crt0 uses a helper function in a MD src/libexec/ld.so .h file (rather than
reproducing the relevant defines and code in a different place) to perform
minor relocations. If things go very wrong, it would call _dl_exit() --
a locally defined crt0 function which is syscall exit(2). We don't need
to call exit(2) for this obscure case which doesn't happen and provides no
debugging information. An 'abort' is going to provide better information.
So let's change the function name to _dso_abort() and make it a single
illegal instruction.
ok guenther

static binaries self-mprotect their relro in crt0. mimmutable() also works
here.
ok kettenis

Lift the '#ifdef RCRT0' conditional out of boot*.h to crt0.c

Prep for dropping #includes from archdep.h: pull in <machine/reloc.h>
and declare _dl_exit() in boot*.h

ok kettenis@

Sync boot.h with ld.so's boot.c, getting rid of struct boot_dyn,
only initializing the variables we need to, and switching to a
"while < end-of-array" style for DT_REL/RELA processing

ok drahn@ kettenis@

Split out the hppa and mips64 versions of boot.h similar to how I
split ld.so/boot.c in 2019:
* delete extraneous #includes
* delete jmprel handling on non-hppa
* delete RELOC_GOT() and DT_PROC bits on non-mips64

ok visa@

ld.so boot cleanup support:
- put functions and data which are only used before calling the executable's
start function into their own page-aligned segments for unmapping
(only done on amd64, arm64, armv7, powerpc, and sparc64 so far)
- pass .init_array and .preinit_array functions an addition argument which
is a callback to get a structure which includes a function that frees
the boot text and data
- sometimes delay doing RELRO processing: for a shared-object marked
DF_1_INITFIRST do it after the object's .init_array, for the executable
do it after the .preinit_array
- improve test-ld.so to link against libpthread and trigger its initialization
late
libc changes to use this will come later

ok kettenis@

Make alpha less special: _dl_boot_bind() is written to complete
relocation of ld.so's GOT without using it, so _reloc_alpha_got()
merely made the call to _dl_boot_bind() from asm simpler...while
itself being a call that required special handling.

diff and muild baking by miod@
ok guenther@

remove unused variables

ok krw@ guenther@

Remove the (now unused) code to determine the page size. Also get rid of
the extern declaration of __got_{start,end}.

ok guenther@

Replace return by break; requested by guenther@

Remove code that reprotects the GOT based on the __got_start and __got_end
symbols. Either the PT_LOAD RWX->RX case ot PT_GNU_RELRO should cover this
already for anything we care about. And lld, the llvm linker, doesn't emit
the __got_start and __got_end symbols and there are good reasons to leave it
that way.

ok guenther@

A couple more unused variables.

tweak & ok kettenis@

retire sparc

Look for a PT_GNU_RELRO section and, if present, mprotect that range
instead of the [__got_start, __got_end) range.

Also, instead of mprotecting the [__plt_start, __plt_end) range,
just scan for sections which are both writable and executable and
mprotect them to read-only. (This part was stolen from kettenis@)

ok kettenis@

Teach mips64 to pass &_DYNAMIC to _dl_boot_bind().

mips64be testing by deraadt@

alpha already calculates &_DYNAMIC for the _reloc_alpha_got() call, so
save that and pass it to _dl_boot_bind() too

Teach i386 to pass &_DYNAMIC to _dl_boot_bind()

Psych: amd64 has been passing &_DYNAMIC to _dl_boot_bind() for 19 months

Flip the #ifdef logic: amd64, i386, and mips64 were the only static PIE
archs using the #else case

Missed a reference to dl_prebind.h

problem noted by Andrew Ngo (andrew.ngo (at) gmail.com)

Call mprotect() via its hidden _lib_mprotect alias to avoid accidental
overriding

ok deraadt@ kettenis@

Simplify the relocation code for the ld.so bootstrap and static pie: track
just the dynamic tags are needed instead of reusing the generic elf_object_t
structure.

testing and feedback from miod@
ok kettenis@

Make sure we set PROT_EXEC on the GOT for BSS-PLT binaries on powerpc.

ok guenther@

Do not include os-note-elf.h here, otherwise we end up with duplicate OS notes
in our binaries.

ok miod@

static pie support for sparc.

<sys/param.h> is not needed here either.
ok guenther millert doug

Make the PLT read-only on powerpc as well.

ok kurt@

Static PIE support for alpha.

This adds alpha-specific first-pass GOT relocation code to boot.h.
The assembly code is pure magic. The numeric register
names don't make it easier to understand (or compare with the
equivalent ld.so code). Unfortunately the assembler only understands
a few symbolic register names.

Renames the crt0.o entry point to __start. Our compiler was already using
__start and the linker will soon follow.

ok kurt@

Use archdep.h GOT_PERMS define for mprotect of GOT. okay kettenis@

Expand Elf_Rel relocations to include DT_JMPREL. Inspect DT_PLTREL value
to determine if DT_JMPREL relocations are REL or RELA and conditionally
perform DT_JMPREL in either REL or RELA as needed (idea from kettenis@).
Remove unneeded i386 RELA implementation. i386 static pie working now.

okay kettenis@

Fix previos. Pointed out by kurt@.

Use the page size passed by the kernel in the Auxilliary Vector to handle
architectures with variable page size.

Make sure the GOT and PLT are not writable.

Note that ommitting PROT_EXEC for the PLT is deliberate; static PIE
binaries should never actually hit the PLT.

We're still debating what to do when mprotect(2) fails. But that is no
excuse not to at least attempt to fix things up.

ok deraadt@

When skipping a relocation because the referenced symbol is undefined, make
sure we move on to the next relocation entry.

While there, also skip relocations for REL architectures.

Introduce new csu0 variant for -static -pie binaries to use called
rcsu0.o where the initial 'r' is for relocatable. rcsu0.o performs
self-relocation on static pie binaries by calling a slightly modified
copy of ld.so's _dl_boot_bind() in boot.h.

The first arch implementatation is also included for amd64 where
__start calls _dl_boot_bind() and then calls ___start(). Includes
parts from kettenis@ to help get R_X86_64_64 relocations working
and proper handling for undefined weak symbols.

This is the first part of several to get static pie self-relocating
binaries working. binutils, gcc and kernel changes are forthcoming
to complete the solution, then per-arch implementations are needed
for MD_RCRT0_START in csu.

okay kettenis@ pascal@ deraadt@

static binaries self-mprotect their relro in crt0. mimmutable() also works
here.
ok kettenis

Lift the '#ifdef RCRT0' conditional out of boot*.h to crt0.c

Prep for dropping #includes from archdep.h: pull in <machine/reloc.h>
and declare _dl_exit() in boot*.h

ok kettenis@

Sync boot.h with ld.so's boot.c, getting rid of struct boot_dyn,
only initializing the variables we need to, and switching to a
"while < end-of-array" style for DT_REL/RELA processing

ok drahn@ kettenis@

Split out the hppa and mips64 versions of boot.h similar to how I
split ld.so/boot.c in 2019:
* delete extraneous #includes
* delete jmprel handling on non-hppa
* delete RELOC_GOT() and DT_PROC bits on non-mips64

ok visa@

ld.so boot cleanup support:
- put functions and data which are only used before calling the executable's
start function into their own page-aligned segments for unmapping
(only done on amd64, arm64, armv7, powerpc, and sparc64 so far)
- pass .init_array and .preinit_array functions an addition argument which
is a callback to get a structure which includes a function that frees
the boot text and data
- sometimes delay doing RELRO processing: for a shared-object marked
DF_1_INITFIRST do it after the object's .init_array, for the executable
do it after the .preinit_array
- improve test-ld.so to link against libpthread and trigger its initialization
late
libc changes to use this will come later

ok kettenis@

Make alpha less special: _dl_boot_bind() is written to complete
relocation of ld.so's GOT without using it, so _reloc_alpha_got()
merely made the call to _dl_boot_bind() from asm simpler...while
itself being a call that required special handling.

diff and muild baking by miod@
ok guenther@

remove unused variables

ok krw@ guenther@

Remove the (now unused) code to determine the page size. Also get rid of
the extern declaration of __got_{start,end}.

ok guenther@

Replace return by break; requested by guenther@

Remove code that reprotects the GOT based on the __got_start and __got_end
symbols. Either the PT_LOAD RWX->RX case ot PT_GNU_RELRO should cover this
already for anything we care about. And lld, the llvm linker, doesn't emit
the __got_start and __got_end symbols and there are good reasons to leave it
that way.

ok guenther@

A couple more unused variables.

tweak & ok kettenis@

retire sparc

Look for a PT_GNU_RELRO section and, if present, mprotect that range
instead of the [__got_start, __got_end) range.

Also, instead of mprotecting the [__plt_start, __plt_end) range,
just scan for sections which are both writable and executable and
mprotect them to read-only. (This part was stolen from kettenis@)

ok kettenis@

Teach mips64 to pass &_DYNAMIC to _dl_boot_bind().

mips64be testing by deraadt@

alpha already calculates &_DYNAMIC for the _reloc_alpha_got() call, so
save that and pass it to _dl_boot_bind() too

Teach i386 to pass &_DYNAMIC to _dl_boot_bind()

Psych: amd64 has been passing &_DYNAMIC to _dl_boot_bind() for 19 months

Flip the #ifdef logic: amd64, i386, and mips64 were the only static PIE
archs using the #else case

Missed a reference to dl_prebind.h

problem noted by Andrew Ngo (andrew.ngo (at) gmail.com)

Call mprotect() via its hidden _lib_mprotect alias to avoid accidental
overriding

ok deraadt@ kettenis@

Simplify the relocation code for the ld.so bootstrap and static pie: track
just the dynamic tags are needed instead of reusing the generic elf_object_t
structure.

testing and feedback from miod@
ok kettenis@

Make sure we set PROT_EXEC on the GOT for BSS-PLT binaries on powerpc.

ok guenther@

Do not include os-note-elf.h here, otherwise we end up with duplicate OS notes
in our binaries.

ok miod@

static pie support for sparc.

<sys/param.h> is not needed here either.
ok guenther millert doug

Make the PLT read-only on powerpc as well.

ok kurt@

Static PIE support for alpha.

This adds alpha-specific first-pass GOT relocation code to boot.h.
The assembly code is pure magic. The numeric register
names don't make it easier to understand (or compare with the
equivalent ld.so code). Unfortunately the assembler only understands
a few symbolic register names.

Renames the crt0.o entry point to __start. Our compiler was already using
__start and the linker will soon follow.

ok kurt@

Use archdep.h GOT_PERMS define for mprotect of GOT. okay kettenis@

Expand Elf_Rel relocations to include DT_JMPREL. Inspect DT_PLTREL value
to determine if DT_JMPREL relocations are REL or RELA and conditionally
perform DT_JMPREL in either REL or RELA as needed (idea from kettenis@).
Remove unneeded i386 RELA implementation. i386 static pie working now.

okay kettenis@

Fix previos. Pointed out by kurt@.

Use the page size passed by the kernel in the Auxilliary Vector to handle
architectures with variable page size.

Make sure the GOT and PLT are not writable.

Note that ommitting PROT_EXEC for the PLT is deliberate; static PIE
binaries should never actually hit the PLT.

We're still debating what to do when mprotect(2) fails. But that is no
excuse not to at least attempt to fix things up.

ok deraadt@

When skipping a relocation because the referenced symbol is undefined, make
sure we move on to the next relocation entry.

While there, also skip relocations for REL architectures.

Introduce new csu0 variant for -static -pie binaries to use called
rcsu0.o where the initial 'r' is for relocatable. rcsu0.o performs
self-relocation on static pie binaries by calling a slightly modified
copy of ld.so's _dl_boot_bind() in boot.h.

The first arch implementatation is also included for amd64 where
__start calls _dl_boot_bind() and then calls ___start(). Includes
parts from kettenis@ to help get R_X86_64_64 relocations working
and proper handling for undefined weak symbols.

This is the first part of several to get static pie self-relocating
binaries working. binutils, gcc and kernel changes are forthcoming
to complete the solution, then per-arch implementations are needed
for MD_RCRT0_START in csu.

okay kettenis@ pascal@ deraadt@

Lift the '#ifdef RCRT0' conditional out of boot*.h to crt0.c

Prep for dropping #includes from archdep.h: pull in <machine/reloc.h>
and declare _dl_exit() in boot*.h

ok kettenis@

Sync boot.h with ld.so's boot.c, getting rid of struct boot_dyn,
only initializing the variables we need to, and switching to a
"while < end-of-array" style for DT_REL/RELA processing

ok drahn@ kettenis@

Split out the hppa and mips64 versions of boot.h similar to how I
split ld.so/boot.c in 2019:
* delete extraneous #includes
* delete jmprel handling on non-hppa
* delete RELOC_GOT() and DT_PROC bits on non-mips64

ok visa@

ld.so boot cleanup support:
- put functions and data which are only used before calling the executable's
start function into their own page-aligned segments for unmapping
(only done on amd64, arm64, armv7, powerpc, and sparc64 so far)
- pass .init_array and .preinit_array functions an addition argument which
is a callback to get a structure which includes a function that frees
the boot text and data
- sometimes delay doing RELRO processing: for a shared-object marked
DF_1_INITFIRST do it after the object's .init_array, for the executable
do it after the .preinit_array
- improve test-ld.so to link against libpthread and trigger its initialization
late
libc changes to use this will come later

ok kettenis@

Make alpha less special: _dl_boot_bind() is written to complete
relocation of ld.so's GOT without using it, so _reloc_alpha_got()
merely made the call to _dl_boot_bind() from asm simpler...while
itself being a call that required special handling.

diff and muild baking by miod@
ok guenther@

remove unused variables

ok krw@ guenther@

Remove the (now unused) code to determine the page size. Also get rid of
the extern declaration of __got_{start,end}.

ok guenther@

Replace return by break; requested by guenther@

Remove code that reprotects the GOT based on the __got_start and __got_end
symbols. Either the PT_LOAD RWX->RX case ot PT_GNU_RELRO should cover this
already for anything we care about. And lld, the llvm linker, doesn't emit
the __got_start and __got_end symbols and there are good reasons to leave it
that way.

ok guenther@

A couple more unused variables.

tweak & ok kettenis@

retire sparc

Look for a PT_GNU_RELRO section and, if present, mprotect that range
instead of the [__got_start, __got_end) range.

Also, instead of mprotecting the [__plt_start, __plt_end) range,
just scan for sections which are both writable and executable and
mprotect them to read-only. (This part was stolen from kettenis@)

ok kettenis@

Teach mips64 to pass &_DYNAMIC to _dl_boot_bind().

mips64be testing by deraadt@

alpha already calculates &_DYNAMIC for the _reloc_alpha_got() call, so
save that and pass it to _dl_boot_bind() too

Teach i386 to pass &_DYNAMIC to _dl_boot_bind()

Psych: amd64 has been passing &_DYNAMIC to _dl_boot_bind() for 19 months

Flip the #ifdef logic: amd64, i386, and mips64 were the only static PIE
archs using the #else case

Missed a reference to dl_prebind.h

problem noted by Andrew Ngo (andrew.ngo (at) gmail.com)

Call mprotect() via its hidden _lib_mprotect alias to avoid accidental
overriding

ok deraadt@ kettenis@

Simplify the relocation code for the ld.so bootstrap and static pie: track
just the dynamic tags are needed instead of reusing the generic elf_object_t
structure.

testing and feedback from miod@
ok kettenis@

Make sure we set PROT_EXEC on the GOT for BSS-PLT binaries on powerpc.

ok guenther@

Do not include os-note-elf.h here, otherwise we end up with duplicate OS notes
in our binaries.

ok miod@

static pie support for sparc.

<sys/param.h> is not needed here either.
ok guenther millert doug

Make the PLT read-only on powerpc as well.

ok kurt@

Static PIE support for alpha.

This adds alpha-specific first-pass GOT relocation code to boot.h.
The assembly code is pure magic. The numeric register
names don't make it easier to understand (or compare with the
equivalent ld.so code). Unfortunately the assembler only understands
a few symbolic register names.

Renames the crt0.o entry point to __start. Our compiler was already using
__start and the linker will soon follow.

ok kurt@

Use archdep.h GOT_PERMS define for mprotect of GOT. okay kettenis@

Expand Elf_Rel relocations to include DT_JMPREL. Inspect DT_PLTREL value
to determine if DT_JMPREL relocations are REL or RELA and conditionally
perform DT_JMPREL in either REL or RELA as needed (idea from kettenis@).
Remove unneeded i386 RELA implementation. i386 static pie working now.

okay kettenis@

Fix previos. Pointed out by kurt@.

Use the page size passed by the kernel in the Auxilliary Vector to handle
architectures with variable page size.

Make sure the GOT and PLT are not writable.

Note that ommitting PROT_EXEC for the PLT is deliberate; static PIE
binaries should never actually hit the PLT.

We're still debating what to do when mprotect(2) fails. But that is no
excuse not to at least attempt to fix things up.

ok deraadt@

When skipping a relocation because the referenced symbol is undefined, make
sure we move on to the next relocation entry.

While there, also skip relocations for REL architectures.

Introduce new csu0 variant for -static -pie binaries to use called
rcsu0.o where the initial 'r' is for relocatable. rcsu0.o performs
self-relocation on static pie binaries by calling a slightly modified
copy of ld.so's _dl_boot_bind() in boot.h.

The first arch implementatation is also included for amd64 where
__start calls _dl_boot_bind() and then calls ___start(). Includes
parts from kettenis@ to help get R_X86_64_64 relocations working
and proper handling for undefined weak symbols.

This is the first part of several to get static pie self-relocating
binaries working. binutils, gcc and kernel changes are forthcoming
to complete the solution, then per-arch implementations are needed
for MD_RCRT0_START in csu.

okay kettenis@ pascal@ deraadt@

Sync boot.h with ld.so's boot.c, getting rid of struct boot_dyn,
only initializing the variables we need to, and switching to a
"while < end-of-array" style for DT_REL/RELA processing

ok drahn@ kettenis@

Split out the hppa and mips64 versions of boot.h similar to how I
split ld.so/boot.c in 2019:
* delete extraneous #includes
* delete jmprel handling on non-hppa
* delete RELOC_GOT() and DT_PROC bits on non-mips64

ok visa@

ld.so boot cleanup support:
- put functions and data which are only used before calling the executable's
start function into their own page-aligned segments for unmapping
(only done on amd64, arm64, armv7, powerpc, and sparc64 so far)
- pass .init_array and .preinit_array functions an addition argument which
is a callback to get a structure which includes a function that frees
the boot text and data
- sometimes delay doing RELRO processing: for a shared-object marked
DF_1_INITFIRST do it after the object's .init_array, for the executable
do it after the .preinit_array
- improve test-ld.so to link against libpthread and trigger its initialization
late
libc changes to use this will come later

ok kettenis@

Make alpha less special: _dl_boot_bind() is written to complete
relocation of ld.so's GOT without using it, so _reloc_alpha_got()
merely made the call to _dl_boot_bind() from asm simpler...while
itself being a call that required special handling.

diff and muild baking by miod@
ok guenther@

remove unused variables

ok krw@ guenther@

Remove the (now unused) code to determine the page size. Also get rid of
the extern declaration of __got_{start,end}.

ok guenther@

Replace return by break; requested by guenther@

Remove code that reprotects the GOT based on the __got_start and __got_end
symbols. Either the PT_LOAD RWX->RX case ot PT_GNU_RELRO should cover this
already for anything we care about. And lld, the llvm linker, doesn't emit
the __got_start and __got_end symbols and there are good reasons to leave it
that way.

ok guenther@

A couple more unused variables.

tweak & ok kettenis@

retire sparc

Look for a PT_GNU_RELRO section and, if present, mprotect that range
instead of the [__got_start, __got_end) range.

Also, instead of mprotecting the [__plt_start, __plt_end) range,
just scan for sections which are both writable and executable and
mprotect them to read-only. (This part was stolen from kettenis@)

ok kettenis@

Teach mips64 to pass &_DYNAMIC to _dl_boot_bind().

mips64be testing by deraadt@

alpha already calculates &_DYNAMIC for the _reloc_alpha_got() call, so
save that and pass it to _dl_boot_bind() too

Teach i386 to pass &_DYNAMIC to _dl_boot_bind()

Psych: amd64 has been passing &_DYNAMIC to _dl_boot_bind() for 19 months

Flip the #ifdef logic: amd64, i386, and mips64 were the only static PIE
archs using the #else case

Missed a reference to dl_prebind.h

problem noted by Andrew Ngo (andrew.ngo (at) gmail.com)

Call mprotect() via its hidden _lib_mprotect alias to avoid accidental
overriding

ok deraadt@ kettenis@

Simplify the relocation code for the ld.so bootstrap and static pie: track
just the dynamic tags are needed instead of reusing the generic elf_object_t
structure.

testing and feedback from miod@
ok kettenis@

Make sure we set PROT_EXEC on the GOT for BSS-PLT binaries on powerpc.

ok guenther@

Do not include os-note-elf.h here, otherwise we end up with duplicate OS notes
in our binaries.

ok miod@

static pie support for sparc.

<sys/param.h> is not needed here either.
ok guenther millert doug

Make the PLT read-only on powerpc as well.

ok kurt@

Static PIE support for alpha.

This adds alpha-specific first-pass GOT relocation code to boot.h.
The assembly code is pure magic. The numeric register
names don't make it easier to understand (or compare with the
equivalent ld.so code). Unfortunately the assembler only understands
a few symbolic register names.

Renames the crt0.o entry point to __start. Our compiler was already using
__start and the linker will soon follow.

ok kurt@

Use archdep.h GOT_PERMS define for mprotect of GOT. okay kettenis@

Expand Elf_Rel relocations to include DT_JMPREL. Inspect DT_PLTREL value
to determine if DT_JMPREL relocations are REL or RELA and conditionally
perform DT_JMPREL in either REL or RELA as needed (idea from kettenis@).
Remove unneeded i386 RELA implementation. i386 static pie working now.

okay kettenis@

Fix previos. Pointed out by kurt@.

Use the page size passed by the kernel in the Auxilliary Vector to handle
architectures with variable page size.

Make sure the GOT and PLT are not writable.

Note that ommitting PROT_EXEC for the PLT is deliberate; static PIE
binaries should never actually hit the PLT.

We're still debating what to do when mprotect(2) fails. But that is no
excuse not to at least attempt to fix things up.

ok deraadt@

When skipping a relocation because the referenced symbol is undefined, make
sure we move on to the next relocation entry.

While there, also skip relocations for REL architectures.

Introduce new csu0 variant for -static -pie binaries to use called
rcsu0.o where the initial 'r' is for relocatable. rcsu0.o performs
self-relocation on static pie binaries by calling a slightly modified
copy of ld.so's _dl_boot_bind() in boot.h.

The first arch implementatation is also included for amd64 where
__start calls _dl_boot_bind() and then calls ___start(). Includes
parts from kettenis@ to help get R_X86_64_64 relocations working
and proper handling for undefined weak symbols.

This is the first part of several to get static pie self-relocating
binaries working. binutils, gcc and kernel changes are forthcoming
to complete the solution, then per-arch implementations are needed
for MD_RCRT0_START in csu.

okay kettenis@ pascal@ deraadt@

Split out the hppa and mips64 versions of boot.h similar to how I
split ld.so/boot.c in 2019:
* delete extraneous #includes
* delete jmprel handling on non-hppa
* delete RELOC_GOT() and DT_PROC bits on non-mips64

ok visa@

ld.so boot cleanup support:
- put functions and data which are only used before calling the executable's
start function into their own page-aligned segments for unmapping
(only done on amd64, arm64, armv7, powerpc, and sparc64 so far)
- pass .init_array and .preinit_array functions an addition argument which
is a callback to get a structure which includes a function that frees
the boot text and data
- sometimes delay doing RELRO processing: for a shared-object marked
DF_1_INITFIRST do it after the object's .init_array, for the executable
do it after the .preinit_array
- improve test-ld.so to link against libpthread and trigger its initialization
late
libc changes to use this will come later

ok kettenis@

Make alpha less special: _dl_boot_bind() is written to complete
relocation of ld.so's GOT without using it, so _reloc_alpha_got()
merely made the call to _dl_boot_bind() from asm simpler...while
itself being a call that required special handling.

diff and muild baking by miod@
ok guenther@

remove unused variables

ok krw@ guenther@

Remove the (now unused) code to determine the page size. Also get rid of
the extern declaration of __got_{start,end}.

ok guenther@

Replace return by break; requested by guenther@

Remove code that reprotects the GOT based on the __got_start and __got_end
symbols. Either the PT_LOAD RWX->RX case ot PT_GNU_RELRO should cover this
already for anything we care about. And lld, the llvm linker, doesn't emit
the __got_start and __got_end symbols and there are good reasons to leave it
that way.

ok guenther@

A couple more unused variables.

tweak & ok kettenis@

retire sparc

Look for a PT_GNU_RELRO section and, if present, mprotect that range
instead of the [__got_start, __got_end) range.

Also, instead of mprotecting the [__plt_start, __plt_end) range,
just scan for sections which are both writable and executable and
mprotect them to read-only. (This part was stolen from kettenis@)

ok kettenis@

Teach mips64 to pass &_DYNAMIC to _dl_boot_bind().

mips64be testing by deraadt@

alpha already calculates &_DYNAMIC for the _reloc_alpha_got() call, so
save that and pass it to _dl_boot_bind() too

Teach i386 to pass &_DYNAMIC to _dl_boot_bind()

Psych: amd64 has been passing &_DYNAMIC to _dl_boot_bind() for 19 months

Flip the #ifdef logic: amd64, i386, and mips64 were the only static PIE
archs using the #else case

Missed a reference to dl_prebind.h

problem noted by Andrew Ngo (andrew.ngo (at) gmail.com)

Call mprotect() via its hidden _lib_mprotect alias to avoid accidental
overriding

ok deraadt@ kettenis@

Simplify the relocation code for the ld.so bootstrap and static pie: track
just the dynamic tags are needed instead of reusing the generic elf_object_t
structure.

testing and feedback from miod@
ok kettenis@

Make sure we set PROT_EXEC on the GOT for BSS-PLT binaries on powerpc.

ok guenther@

Do not include os-note-elf.h here, otherwise we end up with duplicate OS notes
in our binaries.

ok miod@

static pie support for sparc.

<sys/param.h> is not needed here either.
ok guenther millert doug

Make the PLT read-only on powerpc as well.

ok kurt@

Static PIE support for alpha.

This adds alpha-specific first-pass GOT relocation code to boot.h.
The assembly code is pure magic. The numeric register
names don't make it easier to understand (or compare with the
equivalent ld.so code). Unfortunately the assembler only understands
a few symbolic register names.

Renames the crt0.o entry point to __start. Our compiler was already using
__start and the linker will soon follow.

ok kurt@

Use archdep.h GOT_PERMS define for mprotect of GOT. okay kettenis@

Expand Elf_Rel relocations to include DT_JMPREL. Inspect DT_PLTREL value
to determine if DT_JMPREL relocations are REL or RELA and conditionally
perform DT_JMPREL in either REL or RELA as needed (idea from kettenis@).
Remove unneeded i386 RELA implementation. i386 static pie working now.

okay kettenis@

Fix previos. Pointed out by kurt@.

Use the page size passed by the kernel in the Auxilliary Vector to handle
architectures with variable page size.

Make sure the GOT and PLT are not writable.

Note that ommitting PROT_EXEC for the PLT is deliberate; static PIE
binaries should never actually hit the PLT.

We're still debating what to do when mprotect(2) fails. But that is no
excuse not to at least attempt to fix things up.

ok deraadt@

When skipping a relocation because the referenced symbol is undefined, make
sure we move on to the next relocation entry.

While there, also skip relocations for REL architectures.

Introduce new csu0 variant for -static -pie binaries to use called
rcsu0.o where the initial 'r' is for relocatable. rcsu0.o performs
self-relocation on static pie binaries by calling a slightly modified
copy of ld.so's _dl_boot_bind() in boot.h.

The first arch implementatation is also included for amd64 where
__start calls _dl_boot_bind() and then calls ___start(). Includes
parts from kettenis@ to help get R_X86_64_64 relocations working
and proper handling for undefined weak symbols.

This is the first part of several to get static pie self-relocating
binaries working. binutils, gcc and kernel changes are forthcoming
to complete the solution, then per-arch implementations are needed
for MD_RCRT0_START in csu.

okay kettenis@ pascal@ deraadt@

ld.so boot cleanup support:
- put functions and data which are only used before calling the executable's
start function into their own page-aligned segments for unmapping
(only done on amd64, arm64, armv7, powerpc, and sparc64 so far)
- pass .init_array and .preinit_array functions an addition argument which
is a callback to get a structure which includes a function that frees
the boot text and data
- sometimes delay doing RELRO processing: for a shared-object marked
DF_1_INITFIRST do it after the object's .init_array, for the executable
do it after the .preinit_array
- improve test-ld.so to link against libpthread and trigger its initialization
late
libc changes to use this will come later

ok kettenis@

Make alpha less special: _dl_boot_bind() is written to complete
relocation of ld.so's GOT without using it, so _reloc_alpha_got()
merely made the call to _dl_boot_bind() from asm simpler...while
itself being a call that required special handling.

diff and muild baking by miod@
ok guenther@

remove unused variables

ok krw@ guenther@

Remove the (now unused) code to determine the page size. Also get rid of
the extern declaration of __got_{start,end}.

ok guenther@

Replace return by break; requested by guenther@

Remove code that reprotects the GOT based on the __got_start and __got_end
symbols. Either the PT_LOAD RWX->RX case ot PT_GNU_RELRO should cover this
already for anything we care about. And lld, the llvm linker, doesn't emit
the __got_start and __got_end symbols and there are good reasons to leave it
that way.

ok guenther@

A couple more unused variables.

tweak & ok kettenis@

retire sparc

Look for a PT_GNU_RELRO section and, if present, mprotect that range
instead of the [__got_start, __got_end) range.

Also, instead of mprotecting the [__plt_start, __plt_end) range,
just scan for sections which are both writable and executable and
mprotect them to read-only. (This part was stolen from kettenis@)

ok kettenis@

Teach mips64 to pass &_DYNAMIC to _dl_boot_bind().

mips64be testing by deraadt@

alpha already calculates &_DYNAMIC for the _reloc_alpha_got() call, so
save that and pass it to _dl_boot_bind() too

Teach i386 to pass &_DYNAMIC to _dl_boot_bind()

Psych: amd64 has been passing &_DYNAMIC to _dl_boot_bind() for 19 months

Flip the #ifdef logic: amd64, i386, and mips64 were the only static PIE
archs using the #else case

Missed a reference to dl_prebind.h

problem noted by Andrew Ngo (andrew.ngo (at) gmail.com)

Call mprotect() via its hidden _lib_mprotect alias to avoid accidental
overriding

ok deraadt@ kettenis@

Simplify the relocation code for the ld.so bootstrap and static pie: track
just the dynamic tags are needed instead of reusing the generic elf_object_t
structure.

testing and feedback from miod@
ok kettenis@

Make sure we set PROT_EXEC on the GOT for BSS-PLT binaries on powerpc.

ok guenther@

Do not include os-note-elf.h here, otherwise we end up with duplicate OS notes
in our binaries.

ok miod@

static pie support for sparc.

<sys/param.h> is not needed here either.
ok guenther millert doug

Make the PLT read-only on powerpc as well.

ok kurt@

Static PIE support for alpha.

This adds alpha-specific first-pass GOT relocation code to boot.h.
The assembly code is pure magic. The numeric register
names don't make it easier to understand (or compare with the
equivalent ld.so code). Unfortunately the assembler only understands
a few symbolic register names.

Renames the crt0.o entry point to __start. Our compiler was already using
__start and the linker will soon follow.

ok kurt@

Use archdep.h GOT_PERMS define for mprotect of GOT. okay kettenis@

Expand Elf_Rel relocations to include DT_JMPREL. Inspect DT_PLTREL value
to determine if DT_JMPREL relocations are REL or RELA and conditionally
perform DT_JMPREL in either REL or RELA as needed (idea from kettenis@).
Remove unneeded i386 RELA implementation. i386 static pie working now.

okay kettenis@

Fix previos. Pointed out by kurt@.

Use the page size passed by the kernel in the Auxilliary Vector to handle
architectures with variable page size.

Make sure the GOT and PLT are not writable.

Note that ommitting PROT_EXEC for the PLT is deliberate; static PIE
binaries should never actually hit the PLT.

We're still debating what to do when mprotect(2) fails. But that is no
excuse not to at least attempt to fix things up.

ok deraadt@

When skipping a relocation because the referenced symbol is undefined, make
sure we move on to the next relocation entry.

While there, also skip relocations for REL architectures.

Introduce new csu0 variant for -static -pie binaries to use called
rcsu0.o where the initial 'r' is for relocatable. rcsu0.o performs
self-relocation on static pie binaries by calling a slightly modified
copy of ld.so's _dl_boot_bind() in boot.h.

The first arch implementatation is also included for amd64 where
__start calls _dl_boot_bind() and then calls ___start(). Includes
parts from kettenis@ to help get R_X86_64_64 relocations working
and proper handling for undefined weak symbols.

This is the first part of several to get static pie self-relocating
binaries working. binutils, gcc and kernel changes are forthcoming
to complete the solution, then per-arch implementations are needed
for MD_RCRT0_START in csu.

okay kettenis@ pascal@ deraadt@

Make alpha less special: _dl_boot_bind() is written to complete
relocation of ld.so's GOT without using it, so _reloc_alpha_got()
merely made the call to _dl_boot_bind() from asm simpler...while
itself being a call that required special handling.

diff and muild baking by miod@
ok guenther@

remove unused variables

ok krw@ guenther@

Remove the (now unused) code to determine the page size. Also get rid of
the extern declaration of __got_{start,end}.

ok guenther@

Replace return by break; requested by guenther@

Remove code that reprotects the GOT based on the __got_start and __got_end
symbols. Either the PT_LOAD RWX->RX case ot PT_GNU_RELRO should cover this
already for anything we care about. And lld, the llvm linker, doesn't emit
the __got_start and __got_end symbols and there are good reasons to leave it
that way.

ok guenther@

A couple more unused variables.

tweak & ok kettenis@

retire sparc

Look for a PT_GNU_RELRO section and, if present, mprotect that range
instead of the [__got_start, __got_end) range.

Also, instead of mprotecting the [__plt_start, __plt_end) range,
just scan for sections which are both writable and executable and
mprotect them to read-only. (This part was stolen from kettenis@)

ok kettenis@

Teach mips64 to pass &_DYNAMIC to _dl_boot_bind().

mips64be testing by deraadt@

alpha already calculates &_DYNAMIC for the _reloc_alpha_got() call, so
save that and pass it to _dl_boot_bind() too

Teach i386 to pass &_DYNAMIC to _dl_boot_bind()

Psych: amd64 has been passing &_DYNAMIC to _dl_boot_bind() for 19 months

Flip the #ifdef logic: amd64, i386, and mips64 were the only static PIE
archs using the #else case

Missed a reference to dl_prebind.h

problem noted by Andrew Ngo (andrew.ngo (at) gmail.com)

Call mprotect() via its hidden _lib_mprotect alias to avoid accidental
overriding

ok deraadt@ kettenis@

Simplify the relocation code for the ld.so bootstrap and static pie: track
just the dynamic tags are needed instead of reusing the generic elf_object_t
structure.

testing and feedback from miod@
ok kettenis@

Make sure we set PROT_EXEC on the GOT for BSS-PLT binaries on powerpc.

ok guenther@

Do not include os-note-elf.h here, otherwise we end up with duplicate OS notes
in our binaries.

ok miod@

static pie support for sparc.

<sys/param.h> is not needed here either.
ok guenther millert doug

Make the PLT read-only on powerpc as well.

ok kurt@

Static PIE support for alpha.

This adds alpha-specific first-pass GOT relocation code to boot.h.
The assembly code is pure magic. The numeric register
names don't make it easier to understand (or compare with the
equivalent ld.so code). Unfortunately the assembler only understands
a few symbolic register names.

Renames the crt0.o entry point to __start. Our compiler was already using
__start and the linker will soon follow.

ok kurt@

Use archdep.h GOT_PERMS define for mprotect of GOT. okay kettenis@

Expand Elf_Rel relocations to include DT_JMPREL. Inspect DT_PLTREL value
to determine if DT_JMPREL relocations are REL or RELA and conditionally
perform DT_JMPREL in either REL or RELA as needed (idea from kettenis@).
Remove unneeded i386 RELA implementation. i386 static pie working now.

okay kettenis@

Fix previos. Pointed out by kurt@.

Use the page size passed by the kernel in the Auxilliary Vector to handle
architectures with variable page size.

Make sure the GOT and PLT are not writable.

Note that ommitting PROT_EXEC for the PLT is deliberate; static PIE
binaries should never actually hit the PLT.

We're still debating what to do when mprotect(2) fails. But that is no
excuse not to at least attempt to fix things up.

ok deraadt@

When skipping a relocation because the referenced symbol is undefined, make
sure we move on to the next relocation entry.

While there, also skip relocations for REL architectures.

Introduce new csu0 variant for -static -pie binaries to use called
rcsu0.o where the initial 'r' is for relocatable. rcsu0.o performs
self-relocation on static pie binaries by calling a slightly modified
copy of ld.so's _dl_boot_bind() in boot.h.

The first arch implementatation is also included for amd64 where
__start calls _dl_boot_bind() and then calls ___start(). Includes
parts from kettenis@ to help get R_X86_64_64 relocations working
and proper handling for undefined weak symbols.

This is the first part of several to get static pie self-relocating
binaries working. binutils, gcc and kernel changes are forthcoming
to complete the solution, then per-arch implementations are needed
for MD_RCRT0_START in csu.

okay kettenis@ pascal@ deraadt@

remove unused variables

ok krw@ guenther@

Remove the (now unused) code to determine the page size. Also get rid of
the extern declaration of __got_{start,end}.

ok guenther@

Replace return by break; requested by guenther@

Remove code that reprotects the GOT based on the __got_start and __got_end
symbols. Either the PT_LOAD RWX->RX case ot PT_GNU_RELRO should cover this
already for anything we care about. And lld, the llvm linker, doesn't emit
the __got_start and __got_end symbols and there are good reasons to leave it
that way.

ok guenther@

A couple more unused variables.

tweak & ok kettenis@

retire sparc

Look for a PT_GNU_RELRO section and, if present, mprotect that range
instead of the [__got_start, __got_end) range.

Also, instead of mprotecting the [__plt_start, __plt_end) range,
just scan for sections which are both writable and executable and
mprotect them to read-only. (This part was stolen from kettenis@)

ok kettenis@

Teach mips64 to pass &_DYNAMIC to _dl_boot_bind().

mips64be testing by deraadt@

alpha already calculates &_DYNAMIC for the _reloc_alpha_got() call, so
save that and pass it to _dl_boot_bind() too

Teach i386 to pass &_DYNAMIC to _dl_boot_bind()

Psych: amd64 has been passing &_DYNAMIC to _dl_boot_bind() for 19 months

Flip the #ifdef logic: amd64, i386, and mips64 were the only static PIE
archs using the #else case

Missed a reference to dl_prebind.h

problem noted by Andrew Ngo (andrew.ngo (at) gmail.com)

Call mprotect() via its hidden _lib_mprotect alias to avoid accidental
overriding

ok deraadt@ kettenis@

Simplify the relocation code for the ld.so bootstrap and static pie: track
just the dynamic tags are needed instead of reusing the generic elf_object_t
structure.

testing and feedback from miod@
ok kettenis@

Make sure we set PROT_EXEC on the GOT for BSS-PLT binaries on powerpc.

ok guenther@

Do not include os-note-elf.h here, otherwise we end up with duplicate OS notes
in our binaries.

ok miod@

static pie support for sparc.

<sys/param.h> is not needed here either.
ok guenther millert doug

Make the PLT read-only on powerpc as well.

ok kurt@

Static PIE support for alpha.

This adds alpha-specific first-pass GOT relocation code to boot.h.
The assembly code is pure magic. The numeric register
names don't make it easier to understand (or compare with the
equivalent ld.so code). Unfortunately the assembler only understands
a few symbolic register names.

Renames the crt0.o entry point to __start. Our compiler was already using
__start and the linker will soon follow.

ok kurt@

Use archdep.h GOT_PERMS define for mprotect of GOT. okay kettenis@

Expand Elf_Rel relocations to include DT_JMPREL. Inspect DT_PLTREL value
to determine if DT_JMPREL relocations are REL or RELA and conditionally
perform DT_JMPREL in either REL or RELA as needed (idea from kettenis@).
Remove unneeded i386 RELA implementation. i386 static pie working now.

okay kettenis@

Fix previos. Pointed out by kurt@.

Use the page size passed by the kernel in the Auxilliary Vector to handle
architectures with variable page size.

Make sure the GOT and PLT are not writable.

Note that ommitting PROT_EXEC for the PLT is deliberate; static PIE
binaries should never actually hit the PLT.

We're still debating what to do when mprotect(2) fails. But that is no
excuse not to at least attempt to fix things up.

ok deraadt@

When skipping a relocation because the referenced symbol is undefined, make
sure we move on to the next relocation entry.

While there, also skip relocations for REL architectures.

Introduce new csu0 variant for -static -pie binaries to use called
rcsu0.o where the initial 'r' is for relocatable. rcsu0.o performs
self-relocation on static pie binaries by calling a slightly modified
copy of ld.so's _dl_boot_bind() in boot.h.

The first arch implementatation is also included for amd64 where
__start calls _dl_boot_bind() and then calls ___start(). Includes
parts from kettenis@ to help get R_X86_64_64 relocations working
and proper handling for undefined weak symbols.

This is the first part of several to get static pie self-relocating
binaries working. binutils, gcc and kernel changes are forthcoming
to complete the solution, then per-arch implementations are needed
for MD_RCRT0_START in csu.

okay kettenis@ pascal@ deraadt@