michael@0: /* This Source Code Form is subject to the terms of the Mozilla Public
michael@0:  * License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0:  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0: 
michael@0: #undef NDEBUG
michael@0: #include <assert.h>
michael@0: #include <cstring>
michael@0: #include <cstdlib>
michael@0: #include <cstdio>
michael@0: #include "elfxx.h"
michael@0: 
michael@0: #define ver "0"
michael@0: #define elfhack_data ".elfhack.data.v" ver
michael@0: #define elfhack_text ".elfhack.text.v" ver
michael@0: 
michael@0: #ifndef R_ARM_V4BX
michael@0: #define R_ARM_V4BX 0x28
michael@0: #endif
michael@0: #ifndef R_ARM_CALL
michael@0: #define R_ARM_CALL 0x1c
michael@0: #endif
michael@0: #ifndef R_ARM_JUMP24
michael@0: #define R_ARM_JUMP24 0x1d
michael@0: #endif
michael@0: #ifndef R_ARM_THM_JUMP24
michael@0: #define R_ARM_THM_JUMP24 0x1e
michael@0: #endif
michael@0: 
michael@0: char *rundir = nullptr;
michael@0: 
michael@0: template <typename T>
michael@0: struct wrapped {
michael@0:     T value;
michael@0: };
michael@0: 
michael@0: class Elf_Addr_Traits {
michael@0: public:
michael@0:     typedef wrapped<Elf32_Addr> Type32;
michael@0:     typedef wrapped<Elf64_Addr> Type64;
michael@0: 
michael@0:     template <class endian, typename R, typename T>
michael@0:     static inline void swap(T &t, R &r) {
michael@0:         r.value = endian::swap(t.value);
michael@0:     }
michael@0: };
michael@0: 
michael@0: typedef serializable<Elf_Addr_Traits> Elf_Addr;
michael@0: 
michael@0: class Elf_RelHack_Traits {
michael@0: public:
michael@0:     typedef Elf32_Rel Type32;
michael@0:     typedef Elf32_Rel Type64;
michael@0: 
michael@0:     template <class endian, typename R, typename T>
michael@0:     static inline void swap(T &t, R &r) {
michael@0:         r.r_offset = endian::swap(t.r_offset);
michael@0:         r.r_info = endian::swap(t.r_info);
michael@0:     }
michael@0: };
michael@0: 
michael@0: typedef serializable<Elf_RelHack_Traits> Elf_RelHack;
michael@0: 
michael@0: class ElfRelHack_Section: public ElfSection {
michael@0: public:
michael@0:     ElfRelHack_Section(Elf_Shdr &s)
michael@0:     : ElfSection(s, nullptr, nullptr)
michael@0:     {
michael@0:         name = elfhack_data;
michael@0:     };
michael@0: 
michael@0:     void serialize(std::ofstream &file, char ei_class, char ei_data)
michael@0:     {
michael@0:         for (std::vector<Elf_RelHack>::iterator i = rels.begin();
michael@0:              i != rels.end(); ++i)
michael@0:             (*i).serialize(file, ei_class, ei_data);
michael@0:     }
michael@0: 
michael@0:     bool isRelocatable() {
michael@0:         return true;
michael@0:     }
michael@0: 
michael@0:     void push_back(Elf_RelHack &r) {
michael@0:         rels.push_back(r);
michael@0:         shdr.sh_size = rels.size() * shdr.sh_entsize;
michael@0:     }
michael@0: private:
michael@0:     std::vector<Elf_RelHack> rels;
michael@0: };
michael@0: 
michael@0: class ElfRelHackCode_Section: public ElfSection {
michael@0: public:
michael@0:     ElfRelHackCode_Section(Elf_Shdr &s, Elf &e, unsigned int init)
michael@0:     : ElfSection(s, nullptr, nullptr), parent(e), init(init) {
michael@0:         std::string file(rundir);
michael@0:         file += "/inject/";
michael@0:         switch (parent.getMachine()) {
michael@0:         case EM_386:
michael@0:             file += "x86";
michael@0:             break;
michael@0:         case EM_X86_64:
michael@0:             file += "x86_64";
michael@0:             break;
michael@0:         case EM_ARM:
michael@0:             file += "arm";
michael@0:             break;
michael@0:         default:
michael@0:             throw std::runtime_error("unsupported architecture");
michael@0:         }
michael@0:         file += ".o";
michael@0:         std::ifstream inject(file.c_str(), std::ios::in|std::ios::binary);
michael@0:         elf = new Elf(inject);
michael@0:         if (elf->getType() != ET_REL)
michael@0:             throw std::runtime_error("object for injected code is not ET_REL");
michael@0:         if (elf->getMachine() != parent.getMachine())
michael@0:             throw std::runtime_error("architecture of object for injected code doesn't match");
michael@0: 
michael@0:         ElfSymtab_Section *symtab = nullptr;
michael@0: 
michael@0:         // Find the symbol table.
michael@0:         for (ElfSection *section = elf->getSection(1); section != nullptr;
michael@0:              section = section->getNext()) {
michael@0:             if (section->getType() == SHT_SYMTAB)
michael@0:                 symtab = (ElfSymtab_Section *) section;
michael@0:         }
michael@0:         if (symtab == nullptr)
michael@0:             throw std::runtime_error("Couldn't find a symbol table for the injected code");
michael@0: 
michael@0:         // Find the init symbol
michael@0:         entry_point = -1;
michael@0:         Elf_SymValue *sym = symtab->lookup(init ? "init" : "init_noinit");
michael@0:         if (!sym)
michael@0:             throw std::runtime_error("Couldn't find an 'init' symbol in the injected code");
michael@0: 
michael@0:         entry_point = sym->value.getValue();
michael@0: 
michael@0:         // Get all relevant sections from the injected code object.
michael@0:         add_code_section(sym->value.getSection());
michael@0: 
michael@0:         // Adjust code sections offsets according to their size
michael@0:         std::vector<ElfSection *>::iterator c = code.begin();
michael@0:         (*c)->getShdr().sh_addr = 0;
michael@0:         for(ElfSection *last = *(c++); c != code.end(); c++) {
michael@0:             unsigned int addr = last->getShdr().sh_addr + last->getSize();
michael@0:             if (addr & ((*c)->getAddrAlign() - 1))
michael@0:                 addr = (addr | ((*c)->getAddrAlign() - 1)) + 1;
michael@0:             (*c)->getShdr().sh_addr = addr;
michael@0:             // We need to align this section depending on the greater
michael@0:             // alignment required by code sections.
michael@0:             if (shdr.sh_addralign < (*c)->getAddrAlign())
michael@0:                 shdr.sh_addralign = (*c)->getAddrAlign();
michael@0:         }
michael@0:         shdr.sh_size = code.back()->getAddr() + code.back()->getSize();
michael@0:         data = new char[shdr.sh_size];
michael@0:         char *buf = data;
michael@0:         for (c = code.begin(); c != code.end(); c++) {
michael@0:             memcpy(buf, (*c)->getData(), (*c)->getSize());
michael@0:             buf += (*c)->getSize();
michael@0:         }
michael@0:         name = elfhack_text;
michael@0:     }
michael@0: 
michael@0:     ~ElfRelHackCode_Section() {
michael@0:         delete elf;
michael@0:     }
michael@0: 
michael@0:     void serialize(std::ofstream &file, char ei_class, char ei_data)
michael@0:     {
michael@0:         // Readjust code offsets
michael@0:         for (std::vector<ElfSection *>::iterator c = code.begin(); c != code.end(); c++)
michael@0:             (*c)->getShdr().sh_addr += getAddr();
michael@0: 
michael@0:         // Apply relocations
michael@0:         for (std::vector<ElfSection *>::iterator c = code.begin(); c != code.end(); c++) {
michael@0:             for (ElfSection *rel = elf->getSection(1); rel != nullptr; rel = rel->getNext())
michael@0:                 if (((rel->getType() == SHT_REL) ||
michael@0:                      (rel->getType() == SHT_RELA)) &&
michael@0:                     (rel->getInfo().section == *c)) {
michael@0:                     if (rel->getType() == SHT_REL)
michael@0:                         apply_relocations((ElfRel_Section<Elf_Rel> *)rel, *c);
michael@0:                     else
michael@0:                         apply_relocations((ElfRel_Section<Elf_Rela> *)rel, *c);
michael@0:                 }
michael@0:             }
michael@0: 
michael@0:         ElfSection::serialize(file, ei_class, ei_data);
michael@0:     }
michael@0: 
michael@0:     bool isRelocatable() {
michael@0:         return true;
michael@0:     }
michael@0: 
michael@0:     unsigned int getEntryPoint() {
michael@0:         return entry_point;
michael@0:     }
michael@0: private:
michael@0:     void add_code_section(ElfSection *section)
michael@0:     {
michael@0:         if (section) {
michael@0:             /* Don't add section if it's already been added in the past */
michael@0:             for (auto s = code.begin(); s != code.end(); ++s) {
michael@0:                 if (section == *s)
michael@0:                     return;
michael@0:             }
michael@0:             code.push_back(section);
michael@0:             find_code(section);
michael@0:         }
michael@0:     }
michael@0: 
michael@0:     /* Look at the relocations associated to the given section to find other
michael@0:      * sections that it requires */
michael@0:     void find_code(ElfSection *section)
michael@0:     {
michael@0:         for (ElfSection *s = elf->getSection(1); s != nullptr;
michael@0:              s = s->getNext()) {
michael@0:             if (((s->getType() == SHT_REL) ||
michael@0:                  (s->getType() == SHT_RELA)) &&
michael@0:                 (s->getInfo().section == section)) {
michael@0:                 if (s->getType() == SHT_REL)
michael@0:                     scan_relocs_for_code((ElfRel_Section<Elf_Rel> *)s);
michael@0:                 else
michael@0:                     scan_relocs_for_code((ElfRel_Section<Elf_Rela> *)s);
michael@0:             }
michael@0:         }
michael@0:     }
michael@0: 
michael@0:     template <typename Rel_Type>
michael@0:     void scan_relocs_for_code(ElfRel_Section<Rel_Type> *rel)
michael@0:     {
michael@0:         ElfSymtab_Section *symtab = (ElfSymtab_Section *)rel->getLink();
michael@0:         for (auto r = rel->rels.begin(); r != rel->rels.end(); r++) {
michael@0:             ElfSection *section = symtab->syms[ELF32_R_SYM(r->r_info)].value.getSection();
michael@0:             add_code_section(section);
michael@0:         }
michael@0:     }
michael@0: 
michael@0:     class pc32_relocation {
michael@0:     public:
michael@0:         Elf32_Addr operator()(unsigned int base_addr, Elf32_Off offset,
michael@0:                               Elf32_Word addend, unsigned int addr)
michael@0:         {
michael@0:             return addr + addend - offset - base_addr;
michael@0:         }
michael@0:     };
michael@0: 
michael@0:     class arm_plt32_relocation {
michael@0:     public:
michael@0:         Elf32_Addr operator()(unsigned int base_addr, Elf32_Off offset,
michael@0:                               Elf32_Word addend, unsigned int addr)
michael@0:         {
michael@0:             // We don't care about sign_extend because the only case where this is
michael@0:             // going to be used only jumps forward.
michael@0:             Elf32_Addr tmp = (Elf32_Addr) (addr - offset - base_addr) >> 2;
michael@0:             tmp = (addend + tmp) & 0x00ffffff;
michael@0:             return (addend & 0xff000000) | tmp;
michael@0:         }
michael@0:     };
michael@0: 
michael@0:     class arm_thm_jump24_relocation {
michael@0:     public:
michael@0:         Elf32_Addr operator()(unsigned int base_addr, Elf32_Off offset,
michael@0:                               Elf32_Word addend, unsigned int addr)
michael@0:         {
michael@0:             /* Follows description of b.w and bl instructions as per
michael@0:                ARM Architecture Reference Manual ARM® v7-A and ARM® v7-R edition, A8.6.16
michael@0:                We limit ourselves to Encoding T4 of b.w and Encoding T1 of bl.
michael@0:                We don't care about sign_extend because the only case where this is
michael@0:                going to be used only jumps forward. */
michael@0:             Elf32_Addr tmp = (Elf32_Addr) (addr - offset - base_addr);
michael@0:             unsigned int word0 = addend & 0xffff,
michael@0:                          word1 = addend >> 16;
michael@0: 
michael@0:             /* Encoding T4 of B.W is 10x1 ; Encoding T1 of BL is 11x1. */
michael@0:             unsigned int type = (word1 & 0xd000) >> 12;
michael@0:             if (((word0 & 0xf800) != 0xf000) || ((type & 0x9) != 0x9))
michael@0:                 throw std::runtime_error("R_ARM_THM_JUMP24/R_ARM_THM_CALL relocation only supported for B.W <label> and BL <label>");
michael@0: 
michael@0:             /* When the target address points to ARM code, switch a BL to a
michael@0:              * BLX. This however can't be done with a B.W without adding a
michael@0:              * trampoline, which is not supported as of now. */
michael@0:             if ((addr & 0x1) == 0) {
michael@0:                 if (type == 0x9)
michael@0:                     throw std::runtime_error("R_ARM_THM_JUMP24/R_ARM_THM_CALL relocation only supported for BL <label> when label points to ARM code");
michael@0:                 /* The address of the target is always relative to a 4-bytes
michael@0:                  * aligned address, so if the address of the BL instruction is
michael@0:                  * not 4-bytes aligned, adjust for it. */
michael@0:                 if ((base_addr + offset) & 0x2)
michael@0:                     tmp += 2;
michael@0:                 /* Encoding T2 of BLX is 11x0. */
michael@0:                 type = 0xc;
michael@0:             }
michael@0: 
michael@0:             unsigned int s = (word0 & (1 << 10)) >> 10;
michael@0:             unsigned int j1 = (word1 & (1 << 13)) >> 13;
michael@0:             unsigned int j2 = (word1 & (1 << 11)) >> 11;
michael@0:             unsigned int i1 = j1 ^ s ? 0 : 1;
michael@0:             unsigned int i2 = j2 ^ s ? 0 : 1;
michael@0: 
michael@0:             tmp += ((s << 24) | (i1 << 23) | (i2 << 22) | ((word0 & 0x3ff) << 12) | ((word1 & 0x7ff) << 1));
michael@0: 
michael@0:             s = (tmp & (1 << 24)) >> 24;
michael@0:             j1 = ((tmp & (1 << 23)) >> 23) ^ !s;
michael@0:             j2 = ((tmp & (1 << 22)) >> 22) ^ !s;
michael@0: 
michael@0:             return 0xf000 | (s << 10) | ((tmp & (0x3ff << 12)) >> 12) |
michael@0:                    (type << 28) | (j1 << 29) | (j2 << 27) | ((tmp & 0xffe) << 15);
michael@0:         }
michael@0:     };
michael@0: 
michael@0:     class gotoff_relocation {
michael@0:     public:
michael@0:         Elf32_Addr operator()(unsigned int base_addr, Elf32_Off offset,
michael@0:                               Elf32_Word addend, unsigned int addr)
michael@0:         {
michael@0:             return addr + addend;
michael@0:         }
michael@0:     };
michael@0: 
michael@0:     template <class relocation_type>
michael@0:     void apply_relocation(ElfSection *the_code, char *base, Elf_Rel *r, unsigned int addr)
michael@0:     {
michael@0:         relocation_type relocation;
michael@0:         Elf32_Addr value;
michael@0:         memcpy(&value, base + r->r_offset, 4);
michael@0:         value = relocation(the_code->getAddr(), r->r_offset, value, addr);
michael@0:         memcpy(base + r->r_offset, &value, 4);
michael@0:     }
michael@0: 
michael@0:     template <class relocation_type>
michael@0:     void apply_relocation(ElfSection *the_code, char *base, Elf_Rela *r, unsigned int addr)
michael@0:     {
michael@0:         relocation_type relocation;
michael@0:         Elf32_Addr value = relocation(the_code->getAddr(), r->r_offset, r->r_addend, addr);
michael@0:         memcpy(base + r->r_offset, &value, 4);
michael@0:     }
michael@0: 
michael@0:     template <typename Rel_Type>
michael@0:     void apply_relocations(ElfRel_Section<Rel_Type> *rel, ElfSection *the_code)
michael@0:     {
michael@0:         assert(rel->getType() == Rel_Type::sh_type);
michael@0:         char *buf = data + (the_code->getAddr() - code.front()->getAddr());
michael@0:         // TODO: various checks on the sections
michael@0:         ElfSymtab_Section *symtab = (ElfSymtab_Section *)rel->getLink();
michael@0:         for (typename std::vector<Rel_Type>::iterator r = rel->rels.begin(); r != rel->rels.end(); r++) {
michael@0:             // TODO: various checks on the symbol
michael@0:             const char *name = symtab->syms[ELF32_R_SYM(r->r_info)].name;
michael@0:             unsigned int addr;
michael@0:             if (symtab->syms[ELF32_R_SYM(r->r_info)].value.getSection() == nullptr) {
michael@0:                 if (strcmp(name, "relhack") == 0) {
michael@0:                     addr = getNext()->getAddr();
michael@0:                 } else if (strcmp(name, "elf_header") == 0) {
michael@0:                     // TODO: change this ungly hack to something better
michael@0:                     ElfSection *ehdr = parent.getSection(1)->getPrevious()->getPrevious();
michael@0:                     addr = ehdr->getAddr();
michael@0:                 } else if (strcmp(name, "original_init") == 0) {
michael@0:                     addr = init;
michael@0:                 } else if (strcmp(name, "_GLOBAL_OFFSET_TABLE_") == 0) {
michael@0:                     // We actually don't need a GOT, but need it as a reference for
michael@0:                     // GOTOFF relocations. We'll just use the start of the ELF file
michael@0:                     addr = 0;
michael@0:                 } else if (strcmp(name, "") == 0) {
michael@0:                     // This is for R_ARM_V4BX, until we find something better
michael@0:                     addr = -1;
michael@0:                 } else {
michael@0:                     throw std::runtime_error("Unsupported symbol in relocation");
michael@0:                 }
michael@0:             } else {
michael@0:                 ElfSection *section = symtab->syms[ELF32_R_SYM(r->r_info)].value.getSection();
michael@0:                 assert((section->getType() == SHT_PROGBITS) && (section->getFlags() & SHF_EXECINSTR));
michael@0:                 addr = symtab->syms[ELF32_R_SYM(r->r_info)].value.getValue();
michael@0:             }
michael@0:             // Do the relocation
michael@0: #define REL(machine, type) (EM_ ## machine | (R_ ## machine ## _ ## type << 8))
michael@0:             switch (elf->getMachine() | (ELF32_R_TYPE(r->r_info) << 8)) {
michael@0:             case REL(X86_64, PC32):
michael@0:             case REL(386, PC32):
michael@0:             case REL(386, GOTPC):
michael@0:             case REL(ARM, GOTPC):
michael@0:             case REL(ARM, REL32):
michael@0:                 apply_relocation<pc32_relocation>(the_code, buf, &*r, addr);
michael@0:                 break;
michael@0:             case REL(ARM, CALL):
michael@0:             case REL(ARM, JUMP24):
michael@0:             case REL(ARM, PLT32):
michael@0:                 apply_relocation<arm_plt32_relocation>(the_code, buf, &*r, addr);
michael@0:                 break;
michael@0:             case REL(ARM, THM_PC22 /* THM_CALL */):
michael@0:             case REL(ARM, THM_JUMP24):
michael@0:                 apply_relocation<arm_thm_jump24_relocation>(the_code, buf, &*r, addr);
michael@0:                 break;
michael@0:             case REL(386, GOTOFF):
michael@0:             case REL(ARM, GOTOFF):
michael@0:                 apply_relocation<gotoff_relocation>(the_code, buf, &*r, addr);
michael@0:                 break;
michael@0:             case REL(ARM, V4BX):
michael@0:                 // Ignore R_ARM_V4BX relocations
michael@0:                 break;
michael@0:             default:
michael@0:                 throw std::runtime_error("Unsupported relocation type");
michael@0:             }
michael@0:         }
michael@0:     }
michael@0: 
michael@0:     Elf *elf, &parent;
michael@0:     std::vector<ElfSection *> code;
michael@0:     unsigned int init;
michael@0:     int entry_point;
michael@0: };
michael@0: 
michael@0: unsigned int get_addend(Elf_Rel *rel, Elf *elf) {
michael@0:     ElfLocation loc(rel->r_offset, elf);
michael@0:     Elf_Addr addr(loc.getBuffer(), Elf_Addr::size(elf->getClass()), elf->getClass(), elf->getData());
michael@0:     return addr.value;
michael@0: }
michael@0: 
michael@0: unsigned int get_addend(Elf_Rela *rel, Elf *elf) {
michael@0:     return rel->r_addend;
michael@0: }
michael@0: 
michael@0: void set_relative_reloc(Elf_Rel *rel, Elf *elf, unsigned int value) {
michael@0:     ElfLocation loc(rel->r_offset, elf);
michael@0:     Elf_Addr addr;
michael@0:     addr.value = value;
michael@0:     addr.serialize(const_cast<char *>(loc.getBuffer()), Elf_Addr::size(elf->getClass()), elf->getClass(), elf->getData());
michael@0: }
michael@0: 
michael@0: void set_relative_reloc(Elf_Rela *rel, Elf *elf, unsigned int value) {
michael@0:     // ld puts the value of relocated relocations both in the addend and
michael@0:     // at r_offset. For consistency, keep it that way.
michael@0:     set_relative_reloc((Elf_Rel *)rel, elf, value);
michael@0:     rel->r_addend = value;
michael@0: }
michael@0: 
michael@0: void maybe_split_segment(Elf *elf, ElfSegment *segment, bool fill)
michael@0: {
michael@0:     std::list<ElfSection *>::iterator it = segment->begin();
michael@0:     for (ElfSection *last = *(it++); it != segment->end(); last = *(it++)) {
michael@0:         // When two consecutive non-SHT_NOBITS sections are apart by more
michael@0:         // than the alignment of the section, the second can be moved closer
michael@0:         // to the first, but this requires the segment to be split.
michael@0:         if (((*it)->getType() != SHT_NOBITS) && (last->getType() != SHT_NOBITS) &&
michael@0:             ((*it)->getOffset() - last->getOffset() - last->getSize() > segment->getAlign())) {
michael@0:             // Probably very wrong.
michael@0:             Elf_Phdr phdr;
michael@0:             phdr.p_type = PT_LOAD;
michael@0:             phdr.p_vaddr = 0;
michael@0:             phdr.p_paddr = phdr.p_vaddr + segment->getVPDiff();
michael@0:             phdr.p_flags = segment->getFlags();
michael@0:             phdr.p_align = segment->getAlign();
michael@0:             phdr.p_filesz = (unsigned int)-1;
michael@0:             phdr.p_memsz = (unsigned int)-1;
michael@0:             ElfSegment *newSegment = new ElfSegment(&phdr);
michael@0:             elf->insertSegmentAfter(segment, newSegment);
michael@0:             ElfSection *section = *it;
michael@0:             for (; it != segment->end(); ++it) {
michael@0:                 newSegment->addSection(*it);
michael@0:             }
michael@0:             for (it = newSegment->begin(); it != newSegment->end(); it++) {
michael@0:                 segment->removeSection(*it);
michael@0:             }
michael@0:             // Fill the virtual address space gap left between the two PT_LOADs
michael@0:             // with a new PT_LOAD with no permissions. This avoids the linker
michael@0:             // (especially bionic's) filling the gap with anonymous memory,
michael@0:             // which breakpad doesn't like.
michael@0:             // /!\ running strip on a elfhacked binary will break this filler
michael@0:             // PT_LOAD.
michael@0:             if (!fill)
michael@0:                 break;
michael@0:             // Insert dummy segment to normalize the entire Elf with the header
michael@0:             // sizes adjusted, before inserting a filler segment.
michael@0:             {
michael@0:               memset(&phdr, 0, sizeof(phdr));
michael@0:               ElfSegment dummySegment(&phdr);
michael@0:               elf->insertSegmentAfter(segment, &dummySegment);
michael@0:               elf->normalize();
michael@0:               elf->removeSegment(&dummySegment);
michael@0:             }
michael@0:             ElfSection *previous = section->getPrevious();
michael@0:             phdr.p_type = PT_LOAD;
michael@0:             phdr.p_vaddr = (previous->getAddr() + previous->getSize() + segment->getAlign() - 1) & ~(segment->getAlign() - 1);
michael@0:             phdr.p_paddr = phdr.p_vaddr + segment->getVPDiff();
michael@0:             phdr.p_flags = 0;
michael@0:             phdr.p_align = 0;
michael@0:             phdr.p_filesz = (section->getAddr() & ~(newSegment->getAlign() - 1)) - phdr.p_vaddr;
michael@0:             phdr.p_memsz = phdr.p_filesz;
michael@0:             if (phdr.p_filesz) {
michael@0:                 newSegment = new ElfSegment(&phdr);
michael@0:                 assert(newSegment->isElfHackFillerSegment());
michael@0:                 elf->insertSegmentAfter(segment, newSegment);
michael@0:             } else {
michael@0:                 elf->normalize();
michael@0:             }
michael@0:             break;
michael@0:         }
michael@0:     }
michael@0: }
michael@0: 
michael@0: template <typename Rel_Type>
michael@0: int do_relocation_section(Elf *elf, unsigned int rel_type, unsigned int rel_type2, bool force, bool fill)
michael@0: {
michael@0:     ElfDynamic_Section *dyn = elf->getDynSection();
michael@0:     if (dyn == nullptr) {
michael@0:         fprintf(stderr, "Couldn't find SHT_DYNAMIC section\n");
michael@0:         return -1;
michael@0:     }
michael@0: 
michael@0:     ElfSegment *relro = elf->getSegmentByType(PT_GNU_RELRO);
michael@0: 
michael@0:     ElfRel_Section<Rel_Type> *section = (ElfRel_Section<Rel_Type> *)dyn->getSectionForType(Rel_Type::d_tag);
michael@0:     assert(section->getType() == Rel_Type::sh_type);
michael@0: 
michael@0:     Elf32_Shdr relhack32_section =
michael@0:         { 0, SHT_PROGBITS, SHF_ALLOC, 0, (Elf32_Off)-1, 0, SHN_UNDEF, 0,
michael@0:           Elf_RelHack::size(elf->getClass()), Elf_RelHack::size(elf->getClass()) }; // TODO: sh_addralign should be an alignment, not size
michael@0:     Elf32_Shdr relhackcode32_section =
michael@0:         { 0, SHT_PROGBITS, SHF_ALLOC | SHF_EXECINSTR, 0, (Elf32_Off)-1, 0,
michael@0:           SHN_UNDEF, 0, 1, 0 };
michael@0: 
michael@0:     unsigned int entry_sz = Elf_Addr::size(elf->getClass());
michael@0: 
michael@0:     // The injected code needs to be executed before any init code in the
michael@0:     // binary. There are three possible cases:
michael@0:     // - The binary has no init code at all. In this case, we will add a
michael@0:     //   DT_INIT entry pointing to the injected code.
michael@0:     // - The binary has a DT_INIT entry. In this case, we will interpose:
michael@0:     //   we change DT_INIT to point to the injected code, and have the
michael@0:     //   injected code call the original DT_INIT entry point.
michael@0:     // - The binary has no DT_INIT entry, but has a DT_INIT_ARRAY. In this
michael@0:     //   case, we interpose as well, by replacing the first entry in the
michael@0:     //   array to point to the injected code, and have the injected code
michael@0:     //   call the original first entry.
michael@0:     // The binary may have .ctors instead of DT_INIT_ARRAY, for its init
michael@0:     // functions, but this falls into the second case above, since .ctors
michael@0:     // are actually run by DT_INIT code.
michael@0:     ElfValue *value = dyn->getValueForType(DT_INIT);
michael@0:     unsigned int original_init = value ? value->getValue() : 0;
michael@0:     ElfSection *init_array = nullptr;
michael@0:     if (!value || !value->getValue()) {
michael@0:         value = dyn->getValueForType(DT_INIT_ARRAYSZ);
michael@0:         if (value && value->getValue() >= entry_sz)
michael@0:             init_array = dyn->getSectionForType(DT_INIT_ARRAY);
michael@0:     }
michael@0: 
michael@0:     Elf_Shdr relhack_section(relhack32_section);
michael@0:     Elf_Shdr relhackcode_section(relhackcode32_section);
michael@0:     ElfRelHack_Section *relhack = new ElfRelHack_Section(relhack_section);
michael@0: 
michael@0:     ElfSymtab_Section *symtab = (ElfSymtab_Section *) section->getLink();
michael@0:     Elf_SymValue *sym = symtab->lookup("__cxa_pure_virtual");
michael@0: 
michael@0:     std::vector<Rel_Type> new_rels;
michael@0:     Elf_RelHack relhack_entry;
michael@0:     relhack_entry.r_offset = relhack_entry.r_info = 0;
michael@0:     size_t init_array_reloc = 0;
michael@0:     for (typename std::vector<Rel_Type>::iterator i = section->rels.begin();
michael@0:          i != section->rels.end(); i++) {
michael@0:         // We don't need to keep R_*_NONE relocations
michael@0:         if (!ELF32_R_TYPE(i->r_info))
michael@0:             continue;
michael@0:         ElfLocation loc(i->r_offset, elf);
michael@0:         // __cxa_pure_virtual is a function used in vtables to point at pure
michael@0:         // virtual methods. The __cxa_pure_virtual function usually abort()s.
michael@0:         // These functions are however normally never called. In the case
michael@0:         // where they would, jumping to the null address instead of calling
michael@0:         // __cxa_pure_virtual is going to work just as well. So we can remove
michael@0:         // relocations for the __cxa_pure_virtual symbol and null out the
michael@0:         // content at the offset pointed by the relocation.
michael@0:         if (sym) {
michael@0:             if (sym->defined) {
michael@0:                 // If we are statically linked to libstdc++, the
michael@0:                 // __cxa_pure_virtual symbol is defined in our lib, and we
michael@0:                 // have relative relocations (rel_type) for it.
michael@0:                 if (ELF32_R_TYPE(i->r_info) == rel_type) {
michael@0:                     Elf_Addr addr(loc.getBuffer(), entry_sz, elf->getClass(), elf->getData());
michael@0:                     if (addr.value == sym->value.getValue()) {
michael@0:                         memset((char *)loc.getBuffer(), 0, entry_sz);
michael@0:                         continue;
michael@0:                     }
michael@0:                 }
michael@0:             } else {
michael@0:                 // If we are dynamically linked to libstdc++, the
michael@0:                 // __cxa_pure_virtual symbol is undefined in our lib, and we
michael@0:                 // have absolute relocations (rel_type2) for it.
michael@0:                 if ((ELF32_R_TYPE(i->r_info) == rel_type2) &&
michael@0:                     (sym == &symtab->syms[ELF32_R_SYM(i->r_info)])) {
michael@0:                     memset((char *)loc.getBuffer(), 0, entry_sz);
michael@0:                     continue;
michael@0:                 }
michael@0:             }
michael@0:         }
michael@0:         // Keep track of the relocation associated with the first init_array entry.
michael@0:         if (init_array && i->r_offset == init_array->getAddr()) {
michael@0:             if (init_array_reloc) {
michael@0:                 fprintf(stderr, "Found multiple relocations for the first init_array entry. Skipping\n");
michael@0:                 return -1;
michael@0:             }
michael@0:             new_rels.push_back(*i);
michael@0:             init_array_reloc = new_rels.size();
michael@0:         } else if (!(loc.getSection()->getFlags() & SHF_WRITE) || (ELF32_R_TYPE(i->r_info) != rel_type) ||
michael@0:                    (relro && (i->r_offset >= relro->getAddr()) &&
michael@0:                    (i->r_offset < relro->getAddr() + relro->getMemSize()))) {
michael@0:             // Don't pack relocations happening in non writable sections.
michael@0:             // Our injected code is likely not to be allowed to write there.
michael@0:             new_rels.push_back(*i);
michael@0:         } else {
michael@0:             // TODO: check that i->r_addend == *i->r_offset
michael@0:             if (i->r_offset == relhack_entry.r_offset + relhack_entry.r_info * entry_sz) {
michael@0:                 relhack_entry.r_info++;
michael@0:             } else {
michael@0:                 if (relhack_entry.r_offset)
michael@0:                     relhack->push_back(relhack_entry);
michael@0:                 relhack_entry.r_offset = i->r_offset;
michael@0:                 relhack_entry.r_info = 1;
michael@0:             }
michael@0:         }
michael@0:     }
michael@0:     if (relhack_entry.r_offset)
michael@0:         relhack->push_back(relhack_entry);
michael@0:     // Last entry must be nullptr
michael@0:     relhack_entry.r_offset = relhack_entry.r_info = 0;
michael@0:     relhack->push_back(relhack_entry);
michael@0: 
michael@0:     unsigned int old_end = section->getOffset() + section->getSize();
michael@0: 
michael@0:     if (init_array) {
michael@0:         if (! init_array_reloc) {
michael@0:             fprintf(stderr, "Didn't find relocation for DT_INIT_ARRAY's first entry. Skipping\n");
michael@0:             return -1;
michael@0:         }
michael@0:         Rel_Type *rel = &new_rels[init_array_reloc - 1];
michael@0:         unsigned int addend = get_addend(rel, elf);
michael@0:         // Use relocated value of DT_INIT_ARRAY's first entry for the
michael@0:         // function to be called by the injected code.
michael@0:         if (ELF32_R_TYPE(rel->r_info) == rel_type) {
michael@0:             original_init = addend;
michael@0:         } else if (ELF32_R_TYPE(rel->r_info) == rel_type2) {
michael@0:             ElfSymtab_Section *symtab = (ElfSymtab_Section *)section->getLink();
michael@0:             original_init = symtab->syms[ELF32_R_SYM(rel->r_info)].value.getValue() + addend;
michael@0:         } else {
michael@0:             fprintf(stderr, "Unsupported relocation type for DT_INIT_ARRAY's first entry. Skipping\n");
michael@0:             return -1;
michael@0:         }
michael@0:     }
michael@0: 
michael@0:     section->rels.assign(new_rels.begin(), new_rels.end());
michael@0:     section->shrink(new_rels.size() * section->getEntSize());
michael@0: 
michael@0:     ElfRelHackCode_Section *relhackcode = new ElfRelHackCode_Section(relhackcode_section, *elf, original_init);
michael@0:     relhackcode->insertBefore(section);
michael@0:     relhack->insertAfter(relhackcode);
michael@0:     if (section->getOffset() + section->getSize() >= old_end) {
michael@0:         fprintf(stderr, "No gain. Skipping\n");
michael@0:         return -1;
michael@0:     }
michael@0: 
michael@0:     // Adjust PT_LOAD segments
michael@0:     for (ElfSegment *segment = elf->getSegmentByType(PT_LOAD); segment;
michael@0:          segment = elf->getSegmentByType(PT_LOAD, segment)) {
michael@0:         maybe_split_segment(elf, segment, fill);
michael@0:     }
michael@0: 
michael@0:     // Ensure Elf sections will be at their final location.
michael@0:     elf->normalize();
michael@0:     ElfLocation *init = new ElfLocation(relhackcode, relhackcode->getEntryPoint());
michael@0:     if (init_array) {
michael@0:         // Adjust the first DT_INIT_ARRAY entry to point at the injected code
michael@0:         // by transforming its relocation into a relative one pointing to the
michael@0:         // address of the injected code.
michael@0:         Rel_Type *rel = &section->rels[init_array_reloc - 1];
michael@0:         rel->r_info = ELF32_R_INFO(0, rel_type); // Set as a relative relocation
michael@0:         set_relative_reloc(&section->rels[init_array_reloc - 1], elf, init->getValue());
michael@0:     } else if (!dyn->setValueForType(DT_INIT, init)) {
michael@0:         fprintf(stderr, "Can't grow .dynamic section to set DT_INIT. Skipping\n");
michael@0:         return -1;
michael@0:     }
michael@0:     // TODO: adjust the value according to the remaining number of relative relocations
michael@0:     if (dyn->getValueForType(Rel_Type::d_tag_count))
michael@0:         dyn->setValueForType(Rel_Type::d_tag_count, new ElfPlainValue(0));
michael@0: 
michael@0:     return 0;
michael@0: }
michael@0: 
michael@0: static inline int backup_file(const char *name)
michael@0: {
michael@0:     std::string fname(name);
michael@0:     fname += ".bak";
michael@0:     return rename(name, fname.c_str());
michael@0: }
michael@0: 
michael@0: void do_file(const char *name, bool backup = false, bool force = false, bool fill = false)
michael@0: {
michael@0:     std::ifstream file(name, std::ios::in|std::ios::binary);
michael@0:     Elf elf(file);
michael@0:     unsigned int size = elf.getSize();
michael@0:     fprintf(stderr, "%s: ", name);
michael@0:     if (elf.getType() != ET_DYN) {
michael@0:         fprintf(stderr, "Not a shared object. Skipping\n");
michael@0:         return;
michael@0:     }
michael@0: 
michael@0:     for (ElfSection *section = elf.getSection(1); section != nullptr;
michael@0:          section = section->getNext()) {
michael@0:         if (section->getName() &&
michael@0:             (strncmp(section->getName(), ".elfhack.", 9) == 0)) {
michael@0:             fprintf(stderr, "Already elfhacked. Skipping\n");
michael@0:             return;
michael@0:         }
michael@0:     }
michael@0: 
michael@0:     int exit = -1;
michael@0:     switch (elf.getMachine()) {
michael@0:     case EM_386:
michael@0:         exit = do_relocation_section<Elf_Rel>(&elf, R_386_RELATIVE, R_386_32, force, fill);
michael@0:         break;
michael@0:     case EM_X86_64:
michael@0:         exit = do_relocation_section<Elf_Rela>(&elf, R_X86_64_RELATIVE, R_X86_64_64, force, fill);
michael@0:         break;
michael@0:     case EM_ARM:
michael@0:         exit = do_relocation_section<Elf_Rel>(&elf, R_ARM_RELATIVE, R_ARM_ABS32, force, fill);
michael@0:         break;
michael@0:     }
michael@0:     if (exit == 0) {
michael@0:         if (!force && (elf.getSize() >= size)) {
michael@0:             fprintf(stderr, "No gain. Skipping\n");
michael@0:         } else if (backup && backup_file(name) != 0) {
michael@0:             fprintf(stderr, "Couln't create backup file\n");
michael@0:         } else {
michael@0:             std::ofstream ofile(name, std::ios::out|std::ios::binary|std::ios::trunc);
michael@0:             elf.write(ofile);
michael@0:             fprintf(stderr, "Reduced by %d bytes\n", size - elf.getSize());
michael@0:         }
michael@0:     }
michael@0: }
michael@0: 
michael@0: void undo_file(const char *name, bool backup = false)
michael@0: {
michael@0:     std::ifstream file(name, std::ios::in|std::ios::binary);
michael@0:     Elf elf(file);
michael@0:     unsigned int size = elf.getSize();
michael@0:     fprintf(stderr, "%s: ", name);
michael@0:     if (elf.getType() != ET_DYN) {
michael@0:         fprintf(stderr, "Not a shared object. Skipping\n");
michael@0:         return;
michael@0:     }
michael@0: 
michael@0:     ElfSection *data = nullptr, *text = nullptr;
michael@0:     for (ElfSection *section = elf.getSection(1); section != nullptr;
michael@0:          section = section->getNext()) {
michael@0:         if (section->getName() &&
michael@0:             (strcmp(section->getName(), elfhack_data) == 0))
michael@0:             data = section;
michael@0:         if (section->getName() &&
michael@0:             (strcmp(section->getName(), elfhack_text) == 0))
michael@0:             text = section;
michael@0:     }
michael@0: 
michael@0:     if (!data || !text) {
michael@0:         fprintf(stderr, "Not elfhacked. Skipping\n");
michael@0:         return;
michael@0:     }
michael@0:     if (data != text->getNext()) {
michael@0:         fprintf(stderr, elfhack_data " section not following " elfhack_text ". Skipping\n");
michael@0:         return;
michael@0:     }
michael@0: 
michael@0:     ElfSegment *first = elf.getSegmentByType(PT_LOAD);
michael@0:     ElfSegment *second = elf.getSegmentByType(PT_LOAD, first);
michael@0:     ElfSegment *filler = nullptr;
michael@0:     // If the second PT_LOAD is a filler from elfhack --fill, check the third.
michael@0:     if (second->isElfHackFillerSegment()) {
michael@0:         filler = second;
michael@0:         second = elf.getSegmentByType(PT_LOAD, filler);
michael@0:     }
michael@0:     if (second->getFlags() != first->getFlags()) {
michael@0:         fprintf(stderr, "Couldn't identify elfhacked PT_LOAD segments. Skipping\n");
michael@0:         return;
michael@0:     }
michael@0:     // Move sections from the second PT_LOAD to the first, and remove the
michael@0:     // second PT_LOAD segment.
michael@0:     for (std::list<ElfSection *>::iterator section = second->begin();
michael@0:          section != second->end(); ++section)
michael@0:         first->addSection(*section);
michael@0: 
michael@0:     elf.removeSegment(second);
michael@0:     if (filler)
michael@0:         elf.removeSegment(filler);
michael@0: 
michael@0:     if (backup && backup_file(name) != 0) {
michael@0:         fprintf(stderr, "Couln't create backup file\n");
michael@0:     } else {
michael@0:         std::ofstream ofile(name, std::ios::out|std::ios::binary|std::ios::trunc);
michael@0:         elf.write(ofile);
michael@0:         fprintf(stderr, "Grown by %d bytes\n", elf.getSize() - size);
michael@0:     }
michael@0: }
michael@0: 
michael@0: int main(int argc, char *argv[])
michael@0: {
michael@0:     int arg;
michael@0:     bool backup = false;
michael@0:     bool force = false;
michael@0:     bool revert = false;
michael@0:     bool fill = false;
michael@0:     char *lastSlash = rindex(argv[0], '/');
michael@0:     if (lastSlash != nullptr)
michael@0:         rundir = strndup(argv[0], lastSlash - argv[0]);
michael@0:     for (arg = 1; arg < argc; arg++) {
michael@0:         if (strcmp(argv[arg], "-f") == 0)
michael@0:             force = true;
michael@0:         else if (strcmp(argv[arg], "-b") == 0)
michael@0:             backup = true;
michael@0:         else if (strcmp(argv[arg], "-r") == 0)
michael@0:             revert = true;
michael@0:         else if (strcmp(argv[arg], "--fill") == 0)
michael@0:             fill = true;
michael@0:         else if (revert) {
michael@0:             undo_file(argv[arg], backup);
michael@0:         } else
michael@0:             do_file(argv[arg], backup, force, fill);
michael@0:     }
michael@0: 
michael@0:     free(rundir);
michael@0:     return 0;
michael@0: }