| blob | 55b113467a27e0fae08358a7120ee2a9bcf21d42 |
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this file,
3 * You can obtain one at http://mozilla.org/MPL/2.0/. */
5 #include <string>
6 #include <cstring>
7 #include <cstdlib>
8 #include <cstdio>
9 #include <dlfcn.h>
10 #include <unistd.h>
11 #include <errno.h>
12 #include <algorithm>
13 #include <fcntl.h>
20 #include <inttypes.h>
22 // From Utils.h
25 #if defined(ANDROID)
26 # include <sys/syscall.h>
27 # include <sys/system_properties.h>
28 # include <math.h>
30 # include <android/api-level.h>
32 /**
33 * Return the current Android version, or 0 on failure.
34 */
39 }
45 }
47 }
49 # if __ANDROID_API__ < 8
50 /* Android API < 8 doesn't provide sigaltstack */
56 }
62 #ifdef __ARM_EABI__
65 #endif
67 /* Ideally we'd #include <link.h>, but that's a world of pain
68 * Moreover, not all versions of android support it, so we need a weak
69 * reference. */
73 /* Pointer to the PT_DYNAMIC section of the executable or library
74 * containing this code. */
77 /**
78 * dlfcn.h replacements functions
79 */
82 #if defined(ANDROID)
85 }
86 #endif
91 }
94 #if defined(ANDROID)
97 }
98 #endif
102 // Return a custom error if available.
104 }
105 // Or fallback to the system error.
107 }
110 #if defined(ANDROID)
113 }
114 #endif
119 }
123 }
127 }
130 #if defined(ANDROID)
133 }
134 #endif
139 }
142 }
145 #if defined(ANDROID)
148 }
149 #endif
155 }
159 }
168 }
175 AutoCloseFD read_fd;
176 AutoCloseFD write_fd;
177 };
179 // This function is called for each shared library iterated over by
180 // dl_iterate_phdr, and is used to fill a dl_phdr_info which is then
181 // sent through to the dl_iterate_phdr callback.
184 dl_phdr_info info;
190 // Assuming l_addr points to Elf headers (in most cases, this is true),
191 // get the Phdr location from there.
192 // Unfortunately, when l_addr doesn't point to Elf headers, it may point
193 // to unmapped memory, or worse, unreadable memory. The only way to detect
194 // the latter without causing a SIGSEGV is to use the pointer in a system
195 // call that will try to read from there, and return an EFAULT error if
196 // it can't. One such system call is write(). It used to be possible to
197 // use a file descriptor on /dev/null for these kind of things, but recent
198 // Linux kernels never return an EFAULT error when using /dev/null.
199 // So instead, we use a self pipe. We do however need to read() from the
200 // read end of the pipe as well so as to not fill up the pipe buffer and
201 // block on subsequent writes.
202 // In the unlikely event reads from or write to the pipe fail for some
203 // other reason than EFAULT, we don't try any further and just skip setting
204 // the Phdr location for all subsequent libraries, rather than trying to
205 // start over with a new pipe.
212 // writes are atomic when smaller than PIPE_BUF, per POSIX.1-2008.
220 }
224 // Per POSIX.1-2008, interrupted reads can return a length smaller
225 // than the given one instead of failing with errno EINTR.
232 }
233 }
234 }
242 }
243 }
246 }
249 #if defined(ANDROID)
252 }
253 #endif
255 DlIteratePhdrHelper helper;
265 }
269 }
271 }
273 /* For versions of Android that don't support dl_iterate_phdr (< 5.0),
274 * we go through the debugger helper data, which is known to be racy, but
275 * there's not much we can do about this :( . */
283 }
285 }
287 #ifdef __ARM_EABI__
294 }
295 #endif
297 /**
298 * faulty.lib public API
299 */
304 }
307 off_t offset) {
310 offset);
311 }
316 }
320 }
324 /**
325 * Returns the part after the last '/' for the given path
326 */
331 }
333 /**
334 * Run the given lambda while holding the internal lock of the system linker.
335 * To take the lock, we call the system dl_iterate_phdr and invoke the lambda
336 * from the callback, which is called while the lock is held. Return true on
337 * success.
338 */
342 // No dl_iterate_phdr support.
344 }
346 #if defined(ANDROID)
348 // dl_iterate_phdr is _not_ protected by a lock on Android < 23.
349 // Also return false here if we failed to get the version.
351 }
352 #endif
357 // Return 1 to stop iterating.
359 },
362 }
366 /**
367 * LibHandle
368 */
373 }
379 }
386 }
390 }
392 /**
393 * SystemElf
394 */
396 /* The Android linker returns a handle when the file name matches an
397 * already loaded library, even when the full path doesn't exist */
402 }
412 }
414 }
422 }
428 sym);
430 }
435 #ifdef ANDROID
436 /* On Android, if we don't have the full path, try in /system/lib */
443 }
444 #endif
447 }
449 #ifdef __ARM_EABI__
451 /* TODO: properly implement when ElfLoader::GetHandleByPtr
452 does return SystemElf handles */
455 }
456 #endif
458 /**
459 * ElfLoader
460 */
462 /* Unique ElfLoader instance */
467 /* Ensure logging is initialized or refresh if environment changed. */
470 /* Ensure self_elf initialization. */
475 /* Handle dlopen(nullptr) directly. */
479 }
481 /* TODO: Handle relative paths correctly */
484 /* Search the list of handles we already have for a match. When the given
485 * path is not absolute, compare file names, otherwise compare full paths. */
492 }
499 }
500 }
505 /* When the path is not absolute and the library is being loaded for
506 * another, first try to load the library from the directory containing
507 * that parent library. */
515 }
519 /* Try loading with the custom linker if we have a Mappable */
522 /* Try loading with the system linker if everything above failed */
525 /* If we didn't have an absolute path and haven't been able to load
526 * a library yet, try in the system search path */
535 }
539 /* Scan the list of handles we already have for a match */
544 }
545 }
547 }
557 }
562 /* When the MOZ_LINKER_EXTRACT environment variable is set to "1",
563 * compressed libraries are going to be (temporarily) extracted as
564 * files, in the directory pointed by the MOZ_LINKER_CACHE
565 * environment variable. */
572 }
573 }
574 }
575 }
576 /* If we couldn't load above, try with a MappableFile */
580 }
585 }
590 // We could race with the system linker when modifying the debug map, so
591 // only do so while holding the system linker's internal lock.
593 }
594 }
597 /* Ensure logging is initialized or refresh if environment changed. */
610 }
611 }
616 // We could race with the system linker when modifying the debug map, so
617 // only do so while holding the system linker's internal lock.
619 }
620 }
623 Dl_info info;
624 /* On Android < 4.1 can't reenter dl* functions. So when the library
625 * containing this code is dlopen()ed, it can't call dladdr from a
626 * static initializer. */
629 }
630 #if defined(ANDROID)
631 // On Android < 5.0, resolving weak symbols via dlsym doesn't work.
632 // The weak symbols Gecko uses are in either libc or libm, so we
633 // wrap those such that this linker does symbol resolution for them.
637 }
640 }
641 }
642 #endif
643 }
646 LibHandleList list;
650 }
652 /* Release self_elf and libc */
654 #if defined(ANDROID)
657 #endif
660 /* Build up a list of all library handles with direct (external) references.
661 * We actually skip system library handles because we want to keep at least
662 * some of these open. Most notably, Mozilla codebase keeps a few libgnome
663 * libraries deliberately open because of the mess that libORBit destruction
664 * is. dlclose()ing these libraries actually leads to problems. */
672 }
673 }
674 }
675 /* Force release all external references to the handles collected above */
678 }
679 }
680 /* Remove the remaining system handles. */
695 /* Not removing, since it could have references to other libraries,
696 * destroying them as a side effect, and possibly leaving dangling
697 * pointers in the handle list we're scanning */
698 }
699 }
700 }
702 }
704 #ifdef __ARM_EABI__
710 }
711 #else
717 }
718 #endif
721 /* Call all destructors for the given DSO handle in reverse order they were
722 * registered. */
728 }
729 }
730 }
738 }
739 }
743 /* Find ELF auxiliary vectors.
744 *
745 * The kernel stores the following data on the stack when starting a
746 * program:
747 * argc
748 * argv[0] (pointer into argv strings defined below)
749 * argv[1] (likewise)
750 * ...
751 * argv[argc - 1] (likewise)
752 * nullptr
753 * envp[0] (pointer into environment strings defined below)
754 * envp[1] (likewise)
755 * ...
756 * envp[n] (likewise)
757 * nullptr
758 * ... (more NULLs on some platforms such as Android 4.3)
759 * auxv[0] (first ELF auxiliary vector)
760 * auxv[1] (second ELF auxiliary vector)
761 * ...
762 * auxv[p] (last ELF auxiliary vector)
763 * (AT_NULL, nullptr)
764 * padding
765 * argv strings, separated with '\0'
766 * environment strings, separated with '\0'
767 * nullptr
768 *
769 * What we are after are the auxv values defined by the following struct.
770 */
774 };
776 /* Pointer to the environment variables list */
779 /* The environment may have changed since the program started, in which
780 * case the environ variables list isn't the list the kernel put on stack
781 * anymore. But in this new list, variables that didn't change still point
782 * to the strings the kernel put on stack. It is quite unlikely that two
783 * modified environment variables point to two consecutive strings in memory,
784 * so we assume that if two consecutive environment variables point to two
785 * consecutive strings, we found strings the kernel put on stack. */
791 /* Next, we scan the stack backwards to find a pointer to one of those
792 * strings we found above, which will give us the location of the original
793 * envp list. As we are looking for pointers, we need to look at 32-bits or
794 * 64-bits aligned values, depening on the architecture. */
799 /* Finally, scan forward to find the last environment variable pointer and
800 * thus the first auxiliary vector. */
802 ;
804 /* Some platforms have more NULLs here, so skip them if we encounter them */
809 /* The two values of interest in the auxiliary vectors are AT_PHDR and
810 * AT_PHNUM, which gives us the the location and size of the ELF program
811 * headers. */
817 /* Assume the base address is the first byte of the same page */
819 }
821 auxv++;
822 }
827 }
829 /* In some cases, the address for the program headers we get from the
830 * auxiliary vectors is not mapped, because of the PT_LOAD segments
831 * definitions in the program executable. Trying to map anonymous memory
832 * with a hint giving the base address will return a different address
833 * if something is mapped there, and the base address otherwise. */
837 /* If program headers aren't mapped, try to map them */
842 }
845 /* If we don't manage to map at the right address, just give up. */
849 }
850 }
851 /* Sanity check: the first bytes at the base address should be an ELF
852 * header. */
856 }
858 /* Search for the program PT_DYNAMIC segment */
862 /* While the program headers are expected within the first mapped page of
863 * the program executable, the executable PT_LOADs may actually make them
864 * loaded at an address that is not the wanted base address of the
865 * library. We thus need to adjust the base address, compensating for the
866 * virtual address of the PT_LOAD segment corresponding to offset 0. */
870 }
874 }
876 /* Search for the DT_DEBUG information */
881 }
882 }
884 }
886 /**
887 * Helper class to ensure the given pointer is writable within the scope of
888 * an instance. Permissions to the memory page where the pointer lies are
889 * restored to their original value when the instance is destroyed.
890 */
912 }
920 }
921 }
928 }
929 }
933 /* The interesting part of the /proc/self/maps format looks like:
934 * startAddr-endAddr rwxp */
958 }
960 }
966 };
968 /**
969 * The system linker maintains a doubly linked list of library it loads
970 * for use by the debugger. Unfortunately, it also uses the list pointers
971 * in a lot of operations and adding our data in the list is likely to
972 * trigger crashes when the linker tries to use data we don't provide or
973 * that fall off the amount data we allocated. Fortunately, the linker only
974 * traverses the list forward and accesses the head of the list from a
975 * private pointer instead of using the value in the r_debug structure.
976 * This means we can safely add members at the beginning of the list.
977 * Unfortunately, gdb checks the coherency of l_prev values, so we have
978 * to adjust the l_prev value for the first element the system linker
979 * knows about. Fortunately, it doesn't use l_prev, and the first element
980 * is not ever going to be released before our elements, since it is the
981 * program executable, so the system linker should not be changing
982 * r_debug::r_map.
983 */
991 /* When adding a library for the first time, r_map points to data
992 * handled by the system linker, and that data may be read-only */
998 }
1011 }
1020 /* When removing the first added library, its l_next is going to be
1021 * data handled by the system linker, and that data may be read-only */
1027 }
1033 }
1039 }
1042 }
1044 #if defined(ANDROID) && defined(__NR_sigaction)
1045 /* As some system libraries may be calling signal() or sigaction() to
1046 * set a SIGSEGV handler, effectively breaking MappableSeekableZStream,
1047 * or worse, restore our SIGSEGV handler with wrong flags (which using
1048 * signal() will do), we want to hook into the system's sigaction() to
1049 * replace it with our own wrapper instead, so that our handler is never
1050 * replaced. We used to only do that with libraries this linker loads,
1051 * but it turns out at least one system library does call signal() and
1052 * breaks us (libsc-a3xx.so on the Samsung Galaxy S4).
1053 * As libc's signal (bsd_signal/sysv_signal, really) calls sigaction
1054 * under the hood, instead of calling the signal system call directly,
1055 * we only need to hook sigaction. This is true for both bionic and
1056 * glibc.
1057 */
1059 /* libc's sigaction */
1063 /* Simple reimplementation of sigaction. This is roughly equivalent
1064 * to the assembly that comes in bionic, but not quite equivalent to
1065 * glibc's implementation, so we only use this on Android. */
1069 }
1071 /* Replace the first instructions of the given function with a jump
1072 * to the given new function. */
1078 # if defined(__i386__)
1079 // A 32-bit jump is a 5 bytes instruction.
1085 # elif defined(__arm__) || defined(__aarch64__)
1087 # ifdef __arm__
1088 // .thumb
1092 // .arm
1094 // .word <new_func>
1100 // .word <new_func.lo> ; scratch register.
1101 // .word <new_func.hi>
1102 # endif
1103 };
1105 # ifdef __arm__
1107 /* Function is thumb, the actual address of the code is without the
1108 * least significant bit. */
1109 addr--;
1110 /* The arm part of the trampoline needs to be 32-bit aligned */
1113 else
1116 /* Function is arm, we only need the arm part of the trampoline */
1118 }
1121 # endif
1130 # else
1132 # endif
1133 }
1134 #else
1135 # define sys_sigaction sigaction
1139 }
1140 #endif
1144 /* Clock that only accounts for time spent in the current process. */
1151 }
1155 }
1159 /* Data structure used to pass data to the temporary signal handler,
1160 * as well as triggering a test crash. */
1164 };
1171 /* Ensure logging is initialized before the DEBUG_LOG in the test_handler.
1172 * As this constructor runs before the ElfLoader constructor (by effect
1173 * of ElfLoader inheriting from this class), this also initializes on behalf
1174 * of ElfLoader and DebuggerHelper. */
1177 /* Initialize oldStack.ss_flags to an invalid value when used to set
1178 * an alternative stack, meaning we haven't got information about the
1179 * original alternative stack and thus don't mean to restore it in
1180 * the destructor. */
1183 /* Get the current segfault signal handler. */
1187 /* Some devices don't provide useful information to their SIGSEGV handlers,
1188 * making it impossible for on-demand decompression to work. To check if
1189 * we're on such a device, setup a temporary handler and deliberately
1190 * trigger a segfault. The handler will set signalHandlingBroken if the
1191 * provided information is bogus.
1192 * Some other devices have a kernel option enabled that makes SIGSEGV handler
1193 * have an overhead so high that it affects how on-demand decompression
1194 * performs. The handler will also set signalHandlingSlow if the triggered
1195 * SIGSEGV took too much time. */
1210 /* Restore the original segfault signal handler. */
1213 }
1216 /* Ideally, we'd need some locking here, but in practice, we're not
1217 * going to race with another thread. */
1225 sigaction_func libc_sigaction;
1227 #if defined(ANDROID)
1228 /* Android > 4.4 comes with a sigaction wrapper in a LD_PRELOADed library
1229 * (libsigchain) for ART. That wrapper kind of does the same trick as we
1230 * do, so we need extra care in handling it.
1231 * - Divert the libc's sigaction, assuming the LD_PRELOADed library uses
1232 * it under the hood (which is more or less true according to the source
1233 * of that library, since it's doing a lookup in RTLD_NEXT)
1234 * - With the LD_PRELOADed library in place, all calls to sigaction from
1235 * from system libraries will go to the LD_PRELOADed library.
1236 * - The LD_PRELOADed library calls to sigaction go to our __wrap_sigaction.
1237 * - The calls to sigaction from libraries faulty.lib loads are sent to
1238 * the LD_PRELOADed library.
1239 * In practice, for signal handling, this means:
1240 * - The signal handler registered to the kernel is ours.
1241 * - Our handler redispatches to the LD_PRELOADed library's if there's a
1242 * segfault we don't handle.
1243 * - The LD_PRELOADed library redispatches according to whatever system
1244 * library or faulty.lib-loaded library set with sigaction.
1245 *
1246 * When there is no sigaction wrapper in place:
1247 * - Divert the libc's sigaction.
1248 * - Calls to sigaction from system library and faulty.lib-loaded libraries
1249 * all go to the libc's sigaction, which end up in our __wrap_sigaction.
1250 * - The signal handler registered to the kernel is ours.
1251 * - Our handler redispatches according to whatever system library or
1252 * faulty.lib-loaded library set with sigaction.
1253 */
1256 /*
1257 * Lollipop bionic only has a small trampoline in sigaction, with the real
1258 * work happening in __sigaction. Divert there instead of sigaction if it
1259 * exists. Bug 1154803
1260 */
1261 libc_sigaction =
1265 libc_sigaction =
1267 }
1269 #endif
1270 {
1272 }
1276 /* Setup an alternative stack if the already existing one is not big
1277 * enough, or if there is none. */
1285 stack_t stack;
1290 }
1291 }
1292 /* Register our own handler, and store the already registered one in
1293 * SEGVHandler's struct sigaction member */
1297 }
1300 /* Restore alternative stack for signals */
1302 /* Restore original signal handler */
1304 }
1306 /* Test handler for a deliberately triggered SIGSEGV that determines whether
1307 * useful information is provided to signal handlers, particularly whether
1308 * si_addr is filled in properly, and whether the segfault handler is called
1309 * quickly enough. */
1318 /* See bug 886736 for timings on different devices, 150 µs is reasonably above
1319 * the latency on "working" devices and seems to be short enough to not incur
1320 * a huge overhead to on-demand decompression. */
1322 }
1324 /* TODO: "properly" handle signal masks and flags */
1326 // ASSERT(signum == SIGSEGV);
1329 /* Redispatch to the registered handler */
1337 /* Reset the handler to the default one, and trigger it. */
1346 }
1347 }
1353 /* Use system sigaction() function for all but SIGSEGV signals. */
1360 }