1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22/*
23 *	Copyright (c) 1988 AT&T
24 *	  All Rights Reserved
25 *
26 * Copyright (c) 1990, 2010, Oracle and/or its affiliates. All rights reserved.
27 */
28/*
29 * Copyright (c) 2012, Joyent, Inc.  All rights reserved.
30 */
31
32/*
33 * Object file dependent support for ELF objects.
34 */
35
36#include	<stdio.h>
37#include	<sys/procfs.h>
38#include	<sys/mman.h>
39#include	<sys/debug.h>
40#include	<string.h>
41#include	<limits.h>
42#include	<dlfcn.h>
43#include	<debug.h>
44#include	<conv.h>
45#include	"_rtld.h"
46#include	"_audit.h"
47#include	"_elf.h"
48#include	"_inline_gen.h"
49#include	"_inline_reloc.h"
50#include	"msg.h"
51
52/*
53 * Default and secure dependency search paths.
54 */
55static Spath_defn _elf_def_dirs[] = {
56#if	defined(_ELF64)
57	{ MSG_ORIG(MSG_PTH_LIB_64),		MSG_PTH_LIB_64_SIZE },
58	{ MSG_ORIG(MSG_PTH_USRLIB_64),		MSG_PTH_USRLIB_64_SIZE },
59#else
60	{ MSG_ORIG(MSG_PTH_LIB),		MSG_PTH_LIB_SIZE },
61	{ MSG_ORIG(MSG_PTH_USRLIB),		MSG_PTH_USRLIB_SIZE },
62#endif
63	{ 0, 0 }
64};
65
66static Spath_defn _elf_sec_dirs[] = {
67#if	defined(_ELF64)
68	{ MSG_ORIG(MSG_PTH_LIBSE_64),		MSG_PTH_LIBSE_64_SIZE },
69	{ MSG_ORIG(MSG_PTH_USRLIBSE_64),	MSG_PTH_USRLIBSE_64_SIZE },
70#else
71	{ MSG_ORIG(MSG_PTH_LIBSE),		MSG_PTH_LIBSE_SIZE },
72	{ MSG_ORIG(MSG_PTH_USRLIBSE),		MSG_PTH_USRLIBSE_SIZE },
73#endif
74	{ 0, 0 }
75};
76
77Alist	*elf_def_dirs = NULL;
78Alist	*elf_sec_dirs = NULL;
79
80/*
81 * Defines for local functions.
82 */
83static void	elf_dladdr(ulong_t, Rt_map *, Dl_info *, void **, int);
84static Addr	elf_entry_point(void);
85static int	elf_fix_name(const char *, Rt_map *, Alist **, Aliste, uint_t);
86static Alist	**elf_get_def_dirs(void);
87static Alist	**elf_get_sec_dirs(void);
88static char	*elf_get_so(const char *, const char *, size_t, size_t);
89static int	elf_needed(Lm_list *, Aliste, Rt_map *, int *);
90
91/*
92 * Functions and data accessed through indirect pointers.
93 */
94Fct elf_fct = {
95	elf_verify,
96	elf_new_lmp,
97	elf_entry_point,
98	elf_needed,
99	lookup_sym,
100	elf_reloc,
101	elf_get_def_dirs,
102	elf_get_sec_dirs,
103	elf_fix_name,
104	elf_get_so,
105	elf_dladdr,
106	dlsym_handle
107};
108
109/*
110 * Default and secure dependency search paths.
111 */
112static Alist **
113elf_get_def_dirs()
114{
115	if (elf_def_dirs == NULL)
116		set_dirs(&elf_def_dirs, _elf_def_dirs, LA_SER_DEFAULT);
117	return (&elf_def_dirs);
118}
119
120static Alist **
121elf_get_sec_dirs()
122{
123	if (elf_sec_dirs == NULL)
124		set_dirs(&elf_sec_dirs, _elf_sec_dirs, LA_SER_SECURE);
125	return (&elf_sec_dirs);
126}
127
128/*
129 * For a.out we have actual work to do here, on ELF we just perform path
130 * expansion.
131 */
132static int
133elf_fix_name(const char *name, Rt_map *clmp, Alist **alpp, Aliste alni,
134    uint_t orig)
135{
136	return (expand_paths(clmp, name, alpp, alni, orig, 0));
137}
138
139/*
140 * Determine whether this object requires capabilities.
141 */
142inline static int
143elf_cap_check(Fdesc *fdp, Ehdr *ehdr, Rej_desc *rej)
144{
145	Phdr	*phdr;
146	Cap	*cap = NULL;
147	Dyn	*dyn = NULL;
148	char	*str = NULL;
149	Addr	base;
150	uint_t	cnt, dyncnt;
151
152	/*
153	 * If this is a shared object, the base address of the shared object is
154	 * added to all address values defined within the object.  Otherwise, if
155	 * this is an executable, all object addresses are used as is.
156	 */
157	if (ehdr->e_type == ET_EXEC)
158		base = 0;
159	else
160		base = (Addr)ehdr;
161
162	/* LINTED */
163	phdr = (Phdr *)((char *)ehdr + ehdr->e_phoff);
164	for (cnt = 0; cnt < ehdr->e_phnum; cnt++, phdr++) {
165		if (phdr->p_type == PT_DYNAMIC) {
166			/* LINTED */
167			dyn = (Dyn *)((uintptr_t)phdr->p_vaddr + base);
168			dyncnt = phdr->p_filesz / sizeof (Dyn);
169		} else if (phdr->p_type == PT_SUNWCAP) {
170			/* LINTED */
171			cap = (Cap *)((uintptr_t)phdr->p_vaddr + base);
172		}
173	}
174
175	if (cap) {
176		/*
177		 * From the .dynamic section, determine the associated string
178		 * table.  Required for CA_SUNW_MACH and CA_SUNW_PLAT
179		 * processing.
180		 */
181		while (dyn && dyncnt) {
182			if (dyn->d_tag == DT_NULL) {
183				break;
184			} else if (dyn->d_tag == DT_STRTAB) {
185				str = (char *)(dyn->d_un.d_ptr + base);
186				break;
187			}
188			dyn++, dyncnt--;
189		}
190	}
191
192	/*
193	 * Establish any alternative capabilities, and validate this object
194	 * if it defines it's own capabilities information.
195	 */
196	return (cap_check_fdesc(fdp, cap, str, rej));
197}
198
199/*
200 * Determine if we have been given an ELF file and if so determine if the file
201 * is compatible.  Returns 1 if true, else 0 and sets the reject descriptor
202 * with associated error information.
203 */
204Fct *
205elf_verify(caddr_t addr, size_t size, Fdesc *fdp, const char *name,
206    Rej_desc *rej)
207{
208	Ehdr	*ehdr;
209	char	*caddr = (char *)addr;
210
211	/*
212	 * Determine if we're an elf file.  If not simply return, we don't set
213	 * any rejection information as this test allows use to scroll through
214	 * the objects we support (ELF, AOUT).
215	 */
216	if (size < sizeof (Ehdr) ||
217	    caddr[EI_MAG0] != ELFMAG0 ||
218	    caddr[EI_MAG1] != ELFMAG1 ||
219	    caddr[EI_MAG2] != ELFMAG2 ||
220	    caddr[EI_MAG3] != ELFMAG3) {
221		return (NULL);
222	}
223
224	/*
225	 * Check class and encoding.
226	 */
227	/* LINTED */
228	ehdr = (Ehdr *)addr;
229	if (ehdr->e_ident[EI_CLASS] != M_CLASS) {
230		rej->rej_type = SGS_REJ_CLASS;
231		rej->rej_info = (uint_t)ehdr->e_ident[EI_CLASS];
232		return (NULL);
233	}
234	if (ehdr->e_ident[EI_DATA] != M_DATA) {
235		rej->rej_type = SGS_REJ_DATA;
236		rej->rej_info = (uint_t)ehdr->e_ident[EI_DATA];
237		return (NULL);
238	}
239	if ((ehdr->e_type != ET_REL) && (ehdr->e_type != ET_EXEC) &&
240	    (ehdr->e_type != ET_DYN)) {
241		rej->rej_type = SGS_REJ_TYPE;
242		rej->rej_info = (uint_t)ehdr->e_type;
243		return (NULL);
244	}
245
246	/*
247	 * Verify ELF version.
248	 */
249	if (ehdr->e_version > EV_CURRENT) {
250		rej->rej_type = SGS_REJ_VERSION;
251		rej->rej_info = (uint_t)ehdr->e_version;
252		return (NULL);
253	}
254
255	/*
256	 * Verify machine specific flags.
257	 */
258	if (elf_mach_flags_check(rej, ehdr) == 0)
259		return (NULL);
260
261	/*
262	 * Verify any capability requirements.  Note, if this object is a shared
263	 * object that is explicitly defined on the ldd(1) command line, and it
264	 * contains an incompatible capabilities requirement, then inform the
265	 * user, but continue processing.
266	 */
267	if (elf_cap_check(fdp, ehdr, rej) == 0) {
268		Rt_map	*lmp = lml_main.lm_head;
269
270		if ((lml_main.lm_flags & LML_FLG_TRC_LDDSTUB) && lmp &&
271		    (FLAGS1(lmp) & FL1_RT_LDDSTUB) && (NEXT(lmp) == NULL)) {
272			/* LINTED */
273			(void) printf(MSG_INTL(ldd_warn[rej->rej_type]), name,
274			    rej->rej_str);
275			return (&elf_fct);
276		}
277		return (NULL);
278	}
279	return (&elf_fct);
280}
281
282/*
283 * The runtime linker employs lazy loading to provide the libraries needed for
284 * debugging, preloading .o's and dldump().  As these are seldom used, the
285 * standard startup of ld.so.1 doesn't initialize all the information necessary
286 * to perform plt relocation on ld.so.1's link-map.  The first time lazy loading
287 * is called we get here to perform these initializations:
288 *
289 *  -	elf_needed() is called to establish any ld.so.1 dependencies.  These
290 *	dependencies should all be lazy loaded, so this routine is typically a
291 *	no-op.  However, we call elf_needed() for completeness, in case any
292 *	NEEDED initialization is required.
293 *
294 *  -	For intel, ld.so.1's JMPSLOT relocations need relative updates. These
295 *	are by default skipped thus delaying all relative relocation processing
296 *	on every invocation of ld.so.1.
297 */
298int
299elf_rtld_load()
300{
301	Lm_list	*lml = &lml_rtld;
302	Rt_map	*lmp = lml->lm_head;
303
304	if (lml->lm_flags & LML_FLG_PLTREL)
305		return (1);
306
307	if (elf_needed(lml, ALIST_OFF_DATA, lmp, NULL) == 0)
308		return (0);
309
310#if	defined(__i386)
311	/*
312	 * This is a kludge to give ld.so.1 a performance benefit on i386.
313	 * It's based around two factors.
314	 *
315	 *  -	JMPSLOT relocations (PLT's) actually need a relative relocation
316	 *	applied to the GOT entry so that they can find PLT0.
317	 *
318	 *  -	ld.so.1 does not exercise *any* PLT's before it has made a call
319	 *	to elf_lazy_load().  This is because all dynamic dependencies
320	 *	are recorded as lazy dependencies.
321	 */
322	(void) elf_reloc_relative_count((ulong_t)JMPREL(lmp),
323	    (ulong_t)(PLTRELSZ(lmp) / RELENT(lmp)), (ulong_t)RELENT(lmp),
324	    (ulong_t)ADDR(lmp), lmp, NULL, 0);
325#endif
326	lml->lm_flags |= LML_FLG_PLTREL;
327	return (1);
328}
329
330/*
331 * Lazy load an object.
332 */
333Rt_map *
334elf_lazy_load(Rt_map *clmp, Slookup *slp, uint_t ndx, const char *sym,
335    uint_t flags, Grp_hdl **hdl, int *in_nfavl)
336{
337	Alist		*palp = NULL;
338	Rt_map		*nlmp;
339	Dyninfo		*dip = &DYNINFO(clmp)[ndx], *pdip;
340	const char	*name;
341	Lm_list		*lml = LIST(clmp);
342	Aliste		lmco;
343
344	/*
345	 * If this dependency should be ignored, or has already been processed,
346	 * we're done.
347	 */
348	if (((nlmp = (Rt_map *)dip->di_info) != NULL) ||
349	    (dip->di_flags & (FLG_DI_IGNORE | FLG_DI_LDD_DONE)))
350		return (nlmp);
351
352	/*
353	 * If we're running under ldd(1), indicate that this dependency has been
354	 * processed (see test above).  It doesn't matter whether the object is
355	 * successfully loaded or not, this flag simply ensures that we don't
356	 * repeatedly attempt to load an object that has already failed to load.
357	 * To do so would create multiple failure diagnostics for the same
358	 * object under ldd(1).
359	 */
360	if (lml->lm_flags & LML_FLG_TRC_ENABLE)
361		dip->di_flags |= FLG_DI_LDD_DONE;
362
363	/*
364	 * Determine the initial dependency name.
365	 */
366	name = dip->di_name;
367	DBG_CALL(Dbg_file_lazyload(clmp, name, sym));
368
369	/*
370	 * If this object needs to establish its own group, make sure a handle
371	 * is created.
372	 */
373	if (dip->di_flags & FLG_DI_GROUP)
374		flags |= (FLG_RT_SETGROUP | FLG_RT_PUBHDL);
375
376	/*
377	 * Lazy dependencies are identified as DT_NEEDED entries with a
378	 * DF_P1_LAZYLOAD flag in the previous DT_POSFLAG_1 element.  The
379	 * dynamic information element that corresponds to the DT_POSFLAG_1
380	 * entry is free, and thus used to store the present entrance
381	 * identifier.  This identifier is used to prevent multiple attempts to
382	 * load a failed lazy loadable dependency within the same runtime linker
383	 * operation.  However, future attempts to reload this dependency are
384	 * still possible.
385	 */
386	if (ndx && (pdip = dip - 1) && (pdip->di_flags & FLG_DI_POSFLAG1))
387		pdip->di_info = (void *)slp->sl_id;
388
389	/*
390	 * Expand the requested name if necessary.
391	 */
392	if (elf_fix_name(name, clmp, &palp, AL_CNT_NEEDED, 0) == 0)
393		return (NULL);
394
395	/*
396	 * Establish a link-map control list for this request.
397	 */
398	if ((lmco = create_cntl(lml, 0)) == 0) {
399		remove_alist(&palp, 1);
400		return (NULL);
401	}
402
403	/*
404	 * Load the associated object.
405	 */
406	dip->di_info = nlmp =
407	    load_one(lml, lmco, palp, clmp, MODE(clmp), flags, hdl, in_nfavl);
408
409	/*
410	 * Remove any expanded pathname infrastructure.  Reduce the pending lazy
411	 * dependency count of the caller, together with the link-map lists
412	 * count of objects that still have lazy dependencies pending.
413	 */
414	remove_alist(&palp, 1);
415	if (--LAZY(clmp) == 0)
416		LIST(clmp)->lm_lazy--;
417
418	/*
419	 * Finish processing the objects associated with this request, and
420	 * create an association between the caller and this dependency.
421	 */
422	if (nlmp && ((bind_one(clmp, nlmp, BND_NEEDED) == 0) ||
423	    ((nlmp = analyze_lmc(lml, lmco, nlmp, clmp, in_nfavl)) == NULL) ||
424	    (relocate_lmc(lml, lmco, clmp, nlmp, in_nfavl) == 0)))
425		dip->di_info = nlmp = NULL;
426
427	/*
428	 * If this lazyload has failed, and we've created a new link-map
429	 * control list to which this request has added objects, then remove
430	 * all the objects that have been associated to this request.
431	 */
432	if ((nlmp == NULL) && (lmco != ALIST_OFF_DATA))
433		remove_lmc(lml, clmp, lmco, name);
434
435	/*
436	 * Remove any temporary link-map control list.
437	 */
438	if (lmco != ALIST_OFF_DATA)
439		remove_cntl(lml, lmco);
440
441	/*
442	 * If this lazy loading failed, record the fact, and bump the lazy
443	 * counts.
444	 */
445	if (nlmp == NULL) {
446		dip->di_flags |= FLG_DI_LAZYFAIL;
447		if (LAZY(clmp)++ == 0)
448			LIST(clmp)->lm_lazy++;
449	}
450
451	return (nlmp);
452}
453
454/*
455 * Return the entry point of the ELF executable.
456 */
457static Addr
458elf_entry_point(void)
459{
460	Rt_map	*lmp = lml_main.lm_head;
461	Ehdr	*ehdr = (Ehdr *)ADDR(lmp);
462	Addr	addr = (Addr)(ehdr->e_entry);
463
464	if ((FLAGS(lmp) & FLG_RT_FIXED) == 0)
465		addr += ADDR(lmp);
466
467	return (addr);
468}
469
470/*
471 * Determine if a dependency requires a particular version and if so verify
472 * that the version exists in the dependency.
473 */
474int
475elf_verify_vers(const char *name, Rt_map *clmp, Rt_map *nlmp)
476{
477	Verneed		*vnd = VERNEED(clmp);
478	int		_num, num = VERNEEDNUM(clmp);
479	char		*cstrs = (char *)STRTAB(clmp);
480	Lm_list		*lml = LIST(clmp);
481
482	/*
483	 * Traverse the callers version needed information and determine if any
484	 * specific versions are required from the dependency.
485	 */
486	DBG_CALL(Dbg_ver_need_title(LIST(clmp), NAME(clmp)));
487	for (_num = 1; _num <= num; _num++,
488	    vnd = (Verneed *)((Xword)vnd + vnd->vn_next)) {
489		Half		cnt = vnd->vn_cnt;
490		Vernaux		*vnap;
491		char		*nstrs, *need;
492
493		/*
494		 * Determine if a needed entry matches this dependency.
495		 */
496		need = (char *)(cstrs + vnd->vn_file);
497		if (strcmp(name, need) != 0)
498			continue;
499
500		if ((lml->lm_flags & LML_FLG_TRC_VERBOSE) &&
501		    ((FLAGS1(clmp) & FL1_RT_LDDSTUB) == 0))
502			(void) printf(MSG_INTL(MSG_LDD_VER_FIND), name);
503
504		/*
505		 * Validate that each version required actually exists in the
506		 * dependency.
507		 */
508		nstrs = (char *)STRTAB(nlmp);
509
510		for (vnap = (Vernaux *)((Xword)vnd + vnd->vn_aux); cnt;
511		    cnt--, vnap = (Vernaux *)((Xword)vnap + vnap->vna_next)) {
512			char		*version, *define;
513			Verdef		*vdf = VERDEF(nlmp);
514			ulong_t		_num, num = VERDEFNUM(nlmp);
515			int		found = 0;
516
517			/*
518			 * Skip validation of versions that are marked
519			 * INFO. This optimization is used for versions
520			 * that are inherited by another version. Verification
521			 * of the inheriting version is sufficient.
522			 *
523			 * Such versions are recorded in the object for the
524			 * benefit of VERSYM entries that refer to them. This
525			 * provides a purely diagnostic benefit.
526			 */
527			if (vnap->vna_flags & VER_FLG_INFO)
528				continue;
529
530			version = (char *)(cstrs + vnap->vna_name);
531			DBG_CALL(Dbg_ver_need_entry(lml, 0, need, version));
532
533			for (_num = 1; _num <= num; _num++,
534			    vdf = (Verdef *)((Xword)vdf + vdf->vd_next)) {
535				Verdaux		*vdap;
536
537				if (vnap->vna_hash != vdf->vd_hash)
538					continue;
539
540				vdap = (Verdaux *)((Xword)vdf + vdf->vd_aux);
541				define = (char *)(nstrs + vdap->vda_name);
542				if (strcmp(version, define) != 0)
543					continue;
544
545				found++;
546				break;
547			}
548
549			/*
550			 * If we're being traced print out any matched version
551			 * when the verbose (-v) option is in effect.  Always
552			 * print any unmatched versions.
553			 */
554			if (lml->lm_flags & LML_FLG_TRC_ENABLE) {
555				/* BEGIN CSTYLED */
556				if (found) {
557				    if (!(lml->lm_flags & LML_FLG_TRC_VERBOSE))
558					continue;
559
560				    (void) printf(MSG_ORIG(MSG_LDD_VER_FOUND),
561					need, version, NAME(nlmp));
562				} else {
563				    if (rtld_flags & RT_FL_SILENCERR)
564					continue;
565
566				    (void) printf(MSG_INTL(MSG_LDD_VER_NFOUND),
567					need, version);
568				}
569				/* END CSTYLED */
570				continue;
571			}
572
573			/*
574			 * If the version hasn't been found then this is a
575			 * candidate for a fatal error condition.  Weak
576			 * version definition requirements are silently
577			 * ignored.  Also, if the image inspected for a version
578			 * definition has no versioning recorded at all then
579			 * silently ignore this (this provides better backward
580			 * compatibility to old images created prior to
581			 * versioning being available).  Both of these skipped
582			 * diagnostics are available under tracing (see above).
583			 */
584			if ((found == 0) && (num != 0) &&
585			    (!(vnap->vna_flags & VER_FLG_WEAK))) {
586				eprintf(lml, ERR_FATAL,
587				    MSG_INTL(MSG_VER_NFOUND), need, version,
588				    NAME(clmp));
589				return (0);
590			}
591		}
592	}
593	DBG_CALL(Dbg_ver_need_done(lml));
594	return (1);
595}
596
597/*
598 * Search through the dynamic section for DT_NEEDED entries and perform one
599 * of two functions.  If only the first argument is specified then load the
600 * defined shared object, otherwise add the link map representing the defined
601 * link map the the dlopen list.
602 */
603static int
604elf_needed(Lm_list *lml, Aliste lmco, Rt_map *clmp, int *in_nfavl)
605{
606	Alist		*palp = NULL;
607	Dyn		*dyn;
608	Dyninfo		*dip;
609	Word		lmflags = lml->lm_flags;
610
611	/*
612	 * A DYNINFO() structure is created during link-map generation that
613	 * parallels the DYN() information, and defines any flags that
614	 * influence a dependencies loading.
615	 */
616	for (dyn = DYN(clmp), dip = DYNINFO(clmp);
617	    !(dip->di_flags & FLG_DI_IGNORE); dyn++, dip++) {
618		uint_t		flags = 0, silent = 0;
619		const char	*name = dip->di_name;
620		Rt_map		*nlmp = NULL;
621
622		if ((dip->di_flags & FLG_DI_NEEDED) == 0)
623			continue;
624
625		/*
626		 * Skip any deferred dependencies, unless ldd(1) has forced
627		 * their processing.  By default, deferred dependencies are
628		 * only processed when an explicit binding to an individual
629		 * deferred reference is made.
630		 */
631		if ((dip->di_flags & FLG_DI_DEFERRED) &&
632		    ((rtld_flags & RT_FL_DEFERRED) == 0))
633			continue;
634
635		/*
636		 * NOTE, libc.so.1 can't be lazy loaded.  Although a lazy
637		 * position flag won't be produced when a RTLDINFO .dynamic
638		 * entry is found (introduced with the UPM in Solaris 10), it
639		 * was possible to mark libc for lazy loading on previous
640		 * releases.  To reduce the overhead of testing for this
641		 * occurrence, only carry out this check for the first object
642		 * on the link-map list (there aren't many applications built
643		 * without libc).
644		 */
645		if ((dip->di_flags & FLG_DI_LAZY) && (lml->lm_head == clmp) &&
646		    (strcmp(name, MSG_ORIG(MSG_FIL_LIBC)) == 0))
647			dip->di_flags &= ~FLG_DI_LAZY;
648
649		/*
650		 * Don't bring in lazy loaded objects yet unless we've been
651		 * asked to attempt to load all available objects (crle(1) sets
652		 * LD_FLAGS=loadavail).  Even under RTLD_NOW we don't process
653		 * this - RTLD_NOW will cause relocation processing which in
654		 * turn might trigger lazy loading, but its possible that the
655		 * object has a lazy loaded file with no bindings (i.e., it
656		 * should never have been a dependency in the first place).
657		 */
658		if (dip->di_flags & FLG_DI_LAZY) {
659			if ((lmflags & LML_FLG_LOADAVAIL) == 0) {
660				LAZY(clmp)++;
661				continue;
662			}
663
664			/*
665			 * Silence any error messages - see description under
666			 * elf_lookup_filtee().
667			 */
668			if ((rtld_flags & RT_FL_SILENCERR) == 0) {
669				rtld_flags |= RT_FL_SILENCERR;
670				silent = 1;
671			}
672		}
673
674		DBG_CALL(Dbg_file_needed(clmp, name));
675
676		/*
677		 * If we're running under ldd(1), indicate that this dependency
678		 * has been processed.  It doesn't matter whether the object is
679		 * successfully loaded or not, this flag simply ensures that we
680		 * don't repeatedly attempt to load an object that has already
681		 * failed to load.  To do so would create multiple failure
682		 * diagnostics for the same object under ldd(1).
683		 */
684		if (lml->lm_flags & LML_FLG_TRC_ENABLE)
685			dip->di_flags |= FLG_DI_LDD_DONE;
686
687		/*
688		 * Identify any group permission requirements.
689		 */
690		if (dip->di_flags & FLG_DI_GROUP)
691			flags = (FLG_RT_SETGROUP | FLG_RT_PUBHDL);
692
693		/*
694		 * Establish the objects name, load it and establish a binding
695		 * with the caller.
696		 */
697		if ((elf_fix_name(name, clmp, &palp, AL_CNT_NEEDED, 0) == 0) ||
698		    ((nlmp = load_one(lml, lmco, palp, clmp, MODE(clmp),
699		    flags, 0, in_nfavl)) == NULL) ||
700		    (bind_one(clmp, nlmp, BND_NEEDED) == 0))
701			nlmp = NULL;
702
703		/*
704		 * Clean up any infrastructure, including the removal of the
705		 * error suppression state, if it had been previously set in
706		 * this routine.
707		 */
708		remove_alist(&palp, 0);
709
710		if (silent)
711			rtld_flags &= ~RT_FL_SILENCERR;
712
713		if ((dip->di_info = (void *)nlmp) == NULL) {
714			/*
715			 * If the object could not be mapped, continue if error
716			 * suppression is established or we're here with ldd(1).
717			 */
718			if ((MODE(clmp) & RTLD_CONFGEN) || (lmflags &
719			    (LML_FLG_LOADAVAIL | LML_FLG_TRC_ENABLE)))
720				continue;
721			else {
722				remove_alist(&palp, 1);
723				return (0);
724			}
725		}
726	}
727
728	if (LAZY(clmp))
729		lml->lm_lazy++;
730
731	remove_alist(&palp, 1);
732	return (1);
733}
734
735/*
736 * A null symbol interpretor.  Used if a filter has no associated filtees.
737 */
738/* ARGSUSED0 */
739static int
740elf_null_find_sym(Slookup *slp, Sresult *srp, uint_t *binfo, int *in_nfavl)
741{
742	return (0);
743}
744
745/*
746 * Disable filtee use.
747 */
748static void
749elf_disable_filtee(Rt_map *lmp, Dyninfo *dip)
750{
751	if ((dip->di_flags & FLG_DI_SYMFLTR) == 0) {
752		/*
753		 * If this is an object filter, null out the reference name.
754		 */
755		if (OBJFLTRNDX(lmp) != FLTR_DISABLED) {
756			REFNAME(lmp) = NULL;
757			OBJFLTRNDX(lmp) = FLTR_DISABLED;
758
759			/*
760			 * Indicate that this filtee is no longer available.
761			 */
762			if (dip->di_flags & FLG_DI_STDFLTR)
763				SYMINTP(lmp) = elf_null_find_sym;
764
765		}
766	} else if (dip->di_flags & FLG_DI_STDFLTR) {
767		/*
768		 * Indicate that this standard filtee is no longer available.
769		 */
770		if (SYMSFLTRCNT(lmp))
771			SYMSFLTRCNT(lmp)--;
772	} else {
773		/*
774		 * Indicate that this auxiliary filtee is no longer available.
775		 */
776		if (SYMAFLTRCNT(lmp))
777			SYMAFLTRCNT(lmp)--;
778	}
779	dip->di_flags &= ~MSK_DI_FILTER;
780}
781
782/*
783 * Find symbol interpreter - filters.
784 * This function is called when the symbols from a shared object should
785 * be resolved from the shared objects filtees instead of from within itself.
786 *
787 * A symbol name of 0 is used to trigger filtee loading.
788 */
789static int
790_elf_lookup_filtee(Slookup *slp, Sresult *srp, uint_t *binfo, uint_t ndx,
791    int *in_nfavl)
792{
793	const char	*name = slp->sl_name, *filtees;
794	Rt_map		*clmp = slp->sl_cmap;
795	Rt_map		*ilmp = slp->sl_imap;
796	Pdesc		*pdp;
797	int		any;
798	Dyninfo		*dip = &DYNINFO(ilmp)[ndx];
799	Lm_list		*lml = LIST(ilmp);
800	Aliste		idx;
801
802	/*
803	 * Indicate that the filter has been used.  If a binding already exists
804	 * to the caller, indicate that this object is referenced.  This insures
805	 * we don't generate false unreferenced diagnostics from ldd -u/U or
806	 * debugging.  Don't create a binding regardless, as this filter may
807	 * have been dlopen()'ed.
808	 */
809	if (name && (ilmp != clmp)) {
810		Word	tracing = (LIST(clmp)->lm_flags &
811		    (LML_FLG_TRC_UNREF | LML_FLG_TRC_UNUSED));
812
813		if (tracing || DBG_ENABLED) {
814			Bnd_desc	*bdp;
815			Aliste		idx;
816
817			FLAGS1(ilmp) |= FL1_RT_USED;
818
819			if ((tracing & LML_FLG_TRC_UNREF) || DBG_ENABLED) {
820				for (APLIST_TRAVERSE(CALLERS(ilmp), idx, bdp)) {
821					if (bdp->b_caller == clmp) {
822						bdp->b_flags |= BND_REFER;
823						break;
824					}
825				}
826			}
827		}
828	}
829
830	/*
831	 * If this is the first call to process this filter, establish the
832	 * filtee list.  If a configuration file exists, determine if any
833	 * filtee associations for this filter, and its filtee reference, are
834	 * defined.  Otherwise, process the filtee reference.  Any token
835	 * expansion is also completed at this point (i.e., $PLATFORM).
836	 */
837	filtees = dip->di_name;
838	if (dip->di_info == NULL) {
839		if (rtld_flags2 & RT_FL2_FLTCFG) {
840			elf_config_flt(lml, PATHNAME(ilmp), filtees,
841			    (Alist **)&dip->di_info, AL_CNT_FILTEES);
842		}
843		if (dip->di_info == NULL) {
844			DBG_CALL(Dbg_file_filter(lml, NAME(ilmp), filtees, 0));
845			if ((lml->lm_flags &
846			    (LML_FLG_TRC_VERBOSE | LML_FLG_TRC_SEARCH)) &&
847			    ((FLAGS1(ilmp) & FL1_RT_LDDSTUB) == 0))
848				(void) printf(MSG_INTL(MSG_LDD_FIL_FILTER),
849				    NAME(ilmp), filtees);
850
851			if (expand_paths(ilmp, filtees, (Alist **)&dip->di_info,
852			    AL_CNT_FILTEES, 0, 0) == 0) {
853				elf_disable_filtee(ilmp, dip);
854				return (0);
855			}
856		}
857	}
858
859	/*
860	 * Traverse the filtee list, dlopen()'ing any objects specified and
861	 * using their group handle to lookup the symbol.
862	 */
863	any = 0;
864	for (ALIST_TRAVERSE((Alist *)dip->di_info, idx, pdp)) {
865		int	mode;
866		Grp_hdl	*ghp;
867		Rt_map	*nlmp = NULL;
868
869		if (pdp->pd_plen == 0)
870			continue;
871
872		/*
873		 * Establish the mode of the filtee from the filter.  As filtees
874		 * are loaded via a dlopen(), make sure that RTLD_GROUP is set
875		 * and the filtees aren't global.  It would be nice to have
876		 * RTLD_FIRST used here also, but as filters got out long before
877		 * RTLD_FIRST was introduced it's a little too late now.
878		 */
879		mode = MODE(ilmp) | RTLD_GROUP;
880		mode &= ~RTLD_GLOBAL;
881
882		/*
883		 * Insure that any auxiliary filter can locate symbols from its
884		 * caller.
885		 */
886		if (dip->di_flags & FLG_DI_AUXFLTR)
887			mode |= RTLD_PARENT;
888
889		/*
890		 * Process any capability directory.  Establish a new link-map
891		 * control list from which to analyze any newly added objects.
892		 */
893		if ((pdp->pd_info == NULL) && (pdp->pd_flags & PD_TKN_CAP)) {
894			const char	*dir = pdp->pd_pname;
895			Aliste		lmco;
896
897			/*
898			 * Establish a link-map control list for this request.
899			 */
900			if ((lmco = create_cntl(lml, 0)) == 0)
901				return (0);
902
903			/*
904			 * Determine the capability filtees.  If none can be
905			 * found, provide suitable diagnostics.
906			 */
907			DBG_CALL(Dbg_cap_filter(lml, dir, ilmp));
908			if (cap_filtees((Alist **)&dip->di_info, idx, dir,
909			    lmco, ilmp, clmp, filtees, mode,
910			    (FLG_RT_PUBHDL | FLG_RT_CAP), in_nfavl) == 0) {
911				if ((lml->lm_flags & LML_FLG_TRC_ENABLE) &&
912				    (dip->di_flags & FLG_DI_AUXFLTR) &&
913				    (rtld_flags & RT_FL_WARNFLTR)) {
914					(void) printf(
915					    MSG_INTL(MSG_LDD_CAP_NFOUND), dir);
916				}
917				DBG_CALL(Dbg_cap_filter(lml, dir, 0));
918			}
919
920			/*
921			 * Re-establish the originating path name descriptor,
922			 * as the expansion of capabilities filtees may have
923			 * re-allocated the controlling Alist.  Mark this
924			 * original pathname descriptor as unused so that the
925			 * descriptor isn't revisited for processing.  Any real
926			 * capabilities filtees have been added as new pathname
927			 * descriptors following this descriptor.
928			 */
929			pdp = alist_item((Alist *)dip->di_info, idx);
930			pdp->pd_flags &= ~PD_TKN_CAP;
931			pdp->pd_plen = 0;
932
933			/*
934			 * Now that any capability objects have been processed,
935			 * remove any temporary link-map control list.
936			 */
937			if (lmco != ALIST_OFF_DATA)
938				remove_cntl(lml, lmco);
939		}
940
941		if (pdp->pd_plen == 0)
942			continue;
943
944		/*
945		 * Process an individual filtee.
946		 */
947		if (pdp->pd_info == NULL) {
948			const char	*filtee = pdp->pd_pname;
949			int		audit = 0;
950
951			DBG_CALL(Dbg_file_filtee(lml, NAME(ilmp), filtee, 0));
952
953			ghp = NULL;
954
955			/*
956			 * Determine if the reference link map is already
957			 * loaded.  As an optimization compare the filtee with
958			 * our interpretor.  The most common filter is
959			 * libdl.so.1, which is a filter on ld.so.1.
960			 */
961#if	defined(_ELF64)
962			if (strcmp(filtee, MSG_ORIG(MSG_PTH_RTLD_64)) == 0) {
963#else
964			if (strcmp(filtee, MSG_ORIG(MSG_PTH_RTLD)) == 0) {
965#endif
966				uint_t	hflags, rdflags, cdflags;
967
968				/*
969				 * Establish any flags for the handle (Grp_hdl).
970				 *
971				 *  -	This is a special, public, ld.so.1
972				 *	handle.
973				 *  -	Only the first object on this handle
974				 *	can supply symbols.
975				 *  -	This handle provides a filtee.
976				 *
977				 * Essentially, this handle allows a caller to
978				 * reference the dl*() family of interfaces from
979				 * ld.so.1.
980				 */
981				hflags = (GPH_PUBLIC | GPH_LDSO |
982				    GPH_FIRST | GPH_FILTEE);
983
984				/*
985				 * Establish the flags for the referenced
986				 * dependency descriptor (Grp_desc).
987				 *
988				 *  -	ld.so.1 is available for dlsym().
989				 *  -	ld.so.1 is available to relocate
990				 *	against.
991				 *  -	There's no need to add an dependencies
992				 *	to this handle.
993				 */
994				rdflags = (GPD_DLSYM | GPD_RELOC);
995
996				/*
997				 * Establish the flags for this callers
998				 * dependency descriptor (Grp_desc).
999				 *
1000				 *  -   The explicit creation of a handle
1001				 *	creates a descriptor for the referenced
1002				 *	object and the parent (caller).
1003				 */
1004				cdflags = GPD_PARENT;
1005
1006				nlmp = lml_rtld.lm_head;
1007				if ((ghp = hdl_create(&lml_rtld, nlmp, ilmp,
1008				    hflags, rdflags, cdflags)) == NULL)
1009					nlmp = NULL;
1010
1011				/*
1012				 * Establish the filter handle to prevent any
1013				 * recursion.
1014				 */
1015				if (nlmp && ghp)
1016					pdp->pd_info = (void *)ghp;
1017
1018				/*
1019				 * Audit the filter/filtee established.  Ignore
1020				 * any return from the auditor, as we can't
1021				 * allow ignore filtering to ld.so.1, otherwise
1022				 * nothing is going to work.
1023				 */
1024				if (nlmp && ((lml->lm_tflags | AFLAGS(ilmp)) &
1025				    LML_TFLG_AUD_OBJFILTER))
1026					(void) audit_objfilter(ilmp, filtees,
1027					    nlmp, 0);
1028
1029			} else {
1030				Rej_desc	rej = { 0 };
1031				Fdesc		fd = { 0 };
1032				Aliste		lmco;
1033
1034				/*
1035				 * Trace the inspection of this file, determine
1036				 * any auditor substitution, and seed the file
1037				 * descriptor with the originating name.
1038				 */
1039				if (load_trace(lml, pdp, clmp, &fd) == NULL)
1040					continue;
1041
1042				/*
1043				 * Establish a link-map control list for this
1044				 * request.
1045				 */
1046				if ((lmco = create_cntl(lml, 0)) == 0)
1047					return (0);
1048
1049				/*
1050				 * Locate and load the filtee.
1051				 */
1052				if ((nlmp = load_path(lml, lmco, ilmp, mode,
1053				    FLG_RT_PUBHDL, &ghp, &fd, &rej,
1054				    in_nfavl)) == NULL)
1055					file_notfound(LIST(ilmp), filtee, ilmp,
1056					    FLG_RT_PUBHDL, &rej);
1057
1058				filtee = pdp->pd_pname;
1059
1060				/*
1061				 * Establish the filter handle to prevent any
1062				 * recursion.
1063				 */
1064				if (nlmp && ghp) {
1065					ghp->gh_flags |= GPH_FILTEE;
1066					pdp->pd_info = (void *)ghp;
1067
1068					FLAGS1(nlmp) |= FL1_RT_USED;
1069				}
1070
1071				/*
1072				 * Audit the filter/filtee established.  A
1073				 * return of 0 indicates the auditor wishes to
1074				 * ignore this filtee.
1075				 */
1076				if (nlmp && ((lml->lm_tflags | FLAGS1(ilmp)) &
1077				    LML_TFLG_AUD_OBJFILTER)) {
1078					if (audit_objfilter(ilmp, filtees,
1079					    nlmp, 0) == 0) {
1080						audit = 1;
1081						nlmp = NULL;
1082					}
1083				}
1084
1085				/*
1086				 * Finish processing the objects associated with
1087				 * this request.  Create an association between
1088				 * this object and the originating filter to
1089				 * provide sufficient information to tear down
1090				 * this filtee if necessary.
1091				 */
1092				if (nlmp && ghp && (((nlmp = analyze_lmc(lml,
1093				    lmco, nlmp, clmp, in_nfavl)) == NULL) ||
1094				    (relocate_lmc(lml, lmco, ilmp, nlmp,
1095				    in_nfavl) == 0)))
1096					nlmp = NULL;
1097
1098				/*
1099				 * If the filtee has been successfully
1100				 * processed, then create an association
1101				 * between the filter and filtee.  This
1102				 * association provides sufficient information
1103				 * to tear down the filter and filtee if
1104				 * necessary.
1105				 */
1106				DBG_CALL(Dbg_file_hdl_title(DBG_HDL_ADD));
1107				if (nlmp && ghp && (hdl_add(ghp, ilmp,
1108				    GPD_FILTER, NULL) == NULL))
1109					nlmp = NULL;
1110
1111				/*
1112				 * Generate a diagnostic if the filtee couldn't
1113				 * be loaded.
1114				 */
1115				if (nlmp == NULL)
1116					DBG_CALL(Dbg_file_filtee(lml, 0, filtee,
1117					    audit));
1118
1119				/*
1120				 * If this filtee loading has failed, and we've
1121				 * created a new link-map control list to which
1122				 * this request has added objects, then remove
1123				 * all the objects that have been associated to
1124				 * this request.
1125				 */
1126				if ((nlmp == NULL) && (lmco != ALIST_OFF_DATA))
1127					remove_lmc(lml, clmp, lmco, name);
1128
1129				/*
1130				 * Remove any temporary link-map control list.
1131				 */
1132				if (lmco != ALIST_OFF_DATA)
1133					remove_cntl(lml, lmco);
1134			}
1135
1136			/*
1137			 * If the filtee couldn't be loaded, null out the
1138			 * path name descriptor entry, and continue the search.
1139			 * Otherwise, the group handle is retained for future
1140			 * symbol searches.
1141			 */
1142			if (nlmp == NULL) {
1143				pdp->pd_info = NULL;
1144				pdp->pd_plen = 0;
1145				continue;
1146			}
1147		}
1148
1149		ghp = (Grp_hdl *)pdp->pd_info;
1150
1151		/*
1152		 * If name is NULL, we're here to trigger filtee loading.
1153		 * Skip the symbol lookup so that we'll continue looking for
1154		 * additional filtees.
1155		 */
1156		if (name) {
1157			Grp_desc	*gdp;
1158			int		ret = 0;
1159			Aliste		idx;
1160			Slookup		sl = *slp;
1161
1162			sl.sl_flags |= (LKUP_FIRST | LKUP_DLSYM);
1163			any++;
1164
1165			/*
1166			 * Look for the symbol in the handles dependencies.
1167			 */
1168			for (ALIST_TRAVERSE(ghp->gh_depends, idx, gdp)) {
1169				if ((gdp->gd_flags & GPD_DLSYM) == 0)
1170					continue;
1171
1172				/*
1173				 * If our parent is a dependency don't look at
1174				 * it (otherwise we are in a recursive loop).
1175				 * This situation can occur with auxiliary
1176				 * filters if the filtee has a dependency on the
1177				 * filter.  This dependency isn't necessary as
1178				 * auxiliary filters are opened RTLD_PARENT, but
1179				 * users may still unknowingly add an explicit
1180				 * dependency to the parent.
1181				 */
1182				if ((sl.sl_imap = gdp->gd_depend) == ilmp)
1183					continue;
1184
1185				if (((ret = SYMINTP(sl.sl_imap)(&sl, srp, binfo,
1186				    in_nfavl)) != 0) ||
1187				    (ghp->gh_flags & GPH_FIRST))
1188					break;
1189			}
1190
1191			/*
1192			 * If a symbol has been found, indicate the binding
1193			 * and return the symbol.
1194			 */
1195			if (ret) {
1196				*binfo |= DBG_BINFO_FILTEE;
1197				return (1);
1198			}
1199		}
1200
1201		/*
1202		 * If this object is tagged to terminate filtee processing we're
1203		 * done.
1204		 */
1205		if (FLAGS1(ghp->gh_ownlmp) & FL1_RT_ENDFILTE)
1206			break;
1207	}
1208
1209	/*
1210	 * If we're just here to trigger filtee loading then we're done.
1211	 */
1212	if (name == NULL)
1213		return (0);
1214
1215	/*
1216	 * If no filtees have been found for a filter, clean up any path name
1217	 * descriptors and disable their search completely.  For auxiliary
1218	 * filters we can reselect the symbol search function so that we never
1219	 * enter this routine again for this object.  For standard filters we
1220	 * use the null symbol routine.
1221	 */
1222	if (any == 0) {
1223		remove_alist((Alist **)&(dip->di_info), 1);
1224		elf_disable_filtee(ilmp, dip);
1225	}
1226
1227	return (0);
1228}
1229
1230/*
1231 * Focal point for disabling error messages for auxiliary filters.  As an
1232 * auxiliary filter allows for filtee use, but provides a fallback should a
1233 * filtee not exist (or fail to load), any errors generated as a consequence of
1234 * trying to load the filtees are typically suppressed.  Setting RT_FL_SILENCERR
1235 * suppresses errors generated by eprintf(), but ensures a debug diagnostic is
1236 * produced.  ldd(1) employs printf(), and here the selection of whether to
1237 * print a diagnostic in regards to auxiliary filters is a little more complex.
1238 *
1239 *   -	The determination of whether to produce an ldd message, or a fatal
1240 *	error message is driven by LML_FLG_TRC_ENABLE.
1241 *   -	More detailed ldd messages may also be driven off of LML_FLG_TRC_WARN,
1242 *	(ldd -d/-r), LML_FLG_TRC_VERBOSE (ldd -v), LML_FLG_TRC_SEARCH (ldd -s),
1243 *	and LML_FLG_TRC_UNREF/LML_FLG_TRC_UNUSED (ldd -U/-u).
1244 *   -	If the calling object is lddstub, then several classes of message are
1245 *	suppressed.  The user isn't trying to diagnose lddstub, this is simply
1246 *	a stub executable employed to preload a user specified library against.
1247 *   -	If RT_FL_SILENCERR is in effect then any generic ldd() messages should
1248 *	be suppressed.  All detailed ldd messages should still be produced.
1249 */
1250int
1251elf_lookup_filtee(Slookup *slp, Sresult *srp, uint_t *binfo, uint_t ndx,
1252    int *in_nfavl)
1253{
1254	Dyninfo	*dip = &DYNINFO(slp->sl_imap)[ndx];
1255	int	ret, silent = 0;
1256
1257	/*
1258	 * Make sure this entry is still acting as a filter.  We may have tried
1259	 * to process this previously, and disabled it if the filtee couldn't
1260	 * be processed.  However, other entries may provide different filtees
1261	 * that are yet to be completed.
1262	 */
1263	if (dip->di_flags == 0)
1264		return (0);
1265
1266	/*
1267	 * Indicate whether an error message is required should this filtee not
1268	 * be found, based on the type of filter.
1269	 */
1270	if ((dip->di_flags & FLG_DI_AUXFLTR) &&
1271	    ((rtld_flags & (RT_FL_WARNFLTR | RT_FL_SILENCERR)) == 0)) {
1272		rtld_flags |= RT_FL_SILENCERR;
1273		silent = 1;
1274	}
1275
1276	ret = _elf_lookup_filtee(slp, srp, binfo, ndx, in_nfavl);
1277
1278	if (silent)
1279		rtld_flags &= ~RT_FL_SILENCERR;
1280
1281	return (ret);
1282}
1283
1284/*
1285 * Compute the elf hash value (as defined in the ELF access library).
1286 * The form of the hash table is:
1287 *
1288 *	|--------------|
1289 *	| # of buckets |
1290 *	|--------------|
1291 *	| # of chains  |
1292 *	|--------------|
1293 *	|   bucket[]   |
1294 *	|--------------|
1295 *	|   chain[]    |
1296 *	|--------------|
1297 */
1298ulong_t
1299elf_hash(const char *name)
1300{
1301	uint_t	hval = 0;
1302
1303	while (*name) {
1304		uint_t	g;
1305		hval = (hval << 4) + *name++;
1306		if ((g = (hval & 0xf0000000)) != 0)
1307			hval ^= g >> 24;
1308		hval &= ~g;
1309	}
1310	return ((ulong_t)hval);
1311}
1312
1313/*
1314 * Look up a symbol.  The callers lookup information is passed in the Slookup
1315 * structure, and any resultant binding information is returned in the Sresult
1316 * structure.
1317 */
1318int
1319elf_find_sym(Slookup *slp, Sresult *srp, uint_t *binfo, int *in_nfavl)
1320{
1321	const char	*name = slp->sl_name;
1322	Rt_map		*ilmp = slp->sl_imap;
1323	ulong_t		hash = slp->sl_hash;
1324	uint_t		ndx, hashoff, buckets, *chainptr;
1325	Sym		*sym, *symtabptr;
1326	char		*strtabptr, *strtabname;
1327	uint_t		flags1;
1328	Syminfo		*sip;
1329
1330	/*
1331	 * If we're only here to establish a symbols index, skip the diagnostic
1332	 * used to trace a symbol search.
1333	 */
1334	if ((slp->sl_flags & LKUP_SYMNDX) == 0)
1335		DBG_CALL(Dbg_syms_lookup(ilmp, name, MSG_ORIG(MSG_STR_ELF)));
1336
1337	if (HASH(ilmp) == NULL)
1338		return (0);
1339
1340	buckets = HASH(ilmp)[0];
1341	/* LINTED */
1342	hashoff = ((uint_t)hash % buckets) + 2;
1343
1344	/*
1345	 * Get the first symbol from the hash chain and initialize the string
1346	 * and symbol table pointers.
1347	 */
1348	if ((ndx = HASH(ilmp)[hashoff]) == 0)
1349		return (0);
1350
1351	chainptr = HASH(ilmp) + 2 + buckets;
1352	strtabptr = STRTAB(ilmp);
1353	symtabptr = SYMTAB(ilmp);
1354
1355	while (ndx) {
1356		sym = symtabptr + ndx;
1357		strtabname = strtabptr + sym->st_name;
1358
1359		/*
1360		 * Compare the symbol found with the name required.  If the
1361		 * names don't match continue with the next hash entry.
1362		 */
1363		if ((*strtabname++ != *name) || strcmp(strtabname, &name[1])) {
1364			hashoff = ndx + buckets + 2;
1365			if ((ndx = chainptr[ndx]) != 0)
1366				continue;
1367			return (0);
1368		}
1369
1370		/*
1371		 * Symbols that are defined as hidden within an object usually
1372		 * have any references from within the same object bound at
1373		 * link-edit time, thus ld.so.1 is not involved.  However, if
1374		 * these are capabilities symbols, then references to them must
1375		 * be resolved at runtime.  A hidden symbol can only be bound
1376		 * to by the object that defines the symbol.
1377		 */
1378		if ((sym->st_shndx != SHN_UNDEF) &&
1379		    (ELF_ST_VISIBILITY(sym->st_other) == STV_HIDDEN) &&
1380		    (slp->sl_cmap != ilmp))
1381			return (0);
1382
1383		/*
1384		 * The Solaris ld does not put DT_VERSYM in the dynamic
1385		 * section, but the GNU ld does. The GNU runtime linker
1386		 * interprets the top bit of the 16-bit Versym value
1387		 * (0x8000) as the "hidden" bit. If this bit is set,
1388		 * the linker is supposed to act as if that symbol does
1389		 * not exist. The hidden bit supports their versioning
1390		 * scheme, which allows multiple incompatible functions
1391		 * with the same name to exist at different versions
1392		 * within an object. The Solaris linker does not support this
1393		 * mechanism, or the model of interface evolution that
1394		 * it allows, but we honor the hidden bit in GNU ld
1395		 * produced objects in order to interoperate with them.
1396		 */
1397		if (VERSYM(ilmp) && (VERSYM(ilmp)[ndx] & 0x8000)) {
1398			DBG_CALL(Dbg_syms_ignore_gnuver(ilmp, name,
1399			    ndx, VERSYM(ilmp)[ndx]));
1400			return (0);
1401		}
1402
1403		/*
1404		 * If we're only here to establish a symbol's index, we're done.
1405		 */
1406		if (slp->sl_flags & LKUP_SYMNDX) {
1407			srp->sr_dmap = ilmp;
1408			srp->sr_sym = sym;
1409			return (1);
1410		}
1411
1412		/*
1413		 * If we find a match and the symbol is defined, capture the
1414		 * symbol pointer and the link map in which it was found.
1415		 */
1416		if (sym->st_shndx != SHN_UNDEF) {
1417			srp->sr_dmap = ilmp;
1418			srp->sr_sym = sym;
1419			*binfo |= DBG_BINFO_FOUND;
1420
1421			if ((FLAGS(ilmp) & FLG_RT_OBJINTPO) ||
1422			    ((FLAGS(ilmp) & FLG_RT_SYMINTPO) &&
1423			    is_sym_interposer(ilmp, sym)))
1424				*binfo |= DBG_BINFO_INTERPOSE;
1425			break;
1426
1427		/*
1428		 * If we find a match and the symbol is undefined, the
1429		 * symbol type is a function, and the value of the symbol
1430		 * is non zero, then this is a special case.  This allows
1431		 * the resolution of a function address to the plt[] entry.
1432		 * See SPARC ABI, Dynamic Linking, Function Addresses for
1433		 * more details.
1434		 */
1435		} else if ((slp->sl_flags & LKUP_SPEC) &&
1436		    (FLAGS(ilmp) & FLG_RT_ISMAIN) && (sym->st_value != 0) &&
1437		    (ELF_ST_TYPE(sym->st_info) == STT_FUNC)) {
1438			srp->sr_dmap = ilmp;
1439			srp->sr_sym = sym;
1440			*binfo |= (DBG_BINFO_FOUND | DBG_BINFO_PLTADDR);
1441
1442			if ((FLAGS(ilmp) & FLG_RT_OBJINTPO) ||
1443			    ((FLAGS(ilmp) & FLG_RT_SYMINTPO) &&
1444			    is_sym_interposer(ilmp, sym)))
1445				*binfo |= DBG_BINFO_INTERPOSE;
1446			return (1);
1447		}
1448
1449		/*
1450		 * Undefined symbol.
1451		 */
1452		return (0);
1453	}
1454
1455	/*
1456	 * We've found a match.  Determine if the defining object contains
1457	 * symbol binding information.
1458	 */
1459	if ((sip = SYMINFO(ilmp)) != NULL)
1460		sip += ndx;
1461
1462	/*
1463	 * If this definition is a singleton, and we haven't followed a default
1464	 * symbol search knowing that we're looking for a singleton (presumably
1465	 * because the symbol definition has been changed since the referring
1466	 * object was built), then reject this binding so that the caller can
1467	 * fall back to a standard symbol search.
1468	 */
1469	if ((ELF_ST_VISIBILITY(sym->st_other) == STV_SINGLETON) &&
1470	    (((slp->sl_flags & LKUP_STANDARD) == 0) ||
1471	    (((slp->sl_flags & LKUP_SINGLETON) == 0) &&
1472	    (LIST(ilmp)->lm_flags & LML_FLG_GROUPSEXIST)))) {
1473		DBG_CALL(Dbg_bind_reject(slp->sl_cmap, ilmp, name,
1474		    DBG_BNDREJ_SINGLE));
1475		*binfo |= BINFO_REJSINGLE;
1476		*binfo &= ~DBG_BINFO_MSK;
1477		return (0);
1478	}
1479
1480	/*
1481	 * If this is a direct binding request, but the symbol definition has
1482	 * disabled directly binding to it (presumably because the symbol
1483	 * definition has been changed since the referring object was built),
1484	 * reject this binding so that the caller can fall back to a standard
1485	 * symbol search.
1486	 */
1487	if (sip && (slp->sl_flags & LKUP_DIRECT) &&
1488	    (sip->si_flags & SYMINFO_FLG_NOEXTDIRECT)) {
1489		DBG_CALL(Dbg_bind_reject(slp->sl_cmap, ilmp, name,
1490		    DBG_BNDREJ_DIRECT));
1491		*binfo |= BINFO_REJDIRECT;
1492		*binfo &= ~DBG_BINFO_MSK;
1493		return (0);
1494	}
1495
1496	/*
1497	 * If this is a binding request within an RTLD_GROUP family, and the
1498	 * symbol has disabled directly binding to it, reject this binding so
1499	 * that the caller can fall back to a standard symbol search.
1500	 *
1501	 * Effectively, an RTLD_GROUP family achieves what can now be
1502	 * established with direct bindings.  However, various symbols have
1503	 * been tagged as inappropriate for direct binding to (ie. libc:malloc).
1504	 *
1505	 * A symbol marked as no-direct cannot be used within a group without
1506	 * first ensuring that the symbol has not been interposed upon outside
1507	 * of the group.  A common example occurs when users implement their own
1508	 * version of malloc() in the executable.  Such a malloc() interposes on
1509	 * the libc:malloc, and this interposition must be honored within the
1510	 * group as well.
1511	 *
1512	 * Following any rejection, LKUP_WORLD is established as a means of
1513	 * overriding this test as we return to a standard search.
1514	 */
1515	if (sip && (sip->si_flags & SYMINFO_FLG_NOEXTDIRECT) &&
1516	    ((MODE(slp->sl_cmap) & (RTLD_GROUP | RTLD_WORLD)) == RTLD_GROUP) &&
1517	    ((slp->sl_flags & LKUP_WORLD) == 0)) {
1518		DBG_CALL(Dbg_bind_reject(slp->sl_cmap, ilmp, name,
1519		    DBG_BNDREJ_GROUP));
1520		*binfo |= BINFO_REJGROUP;
1521		*binfo &= ~DBG_BINFO_MSK;
1522		return (0);
1523	}
1524
1525	/*
1526	 * If this symbol is associated with capabilities, then each of the
1527	 * capabilities instances needs to be compared against the system
1528	 * capabilities.  The best instance will be chosen to satisfy this
1529	 * binding.
1530	 */
1531	if (CAP(ilmp) && CAPINFO(ilmp) && ELF_C_GROUP(CAPINFO(ilmp)[ndx]) &&
1532	    (cap_match(srp, ndx, symtabptr, strtabptr) == 0))
1533		return (0);
1534
1535	/*
1536	 * Determine whether this object is acting as a filter.
1537	 */
1538	if (((flags1 = FLAGS1(ilmp)) & MSK_RT_FILTER) == 0)
1539		return (1);
1540
1541	/*
1542	 * Determine if this object offers per-symbol filtering, and if so,
1543	 * whether this symbol references a filtee.
1544	 */
1545	if (sip && (flags1 & (FL1_RT_SYMSFLTR | FL1_RT_SYMAFLTR))) {
1546		/*
1547		 * If this is a standard filter reference, and no standard
1548		 * filtees remain to be inspected, we're done.  If this is an
1549		 * auxiliary filter reference, and no auxiliary filtees remain,
1550		 * we'll fall through in case any object filtering is available.
1551		 */
1552		if ((sip->si_flags & SYMINFO_FLG_FILTER) &&
1553		    (SYMSFLTRCNT(ilmp) == 0))
1554			return (0);
1555
1556		if ((sip->si_flags & SYMINFO_FLG_FILTER) ||
1557		    ((sip->si_flags & SYMINFO_FLG_AUXILIARY) &&
1558		    SYMAFLTRCNT(ilmp))) {
1559			Sresult	sr;
1560
1561			/*
1562			 * Initialize a local symbol result descriptor, using
1563			 * the original symbol name.
1564			 */
1565			SRESULT_INIT(sr, slp->sl_name);
1566
1567			/*
1568			 * This symbol has an associated filtee.  Lookup the
1569			 * symbol in the filtee, and if it is found return it.
1570			 * If the symbol doesn't exist, and this is a standard
1571			 * filter, return an error, otherwise fall through to
1572			 * catch any object filtering that may be available.
1573			 */
1574			if (elf_lookup_filtee(slp, &sr, binfo, sip->si_boundto,
1575			    in_nfavl)) {
1576				*srp = sr;
1577				return (1);
1578			}
1579			if (sip->si_flags & SYMINFO_FLG_FILTER)
1580				return (0);
1581		}
1582	}
1583
1584	/*
1585	 * Determine if this object provides global filtering.
1586	 */
1587	if (flags1 & (FL1_RT_OBJSFLTR | FL1_RT_OBJAFLTR)) {
1588		if (OBJFLTRNDX(ilmp) != FLTR_DISABLED) {
1589			Sresult	sr;
1590
1591			/*
1592			 * Initialize a local symbol result descriptor, using
1593			 * the original symbol name.
1594			 */
1595			SRESULT_INIT(sr, slp->sl_name);
1596
1597			/*
1598			 * This object has an associated filtee.  Lookup the
1599			 * symbol in the filtee, and if it is found return it.
1600			 * If the symbol doesn't exist, and this is a standard
1601			 * filter, return and error, otherwise return the symbol
1602			 * within the filter itself.
1603			 */
1604			if (elf_lookup_filtee(slp, &sr, binfo, OBJFLTRNDX(ilmp),
1605			    in_nfavl)) {
1606				*srp = sr;
1607				return (1);
1608			}
1609		}
1610
1611		if (flags1 & FL1_RT_OBJSFLTR)
1612			return (0);
1613	}
1614	return (1);
1615}
1616
1617/*
1618 * Create a new Rt_map structure for an ELF object and initialize
1619 * all values.
1620 */
1621Rt_map *
1622elf_new_lmp(Lm_list *lml, Aliste lmco, Fdesc *fdp, Addr addr, size_t msize,
1623    void *odyn, Rt_map *clmp, int *in_nfavl)
1624{
1625	const char	*name = fdp->fd_nname;
1626	Rt_map		*lmp;
1627	Ehdr		*ehdr = (Ehdr *)addr;
1628	Phdr		*phdr, *tphdr = NULL, *dphdr = NULL, *uphdr = NULL;
1629	Dyn		*dyn = (Dyn *)odyn;
1630	Cap		*cap = NULL;
1631	int		ndx;
1632	Addr		base, fltr = 0, audit = 0, cfile = 0, crle = 0;
1633	Xword		rpath = 0;
1634	size_t		lmsz, rtsz, epsz, dynsz = 0;
1635	uint_t		dyncnt = 0;
1636
1637	DBG_CALL(Dbg_file_elf(lml, name, addr, msize, lml->lm_lmidstr, lmco));
1638
1639	/*
1640	 * If this is a shared object, the base address of the shared object is
1641	 * added to all address values defined within the object.  Otherwise, if
1642	 * this is an executable, all object addresses are used as is.
1643	 */
1644	if (ehdr->e_type == ET_EXEC)
1645		base = 0;
1646	else
1647		base = addr;
1648
1649	/*
1650	 * Traverse the program header table, picking off required items.  This
1651	 * traversal also provides for the sizing of the PT_DYNAMIC section.
1652	 */
1653	phdr = (Phdr *)((uintptr_t)ehdr + ehdr->e_phoff);
1654	for (ndx = 0; ndx < (int)ehdr->e_phnum; ndx++,
1655	    phdr = (Phdr *)((uintptr_t)phdr + ehdr->e_phentsize)) {
1656		switch (phdr->p_type) {
1657		case PT_DYNAMIC:
1658			dphdr = phdr;
1659			dyn = (Dyn *)((uintptr_t)phdr->p_vaddr + base);
1660			break;
1661		case PT_TLS:
1662			tphdr = phdr;
1663			break;
1664		case PT_SUNWCAP:
1665			cap = (Cap *)((uintptr_t)phdr->p_vaddr + base);
1666			break;
1667		case PT_SUNW_UNWIND:
1668		case PT_SUNW_EH_FRAME:
1669			uphdr = phdr;
1670			break;
1671		default:
1672			break;
1673		}
1674	}
1675
1676	/*
1677	 * Determine the number of PT_DYNAMIC entries for the DYNINFO()
1678	 * allocation.  Sadly, this is a little larger than we really need,
1679	 * as there are typically padding DT_NULL entries.  However, adding
1680	 * this data to the initial link-map allocation is a win.
1681	 */
1682	if (dyn) {
1683		dyncnt = dphdr->p_filesz / sizeof (Dyn);
1684		dynsz = dyncnt * sizeof (Dyninfo);
1685	}
1686
1687	/*
1688	 * Allocate space for the link-map, private elf information, and
1689	 * DYNINFO() data.  Once these are allocated and initialized,
1690	 * remove_so(0, lmp) can be used to tear down the link-map allocation
1691	 * should any failures occur.
1692	 */
1693	rtsz = S_DROUND(sizeof (Rt_map));
1694	epsz = S_DROUND(sizeof (Rt_elfp));
1695	lmsz = rtsz + epsz + dynsz;
1696	if ((lmp = calloc(lmsz, 1)) == NULL)
1697		return (NULL);
1698	ELFPRV(lmp) = (void *)((uintptr_t)lmp + rtsz);
1699	DYNINFO(lmp) = (Dyninfo *)((uintptr_t)lmp + rtsz + epsz);
1700	LMSIZE(lmp) = lmsz;
1701
1702	/*
1703	 * All fields not filled in were set to 0 by calloc.
1704	 */
1705	NAME(lmp) = (char *)name;
1706	ADDR(lmp) = addr;
1707	MSIZE(lmp) = msize;
1708	SYMINTP(lmp) = elf_find_sym;
1709	FCT(lmp) = &elf_fct;
1710	LIST(lmp) = lml;
1711	OBJFLTRNDX(lmp) = FLTR_DISABLED;
1712	SORTVAL(lmp) = -1;
1713	DYN(lmp) = dyn;
1714	DYNINFOCNT(lmp) = dyncnt;
1715	PTUNWIND(lmp) = uphdr;
1716
1717	if (ehdr->e_type == ET_EXEC)
1718		FLAGS(lmp) |= FLG_RT_FIXED;
1719
1720	/*
1721	 * Fill in rest of the link map entries with information from the file's
1722	 * dynamic structure.
1723	 */
1724	if (dyn) {
1725		Dyninfo		*dip;
1726		uint_t		dynndx;
1727		Xword		pltpadsz = 0;
1728		Rti_desc	*rti;
1729		Dyn		*pdyn;
1730		Word		lmtflags = lml->lm_tflags;
1731		int		ignore = 0;
1732
1733		/*
1734		 * Note, we use DT_NULL to terminate processing, and the
1735		 * dynamic entry count as a fall back.  Normally, a DT_NULL
1736		 * entry marks the end of the dynamic section.  Any non-NULL
1737		 * items following the first DT_NULL are silently ignored.
1738		 * This situation should only occur through use of elfedit(1)
1739		 * or a similar tool.
1740		 */
1741		for (dynndx = 0, pdyn = NULL, dip = DYNINFO(lmp);
1742		    dynndx < dyncnt; dynndx++, pdyn = dyn++, dip++) {
1743
1744			if (ignore) {
1745				dip->di_flags |= FLG_DI_IGNORE;
1746				continue;
1747			}
1748
1749			switch ((Xword)dyn->d_tag) {
1750			case DT_NULL:
1751				dip->di_flags |= ignore = FLG_DI_IGNORE;
1752				break;
1753			case DT_POSFLAG_1:
1754				dip->di_flags |= FLG_DI_POSFLAG1;
1755				break;
1756			case DT_NEEDED:
1757			case DT_USED:
1758				dip->di_flags |= FLG_DI_NEEDED;
1759
1760				/* BEGIN CSTYLED */
1761				if (pdyn && (pdyn->d_tag == DT_POSFLAG_1)) {
1762				    /*
1763				     * Identify any non-deferred lazy load for
1764				     * future processing, unless LD_NOLAZYLOAD
1765				     * has been set.
1766				     */
1767				    if ((pdyn->d_un.d_val & DF_P1_LAZYLOAD) &&
1768					((lmtflags & LML_TFLG_NOLAZYLD) == 0))
1769					    dip->di_flags |= FLG_DI_LAZY;
1770
1771				    /*
1772				     * Identify any group permission
1773				     * requirements.
1774				     */
1775				    if (pdyn->d_un.d_val & DF_P1_GROUPPERM)
1776					    dip->di_flags |= FLG_DI_GROUP;
1777
1778				    /*
1779				     * Identify any deferred dependencies.
1780				     */
1781				    if (pdyn->d_un.d_val & DF_P1_DEFERRED)
1782					    dip->di_flags |= FLG_DI_DEFERRED;
1783				}
1784				/* END CSTYLED */
1785				break;
1786			case DT_SYMTAB:
1787				SYMTAB(lmp) = (void *)(dyn->d_un.d_ptr + base);
1788				break;
1789			case DT_SUNW_SYMTAB:
1790				SUNWSYMTAB(lmp) =
1791				    (void *)(dyn->d_un.d_ptr + base);
1792				break;
1793			case DT_SUNW_SYMSZ:
1794				SUNWSYMSZ(lmp) = dyn->d_un.d_val;
1795				break;
1796			case DT_STRTAB:
1797				STRTAB(lmp) = (void *)(dyn->d_un.d_ptr + base);
1798				break;
1799			case DT_SYMENT:
1800				SYMENT(lmp) = dyn->d_un.d_val;
1801				break;
1802			case DT_FEATURE_1:
1803				if (dyn->d_un.d_val & DTF_1_CONFEXP)
1804					crle = 1;
1805				break;
1806			case DT_MOVESZ:
1807				MOVESZ(lmp) = dyn->d_un.d_val;
1808				FLAGS(lmp) |= FLG_RT_MOVE;
1809				break;
1810			case DT_MOVEENT:
1811				MOVEENT(lmp) = dyn->d_un.d_val;
1812				break;
1813			case DT_MOVETAB:
1814				MOVETAB(lmp) = (void *)(dyn->d_un.d_ptr + base);
1815				break;
1816			case DT_REL:
1817			case DT_RELA:
1818				/*
1819				 * At this time, ld.so. can only handle one
1820				 * type of relocation per object.
1821				 */
1822				REL(lmp) = (void *)(dyn->d_un.d_ptr + base);
1823				break;
1824			case DT_RELSZ:
1825			case DT_RELASZ:
1826				RELSZ(lmp) = dyn->d_un.d_val;
1827				break;
1828			case DT_RELENT:
1829			case DT_RELAENT:
1830				RELENT(lmp) = dyn->d_un.d_val;
1831				break;
1832			case DT_RELCOUNT:
1833			case DT_RELACOUNT:
1834				RELACOUNT(lmp) = (uint_t)dyn->d_un.d_val;
1835				break;
1836			case DT_HASH:
1837				HASH(lmp) = (uint_t *)(dyn->d_un.d_ptr + base);
1838				break;
1839			case DT_PLTGOT:
1840				PLTGOT(lmp) =
1841				    (uint_t *)(dyn->d_un.d_ptr + base);
1842				break;
1843			case DT_PLTRELSZ:
1844				PLTRELSZ(lmp) = dyn->d_un.d_val;
1845				break;
1846			case DT_JMPREL:
1847				JMPREL(lmp) = (void *)(dyn->d_un.d_ptr + base);
1848				break;
1849			case DT_INIT:
1850				if (dyn->d_un.d_ptr != 0)
1851					INIT(lmp) =
1852					    (void (*)())(dyn->d_un.d_ptr +
1853					    base);
1854				break;
1855			case DT_FINI:
1856				if (dyn->d_un.d_ptr != 0)
1857					FINI(lmp) =
1858					    (void (*)())(dyn->d_un.d_ptr +
1859					    base);
1860				break;
1861			case DT_INIT_ARRAY:
1862				INITARRAY(lmp) = (Addr *)(dyn->d_un.d_ptr +
1863				    base);
1864				break;
1865			case DT_INIT_ARRAYSZ:
1866				INITARRAYSZ(lmp) = (uint_t)dyn->d_un.d_val;
1867				break;
1868			case DT_FINI_ARRAY:
1869				FINIARRAY(lmp) = (Addr *)(dyn->d_un.d_ptr +
1870				    base);
1871				break;
1872			case DT_FINI_ARRAYSZ:
1873				FINIARRAYSZ(lmp) = (uint_t)dyn->d_un.d_val;
1874				break;
1875			case DT_PREINIT_ARRAY:
1876				PREINITARRAY(lmp) = (Addr *)(dyn->d_un.d_ptr +
1877				    base);
1878				break;
1879			case DT_PREINIT_ARRAYSZ:
1880				PREINITARRAYSZ(lmp) = (uint_t)dyn->d_un.d_val;
1881				break;
1882			case DT_RPATH:
1883			case DT_RUNPATH:
1884				rpath = dyn->d_un.d_val;
1885				break;
1886			case DT_FILTER:
1887				dip->di_flags |= FLG_DI_STDFLTR;
1888				fltr = dyn->d_un.d_val;
1889				OBJFLTRNDX(lmp) = dynndx;
1890				FLAGS1(lmp) |= FL1_RT_OBJSFLTR;
1891				break;
1892			case DT_AUXILIARY:
1893				dip->di_flags |= FLG_DI_AUXFLTR;
1894				if (!(rtld_flags & RT_FL_NOAUXFLTR)) {
1895					fltr = dyn->d_un.d_val;
1896					OBJFLTRNDX(lmp) = dynndx;
1897				}
1898				FLAGS1(lmp) |= FL1_RT_OBJAFLTR;
1899				break;
1900			case DT_SUNW_FILTER:
1901				dip->di_flags |=
1902				    (FLG_DI_STDFLTR | FLG_DI_SYMFLTR);
1903				SYMSFLTRCNT(lmp)++;
1904				FLAGS1(lmp) |= FL1_RT_SYMSFLTR;
1905				break;
1906			case DT_SUNW_AUXILIARY:
1907				dip->di_flags |=
1908				    (FLG_DI_AUXFLTR | FLG_DI_SYMFLTR);
1909				if (!(rtld_flags & RT_FL_NOAUXFLTR)) {
1910					SYMAFLTRCNT(lmp)++;
1911				}
1912				FLAGS1(lmp) |= FL1_RT_SYMAFLTR;
1913				break;
1914			case DT_DEPAUDIT:
1915				if (!(rtld_flags & RT_FL_NOAUDIT)) {
1916					audit = dyn->d_un.d_val;
1917					FLAGS1(lmp) |= FL1_RT_DEPAUD;
1918				}
1919				break;
1920			case DT_CONFIG:
1921				cfile = dyn->d_un.d_val;
1922				break;
1923			case DT_DEBUG:
1924				/*
1925				 * DT_DEBUG entries are only created in
1926				 * dynamic objects that require an interpretor
1927				 * (ie. all dynamic executables and some shared
1928				 * objects), and provide for a hand-shake with
1929				 * old debuggers.  This entry is initialized to
1930				 * zero by the link-editor.  If a debugger is
1931				 * monitoring us, and has updated this entry,
1932				 * set the debugger monitor flag, and finish
1933				 * initializing the debugging structure.  See
1934				 * setup().  Also, switch off any configuration
1935				 * object use as most debuggers can't handle
1936				 * fixed dynamic executables as dependencies.
1937				 */
1938				if (dyn->d_un.d_ptr)
1939					rtld_flags |=
1940					    (RT_FL_DEBUGGER | RT_FL_NOOBJALT);
1941				dyn->d_un.d_ptr = (Addr)&r_debug;
1942				break;
1943			case DT_VERNEED:
1944				VERNEED(lmp) = (Verneed *)(dyn->d_un.d_ptr +
1945				    base);
1946				break;
1947			case DT_VERNEEDNUM:
1948				/* LINTED */
1949				VERNEEDNUM(lmp) = (int)dyn->d_un.d_val;
1950				break;
1951			case DT_VERDEF:
1952				VERDEF(lmp) = (Verdef *)(dyn->d_un.d_ptr +
1953				    base);
1954				break;
1955			case DT_VERDEFNUM:
1956				/* LINTED */
1957				VERDEFNUM(lmp) = (int)dyn->d_un.d_val;
1958				break;
1959			case DT_VERSYM:
1960				/*
1961				 * The Solaris ld does not produce DT_VERSYM,
1962				 * but the GNU ld does, in order to support
1963				 * their style of versioning, which differs
1964				 * from ours in some ways, while using the
1965				 * same data structures. The presence of
1966				 * DT_VERSYM therefore means that GNU
1967				 * versioning rules apply to the given file.
1968				 * If DT_VERSYM is not present, then Solaris
1969				 * versioning rules apply.
1970				 */
1971				VERSYM(lmp) = (Versym *)(dyn->d_un.d_ptr +
1972				    base);
1973				break;
1974			case DT_BIND_NOW:
1975				if ((dyn->d_un.d_val & DF_BIND_NOW) &&
1976				    ((rtld_flags2 & RT_FL2_BINDLAZY) == 0)) {
1977					MODE(lmp) |= RTLD_NOW;
1978					MODE(lmp) &= ~RTLD_LAZY;
1979				}
1980				break;
1981			case DT_FLAGS:
1982				FLAGS1(lmp) |= FL1_RT_DTFLAGS;
1983				if (dyn->d_un.d_val & DF_SYMBOLIC)
1984					FLAGS1(lmp) |= FL1_RT_SYMBOLIC;
1985				if ((dyn->d_un.d_val & DF_BIND_NOW) &&
1986				    ((rtld_flags2 & RT_FL2_BINDLAZY) == 0)) {
1987					MODE(lmp) |= RTLD_NOW;
1988					MODE(lmp) &= ~RTLD_LAZY;
1989				}
1990				/*
1991				 * Capture any static TLS use, and enforce that
1992				 * this object be non-deletable.
1993				 */
1994				if (dyn->d_un.d_val & DF_STATIC_TLS) {
1995					FLAGS1(lmp) |= FL1_RT_TLSSTAT;
1996					MODE(lmp) |= RTLD_NODELETE;
1997				}
1998				break;
1999			case DT_FLAGS_1:
2000				if (dyn->d_un.d_val & DF_1_DISPRELPND)
2001					FLAGS1(lmp) |= FL1_RT_DISPREL;
2002				if (dyn->d_un.d_val & DF_1_GROUP)
2003					FLAGS(lmp) |=
2004					    (FLG_RT_SETGROUP | FLG_RT_PUBHDL);
2005				if ((dyn->d_un.d_val & DF_1_NOW) &&
2006				    ((rtld_flags2 & RT_FL2_BINDLAZY) == 0)) {
2007					MODE(lmp) |= RTLD_NOW;
2008					MODE(lmp) &= ~RTLD_LAZY;
2009				}
2010				if (dyn->d_un.d_val & DF_1_NODELETE)
2011					MODE(lmp) |= RTLD_NODELETE;
2012				if (dyn->d_un.d_val & DF_1_INITFIRST)
2013					FLAGS(lmp) |= FLG_RT_INITFRST;
2014				if (dyn->d_un.d_val & DF_1_NOOPEN)
2015					FLAGS(lmp) |= FLG_RT_NOOPEN;
2016				if (dyn->d_un.d_val & DF_1_LOADFLTR)
2017					FLAGS(lmp) |= FLG_RT_LOADFLTR;
2018				if (dyn->d_un.d_val & DF_1_NODUMP)
2019					FLAGS(lmp) |= FLG_RT_NODUMP;
2020				if (dyn->d_un.d_val & DF_1_CONFALT)
2021					crle = 1;
2022				if (dyn->d_un.d_val & DF_1_DIRECT)
2023					FLAGS1(lmp) |= FL1_RT_DIRECT;
2024				if (dyn->d_un.d_val & DF_1_NODEFLIB)
2025					FLAGS1(lmp) |= FL1_RT_NODEFLIB;
2026				if (dyn->d_un.d_val & DF_1_ENDFILTEE)
2027					FLAGS1(lmp) |= FL1_RT_ENDFILTE;
2028				if (dyn->d_un.d_val & DF_1_TRANS)
2029					FLAGS(lmp) |= FLG_RT_TRANS;
2030
2031				/*
2032				 * Global auditing is only meaningful when
2033				 * specified by the initiating object of the
2034				 * process - typically the dynamic executable.
2035				 * If this is the initiating object, its link-
2036				 * map will not yet have been added to the
2037				 * link-map list, and consequently the link-map
2038				 * list is empty.  (see setup()).
2039				 */
2040				if (dyn->d_un.d_val & DF_1_GLOBAUDIT) {
2041					if (lml_main.lm_head == NULL)
2042						FLAGS1(lmp) |= FL1_RT_GLOBAUD;
2043					else
2044						DBG_CALL(Dbg_audit_ignore(lmp));
2045				}
2046
2047				/*
2048				 * If this object identifies itself as an
2049				 * interposer, but relocation processing has
2050				 * already started, then demote it.  It's too
2051				 * late to guarantee complete interposition.
2052				 */
2053				/* BEGIN CSTYLED */
2054				if (dyn->d_un.d_val &
2055				    (DF_1_INTERPOSE | DF_1_SYMINTPOSE)) {
2056				    if (lml->lm_flags & LML_FLG_STARTREL) {
2057					DBG_CALL(Dbg_util_intoolate(lmp));
2058					if (lml->lm_flags & LML_FLG_TRC_ENABLE)
2059					    (void) printf(
2060						MSG_INTL(MSG_LDD_REL_ERR2),
2061						NAME(lmp));
2062				    } else if (dyn->d_un.d_val & DF_1_INTERPOSE)
2063					FLAGS(lmp) |= FLG_RT_OBJINTPO;
2064				    else
2065					FLAGS(lmp) |= FLG_RT_SYMINTPO;
2066				}
2067				/* END CSTYLED */
2068				break;
2069			case DT_SYMINFO:
2070				SYMINFO(lmp) = (Syminfo *)(dyn->d_un.d_ptr +
2071				    base);
2072				break;
2073			case DT_SYMINENT:
2074				SYMINENT(lmp) = dyn->d_un.d_val;
2075				break;
2076			case DT_PLTPAD:
2077				PLTPAD(lmp) = (void *)(dyn->d_un.d_ptr + base);
2078				break;
2079			case DT_PLTPADSZ:
2080				pltpadsz = dyn->d_un.d_val;
2081				break;
2082			case DT_SUNW_RTLDINF:
2083				/*
2084				 * Maintain a list of RTLDINFO structures.
2085				 * Typically, libc is the only supplier, and
2086				 * only one structure is provided.  However,
2087				 * multiple suppliers and multiple structures
2088				 * are supported.  For example, one structure
2089				 * may provide thread_init, and another
2090				 * structure may provide atexit reservations.
2091				 */
2092				if ((rti = alist_append(&lml->lm_rti, NULL,
2093				    sizeof (Rti_desc),
2094				    AL_CNT_RTLDINFO)) == NULL) {
2095					remove_so(0, lmp, clmp);
2096					return (NULL);
2097				}
2098				rti->rti_lmp = lmp;
2099				rti->rti_info = (void *)(dyn->d_un.d_ptr +
2100				    base);
2101				break;
2102			case DT_SUNW_SORTENT:
2103				SUNWSORTENT(lmp) = dyn->d_un.d_val;
2104				break;
2105			case DT_SUNW_SYMSORT:
2106				SUNWSYMSORT(lmp) =
2107				    (void *)(dyn->d_un.d_ptr + base);
2108				break;
2109			case DT_SUNW_SYMSORTSZ:
2110				SUNWSYMSORTSZ(lmp) = dyn->d_un.d_val;
2111				break;
2112			case DT_DEPRECATED_SPARC_REGISTER:
2113			case M_DT_REGISTER:
2114				dip->di_flags |= FLG_DI_REGISTER;
2115				FLAGS(lmp) |= FLG_RT_REGSYMS;
2116				break;
2117			case DT_SUNW_CAP:
2118				CAP(lmp) = (void *)(dyn->d_un.d_ptr + base);
2119				break;
2120			case DT_SUNW_CAPINFO:
2121				CAPINFO(lmp) = (void *)(dyn->d_un.d_ptr + base);
2122				break;
2123			case DT_SUNW_CAPCHAIN:
2124				CAPCHAIN(lmp) = (void *)(dyn->d_un.d_ptr +
2125				    base);
2126				break;
2127			case DT_SUNW_CAPCHAINENT:
2128				CAPCHAINENT(lmp) = dyn->d_un.d_val;
2129				break;
2130			case DT_SUNW_CAPCHAINSZ:
2131				CAPCHAINSZ(lmp) = dyn->d_un.d_val;
2132				break;
2133			}
2134		}
2135
2136		/*
2137		 * Update any Dyninfo string pointers now that STRTAB() is
2138		 * known.
2139		 */
2140		for (dynndx = 0, dyn = DYN(lmp), dip = DYNINFO(lmp);
2141		    !(dip->di_flags & FLG_DI_IGNORE); dyn++, dip++) {
2142
2143			switch ((Xword)dyn->d_tag) {
2144			case DT_NEEDED:
2145			case DT_USED:
2146			case DT_FILTER:
2147			case DT_AUXILIARY:
2148			case DT_SUNW_FILTER:
2149			case DT_SUNW_AUXILIARY:
2150				dip->di_name = STRTAB(lmp) + dyn->d_un.d_val;
2151				break;
2152			}
2153		}
2154
2155		/*
2156		 * Assign any padding.
2157		 */
2158		if (PLTPAD(lmp)) {
2159			if (pltpadsz == (Xword)0)
2160				PLTPAD(lmp) = NULL;
2161			else
2162				PLTPADEND(lmp) = (void *)((Addr)PLTPAD(lmp) +
2163				    pltpadsz);
2164		}
2165	}
2166
2167	/*
2168	 * A dynsym contains only global functions. We want to have
2169	 * a version of it that also includes local functions, so that
2170	 * dladdr() will be able to report names for local functions
2171	 * when used to generate a stack trace for a stripped file.
2172	 * This version of the dynsym is provided via DT_SUNW_SYMTAB.
2173	 *
2174	 * In producing DT_SUNW_SYMTAB, ld uses a non-obvious trick
2175	 * in order to avoid having to have two copies of the global
2176	 * symbols held in DT_SYMTAB: The local symbols are placed in
2177	 * a separate section than the globals in the dynsym, but the
2178	 * linker conspires to put the data for these two sections adjacent
2179	 * to each other. DT_SUNW_SYMTAB points at the top of the local
2180	 * symbols, and DT_SUNW_SYMSZ is the combined length of both tables.
2181	 *
2182	 * If the two sections are not adjacent, then something went wrong
2183	 * at link time. We use ASSERT to kill the process if this is
2184	 * a debug build. In a production build, we will silently ignore
2185	 * the presence of the .ldynsym and proceed. We can detect this
2186	 * situation by checking to see that DT_SYMTAB lies in
2187	 * the range given by DT_SUNW_SYMTAB/DT_SUNW_SYMSZ.
2188	 */
2189	if ((SUNWSYMTAB(lmp) != NULL) &&
2190	    (((char *)SYMTAB(lmp) <= (char *)SUNWSYMTAB(lmp)) ||
2191	    (((char *)SYMTAB(lmp) >=
2192	    (SUNWSYMSZ(lmp) + (char *)SUNWSYMTAB(lmp)))))) {
2193		ASSERT(0);
2194		SUNWSYMTAB(lmp) = NULL;
2195		SUNWSYMSZ(lmp) = 0;
2196	}
2197
2198	/*
2199	 * If configuration file use hasn't been disabled, and a configuration
2200	 * file hasn't already been set via an environment variable, see if any
2201	 * application specific configuration file is specified.  An LD_CONFIG
2202	 * setting is used first, but if this image was generated via crle(1)
2203	 * then a default configuration file is a fall-back.
2204	 */
2205	if ((!(rtld_flags & RT_FL_NOCFG)) && (config->c_name == NULL)) {
2206		if (cfile)
2207			config->c_name = (const char *)(cfile +
2208			    (char *)STRTAB(lmp));
2209		else if (crle)
2210			rtld_flags |= RT_FL_CONFAPP;
2211	}
2212
2213	if (rpath)
2214		RPATH(lmp) = (char *)(rpath + (char *)STRTAB(lmp));
2215	if (fltr)
2216		REFNAME(lmp) = (char *)(fltr + (char *)STRTAB(lmp));
2217
2218	/*
2219	 * For Intel ABI compatibility.  It's possible that a JMPREL can be
2220	 * specified without any other relocations (e.g. a dynamic executable
2221	 * normally only contains .plt relocations).  If this is the case then
2222	 * no REL, RELSZ or RELENT will have been created.  For us to be able
2223	 * to traverse the .plt relocations under LD_BIND_NOW we need to know
2224	 * the RELENT for these relocations.  Refer to elf_reloc() for more
2225	 * details.
2226	 */
2227	if (!RELENT(lmp) && JMPREL(lmp))
2228		RELENT(lmp) = sizeof (M_RELOC);
2229
2230	/*
2231	 * Establish any per-object auditing.  If we're establishing main's
2232	 * link-map its too early to go searching for audit objects so just
2233	 * hold the object name for later (see setup()).
2234	 */
2235	if (audit) {
2236		char	*cp = audit + (char *)STRTAB(lmp);
2237
2238		if (*cp) {
2239			if (((AUDITORS(lmp) =
2240			    calloc(1, sizeof (Audit_desc))) == NULL) ||
2241			    ((AUDITORS(lmp)->ad_name = strdup(cp)) == NULL)) {
2242				remove_so(0, lmp, clmp);
2243				return (NULL);
2244			}
2245			if (lml_main.lm_head) {
2246				if (audit_setup(lmp, AUDITORS(lmp), 0,
2247				    in_nfavl) == 0) {
2248					remove_so(0, lmp, clmp);
2249					return (NULL);
2250				}
2251				AFLAGS(lmp) |= AUDITORS(lmp)->ad_flags;
2252				lml->lm_flags |= LML_FLG_LOCAUDIT;
2253			}
2254		}
2255	}
2256
2257	if (tphdr && (tls_assign(lml, lmp, tphdr) == 0)) {
2258		remove_so(0, lmp, clmp);
2259		return (NULL);
2260	}
2261
2262	/*
2263	 * A capabilities section should be identified by a DT_SUNW_CAP entry,
2264	 * and if non-empty object capabilities are included, a PT_SUNWCAP
2265	 * header should reference the section.  Make sure CAP() is set
2266	 * regardless.
2267	 */
2268	if ((CAP(lmp) == NULL) && cap)
2269		CAP(lmp) = cap;
2270
2271	/*
2272	 * Make sure any capabilities information or chain can be handled.
2273	 */
2274	if (CAPINFO(lmp) && (CAPINFO(lmp)[0] > CAPINFO_CURRENT))
2275		CAPINFO(lmp) = NULL;
2276	if (CAPCHAIN(lmp) && (CAPCHAIN(lmp)[0] > CAPCHAIN_CURRENT))
2277		CAPCHAIN(lmp) = NULL;
2278
2279	/*
2280	 * As part of processing dependencies, a file descriptor is populated
2281	 * with capabilities information following validation.
2282	 */
2283	if (fdp->fd_flags & FLG_FD_ALTCHECK) {
2284		FLAGS1(lmp) |= FL1_RT_ALTCHECK;
2285		CAPSET(lmp) = fdp->fd_scapset;
2286
2287		if (fdp->fd_flags & FLG_FD_ALTCAP)
2288			FLAGS1(lmp) |= FL1_RT_ALTCAP;
2289
2290	} else if ((cap = CAP(lmp)) != NULL) {
2291		/*
2292		 * Processing of the a.out and ld.so.1 does not involve a file
2293		 * descriptor as exec() did all the work, so capture the
2294		 * capabilities for these cases.
2295		 */
2296		while (cap->c_tag != CA_SUNW_NULL) {
2297			switch (cap->c_tag) {
2298			case CA_SUNW_HW_1:
2299				CAPSET(lmp).sc_hw_1 = cap->c_un.c_val;
2300				break;
2301			case CA_SUNW_SF_1:
2302				CAPSET(lmp).sc_sf_1 = cap->c_un.c_val;
2303				break;
2304			case CA_SUNW_HW_2:
2305				CAPSET(lmp).sc_hw_2 = cap->c_un.c_val;
2306				break;
2307			case CA_SUNW_PLAT:
2308				CAPSET(lmp).sc_plat = STRTAB(lmp) +
2309				    cap->c_un.c_ptr;
2310				break;
2311			case CA_SUNW_MACH:
2312				CAPSET(lmp).sc_mach = STRTAB(lmp) +
2313				    cap->c_un.c_ptr;
2314				break;
2315			}
2316			cap++;
2317		}
2318	}
2319
2320	/*
2321	 * If a capabilities chain table exists, duplicate it.  The chain table
2322	 * is inspected for each initial call to a capabilities family lead
2323	 * symbol.  From this chain, each family member is inspected to
2324	 * determine the 'best' family member.  The chain table is then updated
2325	 * so that the best member is immediately selected for any further
2326	 * family searches.
2327	 */
2328	if (CAPCHAIN(lmp)) {
2329		Capchain	*capchain;
2330
2331		if ((capchain = calloc(CAPCHAINSZ(lmp), 1)) == NULL)
2332			return (NULL);
2333		(void) memcpy(capchain, CAPCHAIN(lmp), CAPCHAINSZ(lmp));
2334		CAPCHAIN(lmp) = capchain;
2335	}
2336
2337	/*
2338	 * Add the mapped object to the end of the link map list.
2339	 */
2340	lm_append(lml, lmco, lmp);
2341
2342	/*
2343	 * Start the system loading in the ELF information we'll be processing.
2344	 */
2345	if (REL(lmp)) {
2346		(void) madvise((void *)ADDR(lmp), (uintptr_t)REL(lmp) +
2347		    (uintptr_t)RELSZ(lmp) - (uintptr_t)ADDR(lmp),
2348		    MADV_WILLNEED);
2349	}
2350	return (lmp);
2351}
2352
2353/*
2354 * Build full pathname of shared object from given directory name and filename.
2355 */
2356static char *
2357elf_get_so(const char *dir, const char *file, size_t dlen, size_t flen)
2358{
2359	static char	pname[PATH_MAX];
2360
2361	(void) strncpy(pname, dir, dlen);
2362	pname[dlen++] = '/';
2363	(void) strncpy(&pname[dlen], file, flen + 1);
2364	return (pname);
2365}
2366
2367/*
2368 * The copy relocation is recorded in a copy structure which will be applied
2369 * after all other relocations are carried out.  This provides for copying data
2370 * that must be relocated itself (ie. pointers in shared objects).  This
2371 * structure also provides a means of binding RTLD_GROUP dependencies to any
2372 * copy relocations that have been taken from any group members.
2373 *
2374 * If the size of the .bss area available for the copy information is not the
2375 * same as the source of the data inform the user if we're under ldd(1) control
2376 * (this checking was only established in 5.3, so by only issuing an error via
2377 * ldd(1) we maintain the standard set by previous releases).
2378 */
2379int
2380elf_copy_reloc(char *name, Sym *rsym, Rt_map *rlmp, void *radd, Sym *dsym,
2381    Rt_map *dlmp, const void *dadd)
2382{
2383	Rel_copy	rc;
2384	Lm_list		*lml = LIST(rlmp);
2385
2386	rc.r_name = name;
2387	rc.r_rsym = rsym;		/* the new reference symbol and its */
2388	rc.r_rlmp = rlmp;		/*	associated link-map */
2389	rc.r_dlmp = dlmp;		/* the defining link-map */
2390	rc.r_dsym = dsym;		/* the original definition */
2391	rc.r_radd = radd;
2392	rc.r_dadd = dadd;
2393
2394	if (rsym->st_size > dsym->st_size)
2395		rc.r_size = (size_t)dsym->st_size;
2396	else
2397		rc.r_size = (size_t)rsym->st_size;
2398
2399	if (alist_append(&COPY_R(dlmp), &rc, sizeof (Rel_copy),
2400	    AL_CNT_COPYREL) == NULL) {
2401		if (!(lml->lm_flags & LML_FLG_TRC_WARN))
2402			return (0);
2403		else
2404			return (1);
2405	}
2406	if (!(FLAGS1(dlmp) & FL1_RT_COPYTOOK)) {
2407		if (aplist_append(&COPY_S(rlmp), dlmp,
2408		    AL_CNT_COPYREL) == NULL) {
2409			if (!(lml->lm_flags & LML_FLG_TRC_WARN))
2410				return (0);
2411			else
2412				return (1);
2413		}
2414		FLAGS1(dlmp) |= FL1_RT_COPYTOOK;
2415	}
2416
2417	/*
2418	 * If we are tracing (ldd), warn the user if
2419	 *	1) the size from the reference symbol differs from the
2420	 *	   copy definition. We can only copy as much data as the
2421	 *	   reference (dynamic executables) entry allows.
2422	 *	2) the copy definition has STV_PROTECTED visibility.
2423	 */
2424	if (lml->lm_flags & LML_FLG_TRC_WARN) {
2425		if (rsym->st_size != dsym->st_size) {
2426			(void) printf(MSG_INTL(MSG_LDD_CPY_SIZDIF),
2427			    _conv_reloc_type(M_R_COPY), demangle(name),
2428			    NAME(rlmp), EC_XWORD(rsym->st_size),
2429			    NAME(dlmp), EC_XWORD(dsym->st_size));
2430			if (rsym->st_size > dsym->st_size)
2431				(void) printf(MSG_INTL(MSG_LDD_CPY_INSDATA),
2432				    NAME(dlmp));
2433			else
2434				(void) printf(MSG_INTL(MSG_LDD_CPY_DATRUNC),
2435				    NAME(rlmp));
2436		}
2437
2438		if (ELF_ST_VISIBILITY(dsym->st_other) == STV_PROTECTED) {
2439			(void) printf(MSG_INTL(MSG_LDD_CPY_PROT),
2440			    _conv_reloc_type(M_R_COPY), demangle(name),
2441			    NAME(dlmp));
2442		}
2443	}
2444
2445	DBG_CALL(Dbg_reloc_apply_val(lml, ELF_DBG_RTLD, (Xword)radd,
2446	    (Xword)rc.r_size));
2447	return (1);
2448}
2449
2450/*
2451 * Determine the symbol location of an address within a link-map.  Look for
2452 * the nearest symbol (whose value is less than or equal to the required
2453 * address).  This is the object specific part of dladdr().
2454 */
2455static void
2456elf_dladdr(ulong_t addr, Rt_map *lmp, Dl_info *dlip, void **info, int flags)
2457{
2458	ulong_t		ndx, cnt, base, _value;
2459	Sym		*sym, *_sym = NULL;
2460	const char	*str;
2461	int		_flags;
2462	uint_t		*dynaddr_ndx;
2463	uint_t		dynaddr_n = 0;
2464	ulong_t		value;
2465
2466	/*
2467	 * If SUNWSYMTAB() is non-NULL, then it sees a special version of
2468	 * the dynsym that starts with any local function symbols that exist in
2469	 * the library and then moves to the data held in SYMTAB(). In this
2470	 * case, SUNWSYMSZ tells us how long the symbol table is. The
2471	 * availability of local function symbols will enhance the results
2472	 * we can provide.
2473	 *
2474	 * If SUNWSYMTAB() is non-NULL, then there might also be a
2475	 * SUNWSYMSORT() vector associated with it. SUNWSYMSORT() contains
2476	 * an array of indices into SUNWSYMTAB, sorted by increasing
2477	 * address. We can use this to do an O(log N) search instead of a
2478	 * brute force search.
2479	 *
2480	 * If SUNWSYMTAB() is NULL, then SYMTAB() references a dynsym that
2481	 * contains only global symbols. In that case, the length of
2482	 * the symbol table comes from the nchain field of the related
2483	 * symbol lookup hash table.
2484	 */
2485	str = STRTAB(lmp);
2486	if (SUNWSYMSZ(lmp) == 0) {
2487		sym = SYMTAB(lmp);
2488		/*
2489		 * If we don't have a .hash table there are no symbols
2490		 * to look at.
2491		 */
2492		if (HASH(lmp) == NULL)
2493			return;
2494		cnt = HASH(lmp)[1];
2495	} else {
2496		sym = SUNWSYMTAB(lmp);
2497		cnt = SUNWSYMSZ(lmp) / SYMENT(lmp);
2498		dynaddr_ndx = SUNWSYMSORT(lmp);
2499		if (dynaddr_ndx != NULL)
2500			dynaddr_n = SUNWSYMSORTSZ(lmp) / SUNWSORTENT(lmp);
2501	}
2502
2503	if (FLAGS(lmp) & FLG_RT_FIXED)
2504		base = 0;
2505	else
2506		base = ADDR(lmp);
2507
2508	if (dynaddr_n > 0) {		/* Binary search */
2509		long	low = 0, low_bnd;
2510		long	high = dynaddr_n - 1, high_bnd;
2511		long	mid;
2512		Sym	*mid_sym;
2513
2514		/*
2515		 * Note that SUNWSYMSORT only contains symbols types that
2516		 * supply memory addresses, so there's no need to check and
2517		 * filter out any other types.
2518		 */
2519		low_bnd = low;
2520		high_bnd = high;
2521		while (low <= high) {
2522			mid = (low + high) / 2;
2523			mid_sym = &sym[dynaddr_ndx[mid]];
2524			value = mid_sym->st_value + base;
2525			if (addr < value) {
2526				if ((sym[dynaddr_ndx[high]].st_value + base) >=
2527				    addr)
2528					high_bnd = high;
2529				high = mid - 1;
2530			} else if (addr > value) {
2531				if ((sym[dynaddr_ndx[low]].st_value + base) <=
2532				    addr)
2533					low_bnd = low;
2534				low = mid + 1;
2535			} else {
2536				_sym = mid_sym;
2537				_value = value;
2538				break;
2539			}
2540		}
2541		/*
2542		 * If the above didn't find it exactly, then we must
2543		 * return the closest symbol with a value that doesn't
2544		 * exceed the one we are looking for. If that symbol exists,
2545		 * it will lie in the range bounded by low_bnd and
2546		 * high_bnd. This is a linear search, but a short one.
2547		 */
2548		if (_sym == NULL) {
2549			for (mid = low_bnd; mid <= high_bnd; mid++) {
2550				mid_sym = &sym[dynaddr_ndx[mid]];
2551				value = mid_sym->st_value + base;
2552				if (addr >= value) {
2553					_sym = mid_sym;
2554					_value = value;
2555				} else {
2556					break;
2557				}
2558			}
2559		}
2560	} else {			/* Linear search */
2561		for (_value = 0, sym++, ndx = 1; ndx < cnt; ndx++, sym++) {
2562			/*
2563			 * Skip expected symbol types that are not functions
2564			 * or data:
2565			 *	- A symbol table starts with an undefined symbol
2566			 *		in slot 0. If we are using SUNWSYMTAB(),
2567			 *		there will be a second undefined symbol
2568			 *		right before the globals.
2569			 *	- The local part of SUNWSYMTAB() contains a
2570			 *		series of function symbols. Each section
2571			 *		starts with an initial STT_FILE symbol.
2572			 */
2573			if ((sym->st_shndx == SHN_UNDEF) ||
2574			    (ELF_ST_TYPE(sym->st_info) == STT_FILE))
2575				continue;
2576
2577			value = sym->st_value + base;
2578			if (value > addr)
2579				continue;
2580			if (value < _value)
2581				continue;
2582
2583			_sym = sym;
2584			_value = value;
2585
2586			/*
2587			 * Note, because we accept local and global symbols
2588			 * we could find a section symbol that matches the
2589			 * associated address, which means that the symbol
2590			 * name will be null.  In this case continue the
2591			 * search in case we can find a global symbol of
2592			 * the same value.
2593			 */
2594			if ((value == addr) &&
2595			    (ELF_ST_TYPE(sym->st_info) != STT_SECTION))
2596				break;
2597		}
2598	}
2599
2600	_flags = flags & RTLD_DL_MASK;
2601	if (_sym) {
2602		if (_flags == RTLD_DL_SYMENT)
2603			*info = (void *)_sym;
2604		else if (_flags == RTLD_DL_LINKMAP)
2605			*info = (void *)lmp;
2606
2607		dlip->dli_sname = str + _sym->st_name;
2608		dlip->dli_saddr = (void *)_value;
2609	} else {
2610		/*
2611		 * addr lies between the beginning of the mapped segment and
2612		 * the first global symbol. We have no symbol to return
2613		 * and the caller requires one. We use _START_, the base
2614		 * address of the mapping.
2615		 */
2616
2617		if (_flags == RTLD_DL_SYMENT) {
2618			/*
2619			 * An actual symbol struct is needed, so we
2620			 * construct one for _START_. To do this in a
2621			 * fully accurate way requires a different symbol
2622			 * for each mapped segment. This requires the
2623			 * use of dynamic memory and a mutex. That's too much
2624			 * plumbing for a fringe case of limited importance.
2625			 *
2626			 * Fortunately, we can simplify:
2627			 *    - Only the st_size and st_info fields are useful
2628			 *	outside of the linker internals. The others
2629			 *	reference things that outside code cannot see,
2630			 *	and can be set to 0.
2631			 *    - It's just a label and there is no size
2632			 *	to report. So, the size should be 0.
2633			 * This means that only st_info needs a non-zero
2634			 * (constant) value. A static struct will suffice.
2635			 * It must be const (readonly) so the caller can't
2636			 * change its meaning for subsequent callers.
2637			 */
2638			static const Sym fsym = { 0, 0, 0,
2639			    ELF_ST_INFO(STB_LOCAL, STT_OBJECT) };
2640			*info = (void *) &fsym;
2641		}
2642
2643		dlip->dli_sname = MSG_ORIG(MSG_SYM_START);
2644		dlip->dli_saddr = (void *) ADDR(lmp);
2645	}
2646}
2647
2648/*
2649 * This routine is called as a last fall-back to search for a symbol from a
2650 * standard relocation or dlsym().  To maintain lazy loadings goal of reducing
2651 * the number of objects mapped, any symbol search is first carried out using
2652 * the objects that already exist in the process (either on a link-map list or
2653 * handle).  If a symbol can't be found, and lazy dependencies are still
2654 * pending, this routine loads the dependencies in an attempt to locate the
2655 * symbol.
2656 */
2657int
2658elf_lazy_find_sym(Slookup *slp, Sresult *srp, uint_t *binfo, int *in_nfavl)
2659{
2660	static APlist	*alist = NULL;
2661	Aliste		idx1;
2662	Rt_map		*lmp1, *lmp = slp->sl_imap, *clmp = slp->sl_cmap;
2663	const char	*name = slp->sl_name;
2664	Slookup		sl1 = *slp;
2665	Lm_list		*lml;
2666	Lm_cntl		*lmc;
2667
2668	/*
2669	 * It's quite possible we've been here before to process objects,
2670	 * therefore reinitialize our dynamic list.
2671	 */
2672	if (alist)
2673		aplist_reset(alist);
2674
2675	/*
2676	 * Discard any relocation index from further symbol searches.  This
2677	 * index has already been used to trigger any necessary lazy-loads,
2678	 * and it might be because one of these lazy loads has failed that
2679	 * we're performing this fallback.  By removing the relocation index
2680	 * we don't try and perform the same failed lazy loading activity again.
2681	 */
2682	sl1.sl_rsymndx = 0;
2683
2684	/*
2685	 * Determine the callers link-map list so that we can monitor whether
2686	 * new objects have been added.
2687	 */
2688	lml = LIST(clmp);
2689	lmc = (Lm_cntl *)alist_item_by_offset(lml->lm_lists, CNTL(clmp));
2690
2691	/*
2692	 * Generate a local list of new objects to process.  This list can grow
2693	 * as each object supplies its own lazy dependencies.
2694	 */
2695	if (aplist_append(&alist, lmp, AL_CNT_LAZYFIND) == NULL)
2696		return (0);
2697
2698	for (APLIST_TRAVERSE(alist, idx1, lmp1)) {
2699		uint_t	dynndx;
2700		Dyninfo	*dip, *pdip;
2701
2702		/*
2703		 * Loop through the lazy DT_NEEDED entries examining each object
2704		 * for the required symbol.  If the symbol is not found, the
2705		 * object is in turn added to the local alist, so that the
2706		 * objects lazy DT_NEEDED entries can be examined.
2707		 */
2708		lmp = lmp1;
2709		for (dynndx = 0, dip = DYNINFO(lmp), pdip = NULL;
2710		    !(dip->di_flags & FLG_DI_IGNORE); dynndx++, pdip = dip++) {
2711			Grp_hdl		*ghp;
2712			Grp_desc	*gdp;
2713			Rt_map		*nlmp, *llmp;
2714			Slookup		sl2;
2715			Sresult		sr;
2716			Aliste		idx2;
2717
2718			if (((dip->di_flags & FLG_DI_LAZY) == 0) ||
2719			    dip->di_info)
2720				continue;
2721
2722			/*
2723			 * If this object has already failed to lazy load, and
2724			 * we're still processing the same runtime linker
2725			 * operation that produced the failure, don't bother
2726			 * to try and load the object again.
2727			 */
2728			if ((dip->di_flags & FLG_DI_LAZYFAIL) && pdip &&
2729			    (pdip->di_flags & FLG_DI_POSFLAG1)) {
2730				if (pdip->di_info == (void *)ld_entry_cnt)
2731					continue;
2732
2733				dip->di_flags &= ~FLG_DI_LAZYFAIL;
2734				pdip->di_info = NULL;
2735			}
2736
2737			/*
2738			 * Determine the last link-map presently on the callers
2739			 * link-map control list.
2740			 */
2741			llmp = lmc->lc_tail;
2742
2743			/*
2744			 * Try loading this lazy dependency.  If the object
2745			 * can't be loaded, consider this non-fatal and continue
2746			 * the search.  Lazy loaded dependencies need not exist
2747			 * and their loading should only turn out to be fatal
2748			 * if they are required to satisfy a relocation.
2749			 *
2750			 * A successful lazy load can mean one of two things:
2751			 *
2752			 *  -	new objects have been loaded, in which case the
2753			 *	objects will have been analyzed, relocated, and
2754			 *	finally moved to the callers control list.
2755			 *  -	the objects are already loaded, and this lazy
2756			 *	load has simply associated the referenced object
2757			 *	with it's lazy dependencies.
2758			 *
2759			 * If new objects are loaded, look in these objects
2760			 * first.  Note, a new object can be the object being
2761			 * referenced by this lazy load, however we can also
2762			 * descend into multiple lazy loads as we relocate this
2763			 * reference.
2764			 *
2765			 * If the symbol hasn't been found, use the referenced
2766			 * objects handle, as it might have dependencies on
2767			 * objects that are already loaded.  Note that existing
2768			 * objects might have already been searched and skipped
2769			 * as non-available to this caller.   However, a lazy
2770			 * load might have caused the promotion of modes, or
2771			 * added this object to the family of the caller.  In
2772			 * either case, the handle associated with the object
2773			 * is then used to carry out the symbol search.
2774			 */
2775			if ((nlmp = elf_lazy_load(lmp, &sl1, dynndx, name,
2776			    FLG_RT_PRIHDL, &ghp, in_nfavl)) == NULL)
2777				continue;
2778
2779			if (NEXT_RT_MAP(llmp)) {
2780				/*
2781				 * Look in any new objects.
2782				 */
2783				sl1.sl_imap = NEXT_RT_MAP(llmp);
2784				sl1.sl_flags &= ~LKUP_STDRELOC;
2785
2786				/*
2787				 * Initialize a local symbol result descriptor,
2788				 * using the original symbol name.
2789				 */
2790				SRESULT_INIT(sr, slp->sl_name);
2791
2792				if (lookup_sym(&sl1, &sr, binfo, in_nfavl)) {
2793					*srp = sr;
2794					return (1);
2795				}
2796			}
2797
2798			/*
2799			 * Use the objects handle to inspect the family of
2800			 * objects associated with the handle.  Note, there's
2801			 * a possibility of overlap with the above search,
2802			 * should a lazy load bring in new objects and
2803			 * reference existing objects.
2804			 */
2805			sl2 = sl1;
2806			for (ALIST_TRAVERSE(ghp->gh_depends, idx2, gdp)) {
2807				if ((gdp->gd_depend != NEXT_RT_MAP(llmp)) &&
2808				    (gdp->gd_flags & GPD_DLSYM)) {
2809
2810					sl2.sl_imap = gdp->gd_depend;
2811					sl2.sl_flags |= LKUP_FIRST;
2812
2813					/*
2814					 * Initialize a local symbol result
2815					 * descriptor, using the original
2816					 * symbol name.
2817					 */
2818					SRESULT_INIT(sr, slp->sl_name);
2819
2820					if (lookup_sym(&sl2, &sr, binfo,
2821					    in_nfavl)) {
2822						*srp = sr;
2823						return (1);
2824					}
2825				}
2826			}
2827
2828			/*
2829			 * Some dlsym() operations are already traversing a
2830			 * link-map (dlopen(0)), and thus there's no need to
2831			 * save them on the dynamic dependency list.
2832			 */
2833			if (slp->sl_flags & LKUP_NODESCENT)
2834				continue;
2835
2836			if (aplist_test(&alist, nlmp, AL_CNT_LAZYFIND) == 0)
2837				return (0);
2838		}
2839	}
2840
2841	return (0);
2842}
2843
2844/*
2845 * Warning message for bad r_offset.
2846 */
2847void
2848elf_reloc_bad(Rt_map *lmp, void *rel, uchar_t rtype, ulong_t roffset,
2849    ulong_t rsymndx)
2850{
2851	const char	*name = NULL;
2852	Lm_list		*lml = LIST(lmp);
2853	int		trace;
2854
2855	if ((lml->lm_flags & LML_FLG_TRC_ENABLE) &&
2856	    (((rtld_flags & RT_FL_SILENCERR) == 0) ||
2857	    (lml->lm_flags & LML_FLG_TRC_VERBOSE)))
2858		trace = 1;
2859	else
2860		trace = 0;
2861
2862	if ((trace == 0) && (DBG_ENABLED == 0))
2863		return;
2864
2865	if (rsymndx) {
2866		Sym	*symref = (Sym *)((ulong_t)SYMTAB(lmp) +
2867		    (rsymndx * SYMENT(lmp)));
2868
2869		if (ELF_ST_BIND(symref->st_info) != STB_LOCAL)
2870			name = (char *)(STRTAB(lmp) + symref->st_name);
2871	}
2872
2873	if (name == NULL)
2874		name = MSG_INTL(MSG_STR_UNKNOWN);
2875
2876	if (trace) {
2877		const char *rstr;
2878
2879		rstr = _conv_reloc_type((uint_t)rtype);
2880		(void) printf(MSG_INTL(MSG_LDD_REL_ERR1), rstr, name,
2881		    EC_ADDR(roffset));
2882		return;
2883	}
2884
2885	Dbg_reloc_error(lml, ELF_DBG_RTLD, M_MACH, M_REL_SHT_TYPE, rel, name);
2886}
2887
2888/*
2889 * Resolve a static TLS relocation.
2890 */
2891long
2892elf_static_tls(Rt_map *lmp, Sym *sym, void *rel, uchar_t rtype, char *name,
2893    ulong_t roffset, long value)
2894{
2895	Lm_list	*lml = LIST(lmp);
2896
2897	/*
2898	 * Relocations against a static TLS block have limited support once
2899	 * process initialization has completed.  Any error condition should be
2900	 * discovered by testing for DF_STATIC_TLS as part of loading an object,
2901	 * however individual relocations are tested in case the dynamic flag
2902	 * had not been set when this object was built.
2903	 */
2904	if (PTTLS(lmp) == NULL) {
2905		DBG_CALL(Dbg_reloc_in(lml, ELF_DBG_RTLD, M_MACH,
2906		    M_REL_SHT_TYPE, rel, NULL, 0, name));
2907		eprintf(lml, ERR_FATAL, MSG_INTL(MSG_REL_BADTLS),
2908		    _conv_reloc_type((uint_t)rtype), NAME(lmp),
2909		    name ? demangle(name) : MSG_INTL(MSG_STR_UNKNOWN));
2910		return (0);
2911	}
2912
2913	/*
2914	 * If no static TLS has been set aside for this object, determine if
2915	 * any can be obtained.  Enforce that any object using static TLS is
2916	 * non-deletable.
2917	 */
2918	if (TLSSTATOFF(lmp) == 0) {
2919		FLAGS1(lmp) |= FL1_RT_TLSSTAT;
2920		MODE(lmp) |= RTLD_NODELETE;
2921
2922		if (tls_assign(lml, lmp, PTTLS(lmp)) == 0) {
2923			DBG_CALL(Dbg_reloc_in(lml, ELF_DBG_RTLD, M_MACH,
2924			    M_REL_SHT_TYPE, rel, NULL, 0, name));
2925			eprintf(lml, ERR_FATAL, MSG_INTL(MSG_REL_BADTLS),
2926			    _conv_reloc_type((uint_t)rtype), NAME(lmp),
2927			    name ? demangle(name) : MSG_INTL(MSG_STR_UNKNOWN));
2928			return (0);
2929		}
2930	}
2931
2932	/*
2933	 * Typically, a static TLS offset is maintained as a symbols value.
2934	 * For local symbols that are not apart of the dynamic symbol table,
2935	 * the TLS relocation points to a section symbol, and the static TLS
2936	 * offset was deposited in the associated GOT table.  Make sure the GOT
2937	 * is cleared, so that the value isn't reused in do_reloc().
2938	 */
2939	if (ELF_ST_BIND(sym->st_info) == STB_LOCAL) {
2940		if ((ELF_ST_TYPE(sym->st_info) == STT_SECTION)) {
2941			value = *(long *)roffset;
2942			*(long *)roffset = 0;
2943		} else {
2944			value = sym->st_value;
2945		}
2946	}
2947	return (-(TLSSTATOFF(lmp) - value));
2948}
2949
2950/*
2951 * If the symbol is not found and the reference was not to a weak symbol, report
2952 * an error.  Weak references may be unresolved.
2953 */
2954int
2955elf_reloc_error(Rt_map *lmp, const char *name, void *rel, uint_t binfo)
2956{
2957	Lm_list	*lml = LIST(lmp);
2958
2959	/*
2960	 * Under crle(1), relocation failures are ignored.
2961	 */
2962	if (lml->lm_flags & LML_FLG_IGNRELERR)
2963		return (1);
2964
2965	/*
2966	 * Under ldd(1), unresolved references are reported.  However, if the
2967	 * original reference is EXTERN or PARENT these references are ignored
2968	 * unless ldd's -p option is in effect.
2969	 */
2970	if (lml->lm_flags & LML_FLG_TRC_WARN) {
2971		if (((binfo & DBG_BINFO_REF_MSK) == 0) ||
2972		    ((lml->lm_flags & LML_FLG_TRC_NOPAREXT) != 0)) {
2973			(void) printf(MSG_INTL(MSG_LDD_SYM_NFOUND),
2974			    demangle(name), NAME(lmp));
2975		}
2976		return (1);
2977	}
2978
2979	/*
2980	 * Otherwise, the unresolved references is fatal.
2981	 */
2982	DBG_CALL(Dbg_reloc_in(lml, ELF_DBG_RTLD, M_MACH, M_REL_SHT_TYPE, rel,
2983	    NULL, 0, name));
2984	eprintf(lml, ERR_FATAL, MSG_INTL(MSG_REL_NOSYM), NAME(lmp),
2985	    demangle(name));
2986
2987	return (0);
2988}
2989