Fix interactions of initial-exec TLS model and dlopen

(1) If an initial-exec relocation was used for a non-local symbol
(i.e. the definition of the symbol is in a different DSO), the
computation of the static TLS offset used the wrong DSO.
This would effectively mean the wrong address was computed
(PR toolchain/50277, PR pkg/57445).

Fix this by forcing the computation of the correct DSO (the one defining
the symbol).

This code uses __UNCONST to avoid the vast interface changes for this
special case.

(2) If symbols from a DSO loaded via dlopen are used with both
global-dynamic/local-dynamic and initial-exec relocations AND
a initial-exec relocation was resolved first in a thread, a split brain
situation could exist where the dynamic relocations would use one memory
block (separate allocation) and the initial-exec relocations the static
per-thread TLS space.

(3) If the initial-exec relocation in (2) is seen after any thread has
already used a GD/LD allocation, bail out. Since IE relocations are used
only in the GOT, this will prevent the dlopen. This is a bit more
aggressive than necessary, but a full blown reference counting doesn't
seem to be justified.

ld.elf_so: Sprinkle tls debug messages.

XXX pullup-10

fix the ldd build

Handle program headers properly; fixes c++ exceptions on arm32.

Remove the limitation of only being able to load binaries with 2 PT_LOAD
sections, like the kernel can. From FreeBSD.

_rtld_map_object(): no need to mmap an empty bss segment.

PT_GNU_RELRO segments are arranged such that their vaddr + memsz ends
on a linker common page size boundary. However, if the common page size
used by the linker is less than the VM page size being used by the kernel,
this can end up in the middle of a VM page and when the region is write-
protected, this can cause objects in neighboring .data to get incorrectly
write-protected, resulting in a crash.

Avoid this situation by calculating the end of the RELRO region not by
rounding memsz up to the VM page size, but rather by adding vaddr + memsz
and then truncating to the VM page size.

Fixes PR toolchain/55043.

XXX pullup-9

branches: 1.60.2;
When loading a non-PIE main binary, the virtual address must match.
Use MAP_TRYFIXED and verify that the result matches the expectation.

MAP_ALIGNED has existed for years, just assume it exists.

branches: 1.58.4; 1.58.6;
Replace COMBREL with just-in-time check in _rtld_relocate_nonplt_objects.

The COMBREL logic predates thread-safety of the dynamic linker and
breaks the use of shared locks for the common symbol lookup case. It is
unlikely to provide any benefit for lazy binding or PLT lookups, so
provide equivalent functionality in the non-PLT relocation handling loop
by checking if the symbol used by the current relocation is the same as
the one used during the last lookup. No inter-object cachine is done as
it is also unlikely to be benefical.

Testing with Firefox startup on AMD64 shows a small performance gain by
the new method.

branches: 1.57.4;
Revert to version 1.55 of map_object.c. This reverts:

"really unmap the gap between the text and data rather than just removing
all access with mprotect(). the latter results in the kernel having to
keep track of that range separately since the permissions are different.
avoid calling mmap() with a size of zero."

As per toolchain/52054: src/libexec/ld.elf_so update breaks everything,
this commit is very broken for some people (but not others). chs mentioned
he has a fix, but best not to leave -current broken in the meantime.

really unmap the gap between the text and data rather than just removing
all access with mprotect(). the latter results in the kernel having to
keep track of that range separately since the permissions are different.
avoid calling mmap() with a size of zero.

branches: 1.55.2; 1.55.4;
Move relro after we've computed out relocbase and re-enable it.
(Matthias Weckbecker)

Add support for GNU RELRO headers from Matthias Weckbecker.

Avoid use after free, reported by the coverity scanner.

branches: 1.52.4;
Fix DEBUG build.

convert to SIMPLEQ like the rest of the queues.

need xfree() instead of free(). Using free() ends us up in an infinite loop.

Fixed handling of DT_SONAME:

- add function to add name aliases for shared libraries loaded
XXX[1]: we don't add a name during load time, only when DT_SONAME
is present.
- search already loaded objects in load_by_name for an already
loaded object that matches our name and return it.
- add missing initialization and cleanup for obj->names
XXX[2]: should we make them SIMPLEQ?
- Add XXX in rtld.c about getting the name of an object.

NB: This makes the jdk work again without resorting to a hack of putting
the build path of libjvm.so into the run path (which is a security
problem).
XXX: Pullup-6?

Trailing whitespace

Adjust exidx_start by relocbase

Handle PT_ARM_EXIDX when mapping objects.

Improve the diagnostic messages for invalid/non-ELF files. Proposed a
while back; I forget the context. Has been sitting in one of my trees
awaiting a test run since, apparently, August 2011.

branches: 1.44.2;
Try to make dbg() printfs realy ELFSIZE independent

branches: 1.43.2;
consistent debugging info for program headers

Add TLS support infrastructure. For dynamic binaries, ld.elf_so exports
_rtld_tls_allocate and _rtld_tls_free. libpthread uses this functions to
setup the thread private area of all new threads. ld.elf_so is
responsible for setting up the private area for the initial thread.
Similar functions are called from _libc_init for static binaries, using
dl_iterate_phdr to access the ELF Program Header.

Add test cases to exercise the different TLS storage models. Test cases
are compiled and installed on all platforms, but are skipped on
platforms not marked for TLS support.

This material is based upon work partially supported by
The NetBSD Foundation under a contract with Joerg Sonnenberger.

It is inspired by the TLS support in FreeBSD by Doug Rabson and the
clean ups of the DragonFly port of the original FreeBSD modifications.

Implement dl_iterate_phdr.

Somewhat taken from FreeBSD. Manual page from OpenBSD.

Wrap long line.

Reset the COMBRELOC cache Obj_Entry if it was freed.

Fixes PR 41482. Done slightly differently to the patch in the PR.

warns=4

add some (uintptr_t) to some casts, so these compile with ELFSIZE=32
*and _LP64. necessary for 32/64 bit combo ldd support.

branches: 1.36.4;
Don't bother unmapping the ELF header unless it overlaps the first load
section.

branches: 1.35.6; 1.35.8;
- Don't use the names malloc/free/etc, since we can end up pulling in libc's
malloc which is not what we want.
- Remove ancient memory compaction hack. Realloc on free memory is now an
error again (from joerg@).

Ok christos@.

branches: 1.34.10;
Coverity CID 2749: Fix another double free. Instead of removing that last
free() call, change the allocation policy to leave the responsibility for
allocation/freeing the pathname to _rtld_map_object(), instead of having
the caller allocate it and _rtld_map_object() free it. This simplifies the
code a lot and it is more efficient.

Fix some double frees / missing frees / use after freed all
relating to _rtld_load_object. Fix Coverity CID 2601, 2600.

appease gcc -Wuninitialized

Add __RCSIDs.

OK'd by mycroft.

ANSIfy and de-__P().

KNF- blank lines before code at start of functions.

make it compile in /usr/src/rescue directory.

Align psections to their specified alignment (if possible). Use
mmap(2) MAP_ALIGNED.

If fstat info was passed, and from it it can be seen that the file size
is smaller than an ELF header, don't even bother to try to look at it.
Avoids coredumps with zero-sized files.

A bit speedup: in _rtld_load_object(), save the number of calls to
strcmp() by performing path name length comparison first. In the test
with Mozilla, the number was reduced to 1068 from 7182 (yes, we saved
6114 strcmp()!).

Minor cleanup.

Make this work for ldd again.

Rearrange _rtld_map_object() a little, so that we don't have to have the first
page of the object double-mapped. Not that it matters much, but someone was
whinging about it.
While I'm at it, nuke obj->phdr and obj->phsize; they're unused.

Change the munmap() of the text-data gap to mprotect(PROT_NONE). This avoids
having scattered little mappings, although it's probably not the best way...

Woops, unmap the first page in the `win' case, too.
Tidy up a bit.

Use _rtld_pagesz instead of PAGESIZE.

space -> tab.

Don't need to use union any longer.

Several small changes that shave 7-8% off the simple-exec-loop test:

* Rename _rtld_find_library() to _rtld_load_library(). It now calls
_rtld_load_object() if necessary to actually load the object, rather
than having the caller do it. To do this, it also takes the `mode'
argument that gets passed to _rtld_load_object().

* On a related note, remove _rtld_check_library(), and instead call
_rtld_load_object() to instead try actually loading the object. We
save two extra namei's and a bunch of redundant work (almost
literally the same code) this way.

* In _rtld_map_object(), mmap(2) the first page read-only, rather than
read(2)ing it.

* In _rtld_symlook_obj(), compare the *second* character of the symbol
name before calling strcmp(). (This first character is too
frequently `_', and turns out to not be helpful, in libc.)

* Also in _rtld_symlook_obj(), remove the bogus STT_FUNC special case
-- this also allows removing the `in_plt' argument to
_rtld_symlook_list() and _rtld_symlook_obj().

Also:

* In _rtld_obj_from_addr(), rather than trying to look up `_end' in
the each object, instead use obj->mapsize as the upper bound.

Nuke two frivolous assert()s.

Introduce a new flag, `isdynamic', which is used to remember whether the
executable was of type ET_DYN. Use this instead of `mainprog' to determine
whether we need to do base-relative fixups of the PLT. (This allows loading
non-relocatable objects, should we desire to do that at some point...)

SIMPLEQ rototill:
- implement SIMPLEQ_REMOVE(head, elm, type, field). whilst it's O(n),
this mirrors the functionality of SLIST_REMOVE() (the other
singly-linked list type) and FreeBSD's STAILQ_REMOVE()
- remove the unnecessary elm arg from SIMPLEQ_REMOVE_HEAD().
this mirrors the functionality of SLIST_REMOVE_HEAD() (the other
singly-linked list type) and FreeBSD's STAILQ_REMOVE_HEAD()
- remove notes about SIMPLEQ not supporting arbitrary element removal
- use SIMPLEQ_FOREACH() instead of home-grown for loops
- use SIMPLEQ_EMPTY() appropriately
- use SIMPLEQ_*() instead of accessing sqh_first,sqh_last,sqe_next directly
- reorder manual page; be consistent about how the types are listed
- other minor cleanups

branches: 1.12.2;
Return an error when there are too many segments rather than abort()ing.
This way `ldd /usr/libexec/ld.elf_so' doesn't core dump.

branches: 1.11.4;
switch back to using a file mapping for the initial mapping of a new object.
this allows the kernel to use PMAP_PREFER() to give us better alignment on
platforms that care.

Changes from msaitoh to fix local/global symbol confusion, and to fix weak
symbol support -- updated by me for elf.h changes.

Remove ELFNAME defines since they are defined in sys/exec_elf.h

Update to match new SVR4-style definition names in <sys/exec_elf.h>.

Undo last change. While these macros are defined in exec_elf.h, they are
enclosed by `#ifdef _KERNEL'.

Remove ELFNAME macros which are already defines in exec_elf.h

branches: 1.5.2;
When allocating the entire address space of an object, map an anonymous
region first (using the data/bss protection) covering it, then overlay
the text and data regions at the appropriate offsets within the region,
and then unmap any gap between the text and data.

The previous method of maping the entire address space with the actual
file object itself is incorrect, as it may extend past the end of the
file if the section alignment is large enough.

This bug was the source of the libposix failure on the SPARC and another
similar failure (with libc!) on the Alpha (failure was accompanied by
a "uvn_io: size check fired" message on the console).

KNF

Fill in missing (default) mmap(2) flags.

Mipsel changes to ELF ldd/ld.so:
* don't abort() on NetBSD/pmax 1.1 elf binaries;
* Assume 32-bit elf unless compiling for Alpha;
* note bugs in ldd's README.

First cut at an ELF shared loader. Originally from John Polstra's FreeBSD elf
kit, then hacked on by Matt Thomas <matt@3am-software.com>, then by me (to
make it work with new versions of the toolchain, etc.). This runs, but it's
in serious need of cleaning and/or a fair bit of reworking. See the README
file for more information, and a list of things to do.

fix the ldd build

Handle program headers properly; fixes c++ exceptions on arm32.

Remove the limitation of only being able to load binaries with 2 PT_LOAD
sections, like the kernel can. From FreeBSD.

_rtld_map_object(): no need to mmap an empty bss segment.

PT_GNU_RELRO segments are arranged such that their vaddr + memsz ends
on a linker common page size boundary. However, if the common page size
used by the linker is less than the VM page size being used by the kernel,
this can end up in the middle of a VM page and when the region is write-
protected, this can cause objects in neighboring .data to get incorrectly
write-protected, resulting in a crash.

Avoid this situation by calculating the end of the RELRO region not by
rounding memsz up to the VM page size, but rather by adding vaddr + memsz
and then truncating to the VM page size.

Fixes PR toolchain/55043.

XXX pullup-9

branches: 1.60.2;
When loading a non-PIE main binary, the virtual address must match.
Use MAP_TRYFIXED and verify that the result matches the expectation.

MAP_ALIGNED has existed for years, just assume it exists.

branches: 1.58.4; 1.58.6;
Replace COMBREL with just-in-time check in _rtld_relocate_nonplt_objects.

The COMBREL logic predates thread-safety of the dynamic linker and
breaks the use of shared locks for the common symbol lookup case. It is
unlikely to provide any benefit for lazy binding or PLT lookups, so
provide equivalent functionality in the non-PLT relocation handling loop
by checking if the symbol used by the current relocation is the same as
the one used during the last lookup. No inter-object cachine is done as
it is also unlikely to be benefical.

Testing with Firefox startup on AMD64 shows a small performance gain by
the new method.

branches: 1.57.4;
Revert to version 1.55 of map_object.c. This reverts:

"really unmap the gap between the text and data rather than just removing
all access with mprotect(). the latter results in the kernel having to
keep track of that range separately since the permissions are different.
avoid calling mmap() with a size of zero."

As per toolchain/52054: src/libexec/ld.elf_so update breaks everything,
this commit is very broken for some people (but not others). chs mentioned
he has a fix, but best not to leave -current broken in the meantime.

really unmap the gap between the text and data rather than just removing
all access with mprotect(). the latter results in the kernel having to
keep track of that range separately since the permissions are different.
avoid calling mmap() with a size of zero.

branches: 1.55.2; 1.55.4;
Move relro after we've computed out relocbase and re-enable it.
(Matthias Weckbecker)

Add support for GNU RELRO headers from Matthias Weckbecker.

Avoid use after free, reported by the coverity scanner.

branches: 1.52.4;
Fix DEBUG build.

convert to SIMPLEQ like the rest of the queues.

need xfree() instead of free(). Using free() ends us up in an infinite loop.

Fixed handling of DT_SONAME:

- add function to add name aliases for shared libraries loaded
XXX[1]: we don't add a name during load time, only when DT_SONAME
is present.
- search already loaded objects in load_by_name for an already
loaded object that matches our name and return it.
- add missing initialization and cleanup for obj->names
XXX[2]: should we make them SIMPLEQ?
- Add XXX in rtld.c about getting the name of an object.

NB: This makes the jdk work again without resorting to a hack of putting
the build path of libjvm.so into the run path (which is a security
problem).
XXX: Pullup-6?

Trailing whitespace

Adjust exidx_start by relocbase

Handle PT_ARM_EXIDX when mapping objects.

Improve the diagnostic messages for invalid/non-ELF files. Proposed a
while back; I forget the context. Has been sitting in one of my trees
awaiting a test run since, apparently, August 2011.

branches: 1.44.2;
Try to make dbg() printfs realy ELFSIZE independent

branches: 1.43.2;
consistent debugging info for program headers

Add TLS support infrastructure. For dynamic binaries, ld.elf_so exports
_rtld_tls_allocate and _rtld_tls_free. libpthread uses this functions to
setup the thread private area of all new threads. ld.elf_so is
responsible for setting up the private area for the initial thread.
Similar functions are called from _libc_init for static binaries, using
dl_iterate_phdr to access the ELF Program Header.

Add test cases to exercise the different TLS storage models. Test cases
are compiled and installed on all platforms, but are skipped on
platforms not marked for TLS support.

This material is based upon work partially supported by
The NetBSD Foundation under a contract with Joerg Sonnenberger.

It is inspired by the TLS support in FreeBSD by Doug Rabson and the
clean ups of the DragonFly port of the original FreeBSD modifications.

Implement dl_iterate_phdr.

Somewhat taken from FreeBSD. Manual page from OpenBSD.

Wrap long line.

Reset the COMBRELOC cache Obj_Entry if it was freed.

Fixes PR 41482. Done slightly differently to the patch in the PR.

warns=4

add some (uintptr_t) to some casts, so these compile with ELFSIZE=32
*and _LP64. necessary for 32/64 bit combo ldd support.

branches: 1.36.4;
Don't bother unmapping the ELF header unless it overlaps the first load
section.

branches: 1.35.6; 1.35.8;
- Don't use the names malloc/free/etc, since we can end up pulling in libc's
malloc which is not what we want.
- Remove ancient memory compaction hack. Realloc on free memory is now an
error again (from joerg@).

Ok christos@.

branches: 1.34.10;
Coverity CID 2749: Fix another double free. Instead of removing that last
free() call, change the allocation policy to leave the responsibility for
allocation/freeing the pathname to _rtld_map_object(), instead of having
the caller allocate it and _rtld_map_object() free it. This simplifies the
code a lot and it is more efficient.

Fix some double frees / missing frees / use after freed all
relating to _rtld_load_object. Fix Coverity CID 2601, 2600.

appease gcc -Wuninitialized

Add __RCSIDs.

OK'd by mycroft.

ANSIfy and de-__P().

KNF- blank lines before code at start of functions.

make it compile in /usr/src/rescue directory.

Align psections to their specified alignment (if possible). Use
mmap(2) MAP_ALIGNED.

If fstat info was passed, and from it it can be seen that the file size
is smaller than an ELF header, don't even bother to try to look at it.
Avoids coredumps with zero-sized files.

A bit speedup: in _rtld_load_object(), save the number of calls to
strcmp() by performing path name length comparison first. In the test
with Mozilla, the number was reduced to 1068 from 7182 (yes, we saved
6114 strcmp()!).

Minor cleanup.

Make this work for ldd again.

Rearrange _rtld_map_object() a little, so that we don't have to have the first
page of the object double-mapped. Not that it matters much, but someone was
whinging about it.
While I'm at it, nuke obj->phdr and obj->phsize; they're unused.

Change the munmap() of the text-data gap to mprotect(PROT_NONE). This avoids
having scattered little mappings, although it's probably not the best way...

Woops, unmap the first page in the `win' case, too.
Tidy up a bit.

Use _rtld_pagesz instead of PAGESIZE.

space -> tab.

Don't need to use union any longer.

Several small changes that shave 7-8% off the simple-exec-loop test:

* Rename _rtld_find_library() to _rtld_load_library(). It now calls
_rtld_load_object() if necessary to actually load the object, rather
than having the caller do it. To do this, it also takes the `mode'
argument that gets passed to _rtld_load_object().

* On a related note, remove _rtld_check_library(), and instead call
_rtld_load_object() to instead try actually loading the object. We
save two extra namei's and a bunch of redundant work (almost
literally the same code) this way.

* In _rtld_map_object(), mmap(2) the first page read-only, rather than
read(2)ing it.

* In _rtld_symlook_obj(), compare the *second* character of the symbol
name before calling strcmp(). (This first character is too
frequently `_', and turns out to not be helpful, in libc.)

* Also in _rtld_symlook_obj(), remove the bogus STT_FUNC special case
-- this also allows removing the `in_plt' argument to
_rtld_symlook_list() and _rtld_symlook_obj().

Also:

* In _rtld_obj_from_addr(), rather than trying to look up `_end' in
the each object, instead use obj->mapsize as the upper bound.

Nuke two frivolous assert()s.

Introduce a new flag, `isdynamic', which is used to remember whether the
executable was of type ET_DYN. Use this instead of `mainprog' to determine
whether we need to do base-relative fixups of the PLT. (This allows loading
non-relocatable objects, should we desire to do that at some point...)

SIMPLEQ rototill:
- implement SIMPLEQ_REMOVE(head, elm, type, field). whilst it's O(n),
this mirrors the functionality of SLIST_REMOVE() (the other
singly-linked list type) and FreeBSD's STAILQ_REMOVE()
- remove the unnecessary elm arg from SIMPLEQ_REMOVE_HEAD().
this mirrors the functionality of SLIST_REMOVE_HEAD() (the other
singly-linked list type) and FreeBSD's STAILQ_REMOVE_HEAD()
- remove notes about SIMPLEQ not supporting arbitrary element removal
- use SIMPLEQ_FOREACH() instead of home-grown for loops
- use SIMPLEQ_EMPTY() appropriately
- use SIMPLEQ_*() instead of accessing sqh_first,sqh_last,sqe_next directly
- reorder manual page; be consistent about how the types are listed
- other minor cleanups

branches: 1.12.2;
Return an error when there are too many segments rather than abort()ing.
This way `ldd /usr/libexec/ld.elf_so' doesn't core dump.

branches: 1.11.4;
switch back to using a file mapping for the initial mapping of a new object.
this allows the kernel to use PMAP_PREFER() to give us better alignment on
platforms that care.

Changes from msaitoh to fix local/global symbol confusion, and to fix weak
symbol support -- updated by me for elf.h changes.

Remove ELFNAME defines since they are defined in sys/exec_elf.h

Update to match new SVR4-style definition names in <sys/exec_elf.h>.

Undo last change. While these macros are defined in exec_elf.h, they are
enclosed by `#ifdef _KERNEL'.

Remove ELFNAME macros which are already defines in exec_elf.h

branches: 1.5.2;
When allocating the entire address space of an object, map an anonymous
region first (using the data/bss protection) covering it, then overlay
the text and data regions at the appropriate offsets within the region,
and then unmap any gap between the text and data.

The previous method of maping the entire address space with the actual
file object itself is incorrect, as it may extend past the end of the
file if the section alignment is large enough.

This bug was the source of the libposix failure on the SPARC and another
similar failure (with libc!) on the Alpha (failure was accompanied by
a "uvn_io: size check fired" message on the console).

KNF

Fill in missing (default) mmap(2) flags.

Mipsel changes to ELF ldd/ld.so:
* don't abort() on NetBSD/pmax 1.1 elf binaries;
* Assume 32-bit elf unless compiling for Alpha;
* note bugs in ldd's README.

First cut at an ELF shared loader. Originally from John Polstra's FreeBSD elf
kit, then hacked on by Matt Thomas <matt@3am-software.com>, then by me (to
make it work with new versions of the toolchain, etc.). This runs, but it's
in serious need of cleaning and/or a fair bit of reworking. See the README
file for more information, and a list of things to do.

Remove the limitation of only being able to load binaries with 2 PT_LOAD
sections, like the kernel can. From FreeBSD.

_rtld_map_object(): no need to mmap an empty bss segment.

PT_GNU_RELRO segments are arranged such that their vaddr + memsz ends
on a linker common page size boundary. However, if the common page size
used by the linker is less than the VM page size being used by the kernel,
this can end up in the middle of a VM page and when the region is write-
protected, this can cause objects in neighboring .data to get incorrectly
write-protected, resulting in a crash.

Avoid this situation by calculating the end of the RELRO region not by
rounding memsz up to the VM page size, but rather by adding vaddr + memsz
and then truncating to the VM page size.

Fixes PR toolchain/55043.

XXX pullup-9

branches: 1.60.2;
When loading a non-PIE main binary, the virtual address must match.
Use MAP_TRYFIXED and verify that the result matches the expectation.

MAP_ALIGNED has existed for years, just assume it exists.

branches: 1.58.4; 1.58.6;
Replace COMBREL with just-in-time check in _rtld_relocate_nonplt_objects.

The COMBREL logic predates thread-safety of the dynamic linker and
breaks the use of shared locks for the common symbol lookup case. It is
unlikely to provide any benefit for lazy binding or PLT lookups, so
provide equivalent functionality in the non-PLT relocation handling loop
by checking if the symbol used by the current relocation is the same as
the one used during the last lookup. No inter-object cachine is done as
it is also unlikely to be benefical.

Testing with Firefox startup on AMD64 shows a small performance gain by
the new method.

branches: 1.57.4;
Revert to version 1.55 of map_object.c. This reverts:

"really unmap the gap between the text and data rather than just removing
all access with mprotect(). the latter results in the kernel having to
keep track of that range separately since the permissions are different.
avoid calling mmap() with a size of zero."

As per toolchain/52054: src/libexec/ld.elf_so update breaks everything,
this commit is very broken for some people (but not others). chs mentioned
he has a fix, but best not to leave -current broken in the meantime.

really unmap the gap between the text and data rather than just removing
all access with mprotect(). the latter results in the kernel having to
keep track of that range separately since the permissions are different.
avoid calling mmap() with a size of zero.

branches: 1.55.2; 1.55.4;
Move relro after we've computed out relocbase and re-enable it.
(Matthias Weckbecker)

Add support for GNU RELRO headers from Matthias Weckbecker.

Avoid use after free, reported by the coverity scanner.

branches: 1.52.4;
Fix DEBUG build.

convert to SIMPLEQ like the rest of the queues.

need xfree() instead of free(). Using free() ends us up in an infinite loop.

Fixed handling of DT_SONAME:

- add function to add name aliases for shared libraries loaded
XXX[1]: we don't add a name during load time, only when DT_SONAME
is present.
- search already loaded objects in load_by_name for an already
loaded object that matches our name and return it.
- add missing initialization and cleanup for obj->names
XXX[2]: should we make them SIMPLEQ?
- Add XXX in rtld.c about getting the name of an object.

NB: This makes the jdk work again without resorting to a hack of putting
the build path of libjvm.so into the run path (which is a security
problem).
XXX: Pullup-6?

Trailing whitespace

Adjust exidx_start by relocbase

Handle PT_ARM_EXIDX when mapping objects.

Improve the diagnostic messages for invalid/non-ELF files. Proposed a
while back; I forget the context. Has been sitting in one of my trees
awaiting a test run since, apparently, August 2011.

branches: 1.44.2;
Try to make dbg() printfs realy ELFSIZE independent

branches: 1.43.2;
consistent debugging info for program headers

Add TLS support infrastructure. For dynamic binaries, ld.elf_so exports
_rtld_tls_allocate and _rtld_tls_free. libpthread uses this functions to
setup the thread private area of all new threads. ld.elf_so is
responsible for setting up the private area for the initial thread.
Similar functions are called from _libc_init for static binaries, using
dl_iterate_phdr to access the ELF Program Header.

Add test cases to exercise the different TLS storage models. Test cases
are compiled and installed on all platforms, but are skipped on
platforms not marked for TLS support.

This material is based upon work partially supported by
The NetBSD Foundation under a contract with Joerg Sonnenberger.

It is inspired by the TLS support in FreeBSD by Doug Rabson and the
clean ups of the DragonFly port of the original FreeBSD modifications.

Implement dl_iterate_phdr.

Somewhat taken from FreeBSD. Manual page from OpenBSD.

Wrap long line.

Reset the COMBRELOC cache Obj_Entry if it was freed.

Fixes PR 41482. Done slightly differently to the patch in the PR.

warns=4

add some (uintptr_t) to some casts, so these compile with ELFSIZE=32
*and _LP64. necessary for 32/64 bit combo ldd support.

branches: 1.36.4;
Don't bother unmapping the ELF header unless it overlaps the first load
section.

branches: 1.35.6; 1.35.8;
- Don't use the names malloc/free/etc, since we can end up pulling in libc's
malloc which is not what we want.
- Remove ancient memory compaction hack. Realloc on free memory is now an
error again (from joerg@).

Ok christos@.

branches: 1.34.10;
Coverity CID 2749: Fix another double free. Instead of removing that last
free() call, change the allocation policy to leave the responsibility for
allocation/freeing the pathname to _rtld_map_object(), instead of having
the caller allocate it and _rtld_map_object() free it. This simplifies the
code a lot and it is more efficient.

Fix some double frees / missing frees / use after freed all
relating to _rtld_load_object. Fix Coverity CID 2601, 2600.

appease gcc -Wuninitialized

Add __RCSIDs.

OK'd by mycroft.

ANSIfy and de-__P().

KNF- blank lines before code at start of functions.

make it compile in /usr/src/rescue directory.

Align psections to their specified alignment (if possible). Use
mmap(2) MAP_ALIGNED.

If fstat info was passed, and from it it can be seen that the file size
is smaller than an ELF header, don't even bother to try to look at it.
Avoids coredumps with zero-sized files.

A bit speedup: in _rtld_load_object(), save the number of calls to
strcmp() by performing path name length comparison first. In the test
with Mozilla, the number was reduced to 1068 from 7182 (yes, we saved
6114 strcmp()!).

Minor cleanup.

Make this work for ldd again.

Rearrange _rtld_map_object() a little, so that we don't have to have the first
page of the object double-mapped. Not that it matters much, but someone was
whinging about it.
While I'm at it, nuke obj->phdr and obj->phsize; they're unused.

Change the munmap() of the text-data gap to mprotect(PROT_NONE). This avoids
having scattered little mappings, although it's probably not the best way...

Woops, unmap the first page in the `win' case, too.
Tidy up a bit.

Use _rtld_pagesz instead of PAGESIZE.

space -> tab.

Don't need to use union any longer.

Several small changes that shave 7-8% off the simple-exec-loop test:

* Rename _rtld_find_library() to _rtld_load_library(). It now calls
_rtld_load_object() if necessary to actually load the object, rather
than having the caller do it. To do this, it also takes the `mode'
argument that gets passed to _rtld_load_object().

* On a related note, remove _rtld_check_library(), and instead call
_rtld_load_object() to instead try actually loading the object. We
save two extra namei's and a bunch of redundant work (almost
literally the same code) this way.

* In _rtld_map_object(), mmap(2) the first page read-only, rather than
read(2)ing it.

* In _rtld_symlook_obj(), compare the *second* character of the symbol
name before calling strcmp(). (This first character is too
frequently `_', and turns out to not be helpful, in libc.)

* Also in _rtld_symlook_obj(), remove the bogus STT_FUNC special case
-- this also allows removing the `in_plt' argument to
_rtld_symlook_list() and _rtld_symlook_obj().

Also:

* In _rtld_obj_from_addr(), rather than trying to look up `_end' in
the each object, instead use obj->mapsize as the upper bound.

Nuke two frivolous assert()s.

Introduce a new flag, `isdynamic', which is used to remember whether the
executable was of type ET_DYN. Use this instead of `mainprog' to determine
whether we need to do base-relative fixups of the PLT. (This allows loading
non-relocatable objects, should we desire to do that at some point...)

SIMPLEQ rototill:
- implement SIMPLEQ_REMOVE(head, elm, type, field). whilst it's O(n),
this mirrors the functionality of SLIST_REMOVE() (the other
singly-linked list type) and FreeBSD's STAILQ_REMOVE()
- remove the unnecessary elm arg from SIMPLEQ_REMOVE_HEAD().
this mirrors the functionality of SLIST_REMOVE_HEAD() (the other
singly-linked list type) and FreeBSD's STAILQ_REMOVE_HEAD()
- remove notes about SIMPLEQ not supporting arbitrary element removal
- use SIMPLEQ_FOREACH() instead of home-grown for loops
- use SIMPLEQ_EMPTY() appropriately
- use SIMPLEQ_*() instead of accessing sqh_first,sqh_last,sqe_next directly
- reorder manual page; be consistent about how the types are listed
- other minor cleanups

branches: 1.12.2;
Return an error when there are too many segments rather than abort()ing.
This way `ldd /usr/libexec/ld.elf_so' doesn't core dump.

branches: 1.11.4;
switch back to using a file mapping for the initial mapping of a new object.
this allows the kernel to use PMAP_PREFER() to give us better alignment on
platforms that care.

Changes from msaitoh to fix local/global symbol confusion, and to fix weak
symbol support -- updated by me for elf.h changes.

Remove ELFNAME defines since they are defined in sys/exec_elf.h

Update to match new SVR4-style definition names in <sys/exec_elf.h>.

Undo last change. While these macros are defined in exec_elf.h, they are
enclosed by `#ifdef _KERNEL'.

Remove ELFNAME macros which are already defines in exec_elf.h

branches: 1.5.2;
When allocating the entire address space of an object, map an anonymous
region first (using the data/bss protection) covering it, then overlay
the text and data regions at the appropriate offsets within the region,
and then unmap any gap between the text and data.

The previous method of maping the entire address space with the actual
file object itself is incorrect, as it may extend past the end of the
file if the section alignment is large enough.

This bug was the source of the libposix failure on the SPARC and another
similar failure (with libc!) on the Alpha (failure was accompanied by
a "uvn_io: size check fired" message on the console).

KNF

Fill in missing (default) mmap(2) flags.

Mipsel changes to ELF ldd/ld.so:
* don't abort() on NetBSD/pmax 1.1 elf binaries;
* Assume 32-bit elf unless compiling for Alpha;
* note bugs in ldd's README.

First cut at an ELF shared loader. Originally from John Polstra's FreeBSD elf
kit, then hacked on by Matt Thomas <matt@3am-software.com>, then by me (to
make it work with new versions of the toolchain, etc.). This runs, but it's
in serious need of cleaning and/or a fair bit of reworking. See the README
file for more information, and a list of things to do.

_rtld_map_object(): no need to mmap an empty bss segment.

PT_GNU_RELRO segments are arranged such that their vaddr + memsz ends
on a linker common page size boundary. However, if the common page size
used by the linker is less than the VM page size being used by the kernel,
this can end up in the middle of a VM page and when the region is write-
protected, this can cause objects in neighboring .data to get incorrectly
write-protected, resulting in a crash.

Avoid this situation by calculating the end of the RELRO region not by
rounding memsz up to the VM page size, but rather by adding vaddr + memsz
and then truncating to the VM page size.

Fixes PR toolchain/55043.

XXX pullup-9

branches: 1.60.2;
When loading a non-PIE main binary, the virtual address must match.
Use MAP_TRYFIXED and verify that the result matches the expectation.

MAP_ALIGNED has existed for years, just assume it exists.

branches: 1.58.4; 1.58.6;
Replace COMBREL with just-in-time check in _rtld_relocate_nonplt_objects.

The COMBREL logic predates thread-safety of the dynamic linker and
breaks the use of shared locks for the common symbol lookup case. It is
unlikely to provide any benefit for lazy binding or PLT lookups, so
provide equivalent functionality in the non-PLT relocation handling loop
by checking if the symbol used by the current relocation is the same as
the one used during the last lookup. No inter-object cachine is done as
it is also unlikely to be benefical.

Testing with Firefox startup on AMD64 shows a small performance gain by
the new method.

branches: 1.57.4;
Revert to version 1.55 of map_object.c. This reverts:

"really unmap the gap between the text and data rather than just removing
all access with mprotect(). the latter results in the kernel having to
keep track of that range separately since the permissions are different.
avoid calling mmap() with a size of zero."

As per toolchain/52054: src/libexec/ld.elf_so update breaks everything,
this commit is very broken for some people (but not others). chs mentioned
he has a fix, but best not to leave -current broken in the meantime.

really unmap the gap between the text and data rather than just removing
all access with mprotect(). the latter results in the kernel having to
keep track of that range separately since the permissions are different.
avoid calling mmap() with a size of zero.

branches: 1.55.2; 1.55.4;
Move relro after we've computed out relocbase and re-enable it.
(Matthias Weckbecker)

Add support for GNU RELRO headers from Matthias Weckbecker.

Avoid use after free, reported by the coverity scanner.

branches: 1.52.4;
Fix DEBUG build.

convert to SIMPLEQ like the rest of the queues.

need xfree() instead of free(). Using free() ends us up in an infinite loop.

Fixed handling of DT_SONAME:

- add function to add name aliases for shared libraries loaded
XXX[1]: we don't add a name during load time, only when DT_SONAME
is present.
- search already loaded objects in load_by_name for an already
loaded object that matches our name and return it.
- add missing initialization and cleanup for obj->names
XXX[2]: should we make them SIMPLEQ?
- Add XXX in rtld.c about getting the name of an object.

NB: This makes the jdk work again without resorting to a hack of putting
the build path of libjvm.so into the run path (which is a security
problem).
XXX: Pullup-6?

Trailing whitespace

Adjust exidx_start by relocbase

Handle PT_ARM_EXIDX when mapping objects.

Improve the diagnostic messages for invalid/non-ELF files. Proposed a
while back; I forget the context. Has been sitting in one of my trees
awaiting a test run since, apparently, August 2011.

branches: 1.44.2;
Try to make dbg() printfs realy ELFSIZE independent

branches: 1.43.2;
consistent debugging info for program headers

Add TLS support infrastructure. For dynamic binaries, ld.elf_so exports
_rtld_tls_allocate and _rtld_tls_free. libpthread uses this functions to
setup the thread private area of all new threads. ld.elf_so is
responsible for setting up the private area for the initial thread.
Similar functions are called from _libc_init for static binaries, using
dl_iterate_phdr to access the ELF Program Header.

Add test cases to exercise the different TLS storage models. Test cases
are compiled and installed on all platforms, but are skipped on
platforms not marked for TLS support.

This material is based upon work partially supported by
The NetBSD Foundation under a contract with Joerg Sonnenberger.

It is inspired by the TLS support in FreeBSD by Doug Rabson and the
clean ups of the DragonFly port of the original FreeBSD modifications.

Implement dl_iterate_phdr.

Somewhat taken from FreeBSD. Manual page from OpenBSD.

Wrap long line.

Reset the COMBRELOC cache Obj_Entry if it was freed.

Fixes PR 41482. Done slightly differently to the patch in the PR.

warns=4

add some (uintptr_t) to some casts, so these compile with ELFSIZE=32
*and _LP64. necessary for 32/64 bit combo ldd support.

branches: 1.36.4;
Don't bother unmapping the ELF header unless it overlaps the first load
section.

branches: 1.35.6; 1.35.8;
- Don't use the names malloc/free/etc, since we can end up pulling in libc's
malloc which is not what we want.
- Remove ancient memory compaction hack. Realloc on free memory is now an
error again (from joerg@).

Ok christos@.

branches: 1.34.10;
Coverity CID 2749: Fix another double free. Instead of removing that last
free() call, change the allocation policy to leave the responsibility for
allocation/freeing the pathname to _rtld_map_object(), instead of having
the caller allocate it and _rtld_map_object() free it. This simplifies the
code a lot and it is more efficient.

Fix some double frees / missing frees / use after freed all
relating to _rtld_load_object. Fix Coverity CID 2601, 2600.

appease gcc -Wuninitialized

Add __RCSIDs.

OK'd by mycroft.

ANSIfy and de-__P().

KNF- blank lines before code at start of functions.

make it compile in /usr/src/rescue directory.

Align psections to their specified alignment (if possible). Use
mmap(2) MAP_ALIGNED.

If fstat info was passed, and from it it can be seen that the file size
is smaller than an ELF header, don't even bother to try to look at it.
Avoids coredumps with zero-sized files.

A bit speedup: in _rtld_load_object(), save the number of calls to
strcmp() by performing path name length comparison first. In the test
with Mozilla, the number was reduced to 1068 from 7182 (yes, we saved
6114 strcmp()!).

Minor cleanup.

Make this work for ldd again.

Rearrange _rtld_map_object() a little, so that we don't have to have the first
page of the object double-mapped. Not that it matters much, but someone was
whinging about it.
While I'm at it, nuke obj->phdr and obj->phsize; they're unused.

Change the munmap() of the text-data gap to mprotect(PROT_NONE). This avoids
having scattered little mappings, although it's probably not the best way...

Woops, unmap the first page in the `win' case, too.
Tidy up a bit.

Use _rtld_pagesz instead of PAGESIZE.

space -> tab.

Don't need to use union any longer.

Several small changes that shave 7-8% off the simple-exec-loop test:

* Rename _rtld_find_library() to _rtld_load_library(). It now calls
_rtld_load_object() if necessary to actually load the object, rather
than having the caller do it. To do this, it also takes the `mode'
argument that gets passed to _rtld_load_object().

* On a related note, remove _rtld_check_library(), and instead call
_rtld_load_object() to instead try actually loading the object. We
save two extra namei's and a bunch of redundant work (almost
literally the same code) this way.

* In _rtld_map_object(), mmap(2) the first page read-only, rather than
read(2)ing it.

* In _rtld_symlook_obj(), compare the *second* character of the symbol
name before calling strcmp(). (This first character is too
frequently `_', and turns out to not be helpful, in libc.)

* Also in _rtld_symlook_obj(), remove the bogus STT_FUNC special case
-- this also allows removing the `in_plt' argument to
_rtld_symlook_list() and _rtld_symlook_obj().

Also:

* In _rtld_obj_from_addr(), rather than trying to look up `_end' in
the each object, instead use obj->mapsize as the upper bound.

Nuke two frivolous assert()s.

Introduce a new flag, `isdynamic', which is used to remember whether the
executable was of type ET_DYN. Use this instead of `mainprog' to determine
whether we need to do base-relative fixups of the PLT. (This allows loading
non-relocatable objects, should we desire to do that at some point...)

SIMPLEQ rototill:
- implement SIMPLEQ_REMOVE(head, elm, type, field). whilst it's O(n),
this mirrors the functionality of SLIST_REMOVE() (the other
singly-linked list type) and FreeBSD's STAILQ_REMOVE()
- remove the unnecessary elm arg from SIMPLEQ_REMOVE_HEAD().
this mirrors the functionality of SLIST_REMOVE_HEAD() (the other
singly-linked list type) and FreeBSD's STAILQ_REMOVE_HEAD()
- remove notes about SIMPLEQ not supporting arbitrary element removal
- use SIMPLEQ_FOREACH() instead of home-grown for loops
- use SIMPLEQ_EMPTY() appropriately
- use SIMPLEQ_*() instead of accessing sqh_first,sqh_last,sqe_next directly
- reorder manual page; be consistent about how the types are listed
- other minor cleanups

branches: 1.12.2;
Return an error when there are too many segments rather than abort()ing.
This way `ldd /usr/libexec/ld.elf_so' doesn't core dump.

branches: 1.11.4;
switch back to using a file mapping for the initial mapping of a new object.
this allows the kernel to use PMAP_PREFER() to give us better alignment on
platforms that care.

Changes from msaitoh to fix local/global symbol confusion, and to fix weak
symbol support -- updated by me for elf.h changes.

Remove ELFNAME defines since they are defined in sys/exec_elf.h

Update to match new SVR4-style definition names in <sys/exec_elf.h>.

Undo last change. While these macros are defined in exec_elf.h, they are
enclosed by `#ifdef _KERNEL'.

Remove ELFNAME macros which are already defines in exec_elf.h

branches: 1.5.2;
When allocating the entire address space of an object, map an anonymous
region first (using the data/bss protection) covering it, then overlay
the text and data regions at the appropriate offsets within the region,
and then unmap any gap between the text and data.

The previous method of maping the entire address space with the actual
file object itself is incorrect, as it may extend past the end of the
file if the section alignment is large enough.

This bug was the source of the libposix failure on the SPARC and another
similar failure (with libc!) on the Alpha (failure was accompanied by
a "uvn_io: size check fired" message on the console).

KNF

Fill in missing (default) mmap(2) flags.

Mipsel changes to ELF ldd/ld.so:
* don't abort() on NetBSD/pmax 1.1 elf binaries;
* Assume 32-bit elf unless compiling for Alpha;
* note bugs in ldd's README.

First cut at an ELF shared loader. Originally from John Polstra's FreeBSD elf
kit, then hacked on by Matt Thomas <matt@3am-software.com>, then by me (to
make it work with new versions of the toolchain, etc.). This runs, but it's
in serious need of cleaning and/or a fair bit of reworking. See the README
file for more information, and a list of things to do.

PT_GNU_RELRO segments are arranged such that their vaddr + memsz ends
on a linker common page size boundary. However, if the common page size
used by the linker is less than the VM page size being used by the kernel,
this can end up in the middle of a VM page and when the region is write-
protected, this can cause objects in neighboring .data to get incorrectly
write-protected, resulting in a crash.

Avoid this situation by calculating the end of the RELRO region not by
rounding memsz up to the VM page size, but rather by adding vaddr + memsz
and then truncating to the VM page size.

Fixes PR toolchain/55043.

XXX pullup-9

When loading a non-PIE main binary, the virtual address must match.
Use MAP_TRYFIXED and verify that the result matches the expectation.

MAP_ALIGNED has existed for years, just assume it exists.

branches: 1.58.4; 1.58.6;
Replace COMBREL with just-in-time check in _rtld_relocate_nonplt_objects.

The COMBREL logic predates thread-safety of the dynamic linker and
breaks the use of shared locks for the common symbol lookup case. It is
unlikely to provide any benefit for lazy binding or PLT lookups, so
provide equivalent functionality in the non-PLT relocation handling loop
by checking if the symbol used by the current relocation is the same as
the one used during the last lookup. No inter-object cachine is done as
it is also unlikely to be benefical.

Testing with Firefox startup on AMD64 shows a small performance gain by
the new method.

branches: 1.57.4;
Revert to version 1.55 of map_object.c. This reverts:

"really unmap the gap between the text and data rather than just removing
all access with mprotect(). the latter results in the kernel having to
keep track of that range separately since the permissions are different.
avoid calling mmap() with a size of zero."

As per toolchain/52054: src/libexec/ld.elf_so update breaks everything,
this commit is very broken for some people (but not others). chs mentioned
he has a fix, but best not to leave -current broken in the meantime.

really unmap the gap between the text and data rather than just removing
all access with mprotect(). the latter results in the kernel having to
keep track of that range separately since the permissions are different.
avoid calling mmap() with a size of zero.

branches: 1.55.2; 1.55.4;
Move relro after we've computed out relocbase and re-enable it.
(Matthias Weckbecker)

Add support for GNU RELRO headers from Matthias Weckbecker.

Avoid use after free, reported by the coverity scanner.

branches: 1.52.4;
Fix DEBUG build.

convert to SIMPLEQ like the rest of the queues.

need xfree() instead of free(). Using free() ends us up in an infinite loop.

Fixed handling of DT_SONAME:

- add function to add name aliases for shared libraries loaded
XXX[1]: we don't add a name during load time, only when DT_SONAME
is present.
- search already loaded objects in load_by_name for an already
loaded object that matches our name and return it.
- add missing initialization and cleanup for obj->names
XXX[2]: should we make them SIMPLEQ?
- Add XXX in rtld.c about getting the name of an object.

NB: This makes the jdk work again without resorting to a hack of putting
the build path of libjvm.so into the run path (which is a security
problem).
XXX: Pullup-6?

Trailing whitespace

Adjust exidx_start by relocbase

Handle PT_ARM_EXIDX when mapping objects.

Improve the diagnostic messages for invalid/non-ELF files. Proposed a
while back; I forget the context. Has been sitting in one of my trees
awaiting a test run since, apparently, August 2011.

branches: 1.44.2;
Try to make dbg() printfs realy ELFSIZE independent

branches: 1.43.2;
consistent debugging info for program headers

Add TLS support infrastructure. For dynamic binaries, ld.elf_so exports
_rtld_tls_allocate and _rtld_tls_free. libpthread uses this functions to
setup the thread private area of all new threads. ld.elf_so is
responsible for setting up the private area for the initial thread.
Similar functions are called from _libc_init for static binaries, using
dl_iterate_phdr to access the ELF Program Header.

Add test cases to exercise the different TLS storage models. Test cases
are compiled and installed on all platforms, but are skipped on
platforms not marked for TLS support.

This material is based upon work partially supported by
The NetBSD Foundation under a contract with Joerg Sonnenberger.

It is inspired by the TLS support in FreeBSD by Doug Rabson and the
clean ups of the DragonFly port of the original FreeBSD modifications.

Implement dl_iterate_phdr.

Somewhat taken from FreeBSD. Manual page from OpenBSD.

Wrap long line.

Reset the COMBRELOC cache Obj_Entry if it was freed.

Fixes PR 41482. Done slightly differently to the patch in the PR.

warns=4

add some (uintptr_t) to some casts, so these compile with ELFSIZE=32
*and _LP64. necessary for 32/64 bit combo ldd support.

branches: 1.36.4;
Don't bother unmapping the ELF header unless it overlaps the first load
section.

branches: 1.35.6; 1.35.8;
- Don't use the names malloc/free/etc, since we can end up pulling in libc's
malloc which is not what we want.
- Remove ancient memory compaction hack. Realloc on free memory is now an
error again (from joerg@).

Ok christos@.

branches: 1.34.10;
Coverity CID 2749: Fix another double free. Instead of removing that last
free() call, change the allocation policy to leave the responsibility for
allocation/freeing the pathname to _rtld_map_object(), instead of having
the caller allocate it and _rtld_map_object() free it. This simplifies the
code a lot and it is more efficient.

Fix some double frees / missing frees / use after freed all
relating to _rtld_load_object. Fix Coverity CID 2601, 2600.

appease gcc -Wuninitialized

Add __RCSIDs.

OK'd by mycroft.

ANSIfy and de-__P().

KNF- blank lines before code at start of functions.

make it compile in /usr/src/rescue directory.

Align psections to their specified alignment (if possible). Use
mmap(2) MAP_ALIGNED.

If fstat info was passed, and from it it can be seen that the file size
is smaller than an ELF header, don't even bother to try to look at it.
Avoids coredumps with zero-sized files.

A bit speedup: in _rtld_load_object(), save the number of calls to
strcmp() by performing path name length comparison first. In the test
with Mozilla, the number was reduced to 1068 from 7182 (yes, we saved
6114 strcmp()!).

Minor cleanup.

Make this work for ldd again.

Rearrange _rtld_map_object() a little, so that we don't have to have the first
page of the object double-mapped. Not that it matters much, but someone was
whinging about it.
While I'm at it, nuke obj->phdr and obj->phsize; they're unused.

Change the munmap() of the text-data gap to mprotect(PROT_NONE). This avoids
having scattered little mappings, although it's probably not the best way...

Woops, unmap the first page in the `win' case, too.
Tidy up a bit.

Use _rtld_pagesz instead of PAGESIZE.

space -> tab.

Don't need to use union any longer.

Several small changes that shave 7-8% off the simple-exec-loop test:

* Rename _rtld_find_library() to _rtld_load_library(). It now calls
_rtld_load_object() if necessary to actually load the object, rather
than having the caller do it. To do this, it also takes the `mode'
argument that gets passed to _rtld_load_object().

* On a related note, remove _rtld_check_library(), and instead call
_rtld_load_object() to instead try actually loading the object. We
save two extra namei's and a bunch of redundant work (almost
literally the same code) this way.

* In _rtld_map_object(), mmap(2) the first page read-only, rather than
read(2)ing it.

* In _rtld_symlook_obj(), compare the *second* character of the symbol
name before calling strcmp(). (This first character is too
frequently `_', and turns out to not be helpful, in libc.)

* Also in _rtld_symlook_obj(), remove the bogus STT_FUNC special case
-- this also allows removing the `in_plt' argument to
_rtld_symlook_list() and _rtld_symlook_obj().

Also:

* In _rtld_obj_from_addr(), rather than trying to look up `_end' in
the each object, instead use obj->mapsize as the upper bound.

Nuke two frivolous assert()s.

Introduce a new flag, `isdynamic', which is used to remember whether the
executable was of type ET_DYN. Use this instead of `mainprog' to determine
whether we need to do base-relative fixups of the PLT. (This allows loading
non-relocatable objects, should we desire to do that at some point...)

SIMPLEQ rototill:
- implement SIMPLEQ_REMOVE(head, elm, type, field). whilst it's O(n),
this mirrors the functionality of SLIST_REMOVE() (the other
singly-linked list type) and FreeBSD's STAILQ_REMOVE()
- remove the unnecessary elm arg from SIMPLEQ_REMOVE_HEAD().
this mirrors the functionality of SLIST_REMOVE_HEAD() (the other
singly-linked list type) and FreeBSD's STAILQ_REMOVE_HEAD()
- remove notes about SIMPLEQ not supporting arbitrary element removal
- use SIMPLEQ_FOREACH() instead of home-grown for loops
- use SIMPLEQ_EMPTY() appropriately
- use SIMPLEQ_*() instead of accessing sqh_first,sqh_last,sqe_next directly
- reorder manual page; be consistent about how the types are listed
- other minor cleanups

branches: 1.12.2;
Return an error when there are too many segments rather than abort()ing.
This way `ldd /usr/libexec/ld.elf_so' doesn't core dump.

branches: 1.11.4;
switch back to using a file mapping for the initial mapping of a new object.
this allows the kernel to use PMAP_PREFER() to give us better alignment on
platforms that care.

Changes from msaitoh to fix local/global symbol confusion, and to fix weak
symbol support -- updated by me for elf.h changes.

Remove ELFNAME defines since they are defined in sys/exec_elf.h

Update to match new SVR4-style definition names in <sys/exec_elf.h>.

Undo last change. While these macros are defined in exec_elf.h, they are
enclosed by `#ifdef _KERNEL'.

Remove ELFNAME macros which are already defines in exec_elf.h

branches: 1.5.2;
When allocating the entire address space of an object, map an anonymous
region first (using the data/bss protection) covering it, then overlay
the text and data regions at the appropriate offsets within the region,
and then unmap any gap between the text and data.

The previous method of maping the entire address space with the actual
file object itself is incorrect, as it may extend past the end of the
file if the section alignment is large enough.

This bug was the source of the libposix failure on the SPARC and another
similar failure (with libc!) on the Alpha (failure was accompanied by
a "uvn_io: size check fired" message on the console).

KNF

Fill in missing (default) mmap(2) flags.

Mipsel changes to ELF ldd/ld.so:
* don't abort() on NetBSD/pmax 1.1 elf binaries;
* Assume 32-bit elf unless compiling for Alpha;
* note bugs in ldd's README.

First cut at an ELF shared loader. Originally from John Polstra's FreeBSD elf
kit, then hacked on by Matt Thomas <matt@3am-software.com>, then by me (to
make it work with new versions of the toolchain, etc.). This runs, but it's
in serious need of cleaning and/or a fair bit of reworking. See the README
file for more information, and a list of things to do.

When loading a non-PIE main binary, the virtual address must match.
Use MAP_TRYFIXED and verify that the result matches the expectation.

MAP_ALIGNED has existed for years, just assume it exists.

branches: 1.58.4;
Replace COMBREL with just-in-time check in _rtld_relocate_nonplt_objects.

The COMBREL logic predates thread-safety of the dynamic linker and
breaks the use of shared locks for the common symbol lookup case. It is
unlikely to provide any benefit for lazy binding or PLT lookups, so
provide equivalent functionality in the non-PLT relocation handling loop
by checking if the symbol used by the current relocation is the same as
the one used during the last lookup. No inter-object cachine is done as
it is also unlikely to be benefical.

Testing with Firefox startup on AMD64 shows a small performance gain by
the new method.

branches: 1.57.4;
Revert to version 1.55 of map_object.c. This reverts:

"really unmap the gap between the text and data rather than just removing
all access with mprotect(). the latter results in the kernel having to
keep track of that range separately since the permissions are different.
avoid calling mmap() with a size of zero."

As per toolchain/52054: src/libexec/ld.elf_so update breaks everything,
this commit is very broken for some people (but not others). chs mentioned
he has a fix, but best not to leave -current broken in the meantime.

really unmap the gap between the text and data rather than just removing
all access with mprotect(). the latter results in the kernel having to
keep track of that range separately since the permissions are different.
avoid calling mmap() with a size of zero.

branches: 1.55.2; 1.55.4;
Move relro after we've computed out relocbase and re-enable it.
(Matthias Weckbecker)

Add support for GNU RELRO headers from Matthias Weckbecker.

Avoid use after free, reported by the coverity scanner.

branches: 1.52.4;
Fix DEBUG build.

convert to SIMPLEQ like the rest of the queues.

need xfree() instead of free(). Using free() ends us up in an infinite loop.

Fixed handling of DT_SONAME:

- add function to add name aliases for shared libraries loaded
XXX[1]: we don't add a name during load time, only when DT_SONAME
is present.
- search already loaded objects in load_by_name for an already
loaded object that matches our name and return it.
- add missing initialization and cleanup for obj->names
XXX[2]: should we make them SIMPLEQ?
- Add XXX in rtld.c about getting the name of an object.

NB: This makes the jdk work again without resorting to a hack of putting
the build path of libjvm.so into the run path (which is a security
problem).
XXX: Pullup-6?

Trailing whitespace

Adjust exidx_start by relocbase

Handle PT_ARM_EXIDX when mapping objects.

Improve the diagnostic messages for invalid/non-ELF files. Proposed a
while back; I forget the context. Has been sitting in one of my trees
awaiting a test run since, apparently, August 2011.

branches: 1.44.2;
Try to make dbg() printfs realy ELFSIZE independent

branches: 1.43.2;
consistent debugging info for program headers

Add TLS support infrastructure. For dynamic binaries, ld.elf_so exports
_rtld_tls_allocate and _rtld_tls_free. libpthread uses this functions to
setup the thread private area of all new threads. ld.elf_so is
responsible for setting up the private area for the initial thread.
Similar functions are called from _libc_init for static binaries, using
dl_iterate_phdr to access the ELF Program Header.

Add test cases to exercise the different TLS storage models. Test cases
are compiled and installed on all platforms, but are skipped on
platforms not marked for TLS support.

This material is based upon work partially supported by
The NetBSD Foundation under a contract with Joerg Sonnenberger.

It is inspired by the TLS support in FreeBSD by Doug Rabson and the
clean ups of the DragonFly port of the original FreeBSD modifications.

Implement dl_iterate_phdr.

Somewhat taken from FreeBSD. Manual page from OpenBSD.

Wrap long line.

Reset the COMBRELOC cache Obj_Entry if it was freed.

Fixes PR 41482. Done slightly differently to the patch in the PR.

warns=4

add some (uintptr_t) to some casts, so these compile with ELFSIZE=32
*and _LP64. necessary for 32/64 bit combo ldd support.

branches: 1.36.4;
Don't bother unmapping the ELF header unless it overlaps the first load
section.

branches: 1.35.6; 1.35.8;
- Don't use the names malloc/free/etc, since we can end up pulling in libc's
malloc which is not what we want.
- Remove ancient memory compaction hack. Realloc on free memory is now an
error again (from joerg@).

Ok christos@.

branches: 1.34.10;
Coverity CID 2749: Fix another double free. Instead of removing that last
free() call, change the allocation policy to leave the responsibility for
allocation/freeing the pathname to _rtld_map_object(), instead of having
the caller allocate it and _rtld_map_object() free it. This simplifies the
code a lot and it is more efficient.

Fix some double frees / missing frees / use after freed all
relating to _rtld_load_object. Fix Coverity CID 2601, 2600.

appease gcc -Wuninitialized

Add __RCSIDs.

OK'd by mycroft.

ANSIfy and de-__P().

KNF- blank lines before code at start of functions.

make it compile in /usr/src/rescue directory.

Align psections to their specified alignment (if possible). Use
mmap(2) MAP_ALIGNED.

If fstat info was passed, and from it it can be seen that the file size
is smaller than an ELF header, don't even bother to try to look at it.
Avoids coredumps with zero-sized files.

A bit speedup: in _rtld_load_object(), save the number of calls to
strcmp() by performing path name length comparison first. In the test
with Mozilla, the number was reduced to 1068 from 7182 (yes, we saved
6114 strcmp()!).

Minor cleanup.

Make this work for ldd again.

Rearrange _rtld_map_object() a little, so that we don't have to have the first
page of the object double-mapped. Not that it matters much, but someone was
whinging about it.
While I'm at it, nuke obj->phdr and obj->phsize; they're unused.

Change the munmap() of the text-data gap to mprotect(PROT_NONE). This avoids
having scattered little mappings, although it's probably not the best way...

Woops, unmap the first page in the `win' case, too.
Tidy up a bit.

Use _rtld_pagesz instead of PAGESIZE.

space -> tab.

Don't need to use union any longer.

Several small changes that shave 7-8% off the simple-exec-loop test:

* Rename _rtld_find_library() to _rtld_load_library(). It now calls
_rtld_load_object() if necessary to actually load the object, rather
than having the caller do it. To do this, it also takes the `mode'
argument that gets passed to _rtld_load_object().

* On a related note, remove _rtld_check_library(), and instead call
_rtld_load_object() to instead try actually loading the object. We
save two extra namei's and a bunch of redundant work (almost
literally the same code) this way.

* In _rtld_map_object(), mmap(2) the first page read-only, rather than
read(2)ing it.

* In _rtld_symlook_obj(), compare the *second* character of the symbol
name before calling strcmp(). (This first character is too
frequently `_', and turns out to not be helpful, in libc.)

* Also in _rtld_symlook_obj(), remove the bogus STT_FUNC special case
-- this also allows removing the `in_plt' argument to
_rtld_symlook_list() and _rtld_symlook_obj().

Also:

* In _rtld_obj_from_addr(), rather than trying to look up `_end' in
the each object, instead use obj->mapsize as the upper bound.

Nuke two frivolous assert()s.

Introduce a new flag, `isdynamic', which is used to remember whether the
executable was of type ET_DYN. Use this instead of `mainprog' to determine
whether we need to do base-relative fixups of the PLT. (This allows loading
non-relocatable objects, should we desire to do that at some point...)

SIMPLEQ rototill:
- implement SIMPLEQ_REMOVE(head, elm, type, field). whilst it's O(n),
this mirrors the functionality of SLIST_REMOVE() (the other
singly-linked list type) and FreeBSD's STAILQ_REMOVE()
- remove the unnecessary elm arg from SIMPLEQ_REMOVE_HEAD().
this mirrors the functionality of SLIST_REMOVE_HEAD() (the other
singly-linked list type) and FreeBSD's STAILQ_REMOVE_HEAD()
- remove notes about SIMPLEQ not supporting arbitrary element removal
- use SIMPLEQ_FOREACH() instead of home-grown for loops
- use SIMPLEQ_EMPTY() appropriately
- use SIMPLEQ_*() instead of accessing sqh_first,sqh_last,sqe_next directly
- reorder manual page; be consistent about how the types are listed
- other minor cleanups

branches: 1.12.2;
Return an error when there are too many segments rather than abort()ing.
This way `ldd /usr/libexec/ld.elf_so' doesn't core dump.

branches: 1.11.4;
switch back to using a file mapping for the initial mapping of a new object.
this allows the kernel to use PMAP_PREFER() to give us better alignment on
platforms that care.

Changes from msaitoh to fix local/global symbol confusion, and to fix weak
symbol support -- updated by me for elf.h changes.

Remove ELFNAME defines since they are defined in sys/exec_elf.h

Update to match new SVR4-style definition names in <sys/exec_elf.h>.

Undo last change. While these macros are defined in exec_elf.h, they are
enclosed by `#ifdef _KERNEL'.

Remove ELFNAME macros which are already defines in exec_elf.h

branches: 1.5.2;
When allocating the entire address space of an object, map an anonymous
region first (using the data/bss protection) covering it, then overlay
the text and data regions at the appropriate offsets within the region,
and then unmap any gap between the text and data.

The previous method of maping the entire address space with the actual
file object itself is incorrect, as it may extend past the end of the
file if the section alignment is large enough.

This bug was the source of the libposix failure on the SPARC and another
similar failure (with libc!) on the Alpha (failure was accompanied by
a "uvn_io: size check fired" message on the console).

KNF

Fill in missing (default) mmap(2) flags.

Mipsel changes to ELF ldd/ld.so:
* don't abort() on NetBSD/pmax 1.1 elf binaries;
* Assume 32-bit elf unless compiling for Alpha;
* note bugs in ldd's README.

First cut at an ELF shared loader. Originally from John Polstra's FreeBSD elf
kit, then hacked on by Matt Thomas <matt@3am-software.com>, then by me (to
make it work with new versions of the toolchain, etc.). This runs, but it's
in serious need of cleaning and/or a fair bit of reworking. See the README
file for more information, and a list of things to do.

Replace COMBREL with just-in-time check in _rtld_relocate_nonplt_objects.

The COMBREL logic predates thread-safety of the dynamic linker and
breaks the use of shared locks for the common symbol lookup case. It is
unlikely to provide any benefit for lazy binding or PLT lookups, so
provide equivalent functionality in the non-PLT relocation handling loop
by checking if the symbol used by the current relocation is the same as
the one used during the last lookup. No inter-object cachine is done as
it is also unlikely to be benefical.

Testing with Firefox startup on AMD64 shows a small performance gain by
the new method.

Revert to version 1.55 of map_object.c. This reverts:

"really unmap the gap between the text and data rather than just removing
all access with mprotect(). the latter results in the kernel having to
keep track of that range separately since the permissions are different.
avoid calling mmap() with a size of zero."

As per toolchain/52054: src/libexec/ld.elf_so update breaks everything,
this commit is very broken for some people (but not others). chs mentioned
he has a fix, but best not to leave -current broken in the meantime.

really unmap the gap between the text and data rather than just removing
all access with mprotect(). the latter results in the kernel having to
keep track of that range separately since the permissions are different.
avoid calling mmap() with a size of zero.

branches: 1.55.2; 1.55.4;
Move relro after we've computed out relocbase and re-enable it.
(Matthias Weckbecker)

Add support for GNU RELRO headers from Matthias Weckbecker.

Avoid use after free, reported by the coverity scanner.

branches: 1.52.4;
Fix DEBUG build.

convert to SIMPLEQ like the rest of the queues.

need xfree() instead of free(). Using free() ends us up in an infinite loop.

Fixed handling of DT_SONAME:

- add function to add name aliases for shared libraries loaded
XXX[1]: we don't add a name during load time, only when DT_SONAME
is present.
- search already loaded objects in load_by_name for an already
loaded object that matches our name and return it.
- add missing initialization and cleanup for obj->names
XXX[2]: should we make them SIMPLEQ?
- Add XXX in rtld.c about getting the name of an object.

NB: This makes the jdk work again without resorting to a hack of putting
the build path of libjvm.so into the run path (which is a security
problem).
XXX: Pullup-6?

Trailing whitespace

Adjust exidx_start by relocbase

Handle PT_ARM_EXIDX when mapping objects.

Improve the diagnostic messages for invalid/non-ELF files. Proposed a
while back; I forget the context. Has been sitting in one of my trees
awaiting a test run since, apparently, August 2011.

branches: 1.44.2;
Try to make dbg() printfs realy ELFSIZE independent

branches: 1.43.2;
consistent debugging info for program headers

Add TLS support infrastructure. For dynamic binaries, ld.elf_so exports
_rtld_tls_allocate and _rtld_tls_free. libpthread uses this functions to
setup the thread private area of all new threads. ld.elf_so is
responsible for setting up the private area for the initial thread.
Similar functions are called from _libc_init for static binaries, using
dl_iterate_phdr to access the ELF Program Header.

Add test cases to exercise the different TLS storage models. Test cases
are compiled and installed on all platforms, but are skipped on
platforms not marked for TLS support.

This material is based upon work partially supported by
The NetBSD Foundation under a contract with Joerg Sonnenberger.

It is inspired by the TLS support in FreeBSD by Doug Rabson and the
clean ups of the DragonFly port of the original FreeBSD modifications.

Implement dl_iterate_phdr.

Somewhat taken from FreeBSD. Manual page from OpenBSD.

Wrap long line.

Reset the COMBRELOC cache Obj_Entry if it was freed.

Fixes PR 41482. Done slightly differently to the patch in the PR.

warns=4

add some (uintptr_t) to some casts, so these compile with ELFSIZE=32
*and _LP64. necessary for 32/64 bit combo ldd support.

branches: 1.36.4;
Don't bother unmapping the ELF header unless it overlaps the first load
section.

branches: 1.35.6; 1.35.8;
- Don't use the names malloc/free/etc, since we can end up pulling in libc's
malloc which is not what we want.
- Remove ancient memory compaction hack. Realloc on free memory is now an
error again (from joerg@).

Ok christos@.

branches: 1.34.10;
Coverity CID 2749: Fix another double free. Instead of removing that last
free() call, change the allocation policy to leave the responsibility for
allocation/freeing the pathname to _rtld_map_object(), instead of having
the caller allocate it and _rtld_map_object() free it. This simplifies the
code a lot and it is more efficient.

Fix some double frees / missing frees / use after freed all
relating to _rtld_load_object. Fix Coverity CID 2601, 2600.

appease gcc -Wuninitialized

Add __RCSIDs.

OK'd by mycroft.

ANSIfy and de-__P().

KNF- blank lines before code at start of functions.

make it compile in /usr/src/rescue directory.