Read PT_OPENBSD_SYSCALLS in libc.so, and convert it to a table for
pinsyscalls(2).
ok kettenis

whitespaces

Improve handling of dlopen(RTLD_TRACE) aka ldd, of a library that
is already loaded:
* add a 'trace' argument to _dl_show_objects() and exit the
walk-the-objects loop if you hit that traced object
* in dlopen(), pass the trace object to _dl_show_objects()
* also, invoke _dl_show_objects() + exit if the object was
already opened
* pass NULL to _dl_show_objects() for all the other calls
* oh hey, _dl_tracelib is now superfluous: _dl_show_objects()
should do the walk-the-objects loop only if trace is not NULL.

Problem noted by gnezdo@
ok millert@

Accumulate intermediate imutables locally before applying

OK deraadt

The next step for mimmutable(). ld.so figures out what regions of memory
of startup shared library mappings can be made immutable, and also does
this for dlope() RTLD_NODELETE and subsidiary libraries. Complexity in this
diff is due to the GNU_RELRO and OPENBSD_MUTABLE sections.
Tested in snaps for about 3 weeks, with some bootstrap related pain felt in ports
ok kettenis, much help from others.

dtors were broken by trying to reuse DF_1_NODELETE to hint that this
library would never unload, and could be immutable. Pass a seperate
flag for our purposes
Noticed from regress tests by anton, ok kettenis

Support RTLD_NOLOAD in ld.so. From guenther@. OK jca@ guenther@

Update comment: struct link_map is defined in <link_elf.h>

noted by miod

Add support for RELR relocations in the executable and share objects.
This doesn't affect ld.so's self-reloc, which still requires DT_REL/DT_RELA

ok kettenis@

add RTLD_NODELETE support

if RTLD_NODELETE isn't POSIX, it is widely deployed: at least linux,
freebsd, dragonfly, netbsd, solaris, illumos, apple, and fuchsia have
it.

ok kettenis@ on previous version
with help from and ok guenther@

diff partially inspired from a diff from brad@

On i386 don't attempt to map shared libraries in low memory when
a large executable's .text section crosses the 512MB exec line.

Executables that have MAXTSIZ > 64MB can map above the default
512MB exec line. When this happens, shared libs that attempt to map
into low memory will find their .data section can not be mapped. ld.so
will attempt to remap the share lib at higher addresses until it can be
mapped. For very large executables like chrome this process is very
time consuming. This change detects how much of the executable's
.text section exceeds 512MB and uses that as the initial hint for
shared libs to map into which avoids attempting to map into blocked
memory.

okay deraadt@

Convert the child_list member from a linked list to a vector.

ok mpi@

Use a better algorithm for calculating the grpsym library order.
The existing code did a full recursive walk for O(horrible). Instead,
keep a single list of nodes plus the index of the first node whose
children haven't been scanned; lookup until that index catches the
end, appending the unscanned children of the node at the index. This
also makes the grpsym list order match that calculated by FreeBSD and
glibc in dependency trees with inconsistent ordering of dependent libs.

To make this easier and more cache friendly, convert grpsym_list
to a vector: the size is bounded by the number of objects currently
loaded.

Other, related fixes:
* increment the grpsym generation number _after_ pushing the loading
object onto its grpsym list, to avoid double counting it
* increment the grpsym generation number when building the grpsym list
for an already loaded object that's being dlopen()ed, to avoid
incomplete grpsym lists
* use a more accurate test of whether an object already has a grpsym list

Prompted by a diff from Nathanael Rensen (nathanael (at) list.polymorpheus.com)
that pointed to _dl_cache_grpsym_list() as a performance bottleneck.

Much proding from robert@, sthen@, aja@, jca@
no problem reports after being in snaps
ok mpi@

Simplify _dl_find_symbol(). Currently, it returns three values:
- the symbol it found, returned via the second argument
- the base offset of the the object it was found in, via the return value
- optionally: the object it was found in, returned via the last argument

Instead, return a struct with the symbol and object pointers and let the
caller get the base offset from the object's obj_base member. On at least
aarch64, amd64, mips64, powerpc, and sparc64, a two word struct like this
is passed in registers.

ok mpi@, kettenis@

In 2004, we upgraded to binutils 2.14 with did -zcombreloc by default.
In 2013, I implemented the single-entry LRU cache that gets the maximal
symbol reuse from combreloc. Since then, the ld.so generic relocation
symcache has been a waste of CPU and memory with 0% hit-rate, so kill it.

ok mpi@

Prune visited leaves when walking dependencies to call init functions in
topological sort order, reducing it to O(n) from O(2^n) (ouch!)

diff from Nathanael Rensen (nathanael(at)list.polymorpheus.com)
Much testing and pleading by robert@ and ajacoutot@
ok drahn@ mpi@

ld.so boot cleanup support:
- put functions and data which are only used before calling the executable's
start function into their own page-aligned segments for unmapping
(only done on amd64, arm64, armv7, powerpc, and sparc64 so far)
- pass .init_array and .preinit_array functions an addition argument which
is a callback to get a structure which includes a function that frees
the boot text and data
- sometimes delay doing RELRO processing: for a shared-object marked
DF_1_INITFIRST do it after the object's .init_array, for the executable
do it after the .preinit_array
- improve test-ld.so to link against libpthread and trigger its initialization
late
libc changes to use this will come later

ok kettenis@

Now that all Elf_foo types are correct, we don't need to use Elf32_Word
anywhere and can use Elf_Word instead.
ok guenther

On alpha, the buckets of DT_HASH are 8 bytes instead of 4 bytes. This was
previously 'implemented' by having the Elf_Word typedef in <sys/exec_elf.h>
vary, but that doesn't match the spec and breaks libelf so it's gone away.
Implement the variation here by defining our own type locally for this.

ok deraadt@

Delete an unused struct member that has hid out here for 17 years

Implement support for DT_GNU_HASH, taking all the interesting bits
from Matt Dillon's implementation in DragonFlyBSD commit 7629c631.
One difference is that as long as DT_HASH is still present, ld.so
will use that to get the total number of symbols rather than walking
the GNU hash chains. Note that the GPLv2 binutils we have doesn't
support DT_GNU_HASH, so this only helps archs were lld is used.

ok kettenis@ mpi@

Finish ld.so's transition to GNU_RELRO: eliminate support for using
__got_{start,end} to find a region to mark read-only. It was only used
for binaries that didn't have a GNU_RELRO segment, but all archs have
been using that for over a year. Since support for insecure-PLT layouts
on powerpc and alpha have been removed, all archs handle GNU_RELRO the
same way and the support can be moved from the MD code to the MI code.

ok mpi@

Delay processing of ld.so's own PT_GNU_RELRO section until after environment
processing and malloc initialization, and then move variables set by those
steps, including malloc's mopts structure, into the .data.rel.ro segment.
This protects more data and eliminates the extra padding of the mopts.

ok kettenis@

Use int, not char*, for booleans

ok millert@

Always use the same callback to unlock as was used to lock. Permits
libpthread initialization from a shared object's init (or fini, I suppose)
routines.

ok kurt@ kettenis@ espie@

Add support for DT_RUNPATH and DT_FLAGS

ok kettenis@

Move DT_NUM from <sys/exec_elf.h> to resolv.h in ld.so where it belongs.

ok guenther@

Implement support for DT_INIT_ARRAY, DT_FINI_ARRAY and DT_PREINIT_ARRAY.
Don't skip DT_INIT and DT_FINI for the main executable. This matches what
Linux and Solaris do.

ok guenther@

Look for a PT_GNU_RELRO section per object and, if present, mprotect that
range instead of the [__got_start, __got_end) range.
On many archs this will cover _DYNAMIC too, so move up the DT_DEBUG handling
to before relocations and the mprotect are done.

ok kettenis@

Remove prebind support: binding to symbol table indices is too fragile
for our development process.

ok kettenis@ deraadt@

Use a Thread Information Block in both single and multi-threaded programs.
This stores errno, the cancelation flags, and related bits for each thread
and is allocated by ld.so or libc.a. This is an ABI break from 5.9-stable!

Make libpthread dlopen'able by moving the cancelation wrappers into libc
and doing locking and fork/errno handling via callbacks that libpthread
registers when it first initializes. 'errno' *must* be declared via
<errno.h> now!

Clean up libpthread's symbol exports like libc.

On powerpc, offset the TIB/TCB/TLS data from the register per the ELF spec.

Testing by various, particularly sthen@ and patrick@
ok kettenis@

Export environ and __progname, making the latter a copy of just the filename
portion like crt0 does. This is prep for eliminating _dl_fixup_user_env()
Mark almost everything in resolve.h as hidden, to improve code generation.

ok kettenis@ mpi@ "good time" deraadt@

Delete remnants of grpsym cache setting during symbol search: it's done at
load time only nwo. Rename _dl_searchnum and lastlookup to _dl_grpsym_gen
and grpsym_gen as they are generation numbers. Merge _dl_newsymsearch()
into _dl_cache_grpsym_list_setup().

ok millert@

Factor out the logic for mprotecting the memory between two symbols into
a new MI routine _dl_protect_segment(), and use that for protecting the
GOT and--on some archs--the PLT.

Amazing testing turnaround by miod@, who apparently violated relativity
to get back results on some archs as fast as he did

kbind has eliminated the need for and use of the bind lock. Delete it, the
the callback, and the sigprocmask stub.
Keep around the DL_SETBINDLCK case until libpthread stops using it.

discussed with miod@ at l2k15
ok kettenis@

Add missing 'extern's to avoid introducing commons into *crt0.o

ok miod@ kettenis@

delete annoying white space that annoy

prototype & void * math cleanup
ok guenther

Introduce ltrace(1). This tool works with ld.so to inject utrace record for
each plt call, allowing to trace a binary linked against shared library at the
public function call level.

To do so, ltrace(1) sets up some environment variables to enable plt tracing
in ld.so, and invokes ktrace(2) for utrace events. ld.so will force lazy
binding and will send an utrace record in the plt resolver, without updating
the plt.

Minimal filtering capabilities are provided, inspired by Solaris' truss -u,
to limit tracing to libraries and/or symbol names. Non-traced libraries and
symbols will have the regular resolver processing, with the expected plt
update.

"Get it in" deraadt

Implement symbol caching and RELACOUNT/RELCOUNT optimizations.
Much assistance and testing by miod

ok miod@

- Add ORIGIN, OSNAME, OSREL and PLATFORM substitution support for rpaths.
Improvements and okay matthew@, millert@, guenther@

- Parse colon separated paths into NULL terminated arrays of string
pointers to prepare for adding rpath ORIGIN support.
okay matthew@ millert@

Add support for getting some flags from DT_FLAGS_1: new flags
DF_1_NODELETE and DF_1_INITFIRST, as well as DF_1_NOW and DF_1_GLOBAL.

Committing for kurt@ who worked out the final version; ok guenther@ drahn@

Backout the dynamic linker speed improvement diff for now, it still
has some issues. Discussed with various, ok drahn@

Dynamic linker speed improvement diff. tested by several sinc k2k11.
get it in tree now deraadt@, ok by several ports folks. Thanks for the testing.

Search loaded libs first and add support for SONAME matching. ok drahn@

Make _dl_searchnum signed as originally intended.
Pointed out by patrick keshish.

When generating grpsym lists, avoid duplicates without searching the
already generated list. Speeds up startup on deeply nested dlopen binaries.
ok guenther@, tested by ckuethe@ and ajacoutot@

Combine the signal mask handling into _dl_thread_bind_lock(), as it's MI.

ok drahn@

Implement lazy binding on mips64. This implementation relies on having two
reserved entries in the GOT, which is a GNU extension to the 64-bit MIPS
SVR4 ABI. That's fine; all existing OpenBSD/mips64 binaries have the extra
slot.

ok miod@, jsing@, drahn@

Constantly fill in the program header pointer and count in elf_object_t
for all objects which simplifies phdr usage in a few places.
"go for it" drahn@

Improve support for shared libs linked at non-zero addreses:
- rename private values in struct elf_object to better
describe their meaning:
s/load_offs/obj_base/ "object's address '0' base"
s/load_addr/load_base/ "The base address of the loadable
segments"
- gdb needs the obj_base value so swap positions with load_base in
struct elf_object
- fix a few occurrences of where load_base was used instead of
obj_base.

With help and okay drahn@

Make _dl_md_reloc_got() report errors, and take them into account.
Fixes PR #5579.

Provide hook so that rthreads can provide a spinlock to protect from races
in lazy binding. ok art@, kurt@

add support for LD_TRACE_LOADED_OBJECTS_{FMT1/FMT2/PROGNAME}. Functionality
matches and expands on the old a.out ld.so formatting. ok drahn

Add comment warning not to rename _dl_bind, since gdb(1) knows about it.
ok (quite a while ago) drahn@

prebind - how to prelink a binary without throwing security out the window

Prelink fixes the address of libraries making 'return to libc' attacks trival,
prebind uses a different method to achieve most of the same gains, however
without adding any security conerns.

Still under development, now in-tree.

add RTLD_NOW support to dlopen and propogate -z now to dep libs.
ok drahn@

Consolidate dl_boot and dlopen dep lib loading into new function
_dl_load_dep_libs. Now both dl_boot and dlopen will randomize dep lib
loading, where previously only dl_boot did.

Split grpsym_list creation away from child_list creation and change
grpsym_list order to match Sun's docs. Also corrects bugs where
grpsym_list was either not created or partially created.

introduce object ref count macros (suggested by dale). no functional
change.

rename dload_list to grpsym_list which better represents its usage.

remove dep_next "shadow object" dead code.

separate load group references from dep lib child/dload lists. move load
group refs to own per object ref counter (grprefcount) and list
(grpref_list). corrects more complex load group ref cases and side effects
from initial implementation. design ideas and ok drahn@

keep a state flag if a library has been unloaded, and then free the list
seperately ok kurt@

remove _dl_exiting dead code

keep track of opencounts for dlopened objects, so that they
get unloaded the right number of times on exit.

Track if symbols are searched but missing while resolving GOT, if
any are missing exit instead of later causing an abort, ok kurt@

Simplify the internal symbol finding API, with some cleanup, prep for
next step. ok kurt@

Cleanly handle the case where a dynamic object is opened, but one of it's
dependant libraries is missing. return NULL for a handle instead of
causing the program to exit.

Rework symbol lookup to more closely match sun's documentation, now
treats dlopens as load groups. ok kurt@

Recommit the destructor order fix, now that the amd64 bug was fixed.
'no problem' pval@

backout -- breaks at least amd64; spotted by marc

Do a better job of running destructors in the right order.

Code reorganization, move copied code in library.c and library_mquery.c
into its own file. no functional change.

add dladdr() support and add some 'standard' dlsym() support.
ok millert miod pval, grumble deraadt

Fix an issue where a shared library could be loaded at two different
locations by resolving all dlopens back to a dev/inode.

i.e. Don't load a library if the dev/inode it stats back to matches one
already in our list.

fix started (and ok'ed) drahn@. ok deraadt@.
"doesn't break anything yet" pval@ art@ brad@

return object* the symbol is in for _dl_find_symbol*; drahn@ ok

Symbol cache for GOT lookup. When a symbol is found it is saved in a cache
for future lookups in the same GOT relocation table. Uses static buffer
for small symbol tables, mmap for larger ones. ok deraadt@

Fix PR 3371, symbol lookup in dlopen()ed objects is not correct. Correct
behavior for RTLD_GLOBAL/RTLD_LOCAL is now supported. ok espie@

various proto, ansi, and knf repair. tested on all architectures that
use it. (build may require make cleandir because of .depend balony)

Dynamic linking random order fixes. This enables random library ordering.
Tested by naddy@ and others.

pefo 3/4 licence cleanups

When loading a shared object or libraries dependant object, load them
in random order. This will reduce the possiblity of a buffer overflow
being able to predict the addresss of useful code. Can be disabled
with the LD_NORANDOM environment variable for debugging purposes.
ok deraadt.

mquery support, currently for i386 only.

Paranoia about mprotect, mprotect page aligned regions for got and plt.

knf & ansi; drahn ok

Change the constructor execution order to initialize dependant libraries
first. This mirrors the commit espie put in a.out ld.so recently.

Prepare for an upcoming ELF executable change. This will allow ld.so to
protect the GOT and PLT sections of the executable from being overwritten.
This behavior is enabled by changes in the executable/shared object layout,
and does not occur without the ld changes.

Make error messages on symbol lookup failures more useful.

Change arguments to _dl_find_symbol() myself, warnnotfound, and inplt into
a single flags field with bits representing each. Use defines to create
the appropriate masks.

Add a new argument sym_size to warn about symbols which have
the incorrect size. This replaces 'ifdef notyet' code which
was in several of the md files with a single version.
sym_size == 0 means do not check, and symbols of type FUNC are
not checked.

Fix for Elfbug, the Xtiherit problem which has been seen on most OpenBSD
ELF dynamic systems. This was due to an oddity in ELF where the address of
fuctions refer to the PLT address in the program, rather than the actual
function address.

ok i found it

back out broken stuff until it is fixed

make more _dl_*() func params like real ones in libc

move load_offs out of the link_map area.

Get rid of an unnecessary typedef (for future cleanup).

more KNF

various KNF

Clean up the zapping of bad variables. Instead of implementing
_dl_suid_ok, just use the issetugid syscall.
ok drahn@.

cleanup of MD/MI ld.so (elf), most changes by art@ cleanup by me.
tested on alpha sparc64 powerpc.

Adapt to Elf_Word change.
XXX - Dyn.u should just go away.

Replace all 'if (_dl_debug) _dl_printf(...)' with a macro.

proper typing of two variables

Cleanup for 64bit support.
Pieces by art, niklas and me.
Only tested on powerpc.

Add infrastructure to allow mapping of text sections which are normally
RO, RW while ld.so is working. And then the information to set the
sections back to RO (or appropriate mode).

PowerPC now supports the typical NON-PIC relocations in ld.so.
I do not know how well this will work with large shared libraries.
I seem to recall a possible problem with large data where data is
located in a different shared library.

branches: 1.1.1;
Initial revision

whitespaces

Improve handling of dlopen(RTLD_TRACE) aka ldd, of a library that
is already loaded:
* add a 'trace' argument to _dl_show_objects() and exit the
walk-the-objects loop if you hit that traced object
* in dlopen(), pass the trace object to _dl_show_objects()
* also, invoke _dl_show_objects() + exit if the object was
already opened
* pass NULL to _dl_show_objects() for all the other calls
* oh hey, _dl_tracelib is now superfluous: _dl_show_objects()
should do the walk-the-objects loop only if trace is not NULL.

Problem noted by gnezdo@
ok millert@

Accumulate intermediate imutables locally before applying

OK deraadt

The next step for mimmutable(). ld.so figures out what regions of memory
of startup shared library mappings can be made immutable, and also does
this for dlope() RTLD_NODELETE and subsidiary libraries. Complexity in this
diff is due to the GNU_RELRO and OPENBSD_MUTABLE sections.
Tested in snaps for about 3 weeks, with some bootstrap related pain felt in ports
ok kettenis, much help from others.

dtors were broken by trying to reuse DF_1_NODELETE to hint that this
library would never unload, and could be immutable. Pass a seperate
flag for our purposes
Noticed from regress tests by anton, ok kettenis

Support RTLD_NOLOAD in ld.so. From guenther@. OK jca@ guenther@

Update comment: struct link_map is defined in <link_elf.h>

noted by miod

Add support for RELR relocations in the executable and share objects.
This doesn't affect ld.so's self-reloc, which still requires DT_REL/DT_RELA

ok kettenis@

add RTLD_NODELETE support

if RTLD_NODELETE isn't POSIX, it is widely deployed: at least linux,
freebsd, dragonfly, netbsd, solaris, illumos, apple, and fuchsia have
it.

ok kettenis@ on previous version
with help from and ok guenther@

diff partially inspired from a diff from brad@

On i386 don't attempt to map shared libraries in low memory when
a large executable's .text section crosses the 512MB exec line.

Executables that have MAXTSIZ > 64MB can map above the default
512MB exec line. When this happens, shared libs that attempt to map
into low memory will find their .data section can not be mapped. ld.so
will attempt to remap the share lib at higher addresses until it can be
mapped. For very large executables like chrome this process is very
time consuming. This change detects how much of the executable's
.text section exceeds 512MB and uses that as the initial hint for
shared libs to map into which avoids attempting to map into blocked
memory.

okay deraadt@

Convert the child_list member from a linked list to a vector.

ok mpi@

Use a better algorithm for calculating the grpsym library order.
The existing code did a full recursive walk for O(horrible). Instead,
keep a single list of nodes plus the index of the first node whose
children haven't been scanned; lookup until that index catches the
end, appending the unscanned children of the node at the index. This
also makes the grpsym list order match that calculated by FreeBSD and
glibc in dependency trees with inconsistent ordering of dependent libs.

To make this easier and more cache friendly, convert grpsym_list
to a vector: the size is bounded by the number of objects currently
loaded.

Other, related fixes:
* increment the grpsym generation number _after_ pushing the loading
object onto its grpsym list, to avoid double counting it
* increment the grpsym generation number when building the grpsym list
for an already loaded object that's being dlopen()ed, to avoid
incomplete grpsym lists
* use a more accurate test of whether an object already has a grpsym list

Prompted by a diff from Nathanael Rensen (nathanael (at) list.polymorpheus.com)
that pointed to _dl_cache_grpsym_list() as a performance bottleneck.

Much proding from robert@, sthen@, aja@, jca@
no problem reports after being in snaps
ok mpi@

Simplify _dl_find_symbol(). Currently, it returns three values:
- the symbol it found, returned via the second argument
- the base offset of the the object it was found in, via the return value
- optionally: the object it was found in, returned via the last argument

Instead, return a struct with the symbol and object pointers and let the
caller get the base offset from the object's obj_base member. On at least
aarch64, amd64, mips64, powerpc, and sparc64, a two word struct like this
is passed in registers.

ok mpi@, kettenis@

In 2004, we upgraded to binutils 2.14 with did -zcombreloc by default.
In 2013, I implemented the single-entry LRU cache that gets the maximal
symbol reuse from combreloc. Since then, the ld.so generic relocation
symcache has been a waste of CPU and memory with 0% hit-rate, so kill it.

ok mpi@

Prune visited leaves when walking dependencies to call init functions in
topological sort order, reducing it to O(n) from O(2^n) (ouch!)

diff from Nathanael Rensen (nathanael(at)list.polymorpheus.com)
Much testing and pleading by robert@ and ajacoutot@
ok drahn@ mpi@

ld.so boot cleanup support:
- put functions and data which are only used before calling the executable's
start function into their own page-aligned segments for unmapping
(only done on amd64, arm64, armv7, powerpc, and sparc64 so far)
- pass .init_array and .preinit_array functions an addition argument which
is a callback to get a structure which includes a function that frees
the boot text and data
- sometimes delay doing RELRO processing: for a shared-object marked
DF_1_INITFIRST do it after the object's .init_array, for the executable
do it after the .preinit_array
- improve test-ld.so to link against libpthread and trigger its initialization
late
libc changes to use this will come later

ok kettenis@

Now that all Elf_foo types are correct, we don't need to use Elf32_Word
anywhere and can use Elf_Word instead.
ok guenther

On alpha, the buckets of DT_HASH are 8 bytes instead of 4 bytes. This was
previously 'implemented' by having the Elf_Word typedef in <sys/exec_elf.h>
vary, but that doesn't match the spec and breaks libelf so it's gone away.
Implement the variation here by defining our own type locally for this.

ok deraadt@

Delete an unused struct member that has hid out here for 17 years

Implement support for DT_GNU_HASH, taking all the interesting bits
from Matt Dillon's implementation in DragonFlyBSD commit 7629c631.
One difference is that as long as DT_HASH is still present, ld.so
will use that to get the total number of symbols rather than walking
the GNU hash chains. Note that the GPLv2 binutils we have doesn't
support DT_GNU_HASH, so this only helps archs were lld is used.

ok kettenis@ mpi@

Finish ld.so's transition to GNU_RELRO: eliminate support for using
__got_{start,end} to find a region to mark read-only. It was only used
for binaries that didn't have a GNU_RELRO segment, but all archs have
been using that for over a year. Since support for insecure-PLT layouts
on powerpc and alpha have been removed, all archs handle GNU_RELRO the
same way and the support can be moved from the MD code to the MI code.

ok mpi@

Delay processing of ld.so's own PT_GNU_RELRO section until after environment
processing and malloc initialization, and then move variables set by those
steps, including malloc's mopts structure, into the .data.rel.ro segment.
This protects more data and eliminates the extra padding of the mopts.

ok kettenis@

Use int, not char*, for booleans

ok millert@

Always use the same callback to unlock as was used to lock. Permits
libpthread initialization from a shared object's init (or fini, I suppose)
routines.

ok kurt@ kettenis@ espie@

Add support for DT_RUNPATH and DT_FLAGS

ok kettenis@

Move DT_NUM from <sys/exec_elf.h> to resolv.h in ld.so where it belongs.

ok guenther@

Implement support for DT_INIT_ARRAY, DT_FINI_ARRAY and DT_PREINIT_ARRAY.
Don't skip DT_INIT and DT_FINI for the main executable. This matches what
Linux and Solaris do.

ok guenther@

Look for a PT_GNU_RELRO section per object and, if present, mprotect that
range instead of the [__got_start, __got_end) range.
On many archs this will cover _DYNAMIC too, so move up the DT_DEBUG handling
to before relocations and the mprotect are done.

ok kettenis@

Remove prebind support: binding to symbol table indices is too fragile
for our development process.

ok kettenis@ deraadt@

Use a Thread Information Block in both single and multi-threaded programs.
This stores errno, the cancelation flags, and related bits for each thread
and is allocated by ld.so or libc.a. This is an ABI break from 5.9-stable!

Make libpthread dlopen'able by moving the cancelation wrappers into libc
and doing locking and fork/errno handling via callbacks that libpthread
registers when it first initializes. 'errno' *must* be declared via
<errno.h> now!

Clean up libpthread's symbol exports like libc.

On powerpc, offset the TIB/TCB/TLS data from the register per the ELF spec.

Testing by various, particularly sthen@ and patrick@
ok kettenis@

Export environ and __progname, making the latter a copy of just the filename
portion like crt0 does. This is prep for eliminating _dl_fixup_user_env()
Mark almost everything in resolve.h as hidden, to improve code generation.

ok kettenis@ mpi@ "good time" deraadt@

Delete remnants of grpsym cache setting during symbol search: it's done at
load time only nwo. Rename _dl_searchnum and lastlookup to _dl_grpsym_gen
and grpsym_gen as they are generation numbers. Merge _dl_newsymsearch()
into _dl_cache_grpsym_list_setup().

ok millert@

Factor out the logic for mprotecting the memory between two symbols into
a new MI routine _dl_protect_segment(), and use that for protecting the
GOT and--on some archs--the PLT.

Amazing testing turnaround by miod@, who apparently violated relativity
to get back results on some archs as fast as he did

kbind has eliminated the need for and use of the bind lock. Delete it, the
the callback, and the sigprocmask stub.
Keep around the DL_SETBINDLCK case until libpthread stops using it.

discussed with miod@ at l2k15
ok kettenis@

Add missing 'extern's to avoid introducing commons into *crt0.o

ok miod@ kettenis@

delete annoying white space that annoy

prototype & void * math cleanup
ok guenther

Introduce ltrace(1). This tool works with ld.so to inject utrace record for
each plt call, allowing to trace a binary linked against shared library at the
public function call level.

To do so, ltrace(1) sets up some environment variables to enable plt tracing
in ld.so, and invokes ktrace(2) for utrace events. ld.so will force lazy
binding and will send an utrace record in the plt resolver, without updating
the plt.

Minimal filtering capabilities are provided, inspired by Solaris' truss -u,
to limit tracing to libraries and/or symbol names. Non-traced libraries and
symbols will have the regular resolver processing, with the expected plt
update.

"Get it in" deraadt

Implement symbol caching and RELACOUNT/RELCOUNT optimizations.
Much assistance and testing by miod

ok miod@

- Add ORIGIN, OSNAME, OSREL and PLATFORM substitution support for rpaths.
Improvements and okay matthew@, millert@, guenther@

- Parse colon separated paths into NULL terminated arrays of string
pointers to prepare for adding rpath ORIGIN support.
okay matthew@ millert@

Add support for getting some flags from DT_FLAGS_1: new flags
DF_1_NODELETE and DF_1_INITFIRST, as well as DF_1_NOW and DF_1_GLOBAL.

Committing for kurt@ who worked out the final version; ok guenther@ drahn@

Backout the dynamic linker speed improvement diff for now, it still
has some issues. Discussed with various, ok drahn@

Dynamic linker speed improvement diff. tested by several sinc k2k11.
get it in tree now deraadt@, ok by several ports folks. Thanks for the testing.

Search loaded libs first and add support for SONAME matching. ok drahn@

Make _dl_searchnum signed as originally intended.
Pointed out by patrick keshish.

When generating grpsym lists, avoid duplicates without searching the
already generated list. Speeds up startup on deeply nested dlopen binaries.
ok guenther@, tested by ckuethe@ and ajacoutot@

Combine the signal mask handling into _dl_thread_bind_lock(), as it's MI.

ok drahn@

Implement lazy binding on mips64. This implementation relies on having two
reserved entries in the GOT, which is a GNU extension to the 64-bit MIPS
SVR4 ABI. That's fine; all existing OpenBSD/mips64 binaries have the extra
slot.

ok miod@, jsing@, drahn@

Constantly fill in the program header pointer and count in elf_object_t
for all objects which simplifies phdr usage in a few places.
"go for it" drahn@

Improve support for shared libs linked at non-zero addreses:
- rename private values in struct elf_object to better
describe their meaning:
s/load_offs/obj_base/ "object's address '0' base"
s/load_addr/load_base/ "The base address of the loadable
segments"
- gdb needs the obj_base value so swap positions with load_base in
struct elf_object
- fix a few occurrences of where load_base was used instead of
obj_base.

With help and okay drahn@

Make _dl_md_reloc_got() report errors, and take them into account.
Fixes PR #5579.

Provide hook so that rthreads can provide a spinlock to protect from races
in lazy binding. ok art@, kurt@

add support for LD_TRACE_LOADED_OBJECTS_{FMT1/FMT2/PROGNAME}. Functionality
matches and expands on the old a.out ld.so formatting. ok drahn

Add comment warning not to rename _dl_bind, since gdb(1) knows about it.
ok (quite a while ago) drahn@

prebind - how to prelink a binary without throwing security out the window

Prelink fixes the address of libraries making 'return to libc' attacks trival,
prebind uses a different method to achieve most of the same gains, however
without adding any security conerns.

Still under development, now in-tree.

add RTLD_NOW support to dlopen and propogate -z now to dep libs.
ok drahn@

Consolidate dl_boot and dlopen dep lib loading into new function
_dl_load_dep_libs. Now both dl_boot and dlopen will randomize dep lib
loading, where previously only dl_boot did.

Split grpsym_list creation away from child_list creation and change
grpsym_list order to match Sun's docs. Also corrects bugs where
grpsym_list was either not created or partially created.

introduce object ref count macros (suggested by dale). no functional
change.

rename dload_list to grpsym_list which better represents its usage.

remove dep_next "shadow object" dead code.

separate load group references from dep lib child/dload lists. move load
group refs to own per object ref counter (grprefcount) and list
(grpref_list). corrects more complex load group ref cases and side effects
from initial implementation. design ideas and ok drahn@

keep a state flag if a library has been unloaded, and then free the list
seperately ok kurt@

remove _dl_exiting dead code

keep track of opencounts for dlopened objects, so that they
get unloaded the right number of times on exit.

Track if symbols are searched but missing while resolving GOT, if
any are missing exit instead of later causing an abort, ok kurt@

Simplify the internal symbol finding API, with some cleanup, prep for
next step. ok kurt@

Cleanly handle the case where a dynamic object is opened, but one of it's
dependant libraries is missing. return NULL for a handle instead of
causing the program to exit.

Rework symbol lookup to more closely match sun's documentation, now
treats dlopens as load groups. ok kurt@

Recommit the destructor order fix, now that the amd64 bug was fixed.
'no problem' pval@

backout -- breaks at least amd64; spotted by marc

Do a better job of running destructors in the right order.

Code reorganization, move copied code in library.c and library_mquery.c
into its own file. no functional change.

add dladdr() support and add some 'standard' dlsym() support.
ok millert miod pval, grumble deraadt

Fix an issue where a shared library could be loaded at two different
locations by resolving all dlopens back to a dev/inode.

i.e. Don't load a library if the dev/inode it stats back to matches one
already in our list.

fix started (and ok'ed) drahn@. ok deraadt@.
"doesn't break anything yet" pval@ art@ brad@

return object* the symbol is in for _dl_find_symbol*; drahn@ ok

Symbol cache for GOT lookup. When a symbol is found it is saved in a cache
for future lookups in the same GOT relocation table. Uses static buffer
for small symbol tables, mmap for larger ones. ok deraadt@

Fix PR 3371, symbol lookup in dlopen()ed objects is not correct. Correct
behavior for RTLD_GLOBAL/RTLD_LOCAL is now supported. ok espie@

various proto, ansi, and knf repair. tested on all architectures that
use it. (build may require make cleandir because of .depend balony)

Dynamic linking random order fixes. This enables random library ordering.
Tested by naddy@ and others.

pefo 3/4 licence cleanups

When loading a shared object or libraries dependant object, load them
in random order. This will reduce the possiblity of a buffer overflow
being able to predict the addresss of useful code. Can be disabled
with the LD_NORANDOM environment variable for debugging purposes.
ok deraadt.

mquery support, currently for i386 only.

Paranoia about mprotect, mprotect page aligned regions for got and plt.

knf & ansi; drahn ok

Change the constructor execution order to initialize dependant libraries
first. This mirrors the commit espie put in a.out ld.so recently.

Prepare for an upcoming ELF executable change. This will allow ld.so to
protect the GOT and PLT sections of the executable from being overwritten.
This behavior is enabled by changes in the executable/shared object layout,
and does not occur without the ld changes.

Make error messages on symbol lookup failures more useful.

Change arguments to _dl_find_symbol() myself, warnnotfound, and inplt into
a single flags field with bits representing each. Use defines to create
the appropriate masks.

Add a new argument sym_size to warn about symbols which have
the incorrect size. This replaces 'ifdef notyet' code which
was in several of the md files with a single version.
sym_size == 0 means do not check, and symbols of type FUNC are
not checked.

Fix for Elfbug, the Xtiherit problem which has been seen on most OpenBSD
ELF dynamic systems. This was due to an oddity in ELF where the address of
fuctions refer to the PLT address in the program, rather than the actual
function address.

ok i found it

back out broken stuff until it is fixed

make more _dl_*() func params like real ones in libc

move load_offs out of the link_map area.

Get rid of an unnecessary typedef (for future cleanup).

more KNF

various KNF

Clean up the zapping of bad variables. Instead of implementing
_dl_suid_ok, just use the issetugid syscall.
ok drahn@.

cleanup of MD/MI ld.so (elf), most changes by art@ cleanup by me.
tested on alpha sparc64 powerpc.

Adapt to Elf_Word change.
XXX - Dyn.u should just go away.

Replace all 'if (_dl_debug) _dl_printf(...)' with a macro.

proper typing of two variables

Cleanup for 64bit support.
Pieces by art, niklas and me.
Only tested on powerpc.

Add infrastructure to allow mapping of text sections which are normally
RO, RW while ld.so is working. And then the information to set the
sections back to RO (or appropriate mode).

PowerPC now supports the typical NON-PIC relocations in ld.so.
I do not know how well this will work with large shared libraries.
I seem to recall a possible problem with large data where data is
located in a different shared library.

branches: 1.1.1;
Initial revision

Improve handling of dlopen(RTLD_TRACE) aka ldd, of a library that
is already loaded:
* add a 'trace' argument to _dl_show_objects() and exit the
walk-the-objects loop if you hit that traced object
* in dlopen(), pass the trace object to _dl_show_objects()
* also, invoke _dl_show_objects() + exit if the object was
already opened
* pass NULL to _dl_show_objects() for all the other calls
* oh hey, _dl_tracelib is now superfluous: _dl_show_objects()
should do the walk-the-objects loop only if trace is not NULL.

Problem noted by gnezdo@
ok millert@

Accumulate intermediate imutables locally before applying

OK deraadt

The next step for mimmutable(). ld.so figures out what regions of memory
of startup shared library mappings can be made immutable, and also does
this for dlope() RTLD_NODELETE and subsidiary libraries. Complexity in this
diff is due to the GNU_RELRO and OPENBSD_MUTABLE sections.
Tested in snaps for about 3 weeks, with some bootstrap related pain felt in ports
ok kettenis, much help from others.

dtors were broken by trying to reuse DF_1_NODELETE to hint that this
library would never unload, and could be immutable. Pass a seperate
flag for our purposes
Noticed from regress tests by anton, ok kettenis

Support RTLD_NOLOAD in ld.so. From guenther@. OK jca@ guenther@

Update comment: struct link_map is defined in <link_elf.h>

noted by miod

Add support for RELR relocations in the executable and share objects.
This doesn't affect ld.so's self-reloc, which still requires DT_REL/DT_RELA

ok kettenis@

add RTLD_NODELETE support

if RTLD_NODELETE isn't POSIX, it is widely deployed: at least linux,
freebsd, dragonfly, netbsd, solaris, illumos, apple, and fuchsia have
it.

ok kettenis@ on previous version
with help from and ok guenther@

diff partially inspired from a diff from brad@

On i386 don't attempt to map shared libraries in low memory when
a large executable's .text section crosses the 512MB exec line.

Executables that have MAXTSIZ > 64MB can map above the default
512MB exec line. When this happens, shared libs that attempt to map
into low memory will find their .data section can not be mapped. ld.so
will attempt to remap the share lib at higher addresses until it can be
mapped. For very large executables like chrome this process is very
time consuming. This change detects how much of the executable's
.text section exceeds 512MB and uses that as the initial hint for
shared libs to map into which avoids attempting to map into blocked
memory.

okay deraadt@

Convert the child_list member from a linked list to a vector.

ok mpi@

Use a better algorithm for calculating the grpsym library order.
The existing code did a full recursive walk for O(horrible). Instead,
keep a single list of nodes plus the index of the first node whose
children haven't been scanned; lookup until that index catches the
end, appending the unscanned children of the node at the index. This
also makes the grpsym list order match that calculated by FreeBSD and
glibc in dependency trees with inconsistent ordering of dependent libs.

To make this easier and more cache friendly, convert grpsym_list
to a vector: the size is bounded by the number of objects currently
loaded.

Other, related fixes:
* increment the grpsym generation number _after_ pushing the loading
object onto its grpsym list, to avoid double counting it
* increment the grpsym generation number when building the grpsym list
for an already loaded object that's being dlopen()ed, to avoid
incomplete grpsym lists
* use a more accurate test of whether an object already has a grpsym list

Prompted by a diff from Nathanael Rensen (nathanael (at) list.polymorpheus.com)
that pointed to _dl_cache_grpsym_list() as a performance bottleneck.

Much proding from robert@, sthen@, aja@, jca@
no problem reports after being in snaps
ok mpi@

Simplify _dl_find_symbol(). Currently, it returns three values:
- the symbol it found, returned via the second argument
- the base offset of the the object it was found in, via the return value
- optionally: the object it was found in, returned via the last argument

Instead, return a struct with the symbol and object pointers and let the
caller get the base offset from the object's obj_base member. On at least
aarch64, amd64, mips64, powerpc, and sparc64, a two word struct like this
is passed in registers.

ok mpi@, kettenis@

In 2004, we upgraded to binutils 2.14 with did -zcombreloc by default.
In 2013, I implemented the single-entry LRU cache that gets the maximal
symbol reuse from combreloc. Since then, the ld.so generic relocation
symcache has been a waste of CPU and memory with 0% hit-rate, so kill it.

ok mpi@

Prune visited leaves when walking dependencies to call init functions in
topological sort order, reducing it to O(n) from O(2^n) (ouch!)

diff from Nathanael Rensen (nathanael(at)list.polymorpheus.com)
Much testing and pleading by robert@ and ajacoutot@
ok drahn@ mpi@

ld.so boot cleanup support:
- put functions and data which are only used before calling the executable's
start function into their own page-aligned segments for unmapping
(only done on amd64, arm64, armv7, powerpc, and sparc64 so far)
- pass .init_array and .preinit_array functions an addition argument which
is a callback to get a structure which includes a function that frees
the boot text and data
- sometimes delay doing RELRO processing: for a shared-object marked
DF_1_INITFIRST do it after the object's .init_array, for the executable
do it after the .preinit_array
- improve test-ld.so to link against libpthread and trigger its initialization
late
libc changes to use this will come later

ok kettenis@

Now that all Elf_foo types are correct, we don't need to use Elf32_Word
anywhere and can use Elf_Word instead.
ok guenther

On alpha, the buckets of DT_HASH are 8 bytes instead of 4 bytes. This was
previously 'implemented' by having the Elf_Word typedef in <sys/exec_elf.h>
vary, but that doesn't match the spec and breaks libelf so it's gone away.
Implement the variation here by defining our own type locally for this.

ok deraadt@

Delete an unused struct member that has hid out here for 17 years

Implement support for DT_GNU_HASH, taking all the interesting bits
from Matt Dillon's implementation in DragonFlyBSD commit 7629c631.
One difference is that as long as DT_HASH is still present, ld.so
will use that to get the total number of symbols rather than walking
the GNU hash chains. Note that the GPLv2 binutils we have doesn't
support DT_GNU_HASH, so this only helps archs were lld is used.

ok kettenis@ mpi@

Finish ld.so's transition to GNU_RELRO: eliminate support for using
__got_{start,end} to find a region to mark read-only. It was only used
for binaries that didn't have a GNU_RELRO segment, but all archs have
been using that for over a year. Since support for insecure-PLT layouts
on powerpc and alpha have been removed, all archs handle GNU_RELRO the
same way and the support can be moved from the MD code to the MI code.

ok mpi@

Delay processing of ld.so's own PT_GNU_RELRO section until after environment
processing and malloc initialization, and then move variables set by those
steps, including malloc's mopts structure, into the .data.rel.ro segment.
This protects more data and eliminates the extra padding of the mopts.

ok kettenis@

Use int, not char*, for booleans

ok millert@

Always use the same callback to unlock as was used to lock. Permits
libpthread initialization from a shared object's init (or fini, I suppose)
routines.

ok kurt@ kettenis@ espie@

Add support for DT_RUNPATH and DT_FLAGS

ok kettenis@

Move DT_NUM from <sys/exec_elf.h> to resolv.h in ld.so where it belongs.

ok guenther@

Implement support for DT_INIT_ARRAY, DT_FINI_ARRAY and DT_PREINIT_ARRAY.
Don't skip DT_INIT and DT_FINI for the main executable. This matches what
Linux and Solaris do.

ok guenther@

Look for a PT_GNU_RELRO section per object and, if present, mprotect that
range instead of the [__got_start, __got_end) range.
On many archs this will cover _DYNAMIC too, so move up the DT_DEBUG handling
to before relocations and the mprotect are done.

ok kettenis@

Remove prebind support: binding to symbol table indices is too fragile
for our development process.

ok kettenis@ deraadt@

Use a Thread Information Block in both single and multi-threaded programs.
This stores errno, the cancelation flags, and related bits for each thread
and is allocated by ld.so or libc.a. This is an ABI break from 5.9-stable!

Make libpthread dlopen'able by moving the cancelation wrappers into libc
and doing locking and fork/errno handling via callbacks that libpthread
registers when it first initializes. 'errno' *must* be declared via
<errno.h> now!

Clean up libpthread's symbol exports like libc.

On powerpc, offset the TIB/TCB/TLS data from the register per the ELF spec.

Testing by various, particularly sthen@ and patrick@
ok kettenis@

Export environ and __progname, making the latter a copy of just the filename
portion like crt0 does. This is prep for eliminating _dl_fixup_user_env()
Mark almost everything in resolve.h as hidden, to improve code generation.

ok kettenis@ mpi@ "good time" deraadt@

Delete remnants of grpsym cache setting during symbol search: it's done at
load time only nwo. Rename _dl_searchnum and lastlookup to _dl_grpsym_gen
and grpsym_gen as they are generation numbers. Merge _dl_newsymsearch()
into _dl_cache_grpsym_list_setup().

ok millert@

Factor out the logic for mprotecting the memory between two symbols into
a new MI routine _dl_protect_segment(), and use that for protecting the
GOT and--on some archs--the PLT.

Amazing testing turnaround by miod@, who apparently violated relativity
to get back results on some archs as fast as he did

kbind has eliminated the need for and use of the bind lock. Delete it, the
the callback, and the sigprocmask stub.
Keep around the DL_SETBINDLCK case until libpthread stops using it.

discussed with miod@ at l2k15
ok kettenis@

Add missing 'extern's to avoid introducing commons into *crt0.o

ok miod@ kettenis@

delete annoying white space that annoy

prototype & void * math cleanup
ok guenther

Introduce ltrace(1). This tool works with ld.so to inject utrace record for
each plt call, allowing to trace a binary linked against shared library at the
public function call level.

To do so, ltrace(1) sets up some environment variables to enable plt tracing
in ld.so, and invokes ktrace(2) for utrace events. ld.so will force lazy
binding and will send an utrace record in the plt resolver, without updating
the plt.

Minimal filtering capabilities are provided, inspired by Solaris' truss -u,
to limit tracing to libraries and/or symbol names. Non-traced libraries and
symbols will have the regular resolver processing, with the expected plt
update.

"Get it in" deraadt

Implement symbol caching and RELACOUNT/RELCOUNT optimizations.
Much assistance and testing by miod

ok miod@

- Add ORIGIN, OSNAME, OSREL and PLATFORM substitution support for rpaths.
Improvements and okay matthew@, millert@, guenther@

- Parse colon separated paths into NULL terminated arrays of string
pointers to prepare for adding rpath ORIGIN support.
okay matthew@ millert@

Add support for getting some flags from DT_FLAGS_1: new flags
DF_1_NODELETE and DF_1_INITFIRST, as well as DF_1_NOW and DF_1_GLOBAL.

Committing for kurt@ who worked out the final version; ok guenther@ drahn@

Backout the dynamic linker speed improvement diff for now, it still
has some issues. Discussed with various, ok drahn@

Dynamic linker speed improvement diff. tested by several sinc k2k11.
get it in tree now deraadt@, ok by several ports folks. Thanks for the testing.

Search loaded libs first and add support for SONAME matching. ok drahn@

Make _dl_searchnum signed as originally intended.
Pointed out by patrick keshish.

When generating grpsym lists, avoid duplicates without searching the
already generated list. Speeds up startup on deeply nested dlopen binaries.
ok guenther@, tested by ckuethe@ and ajacoutot@

Combine the signal mask handling into _dl_thread_bind_lock(), as it's MI.

ok drahn@

Implement lazy binding on mips64. This implementation relies on having two
reserved entries in the GOT, which is a GNU extension to the 64-bit MIPS
SVR4 ABI. That's fine; all existing OpenBSD/mips64 binaries have the extra
slot.

ok miod@, jsing@, drahn@

Constantly fill in the program header pointer and count in elf_object_t
for all objects which simplifies phdr usage in a few places.
"go for it" drahn@

Improve support for shared libs linked at non-zero addreses:
- rename private values in struct elf_object to better
describe their meaning:
s/load_offs/obj_base/ "object's address '0' base"
s/load_addr/load_base/ "The base address of the loadable
segments"
- gdb needs the obj_base value so swap positions with load_base in
struct elf_object
- fix a few occurrences of where load_base was used instead of
obj_base.

With help and okay drahn@

Make _dl_md_reloc_got() report errors, and take them into account.
Fixes PR #5579.

Provide hook so that rthreads can provide a spinlock to protect from races
in lazy binding. ok art@, kurt@

add support for LD_TRACE_LOADED_OBJECTS_{FMT1/FMT2/PROGNAME}. Functionality
matches and expands on the old a.out ld.so formatting. ok drahn

Add comment warning not to rename _dl_bind, since gdb(1) knows about it.
ok (quite a while ago) drahn@

prebind - how to prelink a binary without throwing security out the window

Prelink fixes the address of libraries making 'return to libc' attacks trival,
prebind uses a different method to achieve most of the same gains, however
without adding any security conerns.

Still under development, now in-tree.

add RTLD_NOW support to dlopen and propogate -z now to dep libs.
ok drahn@

Consolidate dl_boot and dlopen dep lib loading into new function
_dl_load_dep_libs. Now both dl_boot and dlopen will randomize dep lib
loading, where previously only dl_boot did.

Split grpsym_list creation away from child_list creation and change
grpsym_list order to match Sun's docs. Also corrects bugs where
grpsym_list was either not created or partially created.

introduce object ref count macros (suggested by dale). no functional
change.

rename dload_list to grpsym_list which better represents its usage.

remove dep_next "shadow object" dead code.

separate load group references from dep lib child/dload lists. move load
group refs to own per object ref counter (grprefcount) and list
(grpref_list). corrects more complex load group ref cases and side effects
from initial implementation. design ideas and ok drahn@

keep a state flag if a library has been unloaded, and then free the list
seperately ok kurt@

remove _dl_exiting dead code

keep track of opencounts for dlopened objects, so that they
get unloaded the right number of times on exit.

Track if symbols are searched but missing while resolving GOT, if
any are missing exit instead of later causing an abort, ok kurt@

Simplify the internal symbol finding API, with some cleanup, prep for
next step. ok kurt@

Cleanly handle the case where a dynamic object is opened, but one of it's
dependant libraries is missing. return NULL for a handle instead of
causing the program to exit.

Rework symbol lookup to more closely match sun's documentation, now
treats dlopens as load groups. ok kurt@

Recommit the destructor order fix, now that the amd64 bug was fixed.
'no problem' pval@

backout -- breaks at least amd64; spotted by marc

Do a better job of running destructors in the right order.

Code reorganization, move copied code in library.c and library_mquery.c
into its own file. no functional change.

add dladdr() support and add some 'standard' dlsym() support.
ok millert miod pval, grumble deraadt

Fix an issue where a shared library could be loaded at two different
locations by resolving all dlopens back to a dev/inode.

i.e. Don't load a library if the dev/inode it stats back to matches one
already in our list.

fix started (and ok'ed) drahn@. ok deraadt@.
"doesn't break anything yet" pval@ art@ brad@

return object* the symbol is in for _dl_find_symbol*; drahn@ ok

Symbol cache for GOT lookup. When a symbol is found it is saved in a cache
for future lookups in the same GOT relocation table. Uses static buffer
for small symbol tables, mmap for larger ones. ok deraadt@

Fix PR 3371, symbol lookup in dlopen()ed objects is not correct. Correct
behavior for RTLD_GLOBAL/RTLD_LOCAL is now supported. ok espie@

various proto, ansi, and knf repair. tested on all architectures that
use it. (build may require make cleandir because of .depend balony)

Dynamic linking random order fixes. This enables random library ordering.
Tested by naddy@ and others.

pefo 3/4 licence cleanups

When loading a shared object or libraries dependant object, load them
in random order. This will reduce the possiblity of a buffer overflow
being able to predict the addresss of useful code. Can be disabled
with the LD_NORANDOM environment variable for debugging purposes.
ok deraadt.

mquery support, currently for i386 only.

Paranoia about mprotect, mprotect page aligned regions for got and plt.

knf & ansi; drahn ok

Change the constructor execution order to initialize dependant libraries
first. This mirrors the commit espie put in a.out ld.so recently.

Prepare for an upcoming ELF executable change. This will allow ld.so to
protect the GOT and PLT sections of the executable from being overwritten.
This behavior is enabled by changes in the executable/shared object layout,
and does not occur without the ld changes.

Make error messages on symbol lookup failures more useful.

Change arguments to _dl_find_symbol() myself, warnnotfound, and inplt into
a single flags field with bits representing each. Use defines to create
the appropriate masks.

Add a new argument sym_size to warn about symbols which have
the incorrect size. This replaces 'ifdef notyet' code which
was in several of the md files with a single version.
sym_size == 0 means do not check, and symbols of type FUNC are
not checked.

Fix for Elfbug, the Xtiherit problem which has been seen on most OpenBSD
ELF dynamic systems. This was due to an oddity in ELF where the address of
fuctions refer to the PLT address in the program, rather than the actual
function address.

ok i found it

back out broken stuff until it is fixed

make more _dl_*() func params like real ones in libc

move load_offs out of the link_map area.

Get rid of an unnecessary typedef (for future cleanup).

more KNF

various KNF

Clean up the zapping of bad variables. Instead of implementing
_dl_suid_ok, just use the issetugid syscall.
ok drahn@.

cleanup of MD/MI ld.so (elf), most changes by art@ cleanup by me.
tested on alpha sparc64 powerpc.

Adapt to Elf_Word change.
XXX - Dyn.u should just go away.

Replace all 'if (_dl_debug) _dl_printf(...)' with a macro.

proper typing of two variables

Cleanup for 64bit support.
Pieces by art, niklas and me.
Only tested on powerpc.

Add infrastructure to allow mapping of text sections which are normally
RO, RW while ld.so is working. And then the information to set the
sections back to RO (or appropriate mode).

PowerPC now supports the typical NON-PIC relocations in ld.so.
I do not know how well this will work with large shared libraries.
I seem to recall a possible problem with large data where data is
located in a different shared library.

branches: 1.1.1;
Initial revision

Accumulate intermediate imutables locally before applying

OK deraadt

The next step for mimmutable(). ld.so figures out what regions of memory
of startup shared library mappings can be made immutable, and also does
this for dlope() RTLD_NODELETE and subsidiary libraries. Complexity in this
diff is due to the GNU_RELRO and OPENBSD_MUTABLE sections.
Tested in snaps for about 3 weeks, with some bootstrap related pain felt in ports
ok kettenis, much help from others.

dtors were broken by trying to reuse DF_1_NODELETE to hint that this
library would never unload, and could be immutable. Pass a seperate
flag for our purposes
Noticed from regress tests by anton, ok kettenis

Support RTLD_NOLOAD in ld.so. From guenther@. OK jca@ guenther@

Update comment: struct link_map is defined in <link_elf.h>

noted by miod

Add support for RELR relocations in the executable and share objects.
This doesn't affect ld.so's self-reloc, which still requires DT_REL/DT_RELA

ok kettenis@

add RTLD_NODELETE support

if RTLD_NODELETE isn't POSIX, it is widely deployed: at least linux,
freebsd, dragonfly, netbsd, solaris, illumos, apple, and fuchsia have
it.

ok kettenis@ on previous version
with help from and ok guenther@

diff partially inspired from a diff from brad@

On i386 don't attempt to map shared libraries in low memory when
a large executable's .text section crosses the 512MB exec line.

Executables that have MAXTSIZ > 64MB can map above the default
512MB exec line. When this happens, shared libs that attempt to map
into low memory will find their .data section can not be mapped. ld.so
will attempt to remap the share lib at higher addresses until it can be
mapped. For very large executables like chrome this process is very
time consuming. This change detects how much of the executable's
.text section exceeds 512MB and uses that as the initial hint for
shared libs to map into which avoids attempting to map into blocked
memory.

okay deraadt@

Convert the child_list member from a linked list to a vector.

ok mpi@

Use a better algorithm for calculating the grpsym library order.
The existing code did a full recursive walk for O(horrible). Instead,
keep a single list of nodes plus the index of the first node whose
children haven't been scanned; lookup until that index catches the
end, appending the unscanned children of the node at the index. This
also makes the grpsym list order match that calculated by FreeBSD and
glibc in dependency trees with inconsistent ordering of dependent libs.

To make this easier and more cache friendly, convert grpsym_list
to a vector: the size is bounded by the number of objects currently
loaded.

Other, related fixes:
* increment the grpsym generation number _after_ pushing the loading
object onto its grpsym list, to avoid double counting it
* increment the grpsym generation number when building the grpsym list
for an already loaded object that's being dlopen()ed, to avoid
incomplete grpsym lists
* use a more accurate test of whether an object already has a grpsym list

Prompted by a diff from Nathanael Rensen (nathanael (at) list.polymorpheus.com)
that pointed to _dl_cache_grpsym_list() as a performance bottleneck.

Much proding from robert@, sthen@, aja@, jca@
no problem reports after being in snaps
ok mpi@

Simplify _dl_find_symbol(). Currently, it returns three values:
- the symbol it found, returned via the second argument
- the base offset of the the object it was found in, via the return value
- optionally: the object it was found in, returned via the last argument

Instead, return a struct with the symbol and object pointers and let the
caller get the base offset from the object's obj_base member. On at least
aarch64, amd64, mips64, powerpc, and sparc64, a two word struct like this
is passed in registers.

ok mpi@, kettenis@

In 2004, we upgraded to binutils 2.14 with did -zcombreloc by default.
In 2013, I implemented the single-entry LRU cache that gets the maximal
symbol reuse from combreloc. Since then, the ld.so generic relocation
symcache has been a waste of CPU and memory with 0% hit-rate, so kill it.

ok mpi@

Prune visited leaves when walking dependencies to call init functions in
topological sort order, reducing it to O(n) from O(2^n) (ouch!)

diff from Nathanael Rensen (nathanael(at)list.polymorpheus.com)
Much testing and pleading by robert@ and ajacoutot@
ok drahn@ mpi@

ld.so boot cleanup support:
- put functions and data which are only used before calling the executable's
start function into their own page-aligned segments for unmapping
(only done on amd64, arm64, armv7, powerpc, and sparc64 so far)
- pass .init_array and .preinit_array functions an addition argument which
is a callback to get a structure which includes a function that frees
the boot text and data
- sometimes delay doing RELRO processing: for a shared-object marked
DF_1_INITFIRST do it after the object's .init_array, for the executable
do it after the .preinit_array
- improve test-ld.so to link against libpthread and trigger its initialization
late
libc changes to use this will come later

ok kettenis@

Now that all Elf_foo types are correct, we don't need to use Elf32_Word
anywhere and can use Elf_Word instead.
ok guenther

On alpha, the buckets of DT_HASH are 8 bytes instead of 4 bytes. This was
previously 'implemented' by having the Elf_Word typedef in <sys/exec_elf.h>
vary, but that doesn't match the spec and breaks libelf so it's gone away.
Implement the variation here by defining our own type locally for this.

ok deraadt@

Delete an unused struct member that has hid out here for 17 years

Implement support for DT_GNU_HASH, taking all the interesting bits
from Matt Dillon's implementation in DragonFlyBSD commit 7629c631.
One difference is that as long as DT_HASH is still present, ld.so
will use that to get the total number of symbols rather than walking
the GNU hash chains. Note that the GPLv2 binutils we have doesn't
support DT_GNU_HASH, so this only helps archs were lld is used.

ok kettenis@ mpi@

Finish ld.so's transition to GNU_RELRO: eliminate support for using
__got_{start,end} to find a region to mark read-only. It was only used
for binaries that didn't have a GNU_RELRO segment, but all archs have
been using that for over a year. Since support for insecure-PLT layouts
on powerpc and alpha have been removed, all archs handle GNU_RELRO the
same way and the support can be moved from the MD code to the MI code.

ok mpi@

Delay processing of ld.so's own PT_GNU_RELRO section until after environment
processing and malloc initialization, and then move variables set by those
steps, including malloc's mopts structure, into the .data.rel.ro segment.
This protects more data and eliminates the extra padding of the mopts.

ok kettenis@

Use int, not char*, for booleans

ok millert@

Always use the same callback to unlock as was used to lock. Permits
libpthread initialization from a shared object's init (or fini, I suppose)
routines.

ok kurt@ kettenis@ espie@

Add support for DT_RUNPATH and DT_FLAGS

ok kettenis@

Move DT_NUM from <sys/exec_elf.h> to resolv.h in ld.so where it belongs.

ok guenther@

Implement support for DT_INIT_ARRAY, DT_FINI_ARRAY and DT_PREINIT_ARRAY.
Don't skip DT_INIT and DT_FINI for the main executable. This matches what
Linux and Solaris do.

ok guenther@

Look for a PT_GNU_RELRO section per object and, if present, mprotect that
range instead of the [__got_start, __got_end) range.
On many archs this will cover _DYNAMIC too, so move up the DT_DEBUG handling
to before relocations and the mprotect are done.

ok kettenis@

Remove prebind support: binding to symbol table indices is too fragile
for our development process.

ok kettenis@ deraadt@

Use a Thread Information Block in both single and multi-threaded programs.
This stores errno, the cancelation flags, and related bits for each thread
and is allocated by ld.so or libc.a. This is an ABI break from 5.9-stable!

Make libpthread dlopen'able by moving the cancelation wrappers into libc
and doing locking and fork/errno handling via callbacks that libpthread
registers when it first initializes. 'errno' *must* be declared via
<errno.h> now!

Clean up libpthread's symbol exports like libc.

On powerpc, offset the TIB/TCB/TLS data from the register per the ELF spec.

Testing by various, particularly sthen@ and patrick@
ok kettenis@

Export environ and __progname, making the latter a copy of just the filename
portion like crt0 does. This is prep for eliminating _dl_fixup_user_env()
Mark almost everything in resolve.h as hidden, to improve code generation.

ok kettenis@ mpi@ "good time" deraadt@

Delete remnants of grpsym cache setting during symbol search: it's done at
load time only nwo. Rename _dl_searchnum and lastlookup to _dl_grpsym_gen
and grpsym_gen as they are generation numbers. Merge _dl_newsymsearch()
into _dl_cache_grpsym_list_setup().

ok millert@

Factor out the logic for mprotecting the memory between two symbols into
a new MI routine _dl_protect_segment(), and use that for protecting the
GOT and--on some archs--the PLT.

Amazing testing turnaround by miod@, who apparently violated relativity
to get back results on some archs as fast as he did

kbind has eliminated the need for and use of the bind lock. Delete it, the
the callback, and the sigprocmask stub.
Keep around the DL_SETBINDLCK case until libpthread stops using it.

discussed with miod@ at l2k15
ok kettenis@

Add missing 'extern's to avoid introducing commons into *crt0.o

ok miod@ kettenis@

delete annoying white space that annoy

prototype & void * math cleanup
ok guenther

Introduce ltrace(1). This tool works with ld.so to inject utrace record for
each plt call, allowing to trace a binary linked against shared library at the
public function call level.

To do so, ltrace(1) sets up some environment variables to enable plt tracing
in ld.so, and invokes ktrace(2) for utrace events. ld.so will force lazy
binding and will send an utrace record in the plt resolver, without updating
the plt.

Minimal filtering capabilities are provided, inspired by Solaris' truss -u,
to limit tracing to libraries and/or symbol names. Non-traced libraries and
symbols will have the regular resolver processing, with the expected plt
update.

"Get it in" deraadt

Implement symbol caching and RELACOUNT/RELCOUNT optimizations.
Much assistance and testing by miod

ok miod@

- Add ORIGIN, OSNAME, OSREL and PLATFORM substitution support for rpaths.
Improvements and okay matthew@, millert@, guenther@

- Parse colon separated paths into NULL terminated arrays of string
pointers to prepare for adding rpath ORIGIN support.
okay matthew@ millert@

Add support for getting some flags from DT_FLAGS_1: new flags
DF_1_NODELETE and DF_1_INITFIRST, as well as DF_1_NOW and DF_1_GLOBAL.

Committing for kurt@ who worked out the final version; ok guenther@ drahn@

Backout the dynamic linker speed improvement diff for now, it still
has some issues. Discussed with various, ok drahn@

Dynamic linker speed improvement diff. tested by several sinc k2k11.
get it in tree now deraadt@, ok by several ports folks. Thanks for the testing.

Search loaded libs first and add support for SONAME matching. ok drahn@

Make _dl_searchnum signed as originally intended.
Pointed out by patrick keshish.

When generating grpsym lists, avoid duplicates without searching the
already generated list. Speeds up startup on deeply nested dlopen binaries.
ok guenther@, tested by ckuethe@ and ajacoutot@

Combine the signal mask handling into _dl_thread_bind_lock(), as it's MI.

ok drahn@

Implement lazy binding on mips64. This implementation relies on having two
reserved entries in the GOT, which is a GNU extension to the 64-bit MIPS
SVR4 ABI. That's fine; all existing OpenBSD/mips64 binaries have the extra
slot.

ok miod@, jsing@, drahn@

Constantly fill in the program header pointer and count in elf_object_t
for all objects which simplifies phdr usage in a few places.
"go for it" drahn@

Improve support for shared libs linked at non-zero addreses:
- rename private values in struct elf_object to better
describe their meaning:
s/load_offs/obj_base/ "object's address '0' base"
s/load_addr/load_base/ "The base address of the loadable
segments"
- gdb needs the obj_base value so swap positions with load_base in
struct elf_object
- fix a few occurrences of where load_base was used instead of
obj_base.

With help and okay drahn@

Make _dl_md_reloc_got() report errors, and take them into account.
Fixes PR #5579.

Provide hook so that rthreads can provide a spinlock to protect from races
in lazy binding. ok art@, kurt@

add support for LD_TRACE_LOADED_OBJECTS_{FMT1/FMT2/PROGNAME}. Functionality
matches and expands on the old a.out ld.so formatting. ok drahn

Add comment warning not to rename _dl_bind, since gdb(1) knows about it.
ok (quite a while ago) drahn@

prebind - how to prelink a binary without throwing security out the window

Prelink fixes the address of libraries making 'return to libc' attacks trival,
prebind uses a different method to achieve most of the same gains, however
without adding any security conerns.

Still under development, now in-tree.

add RTLD_NOW support to dlopen and propogate -z now to dep libs.
ok drahn@

Consolidate dl_boot and dlopen dep lib loading into new function
_dl_load_dep_libs. Now both dl_boot and dlopen will randomize dep lib
loading, where previously only dl_boot did.

Split grpsym_list creation away from child_list creation and change
grpsym_list order to match Sun's docs. Also corrects bugs where
grpsym_list was either not created or partially created.

introduce object ref count macros (suggested by dale). no functional
change.

rename dload_list to grpsym_list which better represents its usage.

remove dep_next "shadow object" dead code.

separate load group references from dep lib child/dload lists. move load
group refs to own per object ref counter (grprefcount) and list
(grpref_list). corrects more complex load group ref cases and side effects
from initial implementation. design ideas and ok drahn@

keep a state flag if a library has been unloaded, and then free the list
seperately ok kurt@

remove _dl_exiting dead code

keep track of opencounts for dlopened objects, so that they
get unloaded the right number of times on exit.

Track if symbols are searched but missing while resolving GOT, if
any are missing exit instead of later causing an abort, ok kurt@

Simplify the internal symbol finding API, with some cleanup, prep for
next step. ok kurt@

Cleanly handle the case where a dynamic object is opened, but one of it's
dependant libraries is missing. return NULL for a handle instead of
causing the program to exit.

Rework symbol lookup to more closely match sun's documentation, now
treats dlopens as load groups. ok kurt@

Recommit the destructor order fix, now that the amd64 bug was fixed.
'no problem' pval@

backout -- breaks at least amd64; spotted by marc

Do a better job of running destructors in the right order.

Code reorganization, move copied code in library.c and library_mquery.c
into its own file. no functional change.

add dladdr() support and add some 'standard' dlsym() support.
ok millert miod pval, grumble deraadt

Fix an issue where a shared library could be loaded at two different
locations by resolving all dlopens back to a dev/inode.

i.e. Don't load a library if the dev/inode it stats back to matches one
already in our list.

fix started (and ok'ed) drahn@. ok deraadt@.
"doesn't break anything yet" pval@ art@ brad@

return object* the symbol is in for _dl_find_symbol*; drahn@ ok

Symbol cache for GOT lookup. When a symbol is found it is saved in a cache
for future lookups in the same GOT relocation table. Uses static buffer
for small symbol tables, mmap for larger ones. ok deraadt@

Fix PR 3371, symbol lookup in dlopen()ed objects is not correct. Correct
behavior for RTLD_GLOBAL/RTLD_LOCAL is now supported. ok espie@

various proto, ansi, and knf repair. tested on all architectures that
use it. (build may require make cleandir because of .depend balony)

Dynamic linking random order fixes. This enables random library ordering.
Tested by naddy@ and others.

pefo 3/4 licence cleanups

When loading a shared object or libraries dependant object, load them
in random order. This will reduce the possiblity of a buffer overflow
being able to predict the addresss of useful code. Can be disabled
with the LD_NORANDOM environment variable for debugging purposes.
ok deraadt.

mquery support, currently for i386 only.

Paranoia about mprotect, mprotect page aligned regions for got and plt.

knf & ansi; drahn ok

Change the constructor execution order to initialize dependant libraries
first. This mirrors the commit espie put in a.out ld.so recently.

Prepare for an upcoming ELF executable change. This will allow ld.so to
protect the GOT and PLT sections of the executable from being overwritten.
This behavior is enabled by changes in the executable/shared object layout,
and does not occur without the ld changes.

Make error messages on symbol lookup failures more useful.

Change arguments to _dl_find_symbol() myself, warnnotfound, and inplt into
a single flags field with bits representing each. Use defines to create
the appropriate masks.

Add a new argument sym_size to warn about symbols which have
the incorrect size. This replaces 'ifdef notyet' code which
was in several of the md files with a single version.
sym_size == 0 means do not check, and symbols of type FUNC are
not checked.

Fix for Elfbug, the Xtiherit problem which has been seen on most OpenBSD
ELF dynamic systems. This was due to an oddity in ELF where the address of
fuctions refer to the PLT address in the program, rather than the actual
function address.

ok i found it

back out broken stuff until it is fixed

make more _dl_*() func params like real ones in libc

move load_offs out of the link_map area.

Get rid of an unnecessary typedef (for future cleanup).

more KNF

various KNF