From 26a029d407be480d791972afb5975cf62c9360a6 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Fri, 19 Apr 2024 02:47:55 +0200
Subject: Adding upstream version 124.0.1.

Signed-off-by: Daniel Baumann
---
 build/unix/elfhack/inject.c | 225 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 225 insertions(+)
 create mode 100644 build/unix/elfhack/inject.c
(limited to 'build/unix/elfhack/inject.c')
diff --git a/build/unix/elfhack/inject.c b/build/unix/elfhack/inject.c
new file mode 100644
index 0000000000..f1a8e36e1c
--- /dev/null
+++ b/build/unix/elfhack/inject.c
@@ -0,0 +1,225 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include
+#include
+#include
+#include
+#include
+
+/* The Android NDK headers define those */
+#undef Elf_Ehdr
+#undef Elf_Addr
+
+#if defined(__LP64__)
+# define Elf_Ehdr Elf64_Ehdr
+# define Elf_Phdr Elf64_Phdr
+# define Elf_Addr Elf64_Addr
+# define Elf_Word Elf64_Word
+# define Elf_Dyn Elf64_Dyn
+#else
+# define Elf_Phdr Elf32_Phdr
+# define Elf_Ehdr Elf32_Ehdr
+# define Elf_Addr Elf32_Addr
+# define Elf_Word Elf32_Word
+# define Elf_Dyn Elf32_Dyn
+#endif
+
+#ifdef RELRHACK
+# include "relrhack.h"
+# define mprotect_cb mprotect
+# define sysconf_cb sysconf
+
+#else
+// On ARM, PC-relative function calls have a limit in how far they can jump,
+// which might not be enough for e.g. libxul.so. The easy way out would be
+// to use the long_call attribute, which forces the compiler to generate code
+// that can call anywhere, but clang doesn't support the attribute yet
+// (https://bugs.llvm.org/show_bug.cgi?id=40623), and while the command-line
+// equivalent does exist, it's currently broken
+// (https://bugs.llvm.org/show_bug.cgi?id=40624). So we create a manual
+// trampoline, corresponding to the code GCC generates with long_call.
+# ifdef __arm__
+__attribute__((section(".text._init_trampoline"), naked)) int init_trampoline(
+ int argc, char** argv, char** env) {
+ __asm__ __volatile__(
+ // thumb doesn't allow to use r12/ip with ldr, and thus would require an
+ // additional push/pop to save/restore the modified register, which would
+ // also change the call into a blx. It's simpler to switch to arm.
+ ".arm\n"
+ " ldr ip, .LADDR\n"
+".LAFTER:\n"
+ " add ip, pc, ip\n"
+ " bx ip\n"
+".LADDR:\n"
+ " .word real_original_init-(.LAFTER+8)\n");
+}
+# endif
+
+// On aarch64, a similar problem exists, but long_call is not an option at all
+// (even GCC doesn't support them on aarch64).
+# ifdef __aarch64__
+__attribute__((section(".text._init_trampoline"), naked)) int init_trampoline(
+ int argc, char** argv, char** env) {
+ __asm__ __volatile__(
+ " adrp x8, .LADDR\n"
+ " add x8, x8, :lo12:.LADDR\n" // adrp + add gives us the full address
+ // for .LADDR
+ " ldr x0, [x8]\n" // Load the address of real_original_init relative to
+ // .LADDR
+ " add x0, x8, x0\n" // Add the address of .LADDR
+ " br x0\n" // Branch to real_original_init
+ ".LADDR:\n"
+ " .xword real_original_init-.LADDR\n");
+}
+# endif
+
+extern __attribute__((visibility("hidden"))) void original_init(int argc,
+ char** argv,
+ char** env);
+
+extern __attribute__((visibility("hidden"))) Elf_Addr relhack[];
+extern __attribute__((visibility("hidden"))) Elf_Addr relhack_end[];
+
+extern __attribute__((visibility("hidden"))) int (*mprotect_cb)(void* addr,
+ size_t len,
+ int prot);
+extern __attribute__((visibility("hidden"))) long (*sysconf_cb)(int name);
+extern __attribute__((visibility("hidden"))) char relro_start[];
+extern __attribute__((visibility("hidden"))) char relro_end[];
+#endif
+
+extern __attribute__((visibility("hidden"))) Elf_Ehdr __ehdr_start;
+
+static inline __attribute__((always_inline)) void do_relocations(
+ Elf_Addr* relhack, Elf_Addr* relhack_end) {
+ Elf_Addr* ptr;
+ for (Elf_Addr* entry = relhack; entry < relhack_end; entry++) {
+ if ((*entry & 1) == 0) {
+ ptr = (Elf_Addr*)((intptr_t)&__ehdr_start + *entry);
+ *ptr += (intptr_t)&__ehdr_start;
+ } else {
+ Elf_Addr bits = *entry;
+ Elf_Addr* end = ptr + 8 * sizeof(Elf_Addr) - 1;
+ do {
+ ptr++;
+ bits >>= 1;
+ if (bits & 1) {
+ *ptr += (intptr_t)&__ehdr_start;
+ }
+ } while (ptr < end);
+ }
+ }
+}
+
+#ifndef RELRHACK
+__attribute__((section(".text._init_noinit"))) int init_noinit(int argc,
+ char** argv,
+ char** env) {
+ do_relocations(relhack, relhack_end);
+ return 0;
+}
+
+__attribute__((section(".text._init"))) int init(int argc, char** argv,
+ char** env) {
+ do_relocations(relhack, relhack_end);
+ original_init(argc, argv, env);
+ // Ensure there is no tail-call optimization, avoiding the use of the
+ // B.W instruction in Thumb for the call above.
+ return 0;
+}
+#endif
+
+static inline __attribute__((always_inline)) void do_relocations_with_relro(
+ Elf_Addr* relhack, Elf_Addr* relhack_end, char* relro_start,
+ char* relro_end) {
+ long page_size = sysconf_cb(_SC_PAGESIZE);
+ uintptr_t aligned_relro_start = ((uintptr_t)relro_start) & ~(page_size - 1);
+ // The relro segment may not end at a page boundary. If that's the case, the
+ // remainder of the page needs to stay read-write, so the last page is never
+ // set read-only. Thus the aligned relro end is page-rounded down.
+ uintptr_t aligned_relro_end = ((uintptr_t)relro_end) & ~(page_size - 1);
+ // By the time the injected code runs, the relro segment is read-only. But
+ // we want to apply relocations in it, so we set it r/w first. We'll restore
+ // it to read-only in relro_post.
+ mprotect_cb((void*)aligned_relro_start,
+ aligned_relro_end - aligned_relro_start, PROT_READ | PROT_WRITE);
+
+ do_relocations(relhack, relhack_end);
+
+ mprotect_cb((void*)aligned_relro_start,
+ aligned_relro_end - aligned_relro_start, PROT_READ);
+#ifndef RELRHACK
+ // mprotect_cb and sysconf_cb are allocated in .bss, so we need to restore
+ // them to a NULL value.
+ mprotect_cb = NULL;
+ sysconf_cb = NULL;
+#endif
+}
+
+#ifndef RELRHACK
+__attribute__((section(".text._init_noinit_relro"))) int init_noinit_relro(
+ int argc, char** argv, char** env) {
+ do_relocations_with_relro(relhack, relhack_end, relro_start, relro_end);
+ return 0;
+}
+
+__attribute__((section(".text._init_relro"))) int init_relro(int argc,
+ char** argv,
+ char** env) {
+ do_relocations_with_relro(relhack, relhack_end, relro_start, relro_end);
+ original_init(argc, argv, env);
+ return 0;
+}
+#else
+
+extern __attribute__((visibility("hidden"))) Elf_Dyn _DYNAMIC[];
+
+static void _relrhack_init(void) {
+ // Get the location of the SHT_RELR data from the PT_DYNAMIC segment.
+ uintptr_t elf_header = (uintptr_t)&__ehdr_start;
+ Elf_Addr* relhack = NULL;
+ Elf_Word size = 0;
+ for (Elf_Dyn* dyn = _DYNAMIC; dyn->d_tag != DT_NULL; dyn++) {
+ if ((dyn->d_tag & ~DT_RELRHACK_BIT) == DT_RELR) {
+ relhack = (Elf_Addr*)(elf_header + dyn->d_un.d_ptr);
+ } else if ((dyn->d_tag & ~DT_RELRHACK_BIT) == DT_RELRSZ) {
+ size = dyn->d_un.d_val;
+ }
+ }
+
+ Elf_Addr* relhack_end = (Elf_Addr*)((uintptr_t)relhack + size);
+
+ // Find the location of the PT_GNU_RELRO segment in the program headers.
+ Elf_Phdr* phdr = (Elf_Phdr*)(elf_header + __ehdr_start.e_phoff);
+ char* relro_start = NULL;
+ char* relro_end = NULL;
+ for (int i = 0; i < __ehdr_start.e_phnum; i++) {
+ if (phdr[i].p_type == PT_GNU_RELRO) {
+ relro_start = (char*)(elf_header + phdr[i].p_vaddr);
+ relro_end = (char*)(relro_start + phdr[i].p_memsz);
+ break;
+ }
+ }
+
+ if (relro_start != relro_end) {
+ do_relocations_with_relro(relhack, relhack_end, relro_start, relro_end);
+ } else {
+ do_relocations(relhack, relhack_end);
+ }
+}
+
+// The Android CRT doesn't contain an init function.
+# ifndef ANDROID
+extern __attribute__((visibility("hidden"))) void _init(int argc, char** argv,
+ char** env);
+# endif
+
+void _relrhack_wrap_init(int argc, char** argv, char** env) {
+ _relrhack_init();
+# ifndef ANDROID
+ _init(argc, argv, env);
+# endif
+}
+#endif
-- cgit v1.2.3
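Review bot: In `do_relocations`, `ptr` is declared without an initializer and is advanced and dereferenced in the bitmap (odd-entry) branch, so the loop appears to rely on the table starting with an even address entry and on every bitmap entry following an address; a malformed table reads an indeterminate pointer instead of faulting in a predictable place. Suggest `Elf_Addr* ptr = NULL;` plus a comment above the loop such as `// Even entry: address to relocate. Odd entry: bitmap for the 8*sizeof(Elf_Addr)-1 words after the last address.` so the invariant the code depends on is visible. The comment in `do_relocations_with_relro` saying the segment is restored `in relro_post` is stale — the restore is the second `mprotect_cb` call a few lines below in the same function — and should read `// it to read-only once do_relocations has run.`. Neither `sysconf_cb` nor the two `mprotect_cb` calls have their result checked: a `-1` from `sysconf_cb` makes the mask `~(-2)`, i.e. `1`, and the mprotect range garbage, while a refused `PROT_WRITE` leaves RELRO read-only so the following writes fault; there is no error channel this early, but a one-line comment stating that failure here is expected to crash rather than be reported would save the next reader the question.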