Age | Commit message | Author |
|
just delete them without looking.
ok millert@
|
|
set-user-ID and set-group-ID executables in low memory conditions.
Reported by Qualys
|
|
that deletes the lazy relocation trampoline which ltrace currently
depends on
problem reported by tb@
directional feedback kettenis@
ok mpi@
|
|
ok mpi@
|
|
The existing code did a full recursive walk for O(horrible). Instead,
keep a single list of nodes plus the index of the first node whose
children haven't been scanned; lookup until that index catches the
end, appending the unscanned children of the node at the index. This
also makes the grpsym list order match that calculated by FreeBSD and
glibc in dependency trees with inconsistent ordering of dependent libs.
To make this easier and more cache friendly, convert grpsym_list
to a vector: the size is bounded by the number of objects currently
loaded.
Other, related fixes:
* increment the grpsym generation number _after_ pushing the loading
object onto its grpsym list, to avoid double counting it
* increment the grpsym generation number when building the grpsym list
for an already loaded object that's being dlopen()ed, to avoid
incomplete grpsym lists
* use a more accurate test of whether an object already has a grpsym list
Prompted by a diff from Nathanael Rensen (nathanael (at) list.polymorpheus.com)
that pointed to _dl_cache_grpsym_list() as a performance bottleneck.
Much prodding from robert@, sthen@, aja@, jca@
no problem reports after being in snaps
ok mpi@
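The breadth-first list construction described in this commit, as an added example that is not ld.so's code: a toy `struct obj` stands in for ld.so's object structure, `build_grpsym()` keeps one vector plus the index of the first entry whose dependencies have not been appended yet, and `recursive_visits()` counts what the old full recursive walk does on a constructed "ladder" dependency graph in which every library of layer k is reachable along 2^k paths. The names, the graph shape and the demo helpers are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define MAXDEPS 4
#define MAXPOOL 64

/* Toy stand-in for ld.so's object structure (constructed for this example). */
struct obj {
	char name[8];
	int ndeps;
	struct obj *deps[MAXDEPS];  /* direct dependencies, in DT_NEEDED order */
	int grpsym_gen;             /* generation marker: "already on this list" */
};

static int gen_counter;

/*
 * Build the group symbol search list breadth-first: a single vector plus
 * the index of the first entry whose dependencies have not been appended.
 * Every object is appended at most once, so the work is linear in the
 * number of objects, and the order is the one a BFS over DT_NEEDED gives.
 */
static int build_grpsym(struct obj *root, struct obj *list[], int max)
{
	int n = 0, scanned = 0;
	int gen = ++gen_counter;

	/* push the root, then mark it, so it cannot be appended a second time */
	list[n++] = root;
	root->grpsym_gen = gen;
	while (scanned < n) {
		struct obj *o = list[scanned++];
		for (int i = 0; i < o->ndeps; i++) {
			struct obj *d = o->deps[i];
			if (d->grpsym_gen == gen)
				continue;   /* already queued via another path */
			if (n >= max)
				return -1;
			d->grpsym_gen = gen;
			list[n++] = d;
		}
	}
	return n;
}

/* The old approach: a full recursive walk that revisits every shared
 * dependency once per path that leads to it.  Returns the visit count. */
static long recursive_visits(struct obj *o)
{
	long visits = 1;
	for (int i = 0; i < o->ndeps; i++)
		visits += recursive_visits(o->deps[i]);
	return visits;
}

/*
 * Constructed ladder graph: main -> {a1,b1}; ai,bi -> {a(i+1),b(i+1)}.
 * Object a_i lives at pool[2i-1], b_i at pool[2i]; main is pool[0].
 */
static struct obj pool[MAXPOOL];

static struct obj *make_ladder(int layers)
{
	memset(pool, 0, sizeof(pool[0]) * (1 + 2 * layers));
	snprintf(pool[0].name, sizeof pool[0].name, "main");
	for (int i = 1; i <= layers; i++) {
		snprintf(pool[2*i-1].name, sizeof pool[0].name, "a%d", i);
		snprintf(pool[2*i].name, sizeof pool[0].name, "b%d", i);
	}
	for (int i = 0; i < layers; i++) {
		/* objects of layer i (layer 0 is main) depend on both of layer i+1 */
		int first = i == 0 ? 0 : 2*i-1, last = i == 0 ? 0 : 2*i;
		for (int j = first; j <= last; j++) {
			pool[j].deps[pool[j].ndeps++] = &pool[2*i+1];
			pool[j].deps[pool[j].ndeps++] = &pool[2*i+2];
		}
	}
	return &pool[0];
}

static int demo_grpsym_len(int layers)
{
	struct obj *list[MAXPOOL];
	return build_grpsym(make_ladder(layers), list, MAXPOOL);
}

static long demo_recursive_visits(int layers)
{
	return recursive_visits(make_ladder(layers));
}

/* Space-separated grpsym order, e.g. "main a1 b1 a2 b2" for two layers. */
static const char *demo_grpsym_order(int layers)
{
	static char buf[MAXPOOL * 8];
	struct obj *list[MAXPOOL];
	int n = build_grpsym(make_ladder(layers), list, MAXPOOL);

	buf[0] = '\0';
	for (int i = 0; i < n; i++) {
		if (i)
			strcat(buf, " ");
		strcat(buf, list[i]->name);
	}
	return buf;
}

int main(void)
{
	for (int layers = 2; layers <= 20; layers += 6)
		printf("%2d layers: %3d objects on grpsym list, %8ld recursive visits\n",
		    layers, demo_grpsym_len(layers), demo_recursive_visits(layers));
	printf("order for 3 layers: %s\n", demo_grpsym_order(3));
	return 0;
}
```

With three layers the list is `main a1 b1 a2 b2 a3 b3` (seven entries) while the recursive walk touches 15 nodes; at 20 layers the list has 41 entries and the walk exceeds two million visits. Marking an object with the list's generation number at the moment it is appended is what lets a dependency reached by a second path be skipped without rescanning its children, which is the double-counting the commit message talks about.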
|
|
hiding the actual grotty bits in inline functions
ok mpi@
|
|
- the symbol it found, returned via the second argument
- the base offset of the object it was found in, via the return value
- optionally: the object it was found in, returned via the last argument
Instead, return a struct with the symbol and object pointers and let the
caller get the base offset from the object's obj_base member. On at least
aarch64, amd64, mips64, powerpc, and sparc64, a two word struct like this
is passed in registers.
ok mpi@, kettenis@
|
|
In 2013, I implemented the single-entry LRU cache that gets the maximal
symbol reuse from combreloc. Since then, the ld.so generic relocation
symcache has been a waste of CPU and memory with 0% hit-rate, so kill it.
ok mpi@
|
|
|
|
follows some pointer into the middle of it. Best to keep things working
while tracking down the wonkiness.
problem noted by naddy@
|
|
|
|
topological sort order, reducing it to O(n) from O(2^n) (ouch!)
diff from Nathanael Rensen (nathanael(at)list.polymorpheus.com)
Much testing and pleading by robert@ and ajacoutot@
ok drahn@ mpi@
|
|
- put functions and data which are only used before calling the executable's
start function into their own page-aligned segments for unmapping
(only done on amd64, arm64, armv7, powerpc, and sparc64 so far)
- pass .init_array and .preinit_array functions an additional argument which
is a callback to get a structure which includes a function that frees
the boot text and data
- sometimes delay doing RELRO processing: for a shared-object marked
DF_1_INITFIRST do it after the object's .init_array, for the executable
do it after the .preinit_array
- improve test-ld.so to link against libpthread and trigger its initialization
late
libc changes to use this will come later
ok kettenis@
|
|
This fixes handling of lld-linked executables on mips64.
problem reported by visa@ and worked out with him
|
|
ok visa@
|
|
__got_{start,end} to find a region to mark read-only. It was only used
for binaries that didn't have a GNU_RELRO segment, but all archs have
been using that for over a year. Since support for insecure-PLT layouts
on powerpc and alpha have been removed, all archs handle GNU_RELRO the
same way and the support can be moved from the MD code to the MI code.
ok mpi@
|
|
processing and malloc initialization, and then move variables set by those
steps, including malloc's mopts structure, into the .data.rel.ro segment.
This protects more data and eliminates the extra padding of the mopts.
ok kettenis@
|
|
ok millert@
|
|
ok guenther
|
|
when the object is loaded. Since kbind(2) will never be used in that
case, disable it early, before invoking any library or application code.
ok deraadt@ kettenis@
|
|
of ELFDEFNNAME(NO_ADDR)
ok jca@
|
|
simply exiting, via helper functions _dl_die(), _dl_diedie(), and
_dl_oom().
prompted by a complaint from jsing@
ok jsing@ deraadt@
|
|
instead. Results in a few more pages that aren't writable on some platforms
(such as hppa). Based on an initial diff from guenther@.
Thanks to deraadt@ for testing.
ok guenther@
|
|
|
|
Don't skip DT_INIT and DT_FINI for the main executable. This matches what
Linux and Solaris do.
ok guenther@
|
|
to minimize the amount of code run without it RO.
|
|
libc arc4random API, so call them _dl_{arc4random,arcrandombuf}
ok tedu guenther
|
|
range instead of the [__got_start, __got_end) range.
On many archs this will cover _DYNAMIC too, so move up the DT_DEBUG handling
to before relocations and the mprotect are done.
ok kettenis@
|
|
for our development process.
ok kettenis@ deraadt@
|
|
avoid W^X violations, initially map such segments as writable and
non-executable, and change the mapping to non-writable and executable
after initial relocation processing. As a side-benefit this means we no
longer depend on the __plt_start and __plt_end to make the PLT read-only
after relocation processing.
This will break binaries linked with ld -Z, most notably emacs, on some
of our architectures.
ok deraadt@, guenther@
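The map-writable-then-flip sequence this commit describes, and the same mechanism the GNU_RELRO commits above apply to the GOT and .data.rel.ro, as an added example that is not ld.so's code: `relocate_then_protect()` maps one anonymous page read/write, fills it the way relocation processing would, then drops write permission with mprotect(2), to `PROT_READ` for a RELRO region or to `PROT_READ|PROT_EXEC` for a PLT or text segment that must never be mapped W+X, and proves the flip held by catching the fault a later write takes. The page contents, the helper names and the SIGSEGV/SIGBUS catch are constructed for this example; it assumes a POSIX system whose kernel permits the final protection on anonymous memory.

```c
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_jmp;

static void on_fault(int sig)
{
	(void)sig;
	siglongjmp(fault_jmp, 1);   /* savemask=1 below restores the signal mask */
}

/*
 * Map a segment RW, "relocate" it, then flip it to final_prot.
 * Returns 1 when the flip held: everything written before it is still
 * readable and a write after it faults.  Returns 0 if the write went
 * through, -1 if mmap or mprotect failed.
 */
static int relocate_then_protect(int final_prot)
{
	long pagesz = sysconf(_SC_PAGESIZE);
	volatile unsigned char *seg = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
	    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (seg == MAP_FAILED)
		return -1;

	/* relocation processing happens while the mapping is RW and not X */
	for (long i = 0; i < pagesz; i++)
		seg[i] = (unsigned char)(i & 0xff);

	/* done patching: drop write permission for good */
	if (mprotect((void *)seg, pagesz, final_prot) != 0) {
		munmap((void *)seg, pagesz);
		return -1;
	}

	struct sigaction sa, old_segv, old_bus;
	memset(&sa, 0, sizeof sa);
	sa.sa_handler = on_fault;
	sigemptyset(&sa.sa_mask);
	sigaction(SIGSEGV, &sa, &old_segv);
	sigaction(SIGBUS, &sa, &old_bus);

	volatile int faulted = 0;
	if (sigsetjmp(fault_jmp, 1) == 0)
		seg[0] = 0xff;      /* must fault: the page is no longer writable */
	else
		faulted = 1;

	sigaction(SIGSEGV, &old_segv, NULL);
	sigaction(SIGBUS, &old_bus, NULL);

	/* the pre-flip contents survive; the post-flip write did not land */
	int intact = seg[0] == 0x00 && seg[1] == 0x01 &&
	    seg[pagesz - 1] == (unsigned char)((pagesz - 1) & 0xff);
	munmap((void *)seg, pagesz);
	return faulted && intact;
}

int main(void)
{
	printf("RELRO-style flip to R--: %d\n", relocate_then_protect(PROT_READ));
	printf("W^X-style flip to R-X:   %d\n",
	    relocate_then_protect(PROT_READ | PROT_EXEC));
	return 0;
}
```

Both calls print 1 on a kernel that allows the transitions. The order matters for the security property: the segment is never writable and executable at the same time, and once mprotect has run nothing in the process can quietly rewrite the GOT or PLT, which is why ld.so does the flip after relocation processing and before any application code runs.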
|
|
ok deraadt@
|
|
This stores errno, the cancelation flags, and related bits for each thread
and is allocated by ld.so or libc.a. This is an ABI break from 5.9-stable!
Make libpthread dlopen'able by moving the cancelation wrappers into libc
and doing locking and fork/errno handling via callbacks that libpthread
registers when it first initializes. 'errno' *must* be declared via
<errno.h> now!
Clean up libpthread's symbol exports like libc.
On powerpc, offset the TIB/TCB/TLS data from the register per the ELF spec.
Testing by various, particularly sthen@ and patrick@
ok kettenis@
|
|
with strong symbols in ld.so don't do what we need, so put definitions back
in crt0 and make ld.so update __progname like it does environ.
report and testing patrick@ jsg@
|
|
portion like crt0 does. This is prep for eliminating _dl_fixup_user_env()
Mark almost everything in resolve.h as hidden, to improve code generation.
ok kettenis@ mpi@ "good time" deraadt@
|
|
that it should show information about the program it loads, rather than
run it. In that specific case, ld.so can pledge to "stdio rpath" to
ensure that code path in ld.so has no bugs.
Yes, a pledge in ld.so.... who'd have thought!
ok guenther
|
|
|
|
ok otto@ guenther@
|
|
|
|
ok millert, thanks to doug for process advice
|
|
PLT is empty/unused. On at least macppc and sparc64, ld.so's attempt
to mprotect its PLT could instead hit its own allocated data and
cause a segfault shortly thereafter.
While here, take a shot at preventing the same issue with the GOT
by checking for __got_start != __got_end.
reproduction *with ktracing* by afresh1@ provided the key data
ok miod@ deraadt@
|
|
|
|
|
|
fix _dl_strdup to return NULL instead of crash; ok deraadt@
|
|
new SSP logic it additionally protects functions which have their
local addresses taken, and _dl_boot_bind() gets selected.
We have to go through GOT to reach __guard_local, however it hasn't
been relocated yet. So add boot.c and don't protect everything up
to the point until it has been relocated and no longer needs the
loff adjustment.
OK matthew@. Full build done & tested by florian@.
|
|
in this one specific area is not going to help debugging, because so
many other parts are non-deterministic.
ok guenther matthew jsing
|
|
ABI, and completely remove the code that attempts to call atexit(3) directly.
|
|
|
|
|
|
conditional in the MI code to only list the architectures left to adapt.
|
|
ABI, and stop calling atexit(3) directly from ld.so on sparc.
|