The tst-origin test must link against liborigin-mod.so. Correct
build order depends on a makefile rule dependency on
$(objpfx)liborigin-mod.so. Use +nolink-deps to remvoe this
dependency from the linker command line.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
The 7bb8045ec0 path made the '%n' fortify check ignore EMFILE errors
while trying to open /proc/self/maps, and this added a security
issue where EMFILE can be attacker-controlled thus making it
ineffective for some cases.
The EMFILE failure is reinstated but with a different error
message. Also, to improve the false positive of the hardening for
the cases where no new files can be opened, the
_dl_readonly_area now uses _dl_find_object to check if the
memory area is within a writable ELF segment. The procfs method is
still used as fallback.
Checked on x86_64-linux-gnu and i686-linux-gnu.
Reviewed-by: Arjun Shankar <arjun@redhat.com>
On both Linux and Hurd the __eloop_threshold() is always a constant
(40 and 32 respectively), so there is no need to always call
__sysconf (_SC_SYMLOOP_MAX) for Linux case (!SYMLOOP_MAX). To avoid
a name clash with gnulib, rename the new file min-eloop-threshold.h.
Checked on x86_64-linux-gnu and with a build for x86_64-gnu.
Reviewed-by: DJ Delorie <dj@redhat.com>
The tst-origin build can fail with:
/usr/bin/ld: [...]libc.so: undefined reference to `__tunable_is_initialized@GLIBC_PRIVATE'
Since the custom link invocation links against system glibc instead
of the built one.
The only requirement is to avoid liborigin.so linked with a full path,
which is the default for --enable-hardcoded-path-in-tests. There
is no need to use a custom rule.
Checked on x86_64-linux-gnu.
When an executable is invoked directly, we calculate $ORIGIN by calling
readlink on /proc/self/exe, which the Linux kernel resolves to the
target of any symlinks. However, if an executable is run through ld.so,
we cannot use /proc/self/exe and instead use the path given as an
argument. This leads to a different calculation of $ORIGIN, which is
most notable in that it causes ldd to behave differently (e.g., by not
finding a library) from directly running the program.
To make the behavior consistent, take advantage of the fact that the
kernel also resolves /proc/self/fd/ symlinks to the target of any
symlinks in the same manner, so once we have opened the main executable
in order to load it, replace the user-provided path with the result of
calling readlink("/proc/self/fd/N").
(On non-Linux platforms this resolution does not happen and so no
behavior change is needed.)
The __fd_to_filename requires _fitoa_word and _itoa_word, which for
32-bits pulls a lot of definitions from _itoa.c (due _ITOA_NEEDED
being defined). To simplify the build move the required function
to a new file, _fitoa_word.c.
Checked on x86_64-linux-gnu and i686-linux-gnu.
Co-authored-by: Geoffrey Thomas <geofft@ldpreload.com>
Reviewed-by: Geoffrey Thomas <geofft@ldpreload.com>
Tested-by: Geoffrey Thomas <geofft@ldpreload.com>
This call must not complete initialization of all shared objects
in the global scope because the ELF constructor which makes the call
likely has not finished initialization. Calling more constructors
at this point would expose those to a partially constructed
dependency.
This completes the revert of commit 9897ced8e7
("elf: Run constructors on cyclic recursive dlopen (bug 31986)").
The BZ #32763 tests fail to build for MicroBlaze (which defines
MAX_OFILE_ALIGNMENT to (32768*8) in GCC, so __attribute__ ((aligned
(65536))) is unsupported). Add a configure-time check to enable BZ #32763
tests only if __attribute__ ((aligned (65536))) is supported.
Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
Reviewed-by: Sam James <sam@gentoo.org>
As shown in
https://sourceware.org/bugzilla/show_bug.cgi?id=25237
linker may generate an empty PT_LOAD segments at offset 0:
Elf file type is EXEC (Executable file)
Entry point 0x4000e8
There are 3 program headers, starting at offset 64
Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
LOAD 0x0000000000000000 0x0000000000400000 0x0000000000400000
0x00000000000000f0 0x00000000000000f0 R E 0x1000
LOAD 0x0000000000000000 0x0000000000410000 0x0000000000410000
0x0000000000000000 0x0000000000b5dce8 RW 0x10000
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 RW 0x10
Section to Segment mapping:
Segment Sections...
00 .text
01 .bss
02
Skip the empty PT_LOAD segment at offset 0 to support such binaries.
This fixes BZ #32763.
Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
Reviewed-by: Sam James <sam@gentoo.org>
powerpc was the only architecture with arch-specific hooks for
LD_SHOW_AUXV, and with the information moved to ld diagnostics there
is no need to keep the _dl_procinfo hook.
Checked with a build for all affected ABIs.
Reviewed-by: Peter Bergner <bergner@linux.ibm.com>
When GNU Binutils is configured with --enable-error-execstack=yes, a handful
of our tests which rely on -Wl,-z,execstack fail. Pass --Wl,--no-error-execstack
to override the behaviour and get a warning instead.
Bug: https://sourceware.org/PR32717
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
If an auditor loads many TLS-using modules during startup, it is
possible to trigger DTV resizing. Previously, the DTV was marked
as allocated by the main malloc afterwards, even if the minimal
malloc was still in use. With this change, _dl_resize_dtv marks
the resized DTV as allocated with the minimal malloc.
The new test reuses TLS-using modules from other auditing tests.
Reviewed-by: DJ Delorie <dj@redhat.com>
This is required when building for powerpc64le POWER8 with GCC 8
at least.
Fixes commit cbd9fd2369 ("Consolidate
TLS block allocation for static binaries with ld.so").
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
The functions serve very similar purposes. The advantage of
__rtld_libc_freeres is that it is located within ld.so, so it is
more natural to poke at link map internals there.
This slightly regresses cleanup capabilities for statically linked
binaries. If that becomes a problem, we should start calling
__rtld_libc_freeres from __libc_freeres (perhaps after renaming it).
It's not necessary to introduce temporaries because the compiler
is able to evaluate l_soname just once in constracts like:
l_soname (l) != NULL && strcmp (l_soname (l), LIBC_SO) != 0
This reduces code size and dependencies on ld.so internals from
libc.so.
Fixes commit f4c142bb9f
("arm: Use _dl_find_object on __gnu_Unwind_Find_exidx (BZ 31405)").
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Decorate BSS mappings with [anon: glibc: .bss <file>], for example
[anon: glibc: .bss /lib/libc.so.6]. The string ".bss" is already used
by bionic so use the same, but add the filename as well. If the name
would be longer than what the kernel allows, drop the directory part
of the path.
Refactor glibc.mem.decorate_maps check to a separate function and use
it to avoid assembling a name, which would not be used later.
Signed-off-by: Petr Malat <oss@malat.biz>
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Older versions such as binutils 2.35.2 do not recognize
PT_GNU_PROPERTY.
Fixes commit d3f2b71ef1
("aarch64: Fix tests not compatible with targets supporting GCS").
- Add GCS marking to some of the tests when target supports GCS
- Fix tst-ro-dynamic-mod.map linker script to avoid removing
GNU properties
- Add header with macros for GNU properties
Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
Use the same code to compute the TLS block size and its alignment.
The code in elf/dl-tls.c is linked in anyway for all binaries
due to the reference to _dl_tls_static_surplus_init.
It is not possible to call _dl_allocate_tls_storage directly
because malloc is not available in the static case. (The
dynamic linker uses the minimal malloc at this stage.) Therefore,
split _dl_tls_block_size_with_pre and _dl_tls_block_align from
_dl_allocate_tls_storage, and call those new functions from
__libc_setup_tls.
This fixes extra TLS allocation for the static case, and apparently
some pre-existing bugs as well (the independent recomputation of
TLS block sizes in init_static_tls looks rather suspect).
Fixes commit 0e411c5d30 ("Add generic
'extra TLS'").
The old code used the slotinfo array as a scratch area to pass the
list of TLS-using objects to _dl_determine_tlsoffset. All array
entries are subsequently overwritten by _dl_add_to_slotinfo,
except the first one. The link maps are usually not at their
right position for their module ID in the slotinfo array, so
the initial use of the slotinfo array would be incorrect if not
for scratch purposes only.
In _dl_tls_initial_modid_limit_setup, the old code relied that
some link map was written to the first slotinfo entry. After the
change, this no longer happens because TLS module ID zero is unused.
It's also necessary to move the call after the real initialization
of the slotinfo array.
The __ifunc_resolver macro expands to:
extern __typeof (__redirect_name) name __attribute__ ((ifunc ("iname_ifunc")));
static __typeof (__redirect_name) *name_ifunc (void) { [...] };
And although NAME_IFUNC is and alias for NAME, clang-18 still emits
an 'unused function 'name_ifunc' [-Werror,-Wunused-function]'
warning.
Add the logic to append an 'extra TLS' block in the TLS block allocator
with a generic stub implementation. The duplicated code in
'csu/libc-tls.c' and 'elf/dl-tls.c' is to handle both statically linked
applications and the ELF dynamic loader.
Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Reviewed-by: Florian Weimer <fweimer@redhat.com>
On 32-bit Arm, -fasynchronous-unwind-tables creates a reference
to the symbol __aeabi_unwind_cpp_pr0. Compile the tests without
this flag even if it is passed as part of CC, to avoid linker
failures.
Commit 8f8dd904c4 (“elf:
rtld_multiple_ref is always true”) removed some code that happened
to enable compatibility with programs that do not link against
libc.so. Such programs cannot call dlopen or any dynamic linker
functions (except __tls_get_addr), so this is not really useful.
Still ld.so should not crash with a null-pointer dereference
or undefined symbol reference in these cases.
In the main relocation loop, call _dl_relocate_object unconditionally
because it already checks if the object has been relocated.
If libc.so was loaded, self-relocate ld.so against it and call
__rtld_mutex_init and __rtld_malloc_init_real to activate the full
implementations. Those are available only if libc.so is there,
so skip these initialization steps if libc.so is absent. Without
libc.so, the global scope can be completely empty. This can cause
ld.so self-relocation to fail because if it uses symbol-based
relocations, which is why the second ld.so self-relocation is not
performed if libc.so is missing.
The previous concern regarding GOT updates through self-relocation
no longer applies because function pointers are updated
explicitly through __rtld_mutex_init and __rtld_malloc_init_real,
and not through relocation. However, the second ld.so self-relocation
is still delayed, in case there are other symbols being used.
Fixes commit 8f8dd904c4 (“elf:
rtld_multiple_ref is always true”).
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Since have-mtls-descriptor is only used for glibc testing, rename it to
have-test-mtls-descriptor. Also enable tst-gnu2-tls2-amx only if
$(have-test-mtls-descriptor) == gnu2.
Tested with GCC 14 and Clang 19/18/17 on x86-64.
Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
Reviewed-by: Sam James <sam@gentoo.org>
Use explicit instantiation declaration and definition to silence Clang
error:
tst-unique3.cc:6:18: error: instantiation of variable 'S<char>::i' required here, but no definition is available [-Werror,-Wundefined-var-template]
6 | int t = S<char>::i;
| ^
./tst-unique3.h:5:14: note: forward declaration of template entity is here
5 | static int i;
| ^
tst-unique3.cc:6:18: note: add an explicit instantiation declaration to suppress this warning if 'S<char>::i' is explicitly instantiated in another translation unit
6 | int t = S<char>::i;
| ^
Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
Reviewed-by: Sam James <sam@gentoo.org>
This fixes commit 5e249192ca ("elf:
Remove the GET_ADDR_ARGS and related macros from the TLS code"):
GET_ADDR_ARGS was indeed unused, but GET_ADDR_OFFSET was used
on several targets, those that define TLS_DTV_OFFSET. Instead
of reintroducing GET_ADDR_OFFSET, use TLS_DTV_OFFSET directly,
now that it is defined on all targets.
In the new tls_get_addr_adjust helper function, add a cast to
uintptr_t to help the s390 case, where the offset can be positive or
negative, depending on the addresses malloc returns. The cast avoids
pointer wraparound/overflow. The outer uintptr_t cast is needed
to suppress a warning on x86-64 x32 about mismatched integer/pointer
sizes.
Eventually this offset should be folded into the DTV addresses
themselves, to eliminate the subtraction on the TLS fast path.
This will require an adjustment to libthread_db because the
debugger interface currently returns unadjusted pointers.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
This is needed for the next patch which updates copyright dates.
* assert/test-assert-2.c: Remove trailing white space.
* elf/tst-startup-errno.c: Remove trailing empty lines.
The new tunable can be used to control whether executable stacks are
allowed from either the main program or dependencies. The default is
to allow executable stacks.
The executable stacks default permission is checked agains the one
provided by the PT_GNU_STACK from program headers (if present). The
tunable also disables the stack permission change if any dependency
requires an executable stack at loading time.
Checked on x86_64-linux-gnu, i686-linux-gnu, and aarch64-linux-gnu.
Reviewed-by: Florian Weimer <fweimer@redhat.com>
If some shared library loaded with dlopen/dlmopen requires an executable
stack, either implicitly because of a missing GNU_STACK ELF header
(where the ABI default flags implies in the executable bit) or explicitly
because of the executable bit from GNU_STACK; the loader will try to set
the both the main thread and all thread stacks (from the pthread cache)
as executable.
Besides the issue where any __nptl_change_stack_perm failure does not
undo the previous executable transition (meaning that if the library
fails to load, there can be thread stacks with executable stacks), this
behavior was used on a CVE [1] as a vector for RCE.
This patch changes that if a shared library requires an executable
stack, and the current stack is not executable, dlopen fails. The
change is done only for dynamically loaded modules, if the program
or any dependency requires an executable stack, the loader will still
change the main thread before program execution and any thread created
with default stack configuration.
[1] https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt
Checked on x86_64-linux-gnu and i686-linux-gnu.
Reviewed-by: Florian Weimer <fweimer@redhat.com>
This was used to manage an IA-64 ABI divergence is no longere needed
after the IA-64 removal.
(It should be possible to encode all the required information in
one machine word, so the pointer indirection is really unnecessary.
Technically, none of this is part of the ABI, so perhaps it's
possible to do this retroactively. See bug 27404.)
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Since Clang doesn't properly handle
/* FALLTHROUGH */
in elf/tst-align2.c nor
/* fall through */
in misc/tst-tsearch.c
tst-align2.c💯9: error: unannotated fall-through between switch labels [-Werror,-Wimplicit-fallthrough]
100 | case 'A':
| ^
tst-align2.c💯9: note: insert '__attribute__((fallthrough));' to silence this warning
100 | case 'A':
| ^
| __attribute__((fallthrough));
tst-align2.c💯9: note: insert 'break;' to avoid fall-through
100 | case 'A':
| ^
| break;
suppress them when compiled with Clang.
Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
Reviewed-by: Sam James <sam@gentoo.org>
Add __attribute_optimization_barrier__ to disable inlining and cloning on a
function. For Clang, expand it to
__attribute__ ((optnone))
Otherwise, expand it to
__attribute__ ((noinline, clone))
Co-Authored-By: H.J. Lu <hjl.tools@gmail.com>
Reviewed-by: Sam James <sam@gentoo.org>
clang warns that the instantiation of the variable is required,
but no definition is available. They are implemented on
tst-unique4lib.so.
Checked on x86_64-linux-gnu.
Reviewed-by: Sam James <sam@gentoo.org>
tst-dlopen-nodelete-reloc requires STB_GNU_UNIQUE support so that NODELETE
is propagated by do_lookup_unique. Enable it only if TEST_CXX supports
STB_GNU_UNIQUE,
Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
Reviewed-by: Sam James <sam@gentoo.org>
Compiler may default to -fno-semantic-interposition. But some elf test
modules must be compiled with -fsemantic-interposition to function properly.
Add a TEST_CC check for -fsemantic-interposition and use it on elf test
modules. This fixed
FAIL: elf/tst-dlclose-lazy
FAIL: elf/tst-pie1
FAIL: elf/tst-plt-rewrite1
FAIL: elf/unload4
when Clang 19 is used to test glibc.
Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
Reviewed-by: Sam James <sam@gentoo.org>
Florian Weimer
Adhemerval Zanella
H.J. Lu
Sam James
Wilco Dijkstra
Petr Malat
Yury Khrustalev
Szabolcs Nagy
Samuel Thibault
Michael Jeanson
Paul Eggert