1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 */
25
26 #pragma ident "%Z%%M% %I% %E% SMI"
27
28 #include <stdio.h>
29 #include <stdlib.h>
30 #include <string.h>
31 #include <strings.h>
32 #include <sys/types.h>
33 #include <sys/link.h>
34 #include <libproc.h>
35 #include <proc_service.h>
36 #include <rtld_db.h>
37 #include <synch.h>
38
39 #include <sys/lx_brand.h>
40
41 /*
42 * ATTENTION:
43 * Librtl_db brand plugin libraries should NOT directly invoke any
44 * libproc.so interfaces or be linked against libproc. If a librtl_db
45 * brand plugin library uses libproc.so interfaces then it may break
46 * any other librtld_db consumers (like mdb) that tries to attach
47 * to a branded process. The only safe interfaces that the a librtld_db
48 * brand plugin library can use to access a target process are the
49 * proc_service(3PROC) apis.
50 */
51
52 /*
53 * M_DATA comes from some streams header file but is also redifined in
54 * _rtld_db.h, so nuke the old streams definition here.
55 */
56 #ifdef M_DATA
57 #undef M_DATA
58 #endif /* M_DATA */
59
60 /*
61 * For 32-bit versions of this library, this file get's compiled once.
62 * For 64-bit versions of this library, this file get's compiled twice,
63 * once with _ELF64 defined and once without. The expectation is that
64 * the 64-bit version of the library can properly deal with both 32-bit
65 * and 64-bit elf files, hence in the 64-bit library there are two copies
66 * of all the interfaces in this file, one set named *32 and one named *64.
67 *
68 * This also means that we need to be careful when declaring local pointers
69 * that point to objects in another processes address space, since these
70 * pointers may not match the current processes pointer width. Basically,
71 * we should avoid using data types that change size between 32 and 64 bit
72 * modes like: long, void *, uintprt_t, caddr_t, psaddr_t, size_t, etc.
73 * Instead we should declare all pointers as uint32_t. Then when we
74 * are compiled to deal with 64-bit targets we'll re-define uint32_t
75 * to be a uint64_t.
76 *
77 * Finally, one last importante note. All the 64-bit elf file code
78 * is never used and can't be tested. This is because we don't actually
79 * support 64-bit Linux processes yet. The reason that we have it here
80 * is because we want to support debugging 32-bit elf targets with the
81 * 64-bit version of this library, so we need to have a 64-bit version
82 * of this library. But a 64-bit version of this library is expected
83 * to provide debugging interfaces for both 32 and 64-bit elf targets.
84 * So we provide the 64-bit elf target interfaces, but they will never
85 * be invoked and are untested. If we ever add support for 64-bit elf
86 * Linux processes, we'll need to verify that this code works correctly
87 * for those targets.
88 */
89 #ifdef _LP64
90 #ifdef _ELF64
91 #define lx_ldb_get_dyns32 lx_ldb_get_dyns64
92 #define lx_ldb_init32 lx_ldb_init64
93 #define lx_ldb_fini32 lx_ldb_fini64
94 #define lx_ldb_loadobj_iter32 lx_ldb_loadobj_iter64
95 #define lx_ldb_getauxval32 lx_ldb_getauxval64
96 #define lx_elf_props32 lx_elf_props64
97 #define _rd_get_dyns32 _rd_get_dyns64
98 #define _rd_get_ehdr32 _rd_get_ehdr64
99 #define uint32_t uint64_t
100 #define Elf32_Dyn Elf64_Dyn
101 #define Elf32_Ehdr Elf64_Ehdr
102 #define Elf32_Phdr Elf64_Phdr
103 #endif /* _ELF64 */
104 #endif /* _LP64 */
105
106 /* Included from usr/src/cmd/sgs/librtld_db/common */
107 #include <_rtld_db.h>
108
109 typedef struct lx_rd {
110 rd_agent_t *lr_rap;
111 struct ps_prochandle *lr_php; /* proc handle pointer */
112 uint32_t lr_rdebug; /* address of lx r_debug */
113 uint32_t lr_exec; /* base address of executable */
114 } lx_rd_t;
115
116 typedef struct lx_link_map {
117 uint32_t lxm_addr; /* Base address shared object is loaded at. */
118 uint32_t lxm_name; /* Absolute file name object was found in. */
119 uint32_t lxm_ld; /* Dynamic section of the shared object. */
120 uint32_t lxm_next; /* Chain of loaded objects. */
121 } lx_link_map_t;
122
123 typedef struct lx_r_debug {
124 int r_version; /* Version number for this protocol. */
125 uint32_t r_map; /* Head of the chain of loaded objects. */
126
127 /*
128 * This is the address of a function internal to the run-time linker,
129 * that will always be called when the linker begins to map in a
130 * library or unmap it, and again when the mapping change is complete.
131 * The debugger can set a breakpoint at this address if it wants to
132 * notice shared object mapping changes.
133 */
134 uint32_t r_brk;
135 r_state_e r_state; /* defined the same way between lx/solaris */
136 uint32_t r_ldbase; /* Base address the linker is loaded at. */
137 } lx_r_debug_t;
138
139 static uint32_t
140 lx_ldb_getauxval32(struct ps_prochandle *php, int type)
141 {
142 const auxv_t *auxvp = NULL;
143
144 if (ps_pauxv(php, &auxvp) != PS_OK)
145 return ((uint32_t)-1);
146
147 while (auxvp->a_type != AT_NULL) {
148 if (auxvp->a_type == type)
149 return ((uint32_t)(uintptr_t)auxvp->a_un.a_ptr);
150 auxvp++;
151 }
152 return ((uint32_t)-1);
153 }
154
155 /*
156 * A key difference between the linux linker and ours' is that the linux
157 * linker adds the base address of segments to certain values in the
158 * segments' ELF header. As an example, look at the address of the
159 * DT_HASH hash table in a Solaris section - it is a relative address
160 * which locates the start of the hash table, relative to the beginning
161 * of the ELF file. However, when the linux linker loads a section, it
162 * modifies the in-memory ELF image by changing address of the hash
163 * table to be an absolute address. This is only done for libraries - not for
164 * executables.
165 *
166 * Solaris tools expect the relative address to remain relative, so
167 * here we will modify the in-memory ELF image so that it once again
168 * contains relative addresses.
169 *
170 * To accomplish this, we walk through all sections in the target.
171 * Linux sections are identified by pointing to the linux linker or libc in the
172 * DT_NEEDED section. For all matching sections, we subtract the segment
173 * base address to get back to relative addresses.
174 */
175 static rd_err_e
176 lx_ldb_get_dyns32(rd_helper_data_t rhd,
177 psaddr_t addr, void **dynpp, size_t *dynpp_sz)
178 {
179 lx_rd_t *lx_rd = (lx_rd_t *)rhd;
180 rd_agent_t *rap = lx_rd->lr_rap;
181 Elf32_Ehdr ehdr;
182 Elf32_Dyn *dynp = NULL;
183 size_t dynp_sz;
184 uint_t ndyns;
185 int i;
186
187 ps_plog("lx_ldb_get_dyns: invoked for object at 0x%p", addr);
188
189 /* Read in a copy of the ehdr */
190 if (_rd_get_ehdr32(rap, addr, &ehdr, NULL) != RD_OK) {
191 ps_plog("lx_ldb_get_dyns: _rd_get_ehdr() failed");
192 return (RD_ERR);
193 }
194
195 /* read out the PT_DYNAMIC elements for this object */
196 if (_rd_get_dyns32(rap, addr, &dynp, &dynp_sz) != RD_OK) {
197 ps_plog("lx_ldb_get_dyns: _rd_get_dyns() failed");
198 return (RD_ERR);
199 }
200
201 /*
202 * From here on out if we encounter an error we'll just return
203 * success and pass back the unmolested dynamic elements that
204 * we've already obtained.
205 */
206 *dynpp = dynp;
207 *dynpp_sz = dynp_sz;
208 ndyns = dynp_sz / sizeof (Elf32_Dyn);
209
210 /* If this isn't a dynamic object, there's nothing left todo */
211 if (ehdr.e_type != ET_DYN) {
212 ps_plog("lx_ldb_get_dyns: done: not a shared object");
213 return (RD_OK);
214 }
215
216 /*
217 * Before we blindly start changing dynamic section addresses
218 * we need to figure out if the current object that we're looking
219 * at is a linux object or a solaris object. To do this first
220 * we need to find the string tab dynamic section element.
221 */
222 for (i = 0; i < ndyns; i++) {
223 if (dynp[i].d_tag == DT_STRTAB)
224 break;
225 }
226 if (i == ndyns) {
227 ps_plog("lx_ldb_get_dyns: "
228 "failed to find string tab in the dynamic section");
229 return (RD_OK);
230 }
231
232 /*
233 * Check if the strtab value looks like an offset or an address.
234 * It's an offset if the value is less then the base address that
235 * the object is loaded at, or if the value is less than the offset
236 * of the section headers in the same elf object. This check isn't
237 * perfect, but in practice it's good enough.
238 */
239 if ((dynp[i].d_un.d_ptr < addr) ||
240 (dynp[i].d_un.d_ptr < ehdr.e_shoff)) {
241 ps_plog("lx_ldb_get_dyns: "
242 "doesn't appear to be an lx object");
243 return (RD_OK);
244 }
245
246 /*
247 * This seems to be a a linux object, so we'll patch up the dynamic
248 * section addresses
249 */
250 ps_plog("lx_ldb_get_dyns: "
251 "patching up lx object dynamic section addresses");
252 for (i = 0; i < ndyns; i++) {
253 switch (dynp[i].d_tag) {
254 case DT_PLTGOT:
255 case DT_HASH:
256 case DT_STRTAB:
257 case DT_SYMTAB:
258 case DT_RELA:
259 case DT_REL:
260 case DT_DEBUG:
261 case DT_JMPREL:
262 case DT_VERSYM:
263 if (dynp[i].d_un.d_val > addr) {
264 dynp[i].d_un.d_ptr -= addr;
265 }
266 break;
267 default:
268 break;
269 }
270 }
271 return (RD_OK);
272 }
273
274 static void
275 lx_ldb_fini32(rd_helper_data_t rhd)
276 {
277 lx_rd_t *lx_rd = (lx_rd_t *)rhd;
278 ps_plog("lx_ldb_fini: cleaning up lx helper");
279 free(lx_rd);
280 }
281
282 /*
283 * The linux linker has an r_debug structure somewhere in its data section that
284 * contains the address of the head of the link map list. To find this, we will
285 * use the DT_DEBUG token in the executable's dynamic section. The linux linker
286 * wrote the address of its r_debug structure to the DT_DEBUG dynamic entry. We
287 * get the address of the executable's program headers from the
288 * AT_SUN_BRAND_LX_PHDR aux vector entry. From there, we calculate the
289 * address of the Elf header, and from there we can easily get to the DT_DEBUG
290 * entry.
291 */
292 static rd_helper_data_t
293 lx_ldb_init32(rd_agent_t *rap, struct ps_prochandle *php)
294 {
295 lx_rd_t *lx_rd;
296 uint32_t addr, phdr_addr, dyn_addr;
297 Elf32_Dyn *dyn;
298 Elf32_Phdr phdr, *ph, *phdrs;
299 Elf32_Ehdr ehdr;
300 int i, dyn_count;
301
302 lx_rd = calloc(sizeof (lx_rd_t), 1);
303 if (lx_rd == NULL) {
304 ps_plog("lx_ldb_init: cannot allocate memory");
305 return (NULL);
306 }
307 lx_rd->lr_rap = rap;
308 lx_rd->lr_php = php;
309
310 phdr_addr = lx_ldb_getauxval32(php, AT_SUN_BRAND_LX_PHDR);
311 if (phdr_addr == (uint32_t)-1) {
312 ps_plog("lx_ldb_init: no LX_PHDR found in aux vector");
313 return (NULL);
314 }
315 ps_plog("lx_ldb_init: found LX_PHDR auxv phdr at: 0x%p",
316 phdr_addr);
317
318 if (ps_pread(php, phdr_addr, &phdr, sizeof (phdr)) != PS_OK) {
319 ps_plog("lx_ldb_init: couldn't read phdr at 0x%p",
320 phdr_addr);
321 free(lx_rd);
322 return (NULL);
323 }
324
325 /* The ELF headher should be before the program header in memory */
326 lx_rd->lr_exec = addr = phdr_addr - phdr.p_offset;
327 if (ps_pread(php, addr, &ehdr, sizeof (ehdr)) != PS_OK) {
328 ps_plog("lx_ldb_init: couldn't read ehdr at 0x%p",
329 lx_rd->lr_exec);
330 free(lx_rd);
331 return (NULL);
332 }
333 ps_plog("lx_ldb_init: read ehdr at: 0x%p", addr);
334
335 if ((phdrs = malloc(ehdr.e_phnum * ehdr.e_phentsize)) == NULL) {
336 ps_plog("lx_ldb_init: couldn't alloc phdrs memory");
337 free(lx_rd);
338 return (NULL);
339 }
340
341 if (ps_pread(php, phdr_addr, phdrs, ehdr.e_phnum * ehdr.e_phentsize) !=
342 PS_OK) {
343 ps_plog("lx_ldb_init: couldn't read phdrs at 0x%p",
344 phdr_addr);
345 free(lx_rd);
346 free(phdrs);
347 return (NULL);
348 }
349 ps_plog("lx_ldb_init: read %d phdrs at: 0x%p",
350 ehdr.e_phnum, phdr_addr);
351
352 for (i = 0, ph = phdrs; i < ehdr.e_phnum; i++,
353 /*LINTED */
354 ph = (Elf32_Phdr *)((char *)ph + ehdr.e_phentsize)) {
355 if (ph->p_type == PT_DYNAMIC)
356 break;
357 }
358 if (i == ehdr.e_phnum) {
359 ps_plog("lx_ldb_init: no PT_DYNAMIC in executable");
360 free(lx_rd);
361 free(phdrs);
362 return (NULL);
363 }
364 ps_plog("lx_ldb_init: found PT_DYNAMIC phdr[%d] at: 0x%p",
365 i, (phdr_addr + ((char *)ph - (char *)phdrs)));
366
367 if ((dyn = malloc(ph->p_filesz)) == NULL) {
368 ps_plog("lx_ldb_init: couldn't alloc for PT_DYNAMIC");
369 free(lx_rd);
370 free(phdrs);
371 return (NULL);
372 }
373
374 dyn_addr = addr + ph->p_offset;
375 dyn_count = ph->p_filesz / sizeof (Elf32_Dyn);
376 if (ps_pread(php, dyn_addr, dyn, ph->p_filesz) != PS_OK) {
377 ps_plog("lx_ldb_init: couldn't read dynamic at 0x%p",
378 dyn_addr);
379 free(lx_rd);
380 free(phdrs);
381 free(dyn);
382 return (NULL);
383 }
384 ps_plog("lx_ldb_init: read %d dynamic headers at: 0x%p",
385 dyn_count, dyn_addr);
386
387 for (i = 0; i < dyn_count; i++) {
388 if (dyn[i].d_tag == DT_DEBUG) {
389 lx_rd->lr_rdebug = dyn[i].d_un.d_ptr;
390 break;
391 }
392 }
393 free(phdrs);
394 free(dyn);
395
396 if (lx_rd->lr_rdebug == 0) {
397 ps_plog("lx_ldb_init: no DT_DEBUG found in exe");
398 free(lx_rd);
399 return (NULL);
400 }
401 ps_plog("lx_ldb_init: found DT_DEBUG: 0x%p", lx_rd->lr_rdebug);
402
403 return ((rd_helper_data_t)lx_rd);
404 }
405
406 /*
407 * Given the address of an ELF object in the target, return its size and
408 * the proper link map ID.
409 */
410 static size_t
411 lx_elf_props32(struct ps_prochandle *php, uint32_t addr, psaddr_t *data_addr)
412 {
413 Elf32_Ehdr ehdr;
414 Elf32_Phdr *phdrs, *ph;
415 int i;
416 uint32_t min = (uint32_t)-1;
417 uint32_t max = 0;
418 size_t sz = NULL;
419
420 if (ps_pread(php, addr, &ehdr, sizeof (ehdr)) != PS_OK) {
421 ps_plog("lx_elf_props: Couldn't read ELF header at 0x%p",
422 addr);
423 return (0);
424 }
425
426 if ((phdrs = malloc(ehdr.e_phnum * ehdr.e_phentsize)) == NULL)
427 return (0);
428
429 if (ps_pread(php, addr + ehdr.e_phoff, phdrs, ehdr.e_phnum *
430 ehdr.e_phentsize) != PS_OK) {
431 ps_plog("lx_elf_props: Couldn't read program headers at 0x%p",
432 addr + ehdr.e_phoff);
433 return (0);
434 }
435
436 for (i = 0, ph = phdrs; i < ehdr.e_phnum; i++,
437 /*LINTED */
438 ph = (Elf32_Phdr *)((char *)ph + ehdr.e_phentsize)) {
439
440 if (ph->p_type != PT_LOAD)
441 continue;
442
443 if ((ph->p_flags & (PF_W | PF_R)) == (PF_W | PF_R)) {
444 *data_addr = ph->p_vaddr;
445 if (ehdr.e_type == ET_DYN)
446 *data_addr += addr;
447 if (*data_addr & (ph->p_align - 1))
448 *data_addr = *data_addr & (~(ph->p_align -1));
449 }
450
451 if (ph->p_vaddr < min)
452 min = ph->p_vaddr;
453
454 if (ph->p_vaddr > max) {
455 max = ph->p_vaddr;
456 sz = ph->p_memsz + max - min;
457 if (sz & (ph->p_align - 1))
458 sz = (sz & (~(ph->p_align - 1))) + ph->p_align;
459 }
460 }
461
462 free(phdrs);
463 return (sz);
464 }
465
466 static int
467 lx_ldb_loadobj_iter32(rd_helper_data_t rhd, rl_iter_f *cb, void *client_data)
468 {
469 lx_rd_t *lx_rd = (lx_rd_t *)rhd;
470 struct ps_prochandle *php = lx_rd->lr_php;
471 lx_r_debug_t r_debug;
472 lx_link_map_t map;
473 uint32_t p = NULL;
474 int rc;
475 rd_loadobj_t exec;
476
477 if ((rc = ps_pread(php, (psaddr_t)lx_rd->lr_rdebug, &r_debug,
478 sizeof (r_debug))) != PS_OK) {
479 ps_plog("lx_ldb_loadobj_iter: "
480 "Couldn't read linux r_debug at 0x%p", lx_rd->lr_rdebug);
481 return (rc);
482 }
483
484 p = r_debug.r_map;
485
486 /*
487 * The first item on the link map list is for the executable, but it
488 * doesn't give us any useful information about it. We need to
489 * synthesize a rd_loadobj_t for the client.
490 *
491 * Linux doesn't give us the executable name, so we'll get it from
492 * the AT_EXECNAME entry instead.
493 */
494 if ((rc = ps_pread(php, (psaddr_t)p, &map, sizeof (map))) != PS_OK) {
495 ps_plog("lx_ldb_loadobj_iter: "
496 "Couldn't read linux link map at 0x%p", p);
497 return (rc);
498 }
499
500 bzero(&exec, sizeof (exec));
501 exec.rl_base = lx_rd->lr_exec;
502 exec.rl_dynamic = map.lxm_ld;
503 exec.rl_nameaddr = lx_ldb_getauxval32(php, AT_SUN_EXECNAME);
504 exec.rl_lmident = LM_ID_BASE;
505
506 exec.rl_bend = exec.rl_base +
507 lx_elf_props32(php, lx_rd->lr_exec, &exec.rl_data_base);
508
509 if ((*cb)(&exec, client_data) == 0) {
510 ps_plog("lx_ldb_loadobj_iter: "
511 "client callb failed for executable");
512 return (PS_ERR);
513 }
514
515 for (p = map.lxm_next; p != NULL; p = map.lxm_next) {
516 rd_loadobj_t obj;
517
518 if ((rc = ps_pread(php, (psaddr_t)p, &map, sizeof (map))) !=
519 PS_OK) {
520 ps_plog("lx_ldb_loadobj_iter: "
521 "Couldn't read lk map at %p", p);
522 return (rc);
523 }
524
525 /*
526 * The linux link map has less information than the Solaris one.
527 * We need to go fetch the missing information from the ELF
528 * headers.
529 */
530
531 obj.rl_nameaddr = (psaddr_t)map.lxm_name;
532 obj.rl_base = map.lxm_addr;
533 obj.rl_refnameaddr = (psaddr_t)map.lxm_name;
534 obj.rl_plt_base = NULL;
535 obj.rl_plt_size = 0;
536 obj.rl_lmident = LM_ID_BASE;
537
538 /*
539 * Ugh - we have to walk the ELF stuff, find the PT_LOAD
540 * sections, and calculate the end of the file's mappings
541 * ourselves.
542 */
543
544 obj.rl_bend = map.lxm_addr +
545 lx_elf_props32(php, map.lxm_addr, &obj.rl_data_base);
546 obj.rl_padstart = obj.rl_base;
547 obj.rl_padend = obj.rl_bend;
548 obj.rl_dynamic = map.lxm_ld;
549 obj.rl_tlsmodid = 0;
550
551 ps_plog("lx_ldb_loadobj_iter: 0x%p to 0x%p",
552 obj.rl_base, obj.rl_bend);
553
554 if ((*cb)(&obj, client_data) == 0) {
555 ps_plog("lx_ldb_loadobj_iter: "
556 "Client callback failed on %s", map.lxm_name);
557 return (rc);
558 }
559 }
560 return (RD_OK);
561 }
562
563 /*
564 * Librtld_db plugin linkage struct.
565 *
566 * When we get loaded by librtld_db, it will look for the symbol below
567 * to find our plugin entry points.
568 */
569 rd_helper_ops_t RTLD_DB_BRAND_OPS = {
570 LM_ID_BRAND,
571 lx_ldb_init32,
572 lx_ldb_fini32,
573 lx_ldb_loadobj_iter32,
574 lx_ldb_get_dyns32
575 };