1 /* Map in a shared object's segments from the file.
2    Copyright (C) 1995-2022 Free Software Foundation, Inc.
3    Copyright The GNU Toolchain Authors.
4    This file is part of the GNU C Library.
5 
6    The GNU C Library is free software; you can redistribute it and/or
7    modify it under the terms of the GNU Lesser General Public
8    License as published by the Free Software Foundation; either
9    version 2.1 of the License, or (at your option) any later version.
10 
11    The GNU C Library is distributed in the hope that it will be useful,
12    but WITHOUT ANY WARRANTY; without even the implied warranty of
13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14    Lesser General Public License for more details.
15 
16    You should have received a copy of the GNU Lesser General Public
17    License along with the GNU C Library; if not, see
18    <https://www.gnu.org/licenses/>.  */
19 
20 #include <elf.h>
21 #include <errno.h>
22 #include <fcntl.h>
23 #include <libintl.h>
24 #include <stdbool.h>
25 #include <stdlib.h>
26 #include <string.h>
27 #include <unistd.h>
28 #include <ldsodefs.h>
29 #include <bits/wordsize.h>
30 #include <sys/mman.h>
31 #include <sys/param.h>
32 #include <sys/stat.h>
33 #include <sys/types.h>
34 #include <gnu/lib-names.h>
35 
36 /* Type for the buffer we put the ELF header and hopefully the program
37    header.  This buffer does not really have to be too large.  In most
38    cases the program header follows the ELF header directly.  If this
39    is not the case all bets are off and we can make the header
40    arbitrarily large and still won't get it read.  This means the only
41    question is how large are the ELF and program header combined.  The
42    ELF header 32-bit files is 52 bytes long and in 64-bit files is 64
43    bytes long.  Each program header entry is again 32 and 56 bytes
44    long respectively.  I.e., even with a file which has 10 program
45    header entries we only have to read 372B/624B respectively.  Add to
46    this a bit of margin for program notes and reading 512B and 832B
47    for 32-bit and 64-bit files respecitvely is enough.  If this
48    heuristic should really fail for some file the code in
49    `_dl_map_object_from_fd' knows how to recover.  */
50 struct filebuf
51 {
52   ssize_t len;
53 #if __WORDSIZE == 32
54 # define FILEBUF_SIZE 512
55 #else
56 # define FILEBUF_SIZE 832
57 #endif
58   char buf[FILEBUF_SIZE] __attribute__ ((aligned (__alignof (ElfW(Ehdr)))));
59 };
60 
61 #include "dynamic-link.h"
62 #include "get-dynamic-info.h"
63 #include <abi-tag.h>
64 #include <stackinfo.h>
65 #include <sysdep.h>
66 #include <stap-probe.h>
67 #include <libc-pointer-arith.h>
68 #include <array_length.h>
69 
70 #include <dl-dst.h>
71 #include <dl-load.h>
72 #include <dl-map-segments.h>
73 #include <dl-unmap-segments.h>
74 #include <dl-machine-reject-phdr.h>
75 #include <dl-sysdep-open.h>
76 #include <dl-prop.h>
77 #include <not-cancel.h>
78 
79 #include <endian.h>
80 #if BYTE_ORDER == BIG_ENDIAN
81 # define byteorder ELFDATA2MSB
82 #elif BYTE_ORDER == LITTLE_ENDIAN
83 # define byteorder ELFDATA2LSB
84 #else
85 # error "Unknown BYTE_ORDER " BYTE_ORDER
86 # define byteorder ELFDATANONE
87 #endif
88 
89 #define STRING(x) __STRING (x)
90 
91 
92 int __stack_prot attribute_hidden attribute_relro
93 #if _STACK_GROWS_DOWN && defined PROT_GROWSDOWN
94   = PROT_GROWSDOWN;
95 #elif _STACK_GROWS_UP && defined PROT_GROWSUP
96   = PROT_GROWSUP;
97 #else
98   = 0;
99 #endif
100 
101 
102 /* This is the decomposed LD_LIBRARY_PATH search path.  */
103 struct r_search_path_struct __rtld_env_path_list attribute_relro;
104 
105 /* List of the hardware capabilities we might end up using.  */
106 #ifdef SHARED
107 static const struct r_strlenpair *capstr attribute_relro;
108 static size_t ncapstr attribute_relro;
109 static size_t max_capstrlen attribute_relro;
110 #else
111 enum { ncapstr = 1, max_capstrlen = 0 };
112 #endif
113 
114 
115 /* Get the generated information about the trusted directories.  Use
116    an array of concatenated strings to avoid relocations.  See
117    gen-trusted-dirs.awk.  */
118 #include "trusted-dirs.h"
119 
120 static const char system_dirs[] = SYSTEM_DIRS;
121 static const size_t system_dirs_len[] =
122 {
123   SYSTEM_DIRS_LEN
124 };
125 #define nsystem_dirs_len array_length (system_dirs_len)
126 
127 static bool
is_trusted_path_normalize(const char * path,size_t len)128 is_trusted_path_normalize (const char *path, size_t len)
129 {
130   if (len == 0)
131     return false;
132 
133   char *npath = (char *) alloca (len + 2);
134   char *wnp = npath;
135   while (*path != '\0')
136     {
137       if (path[0] == '/')
138 	{
139 	  if (path[1] == '.')
140 	    {
141 	      if (path[2] == '.' && (path[3] == '/' || path[3] == '\0'))
142 		{
143 		  while (wnp > npath && *--wnp != '/')
144 		    ;
145 		  path += 3;
146 		  continue;
147 		}
148 	      else if (path[2] == '/' || path[2] == '\0')
149 		{
150 		  path += 2;
151 		  continue;
152 		}
153 	    }
154 
155 	  if (wnp > npath && wnp[-1] == '/')
156 	    {
157 	      ++path;
158 	      continue;
159 	    }
160 	}
161 
162       *wnp++ = *path++;
163     }
164 
165   if (wnp == npath || wnp[-1] != '/')
166     *wnp++ = '/';
167 
168   const char *trun = system_dirs;
169 
170   for (size_t idx = 0; idx < nsystem_dirs_len; ++idx)
171     {
172       if (wnp - npath >= system_dirs_len[idx]
173 	  && memcmp (trun, npath, system_dirs_len[idx]) == 0)
174 	/* Found it.  */
175 	return true;
176 
177       trun += system_dirs_len[idx] + 1;
178     }
179 
180   return false;
181 }
182 
183 /* Given a substring starting at INPUT, just after the DST '$' start
184    token, determine if INPUT contains DST token REF, following the
185    ELF gABI rules for DSTs:
186 
187    * Longest possible sequence using the rules (greedy).
188 
189    * Must start with a $ (enforced by caller).
190 
191    * Must follow $ with one underscore or ASCII [A-Za-z] (caller
192      follows these rules for REF) or '{' (start curly quoted name).
193 
194    * Must follow first two characters with zero or more [A-Za-z0-9_]
195      (enforced by caller) or '}' (end curly quoted name).
196 
197    If the sequence is a DST matching REF then the length of the DST
198    (excluding the $ sign but including curly braces, if any) is
199    returned, otherwise 0.  */
200 static size_t
is_dst(const char * input,const char * ref)201 is_dst (const char *input, const char *ref)
202 {
203   bool is_curly = false;
204 
205   /* Is a ${...} input sequence?  */
206   if (input[0] == '{')
207     {
208       is_curly = true;
209       ++input;
210     }
211 
212   /* Check for matching name, following closing curly brace (if
213      required), or trailing characters which are part of an
214      identifier.  */
215   size_t rlen = strlen (ref);
216   if (strncmp (input, ref, rlen) != 0
217       || (is_curly && input[rlen] != '}')
218       || ((input[rlen] >= 'A' && input[rlen] <= 'Z')
219 	  || (input[rlen] >= 'a' && input[rlen] <= 'z')
220 	  || (input[rlen] >= '0' && input[rlen] <= '9')
221 	  || (input[rlen] == '_')))
222     return 0;
223 
224   if (is_curly)
225     /* Count the two curly braces.  */
226     return rlen + 2;
227   else
228     return rlen;
229 }
230 
231 /* INPUT should be the start of a path e.g DT_RPATH or name e.g.
232    DT_NEEDED.  The return value is the number of known DSTs found.  We
233    count all known DSTs regardless of __libc_enable_secure; the caller
234    is responsible for enforcing the security of the substitution rules
235    (usually _dl_dst_substitute).  */
236 size_t
_dl_dst_count(const char * input)237 _dl_dst_count (const char *input)
238 {
239   size_t cnt = 0;
240 
241   input = strchr (input, '$');
242 
243   /* Most likely there is no DST.  */
244   if (__glibc_likely (input == NULL))
245     return 0;
246 
247   do
248     {
249       size_t len;
250 
251       ++input;
252       /* All DSTs must follow ELF gABI rules, see is_dst ().  */
253       if ((len = is_dst (input, "ORIGIN")) != 0
254 	  || (len = is_dst (input, "PLATFORM")) != 0
255 	  || (len = is_dst (input, "LIB")) != 0)
256 	++cnt;
257 
258       /* There may be more than one DST in the input.  */
259       input = strchr (input + len, '$');
260     }
261   while (input != NULL);
262 
263   return cnt;
264 }
265 
266 /* Process INPUT for DSTs and store in RESULT using the information
267    from link map L to resolve the DSTs. This function only handles one
268    path at a time and does not handle colon-separated path lists (see
269    fillin_rpath ()).  Lastly the size of result in bytes should be at
270    least equal to the value returned by DL_DST_REQUIRED.  Note that it
271    is possible for a DT_NEEDED, DT_AUXILIARY, and DT_FILTER entries to
272    have colons, but we treat those as literal colons here, not as path
273    list delimeters.  */
274 char *
_dl_dst_substitute(struct link_map * l,const char * input,char * result)275 _dl_dst_substitute (struct link_map *l, const char *input, char *result)
276 {
277   /* Copy character-by-character from input into the working pointer
278      looking for any DSTs.  We track the start of input and if we are
279      going to check for trusted paths, all of which are part of $ORIGIN
280      handling in SUID/SGID cases (see below).  In some cases, like when
281      a DST cannot be replaced, we may set result to an empty string and
282      return.  */
283   char *wp = result;
284   const char *start = input;
285   bool check_for_trusted = false;
286 
287   do
288     {
289       if (__glibc_unlikely (*input == '$'))
290 	{
291 	  const char *repl = NULL;
292 	  size_t len;
293 
294 	  ++input;
295 	  if ((len = is_dst (input, "ORIGIN")) != 0)
296 	    {
297 	      /* For SUID/GUID programs we normally ignore the path with
298 		 $ORIGIN in DT_RUNPATH, or DT_RPATH.  However, there is
299 		 one exception to this rule, and it is:
300 
301 		   * $ORIGIN appears as the first path element, and is
302 		     the only string in the path or is immediately
303 		     followed by a path separator and the rest of the
304 		     path,
305 
306 		   and ...
307 
308 		   * The path is rooted in a trusted directory.
309 
310 		 This exception allows such programs to reference
311 		 shared libraries in subdirectories of trusted
312 		 directories.  The use case is one of general
313 		 organization and deployment flexibility.
314 		 Trusted directories are usually such paths as "/lib64"
315 		 or "/usr/lib64", and the usual RPATHs take the form of
316 		 [$ORIGIN/../$LIB/somedir].  */
317 	      if (__glibc_unlikely (__libc_enable_secure)
318 		  && !(input == start + 1
319 		       && (input[len] == '\0' || input[len] == '/')))
320 		repl = (const char *) -1;
321 	      else
322 	        repl = l->l_origin;
323 
324 	      check_for_trusted = (__libc_enable_secure
325 				   && l->l_type == lt_executable);
326 	    }
327 	  else if ((len = is_dst (input, "PLATFORM")) != 0)
328 	    repl = GLRO(dl_platform);
329 	  else if ((len = is_dst (input, "LIB")) != 0)
330 	    repl = DL_DST_LIB;
331 
332 	  if (repl != NULL && repl != (const char *) -1)
333 	    {
334 	      wp = __stpcpy (wp, repl);
335 	      input += len;
336 	    }
337 	  else if (len != 0)
338 	    {
339 	      /* We found a valid DST that we know about, but we could
340 	         not find a replacement value for it, therefore we
341 		 cannot use this path and discard it.  */
342 	      *result = '\0';
343 	      return result;
344 	    }
345 	  else
346 	    /* No DST we recognize.  */
347 	    *wp++ = '$';
348 	}
349       else
350 	{
351 	  *wp++ = *input++;
352 	}
353     }
354   while (*input != '\0');
355 
356   /* In SUID/SGID programs, after $ORIGIN expansion the normalized
357      path must be rooted in one of the trusted directories.  The $LIB
358      and $PLATFORM DST cannot in any way be manipulated by the caller
359      because they are fixed values that are set by the dynamic loader
360      and therefore any paths using just $LIB or $PLATFORM need not be
361      checked for trust, the authors of the binaries themselves are
362      trusted to have designed this correctly.  Only $ORIGIN is tested in
363      this way because it may be manipulated in some ways with hard
364      links.  */
365   if (__glibc_unlikely (check_for_trusted)
366       && !is_trusted_path_normalize (result, wp - result))
367     {
368       *result = '\0';
369       return result;
370     }
371 
372   *wp = '\0';
373 
374   return result;
375 }
376 
377 
378 /* Return a malloc allocated copy of INPUT with all recognized DSTs
379    replaced. On some platforms it might not be possible to determine the
380    path from which the object belonging to the map is loaded.  In this
381    case the path containing the DST is left out.  On error NULL
382    is returned.  */
383 static char *
expand_dynamic_string_token(struct link_map * l,const char * input)384 expand_dynamic_string_token (struct link_map *l, const char *input)
385 {
386   /* We make two runs over the string.  First we determine how large the
387      resulting string is and then we copy it over.  Since this is no
388      frequently executed operation we are looking here not for performance
389      but rather for code size.  */
390   size_t cnt;
391   size_t total;
392   char *result;
393 
394   /* Determine the number of DSTs.  */
395   cnt = _dl_dst_count (input);
396 
397   /* If we do not have to replace anything simply copy the string.  */
398   if (__glibc_likely (cnt == 0))
399     return __strdup (input);
400 
401   /* Determine the length of the substituted string.  */
402   total = DL_DST_REQUIRED (l, input, strlen (input), cnt);
403 
404   /* Allocate the necessary memory.  */
405   result = (char *) malloc (total + 1);
406   if (result == NULL)
407     return NULL;
408 
409   return _dl_dst_substitute (l, input, result);
410 }
411 
412 
413 /* Add `name' to the list of names for a particular shared object.
414    `name' is expected to have been allocated with malloc and will
415    be freed if the shared object already has this name.
416    Returns false if the object already had this name.  */
417 static void
add_name_to_object(struct link_map * l,const char * name)418 add_name_to_object (struct link_map *l, const char *name)
419 {
420   struct libname_list *lnp, *lastp;
421   struct libname_list *newname;
422   size_t name_len;
423 
424   lastp = NULL;
425   for (lnp = l->l_libname; lnp != NULL; lastp = lnp, lnp = lnp->next)
426     if (strcmp (name, lnp->name) == 0)
427       return;
428 
429   name_len = strlen (name) + 1;
430   newname = (struct libname_list *) malloc (sizeof *newname + name_len);
431   if (newname == NULL)
432     {
433       /* No more memory.  */
434       _dl_signal_error (ENOMEM, name, NULL, N_("cannot allocate name record"));
435       return;
436     }
437   /* The object should have a libname set from _dl_new_object.  */
438   assert (lastp != NULL);
439 
440   newname->name = memcpy (newname + 1, name, name_len);
441   newname->next = NULL;
442   newname->dont_free = 0;
443   /* CONCURRENCY NOTES:
444 
445      Make sure the initialization of newname happens before its address is
446      read from the lastp->next store below.
447 
448      GL(dl_load_lock) is held here (and by other writers, e.g. dlclose), so
449      readers of libname_list->next (e.g. _dl_check_caller or the reads above)
450      can use that for synchronization, however the read in _dl_name_match_p
451      may be executed without holding the lock during _dl_runtime_resolve
452      (i.e. lazy symbol resolution when a function of library l is called).
453 
454      The release MO store below synchronizes with the acquire MO load in
455      _dl_name_match_p.  Other writes need to synchronize with that load too,
456      however those happen either early when the process is single threaded
457      (dl_main) or when the library is unloaded (dlclose) and the user has to
458      synchronize library calls with unloading.  */
459   atomic_store_release (&lastp->next, newname);
460 }
461 
462 /* Standard search directories.  */
463 struct r_search_path_struct __rtld_search_dirs attribute_relro;
464 
465 static size_t max_dirnamelen;
466 
467 static struct r_search_path_elem **
fillin_rpath(char * rpath,struct r_search_path_elem ** result,const char * sep,const char * what,const char * where,struct link_map * l)468 fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
469 	      const char *what, const char *where, struct link_map *l)
470 {
471   char *cp;
472   size_t nelems = 0;
473 
474   while ((cp = __strsep (&rpath, sep)) != NULL)
475     {
476       struct r_search_path_elem *dirp;
477       char *to_free = NULL;
478       size_t len = 0;
479 
480       /* `strsep' can pass an empty string.  */
481       if (*cp != '\0')
482 	{
483 	  to_free = cp = expand_dynamic_string_token (l, cp);
484 
485 	  /* expand_dynamic_string_token can return NULL in case of empty
486 	     path or memory allocation failure.  */
487 	  if (cp == NULL)
488 	    continue;
489 
490 	  /* Compute the length after dynamic string token expansion and
491 	     ignore empty paths.  */
492 	  len = strlen (cp);
493 	  if (len == 0)
494 	    {
495 	      free (to_free);
496 	      continue;
497 	    }
498 
499 	  /* Remove trailing slashes (except for "/").  */
500 	  while (len > 1 && cp[len - 1] == '/')
501 	    --len;
502 
503 	  /* Now add one if there is none so far.  */
504 	  if (len > 0 && cp[len - 1] != '/')
505 	    cp[len++] = '/';
506 	}
507 
508       /* See if this directory is already known.  */
509       for (dirp = GL(dl_all_dirs); dirp != NULL; dirp = dirp->next)
510 	if (dirp->dirnamelen == len && memcmp (cp, dirp->dirname, len) == 0)
511 	  break;
512 
513       if (dirp != NULL)
514 	{
515 	  /* It is available, see whether it's on our own list.  */
516 	  size_t cnt;
517 	  for (cnt = 0; cnt < nelems; ++cnt)
518 	    if (result[cnt] == dirp)
519 	      break;
520 
521 	  if (cnt == nelems)
522 	    result[nelems++] = dirp;
523 	}
524       else
525 	{
526 	  size_t cnt;
527 	  enum r_dir_status init_val;
528 	  size_t where_len = where ? strlen (where) + 1 : 0;
529 
530 	  /* It's a new directory.  Create an entry and add it.  */
531 	  dirp = (struct r_search_path_elem *)
532 	    malloc (sizeof (*dirp) + ncapstr * sizeof (enum r_dir_status)
533 		    + where_len + len + 1);
534 	  if (dirp == NULL)
535 	    _dl_signal_error (ENOMEM, NULL, NULL,
536 			      N_("cannot create cache for search path"));
537 
538 	  dirp->dirname = ((char *) dirp + sizeof (*dirp)
539 			   + ncapstr * sizeof (enum r_dir_status));
540 	  *((char *) __mempcpy ((char *) dirp->dirname, cp, len)) = '\0';
541 	  dirp->dirnamelen = len;
542 
543 	  if (len > max_dirnamelen)
544 	    max_dirnamelen = len;
545 
546 	  /* We have to make sure all the relative directories are
547 	     never ignored.  The current directory might change and
548 	     all our saved information would be void.  */
549 	  init_val = cp[0] != '/' ? existing : unknown;
550 	  for (cnt = 0; cnt < ncapstr; ++cnt)
551 	    dirp->status[cnt] = init_val;
552 
553 	  dirp->what = what;
554 	  if (__glibc_likely (where != NULL))
555 	    dirp->where = memcpy ((char *) dirp + sizeof (*dirp) + len + 1
556 				  + (ncapstr * sizeof (enum r_dir_status)),
557 				  where, where_len);
558 	  else
559 	    dirp->where = NULL;
560 
561 	  dirp->next = GL(dl_all_dirs);
562 	  GL(dl_all_dirs) = dirp;
563 
564 	  /* Put it in the result array.  */
565 	  result[nelems++] = dirp;
566 	}
567       free (to_free);
568     }
569 
570   /* Terminate the array.  */
571   result[nelems] = NULL;
572 
573   return result;
574 }
575 
576 
577 static bool
decompose_rpath(struct r_search_path_struct * sps,const char * rpath,struct link_map * l,const char * what)578 decompose_rpath (struct r_search_path_struct *sps,
579 		 const char *rpath, struct link_map *l, const char *what)
580 {
581   /* Make a copy we can work with.  */
582   const char *where = l->l_name;
583   char *cp;
584   struct r_search_path_elem **result;
585   size_t nelems;
586   /* Initialize to please the compiler.  */
587   const char *errstring = NULL;
588 
589   /* First see whether we must forget the RUNPATH and RPATH from this
590      object.  */
591   if (__glibc_unlikely (GLRO(dl_inhibit_rpath) != NULL)
592       && !__libc_enable_secure)
593     {
594       const char *inhp = GLRO(dl_inhibit_rpath);
595 
596       do
597 	{
598 	  const char *wp = where;
599 
600 	  while (*inhp == *wp && *wp != '\0')
601 	    {
602 	      ++inhp;
603 	      ++wp;
604 	    }
605 
606 	  if (*wp == '\0' && (*inhp == '\0' || *inhp == ':'))
607 	    {
608 	      /* This object is on the list of objects for which the
609 		 RUNPATH and RPATH must not be used.  */
610 	      sps->dirs = (void *) -1;
611 	      return false;
612 	    }
613 
614 	  while (*inhp != '\0')
615 	    if (*inhp++ == ':')
616 	      break;
617 	}
618       while (*inhp != '\0');
619     }
620 
621   /* Ignore empty rpaths.  */
622   if (*rpath == '\0')
623     {
624       sps->dirs = (struct r_search_path_elem **) -1;
625       return false;
626     }
627 
628   /* Make a writable copy.  */
629   char *copy = __strdup (rpath);
630   if (copy == NULL)
631     {
632       errstring = N_("cannot create RUNPATH/RPATH copy");
633       goto signal_error;
634     }
635 
636   /* Count the number of necessary elements in the result array.  */
637   nelems = 0;
638   for (cp = copy; *cp != '\0'; ++cp)
639     if (*cp == ':')
640       ++nelems;
641 
642   /* Allocate room for the result.  NELEMS + 1 is an upper limit for the
643      number of necessary entries.  */
644   result = (struct r_search_path_elem **) malloc ((nelems + 1 + 1)
645 						  * sizeof (*result));
646   if (result == NULL)
647     {
648       free (copy);
649       errstring = N_("cannot create cache for search path");
650     signal_error:
651       _dl_signal_error (ENOMEM, NULL, NULL, errstring);
652     }
653 
654   fillin_rpath (copy, result, ":", what, where, l);
655 
656   /* Free the copied RPATH string.  `fillin_rpath' make own copies if
657      necessary.  */
658   free (copy);
659 
660   /* There is no path after expansion.  */
661   if (result[0] == NULL)
662     {
663       free (result);
664       sps->dirs = (struct r_search_path_elem **) -1;
665       return false;
666     }
667 
668   sps->dirs = result;
669   /* The caller will change this value if we haven't used a real malloc.  */
670   sps->malloced = 1;
671   return true;
672 }
673 
674 /* Make sure cached path information is stored in *SP
675    and return true if there are any paths to search there.  */
676 static bool
cache_rpath(struct link_map * l,struct r_search_path_struct * sp,int tag,const char * what)677 cache_rpath (struct link_map *l,
678 	     struct r_search_path_struct *sp,
679 	     int tag,
680 	     const char *what)
681 {
682   if (sp->dirs == (void *) -1)
683     return false;
684 
685   if (sp->dirs != NULL)
686     return true;
687 
688   if (l->l_info[tag] == NULL)
689     {
690       /* There is no path.  */
691       sp->dirs = (void *) -1;
692       return false;
693     }
694 
695   /* Make sure the cache information is available.  */
696   return decompose_rpath (sp, (const char *) (D_PTR (l, l_info[DT_STRTAB])
697 					      + l->l_info[tag]->d_un.d_val),
698 			  l, what);
699 }
700 
701 
702 void
_dl_init_paths(const char * llp,const char * source,const char * glibc_hwcaps_prepend,const char * glibc_hwcaps_mask)703 _dl_init_paths (const char *llp, const char *source,
704 		const char *glibc_hwcaps_prepend,
705 		const char *glibc_hwcaps_mask)
706 {
707   size_t idx;
708   const char *strp;
709   struct r_search_path_elem *pelem, **aelem;
710   size_t round_size;
711   struct link_map __attribute__ ((unused)) *l = NULL;
712   /* Initialize to please the compiler.  */
713   const char *errstring = NULL;
714 
715   /* Fill in the information about the application's RPATH and the
716      directories addressed by the LD_LIBRARY_PATH environment variable.  */
717 
718 #ifdef SHARED
719   /* Get the capabilities.  */
720   capstr = _dl_important_hwcaps (glibc_hwcaps_prepend, glibc_hwcaps_mask,
721 				 &ncapstr, &max_capstrlen);
722 #endif
723 
724   /* First set up the rest of the default search directory entries.  */
725   aelem = __rtld_search_dirs.dirs = (struct r_search_path_elem **)
726     malloc ((nsystem_dirs_len + 1) * sizeof (struct r_search_path_elem *));
727   if (__rtld_search_dirs.dirs == NULL)
728     {
729       errstring = N_("cannot create search path array");
730     signal_error:
731       _dl_signal_error (ENOMEM, NULL, NULL, errstring);
732     }
733 
734   round_size = ((2 * sizeof (struct r_search_path_elem) - 1
735 		 + ncapstr * sizeof (enum r_dir_status))
736 		/ sizeof (struct r_search_path_elem));
737 
738   __rtld_search_dirs.dirs[0]
739     = malloc (nsystem_dirs_len * round_size
740 	      * sizeof (*__rtld_search_dirs.dirs[0]));
741   if (__rtld_search_dirs.dirs[0] == NULL)
742     {
743       errstring = N_("cannot create cache for search path");
744       goto signal_error;
745     }
746 
747   __rtld_search_dirs.malloced = 0;
748   pelem = GL(dl_all_dirs) = __rtld_search_dirs.dirs[0];
749   strp = system_dirs;
750   idx = 0;
751 
752   do
753     {
754       size_t cnt;
755 
756       *aelem++ = pelem;
757 
758       pelem->what = "system search path";
759       pelem->where = NULL;
760 
761       pelem->dirname = strp;
762       pelem->dirnamelen = system_dirs_len[idx];
763       strp += system_dirs_len[idx] + 1;
764 
765       /* System paths must be absolute.  */
766       assert (pelem->dirname[0] == '/');
767       for (cnt = 0; cnt < ncapstr; ++cnt)
768 	pelem->status[cnt] = unknown;
769 
770       pelem->next = (++idx == nsystem_dirs_len ? NULL : (pelem + round_size));
771 
772       pelem += round_size;
773     }
774   while (idx < nsystem_dirs_len);
775 
776   max_dirnamelen = SYSTEM_DIRS_MAX_LEN;
777   *aelem = NULL;
778 
779   /* This points to the map of the main object.  If there is no main
780      object (e.g., under --help, use the dynamic loader itself as a
781      stand-in.  */
782   l = GL(dl_ns)[LM_ID_BASE]._ns_loaded;
783 #ifdef SHARED
784   if (l == NULL)
785     l = &GL (dl_rtld_map);
786 #endif
787   assert (l->l_type != lt_loaded);
788 
789   if (l->l_info[DT_RUNPATH])
790     {
791       /* Allocate room for the search path and fill in information
792 	 from RUNPATH.  */
793       decompose_rpath (&l->l_runpath_dirs,
794 		       (const void *) (D_PTR (l, l_info[DT_STRTAB])
795 				       + l->l_info[DT_RUNPATH]->d_un.d_val),
796 		       l, "RUNPATH");
797       /* During rtld init the memory is allocated by the stub malloc,
798 	 prevent any attempt to free it by the normal malloc.  */
799       l->l_runpath_dirs.malloced = 0;
800 
801       /* The RPATH is ignored.  */
802       l->l_rpath_dirs.dirs = (void *) -1;
803     }
804   else
805     {
806       l->l_runpath_dirs.dirs = (void *) -1;
807 
808       if (l->l_info[DT_RPATH])
809 	{
810 	  /* Allocate room for the search path and fill in information
811 	     from RPATH.  */
812 	  decompose_rpath (&l->l_rpath_dirs,
813 			   (const void *) (D_PTR (l, l_info[DT_STRTAB])
814 					   + l->l_info[DT_RPATH]->d_un.d_val),
815 			   l, "RPATH");
816 	  /* During rtld init the memory is allocated by the stub
817 	     malloc, prevent any attempt to free it by the normal
818 	     malloc.  */
819 	  l->l_rpath_dirs.malloced = 0;
820 	}
821       else
822 	l->l_rpath_dirs.dirs = (void *) -1;
823     }
824 
825   if (llp != NULL && *llp != '\0')
826     {
827       char *llp_tmp = strdupa (llp);
828 
829       /* Decompose the LD_LIBRARY_PATH contents.  First determine how many
830 	 elements it has.  */
831       size_t nllp = 1;
832       for (const char *cp = llp_tmp; *cp != '\0'; ++cp)
833 	if (*cp == ':' || *cp == ';')
834 	  ++nllp;
835 
836       __rtld_env_path_list.dirs = (struct r_search_path_elem **)
837 	malloc ((nllp + 1) * sizeof (struct r_search_path_elem *));
838       if (__rtld_env_path_list.dirs == NULL)
839 	{
840 	  errstring = N_("cannot create cache for search path");
841 	  goto signal_error;
842 	}
843 
844       (void) fillin_rpath (llp_tmp, __rtld_env_path_list.dirs, ":;",
845 			   source, NULL, l);
846 
847       if (__rtld_env_path_list.dirs[0] == NULL)
848 	{
849 	  free (__rtld_env_path_list.dirs);
850 	  __rtld_env_path_list.dirs = (void *) -1;
851 	}
852 
853       __rtld_env_path_list.malloced = 0;
854     }
855   else
856     __rtld_env_path_list.dirs = (void *) -1;
857 }
858 
859 
860 /* Process PT_GNU_PROPERTY program header PH in module L after
861    PT_LOAD segments are mapped.  Only one NT_GNU_PROPERTY_TYPE_0
862    note is handled which contains processor specific properties.
863    FD is -1 for the kernel mapped main executable otherwise it is
864    the fd used for loading module L.  */
865 
866 void
_dl_process_pt_gnu_property(struct link_map * l,int fd,const ElfW (Phdr)* ph)867 _dl_process_pt_gnu_property (struct link_map *l, int fd, const ElfW(Phdr) *ph)
868 {
869   const ElfW(Nhdr) *note = (const void *) (ph->p_vaddr + l->l_addr);
870   const ElfW(Addr) size = ph->p_memsz;
871   const ElfW(Addr) align = ph->p_align;
872 
873   /* The NT_GNU_PROPERTY_TYPE_0 note must be aligned to 4 bytes in
874      32-bit objects and to 8 bytes in 64-bit objects.  Skip notes
875      with incorrect alignment.  */
876   if (align != (__ELF_NATIVE_CLASS / 8))
877     return;
878 
879   const ElfW(Addr) start = (ElfW(Addr)) note;
880   unsigned int last_type = 0;
881 
882   while ((ElfW(Addr)) (note + 1) - start < size)
883     {
884       /* Find the NT_GNU_PROPERTY_TYPE_0 note.  */
885       if (note->n_namesz == 4
886 	  && note->n_type == NT_GNU_PROPERTY_TYPE_0
887 	  && memcmp (note + 1, "GNU", 4) == 0)
888 	{
889 	  /* Check for invalid property.  */
890 	  if (note->n_descsz < 8
891 	      || (note->n_descsz % sizeof (ElfW(Addr))) != 0)
892 	    return;
893 
894 	  /* Start and end of property array.  */
895 	  unsigned char *ptr = (unsigned char *) (note + 1) + 4;
896 	  unsigned char *ptr_end = ptr + note->n_descsz;
897 
898 	  do
899 	    {
900 	      unsigned int type = *(unsigned int *) ptr;
901 	      unsigned int datasz = *(unsigned int *) (ptr + 4);
902 
903 	      /* Property type must be in ascending order.  */
904 	      if (type < last_type)
905 		return;
906 
907 	      ptr += 8;
908 	      if ((ptr + datasz) > ptr_end)
909 		return;
910 
911 	      last_type = type;
912 
913 	      /* Target specific property processing.  */
914 	      if (_dl_process_gnu_property (l, fd, type, datasz, ptr) == 0)
915 		return;
916 
917 	      /* Check the next property item.  */
918 	      ptr += ALIGN_UP (datasz, sizeof (ElfW(Addr)));
919 	    }
920 	  while ((ptr_end - ptr) >= 8);
921 
922 	  /* Only handle one NT_GNU_PROPERTY_TYPE_0.  */
923 	  return;
924 	}
925 
926       note = ((const void *) note
927 	      + ELF_NOTE_NEXT_OFFSET (note->n_namesz, note->n_descsz,
928 				      align));
929     }
930 }
931 
932 
933 /* Map in the shared object NAME, actually located in REALNAME, and already
934    opened on FD.  */
935 
936 #ifndef EXTERNAL_MAP_FROM_FD
937 static
938 #endif
939 struct link_map *
_dl_map_object_from_fd(const char * name,const char * origname,int fd,struct filebuf * fbp,char * realname,struct link_map * loader,int l_type,int mode,void ** stack_endp,Lmid_t nsid)940 _dl_map_object_from_fd (const char *name, const char *origname, int fd,
941 			struct filebuf *fbp, char *realname,
942 			struct link_map *loader, int l_type, int mode,
943 			void **stack_endp, Lmid_t nsid)
944 {
945   struct link_map *l = NULL;
946   const ElfW(Ehdr) *header;
947   const ElfW(Phdr) *phdr;
948   const ElfW(Phdr) *ph;
949   size_t maplength;
950   int type;
951   /* Initialize to keep the compiler happy.  */
952   const char *errstring = NULL;
953   int errval = 0;
954   struct r_debug *r = _dl_debug_update (nsid);
955   bool make_consistent = false;
956 
957   /* Get file information.  To match the kernel behavior, do not fill
958      in this information for the executable in case of an explicit
959      loader invocation.  */
960   struct r_file_id id;
961   if (mode & __RTLD_OPENEXEC)
962     {
963       assert (nsid == LM_ID_BASE);
964       memset (&id, 0, sizeof (id));
965     }
966   else
967     {
968       if (__glibc_unlikely (!_dl_get_file_id (fd, &id)))
969 	{
970 	  errstring = N_("cannot stat shared object");
971 	lose_errno:
972 	  errval = errno;
973 	lose:
974 	  /* The file might already be closed.  */
975 	  if (fd != -1)
976 	    __close_nocancel (fd);
977 	  if (l != NULL && l->l_map_start != 0)
978 	    _dl_unmap_segments (l);
979 	  if (l != NULL && l->l_origin != (char *) -1l)
980 	    free ((char *) l->l_origin);
981 	  if (l != NULL && !l->l_libname->dont_free)
982 	    free (l->l_libname);
983 	  if (l != NULL && l->l_phdr_allocated)
984 	    free ((void *) l->l_phdr);
985 	  free (l);
986 	  free (realname);
987 
988 	  if (make_consistent && r != NULL)
989 	    {
990 	      r->r_state = RT_CONSISTENT;
991 	      _dl_debug_state ();
992 	      LIBC_PROBE (map_failed, 2, nsid, r);
993 	    }
994 
995 	  _dl_signal_error (errval, name, NULL, errstring);
996 	}
997 
998       /* Look again to see if the real name matched another already loaded.  */
999       for (l = GL(dl_ns)[nsid]._ns_loaded; l != NULL; l = l->l_next)
1000 	if (!l->l_removed && _dl_file_id_match_p (&l->l_file_id, &id))
1001 	  {
1002 	    /* The object is already loaded.
1003 	       Just bump its reference count and return it.  */
1004 	    __close_nocancel (fd);
1005 
1006 	    /* If the name is not in the list of names for this object add
1007 	       it.  */
1008 	    free (realname);
1009 	    add_name_to_object (l, name);
1010 
1011 	    return l;
1012 	  }
1013     }
1014 
1015 #ifdef SHARED
1016   /* When loading into a namespace other than the base one we must
1017      avoid loading ld.so since there can only be one copy.  Ever.  */
1018   if (__glibc_unlikely (nsid != LM_ID_BASE)
1019       && (_dl_file_id_match_p (&id, &GL(dl_rtld_map).l_file_id)
1020 	  || _dl_name_match_p (name, &GL(dl_rtld_map))))
1021     {
1022       /* This is indeed ld.so.  Create a new link_map which refers to
1023 	 the real one for almost everything.  */
1024       l = _dl_new_object (realname, name, l_type, loader, mode, nsid);
1025       if (l == NULL)
1026 	goto fail_new;
1027 
1028       /* Refer to the real descriptor.  */
1029       l->l_real = &GL(dl_rtld_map);
1030 
1031       /* Copy l_addr and l_ld to avoid a GDB warning with dlmopen().  */
1032       l->l_addr = l->l_real->l_addr;
1033       l->l_ld = l->l_real->l_ld;
1034 
1035       /* No need to bump the refcount of the real object, ld.so will
1036 	 never be unloaded.  */
1037       __close_nocancel (fd);
1038 
1039       /* Add the map for the mirrored object to the object list.  */
1040       _dl_add_to_namespace_list (l, nsid);
1041 
1042       return l;
1043     }
1044 #endif
1045 
1046   if (mode & RTLD_NOLOAD)
1047     {
1048       /* We are not supposed to load the object unless it is already
1049 	 loaded.  So return now.  */
1050       free (realname);
1051       __close_nocancel (fd);
1052       return NULL;
1053     }
1054 
1055   /* Print debugging message.  */
1056   if (__glibc_unlikely (GLRO(dl_debug_mask) & DL_DEBUG_FILES))
1057     _dl_debug_printf ("file=%s [%lu];  generating link map\n", name, nsid);
1058 
1059   /* This is the ELF header.  We read it in `open_verify'.  */
1060   header = (void *) fbp->buf;
1061 
1062   /* Enter the new object in the list of loaded objects.  */
1063   l = _dl_new_object (realname, name, l_type, loader, mode, nsid);
1064   if (__glibc_unlikely (l == NULL))
1065     {
1066 #ifdef SHARED
1067     fail_new:
1068 #endif
1069       errstring = N_("cannot create shared object descriptor");
1070       goto lose_errno;
1071     }
1072 
1073   /* Extract the remaining details we need from the ELF header
1074      and then read in the program header table.  */
1075   l->l_entry = header->e_entry;
1076   type = header->e_type;
1077   l->l_phnum = header->e_phnum;
1078 
1079   maplength = header->e_phnum * sizeof (ElfW(Phdr));
1080   if (header->e_phoff + maplength <= (size_t) fbp->len)
1081     phdr = (void *) (fbp->buf + header->e_phoff);
1082   else
1083     {
1084       phdr = alloca (maplength);
1085       if ((size_t) __pread64_nocancel (fd, (void *) phdr, maplength,
1086 				       header->e_phoff) != maplength)
1087 	{
1088 	  errstring = N_("cannot read file data");
1089 	  goto lose_errno;
1090 	}
1091     }
1092 
1093    /* On most platforms presume that PT_GNU_STACK is absent and the stack is
1094     * executable.  Other platforms default to a nonexecutable stack and don't
1095     * need PT_GNU_STACK to do so.  */
1096    unsigned int stack_flags = DEFAULT_STACK_PERMS;
1097 
1098   {
1099     /* Scan the program header table, collecting its load commands.  */
1100     struct loadcmd loadcmds[l->l_phnum];
1101     size_t nloadcmds = 0;
1102     bool has_holes = false;
1103     bool empty_dynamic = false;
1104     ElfW(Addr) p_align_max = 0;
1105 
1106     /* The struct is initialized to zero so this is not necessary:
1107     l->l_ld = 0;
1108     l->l_phdr = 0;
1109     l->l_addr = 0; */
1110     for (ph = phdr; ph < &phdr[l->l_phnum]; ++ph)
1111       switch (ph->p_type)
1112 	{
1113 	  /* These entries tell us where to find things once the file's
1114 	     segments are mapped in.  We record the addresses it says
1115 	     verbatim, and later correct for the run-time load address.  */
1116 	case PT_DYNAMIC:
1117 	  if (ph->p_filesz == 0)
1118 	    empty_dynamic = true; /* Usually separate debuginfo.  */
1119 	  else
1120 	    {
1121 	      /* Debuginfo only files from "objcopy --only-keep-debug"
1122 		 contain a PT_DYNAMIC segment with p_filesz == 0.  Skip
1123 		 such a segment to avoid a crash later.  */
1124 	      l->l_ld = (void *) ph->p_vaddr;
1125 	      l->l_ldnum = ph->p_memsz / sizeof (ElfW(Dyn));
1126 	      l->l_ld_readonly = (ph->p_flags & PF_W) == 0;
1127 	    }
1128 	  break;
1129 
1130 	case PT_PHDR:
1131 	  l->l_phdr = (void *) ph->p_vaddr;
1132 	  break;
1133 
1134 	case PT_LOAD:
1135 	  /* A load command tells us to map in part of the file.
1136 	     We record the load commands and process them all later.  */
1137 	  if (__glibc_unlikely (((ph->p_vaddr - ph->p_offset)
1138 				 & (GLRO(dl_pagesize) - 1)) != 0))
1139 	    {
1140 	      errstring
1141 		= N_("ELF load command address/offset not page-aligned");
1142 	      goto lose;
1143 	    }
1144 
1145 	  struct loadcmd *c = &loadcmds[nloadcmds++];
1146 	  c->mapstart = ALIGN_DOWN (ph->p_vaddr, GLRO(dl_pagesize));
1147 	  c->mapend = ALIGN_UP (ph->p_vaddr + ph->p_filesz, GLRO(dl_pagesize));
1148 	  c->dataend = ph->p_vaddr + ph->p_filesz;
1149 	  c->allocend = ph->p_vaddr + ph->p_memsz;
1150 	  /* Remember the maximum p_align.  */
1151 	  if (powerof2 (ph->p_align) && ph->p_align > p_align_max)
1152 	    p_align_max = ph->p_align;
1153 	  c->mapoff = ALIGN_DOWN (ph->p_offset, GLRO(dl_pagesize));
1154 
1155 	  DIAG_PUSH_NEEDS_COMMENT;
1156 
1157 #if __GNUC_PREREQ (11, 0)
1158 	  /* Suppress invalid GCC warning:
1159 	     ‘(((char *)loadcmds.113_68 + _933 + 16))[329406144173384849].mapend’ may be used uninitialized [-Wmaybe-uninitialized]
1160 	     See: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106008
1161 	   */
1162 	  DIAG_IGNORE_NEEDS_COMMENT (11, "-Wmaybe-uninitialized");
1163 #endif
1164 	  /* Determine whether there is a gap between the last segment
1165 	     and this one.  */
1166 	  if (nloadcmds > 1 && c[-1].mapend != c->mapstart)
1167 	    has_holes = true;
1168 	  DIAG_POP_NEEDS_COMMENT;
1169 
1170 	  /* Optimize a common case.  */
1171 #if (PF_R | PF_W | PF_X) == 7 && (PROT_READ | PROT_WRITE | PROT_EXEC) == 7
1172 	  c->prot = (PF_TO_PROT
1173 		     >> ((ph->p_flags & (PF_R | PF_W | PF_X)) * 4)) & 0xf;
1174 #else
1175 	  c->prot = 0;
1176 	  if (ph->p_flags & PF_R)
1177 	    c->prot |= PROT_READ;
1178 	  if (ph->p_flags & PF_W)
1179 	    c->prot |= PROT_WRITE;
1180 	  if (ph->p_flags & PF_X)
1181 	    c->prot |= PROT_EXEC;
1182 #endif
1183 	  break;
1184 
1185 	case PT_TLS:
1186 	  if (ph->p_memsz == 0)
1187 	    /* Nothing to do for an empty segment.  */
1188 	    break;
1189 
1190 	  l->l_tls_blocksize = ph->p_memsz;
1191 	  l->l_tls_align = ph->p_align;
1192 	  if (ph->p_align == 0)
1193 	    l->l_tls_firstbyte_offset = 0;
1194 	  else
1195 	    l->l_tls_firstbyte_offset = ph->p_vaddr & (ph->p_align - 1);
1196 	  l->l_tls_initimage_size = ph->p_filesz;
1197 	  /* Since we don't know the load address yet only store the
1198 	     offset.  We will adjust it later.  */
1199 	  l->l_tls_initimage = (void *) ph->p_vaddr;
1200 
1201 	  /* l->l_tls_modid is assigned below, once there is no
1202 	     possibility for failure.  */
1203 
1204 	  if (l->l_type != lt_library
1205 	      && GL(dl_tls_dtv_slotinfo_list) == NULL)
1206 	    {
1207 #ifdef SHARED
1208 	      /* We are loading the executable itself when the dynamic
1209 		 linker was executed directly.  The setup will happen
1210 		 later.  */
1211 	      assert (l->l_prev == NULL || (mode & __RTLD_AUDIT) != 0);
1212 #else
1213 	      assert (false && "TLS not initialized in static application");
1214 #endif
1215 	    }
1216 	  break;
1217 
1218 	case PT_GNU_STACK:
1219 	  stack_flags = ph->p_flags;
1220 	  break;
1221 
1222 	case PT_GNU_RELRO:
1223 	  l->l_relro_addr = ph->p_vaddr;
1224 	  l->l_relro_size = ph->p_memsz;
1225 	  break;
1226 	}
1227 
1228     if (__glibc_unlikely (nloadcmds == 0))
1229       {
1230 	/* This only happens for a bogus object that will be caught with
1231 	   another error below.  But we don't want to go through the
1232 	   calculations below using NLOADCMDS - 1.  */
1233 	errstring = N_("object file has no loadable segments");
1234 	goto lose;
1235       }
1236 
1237     /* Align all PT_LOAD segments to the maximum p_align.  */
1238     for (size_t i = 0; i < nloadcmds; i++)
1239       loadcmds[i].mapalign = p_align_max;
1240 
1241     /* dlopen of an executable is not valid because it is not possible
1242        to perform proper relocations, handle static TLS, or run the
1243        ELF constructors.  For PIE, the check needs the dynamic
1244        section, so there is another check below.  */
1245     if (__glibc_unlikely (type != ET_DYN)
1246 	&& __glibc_unlikely ((mode & __RTLD_OPENEXEC) == 0))
1247       {
1248 	/* This object is loaded at a fixed address.  This must never
1249 	   happen for objects loaded with dlopen.  */
1250 	errstring = N_("cannot dynamically load executable");
1251 	goto lose;
1252       }
1253 
1254     /* This check recognizes most separate debuginfo files.  */
1255     if (__glibc_unlikely ((l->l_ld == 0 && type == ET_DYN) || empty_dynamic))
1256       {
1257 	errstring = N_("object file has no dynamic section");
1258 	goto lose;
1259       }
1260 
1261     /* Length of the sections to be loaded.  */
1262     maplength = loadcmds[nloadcmds - 1].allocend - loadcmds[0].mapstart;
1263 
1264     /* Now process the load commands and map segments into memory.
1265        This is responsible for filling in:
1266        l_map_start, l_map_end, l_addr, l_contiguous, l_text_end, l_phdr
1267      */
1268     errstring = _dl_map_segments (l, fd, header, type, loadcmds, nloadcmds,
1269 				  maplength, has_holes, loader);
1270     if (__glibc_unlikely (errstring != NULL))
1271       {
1272 	/* Mappings can be in an inconsistent state: avoid unmap.  */
1273 	l->l_map_start = l->l_map_end = 0;
1274 	goto lose;
1275       }
1276   }
1277 
1278   if (l->l_ld != 0)
1279     l->l_ld = (ElfW(Dyn) *) ((ElfW(Addr)) l->l_ld + l->l_addr);
1280 
1281   elf_get_dynamic_info (l, false, false);
1282 
1283   /* Make sure we are not dlopen'ing an object that has the
1284      DF_1_NOOPEN flag set, or a PIE object.  */
1285   if ((__glibc_unlikely (l->l_flags_1 & DF_1_NOOPEN)
1286        && (mode & __RTLD_DLOPEN))
1287       || (__glibc_unlikely (l->l_flags_1 & DF_1_PIE)
1288 	  && __glibc_unlikely ((mode & __RTLD_OPENEXEC) == 0)))
1289     {
1290       if (l->l_flags_1 & DF_1_PIE)
1291 	errstring
1292 	  = N_("cannot dynamically load position-independent executable");
1293       else
1294 	errstring = N_("shared object cannot be dlopen()ed");
1295       goto lose;
1296     }
1297 
1298   if (l->l_phdr == NULL)
1299     {
1300       /* The program header is not contained in any of the segments.
1301 	 We have to allocate memory ourself and copy it over from out
1302 	 temporary place.  */
1303       ElfW(Phdr) *newp = (ElfW(Phdr) *) malloc (header->e_phnum
1304 						* sizeof (ElfW(Phdr)));
1305       if (newp == NULL)
1306 	{
1307 	  errstring = N_("cannot allocate memory for program header");
1308 	  goto lose_errno;
1309 	}
1310 
1311       l->l_phdr = memcpy (newp, phdr,
1312 			  (header->e_phnum * sizeof (ElfW(Phdr))));
1313       l->l_phdr_allocated = 1;
1314     }
1315   else
1316     /* Adjust the PT_PHDR value by the runtime load address.  */
1317     l->l_phdr = (ElfW(Phdr) *) ((ElfW(Addr)) l->l_phdr + l->l_addr);
1318 
1319   if (__glibc_unlikely ((stack_flags &~ GL(dl_stack_flags)) & PF_X))
1320     {
1321       /* The stack is presently not executable, but this module
1322 	 requires that it be executable.  We must change the
1323 	 protection of the variable which contains the flags used in
1324 	 the mprotect calls.  */
1325 #ifdef SHARED
1326       if ((mode & (__RTLD_DLOPEN | __RTLD_AUDIT)) == __RTLD_DLOPEN)
1327 	{
1328 	  const uintptr_t p = (uintptr_t) &__stack_prot & -GLRO(dl_pagesize);
1329 	  const size_t s = (uintptr_t) (&__stack_prot + 1) - p;
1330 
1331 	  struct link_map *const m = &GL(dl_rtld_map);
1332 	  const uintptr_t relro_end = ((m->l_addr + m->l_relro_addr
1333 					+ m->l_relro_size)
1334 				       & -GLRO(dl_pagesize));
1335 	  if (__glibc_likely (p + s <= relro_end))
1336 	    {
1337 	      /* The variable lies in the region protected by RELRO.  */
1338 	      if (__mprotect ((void *) p, s, PROT_READ|PROT_WRITE) < 0)
1339 		{
1340 		  errstring = N_("cannot change memory protections");
1341 		  goto lose_errno;
1342 		}
1343 	      __stack_prot |= PROT_READ|PROT_WRITE|PROT_EXEC;
1344 	      __mprotect ((void *) p, s, PROT_READ);
1345 	    }
1346 	  else
1347 	    __stack_prot |= PROT_READ|PROT_WRITE|PROT_EXEC;
1348 	}
1349       else
1350 #endif
1351 	__stack_prot |= PROT_READ|PROT_WRITE|PROT_EXEC;
1352 
1353 #ifdef check_consistency
1354       check_consistency ();
1355 #endif
1356 
1357 #if PTHREAD_IN_LIBC
1358       errval = _dl_make_stacks_executable (stack_endp);
1359 #else
1360       errval = (*GL(dl_make_stack_executable_hook)) (stack_endp);
1361 #endif
1362       if (errval)
1363 	{
1364 	  errstring = N_("\
1365 cannot enable executable stack as shared object requires");
1366 	  goto lose;
1367 	}
1368     }
1369 
1370   /* Adjust the address of the TLS initialization image.  */
1371   if (l->l_tls_initimage != NULL)
1372     l->l_tls_initimage = (char *) l->l_tls_initimage + l->l_addr;
1373 
1374   /* Process program headers again after load segments are mapped in
1375      case processing requires accessing those segments.  Scan program
1376      headers backward so that PT_NOTE can be skipped if PT_GNU_PROPERTY
1377      exits.  */
1378   for (ph = &l->l_phdr[l->l_phnum]; ph != l->l_phdr; --ph)
1379     switch (ph[-1].p_type)
1380       {
1381       case PT_NOTE:
1382 	_dl_process_pt_note (l, fd, &ph[-1]);
1383 	break;
1384       case PT_GNU_PROPERTY:
1385 	_dl_process_pt_gnu_property (l, fd, &ph[-1]);
1386 	break;
1387       }
1388 
1389   /* We are done mapping in the file.  We no longer need the descriptor.  */
1390   if (__glibc_unlikely (__close_nocancel (fd) != 0))
1391     {
1392       errstring = N_("cannot close file descriptor");
1393       goto lose_errno;
1394     }
1395   /* Signal that we closed the file.  */
1396   fd = -1;
1397 
1398   /* Failures before this point are handled locally via lose.
1399      There are no more failures in this function until return,
1400      to change that the cleanup handling needs to be updated.  */
1401 
1402   /* If this is ET_EXEC, we should have loaded it as lt_executable.  */
1403   assert (type != ET_EXEC || l->l_type == lt_executable);
1404 
1405   l->l_entry += l->l_addr;
1406 
1407   if (__glibc_unlikely (GLRO(dl_debug_mask) & DL_DEBUG_FILES))
1408     _dl_debug_printf ("\
1409   dynamic: 0x%0*lx  base: 0x%0*lx   size: 0x%0*Zx\n\
1410     entry: 0x%0*lx  phdr: 0x%0*lx  phnum:   %*u\n\n",
1411 			   (int) sizeof (void *) * 2,
1412 			   (unsigned long int) l->l_ld,
1413 			   (int) sizeof (void *) * 2,
1414 			   (unsigned long int) l->l_addr,
1415 			   (int) sizeof (void *) * 2, maplength,
1416 			   (int) sizeof (void *) * 2,
1417 			   (unsigned long int) l->l_entry,
1418 			   (int) sizeof (void *) * 2,
1419 			   (unsigned long int) l->l_phdr,
1420 			   (int) sizeof (void *) * 2, l->l_phnum);
1421 
1422   /* Set up the symbol hash table.  */
1423   _dl_setup_hash (l);
1424 
1425   /* If this object has DT_SYMBOLIC set modify now its scope.  We don't
1426      have to do this for the main map.  */
1427   if ((mode & RTLD_DEEPBIND) == 0
1428       && __glibc_unlikely (l->l_info[DT_SYMBOLIC] != NULL)
1429       && &l->l_searchlist != l->l_scope[0])
1430     {
1431       /* Create an appropriate searchlist.  It contains only this map.
1432 	 This is the definition of DT_SYMBOLIC in SysVr4.  */
1433       l->l_symbolic_searchlist.r_list[0] = l;
1434       l->l_symbolic_searchlist.r_nlist = 1;
1435 
1436       /* Now move the existing entries one back.  */
1437       memmove (&l->l_scope[1], &l->l_scope[0],
1438 	       (l->l_scope_max - 1) * sizeof (l->l_scope[0]));
1439 
1440       /* Now add the new entry.  */
1441       l->l_scope[0] = &l->l_symbolic_searchlist;
1442     }
1443 
1444   /* Remember whether this object must be initialized first.  */
1445   if (l->l_flags_1 & DF_1_INITFIRST)
1446     GL(dl_initfirst) = l;
1447 
1448   /* Finally the file information.  */
1449   l->l_file_id = id;
1450 
1451 #ifdef SHARED
1452   /* When auditing is used the recorded names might not include the
1453      name by which the DSO is actually known.  Add that as well.  */
1454   if (__glibc_unlikely (origname != NULL))
1455     add_name_to_object (l, origname);
1456 #else
1457   /* Audit modules only exist when linking is dynamic so ORIGNAME
1458      cannot be non-NULL.  */
1459   assert (origname == NULL);
1460 #endif
1461 
1462   /* When we profile the SONAME might be needed for something else but
1463      loading.  Add it right away.  */
1464   if (__glibc_unlikely (GLRO(dl_profile) != NULL)
1465       && l->l_info[DT_SONAME] != NULL)
1466     add_name_to_object (l, ((const char *) D_PTR (l, l_info[DT_STRTAB])
1467 			    + l->l_info[DT_SONAME]->d_un.d_val));
1468 
1469   /* If we have newly loaded libc.so, update the namespace
1470      description.  */
1471   if (GL(dl_ns)[nsid].libc_map == NULL
1472       && l->l_info[DT_SONAME] != NULL
1473       && strcmp (((const char *) D_PTR (l, l_info[DT_STRTAB])
1474 		  + l->l_info[DT_SONAME]->d_un.d_val), LIBC_SO) == 0)
1475     GL(dl_ns)[nsid].libc_map = l;
1476 
1477   /* _dl_close can only eventually undo the module ID assignment (via
1478      remove_slotinfo) if this function returns a pointer to a link
1479      map.  Therefore, delay this step until all possibilities for
1480      failure have been excluded.  */
1481   if (l->l_tls_blocksize > 0
1482       && (__glibc_likely (l->l_type == lt_library)
1483 	  /* If GL(dl_tls_dtv_slotinfo_list) == NULL, then rtld.c did
1484 	     not set up TLS data structures, so don't use them now.  */
1485 	  || __glibc_likely (GL(dl_tls_dtv_slotinfo_list) != NULL)))
1486     /* Assign the next available module ID.  */
1487     _dl_assign_tls_modid (l);
1488 
1489 #ifdef DL_AFTER_LOAD
1490   DL_AFTER_LOAD (l);
1491 #endif
1492 
1493   /* Now that the object is fully initialized add it to the object list.  */
1494   _dl_add_to_namespace_list (l, nsid);
1495 
1496   /* Signal that we are going to add new objects.  */
1497   if (r->r_state == RT_CONSISTENT)
1498     {
1499 #ifdef SHARED
1500       /* Auditing checkpoint: we are going to add new objects.  Since this
1501          is called after _dl_add_to_namespace_list the namespace is guaranteed
1502 	 to not be empty.  */
1503       if ((mode & __RTLD_AUDIT) == 0)
1504 	_dl_audit_activity_nsid (nsid, LA_ACT_ADD);
1505 #endif
1506 
1507       /* Notify the debugger we have added some objects.  We need to
1508 	 call _dl_debug_initialize in a static program in case dynamic
1509 	 linking has not been used before.  */
1510       r->r_state = RT_ADD;
1511       _dl_debug_state ();
1512       LIBC_PROBE (map_start, 2, nsid, r);
1513       make_consistent = true;
1514     }
1515   else
1516     assert (r->r_state == RT_ADD);
1517 
1518 #ifdef SHARED
1519   /* Auditing checkpoint: we have a new object.  */
1520   if (!GL(dl_ns)[l->l_ns]._ns_loaded->l_auditing)
1521     _dl_audit_objopen (l, nsid);
1522 #endif
1523 
1524   return l;
1525 }
1526 
1527 /* Print search path.  */
1528 static void
print_search_path(struct r_search_path_elem ** list,const char * what,const char * name)1529 print_search_path (struct r_search_path_elem **list,
1530 		   const char *what, const char *name)
1531 {
1532   char buf[max_dirnamelen + max_capstrlen];
1533   int first = 1;
1534 
1535   _dl_debug_printf (" search path=");
1536 
1537   while (*list != NULL && (*list)->what == what) /* Yes, ==.  */
1538     {
1539       char *endp = __mempcpy (buf, (*list)->dirname, (*list)->dirnamelen);
1540       size_t cnt;
1541 
1542       for (cnt = 0; cnt < ncapstr; ++cnt)
1543 	if ((*list)->status[cnt] != nonexisting)
1544 	  {
1545 #ifdef SHARED
1546 	    char *cp = __mempcpy (endp, capstr[cnt].str, capstr[cnt].len);
1547 	    if (cp == buf || (cp == buf + 1 && buf[0] == '/'))
1548 	      cp[0] = '\0';
1549 	    else
1550 	      cp[-1] = '\0';
1551 #else
1552 	    *endp = '\0';
1553 #endif
1554 
1555 	    _dl_debug_printf_c (first ? "%s" : ":%s", buf);
1556 	    first = 0;
1557 	  }
1558 
1559       ++list;
1560     }
1561 
1562   if (name != NULL)
1563     _dl_debug_printf_c ("\t\t(%s from file %s)\n", what,
1564 			DSO_FILENAME (name));
1565   else
1566     _dl_debug_printf_c ("\t\t(%s)\n", what);
1567 }
1568 
1569 /* Open a file and verify it is an ELF file for this architecture.  We
1570    ignore only ELF files for other architectures.  Non-ELF files and
1571    ELF files with different header information cause fatal errors since
1572    this could mean there is something wrong in the installation and the
1573    user might want to know about this.
1574 
1575    If FD is not -1, then the file is already open and FD refers to it.
1576    In that case, FD is consumed for both successful and error returns.  */
1577 static int
open_verify(const char * name,int fd,struct filebuf * fbp,struct link_map * loader,int whatcode,int mode,bool * found_other_class,bool free_name)1578 open_verify (const char *name, int fd,
1579              struct filebuf *fbp, struct link_map *loader,
1580 	     int whatcode, int mode, bool *found_other_class, bool free_name)
1581 {
1582   /* This is the expected ELF header.  */
1583 #define ELF32_CLASS ELFCLASS32
1584 #define ELF64_CLASS ELFCLASS64
1585 #ifndef VALID_ELF_HEADER
1586 # define VALID_ELF_HEADER(hdr,exp,size)	(memcmp (hdr, exp, size) == 0)
1587 # define VALID_ELF_OSABI(osabi)		(osabi == ELFOSABI_SYSV)
1588 # define VALID_ELF_ABIVERSION(osabi,ver) (ver == 0)
1589 #elif defined MORE_ELF_HEADER_DATA
1590   MORE_ELF_HEADER_DATA;
1591 #endif
1592   static const unsigned char expected[EI_NIDENT] =
1593   {
1594     [EI_MAG0] = ELFMAG0,
1595     [EI_MAG1] = ELFMAG1,
1596     [EI_MAG2] = ELFMAG2,
1597     [EI_MAG3] = ELFMAG3,
1598     [EI_CLASS] = ELFW(CLASS),
1599     [EI_DATA] = byteorder,
1600     [EI_VERSION] = EV_CURRENT,
1601     [EI_OSABI] = ELFOSABI_SYSV,
1602     [EI_ABIVERSION] = 0
1603   };
1604   /* Initialize it to make the compiler happy.  */
1605   const char *errstring = NULL;
1606   int errval = 0;
1607 
1608 #ifdef SHARED
1609   /* Give the auditing libraries a chance.  */
1610   if (__glibc_unlikely (GLRO(dl_naudit) > 0))
1611     {
1612       const char *original_name = name;
1613       name = _dl_audit_objsearch (name, loader, whatcode);
1614       if (name == NULL)
1615 	return -1;
1616 
1617       if (fd != -1 && name != original_name && strcmp (name, original_name))
1618 	{
1619 	  /* An audit library changed what we're supposed to open,
1620 	     so FD no longer matches it.  */
1621 	  __close_nocancel (fd);
1622 	  fd = -1;
1623 	}
1624     }
1625 #endif
1626 
1627   if (fd == -1)
1628     /* Open the file.  We always open files read-only.  */
1629     fd = __open64_nocancel (name, O_RDONLY | O_CLOEXEC);
1630 
1631   if (fd != -1)
1632     {
1633       ElfW(Ehdr) *ehdr;
1634       ElfW(Phdr) *phdr;
1635       size_t maplength;
1636 
1637       /* We successfully opened the file.  Now verify it is a file
1638 	 we can use.  */
1639       __set_errno (0);
1640       fbp->len = 0;
1641       assert (sizeof (fbp->buf) > sizeof (ElfW(Ehdr)));
1642       /* Read in the header.  */
1643       do
1644 	{
1645 	  ssize_t retlen = __read_nocancel (fd, fbp->buf + fbp->len,
1646 					    sizeof (fbp->buf) - fbp->len);
1647 	  if (retlen <= 0)
1648 	    break;
1649 	  fbp->len += retlen;
1650 	}
1651       while (__glibc_unlikely (fbp->len < sizeof (ElfW(Ehdr))));
1652 
1653       /* This is where the ELF header is loaded.  */
1654       ehdr = (ElfW(Ehdr) *) fbp->buf;
1655 
1656       /* Now run the tests.  */
1657       if (__glibc_unlikely (fbp->len < (ssize_t) sizeof (ElfW(Ehdr))))
1658 	{
1659 	  errval = errno;
1660 	  errstring = (errval == 0
1661 		       ? N_("file too short") : N_("cannot read file data"));
1662 	lose:
1663 	  if (free_name)
1664 	    {
1665 	      char *realname = (char *) name;
1666 	      name = strdupa (realname);
1667 	      free (realname);
1668 	    }
1669 	  __close_nocancel (fd);
1670 	  _dl_signal_error (errval, name, NULL, errstring);
1671 	}
1672 
1673       /* See whether the ELF header is what we expect.  */
1674       if (__glibc_unlikely (! VALID_ELF_HEADER (ehdr->e_ident, expected,
1675 						EI_ABIVERSION)
1676 			    || !VALID_ELF_ABIVERSION (ehdr->e_ident[EI_OSABI],
1677 						      ehdr->e_ident[EI_ABIVERSION])
1678 			    || memcmp (&ehdr->e_ident[EI_PAD],
1679 				       &expected[EI_PAD],
1680 				       EI_NIDENT - EI_PAD) != 0))
1681 	{
1682 	  /* Something is wrong.  */
1683 	  const Elf32_Word *magp = (const void *) ehdr->e_ident;
1684 	  if (*magp !=
1685 #if BYTE_ORDER == LITTLE_ENDIAN
1686 	      ((ELFMAG0 << (EI_MAG0 * 8))
1687 	       | (ELFMAG1 << (EI_MAG1 * 8))
1688 	       | (ELFMAG2 << (EI_MAG2 * 8))
1689 	       | (ELFMAG3 << (EI_MAG3 * 8)))
1690 #else
1691 	      ((ELFMAG0 << (EI_MAG3 * 8))
1692 	       | (ELFMAG1 << (EI_MAG2 * 8))
1693 	       | (ELFMAG2 << (EI_MAG1 * 8))
1694 	       | (ELFMAG3 << (EI_MAG0 * 8)))
1695 #endif
1696 	      )
1697 	    errstring = N_("invalid ELF header");
1698 
1699 	  else if (ehdr->e_ident[EI_CLASS] != ELFW(CLASS))
1700 	    {
1701 	      /* This is not a fatal error.  On architectures where
1702 		 32-bit and 64-bit binaries can be run this might
1703 		 happen.  */
1704 	      *found_other_class = true;
1705 	      __close_nocancel (fd);
1706 	      __set_errno (ENOENT);
1707 	      return -1;
1708 	    }
1709 	  else if (ehdr->e_ident[EI_DATA] != byteorder)
1710 	    {
1711 	      if (BYTE_ORDER == BIG_ENDIAN)
1712 		errstring = N_("ELF file data encoding not big-endian");
1713 	      else
1714 		errstring = N_("ELF file data encoding not little-endian");
1715 	    }
1716 	  else if (ehdr->e_ident[EI_VERSION] != EV_CURRENT)
1717 	    errstring
1718 	      = N_("ELF file version ident does not match current one");
1719 	  /* XXX We should be able so set system specific versions which are
1720 	     allowed here.  */
1721 	  else if (!VALID_ELF_OSABI (ehdr->e_ident[EI_OSABI]))
1722 	    errstring = N_("ELF file OS ABI invalid");
1723 	  else if (!VALID_ELF_ABIVERSION (ehdr->e_ident[EI_OSABI],
1724 					  ehdr->e_ident[EI_ABIVERSION]))
1725 	    errstring = N_("ELF file ABI version invalid");
1726 	  else if (memcmp (&ehdr->e_ident[EI_PAD], &expected[EI_PAD],
1727 			   EI_NIDENT - EI_PAD) != 0)
1728 	    errstring = N_("nonzero padding in e_ident");
1729 	  else
1730 	    /* Otherwise we don't know what went wrong.  */
1731 	    errstring = N_("internal error");
1732 
1733 	  goto lose;
1734 	}
1735 
1736       if (__glibc_unlikely (ehdr->e_version != EV_CURRENT))
1737 	{
1738 	  errstring = N_("ELF file version does not match current one");
1739 	  goto lose;
1740 	}
1741       if (! __glibc_likely (elf_machine_matches_host (ehdr)))
1742 	{
1743 	  __close_nocancel (fd);
1744 	  __set_errno (ENOENT);
1745 	  return -1;
1746 	}
1747       else if (__glibc_unlikely (ehdr->e_type != ET_DYN
1748 				 && ehdr->e_type != ET_EXEC))
1749 	{
1750 	  errstring = N_("only ET_DYN and ET_EXEC can be loaded");
1751 	  goto lose;
1752 	}
1753       else if (__glibc_unlikely (ehdr->e_phentsize != sizeof (ElfW(Phdr))))
1754 	{
1755 	  errstring = N_("ELF file's phentsize not the expected size");
1756 	  goto lose;
1757 	}
1758 
1759       maplength = ehdr->e_phnum * sizeof (ElfW(Phdr));
1760       if (ehdr->e_phoff + maplength <= (size_t) fbp->len)
1761 	phdr = (void *) (fbp->buf + ehdr->e_phoff);
1762       else
1763 	{
1764 	  phdr = alloca (maplength);
1765 	  if ((size_t) __pread64_nocancel (fd, (void *) phdr, maplength,
1766 					   ehdr->e_phoff) != maplength)
1767 	    {
1768 	      errval = errno;
1769 	      errstring = N_("cannot read file data");
1770 	      goto lose;
1771 	    }
1772 	}
1773 
1774       if (__glibc_unlikely (elf_machine_reject_phdr_p
1775 			    (phdr, ehdr->e_phnum, fbp->buf, fbp->len,
1776 			     loader, fd)))
1777 	{
1778 	  __close_nocancel (fd);
1779 	  __set_errno (ENOENT);
1780 	  return -1;
1781 	}
1782 
1783     }
1784 
1785   return fd;
1786 }
1787 
1788 /* Try to open NAME in one of the directories in *DIRSP.
1789    Return the fd, or -1.  If successful, fill in *REALNAME
1790    with the malloc'd full directory name.  If it turns out
1791    that none of the directories in *DIRSP exists, *DIRSP is
1792    replaced with (void *) -1, and the old value is free()d
1793    if MAY_FREE_DIRS is true.  */
1794 
1795 static int
open_path(const char * name,size_t namelen,int mode,struct r_search_path_struct * sps,char ** realname,struct filebuf * fbp,struct link_map * loader,int whatcode,bool * found_other_class)1796 open_path (const char *name, size_t namelen, int mode,
1797 	   struct r_search_path_struct *sps, char **realname,
1798 	   struct filebuf *fbp, struct link_map *loader, int whatcode,
1799 	   bool *found_other_class)
1800 {
1801   struct r_search_path_elem **dirs = sps->dirs;
1802   char *buf;
1803   int fd = -1;
1804   const char *current_what = NULL;
1805   int any = 0;
1806 
1807   if (__glibc_unlikely (dirs == NULL))
1808     /* We're called before _dl_init_paths when loading the main executable
1809        given on the command line when rtld is run directly.  */
1810     return -1;
1811 
1812   buf = alloca (max_dirnamelen + max_capstrlen + namelen);
1813   do
1814     {
1815       struct r_search_path_elem *this_dir = *dirs;
1816       size_t buflen = 0;
1817       size_t cnt;
1818       char *edp;
1819       int here_any = 0;
1820       int err;
1821 
1822       /* If we are debugging the search for libraries print the path
1823 	 now if it hasn't happened now.  */
1824       if (__glibc_unlikely (GLRO(dl_debug_mask) & DL_DEBUG_LIBS)
1825 	  && current_what != this_dir->what)
1826 	{
1827 	  current_what = this_dir->what;
1828 	  print_search_path (dirs, current_what, this_dir->where);
1829 	}
1830 
1831       edp = (char *) __mempcpy (buf, this_dir->dirname, this_dir->dirnamelen);
1832       for (cnt = 0; fd == -1 && cnt < ncapstr; ++cnt)
1833 	{
1834 	  /* Skip this directory if we know it does not exist.  */
1835 	  if (this_dir->status[cnt] == nonexisting)
1836 	    continue;
1837 
1838 #ifdef SHARED
1839 	  buflen =
1840 	    ((char *) __mempcpy (__mempcpy (edp, capstr[cnt].str,
1841 					    capstr[cnt].len),
1842 				 name, namelen)
1843 	     - buf);
1844 #else
1845 	  buflen = (char *) __mempcpy (edp, name, namelen) - buf;
1846 #endif
1847 
1848 	  /* Print name we try if this is wanted.  */
1849 	  if (__glibc_unlikely (GLRO(dl_debug_mask) & DL_DEBUG_LIBS))
1850 	    _dl_debug_printf ("  trying file=%s\n", buf);
1851 
1852 	  fd = open_verify (buf, -1, fbp, loader, whatcode, mode,
1853 			    found_other_class, false);
1854 	  if (this_dir->status[cnt] == unknown)
1855 	    {
1856 	      if (fd != -1)
1857 		this_dir->status[cnt] = existing;
1858 	      /* Do not update the directory information when loading
1859 		 auditing code.  We must try to disturb the program as
1860 		 little as possible.  */
1861 	      else if (loader == NULL
1862 		       || GL(dl_ns)[loader->l_ns]._ns_loaded->l_auditing == 0)
1863 		{
1864 		  /* We failed to open machine dependent library.  Let's
1865 		     test whether there is any directory at all.  */
1866 		  struct __stat64_t64 st;
1867 
1868 		  buf[buflen - namelen - 1] = '\0';
1869 
1870 		  if (__stat64_time64 (buf, &st) != 0
1871 		      || ! S_ISDIR (st.st_mode))
1872 		    /* The directory does not exist or it is no directory.  */
1873 		    this_dir->status[cnt] = nonexisting;
1874 		  else
1875 		    this_dir->status[cnt] = existing;
1876 		}
1877 	    }
1878 
1879 	  /* Remember whether we found any existing directory.  */
1880 	  here_any |= this_dir->status[cnt] != nonexisting;
1881 
1882 	  if (fd != -1 && __glibc_unlikely (mode & __RTLD_SECURE)
1883 	      && __libc_enable_secure)
1884 	    {
1885 	      /* This is an extra security effort to make sure nobody can
1886 		 preload broken shared objects which are in the trusted
1887 		 directories and so exploit the bugs.  */
1888 	      struct __stat64_t64 st;
1889 
1890 	      if (__fstat64_time64 (fd, &st) != 0
1891 		  || (st.st_mode & S_ISUID) == 0)
1892 		{
1893 		  /* The shared object cannot be tested for being SUID
1894 		     or this bit is not set.  In this case we must not
1895 		     use this object.  */
1896 		  __close_nocancel (fd);
1897 		  fd = -1;
1898 		  /* We simply ignore the file, signal this by setting
1899 		     the error value which would have been set by `open'.  */
1900 		  errno = ENOENT;
1901 		}
1902 	    }
1903 	}
1904 
1905       if (fd != -1)
1906 	{
1907 	  *realname = (char *) malloc (buflen);
1908 	  if (*realname != NULL)
1909 	    {
1910 	      memcpy (*realname, buf, buflen);
1911 	      return fd;
1912 	    }
1913 	  else
1914 	    {
1915 	      /* No memory for the name, we certainly won't be able
1916 		 to load and link it.  */
1917 	      __close_nocancel (fd);
1918 	      return -1;
1919 	    }
1920 	}
1921       if (here_any && (err = errno) != ENOENT && err != EACCES)
1922 	/* The file exists and is readable, but something went wrong.  */
1923 	return -1;
1924 
1925       /* Remember whether we found anything.  */
1926       any |= here_any;
1927     }
1928   while (*++dirs != NULL);
1929 
1930   /* Remove the whole path if none of the directories exists.  */
1931   if (__glibc_unlikely (! any))
1932     {
1933       /* Paths which were allocated using the minimal malloc() in ld.so
1934 	 must not be freed using the general free() in libc.  */
1935       if (sps->malloced)
1936 	free (sps->dirs);
1937 
1938       /* __rtld_search_dirs and __rtld_env_path_list are
1939 	 attribute_relro, therefore avoid writing to them.  */
1940       if (sps != &__rtld_search_dirs && sps != &__rtld_env_path_list)
1941 	sps->dirs = (void *) -1;
1942     }
1943 
1944   return -1;
1945 }
1946 
1947 /* Map in the shared object file NAME.  */
1948 
1949 struct link_map *
_dl_map_object(struct link_map * loader,const char * name,int type,int trace_mode,int mode,Lmid_t nsid)1950 _dl_map_object (struct link_map *loader, const char *name,
1951 		int type, int trace_mode, int mode, Lmid_t nsid)
1952 {
1953   int fd;
1954   const char *origname = NULL;
1955   char *realname;
1956   char *name_copy;
1957   struct link_map *l;
1958   struct filebuf fb;
1959 
1960   assert (nsid >= 0);
1961   assert (nsid < GL(dl_nns));
1962 
1963   /* Look for this name among those already loaded.  */
1964   for (l = GL(dl_ns)[nsid]._ns_loaded; l; l = l->l_next)
1965     {
1966       /* If the requested name matches the soname of a loaded object,
1967 	 use that object.  Elide this check for names that have not
1968 	 yet been opened.  */
1969       if (__glibc_unlikely ((l->l_faked | l->l_removed) != 0))
1970 	continue;
1971       if (!_dl_name_match_p (name, l))
1972 	{
1973 	  const char *soname;
1974 
1975 	  if (__glibc_likely (l->l_soname_added)
1976 	      || l->l_info[DT_SONAME] == NULL)
1977 	    continue;
1978 
1979 	  soname = ((const char *) D_PTR (l, l_info[DT_STRTAB])
1980 		    + l->l_info[DT_SONAME]->d_un.d_val);
1981 	  if (strcmp (name, soname) != 0)
1982 	    continue;
1983 
1984 	  /* We have a match on a new name -- cache it.  */
1985 	  add_name_to_object (l, soname);
1986 	  l->l_soname_added = 1;
1987 	}
1988 
1989       /* We have a match.  */
1990       return l;
1991     }
1992 
1993   /* Display information if we are debugging.  */
1994   if (__glibc_unlikely (GLRO(dl_debug_mask) & DL_DEBUG_FILES)
1995       && loader != NULL)
1996     _dl_debug_printf ((mode & __RTLD_CALLMAP) == 0
1997 		      ? "\nfile=%s [%lu];  needed by %s [%lu]\n"
1998 		      : "\nfile=%s [%lu];  dynamically loaded by %s [%lu]\n",
1999 		      name, nsid, DSO_FILENAME (loader->l_name), loader->l_ns);
2000 
2001 #ifdef SHARED
2002   /* Give the auditing libraries a chance to change the name before we
2003      try anything.  */
2004   if (__glibc_unlikely (GLRO(dl_naudit) > 0))
2005     {
2006       const char *before = name;
2007       name = _dl_audit_objsearch (name, loader, LA_SER_ORIG);
2008       if (name == NULL)
2009 	{
2010 	  fd = -1;
2011 	  goto no_file;
2012 	}
2013       if (before != name && strcmp (before, name) != 0)
2014 	origname = before;
2015     }
2016 #endif
2017 
2018   /* Will be true if we found a DSO which is of the other ELF class.  */
2019   bool found_other_class = false;
2020 
2021   if (strchr (name, '/') == NULL)
2022     {
2023       /* Search for NAME in several places.  */
2024 
2025       size_t namelen = strlen (name) + 1;
2026 
2027       if (__glibc_unlikely (GLRO(dl_debug_mask) & DL_DEBUG_LIBS))
2028 	_dl_debug_printf ("find library=%s [%lu]; searching\n", name, nsid);
2029 
2030       fd = -1;
2031 
2032       /* When the object has the RUNPATH information we don't use any
2033 	 RPATHs.  */
2034       if (loader == NULL || loader->l_info[DT_RUNPATH] == NULL)
2035 	{
2036 	  /* This is the executable's map (if there is one).  Make sure that
2037 	     we do not look at it twice.  */
2038 	  struct link_map *main_map = GL(dl_ns)[LM_ID_BASE]._ns_loaded;
2039 	  bool did_main_map = false;
2040 
2041 	  /* First try the DT_RPATH of the dependent object that caused NAME
2042 	     to be loaded.  Then that object's dependent, and on up.  */
2043 	  for (l = loader; l; l = l->l_loader)
2044 	    if (cache_rpath (l, &l->l_rpath_dirs, DT_RPATH, "RPATH"))
2045 	      {
2046 		fd = open_path (name, namelen, mode,
2047 				&l->l_rpath_dirs,
2048 				&realname, &fb, loader, LA_SER_RUNPATH,
2049 				&found_other_class);
2050 		if (fd != -1)
2051 		  break;
2052 
2053 		did_main_map |= l == main_map;
2054 	      }
2055 
2056 	  /* If dynamically linked, try the DT_RPATH of the executable
2057 	     itself.  NB: we do this for lookups in any namespace.  */
2058 	  if (fd == -1 && !did_main_map
2059 	      && main_map != NULL && main_map->l_type != lt_loaded
2060 	      && cache_rpath (main_map, &main_map->l_rpath_dirs, DT_RPATH,
2061 			      "RPATH"))
2062 	    fd = open_path (name, namelen, mode,
2063 			    &main_map->l_rpath_dirs,
2064 			    &realname, &fb, loader ?: main_map, LA_SER_RUNPATH,
2065 			    &found_other_class);
2066 
2067 	  /* Also try DT_RUNPATH in the executable for LD_AUDIT dlopen
2068 	     call.  */
2069 	  if (__glibc_unlikely (mode & __RTLD_AUDIT)
2070 	      && fd == -1 && !did_main_map
2071 	      && main_map != NULL && main_map->l_type != lt_loaded)
2072 	    {
2073 	      struct r_search_path_struct l_rpath_dirs;
2074 	      l_rpath_dirs.dirs = NULL;
2075 	      if (cache_rpath (main_map, &l_rpath_dirs,
2076 			       DT_RUNPATH, "RUNPATH"))
2077 		fd = open_path (name, namelen, mode, &l_rpath_dirs,
2078 				&realname, &fb, loader ?: main_map,
2079 				LA_SER_RUNPATH, &found_other_class);
2080 	    }
2081 	}
2082 
2083       /* Try the LD_LIBRARY_PATH environment variable.  */
2084       if (fd == -1 && __rtld_env_path_list.dirs != (void *) -1)
2085 	fd = open_path (name, namelen, mode, &__rtld_env_path_list,
2086 			&realname, &fb,
2087 			loader ?: GL(dl_ns)[LM_ID_BASE]._ns_loaded,
2088 			LA_SER_LIBPATH, &found_other_class);
2089 
2090       /* Look at the RUNPATH information for this binary.  */
2091       if (fd == -1 && loader != NULL
2092 	  && cache_rpath (loader, &loader->l_runpath_dirs,
2093 			  DT_RUNPATH, "RUNPATH"))
2094 	fd = open_path (name, namelen, mode,
2095 			&loader->l_runpath_dirs, &realname, &fb, loader,
2096 			LA_SER_RUNPATH, &found_other_class);
2097 
2098       if (fd == -1)
2099         {
2100           realname = _dl_sysdep_open_object (name, namelen, &fd);
2101           if (realname != NULL)
2102             {
2103               fd = open_verify (realname, fd,
2104                                 &fb, loader ?: GL(dl_ns)[nsid]._ns_loaded,
2105                                 LA_SER_CONFIG, mode, &found_other_class,
2106                                 false);
2107               if (fd == -1)
2108                 free (realname);
2109             }
2110         }
2111 
2112 #ifdef USE_LDCONFIG
2113       if (fd == -1
2114 	  && (__glibc_likely ((mode & __RTLD_SECURE) == 0)
2115 	      || ! __libc_enable_secure)
2116 	  && __glibc_likely (GLRO(dl_inhibit_cache) == 0))
2117 	{
2118 	  /* Check the list of libraries in the file /etc/ld.so.cache,
2119 	     for compatibility with Linux's ldconfig program.  */
2120 	  char *cached = _dl_load_cache_lookup (name);
2121 
2122 	  if (cached != NULL)
2123 	    {
2124 	      // XXX Correct to unconditionally default to namespace 0?
2125 	      l = (loader
2126 		   ?: GL(dl_ns)[LM_ID_BASE]._ns_loaded
2127 # ifdef SHARED
2128 		   ?: &GL(dl_rtld_map)
2129 # endif
2130 		  );
2131 
2132 	      /* If the loader has the DF_1_NODEFLIB flag set we must not
2133 		 use a cache entry from any of these directories.  */
2134 	      if (__glibc_unlikely (l->l_flags_1 & DF_1_NODEFLIB))
2135 		{
2136 		  const char *dirp = system_dirs;
2137 		  unsigned int cnt = 0;
2138 
2139 		  do
2140 		    {
2141 		      if (memcmp (cached, dirp, system_dirs_len[cnt]) == 0)
2142 			{
2143 			  /* The prefix matches.  Don't use the entry.  */
2144 			  free (cached);
2145 			  cached = NULL;
2146 			  break;
2147 			}
2148 
2149 		      dirp += system_dirs_len[cnt] + 1;
2150 		      ++cnt;
2151 		    }
2152 		  while (cnt < nsystem_dirs_len);
2153 		}
2154 
2155 	      if (cached != NULL)
2156 		{
2157 		  fd = open_verify (cached, -1,
2158 				    &fb, loader ?: GL(dl_ns)[nsid]._ns_loaded,
2159 				    LA_SER_CONFIG, mode, &found_other_class,
2160 				    false);
2161 		  if (__glibc_likely (fd != -1))
2162 		    realname = cached;
2163 		  else
2164 		    free (cached);
2165 		}
2166 	    }
2167 	}
2168 #endif
2169 
2170       /* Finally, try the default path.  */
2171       if (fd == -1
2172 	  && ((l = loader ?: GL(dl_ns)[nsid]._ns_loaded) == NULL
2173 	      || __glibc_likely (!(l->l_flags_1 & DF_1_NODEFLIB)))
2174 	  && __rtld_search_dirs.dirs != (void *) -1)
2175 	fd = open_path (name, namelen, mode, &__rtld_search_dirs,
2176 			&realname, &fb, l, LA_SER_DEFAULT, &found_other_class);
2177 
2178       /* Add another newline when we are tracing the library loading.  */
2179       if (__glibc_unlikely (GLRO(dl_debug_mask) & DL_DEBUG_LIBS))
2180 	_dl_debug_printf ("\n");
2181     }
2182   else
2183     {
2184       /* The path may contain dynamic string tokens.  */
2185       realname = (loader
2186 		  ? expand_dynamic_string_token (loader, name)
2187 		  : __strdup (name));
2188       if (realname == NULL)
2189 	fd = -1;
2190       else
2191 	{
2192 	  fd = open_verify (realname, -1, &fb,
2193 			    loader ?: GL(dl_ns)[nsid]._ns_loaded, 0, mode,
2194 			    &found_other_class, true);
2195 	  if (__glibc_unlikely (fd == -1))
2196 	    free (realname);
2197 	}
2198     }
2199 
2200 #ifdef SHARED
2201  no_file:
2202 #endif
2203   /* In case the LOADER information has only been provided to get to
2204      the appropriate RUNPATH/RPATH information we do not need it
2205      anymore.  */
2206   if (mode & __RTLD_CALLMAP)
2207     loader = NULL;
2208 
2209   if (__glibc_unlikely (fd == -1))
2210     {
2211       if (trace_mode)
2212 	{
2213 	  /* We haven't found an appropriate library.  But since we
2214 	     are only interested in the list of libraries this isn't
2215 	     so severe.  Fake an entry with all the information we
2216 	     have.  */
2217 	  static const Elf_Symndx dummy_bucket = STN_UNDEF;
2218 
2219 	  /* Allocate a new object map.  */
2220 	  if ((name_copy = __strdup (name)) == NULL
2221 	      || (l = _dl_new_object (name_copy, name, type, loader,
2222 				      mode, nsid)) == NULL)
2223 	    {
2224 	      free (name_copy);
2225 	      _dl_signal_error (ENOMEM, name, NULL,
2226 				N_("cannot create shared object descriptor"));
2227 	    }
2228 	  /* Signal that this is a faked entry.  */
2229 	  l->l_faked = 1;
2230 	  /* Since the descriptor is initialized with zero we do not
2231 	     have do this here.
2232 	  l->l_reserved = 0; */
2233 	  l->l_buckets = &dummy_bucket;
2234 	  l->l_nbuckets = 1;
2235 	  l->l_relocated = 1;
2236 
2237 	  /* Enter the object in the object list.  */
2238 	  _dl_add_to_namespace_list (l, nsid);
2239 
2240 	  return l;
2241 	}
2242       else if (found_other_class)
2243 	_dl_signal_error (0, name, NULL,
2244 			  ELFW(CLASS) == ELFCLASS32
2245 			  ? N_("wrong ELF class: ELFCLASS64")
2246 			  : N_("wrong ELF class: ELFCLASS32"));
2247       else
2248 	_dl_signal_error (errno, name, NULL,
2249 			  N_("cannot open shared object file"));
2250     }
2251 
2252   void *stack_end = __libc_stack_end;
2253   return _dl_map_object_from_fd (name, origname, fd, &fb, realname, loader,
2254 				 type, mode, &stack_end, nsid);
2255 }
2256 
2257 struct add_path_state
2258 {
2259   bool counting;
2260   unsigned int idx;
2261   Dl_serinfo *si;
2262   char *allocptr;
2263 };
2264 
2265 static void
add_path(struct add_path_state * p,const struct r_search_path_struct * sps,unsigned int flags)2266 add_path (struct add_path_state *p, const struct r_search_path_struct *sps,
2267 	  unsigned int flags)
2268 {
2269   if (sps->dirs != (void *) -1)
2270     {
2271       struct r_search_path_elem **dirs = sps->dirs;
2272       do
2273 	{
2274 	  const struct r_search_path_elem *const r = *dirs++;
2275 	  if (p->counting)
2276 	    {
2277 	      p->si->dls_cnt++;
2278 	      p->si->dls_size += MAX (2, r->dirnamelen);
2279 	    }
2280 	  else
2281 	    {
2282 	      Dl_serpath *const sp = &p->si->dls_serpath[p->idx++];
2283 	      sp->dls_name = p->allocptr;
2284 	      if (r->dirnamelen < 2)
2285 		*p->allocptr++ = r->dirnamelen ? '/' : '.';
2286 	      else
2287 		p->allocptr = __mempcpy (p->allocptr,
2288 					  r->dirname, r->dirnamelen - 1);
2289 	      *p->allocptr++ = '\0';
2290 	      sp->dls_flags = flags;
2291 	    }
2292 	}
2293       while (*dirs != NULL);
2294     }
2295 }
2296 
2297 void
_dl_rtld_di_serinfo(struct link_map * loader,Dl_serinfo * si,bool counting)2298 _dl_rtld_di_serinfo (struct link_map *loader, Dl_serinfo *si, bool counting)
2299 {
2300   if (counting)
2301     {
2302       si->dls_cnt = 0;
2303       si->dls_size = 0;
2304     }
2305 
2306   struct add_path_state p =
2307     {
2308       .counting = counting,
2309       .idx = 0,
2310       .si = si,
2311       .allocptr = (char *) &si->dls_serpath[si->dls_cnt]
2312     };
2313 
2314 # define add_path(p, sps, flags) add_path(p, sps, 0) /* XXX */
2315 
2316   /* When the object has the RUNPATH information we don't use any RPATHs.  */
2317   if (loader->l_info[DT_RUNPATH] == NULL)
2318     {
2319       /* First try the DT_RPATH of the dependent object that caused NAME
2320 	 to be loaded.  Then that object's dependent, and on up.  */
2321 
2322       struct link_map *l = loader;
2323       do
2324 	{
2325 	  if (cache_rpath (l, &l->l_rpath_dirs, DT_RPATH, "RPATH"))
2326 	    add_path (&p, &l->l_rpath_dirs, XXX_RPATH);
2327 	  l = l->l_loader;
2328 	}
2329       while (l != NULL);
2330 
2331       /* If dynamically linked, try the DT_RPATH of the executable itself.  */
2332       if (loader->l_ns == LM_ID_BASE)
2333 	{
2334 	  l = GL(dl_ns)[LM_ID_BASE]._ns_loaded;
2335 	  if (l != NULL && l->l_type != lt_loaded && l != loader)
2336 	    if (cache_rpath (l, &l->l_rpath_dirs, DT_RPATH, "RPATH"))
2337 	      add_path (&p, &l->l_rpath_dirs, XXX_RPATH);
2338 	}
2339     }
2340 
2341   /* Try the LD_LIBRARY_PATH environment variable.  */
2342   add_path (&p, &__rtld_env_path_list, XXX_ENV);
2343 
2344   /* Look at the RUNPATH information for this binary.  */
2345   if (cache_rpath (loader, &loader->l_runpath_dirs, DT_RUNPATH, "RUNPATH"))
2346     add_path (&p, &loader->l_runpath_dirs, XXX_RUNPATH);
2347 
2348   /* XXX
2349      Here is where ld.so.cache gets checked, but we don't have
2350      a way to indicate that in the results for Dl_serinfo.  */
2351 
2352   /* Finally, try the default path.  */
2353   if (!(loader->l_flags_1 & DF_1_NODEFLIB))
2354     add_path (&p, &__rtld_search_dirs, XXX_default);
2355 
2356   if (counting)
2357     /* Count the struct size before the string area, which we didn't
2358        know before we completed dls_cnt.  */
2359     si->dls_size += (char *) &si->dls_serpath[si->dls_cnt] - (char *) si;
2360 }
2361