids a gas problem for the moment.
|
#
1.23 |
|
17-Nov-2002 |
drahn |
Terminate printed strings with newlines.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.22 |
|
08-Aug-2002 |
art |
There was a possible off-by-one in ld.so when loading shared libraries. In some (rare?) cases, where the bss was too small and fit entirely into the leftovers of the data segment we could map one extra page. This is slightly dangerous on PMAP_PREFER machines where mmaps allocations do not happen linearly in the virtual space and we could end up overwriting mappings that are already in use.
This also changes the initial allocation from being a MAP_ANON to a MAP_FILE so that we can pass the fd as a PMAP_PREFER hint.
|
#
1.21 |
|
24-Jul-2002 |
deraadt |
ok i found it
|
#
1.20 |
|
24-Jul-2002 |
deraadt |
back out broken stuff until it is fixed
|
#
1.19 |
|
24-Jul-2002 |
deraadt |
spacing
|
#
1.18 |
|
24-Jul-2002 |
deraadt |
cope with _dl_mmap() returning void *
|
#
1.17 |
|
23-Jul-2002 |
mickey |
match _dl_ syscall prototypes w/ the real syscalls prototypes, including args and return values; art@ ok
|
#
1.16 |
|
12-Jul-2002 |
drahn |
Change ld.so search order/method to match the a.out ld.so.
run destructors on dlclose()
Move more symbols into _dl_ private space, so that the proper (libc) version of the function will be used.
Add readdir() functionality to perform the proper library searching.
Support DL_PRELOAD
Do not relocate symbols if ld.so is being traced (and will exit).
Misc lint cleanup.
ok art@
|
#
1.15 |
|
05-Jun-2002 |
art |
Get rid of an unnecessary typedef (for future cleanup).
|
#
1.14 |
|
28-May-2002 |
deraadt |
more KNF
|
#
1.13 |
|
24-May-2002 |
drahn |
Change _dl_strcpy() to _dl_strlcpy(), implementation taken from libc.
|
#
1.12 |
|
24-May-2002 |
deraadt |
more KNF
|
#
1.11 |
|
24-May-2002 |
deraadt |
various KNF
|
Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE
|
#
1.10 |
|
22-Sep-2001 |
drahn |
Do not check for ':' twice, otherwise the rpath loses the first character after the : in the list of paths.
|
#
1.9 |
|
21-Aug-2001 |
drahn |
Fix up comment to indicate order that libraries in which the libraries are actually searched.
|
#
1.8 |
|
06-Aug-2001 |
drahn |
Change the priority of LD_LIBRARY_PATH, -rpath, and ldconfig path in ELF ld.so to match the behavior in a.out ld.so. The given order is the new order, previously ldconfig had highest priority, which made it impossible to override.
|
#
1.7 |
|
31-May-2001 |
art |
random indentation fixes (needs much more work).
|
#
1.6 |
|
11-May-2001 |
art |
MAP_COPY -> MAP_PRIVATE
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.5 |
|
02-Apr-2001 |
drahn |
Cleanup for 64bit support. Pieces by art, niklas and me. Only tested on powerpc.
|
#
1.4 |
|
30-Mar-2001 |
drahn |
Add infrastructure to allow mapping of text sections which are normally RO, RW while ld.so is working. And then the information to set the sections back to RO (or appropriate mode).
PowerPC now supports the typical NON-PIC relocations in ld.so. I do not know how well this will work with large shared libraries. I seem to recall a possible problem with large data where data is located in a different shared library.
|
#
1.3 |
|
16-Feb-2001 |
drahn |
Now that powerpc is using UVM, this shared library hack is no longer necessary.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.2 |
|
06-Oct-2000 |
rahnds |
Work around a shared library/pmap bug on the powerpc arch. Somehow it seems that the instruction cache will not get properly initialized or a problem exists with mmaping code and being able to execute it. This workaround is excessive in that it flushes the cache for the entire mmaped library. This slows down program startup, but seems to eliminate the problem.
|
#
1.1 |
|
13-Jun-2000 |
rahnds |
branches: 1.1.1; Initial revision
|