The Tor Browser: mozglue/linker/ElfLoader.cpp@fc2d59ddac77 (annotated)

mozglue/linker/ElfLoader.cpp@fc2d59ddac77 (annotated)

mozglue/linker/ElfLoader.cpp

Wed, 31 Dec 2014 07:22:50 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Wed, 31 Dec 2014 07:22:50 +0100
branch: TOR_BUG_3246
changeset 4: fc2d59ddac77
permissions: -rw-r--r--

Correct previous dual key logic pending first delivery installment.

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include <string>
 #include <cstring>
 #include <cstdlib>
 #include <cstdio>
 #include <dlfcn.h>
 #include <unistd.h>
 #include <algorithm>
 #include <fcntl.h>
 #include "ElfLoader.h"
 #include "CustomElf.h"
 #include "Mappable.h"
 #include "Logging.h"
 #include <inttypes.h>
 #if defined(ANDROID)
 #include <sys/syscall.h>
 #include <android/api-level.h>
 #if __ANDROID_API__ < 8
 /* Android API < 8 doesn't provide sigaltstack */
 extern "C" {
 inline int sigaltstack(const stack_t *ss, stack_t *oss) {
   return syscall(__NR_sigaltstack, ss, oss);
 }
 } /* extern "C" */
 #endif /* __ANDROID_API__ */
 #endif /* ANDROID */
 #ifdef __ARM_EABI__
 extern "C" const void *
 __gnu_Unwind_Find_exidx(void *pc, int *pcount) __attribute__((weak));
 #endif
 using namespace mozilla;
 /**
  * dlfcn.h replacements functions
  */
 void *
 __wrap_dlopen(const char *path, int flags)
 {
   RefPtr<LibHandle> handle = ElfLoader::Singleton.Load(path, flags);
   if (handle)
     handle->AddDirectRef();
   return handle;
 }
 const char *
 __wrap_dlerror(void)
 {
   const char *error = ElfLoader::Singleton.lastError;
   ElfLoader::Singleton.lastError = nullptr;
   return error;
 }
 void *
 __wrap_dlsym(void *handle, const char *symbol)
 {
   if (!handle) {
     ElfLoader::Singleton.lastError = "dlsym(NULL, sym) unsupported";
     return nullptr;
   }
   if (handle != RTLD_DEFAULT && handle != RTLD_NEXT) {
     LibHandle *h = reinterpret_cast<LibHandle *>(handle);
     return h->GetSymbolPtr(symbol);
   }
   return dlsym(handle, symbol);
 }
 int
 __wrap_dlclose(void *handle)
 {
   if (!handle) {
     ElfLoader::Singleton.lastError = "No handle given to dlclose()";
     return -1;
   }
   reinterpret_cast<LibHandle *>(handle)->ReleaseDirectRef();
   return 0;
 }
 int
 __wrap_dladdr(void *addr, Dl_info *info)
 {
   RefPtr<LibHandle> handle = ElfLoader::Singleton.GetHandleByPtr(addr);
   if (!handle)
     return 0;
   info->dli_fname = handle->GetPath();
   return 1;
 }
 int
 __wrap_dl_iterate_phdr(dl_phdr_cb callback, void *data)
 {
   if (!ElfLoader::Singleton.dbg)
     return -1;
   for (ElfLoader::DebuggerHelper::iterator it = ElfLoader::Singleton.dbg.begin();
        it < ElfLoader::Singleton.dbg.end(); ++it) {
     dl_phdr_info info;
     info.dlpi_addr = reinterpret_cast<Elf::Addr>(it->l_addr);
     info.dlpi_name = it->l_name;
     info.dlpi_phdr = nullptr;
     info.dlpi_phnum = 0;
     // Assuming l_addr points to Elf headers (in most cases, this is true),
     // get the Phdr location from there.
     uint8_t mapped;
     // If the page is not mapped, mincore returns an error.
     if (!mincore(const_cast<void*>(it->l_addr), PageSize(), &mapped)) {
       const Elf::Ehdr *ehdr = Elf::Ehdr::validate(it->l_addr);
       if (ehdr) {
         info.dlpi_phdr = reinterpret_cast<const Elf::Phdr *>(
                          reinterpret_cast<const char *>(ehdr) + ehdr->e_phoff);
         info.dlpi_phnum = ehdr->e_phnum;
       }
     }
     int ret = callback(&info, sizeof(dl_phdr_info), data);
     if (ret)
       return ret;
   }
   return 0;
 }
 #ifdef __ARM_EABI__
 const void *
 __wrap___gnu_Unwind_Find_exidx(void *pc, int *pcount)
 {
   RefPtr<LibHandle> handle = ElfLoader::Singleton.GetHandleByPtr(pc);
   if (handle)
     return handle->FindExidx(pcount);
   if (__gnu_Unwind_Find_exidx)
     return __gnu_Unwind_Find_exidx(pc, pcount);
   *pcount = 0;
   return nullptr;
 }
 #endif
 /**
  * faulty.lib public API
  */
 MFBT_API size_t
 __dl_get_mappable_length(void *handle) {
   if (!handle)
     return 0;
   return reinterpret_cast<LibHandle *>(handle)->GetMappableLength();
 }
 MFBT_API void *
 __dl_mmap(void *handle, void *addr, size_t length, off_t offset)
 {
   if (!handle)
     return nullptr;
   return reinterpret_cast<LibHandle *>(handle)->MappableMMap(addr, length,
                                                              offset);
 }
 MFBT_API void
 __dl_munmap(void *handle, void *addr, size_t length)
 {
   if (!handle)
     return;
   return reinterpret_cast<LibHandle *>(handle)->MappableMUnmap(addr, length);
 }
 MFBT_API bool
 IsSignalHandlingBroken()
 {
   return ElfLoader::Singleton.isSignalHandlingBroken();
 }
 namespace {
 /**
  * Returns the part after the last '/' for the given path
  */
 const char *
 LeafName(const char *path)
 {
   const char *lastSlash = strrchr(path, '/');
   if (lastSlash)
     return lastSlash + 1;
   return path;
 }
 } /* Anonymous namespace */
 /**
  * LibHandle
  */
 LibHandle::~LibHandle()
 {
   free(path);
 }
 const char *
 LibHandle::GetName() const
 {
   return path ? LeafName(path) : nullptr;
 }
 size_t
 LibHandle::GetMappableLength() const
 {
   if (!mappable)
     mappable = GetMappable();
   if (!mappable)
     return 0;
   return mappable->GetLength();
 }
 void *
 LibHandle::MappableMMap(void *addr, size_t length, off_t offset) const
 {
   if (!mappable)
     mappable = GetMappable();
   if (!mappable)
     return MAP_FAILED;
   void* mapped = mappable->mmap(addr, length, PROT_READ, MAP_PRIVATE, offset);
   if (mapped != MAP_FAILED) {
     /* Ensure the availability of all pages within the mapping */
     for (size_t off = 0; off < length; off += PageSize()) {
       mappable->ensure(reinterpret_cast<char *>(mapped) + off);
     }
   }
   return mapped;
 }
 void
 LibHandle::MappableMUnmap(void *addr, size_t length) const
 {
   if (mappable)
     mappable->munmap(addr, length);
 }
 /**
  * SystemElf
  */
 TemporaryRef<LibHandle>
 SystemElf::Load(const char *path, int flags)
 {
   /* The Android linker returns a handle when the file name matches an
    * already loaded library, even when the full path doesn't exist */
   if (path && path[0] == '/' && (access(path, F_OK) == -1)){
     DEBUG_LOG("dlopen(\"%s\", 0x%x) = %p", path, flags, (void *)nullptr);
     return nullptr;
   }
   void *handle = dlopen(path, flags);
   DEBUG_LOG("dlopen(\"%s\", 0x%x) = %p", path, flags, handle);
   ElfLoader::Singleton.lastError = dlerror();
   if (handle) {
     SystemElf *elf = new SystemElf(path, handle);
     ElfLoader::Singleton.Register(elf);
     return elf;
   }
   return nullptr;
 }
 SystemElf::~SystemElf()
 {
   if (!dlhandle)
     return;
   DEBUG_LOG("dlclose(%p [\"%s\"])", dlhandle, GetPath());
   dlclose(dlhandle);
   ElfLoader::Singleton.lastError = dlerror();
   ElfLoader::Singleton.Forget(this);
 }
 void *
 SystemElf::GetSymbolPtr(const char *symbol) const
 {
   void *sym = dlsym(dlhandle, symbol);
   DEBUG_LOG("dlsym(%p [\"%s\"], \"%s\") = %p", dlhandle, GetPath(), symbol, sym);
   ElfLoader::Singleton.lastError = dlerror();
   return sym;
 }
 Mappable *
 SystemElf::GetMappable() const
 {
   const char *path = GetPath();
   if (!path)
     return nullptr;
 #ifdef ANDROID
   /* On Android, if we don't have the full path, try in /system/lib */
   const char *name = LeafName(path);
   std::string systemPath;
   if (name == path) {
     systemPath = "/system/lib/";
     systemPath += path;
     path = systemPath.c_str();
   }
 #endif
   return MappableFile::Create(path);
 }
 #ifdef __ARM_EABI__
 const void *
 SystemElf::FindExidx(int *pcount) const
 {
   /* TODO: properly implement when ElfLoader::GetHandleByPtr
      does return SystemElf handles */
   *pcount = 0;
   return nullptr;
 }
 #endif
 /**
  * ElfLoader
  */
 /* Unique ElfLoader instance */
 ElfLoader ElfLoader::Singleton;
 TemporaryRef<LibHandle>
 ElfLoader::Load(const char *path, int flags, LibHandle *parent)
 {
   /* Ensure logging is initialized or refresh if environment changed. */
   Logging::Init();
   RefPtr<LibHandle> handle;
   /* Handle dlopen(nullptr) directly. */
   if (!path) {
     handle = SystemElf::Load(nullptr, flags);
     return handle;
   }
   /* TODO: Handle relative paths correctly */
   const char *name = LeafName(path);
   /* Search the list of handles we already have for a match. When the given
    * path is not absolute, compare file names, otherwise compare full paths. */
   if (name == path) {
     for (LibHandleList::iterator it = handles.begin(); it < handles.end(); ++it)
       if ((*it)->GetName() && (strcmp((*it)->GetName(), name) == 0))
         return *it;
   } else {
     for (LibHandleList::iterator it = handles.begin(); it < handles.end(); ++it)
       if ((*it)->GetPath() && (strcmp((*it)->GetPath(), path) == 0))
         return *it;
   }
   char *abs_path = nullptr;
   const char *requested_path = path;
   /* When the path is not absolute and the library is being loaded for
    * another, first try to load the library from the directory containing
    * that parent library. */
   if ((name == path) && parent) {
     const char *parentPath = parent->GetPath();
     abs_path = new char[strlen(parentPath) + strlen(path)];
     strcpy(abs_path, parentPath);
     char *slash = strrchr(abs_path, '/');
     strcpy(slash + 1, path);
     path = abs_path;
   }
   Mappable *mappable = GetMappableFromPath(path);
   /* Try loading with the custom linker if we have a Mappable */
   if (mappable)
     handle = CustomElf::Load(mappable, path, flags);
   /* Try loading with the system linker if everything above failed */
   if (!handle)
     handle = SystemElf::Load(path, flags);
   /* If we didn't have an absolute path and haven't been able to load
    * a library yet, try in the system search path */
   if (!handle && abs_path)
     handle = SystemElf::Load(name, flags);
   delete [] abs_path;
   DEBUG_LOG("ElfLoader::Load(\"%s\", 0x%x, %p [\"%s\"]) = %p", requested_path, flags,
             reinterpret_cast<void *>(parent), parent ? parent->GetPath() : "",
             static_cast<void *>(handle));
   return handle;
 }
 mozilla::TemporaryRef<LibHandle>
 ElfLoader::GetHandleByPtr(void *addr)
 {
   /* Scan the list of handles we already have for a match */
   for (LibHandleList::iterator it = handles.begin(); it < handles.end(); ++it) {
     if ((*it)->Contains(addr))
       return *it;
   }
   return nullptr;
 }
 Mappable *
 ElfLoader::GetMappableFromPath(const char *path)
 {
   const char *name = LeafName(path);
   Mappable *mappable = nullptr;
   RefPtr<Zip> zip;
   const char *subpath;
   if ((subpath = strchr(path, '!'))) {
     char *zip_path = strndup(path, subpath - path);
     while (*(++subpath) == '/') { }
     zip = ZipCollection::GetZip(zip_path);
     Zip::Stream s;
     if (zip && zip->GetStream(subpath, &s)) {
       /* When the MOZ_LINKER_EXTRACT environment variable is set to "1",
        * compressed libraries are going to be (temporarily) extracted as
        * files, in the directory pointed by the MOZ_LINKER_CACHE
        * environment variable. */
       const char *extract = getenv("MOZ_LINKER_EXTRACT");
       if (extract && !strncmp(extract, "1", 2 /* Including '\0' */))
         mappable = MappableExtractFile::Create(name, zip, &s);
       if (!mappable) {
         if (s.GetType() == Zip::Stream::DEFLATE) {
           mappable = MappableDeflate::Create(name, zip, &s);
         } else if (s.GetType() == Zip::Stream::STORE) {
           mappable = MappableSeekableZStream::Create(name, zip, &s);
         }
       }
     }
   }
   /* If we couldn't load above, try with a MappableFile */
   if (!mappable && !zip)
     mappable = MappableFile::Create(path);
   return mappable;
 }
 void
 ElfLoader::Register(LibHandle *handle)
 {
   handles.push_back(handle);
   if (dbg && !handle->IsSystemElf())
     dbg.Add(static_cast<CustomElf *>(handle));
 }
 void
 ElfLoader::Forget(LibHandle *handle)
 {
   /* Ensure logging is initialized or refresh if environment changed. */
   Logging::Init();
   LibHandleList::iterator it = std::find(handles.begin(), handles.end(), handle);
   if (it != handles.end()) {
     DEBUG_LOG("ElfLoader::Forget(%p [\"%s\"])", reinterpret_cast<void *>(handle),
                                                 handle->GetPath());
     if (dbg && !handle->IsSystemElf())
       dbg.Remove(static_cast<CustomElf *>(handle));
     handles.erase(it);
   } else {
     DEBUG_LOG("ElfLoader::Forget(%p [\"%s\"]): Handle not found",
               reinterpret_cast<void *>(handle), handle->GetPath());
   }
 }
 ElfLoader::~ElfLoader()
 {
   LibHandleList list;
   /* Build up a list of all library handles with direct (external) references.
    * We actually skip system library handles because we want to keep at least
    * some of these open. Most notably, Mozilla codebase keeps a few libgnome
    * libraries deliberately open because of the mess that libORBit destruction
    * is. dlclose()ing these libraries actually leads to problems. */
   for (LibHandleList::reverse_iterator it = handles.rbegin();
        it < handles.rend(); ++it) {
     if ((*it)->DirectRefCount()) {
       if ((*it)->IsSystemElf()) {
         static_cast<SystemElf *>(*it)->Forget();
       } else {
         list.push_back(*it);
       }
     }
   }
   /* Force release all external references to the handles collected above */
   for (LibHandleList::iterator it = list.begin(); it < list.end(); ++it) {
     while ((*it)->ReleaseDirectRef()) { }
   }
   /* Remove the remaining system handles. */
   if (handles.size()) {
     list = handles;
     for (LibHandleList::reverse_iterator it = list.rbegin();
          it < list.rend(); ++it) {
       if ((*it)->IsSystemElf()) {
         DEBUG_LOG("ElfLoader::~ElfLoader(): Remaining handle for \"%s\" "
                   "[%d direct refs, %d refs total]", (*it)->GetPath(),
                   (*it)->DirectRefCount(), (*it)->refCount());
       } else {
         DEBUG_LOG("ElfLoader::~ElfLoader(): Unexpected remaining handle for \"%s\" "
                   "[%d direct refs, %d refs total]", (*it)->GetPath(),
                   (*it)->DirectRefCount(), (*it)->refCount());
         /* Not removing, since it could have references to other libraries,
          * destroying them as a side effect, and possibly leaving dangling
          * pointers in the handle list we're scanning */
       }
     }
   }
 }
 void
 ElfLoader::stats(const char *when)
 {
   for (LibHandleList::iterator it = Singleton.handles.begin();
        it < Singleton.handles.end(); ++it)
     if (!(*it)->IsSystemElf())
       static_cast<CustomElf *>(*it)->stats(when);
 }
 #ifdef __ARM_EABI__
 int
 ElfLoader::__wrap_aeabi_atexit(void *that, ElfLoader::Destructor destructor,
                                void *dso_handle)
 {
   Singleton.destructors.push_back(
     DestructorCaller(destructor, that, dso_handle));
   return 0;
 }
 #else
 int
 ElfLoader::__wrap_cxa_atexit(ElfLoader::Destructor destructor, void *that,
                              void *dso_handle)
 {
   Singleton.destructors.push_back(
     DestructorCaller(destructor, that, dso_handle));
   return 0;
 }
 #endif
 void
 ElfLoader::__wrap_cxa_finalize(void *dso_handle)
 {
   /* Call all destructors for the given DSO handle in reverse order they were
    * registered. */
   std::vector<DestructorCaller>::reverse_iterator it;
   for (it = Singleton.destructors.rbegin();
        it < Singleton.destructors.rend(); ++it) {
     if (it->IsForHandle(dso_handle)) {
       it->Call();
     }
   }
 }
 void
 ElfLoader::DestructorCaller::Call()
 {
   if (destructor) {
     DEBUG_LOG("ElfLoader::DestructorCaller::Call(%p, %p, %p)",
               FunctionPtr(destructor), object, dso_handle);
     destructor(object);
     destructor = nullptr;
   }
 }
 ElfLoader::DebuggerHelper::DebuggerHelper(): dbg(nullptr)
 {
   /* Find ELF auxiliary vectors.
    *
    * The kernel stores the following data on the stack when starting a
    * program:
    *   argc
    *   argv[0] (pointer into argv strings defined below)
    *   argv[1] (likewise)
    *   ...
    *   argv[argc - 1] (likewise)
    *   nullptr
    *   envp[0] (pointer into environment strings defined below)
    *   envp[1] (likewise)
    *   ...
    *   envp[n] (likewise)
    *   nullptr
    *   ... (more NULLs on some platforms such as Android 4.3)
    *   auxv[0] (first ELF auxiliary vector)
    *   auxv[1] (second ELF auxiliary vector)
    *   ...
    *   auxv[p] (last ELF auxiliary vector)
    *   (AT_NULL, nullptr)
    *   padding
    *   argv strings, separated with '\0'
    *   environment strings, separated with '\0'
    *   nullptr
    *
    * What we are after are the auxv values defined by the following struct.
    */
   struct AuxVector {
     Elf::Addr type;
     Elf::Addr value;
   };
   /* Pointer to the environment variables list */
   extern char **environ;
   /* The environment may have changed since the program started, in which
    * case the environ variables list isn't the list the kernel put on stack
    * anymore. But in this new list, variables that didn't change still point
    * to the strings the kernel put on stack. It is quite unlikely that two
    * modified environment variables point to two consecutive strings in memory,
    * so we assume that if two consecutive environment variables point to two
    * consecutive strings, we found strings the kernel put on stack. */
   char **env;
   for (env = environ; *env; env++)
     if (*env + strlen(*env) + 1 == env[1])
       break;
   if (!*env)
     return;
   /* Next, we scan the stack backwards to find a pointer to one of those
    * strings we found above, which will give us the location of the original
    * envp list. As we are looking for pointers, we need to look at 32-bits or
    * 64-bits aligned values, depening on the architecture. */
   char **scan = reinterpret_cast<char **>(
                 reinterpret_cast<uintptr_t>(*env) & ~(sizeof(void *) - 1));
   while (*env != *scan)
     scan--;
   /* Finally, scan forward to find the last environment variable pointer and
    * thus the first auxiliary vector. */
   while (*scan++);
   /* Some platforms have more NULLs here, so skip them if we encounter them */
   while (!*scan)
     scan++;
   AuxVector *auxv = reinterpret_cast<AuxVector *>(scan);
   /* The two values of interest in the auxiliary vectors are AT_PHDR and
    * AT_PHNUM, which gives us the the location and size of the ELF program
    * headers. */
   Array<Elf::Phdr> phdrs;
   char *base = nullptr;
   while (auxv->type) {
     if (auxv->type == AT_PHDR) {
       phdrs.Init(reinterpret_cast<Elf::Phdr*>(auxv->value));
       /* Assume the base address is the first byte of the same page */
       base = reinterpret_cast<char *>(PageAlignedPtr(auxv->value));
     }
     if (auxv->type == AT_PHNUM)
       phdrs.Init(auxv->value);
     auxv++;
   }
   if (!phdrs) {
     DEBUG_LOG("Couldn't find program headers");
     return;
   }
   /* In some cases, the address for the program headers we get from the
    * auxiliary vectors is not mapped, because of the PT_LOAD segments
    * definitions in the program executable. Trying to map anonymous memory
    * with a hint giving the base address will return a different address
    * if something is mapped there, and the base address otherwise. */
   MappedPtr mem(MemoryRange::mmap(base, PageSize(), PROT_NONE,
                                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0));
   if (mem == base) {
     /* If program headers aren't mapped, try to map them */
     int fd = open("/proc/self/exe", O_RDONLY);
     if (fd == -1) {
       DEBUG_LOG("Failed to open /proc/self/exe");
       return;
     }
     mem.Assign(MemoryRange::mmap(base, PageSize(), PROT_READ, MAP_PRIVATE,
                                  fd, 0));
     /* If we don't manage to map at the right address, just give up. */
     if (mem != base) {
       DEBUG_LOG("Couldn't read program headers");
       return;
     }
   }
   /* Sanity check: the first bytes at the base address should be an ELF
    * header. */
   if (!Elf::Ehdr::validate(base)) {
      DEBUG_LOG("Couldn't find program base");
      return;
   }
   /* Search for the program PT_DYNAMIC segment */
   Array<Elf::Dyn> dyns;
   for (Array<Elf::Phdr>::iterator phdr = phdrs.begin(); phdr < phdrs.end();
        ++phdr) {
     /* While the program headers are expected within the first mapped page of
      * the program executable, the executable PT_LOADs may actually make them
      * loaded at an address that is not the wanted base address of the
      * library. We thus need to adjust the base address, compensating for the
      * virtual address of the PT_LOAD segment corresponding to offset 0. */
     if (phdr->p_type == PT_LOAD && phdr->p_offset == 0)
       base -= phdr->p_vaddr;
     if (phdr->p_type == PT_DYNAMIC)
       dyns.Init(base + phdr->p_vaddr, phdr->p_filesz);
   }
   if (!dyns) {
     DEBUG_LOG("Failed to find PT_DYNAMIC section in program");
     return;
   }
   /* Search for the DT_DEBUG information */
   for (Array<Elf::Dyn>::iterator dyn = dyns.begin(); dyn < dyns.end(); ++dyn) {
     if (dyn->d_tag == DT_DEBUG) {
       dbg = reinterpret_cast<r_debug *>(dyn->d_un.d_ptr);
       break;
     }
   }
   DEBUG_LOG("DT_DEBUG points at %p", static_cast<void *>(dbg));
 }
 /**
  * Helper class to ensure the given pointer is writable within the scope of
  * an instance. Permissions to the memory page where the pointer lies are
  * restored to their original value when the instance is destroyed.
  */
 class EnsureWritable
 {
 public:
   template <typename T>
   EnsureWritable(T *ptr, size_t length_ = sizeof(T))
   {
     MOZ_ASSERT(length_ < PageSize());
     prot = -1;
     page = MAP_FAILED;
     char *firstPage = PageAlignedPtr(reinterpret_cast<char *>(ptr));
     char *lastPageEnd = PageAlignedEndPtr(reinterpret_cast<char *>(ptr) + length_);
     length = lastPageEnd - firstPage;
     uintptr_t start = reinterpret_cast<uintptr_t>(firstPage);
     uintptr_t end;
     prot = getProt(start, &end);
     if (prot == -1 || (start + length) > end)
       MOZ_CRASH();
     if (prot & PROT_WRITE)
       return;
     page = firstPage;
     mprotect(page, length, prot | PROT_WRITE);
   }
   ~EnsureWritable()
   {
     if (page != MAP_FAILED) {
       mprotect(page, length, prot);
 }
   }
 private:
   int getProt(uintptr_t addr, uintptr_t *end)
   {
     /* The interesting part of the /proc/self/maps format looks like:
      * startAddr-endAddr rwxp */
     int result = 0;
     AutoCloseFILE f(fopen("/proc/self/maps", "r"));
     while (f) {
       unsigned long long startAddr, endAddr;
       char perms[5];
       if (fscanf(f, "%llx-%llx %4s %*1024[^\n] ", &startAddr, &endAddr, perms) != 3)
         return -1;
       if (addr < startAddr || addr >= endAddr)
         continue;
       if (perms[0] == 'r')
         result |= PROT_READ;
       else if (perms[0] != '-')
         return -1;
       if (perms[1] == 'w')
         result |= PROT_WRITE;
       else if (perms[1] != '-')
         return -1;
       if (perms[2] == 'x')
         result |= PROT_EXEC;
       else if (perms[2] != '-')
         return -1;
       *end = endAddr;
       return result;
     }
     return -1;
   }
   int prot;
   void *page;
   size_t length;
 };
 /**
  * The system linker maintains a doubly linked list of library it loads
  * for use by the debugger. Unfortunately, it also uses the list pointers
  * in a lot of operations and adding our data in the list is likely to
  * trigger crashes when the linker tries to use data we don't provide or
  * that fall off the amount data we allocated. Fortunately, the linker only
  * traverses the list forward and accesses the head of the list from a
  * private pointer instead of using the value in the r_debug structure.
  * This means we can safely add members at the beginning of the list.
  * Unfortunately, gdb checks the coherency of l_prev values, so we have
  * to adjust the l_prev value for the first element the system linker
  * knows about. Fortunately, it doesn't use l_prev, and the first element
  * is not ever going to be released before our elements, since it is the
  * program executable, so the system linker should not be changing
  * r_debug::r_map.
  */
 void
 ElfLoader::DebuggerHelper::Add(ElfLoader::link_map *map)
 {
   if (!dbg->r_brk)
     return;
   dbg->r_state = r_debug::RT_ADD;
   dbg->r_brk();
   map->l_prev = nullptr;
   map->l_next = dbg->r_map;
   if (!firstAdded) {
     firstAdded = map;
     /* When adding a library for the first time, r_map points to data
      * handled by the system linker, and that data may be read-only */
     EnsureWritable w(&dbg->r_map->l_prev);
     dbg->r_map->l_prev = map;
   } else
     dbg->r_map->l_prev = map;
   dbg->r_map = map;
   dbg->r_state = r_debug::RT_CONSISTENT;
   dbg->r_brk();
 }
 void
 ElfLoader::DebuggerHelper::Remove(ElfLoader::link_map *map)
 {
   if (!dbg->r_brk)
     return;
   dbg->r_state = r_debug::RT_DELETE;
   dbg->r_brk();
   if (dbg->r_map == map)
     dbg->r_map = map->l_next;
   else
     map->l_prev->l_next = map->l_next;
   if (map == firstAdded) {
     firstAdded = map->l_prev;
     /* When removing the first added library, its l_next is going to be
      * data handled by the system linker, and that data may be read-only */
     EnsureWritable w(&map->l_next->l_prev);
     map->l_next->l_prev = map->l_prev;
   } else
     map->l_next->l_prev = map->l_prev;
   dbg->r_state = r_debug::RT_CONSISTENT;
   dbg->r_brk();
 }
 #if defined(ANDROID)
 /* As some system libraries may be calling signal() or sigaction() to
  * set a SIGSEGV handler, effectively breaking MappableSeekableZStream,
  * or worse, restore our SIGSEGV handler with wrong flags (which using
  * signal() will do), we want to hook into the system's sigaction() to
  * replace it with our own wrapper instead, so that our handler is never
  * replaced. We used to only do that with libraries this linker loads,
  * but it turns out at least one system library does call signal() and
  * breaks us (libsc-a3xx.so on the Samsung Galaxy S4).
  * As libc's signal (bsd_signal/sysv_signal, really) calls sigaction
  * under the hood, instead of calling the signal system call directly,
  * we only need to hook sigaction. This is true for both bionic and
  * glibc.
  */
 /* libc's sigaction */
 extern "C" int
 sigaction(int signum, const struct sigaction *act,
           struct sigaction *oldact);
 /* Simple reimplementation of sigaction. This is roughly equivalent
  * to the assembly that comes in bionic, but not quite equivalent to
  * glibc's implementation, so we only use this on Android. */
 int
 sys_sigaction(int signum, const struct sigaction *act,
               struct sigaction *oldact)
 {
   return syscall(__NR_sigaction, signum, act, oldact);
 }
 /* Replace the first instructions of the given function with a jump
  * to the given new function. */
 template <typename T>
 static bool
 Divert(T func, T new_func)
 {
   void *ptr = FunctionPtr(func);
   uintptr_t addr = reinterpret_cast<uintptr_t>(ptr);
 #if defined(__i386__)
   // A 32-bit jump is a 5 bytes instruction.
   EnsureWritable w(ptr, 5);
   *reinterpret_cast<unsigned char *>(addr) = 0xe9; // jmp
   *reinterpret_cast<intptr_t *>(addr + 1) =
     reinterpret_cast<uintptr_t>(new_func) - addr - 5; // target displacement
   return true;
 #elif defined(__arm__)
   const unsigned char trampoline[] = {
                             // .thumb
 x46, 0x04,             // nop
 x78, 0x47,             // bx pc
 x46, 0x04,             // nop
                             // .arm
 x04, 0xf0, 0x1f, 0xe5, // ldr pc, [pc, #-4]
                             // .word <new_func>
   };
   const unsigned char *start;
   if (addr & 0x01) {
     /* Function is thumb, the actual address of the code is without the
      * least significant bit. */
     addr--;
     /* The arm part of the trampoline needs to be 32-bit aligned */
     if (addr & 0x02)
       start = trampoline;
     else
       start = trampoline + 2;
   } else {
     /* Function is arm, we only need the arm part of the trampoline */
     start = trampoline + 6;
   }
   size_t len = sizeof(trampoline) - (start - trampoline);
   EnsureWritable w(reinterpret_cast<void *>(addr), len + sizeof(void *));
   memcpy(reinterpret_cast<void *>(addr), start, len);
   *reinterpret_cast<void **>(addr + len) = FunctionPtr(new_func);
   cacheflush(addr, addr + len + sizeof(void *), 0);
   return true;
 #else
   return false;
 #endif
 }
 #else
 #define sys_sigaction sigaction
 template <typename T>
 static bool
 Divert(T func, T new_func)
 {
   return false;
 }
 #endif
 namespace {
 /* Clock that only accounts for time spent in the current process. */
 static uint64_t ProcessTimeStamp_Now()
 {
   struct timespec ts;
   int rv = clock_gettime(CLOCK_PROCESS_CPUTIME_ID, &ts);
   if (rv != 0) {
     return 0;
   }
   uint64_t baseNs = (uint64_t)ts.tv_sec * 1000000000;
   return baseNs + (uint64_t)ts.tv_nsec;
 }
 }
 /* Data structure used to pass data to the temporary signal handler,
  * as well as triggering a test crash. */
 struct TmpData {
   volatile int crash_int;
   volatile uint64_t crash_timestamp;
 };
 SEGVHandler::SEGVHandler()
 : registeredHandler(false), signalHandlingBroken(false)
 , signalHandlingSlow(false)
 {
   /* Initialize oldStack.ss_flags to an invalid value when used to set
    * an alternative stack, meaning we haven't got information about the
    * original alternative stack and thus don't mean to restore it */
   oldStack.ss_flags = SS_ONSTACK;
   if (!Divert(sigaction, __wrap_sigaction))
     return;
   /* Get the current segfault signal handler. */
   sys_sigaction(SIGSEGV, nullptr, &this->action);
   /* Some devices don't provide useful information to their SIGSEGV handlers,
    * making it impossible for on-demand decompression to work. To check if
    * we're on such a device, setup a temporary handler and deliberately
    * trigger a segfault. The handler will set signalHandlingBroken if the
    * provided information is bogus.
    * Some other devices have a kernel option enabled that makes SIGSEGV handler
    * have an overhead so high that it affects how on-demand decompression
    * performs. The handler will also set signalHandlingSlow if the triggered
    * SIGSEGV took too much time. */
   struct sigaction action;
   action.sa_sigaction = &SEGVHandler::test_handler;
   sigemptyset(&action.sa_mask);
   action.sa_flags = SA_SIGINFO | SA_NODEFER;
   action.sa_restorer = nullptr;
   stackPtr.Assign(MemoryRange::mmap(nullptr, PageSize(),
                                     PROT_READ | PROT_WRITE,
                                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0));
   if (stackPtr.get() == MAP_FAILED)
     return;
   if (sys_sigaction(SIGSEGV, &action, nullptr))
     return;
   TmpData *data = reinterpret_cast<TmpData*>(stackPtr.get());
   data->crash_timestamp = ProcessTimeStamp_Now();
   mprotect(stackPtr, stackPtr.GetLength(), PROT_NONE);
   data->crash_int = 123;
   /* Restore the original segfault signal handler. */
   sys_sigaction(SIGSEGV, &this->action, nullptr);
   stackPtr.Assign(MAP_FAILED, 0);
   if (signalHandlingBroken || signalHandlingSlow)
     return;
   /* Setup an alternative stack if the already existing one is not big
    * enough, or if there is none. */
   if (sigaltstack(nullptr, &oldStack) == 0) {
     if (oldStack.ss_flags == SS_ONSTACK)
       oldStack.ss_flags = 0;
     if (!oldStack.ss_sp || oldStack.ss_size < stackSize) {
       stackPtr.Assign(MemoryRange::mmap(nullptr, stackSize,
                                         PROT_READ | PROT_WRITE,
                                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0));
       if (stackPtr.get() == MAP_FAILED)
         return;
       stack_t stack;
       stack.ss_sp = stackPtr;
       stack.ss_size = stackSize;
       stack.ss_flags = 0;
       if (sigaltstack(&stack, nullptr) != 0)
         return;
     }
   }
   /* Register our own handler, and store the already registered one in
    * SEGVHandler's struct sigaction member */
   action.sa_sigaction = &SEGVHandler::handler;
   action.sa_flags = SA_SIGINFO | SA_NODEFER | SA_ONSTACK;
   registeredHandler = !sys_sigaction(SIGSEGV, &action, nullptr);
 }
 SEGVHandler::~SEGVHandler()
 {
   /* Restore alternative stack for signals */
   if (oldStack.ss_flags != SS_ONSTACK)
     sigaltstack(&oldStack, nullptr);
   /* Restore original signal handler */
   if (registeredHandler)
     sys_sigaction(SIGSEGV, &this->action, nullptr);
 }
 /* Test handler for a deliberately triggered SIGSEGV that determines whether
  * useful information is provided to signal handlers, particularly whether
  * si_addr is filled in properly, and whether the segfault handler is called
  * quickly enough. */
 void SEGVHandler::test_handler(int signum, siginfo_t *info, void *context)
 {
   SEGVHandler &that = ElfLoader::Singleton;
   if (signum != SIGSEGV ||
       info == nullptr || info->si_addr != that.stackPtr.get())
     that.signalHandlingBroken = true;
   mprotect(that.stackPtr, that.stackPtr.GetLength(), PROT_READ | PROT_WRITE);
   TmpData *data = reinterpret_cast<TmpData*>(that.stackPtr.get());
   uint64_t latency = ProcessTimeStamp_Now() - data->crash_timestamp;
   DEBUG_LOG("SEGVHandler latency: %" PRIu64, latency);
   /* See bug 886736 for timings on different devices, 150 µs is reasonably above
    * the latency on "working" devices and seems to be reasonably fast to incur
    * a huge overhead to on-demand decompression. */
   if (latency > 150000)
     that.signalHandlingSlow = true;
 }
 /* TODO: "properly" handle signal masks and flags */
 void SEGVHandler::handler(int signum, siginfo_t *info, void *context)
 {
   //ASSERT(signum == SIGSEGV);
   DEBUG_LOG("Caught segmentation fault @%p", info->si_addr);
   /* Check whether we segfaulted in the address space of a CustomElf. We're
    * only expecting that to happen as an access error. */
   if (info->si_code == SEGV_ACCERR) {
     mozilla::RefPtr<LibHandle> handle =
       ElfLoader::Singleton.GetHandleByPtr(info->si_addr);
     if (handle && !handle->IsSystemElf()) {
       DEBUG_LOG("Within the address space of a CustomElf");
       CustomElf *elf = static_cast<CustomElf *>(static_cast<LibHandle *>(handle));
       if (elf->mappable->ensure(info->si_addr))
         return;
     }
   }
   /* Redispatch to the registered handler */
   SEGVHandler &that = ElfLoader::Singleton;
   if (that.action.sa_flags & SA_SIGINFO) {
     DEBUG_LOG("Redispatching to registered handler @%p",
               FunctionPtr(that.action.sa_sigaction));
     that.action.sa_sigaction(signum, info, context);
   } else if (that.action.sa_handler == SIG_DFL) {
     DEBUG_LOG("Redispatching to default handler");
     /* Reset the handler to the default one, and trigger it. */
     sys_sigaction(signum, &that.action, nullptr);
     raise(signum);
   } else if (that.action.sa_handler != SIG_IGN) {
     DEBUG_LOG("Redispatching to registered handler @%p",
               FunctionPtr(that.action.sa_handler));
     that.action.sa_handler(signum);
   } else {
     DEBUG_LOG("Ignoring");
   }
 }
 int
 SEGVHandler::__wrap_sigaction(int signum, const struct sigaction *act,
                               struct sigaction *oldact)
 {
   SEGVHandler &that = ElfLoader::Singleton;
   /* Use system sigaction() function for all but SIGSEGV signals. */
   if (!that.registeredHandler || (signum != SIGSEGV))
     return sys_sigaction(signum, act, oldact);
   if (oldact)
     *oldact = that.action;
   if (act)
     that.action = *act;
   return 0;
 }
 Logging Logging::Singleton;

The Tor Browser / annotate

mozglue/linker/ElfLoader.cpp@fc2d59ddac77 (annotated)

mozglue/linker/ElfLoader.cpp