1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22/*
23 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
24 */
25
26/*
27 *	Copyright (c) 1988 AT&T
28 *	  All Rights Reserved
29 */
30/*
31 * Copyright (c) 2012, Joyent, Inc.  All rights reserved.
32 */
33
34/*
35 * Run time linker common setup.
36 *
37 * Called from _setup to get the process going at startup.
38 */
39
40#include	<stdlib.h>
41#include	<fcntl.h>
42#include	<stdio.h>
43#include	<sys/types.h>
44#include	<sys/stat.h>
45#include	<sys/mman.h>
46#include	<string.h>
47#include	<unistd.h>
48#include	<dlfcn.h>
49#include	<sys/sysconfig.h>
50#include	<sys/auxv.h>
51#include	<debug.h>
52#include	<conv.h>
53#include	"_rtld.h"
54#include	"_audit.h"
55#include	"_elf.h"
56#include	"_a.out.h"
57#include	"msg.h"
58
59
60extern int	_end, _edata, _etext;
61extern void	_init(void);
62extern int	_brk_unlocked(void *);
63
64#ifndef	SGS_PRE_UNIFIED_PROCESS
65/* needed for _brk_unlocked() */
66void *_nd = &_end;
67#endif
68
69/*
70 * Counters that are incremented every time an object is mapped/unmapped.
71 *
72 * Note that exec() will usually map 2 objects before we receive control,
73 * but this can be 1 if ld.so.1 is executed directly. We count one of these
74 * here, and add another as necessary in setup().
75 */
76u_longlong_t	cnt_map = 1;
77u_longlong_t	cnt_unmap = 0;
78
79
80/*
81 * Define for the executable's interpreter.
82 * Usually it is ld.so.1, but for the first release of ICL binaries
83 * it is libc.so.1.  We keep this information so that we don't end
84 * up mapping libc twice if it is the interpreter.
85 */
86static Interp _interp;
87
88/*
89 * LD_PRELOAD objects.
90 */
91static int
92preload(const char *str, Rt_map *mlmp, Rt_map **clmp)
93{
94	Alist		*palp = NULL;
95	char		*objs, *ptr, *next;
96	Word		lmflags = lml_main.lm_flags;
97	int		lddstub;
98
99	DBG_CALL(Dbg_util_nl(&lml_main, DBG_NL_STD));
100
101	if ((objs = strdup(str)) == NULL)
102		return (0);
103
104	/*
105	 * Determine if we've been called from lddstub.
106	 */
107	lddstub = (lmflags & LML_FLG_TRC_ENABLE) &&
108	    (FLAGS1(*clmp) & FL1_RT_LDDSTUB);
109
110
111	for (ptr = strtok_r(objs, MSG_ORIG(MSG_STR_DELIMIT), &next);
112	    ptr != NULL;
113	    ptr = strtok_r(NULL, MSG_ORIG(MSG_STR_DELIMIT), &next)) {
114		Rt_map	*nlmp = NULL;
115		uint_t	flags;
116
117		DBG_CALL(Dbg_file_preload(&lml_main, ptr));
118
119		/*
120		 * Establish the flags for loading each object.  If we're
121		 * called via lddstub, then the first preloaded object is the
122		 * object being inspected by ldd(1).  This object should not be
123		 * marked as an interposer, as this object is intended to act
124		 * as the target object of the process.
125		 */
126		if (lddstub)
127			flags = FLG_RT_PRELOAD;
128		else
129			flags = (FLG_RT_PRELOAD | FLG_RT_OBJINTPO);
130
131		/*
132		 * If this a secure application, then preload errors are
133		 * reduced to warnings, as the errors are non-fatal.
134		 */
135		if (rtld_flags & RT_FL_SECURE)
136			rtld_flags2 |= RT_FL2_FTL2WARN;
137		if (expand_paths(*clmp, ptr, &palp, AL_CNT_NEEDED,
138		    PD_FLG_EXTLOAD, 0) != 0)
139			nlmp = load_one(&lml_main, ALIST_OFF_DATA, palp, *clmp,
140			    MODE(mlmp), flags, 0, NULL);
141		remove_alist(&palp, 0);
142		if (rtld_flags & RT_FL_SECURE)
143			rtld_flags2 &= ~RT_FL2_FTL2WARN;
144		if (nlmp && (bind_one(*clmp, nlmp, BND_NEEDED) == 0))
145			nlmp = NULL;
146
147		if (lddstub && nlmp) {
148			lddstub = 0;
149
150			/*
151			 * Fabricate a binding between the target shared object
152			 * and lddstub so that the target object isn't called
153			 * out from unused() processing.
154			 */
155			if (lmflags &
156			    (LML_FLG_TRC_UNREF | LML_FLG_TRC_UNUSED)) {
157				if (bind_one(*clmp, nlmp, BND_REFER) == 0)
158					nlmp = NULL;
159			}
160
161			/*
162			 * By identifying lddstub as the caller, several
163			 * confusing ldd() diagnostics get suppressed.  These
164			 * diagnostics would reveal how the target shared object
165			 * was found from lddstub.  Now that the real target is
166			 * loaded, identify the target as the caller so that all
167			 * ldd() diagnostics are enabled for subsequent objects.
168			 */
169			if (nlmp)
170				*clmp = nlmp;
171		}
172
173		/*
174		 * If no error occurred with loading this object, indicate that
175		 * this link-map list contains an interposer.
176		 */
177		if (nlmp == NULL) {
178			if ((lmflags & LML_FLG_TRC_ENABLE) ||
179			    (rtld_flags & RT_FL_SECURE))
180				continue;
181			else
182				return (0);
183		}
184		if (flags & FLG_RT_OBJINTPO)
185			lml_main.lm_flags |= LML_FLG_INTRPOSE;
186
187	}
188
189	free(palp);
190	free(objs);
191	return (1);
192}
193
194Rt_map *
195setup(char **envp, auxv_t *auxv, Word _flags, char *_platform, int _syspagsz,
196    char *_rtldname, ulong_t ld_base, ulong_t interp_base, int fd, Phdr *phdr,
197    char *execname, char **argv, uid_t uid, uid_t euid, gid_t gid, gid_t egid,
198    void *aoutdyn, int auxflags, uint_t *hwcap)
199{
200	Rt_map			*rlmp, *mlmp, *clmp, **tobj = NULL;
201	Ehdr			*ehdr;
202	rtld_stat_t		status;
203	int			features = 0, ldsoexec = 0;
204	size_t			eaddr, esize;
205	char			*str, *argvname;
206	Word			lmflags;
207	mmapobj_result_t	*mpp;
208	Fdesc			fdr = { 0 }, fdm = { 0 };
209	Rej_desc		rej = { 0 };
210	APlist			*ealp = NULL;
211
212	/*
213	 * Now that ld.so has relocated itself, initialize our own 'environ' so
214	 * as to establish an address suitable for any libc requirements.
215	 */
216	_environ = (char **)((ulong_t)auxv - sizeof (char *));
217	_init();
218	_environ = envp;
219
220	/*
221	 * Establish a base time.  Total time diagnostics start from entering
222	 * ld.so.1 here, however the base time is reset each time the ld.so.1
223	 * is re-entered.  Note also, there will be a large time associated
224	 * with the first diagnostic from ld.so.1, as bootstrapping ld.so.1
225	 * and establishing the liblddbg infrastructure takes some time.
226	 */
227	(void) gettimeofday(&DBG_TOTALTIME, NULL);
228	DBG_DELTATIME = DBG_TOTALTIME;
229
230	/*
231	 * Determine how ld.so.1 has been executed.
232	 */
233	if ((fd == -1) && (phdr == NULL)) {
234		/*
235		 * If we received neither the AT_EXECFD nor the AT_PHDR aux
236		 * vector, ld.so.1 must have been invoked directly from the
237		 * command line.
238		 */
239		ldsoexec = 1;
240
241		/*
242		 * AT_SUN_EXECNAME provides the most precise name, if it is
243		 * available, otherwise fall back to argv[0].  At this time,
244		 * there is no process name.
245		 */
246		if (execname)
247			rtldname = execname;
248		else if (argv[0])
249			rtldname = argv[0];
250		else
251			rtldname = (char *)MSG_INTL(MSG_STR_UNKNOWN);
252	} else {
253		/*
254		 * Otherwise, we have a standard process.  AT_SUN_EXECNAME
255		 * provides the most precise name, if it is available,
256		 * otherwise fall back to argv[0].  Provided the application
257		 * is already mapped, the process is the application, so
258		 * simplify the application name for use in any diagnostics.
259		 */
260		if (execname)
261			argvname = execname;
262		else if (argv[0])
263			argvname = execname = argv[0];
264		else
265			argvname = execname = (char *)MSG_INTL(MSG_STR_UNKNOWN);
266
267		if (fd == -1) {
268			if ((str = strrchr(argvname, '/')) != NULL)
269				procname = ++str;
270			else
271				procname = argvname;
272		}
273
274		/*
275		 * At this point, we don't know the runtime linkers full path
276		 * name.  The _rtldname passed to us is the SONAME of the
277		 * runtime linker, which is typically /lib/ld.so.1 no matter
278		 * what the full path is.   Use this for now, we'll reset the
279		 * runtime linkers name once the application is analyzed.
280		 */
281		if (_rtldname) {
282			if ((str = strrchr(_rtldname, '/')) != NULL)
283				rtldname = ++str;
284			else
285				rtldname = _rtldname;
286		} else
287			rtldname = (char *)MSG_INTL(MSG_STR_UNKNOWN);
288
289		/* exec() brought in two objects for us. Count the second one */
290		cnt_map++;
291	}
292
293	/*
294	 * Initialize any global variables.
295	 */
296	at_flags = _flags;
297
298	if ((org_scapset->sc_plat = _platform) != NULL)
299		org_scapset->sc_platsz = strlen(_platform);
300
301	if (org_scapset->sc_plat == NULL)
302		platform_name(org_scapset);
303	if (org_scapset->sc_mach == NULL)
304		machine_name(org_scapset);
305
306	/*
307	 * If pagesize is unspecified find its value.
308	 */
309	if ((syspagsz = _syspagsz) == 0)
310		syspagsz = _sysconfig(_CONFIG_PAGESIZE);
311
312	/*
313	 * Add the unused portion of the last data page to the free space list.
314	 * The page size must be set before doing this.  Here, _end refers to
315	 * the end of the runtime linkers bss.  Note that we do not use the
316	 * unused data pages from any included .so's to supplement this free
317	 * space as badly behaved .os's may corrupt this data space, and in so
318	 * doing ruin our data.
319	 */
320	eaddr = S_DROUND((size_t)&_end);
321	esize = eaddr % syspagsz;
322	if (esize) {
323		esize = syspagsz - esize;
324		addfree((void *)eaddr, esize);
325	}
326
327	/*
328	 * Establish initial link-map list flags, and link-map list alists.
329	 */
330	if (alist_append(&lml_main.lm_lists, NULL, sizeof (Lm_cntl),
331	    AL_CNT_LMLISTS) == NULL)
332		return (0);
333	lml_main.lm_flags |= LML_FLG_BASELM;
334	lml_main.lm_lmid = LM_ID_BASE;
335	lml_main.lm_lmidstr = (char *)MSG_ORIG(MSG_LMID_BASE);
336
337	if (alist_append(&lml_rtld.lm_lists, NULL, sizeof (Lm_cntl),
338	    AL_CNT_LMLISTS) == NULL)
339		return (0);
340	lml_rtld.lm_flags |= (LML_FLG_RTLDLM | LML_FLG_HOLDLOCK);
341	lml_rtld.lm_tflags |= LML_TFLG_NOAUDIT;
342	lml_rtld.lm_lmid = LM_ID_LDSO;
343	lml_rtld.lm_lmidstr = (char *)MSG_ORIG(MSG_LMID_LDSO);
344
345	/*
346	 * Determine whether we have a secure executable.
347	 */
348	security(uid, euid, gid, egid, auxflags);
349
350	/*
351	 * Make an initial pass of environment variables to pick off those
352	 * related to locale processing.  At the same time, collect and save
353	 * any LD_XXXX variables for later processing.  Note that this later
354	 * processing will be skipped if ld.so.1 is invoked from the command
355	 * line with -e LD_NOENVIRON.
356	 */
357	if (envp && (readenv_user((const char **)envp, &ealp) == 1))
358		return (0);
359
360	/*
361	 * If ld.so.1 has been invoked directly, process its arguments.
362	 */
363	if (ldsoexec) {
364		/*
365		 * Process any arguments that are specific to ld.so.1, and
366		 * reorganize the process stack to effectively remove ld.so.1
367		 * from the stack.  Reinitialize the environment pointer, as
368		 * this pointer may have been shifted after skipping ld.so.1's
369		 * arguments.
370		 */
371		if (rtld_getopt(argv, &envp, &auxv, &(lml_main.lm_flags),
372		    &(lml_main.lm_tflags), (aoutdyn != 0)) == 1) {
373			eprintf(&lml_main, ERR_NONE, MSG_INTL(MSG_USG_BADOPT));
374			return (0);
375		}
376		_environ = envp;
377
378		/*
379		 * Open the object that ld.so.1 is to execute.
380		 */
381		argvname = execname = argv[0];
382
383		if ((fd = open(argvname, O_RDONLY)) == -1) {
384			int	err = errno;
385			eprintf(&lml_main, ERR_FATAL, MSG_INTL(MSG_SYS_OPEN),
386			    argvname, strerror(err));
387			return (0);
388		}
389	}
390
391	/*
392	 * Having processed any ld.so.1 command line options, return to process
393	 * any LD_XXXX environment variables.
394	 */
395	if (ealp) {
396		if (((rtld_flags & RT_FL_NOENVIRON) == 0) &&
397		    (procenv_user(ealp, &(lml_main.lm_flags),
398		    &(lml_main.lm_tflags), (aoutdyn != 0)) == 1))
399			return (0);
400		free(ealp);
401	}
402
403	/*
404	 * Initialize a hardware capability descriptor for use in comparing
405	 * each loaded object.  The aux vector must provide AF_SUN_HWCAPVERIFY,
406	 * as prior to this setting any hardware capabilities that were found
407	 * could not be relied upon.
408	 */
409	if (auxflags & AF_SUN_HWCAPVERIFY) {
410		rtld_flags2 |= RT_FL2_HWCAP;
411		org_scapset->sc_hw_1 = (Xword)hwcap[0];
412		org_scapset->sc_hw_2 = (Xword)hwcap[1];
413	}
414
415	/*
416	 * Create a mapping descriptor for ld.so.1.  We can determine our
417	 * two segments information from known symbols.
418	 */
419	if ((mpp = calloc(2, sizeof (mmapobj_result_t))) == NULL)
420		return (0);
421	mpp[0].mr_addr = (caddr_t)M_PTRUNC(ld_base);
422	mpp[0].mr_msize = (caddr_t)&_etext - mpp[0].mr_addr;
423	mpp[0].mr_fsize = mpp[0].mr_msize;
424	mpp[0].mr_prot = (PROT_READ | PROT_EXEC);
425
426	mpp[1].mr_addr = (caddr_t)M_PTRUNC((uintptr_t)&r_debug);
427	mpp[1].mr_msize = (caddr_t)&_end - mpp[1].mr_addr;
428	mpp[1].mr_fsize = (caddr_t)&_edata - mpp[1].mr_addr;
429	mpp[1].mr_prot = (PROT_READ | PROT_WRITE | PROT_EXEC);
430
431	if ((fdr.fd_nname = stravl_insert(_rtldname, 0, 0, 0)) == NULL)
432		return (0);
433	if ((rlmp = elf_new_lmp(&lml_rtld, ALIST_OFF_DATA, &fdr,
434	    (Addr)mpp->mr_addr, (size_t)((uintptr_t)eaddr - (uintptr_t)ld_base),
435	    NULL, NULL, NULL)) == NULL)
436		return (0);
437
438	MMAPS(rlmp) = mpp;
439	MMAPCNT(rlmp) = 2;
440	PADSTART(rlmp) = (ulong_t)mpp[0].mr_addr;
441	PADIMLEN(rlmp) = (ulong_t)mpp[0].mr_addr + (ulong_t)mpp[1].mr_addr +
442	    (ulong_t)mpp[1].mr_msize;
443
444	MODE(rlmp) |= (RTLD_LAZY | RTLD_NODELETE | RTLD_GLOBAL | RTLD_WORLD);
445	FLAGS(rlmp) |= (FLG_RT_ANALYZED | FLG_RT_RELOCED | FLG_RT_INITDONE |
446	    FLG_RT_INITCLCT | FLG_RT_FINICLCT | FLG_RT_MODESET);
447
448	/*
449	 * Initialize the runtime linkers information.
450	 */
451	interp = &_interp;
452	interp->i_name = (char *)rtldname;
453	interp->i_faddr = (caddr_t)ADDR(rlmp);
454	ldso_plt_init(rlmp);
455
456	/*
457	 * Map in the file, if exec has not already done so, or if the file
458	 * was passed as an argument to an explicit execution of ld.so.1 from
459	 * the command line.
460	 */
461	if (fd != -1) {
462		/*
463		 * Map the file.  Once the object is mapped we no longer need
464		 * the file descriptor.
465		 */
466		(void) rtld_fstat(fd, &status);
467		fdm.fd_oname = argvname;
468		fdm.fd_ftp = map_obj(&lml_main, &fdm, status.st_size, argvname,
469		    fd, &rej);
470		(void) close(fd);
471
472		if (fdm.fd_ftp == NULL) {
473			Conv_reject_desc_buf_t rej_buf;
474
475			eprintf(&lml_main, ERR_FATAL,
476			    MSG_INTL(err_reject[rej.rej_type]), argvname,
477			    conv_reject_desc(&rej, &rej_buf, M_MACH));
478			return (0);
479		}
480
481		/*
482		 * Finish processing the loading of the file.
483		 */
484		if ((fdm.fd_nname = stravl_insert(argvname, 0, 0, 0)) == NULL)
485			return (0);
486		fdm.fd_dev = status.st_dev;
487		fdm.fd_ino = status.st_ino;
488
489		if ((mlmp = load_file(&lml_main, ALIST_OFF_DATA, NULL, &fdm,
490		    NULL)) == NULL)
491			return (0);
492
493		/*
494		 * We now have a process name for error diagnostics.
495		 */
496		if ((str = strrchr(argvname, '/')) != NULL)
497			procname = ++str;
498		else
499			procname = argvname;
500
501		if (ldsoexec) {
502			mmapobj_result_t	*mpp = MMAPS(mlmp);
503			uint_t			mnum, mapnum = MMAPCNT(mlmp);
504			void			*brkbase = NULL;
505
506			/*
507			 * Since ld.so.1 was the primary executed object - the
508			 * brk() base has not yet been initialized, we need to
509			 * initialize it.  For an executable, initialize it to
510			 * the end of the object.  For a shared object (ET_DYN)
511			 * initialize it to the first page in memory.
512			 */
513			for (mnum = 0; mnum < mapnum; mnum++, mpp++)
514				brkbase = mpp->mr_addr + mpp->mr_msize;
515
516			if (brkbase == NULL)
517				brkbase = (void *)syspagsz;
518
519			if (_brk_unlocked(brkbase) == -1) {
520				int	err = errno;
521
522				eprintf(&lml_main, ERR_FATAL,
523				    MSG_INTL(MSG_SYS_BRK), argvname,
524				    strerror(err));
525				return (0);
526			}
527		}
528	} else {
529		/*
530		 * Set up function ptr and arguments according to the type
531		 * of file class the executable is. (Currently only supported
532		 * types are ELF and a.out format.)  Then create a link map
533		 * for the executable.
534		 */
535		if (aoutdyn) {
536#ifdef A_OUT
537			mmapobj_result_t	*mpp;
538
539			/*
540			 * Create a mapping structure sufficient to describe
541			 * a single two segments.  The ADDR() of the a.out is
542			 * established as 0, which is required but the AOUT
543			 * relocation code.
544			 */
545			if ((mpp =
546			    calloc(sizeof (mmapobj_result_t), 2)) == NULL)
547				return (0);
548
549			if ((fdm.fd_nname =
550			    stravl_insert(execname, 0, 0, 0)) == NULL)
551				return (0);
552			if ((mlmp = aout_new_lmp(&lml_main, ALIST_OFF_DATA,
553			    &fdm, 0, 0, aoutdyn, NULL, NULL)) == NULL)
554				return (0);
555
556			/*
557			 * Establish the true mapping information for the a.out.
558			 */
559			if (aout_get_mmap(&lml_main, mpp)) {
560				free(mpp);
561				return (0);
562			}
563
564			MSIZE(mlmp) =
565			    (size_t)(mpp[1].mr_addr + mpp[1].mr_msize) -
566			    S_ALIGN((size_t)mpp[0].mr_addr, syspagsz);
567			MMAPS(mlmp) = mpp;
568			MMAPCNT(mlmp) = 2;
569			PADSTART(mlmp) = (ulong_t)mpp->mr_addr;
570			PADIMLEN(mlmp) = mpp->mr_msize;
571
572			/*
573			 * Disable any object configuration cache (BCP apps
574			 * bring in sbcp which can benefit from any object
575			 * cache, but both the app and sbcp can't use the same
576			 * objects).
577			 */
578			rtld_flags |= RT_FL_NOOBJALT;
579
580			/*
581			 * Make sure no-direct bindings are in effect.
582			 */
583			lml_main.lm_tflags |= LML_TFLG_NODIRECT;
584#else
585			eprintf(&lml_main, ERR_FATAL,
586			    MSG_INTL(MSG_ERR_REJ_UNKFILE), argvname);
587			return (0);
588#endif
589		} else if (phdr) {
590			Phdr			*pptr;
591			Off			i_offset = 0;
592			Addr			base = 0;
593			ulong_t			phsize;
594			mmapobj_result_t	*mpp, *fmpp, *hmpp = NULL;
595			uint_t			mapnum = 0;
596			int			i;
597			size_t			msize;
598
599			/*
600			 * Using the executables phdr address determine the base
601			 * address of the input file.  NOTE, this assumes the
602			 * program headers and elf header are part of the same
603			 * mapped segment.  Although this has held for many
604			 * years now, it might be more flexible if the kernel
605			 * gave use the ELF headers start address, rather than
606			 * the Program headers.
607			 *
608			 * Determine from the ELF header if we're been called
609			 * from a shared object or dynamic executable.  If the
610			 * latter, then any addresses within the object are used
611			 * as is.  Addresses within shared objects must be added
612			 * to the process's base address.
613			 */
614			ehdr = (Ehdr *)((Addr)phdr - phdr->p_offset);
615			phsize = ehdr->e_phentsize;
616			if (ehdr->e_type == ET_DYN)
617				base = (Addr)ehdr;
618
619			/*
620			 * Allocate a mapping array to retain mapped segment
621			 * information.
622			 */
623			if ((fmpp = mpp = calloc(ehdr->e_phnum,
624			    sizeof (mmapobj_result_t))) == NULL)
625				return (0);
626
627			/*
628			 * Extract the needed information from the segment
629			 * headers.
630			 */
631			for (i = 0, pptr = phdr; i < ehdr->e_phnum; i++) {
632				if (pptr->p_type == PT_INTERP) {
633					i_offset = pptr->p_offset;
634					interp->i_faddr =
635					    (caddr_t)interp_base;
636				}
637				if ((pptr->p_type == PT_LOAD) &&
638				    (pptr->p_filesz || pptr->p_memsz)) {
639					int	perm = (PROT_READ | PROT_EXEC);
640					size_t	off;
641
642					if (i_offset && pptr->p_filesz &&
643					    (i_offset >= pptr->p_offset) &&
644					    (i_offset <=
645					    (pptr->p_memsz + pptr->p_offset))) {
646						interp->i_name = (char *)
647						    pptr->p_vaddr + i_offset -
648						    pptr->p_offset + base;
649						i_offset = 0;
650					}
651
652					if (pptr->p_flags & PF_W)
653						perm |= PROT_WRITE;
654
655					/*
656					 * Retain segments mapping info.  Round
657					 * each segment to a page boundary, as
658					 * this insures addresses are suitable
659					 * for mprotect() if required.
660					 */
661					off = pptr->p_vaddr + base;
662					if (hmpp == NULL) {
663						hmpp = mpp;
664						mpp->mr_addr = (caddr_t)ehdr;
665					} else
666						mpp->mr_addr = (caddr_t)off;
667
668					off -= (size_t)(uintptr_t)mpp->mr_addr;
669					mpp->mr_msize = pptr->p_memsz + off;
670					mpp->mr_fsize = pptr->p_filesz + off;
671					mpp->mr_prot = perm;
672
673					mpp++, mapnum++;
674				}
675
676				pptr = (Phdr *)((ulong_t)pptr + phsize);
677			}
678
679			mpp--;
680			msize = (size_t)(mpp->mr_addr + mpp->mr_msize) -
681			    S_ALIGN((size_t)fmpp->mr_addr, syspagsz);
682
683			if ((fdm.fd_nname =
684			    stravl_insert(execname, 0, 0, 0)) == NULL)
685				return (0);
686			if ((mlmp = elf_new_lmp(&lml_main, ALIST_OFF_DATA,
687			    &fdm, (Addr)hmpp->mr_addr, msize,
688			    NULL, NULL, NULL)) == NULL)
689				return (0);
690
691			MMAPS(mlmp) = fmpp;
692			MMAPCNT(mlmp) = mapnum;
693			PADSTART(mlmp) = (ulong_t)fmpp->mr_addr;
694			PADIMLEN(mlmp) = (ulong_t)fmpp->mr_addr +
695			    (ulong_t)mpp->mr_addr + (ulong_t)mpp->mr_msize;
696		}
697	}
698
699	/*
700	 * Establish the interpretors name as that defined within the initial
701	 * object (executable).  This provides for ORIGIN processing of ld.so.1
702	 * dependencies.  Note, the NAME() of the object remains that which was
703	 * passed to us as the SONAME on execution.
704	 */
705	if (ldsoexec == 0) {
706		size_t	len = strlen(interp->i_name);
707
708		if (expand(&interp->i_name, &len, 0, 0,
709		    (PD_TKN_ISALIST | PD_TKN_CAP), rlmp) & PD_TKN_RESOLVED)
710			fdr.fd_flags |= FLG_FD_RESOLVED;
711	}
712	fdr.fd_pname = interp->i_name;
713	(void) fullpath(rlmp, &fdr);
714
715	/*
716	 * The runtime linker acts as a filtee for various dl*() functions that
717	 * are defined in libc (and libdl).  Make sure this standard name for
718	 * the runtime linker is also registered in the FullPathNode AVL tree.
719	 */
720	(void) fpavl_insert(&lml_rtld, rlmp, _rtldname, 0);
721
722	/*
723	 * Having established the true runtime linkers name, simplify the name
724	 * for error diagnostics.
725	 */
726	if ((str = strrchr(PATHNAME(rlmp), '/')) != NULL)
727		rtldname = ++str;
728	else
729		rtldname = PATHNAME(rlmp);
730
731	/*
732	 * Expand the fullpath name of the application.  This typically occurs
733	 * as a part of loading an object, but as the kernel probably mapped
734	 * it in, complete this processing now.
735	 */
736	(void) fullpath(mlmp, 0);
737
738	/*
739	 * Some troublesome programs will change the value of argv[0].  Dupping
740	 * the process string protects us, and insures the string is left in
741	 * any core files.
742	 */
743	if ((str = (char *)strdup(procname)) == NULL)
744		return (0);
745	procname = str;
746
747	FLAGS(mlmp) |= (FLG_RT_ISMAIN | FLG_RT_MODESET);
748	FLAGS1(mlmp) |= FL1_RT_USED;
749
750	/*
751	 * It's the responsibility of MAIN(crt0) to call it's _init and _fini
752	 * section, therefore null out any INIT/FINI so that this object isn't
753	 * collected during tsort processing.  And, if the application has no
754	 * initarray or finiarray we can economize on establishing bindings.
755	 */
756	INIT(mlmp) = FINI(mlmp) = NULL;
757	if ((INITARRAY(mlmp) == NULL) && (FINIARRAY(mlmp) == NULL))
758		FLAGS1(mlmp) |= FL1_RT_NOINIFIN;
759
760	/*
761	 * Identify lddstub if necessary.
762	 */
763	if (lml_main.lm_flags & LML_FLG_TRC_LDDSTUB)
764		FLAGS1(mlmp) |= FL1_RT_LDDSTUB;
765
766	/*
767	 * Retain our argument information for use in dlinfo.
768	 */
769	argsinfo.dla_argv = argv--;
770	argsinfo.dla_argc = (long)*argv;
771	argsinfo.dla_envp = envp;
772	argsinfo.dla_auxv = auxv;
773
774	(void) enter(0);
775
776	/*
777	 * Add our two main link-maps to the dynlm_list
778	 */
779	if (aplist_append(&dynlm_list, &lml_main, AL_CNT_DYNLIST) == NULL)
780		return (0);
781
782	if (aplist_append(&dynlm_list, &lml_rtld, AL_CNT_DYNLIST) == NULL)
783		return (0);
784
785	/*
786	 * Reset the link-map counts for both lists.  The init count is used to
787	 * track how many objects have pending init sections, this gets incre-
788	 * mented each time an object is relocated.  Since ld.so.1 relocates
789	 * itself, it's init count will remain zero.
790	 * The object count is used to track how many objects have pending fini
791	 * sections, as ld.so.1 handles its own fini we can zero its count.
792	 */
793	lml_main.lm_obj = 1;
794	lml_rtld.lm_obj = 0;
795
796	/*
797	 * Initialize debugger information structure.  Some parts of this
798	 * structure were initialized statically.
799	 */
800	r_debug.rtd_rdebug.r_map = (Link_map *)lml_main.lm_head;
801	r_debug.rtd_rdebug.r_ldsomap = (Link_map *)lml_rtld.lm_head;
802	r_debug.rtd_rdebug.r_ldbase = r_debug.rtd_rdebug.r_ldsomap->l_addr;
803	r_debug.rtd_dynlmlst = &dynlm_list;
804
805	/*
806	 * Determine the dev/inode information for the executable to complete
807	 * load_so() checking for those who might dlopen(a.out).
808	 */
809	if (rtld_stat(PATHNAME(mlmp), &status) == 0) {
810		STDEV(mlmp) = status.st_dev;
811		STINO(mlmp) = status.st_ino;
812	}
813
814	/*
815	 * Initialize any configuration information.
816	 */
817	if (!(rtld_flags & RT_FL_NOCFG)) {
818		if ((features = elf_config(mlmp, (aoutdyn != 0))) == -1)
819			return (0);
820	}
821
822#if	defined(_ELF64)
823	/*
824	 * If this is a 64-bit process, determine whether this process has
825	 * restricted the process address space to 32-bits.  Any dependencies
826	 * that are restricted to a 32-bit address space can only be loaded if
827	 * the executable has established this requirement.
828	 */
829	if (CAPSET(mlmp).sc_sf_1 & SF1_SUNW_ADDR32)
830		rtld_flags2 |= RT_FL2_ADDR32;
831#endif
832	/*
833	 * Establish any alternative capabilities, and validate this object
834	 * if it defines it's own capabilities information.
835	 */
836	if (cap_alternative() == 0)
837		return (0);
838
839	if (cap_check_lmp(mlmp, &rej) == 0) {
840		if (lml_main.lm_flags & LML_FLG_TRC_ENABLE) {
841			/* LINTED */
842			(void) printf(MSG_INTL(ldd_warn[rej.rej_type]),
843			    NAME(mlmp), rej.rej_str);
844		} else {
845			/* LINTED */
846			eprintf(&lml_main, ERR_FATAL,
847			    MSG_INTL(err_reject[rej.rej_type]),
848			    NAME(mlmp), rej.rej_str);
849			return (0);
850		}
851	}
852
853	/*
854	 * Establish the modes of the initial object.  These modes are
855	 * propagated to any preloaded objects and explicit shared library
856	 * dependencies.
857	 *
858	 * If we're generating a configuration file using crle(1), remove
859	 * any RTLD_NOW use, as we don't want to trigger any relocation proc-
860	 * essing during crle(1)'s first past (this would just be unnecessary
861	 * overhead).  Any filters are explicitly loaded, and thus RTLD_NOW is
862	 * not required to trigger filter loading.
863	 *
864	 * Note, RTLD_NOW may have been established during analysis of the
865	 * application had the application been built -z now.
866	 */
867	MODE(mlmp) |= (RTLD_NODELETE | RTLD_GLOBAL | RTLD_WORLD);
868
869	if (rtld_flags & RT_FL_CONFGEN) {
870		MODE(mlmp) |= RTLD_CONFGEN;
871		MODE(mlmp) &= ~RTLD_NOW;
872		rtld_flags2 &= ~RT_FL2_BINDNOW;
873	}
874
875	if ((MODE(mlmp) & RTLD_NOW) == 0) {
876		if (rtld_flags2 & RT_FL2_BINDNOW)
877			MODE(mlmp) |= RTLD_NOW;
878		else
879			MODE(mlmp) |= RTLD_LAZY;
880	}
881
882	/*
883	 * If debugging was requested initialize things now that any cache has
884	 * been established.  A user can specify LD_DEBUG=help to discover the
885	 * list of debugging tokens available without running the application.
886	 * However, don't allow this setting from a configuration file.
887	 *
888	 * Note, to prevent recursion issues caused by loading and binding the
889	 * debugging libraries themselves, a local debugging descriptor is
890	 * initialized.  Once the debugging setup has completed, this local
891	 * descriptor is copied to the global descriptor which effectively
892	 * enables diagnostic output.
893	 *
894	 * Ignore any debugging request if we're being monitored by a process
895	 * that expects the old getpid() initialization handshake.
896	 */
897	if ((rpl_debug || prm_debug) && ((rtld_flags & RT_FL_DEBUGGER) == 0)) {
898		Dbg_desc	_dbg_desc = {0};
899		struct timeval	total = DBG_TOTALTIME;
900		struct timeval	delta = DBG_DELTATIME;
901
902		if (rpl_debug) {
903			if (dbg_setup(rpl_debug, &_dbg_desc) == 0)
904				return (0);
905			if (_dbg_desc.d_extra & DBG_E_HELP_EXIT)
906				rtldexit(&lml_main, 0);
907		}
908		if (prm_debug)
909			(void) dbg_setup(prm_debug, &_dbg_desc);
910
911		*dbg_desc = _dbg_desc;
912		DBG_TOTALTIME = total;
913		DBG_DELTATIME = delta;
914	}
915
916	/*
917	 * Now that debugging is enabled generate any diagnostics from any
918	 * previous events.
919	 */
920	if (DBG_ENABLED) {
921		DBG_CALL(Dbg_cap_val(&lml_main, org_scapset, alt_scapset,
922		    M_MACH));
923		DBG_CALL(Dbg_file_config_dis(&lml_main, config->c_name,
924		    features));
925
926		DBG_CALL(Dbg_file_ldso(rlmp, envp, auxv,
927		    LIST(rlmp)->lm_lmidstr, ALIST_OFF_DATA));
928
929		if (THIS_IS_ELF(mlmp)) {
930			DBG_CALL(Dbg_file_elf(&lml_main, PATHNAME(mlmp),
931			    ADDR(mlmp), MSIZE(mlmp), LIST(mlmp)->lm_lmidstr,
932			    ALIST_OFF_DATA));
933		} else {
934			DBG_CALL(Dbg_file_aout(&lml_main, PATHNAME(mlmp),
935			    ADDR(mlmp), MSIZE(mlmp), LIST(mlmp)->lm_lmidstr,
936			    ALIST_OFF_DATA));
937		}
938	}
939
940	/*
941	 * Enable auditing.
942	 */
943	if (rpl_audit || prm_audit || profile_lib) {
944		int		ndx;
945		const char	*aud[3];
946
947		aud[0] = rpl_audit;
948		aud[1] = prm_audit;
949		aud[2] = profile_lib;
950
951		/*
952		 * Any global auditing (set using LD_AUDIT or LD_PROFILE) that
953		 * can't be established is non-fatal.
954		 */
955		if ((auditors = calloc(1, sizeof (Audit_desc))) == NULL)
956			return (0);
957
958		for (ndx = 0; ndx < 3; ndx++) {
959			if (aud[ndx]) {
960				if ((auditors->ad_name =
961				    strdup(aud[ndx])) == NULL)
962					return (0);
963				rtld_flags2 |= RT_FL2_FTL2WARN;
964				(void) audit_setup(mlmp, auditors,
965				    PD_FLG_EXTLOAD, NULL);
966				rtld_flags2 &= ~RT_FL2_FTL2WARN;
967			}
968		}
969		lml_main.lm_tflags |= auditors->ad_flags;
970	}
971	if (AUDITORS(mlmp)) {
972		/*
973		 * Any object required auditing (set with a DT_DEPAUDIT dynamic
974		 * entry) that can't be established is fatal.
975		 */
976		if (FLAGS1(mlmp) & FL1_RT_GLOBAUD) {
977			/*
978			 * If this object requires global auditing, use the
979			 * local auditing information to set the global
980			 * auditing descriptor.  The effect is that a
981			 * DT_DEPAUDIT act as an LD_AUDIT.
982			 */
983			if ((auditors == NULL) && ((auditors = calloc(1,
984			    sizeof (Audit_desc))) == NULL))
985				return (0);
986
987			auditors->ad_name = AUDITORS(mlmp)->ad_name;
988			if (audit_setup(mlmp, auditors, 0, NULL) == 0)
989				return (0);
990			lml_main.lm_tflags |= auditors->ad_flags;
991
992			/*
993			 * Clear the local auditor information.
994			 */
995			free((void *) AUDITORS(mlmp));
996			AUDITORS(mlmp) = NULL;
997
998		} else {
999			/*
1000			 * Establish any local auditing.
1001			 */
1002			if (audit_setup(mlmp, AUDITORS(mlmp), 0, NULL) == 0)
1003				return (0);
1004
1005			AFLAGS(mlmp) |= AUDITORS(mlmp)->ad_flags;
1006			lml_main.lm_flags |= LML_FLG_LOCAUDIT;
1007		}
1008	}
1009
1010	/*
1011	 * Explicitly add the initial object and ld.so.1 to those objects being
1012	 * audited.  Note, although the ld.so.1 link-map isn't auditable,
1013	 * establish a cookie for ld.so.1 as this may be bound to via the
1014	 * dl*() family.
1015	 */
1016	if ((lml_main.lm_tflags | AFLAGS(mlmp)) & LML_TFLG_AUD_MASK) {
1017		if (((audit_objopen(mlmp, mlmp) == 0) ||
1018		    (audit_objopen(mlmp, rlmp) == 0)) &&
1019		    (AFLAGS(mlmp) & LML_TFLG_AUD_MASK))
1020			return (0);
1021	}
1022
1023	/*
1024	 * Map in any preloadable shared objects.  Establish the caller as the
1025	 * head of the main link-map list.  In the case of being exercised from
1026	 * lddstub, the caller gets reassigned to the first target shared object
1027	 * so as to provide intuitive diagnostics from ldd().
1028	 *
1029	 * Note, it is valid to preload a 4.x shared object with a 5.0
1030	 * executable (or visa-versa), as this functionality is required by
1031	 * ldd(1).
1032	 */
1033	clmp = mlmp;
1034	if (rpl_preload && (preload(rpl_preload, mlmp, &clmp) == 0))
1035		return (0);
1036	if (prm_preload && (preload(prm_preload, mlmp, &clmp) == 0))
1037		return (0);
1038
1039	/*
1040	 * Load all dependent (needed) objects.
1041	 */
1042	if (analyze_lmc(&lml_main, ALIST_OFF_DATA, mlmp, mlmp, NULL) == NULL)
1043		return (0);
1044
1045	/*
1046	 * Relocate all the dependencies we've just added.
1047	 *
1048	 * If this process has been established via crle(1), the environment
1049	 * variable LD_CONFGEN will have been set.  crle(1) may create this
1050	 * process twice.  The first time crle only needs to gather dependency
1051	 * information.  The second time, is to dldump() the images.
1052	 *
1053	 * If we're only gathering dependencies, relocation is unnecessary.
1054	 * As crle(1) may be building an arbitrary family of objects, they may
1055	 * not fully relocate either.  Hence the relocation phase is not carried
1056	 * out now, but will be called by crle(1) once all objects have been
1057	 * loaded.
1058	 */
1059	if ((rtld_flags & RT_FL_CONFGEN) == 0) {
1060
1061		DBG_CALL(Dbg_util_nl(&lml_main, DBG_NL_STD));
1062
1063		if (relocate_lmc(&lml_main, ALIST_OFF_DATA, mlmp,
1064		    mlmp, NULL) == 0)
1065			return (0);
1066
1067		/*
1068		 * Inform the debuggers that basic process initialization is
1069		 * complete, and that the state of ld.so.1 (link-map lists,
1070		 * etc.) is stable.  This handshake enables the debugger to
1071		 * initialize themselves, and consequently allows the user to
1072		 * set break points in .init code.
1073		 *
1074		 * Most new debuggers use librtld_db to monitor activity events.
1075		 * Older debuggers indicated their presence by setting the
1076		 * DT_DEBUG entry in the dynamic executable (see elf_new_lm()).
1077		 * In this case, getpid() is called so that the debugger can
1078		 * catch the system call.  This old mechanism has some
1079		 * restrictions, as getpid() should not be called prior to
1080		 * basic process initialization being completed.  This
1081		 * restriction has become increasingly difficult to maintain,
1082		 * as the use of auditors, LD_DEBUG, and the initialization
1083		 * handshake with libc can result in "premature" getpid()
1084		 * calls.  The use of this getpid() handshake is expected to
1085		 * disappear at some point in the future, and there is intent
1086		 * to work towards that goal.
1087		 */
1088		rd_event(&lml_main, RD_DLACTIVITY, RT_CONSISTENT);
1089		rd_event(&lml_rtld, RD_DLACTIVITY, RT_CONSISTENT);
1090
1091		if (rtld_flags & RT_FL_DEBUGGER) {
1092			r_debug.rtd_rdebug.r_flags |= RD_FL_ODBG;
1093			(void) getpid();
1094		}
1095	}
1096
1097	/*
1098	 * Indicate preinit activity, and call any auditing routines.  These
1099	 * routines are called before initializing any threads via libc, or
1100	 * before collecting the complete set of .inits on the primary link-map.
1101	 * Although most libc interfaces are encapsulated in local routines
1102	 * within libc, they have been known to escape (ie. call a .plt).  As
1103	 * the appcert auditor uses preinit as a trigger to establish some
1104	 * external interfaces to the main link-maps libc, we need to activate
1105	 * this trigger before exercising any code within libc.  Additionally,
1106	 * I wouldn't put it past an auditor to add additional objects to the
1107	 * primary link-map.  Hence, we collect .inits after the audit call.
1108	 */
1109	rd_event(&lml_main, RD_PREINIT, 0);
1110
1111	if (aud_activity ||
1112	    ((lml_main.lm_tflags | AFLAGS(mlmp)) & LML_TFLG_AUD_ACTIVITY))
1113		audit_activity(mlmp, LA_ACT_CONSISTENT);
1114	if (aud_preinit ||
1115	    ((lml_main.lm_tflags | AFLAGS(mlmp)) & LML_TFLG_AUD_PREINIT))
1116		audit_preinit(mlmp);
1117
1118	/*
1119	 * If we're creating initial configuration information, we're done
1120	 * now that the auditing step has been called.
1121	 */
1122	if (rtld_flags & RT_FL_CONFGEN) {
1123		leave(LIST(mlmp), 0);
1124		return (mlmp);
1125	}
1126
1127	/*
1128	 * Sort the .init sections of all objects we've added.  If we're
1129	 * tracing we only need to execute this under ldd(1) with the -i or -u
1130	 * options.
1131	 */
1132	lmflags = lml_main.lm_flags;
1133	if (((lmflags & LML_FLG_TRC_ENABLE) == 0) ||
1134	    (lmflags & (LML_FLG_TRC_INIT | LML_FLG_TRC_UNREF))) {
1135		if ((tobj = tsort(mlmp, LIST(mlmp)->lm_init,
1136		    RT_SORT_REV)) == (Rt_map **)S_ERROR)
1137			return (0);
1138	}
1139
1140	/*
1141	 * If we are tracing we're done.  This is the one legitimate use of a
1142	 * direct call to rtldexit() rather than return, as we don't want to
1143	 * return and jump to the application.
1144	 */
1145	if (lmflags & LML_FLG_TRC_ENABLE) {
1146		unused(&lml_main);
1147		rtldexit(&lml_main, 0);
1148	}
1149
1150	/*
1151	 * Check if this instance of the linker should have a primary link
1152	 * map.  This flag allows multiple copies of the -same- -version-
1153	 * of the linker (and libc) to run in the same address space.
1154	 *
1155	 * Without this flag we only support one copy of the linker in a
1156	 * process because by default the linker will always try to
1157	 * initialize at one primary link map  The copy of libc which is
1158	 * initialized on a primary link map will initialize global TLS
1159	 * data which can be shared with other copies of libc in the
1160	 * process.  The problem is that if there is more than one copy
1161	 * of the linker, only one copy should link libc onto a primary
1162	 * link map, otherwise libc will attempt to re-initialize global
1163	 * TLS data.  So when a copy of the linker is loaded with this
1164	 * flag set, it will not initialize any primary link maps since
1165	 * presumably another copy of the linker will do this.
1166	 *
1167	 * Note that this flag only allows multiple copies of the -same-
1168	 * -version- of the linker (and libc) to coexist.  This approach
1169	 * will not work if we are trying to load different versions of
1170	 * the linker and libc into the same process.  The reason for
1171	 * this is that the format of the global TLS data may not be
1172	 * the same for different versions of libc.  In this case each
1173	 * different version of libc must have it's own primary link map
1174	 * and be able to maintain it's own TLS data.  The only way this
1175	 * can be done is by carefully managing TLS pointers on transitions
1176	 * between code associated with each of the different linkers.
1177	 * Note that this is actually what is done for processes in lx
1178	 * branded zones.  Although in the lx branded zone case, the
1179	 * other linker and libc are actually gld and glibc.  But the
1180	 * same general TLS management mechanism used by the lx brand
1181	 * would apply to any attempts to run multiple versions of the
1182	 * solaris linker and libc in a single process.
1183	 */
1184	if (auxflags & AF_SUN_NOPLM)
1185		rtld_flags2 |= RT_FL2_NOPLM;
1186
1187	/*
1188	 * Establish any static TLS for this primary link-map.  Note, regardless
1189	 * of whether TLS is available, an initial handshake occurs with libc to
1190	 * indicate we're processing the primary link-map.  Having identified
1191	 * the primary link-map, initialize threads.
1192	 */
1193	if (rt_get_extern(&lml_main, mlmp) == 0)
1194		return (0);
1195
1196	if ((rtld_flags2 & RT_FL2_NOPLM) == 0) {
1197		if (tls_statmod(&lml_main, mlmp) == 0)
1198			return (0);
1199		rt_thr_init(&lml_main);
1200		rtld_flags2 |= RT_FL2_PLMSETUP;
1201	} else {
1202		rt_thr_init(&lml_main);
1203	}
1204
1205	/*
1206	 * Fire all dependencies .init sections.  Identify any unused
1207	 * dependencies, and leave the runtime linker - effectively calling
1208	 * the dynamic executables entry point.
1209	 */
1210	call_array(PREINITARRAY(mlmp), (uint_t)PREINITARRAYSZ(mlmp), mlmp,
1211	    SHT_PREINIT_ARRAY);
1212
1213	if (tobj)
1214		call_init(tobj, DBG_INIT_SORT);
1215
1216	rd_event(&lml_main, RD_POSTINIT, 0);
1217
1218	unused(&lml_main);
1219
1220	DBG_CALL(Dbg_util_call_main(mlmp));
1221
1222	rtld_flags |= (RT_FL_OPERATION | RT_FL_APPLIC);
1223
1224	leave(LIST(mlmp), 0);
1225
1226	return (mlmp);
1227}
1228