/*-
* SPDX-License-Identifier: BSD-2-Clause-FreeBSD
*
* Copyright (c) 2010 Konstantin Belousov <kib@freebsd.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Neither the name of the author nor the names of any co-contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/sysctl.h>
#include <link.h>
#include <stddef.h>
#include <string.h>
#include "libc_private.h"
#include "static_tls.h"
void __pthread_map_stacks_exec(void);
void __pthread_distribute_static_tls(size_t, void *, size_t, size_t);
/*
 * Report whether addr lies inside one of the PT_LOAD segments of the
 * object described by phdr_info.
 *
 * Returns non-zero when a matching segment is found, zero otherwise.
 * Only executable (PF_X) segments are considered on most targets; the
 * powerpc64 ELFv1 exception is explained inline.  The ranges compared are
 * [dlpi_addr + p_vaddr, dlpi_addr + p_vaddr + p_memsz), i.e. the segment
 * as mapped at run time, not its file offsets.
 */
int
__elf_phdr_match_addr(struct dl_phdr_info *phdr_info, void *addr)
{
	const uintptr_t target = (uintptr_t)addr;
	const Elf_Phdr *phdr;
	Elf_Addr seg_start, seg_end;
	int idx;

	for (idx = 0; idx < phdr_info->dlpi_phnum; idx++) {
		phdr = &phdr_info->dlpi_phdr[idx];
		if (phdr->p_type != PT_LOAD)
			continue;

		/* ELFv1 ABI for powerpc64 passes function descriptor
		 * pointers around, not function pointers.  The function
		 * descriptors live in .opd, which is a non-executable segment.
		 * The PF_X check would therefore make all address checks fail,
		 * causing a crash in some instances (a zeroed descriptor left
		 * behind by a library unload is not caught by a NULL check on
		 * the pointer itself).  Don't skip over non-executable
		 * segments in the ELFv1 powerpc64 case.
		 */
#if !defined(__powerpc64__) || (defined(_CALL_ELF) && _CALL_ELF == 2)
		if ((phdr->p_flags & PF_X) == 0)
			continue;
#endif

		/* Relocate the segment's virtual address by the load base. */
		seg_start = phdr_info->dlpi_addr + phdr->p_vaddr;
		seg_end = seg_start + phdr->p_memsz;
		if (seg_start <= target && target < seg_end)
			return (1);
	}

	return (0);
}
/*
 * Apply the stack protection chosen by the runtime linker to the main
 * thread's stack.
 *
 * The top of the stack comes from the KERN_USRSTACK sysctl and its size
 * from RLIMIT_STACK; the region below the top is mprotect()ed with the
 * value returned by _rtld_get_stack_prot().  Failures are deliberately
 * ignored -- the function is void and has no way to report them.
 * NOTE(review): presumably this is the path that grants PROT_EXEC when a
 * loaded object requests an executable stack; confirm against rtld.
 */
void
__libc_map_stacks_exec(void)
{
	int mib[2] = { CTL_KERN, KERN_USRSTACK };
	struct rlimit rlim;
	u_long usrstack;
	size_t len = sizeof(usrstack);

	if (sysctl(mib, sizeof(mib) / sizeof(mib[0]), &usrstack, &len,
	    NULL, 0) == -1)
		return;
	if (getrlimit(RLIMIT_STACK, &rlim) == -1)
		return;

	/* The stack grows down from usrstack, so the region starts
	 * rlim_cur bytes below it. */
	(void)mprotect((void *)(uintptr_t)(usrstack - rlim.rlim_cur),
	    rlim.rlim_cur, _rtld_get_stack_prot());
}
/*
 * Weak fallback for __pthread_map_stacks_exec.
 *
 * When no threading library supplies a strong definition, this version
 * dispatches through the libc interposing table slot
 * INTERPOS_map_stacks_exec.  Which function that slot holds is set up
 * elsewhere (presumably __libc_map_stacks_exec by default -- confirm in
 * libc_private.h).
 */
#pragma weak __pthread_map_stacks_exec
void
__pthread_map_stacks_exec(void)
{
	void (*map_stacks)(void);

	map_stacks = (void (*)(void))__libc_interposing[INTERPOS_map_stacks_exec];
	map_stacks();
}
/*
 * Install a static TLS image into this thread's static TLS block.
 *
 * offset    - offset of the module's block, resolved to an address via
 *             _libc_get_static_tls_base().
 * src       - initialised part of the TLS image; len bytes are copied.
 * len       - number of bytes to copy from src.
 * total_len - full size of the block; the bytes after the copied image
 *             are zero-filled (presumably the .tbss portion -- confirm).
 *
 * Precondition: len <= total_len.  The subtraction below is unsigned, so
 * a caller that violates this would make memset() run far past the block;
 * the caller (the runtime linker) is trusted to respect it.
 */
void
__libc_distribute_static_tls(size_t offset, void *src, size_t len,
    size_t total_len)
{
	char *dst;

	dst = (char *)_libc_get_static_tls_base(offset);
	memcpy(dst, src, len);
	memset(dst + len, 0, total_len - len);
}
/*
 * Weak fallback for __pthread_distribute_static_tls.
 *
 * Forwards all four arguments unchanged through the libc interposing
 * table slot INTERPOS_distribute_static_tls, so that a threading library
 * can install its own implementation while single-threaded programs keep
 * using libc's.  See __libc_distribute_static_tls for the argument
 * contract.
 */
#pragma weak __pthread_distribute_static_tls
void
__pthread_distribute_static_tls(size_t offset, void *src, size_t len,
    size_t total_len)
{
	void (*distribute)(size_t, void *, size_t, size_t);

	distribute = (void (*)(size_t, void *, size_t, size_t))
	    __libc_interposing[INTERPOS_distribute_static_tls];
	distribute(offset, src, len, total_len);
}