1	/* Map in a shared object's segments from the file.
2	Copyright (C) 1995-2022 Free Software Foundation, Inc.
3	Copyright The GNU Toolchain Authors.
4	This file is part of the GNU C Library.
5
6	The GNU C Library is free software; you can redistribute it and/or
7	modify it under the terms of the GNU Lesser General Public
8	License as published by the Free Software Foundation; either
9	version 2.1 of the License, or (at your option) any later version.
10
11	The GNU C Library is distributed in the hope that it will be useful,
12	but WITHOUT ANY WARRANTY; without even the implied warranty of
13	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14	Lesser General Public License for more details.
15
16	You should have received a copy of the GNU Lesser General Public
17	License along with the GNU C Library; if not, see
18	<https://www.gnu.org/licenses/>. */
19
20	#include <elf.h>
21	#include <errno.h>
22	#include <fcntl.h>
23	#include <libintl.h>
24	#include <stdbool.h>
25	#include <stdlib.h>
26	#include <string.h>
27	#include <unistd.h>
28	#include <ldsodefs.h>
29	#include <bits/wordsize.h>
30	#include <sys/mman.h>
31	#include <sys/param.h>
32	#include <sys/stat.h>
33	#include <sys/types.h>
34	#include <gnu/lib-names.h>
35
36	/* Type for the buffer we put the ELF header and hopefully the program
37	header. This buffer does not really have to be too large. In most
38	cases the program header follows the ELF header directly. If this
39	is not the case all bets are off and we can make the header
40	arbitrarily large and still won't get it read. This means the only
41	question is how large are the ELF and program header combined. The
42	ELF header 32-bit files is 52 bytes long and in 64-bit files is 64
43	bytes long. Each program header entry is again 32 and 56 bytes
44	long respectively. I.e., even with a file which has 10 program
45	header entries we only have to read 372B/624B respectively. Add to
46	this a bit of margin for program notes and reading 512B and 832B
47	for 32-bit and 64-bit files respecitvely is enough. If this
48	heuristic should really fail for some file the code in
49	`_dl_map_object_from_fd' knows how to recover. */
50	struct filebuf
51	{
52	ssize_t len;
53	#if __WORDSIZE == 32
54	# define FILEBUF_SIZE 512
55	#else
56	# define FILEBUF_SIZE 832
57	#endif
58	char buf[FILEBUF_SIZE] __attribute__ ((aligned (__alignof (ElfW(Ehdr)))));
59	};
60
61	#include "dynamic-link.h"
62	#include "get-dynamic-info.h"
63	#include <abi-tag.h>
64	#include <stackinfo.h>
65	#include <sysdep.h>
66	#include <stap-probe.h>
67	#include <libc-pointer-arith.h>
68	#include <array_length.h>
69
70	#include <dl-dst.h>
71	#include <dl-load.h>
72	#include <dl-map-segments.h>
73	#include <dl-unmap-segments.h>
74	#include <dl-machine-reject-phdr.h>
75	#include <dl-sysdep-open.h>
76	#include <dl-prop.h>
77	#include <not-cancel.h>
78
79	#include <endian.h>
80	#if BYTE_ORDER == BIG_ENDIAN
81	# define byteorder ELFDATA2MSB
82	#elif BYTE_ORDER == LITTLE_ENDIAN
83	# define byteorder ELFDATA2LSB
84	#else
85	# error "Unknown BYTE_ORDER " BYTE_ORDER
86	# define byteorder ELFDATANONE
87	#endif
88
89	#define STRING(x) __STRING (x)
90
91
92	int __stack_prot attribute_hidden attribute_relro
93	#if _STACK_GROWS_DOWN && defined PROT_GROWSDOWN
94	= PROT_GROWSDOWN;
95	#elif _STACK_GROWS_UP && defined PROT_GROWSUP
96	= PROT_GROWSUP;
97	#else
98	= 0;
99	#endif
100
101
102	/* This is the decomposed LD_LIBRARY_PATH search path. */
103	struct r_search_path_struct __rtld_env_path_list attribute_relro;
104
105	/* List of the hardware capabilities we might end up using. */
106	#ifdef SHARED
107	static const struct r_strlenpair *capstr attribute_relro;
108	static size_t ncapstr attribute_relro;
109	static size_t max_capstrlen attribute_relro;
110	#else
111	enum { ncapstr = 1, max_capstrlen = 0 };
112	#endif
113
114
115	/* Get the generated information about the trusted directories. Use
116	an array of concatenated strings to avoid relocations. See
117	gen-trusted-dirs.awk. */
118	#include "trusted-dirs.h"
119
120	static const char system_dirs[] = SYSTEM_DIRS;
121	static const size_t system_dirs_len[] =
122	{
123	SYSTEM_DIRS_LEN
124	};
125	#define nsystem_dirs_len array_length (system_dirs_len)
126
127	static bool
128	is_trusted_path_normalize (const char *path, size_t len)
129	{
130	if (len == 0)
131	return false;
132
133	char *npath = (char *) alloca (len + 2);
134	char *wnp = npath;
135	while (*path != '\0')
136	{
137	if (path[0] == '/')
138	{
139	if (path[1] == '.')
140	{
141	if (path[2] == '.' && (path[3] == '/' || path[3] == '\0'))
142	{
143	while (wnp > npath && *--wnp != '/')
144	;
145	path += 3;
146	continue;
147	}
148	else if (path[2] == '/' || path[2] == '\0')
149	{
150	path += 2;
151	continue;
152	}
153	}
154
155	if (wnp > npath && wnp[-1] == '/')
156	{
157	++path;
158	continue;
159	}
160	}
161
162	*wnp++ = *path++;
163	}
164
165	if (wnp == npath || wnp[-1] != '/')
166	*wnp++ = '/';
167
168	const char *trun = system_dirs;
169
170	for (size_t idx = 0; idx < nsystem_dirs_len; ++idx)
171	{
172	if (wnp - npath >= system_dirs_len[idx]
173	&& memcmp (trun, npath, system_dirs_len[idx]) == 0)
174	/* Found it. */
175	return true;
176
177	trun += system_dirs_len[idx] + 1;
178	}
179
180	return false;
181	}
182
183	/* Given a substring starting at INPUT, just after the DST '$' start
184	token, determine if INPUT contains DST token REF, following the
185	ELF gABI rules for DSTs:
186
187	* Longest possible sequence using the rules (greedy).
188
189	* Must start with a $ (enforced by caller).
190
191	* Must follow $ with one underscore or ASCII [A-Za-z] (caller
192	follows these rules for REF) or '{' (start curly quoted name).
193
194	* Must follow first two characters with zero or more [A-Za-z0-9_]
195	(enforced by caller) or '}' (end curly quoted name).
196
197	If the sequence is a DST matching REF then the length of the DST
198	(excluding the $ sign but including curly braces, if any) is
199	returned, otherwise 0. */
200	static size_t
201	is_dst (const char *input, const char *ref)
202	{
203	bool is_curly = false;
204
205	/* Is a ${...} input sequence? */
206	if (input[0] == '{')
207	{
208	is_curly = true;
209	++input;
210	}
211
212	/* Check for matching name, following closing curly brace (if
213	required), or trailing characters which are part of an
214	identifier. */
215	size_t rlen = strlen (ref);
216	if (strncmp (input, ref, rlen) != 0
217	|| (is_curly && input[rlen] != '}')
218	|| ((input[rlen] >= 'A' && input[rlen] <= 'Z')
219	|| (input[rlen] >= 'a' && input[rlen] <= 'z')
220	|| (input[rlen] >= '0' && input[rlen] <= '9')
221	|| (input[rlen] == '_')))
222	return 0;
223
224	if (is_curly)
225	/* Count the two curly braces. */
226	return rlen + 2;
227	else
228	return rlen;
229	}
230
231	/* INPUT should be the start of a path e.g DT_RPATH or name e.g.
232	DT_NEEDED. The return value is the number of known DSTs found. We
233	count all known DSTs regardless of __libc_enable_secure; the caller
234	is responsible for enforcing the security of the substitution rules
235	(usually _dl_dst_substitute). */
236	size_t
237	_dl_dst_count (const char *input)
238	{
239	size_t cnt = 0;
240
241	input = strchr (input, '$');
242
243	/* Most likely there is no DST. */
244	if (__glibc_likely (input == NULL))
245	return 0;
246
247	do
248	{
249	size_t len;
250
251	++input;
252	/* All DSTs must follow ELF gABI rules, see is_dst (). */
253	if ((len = is_dst (input, ref: "ORIGIN")) != 0
254	|| (len = is_dst (input, ref: "PLATFORM")) != 0
255	|| (len = is_dst (input, ref: "LIB")) != 0)
256	++cnt;
257
258	/* There may be more than one DST in the input. */
259	input = strchr (input + len, '$');
260	}
261	while (input != NULL);
262
263	return cnt;
264	}
265
266	/* Process INPUT for DSTs and store in RESULT using the information
267	from link map L to resolve the DSTs. This function only handles one
268	path at a time and does not handle colon-separated path lists (see
269	fillin_rpath ()). Lastly the size of result in bytes should be at
270	least equal to the value returned by DL_DST_REQUIRED. Note that it
271	is possible for a DT_NEEDED, DT_AUXILIARY, and DT_FILTER entries to
272	have colons, but we treat those as literal colons here, not as path
273	list delimeters. */
274	char *
275	_dl_dst_substitute (struct link_map *l, const char *input, char *result)
276	{
277	/* Copy character-by-character from input into the working pointer
278	looking for any DSTs. We track the start of input and if we are
279	going to check for trusted paths, all of which are part of $ORIGIN
280	handling in SUID/SGID cases (see below). In some cases, like when
281	a DST cannot be replaced, we may set result to an empty string and
282	return. */
283	char *wp = result;
284	const char *start = input;
285	bool check_for_trusted = false;
286
287	do
288	{
289	if (__glibc_unlikely (*input == '$'))
290	{
291	const char *repl = NULL;
292	size_t len;
293
294	++input;
295	if ((len = is_dst (input, ref: "ORIGIN")) != 0)
296	{
297	/* For SUID/GUID programs we normally ignore the path with
298	$ORIGIN in DT_RUNPATH, or DT_RPATH. However, there is
299	one exception to this rule, and it is:
300
301	* $ORIGIN appears as the first path element, and is
302	the only string in the path or is immediately
303	followed by a path separator and the rest of the
304	path,
305
306	and ...
307
308	* The path is rooted in a trusted directory.
309
310	This exception allows such programs to reference
311	shared libraries in subdirectories of trusted
312	directories. The use case is one of general
313	organization and deployment flexibility.
314	Trusted directories are usually such paths as "/lib64"
315	or "/usr/lib64", and the usual RPATHs take the form of
316	[$ORIGIN/../$LIB/somedir]. */
317	if (__glibc_unlikely (__libc_enable_secure)
318	&& !(input == start + 1
319	&& (input[len] == '\0' || input[len] == '/')))
320	repl = (const char *) -1;
321	else
322	repl = l->l_origin;
323
324	check_for_trusted = (__libc_enable_secure
325	&& l->l_type == lt_executable);
326	}
327	else if ((len = is_dst (input, ref: "PLATFORM")) != 0)
328	repl = GLRO(dl_platform);
329	else if ((len = is_dst (input, ref: "LIB")) != 0)
330	repl = DL_DST_LIB;
331
332	if (repl != NULL && repl != (const char *) -1)
333	{
334	wp = __stpcpy (wp, repl);
335	input += len;
336	}
337	else if (len != 0)
338	{
339	/* We found a valid DST that we know about, but we could
340	not find a replacement value for it, therefore we
341	cannot use this path and discard it. */
342	*result = '\0';
343	return result;
344	}
345	else
346	/* No DST we recognize. */
347	*wp++ = '$';
348	}
349	else
350	{
351	*wp++ = *input++;
352	}
353	}
354	while (*input != '\0');
355
356	/* In SUID/SGID programs, after $ORIGIN expansion the normalized
357	path must be rooted in one of the trusted directories. The $LIB
358	and $PLATFORM DST cannot in any way be manipulated by the caller
359	because they are fixed values that are set by the dynamic loader
360	and therefore any paths using just $LIB or $PLATFORM need not be
361	checked for trust, the authors of the binaries themselves are
362	trusted to have designed this correctly. Only $ORIGIN is tested in
363	this way because it may be manipulated in some ways with hard
364	links. */
365	if (__glibc_unlikely (check_for_trusted)
366	&& !is_trusted_path_normalize (path: result, len: wp - result))
367	{
368	*result = '\0';
369	return result;
370	}
371
372	*wp = '\0';
373
374	return result;
375	}
376
377
378	/* Return a malloc allocated copy of INPUT with all recognized DSTs
379	replaced. On some platforms it might not be possible to determine the
380	path from which the object belonging to the map is loaded. In this
381	case the path containing the DST is left out. On error NULL
382	is returned. */
383	static char *
384	expand_dynamic_string_token (struct link_map *l, const char *input)
385	{
386	/* We make two runs over the string. First we determine how large the
387	resulting string is and then we copy it over. Since this is no
388	frequently executed operation we are looking here not for performance
389	but rather for code size. */
390	size_t cnt;
391	size_t total;
392	char *result;
393
394	/* Determine the number of DSTs. */
395	cnt = _dl_dst_count (input);
396
397	/* If we do not have to replace anything simply copy the string. */
398	if (__glibc_likely (cnt == 0))
399	return __strdup (input);
400
401	/* Determine the length of the substituted string. */
402	total = DL_DST_REQUIRED (l, input, strlen (input), cnt);
403
404	/* Allocate the necessary memory. */
405	result = (char *) malloc (size: total + 1);
406	if (result == NULL)
407	return NULL;
408
409	return _dl_dst_substitute (l, input, result);
410	}
411
412
413	/* Add `name' to the list of names for a particular shared object.
414	`name' is expected to have been allocated with malloc and will
415	be freed if the shared object already has this name.
416	Returns false if the object already had this name. */
417	static void
418	add_name_to_object (struct link_map *l, const char *name)
419	{
420	struct libname_list *lnp, *lastp;
421	struct libname_list *newname;
422	size_t name_len;
423
424	lastp = NULL;
425	for (lnp = l->l_libname; lnp != NULL; lastp = lnp, lnp = lnp->next)
426	if (strcmp (name, lnp->name) == 0)
427	return;
428
429	name_len = strlen (name) + 1;
430	newname = (struct libname_list *) malloc (size: sizeof *newname + name_len);
431	if (newname == NULL)
432	{
433	/* No more memory. */
434	_dl_signal_error (ENOMEM, name, NULL, N_("cannot allocate name record"));
435	return;
436	}
437	/* The object should have a libname set from _dl_new_object. */
438	assert (lastp != NULL);
439
440	newname->name = memcpy (newname + 1, name, name_len);
441	newname->next = NULL;
442	newname->dont_free = 0;
443	/* CONCURRENCY NOTES:
444
445	Make sure the initialization of newname happens before its address is
446	read from the lastp->next store below.
447
448	GL(dl_load_lock) is held here (and by other writers, e.g. dlclose), so
449	readers of libname_list->next (e.g. _dl_check_caller or the reads above)
450	can use that for synchronization, however the read in _dl_name_match_p
451	may be executed without holding the lock during _dl_runtime_resolve
452	(i.e. lazy symbol resolution when a function of library l is called).
453
454	The release MO store below synchronizes with the acquire MO load in
455	_dl_name_match_p. Other writes need to synchronize with that load too,
456	however those happen either early when the process is single threaded
457	(dl_main) or when the library is unloaded (dlclose) and the user has to
458	synchronize library calls with unloading. */
459	atomic_store_release (&lastp->next, newname);
460	}
461
462	/* Standard search directories. */
463	struct r_search_path_struct __rtld_search_dirs attribute_relro;
464
465	static size_t max_dirnamelen;
466
467	static struct r_search_path_elem **
468	fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
469	const char *what, const char *where, struct link_map *l)
470	{
471	char *cp;
472	size_t nelems = 0;
473
474	while ((cp = __strsep (&rpath, sep)) != NULL)
475	{
476	struct r_search_path_elem *dirp;
477	char *to_free = NULL;
478	size_t len = 0;
479
480	/* `strsep' can pass an empty string. */
481	if (*cp != '\0')
482	{
483	to_free = cp = expand_dynamic_string_token (l, input: cp);
484
485	/* expand_dynamic_string_token can return NULL in case of empty
486	path or memory allocation failure. */
487	if (cp == NULL)
488	continue;
489
490	/* Compute the length after dynamic string token expansion and
491	ignore empty paths. */
492	len = strlen (cp);
493	if (len == 0)
494	{
495	free (ptr: to_free);
496	continue;
497	}
498
499	/* Remove trailing slashes (except for "/"). */
500	while (len > 1 && cp[len - 1] == '/')
501	--len;
502
503	/* Now add one if there is none so far. */
504	if (len > 0 && cp[len - 1] != '/')
505	cp[len++] = '/';
506	}
507
508	/* See if this directory is already known. */
509	for (dirp = GL(dl_all_dirs); dirp != NULL; dirp = dirp->next)
510	if (dirp->dirnamelen == len && memcmp (cp, dirp->dirname, len) == 0)
511	break;
512
513	if (dirp != NULL)
514	{
515	/* It is available, see whether it's on our own list. */
516	size_t cnt;
517	for (cnt = 0; cnt < nelems; ++cnt)
518	if (result[cnt] == dirp)
519	break;
520
521	if (cnt == nelems)
522	result[nelems++] = dirp;
523	}
524	else
525	{
526	size_t cnt;
527	enum r_dir_status init_val;
528	size_t where_len = where ? strlen (where) + 1 : 0;
529
530	/* It's a new directory. Create an entry and add it. */
531	dirp = (struct r_search_path_elem *)
532	malloc (size: sizeof (*dirp) + ncapstr * sizeof (enum r_dir_status)
533	+ where_len + len + 1);
534	if (dirp == NULL)
535	_dl_signal_error (ENOMEM, NULL, NULL,
536	N_("cannot create cache for search path"));
537
538	dirp->dirname = ((char *) dirp + sizeof (*dirp)
539	+ ncapstr * sizeof (enum r_dir_status));
540	*((char *) __mempcpy ((char *) dirp->dirname, cp, len)) = '\0';
541	dirp->dirnamelen = len;
542
543	if (len > max_dirnamelen)
544	max_dirnamelen = len;
545
546	/* We have to make sure all the relative directories are
547	never ignored. The current directory might change and
548	all our saved information would be void. */
549	init_val = cp[0] != '/' ? existing : unknown;
550	for (cnt = 0; cnt < ncapstr; ++cnt)
551	dirp->status[cnt] = init_val;
552
553	dirp->what = what;
554	if (__glibc_likely (where != NULL))
555	dirp->where = memcpy ((char *) dirp + sizeof (*dirp) + len + 1
556	+ (ncapstr * sizeof (enum r_dir_status)),
557	where, where_len);
558	else
559	dirp->where = NULL;
560
561	dirp->next = GL(dl_all_dirs);
562	GL(dl_all_dirs) = dirp;
563
564	/* Put it in the result array. */
565	result[nelems++] = dirp;
566	}
567	free (ptr: to_free);
568	}
569
570	/* Terminate the array. */
571	result[nelems] = NULL;
572
573	return result;
574	}
575
576
577	static bool
578	decompose_rpath (struct r_search_path_struct *sps,
579	const char *rpath, struct link_map *l, const char *what)
580	{
581	/* Make a copy we can work with. */
582	const char *where = l->l_name;
583	char *cp;
584	struct r_search_path_elem **result;
585	size_t nelems;
586	/* Initialize to please the compiler. */
587	const char *errstring = NULL;
588
589	/* First see whether we must forget the RUNPATH and RPATH from this
590	object. */
591	if (__glibc_unlikely (GLRO(dl_inhibit_rpath) != NULL)
592	&& !__libc_enable_secure)
593	{
594	const char *inhp = GLRO(dl_inhibit_rpath);
595
596	do
597	{
598	const char *wp = where;
599
600	while (*inhp == *wp && *wp != '\0')
601	{
602	++inhp;
603	++wp;
604	}
605
606	if (*wp == '\0' && (*inhp == '\0' || *inhp == ':'))
607	{
608	/* This object is on the list of objects for which the
609	RUNPATH and RPATH must not be used. */
610	sps->dirs = (void *) -1;
611	return false;
612	}
613
614	while (*inhp != '\0')
615	if (*inhp++ == ':')
616	break;
617	}
618	while (*inhp != '\0');
619	}
620
621	/* Ignore empty rpaths. */
622	if (*rpath == '\0')
623	{
624	sps->dirs = (struct r_search_path_elem **) -1;
625	return false;
626	}
627
628	/* Make a writable copy. */
629	char *copy = __strdup (rpath);
630	if (copy == NULL)
631	{
632	errstring = N_("cannot create RUNPATH/RPATH copy");
633	goto signal_error;
634	}
635
636	/* Count the number of necessary elements in the result array. */
637	nelems = 0;
638	for (cp = copy; *cp != '\0'; ++cp)
639	if (*cp == ':')
640	++nelems;
641
642	/* Allocate room for the result. NELEMS + 1 is an upper limit for the
643	number of necessary entries. */
644	result = (struct r_search_path_elem **) malloc (size: (nelems + 1 + 1)
645	* sizeof (*result));
646	if (result == NULL)
647	{
648	free (ptr: copy);
649	errstring = N_("cannot create cache for search path");
650	signal_error:
651	_dl_signal_error (ENOMEM, NULL, NULL, errstring);
652	}
653
654	fillin_rpath (rpath: copy, result, sep: ":", what, where, l);
655
656	/* Free the copied RPATH string. `fillin_rpath' make own copies if
657	necessary. */
658	free (ptr: copy);
659
660	/* There is no path after expansion. */
661	if (result[0] == NULL)
662	{
663	free (ptr: result);
664	sps->dirs = (struct r_search_path_elem **) -1;
665	return false;
666	}
667
668	sps->dirs = result;
669	/* The caller will change this value if we haven't used a real malloc. */
670	sps->malloced = 1;
671	return true;
672	}
673
674	/* Make sure cached path information is stored in *SP
675	and return true if there are any paths to search there. */
676	static bool
677	cache_rpath (struct link_map *l,
678	struct r_search_path_struct *sp,
679	int tag,
680	const char *what)
681	{
682	if (sp->dirs == (void *) -1)
683	return false;
684
685	if (sp->dirs != NULL)
686	return true;
687
688	if (l->l_info[tag] == NULL)
689	{
690	/* There is no path. */
691	sp->dirs = (void *) -1;
692	return false;
693	}
694
695	/* Make sure the cache information is available. */
696	return decompose_rpath (sps: sp, rpath: (const char *) (D_PTR (l, l_info[DT_STRTAB])
697	+ l->l_info[tag]->d_un.d_val),
698	l, what);
699	}
700
701
702	void
703	_dl_init_paths (const char *llp, const char *source,
704	const char *glibc_hwcaps_prepend,
705	const char *glibc_hwcaps_mask)
706	{
707	size_t idx;
708	const char *strp;
709	struct r_search_path_elem *pelem, **aelem;
710	size_t round_size;
711	struct link_map __attribute__ ((unused)) *l = NULL;
712	/* Initialize to please the compiler. */
713	const char *errstring = NULL;
714
715	/* Fill in the information about the application's RPATH and the
716	directories addressed by the LD_LIBRARY_PATH environment variable. */
717
718	#ifdef SHARED
719	/* Get the capabilities. */
720	capstr = _dl_important_hwcaps (glibc_hwcaps_prepend, glibc_hwcaps_mask,
721	&ncapstr, &max_capstrlen);
722	#endif
723
724	/* First set up the rest of the default search directory entries. */
725	aelem = __rtld_search_dirs.dirs = (struct r_search_path_elem **)
726	malloc ((nsystem_dirs_len + 1) * sizeof (struct r_search_path_elem *));
727	if (__rtld_search_dirs.dirs == NULL)
728	{
729	errstring = N_("cannot create search path array");
730	signal_error:
731	_dl_signal_error (ENOMEM, NULL, NULL, errstring);
732	}
733
734	round_size = ((2 * sizeof (struct r_search_path_elem) - 1
735	+ ncapstr * sizeof (enum r_dir_status))
736	/ sizeof (struct r_search_path_elem));
737
738	__rtld_search_dirs.dirs[0]
739	= malloc (nsystem_dirs_len * round_size
740	* sizeof (*__rtld_search_dirs.dirs[0]));
741	if (__rtld_search_dirs.dirs[0] == NULL)
742	{
743	errstring = N_("cannot create cache for search path");
744	goto signal_error;
745	}
746
747	__rtld_search_dirs.malloced = 0;
748	pelem = GL(dl_all_dirs) = __rtld_search_dirs.dirs[0];
749	strp = system_dirs;
750	idx = 0;
751
752	do
753	{
754	size_t cnt;
755
756	*aelem++ = pelem;
757
758	pelem->what = "system search path";
759	pelem->where = NULL;
760
761	pelem->dirname = strp;
762	pelem->dirnamelen = system_dirs_len[idx];
763	strp += system_dirs_len[idx] + 1;
764
765	/* System paths must be absolute. */
766	assert (pelem->dirname[0] == '/');
767	for (cnt = 0; cnt < ncapstr; ++cnt)
768	pelem->status[cnt] = unknown;
769
770	pelem->next = (++idx == nsystem_dirs_len ? NULL : (pelem + round_size));
771
772	pelem += round_size;
773	}
774	while (idx < nsystem_dirs_len);
775
776	max_dirnamelen = SYSTEM_DIRS_MAX_LEN;
777	*aelem = NULL;
778
779	/* This points to the map of the main object. If there is no main
780	object (e.g., under --help, use the dynamic loader itself as a
781	stand-in. */
782	l = GL(dl_ns)[LM_ID_BASE]._ns_loaded;
783	#ifdef SHARED
784	if (l == NULL)
785	l = &GL (dl_rtld_map);
786	#endif
787	assert (l->l_type != lt_loaded);
788
789	if (l->l_info[DT_RUNPATH])
790	{
791	/* Allocate room for the search path and fill in information
792	from RUNPATH. */
793	decompose_rpath (sps: &l->l_runpath_dirs,
794	rpath: (const void *) (D_PTR (l, l_info[DT_STRTAB])
795	+ l->l_info[DT_RUNPATH]->d_un.d_val),
796	l, what: "RUNPATH");
797	/* During rtld init the memory is allocated by the stub malloc,
798	prevent any attempt to free it by the normal malloc. */
799	l->l_runpath_dirs.malloced = 0;
800
801	/* The RPATH is ignored. */
802	l->l_rpath_dirs.dirs = (void *) -1;
803	}
804	else
805	{
806	l->l_runpath_dirs.dirs = (void *) -1;
807
808	if (l->l_info[DT_RPATH])
809	{
810	/* Allocate room for the search path and fill in information
811	from RPATH. */
812	decompose_rpath (sps: &l->l_rpath_dirs,
813	rpath: (const void *) (D_PTR (l, l_info[DT_STRTAB])
814	+ l->l_info[DT_RPATH]->d_un.d_val),
815	l, what: "RPATH");
816	/* During rtld init the memory is allocated by the stub
817	malloc, prevent any attempt to free it by the normal
818	malloc. */
819	l->l_rpath_dirs.malloced = 0;
820	}
821	else
822	l->l_rpath_dirs.dirs = (void *) -1;
823	}
824
825	if (llp != NULL && *llp != '\0')
826	{
827	char *llp_tmp = strdupa (llp);
828
829	/* Decompose the LD_LIBRARY_PATH contents. First determine how many
830	elements it has. */
831	size_t nllp = 1;
832	for (const char *cp = llp_tmp; *cp != '\0'; ++cp)
833	if (*cp == ':' || *cp == ';')
834	++nllp;
835
836	__rtld_env_path_list.dirs = (struct r_search_path_elem **)
837	malloc (size: (nllp + 1) * sizeof (struct r_search_path_elem *));
838	if (__rtld_env_path_list.dirs == NULL)
839	{
840	errstring = N_("cannot create cache for search path");
841	goto signal_error;
842	}
843
844	(void) fillin_rpath (rpath: llp_tmp, result: __rtld_env_path_list.dirs, sep: ":;",
845	what: source, NULL, l);
846
847	if (__rtld_env_path_list.dirs[0] == NULL)
848	{
849	free (ptr: __rtld_env_path_list.dirs);
850	__rtld_env_path_list.dirs = (void *) -1;
851	}
852
853	__rtld_env_path_list.malloced = 0;
854	}
855	else
856	__rtld_env_path_list.dirs = (void *) -1;
857	}
858
859
860	/* Process PT_GNU_PROPERTY program header PH in module L after
861	PT_LOAD segments are mapped. Only one NT_GNU_PROPERTY_TYPE_0
862	note is handled which contains processor specific properties.
863	FD is -1 for the kernel mapped main executable otherwise it is
864	the fd used for loading module L. */
865
866	void
867	_dl_process_pt_gnu_property (struct link_map *l, int fd, const ElfW(Phdr) *ph)
868	{
869	const ElfW(Nhdr) *note = (const void *) (ph->p_vaddr + l->l_addr);
870	const ElfW(Addr) size = ph->p_memsz;
871	const ElfW(Addr) align = ph->p_align;
872
873	/* The NT_GNU_PROPERTY_TYPE_0 note must be aligned to 4 bytes in
874	32-bit objects and to 8 bytes in 64-bit objects. Skip notes
875	with incorrect alignment. */
876	if (align != (__ELF_NATIVE_CLASS / 8))
877	return;
878
879	const ElfW(Addr) start = (ElfW(Addr)) note;
880	unsigned int last_type = 0;
881
882	while ((ElfW(Addr)) (note + 1) - start < size)
883	{
884	/* Find the NT_GNU_PROPERTY_TYPE_0 note. */
885	if (note->n_namesz == 4
886	&& note->n_type == NT_GNU_PROPERTY_TYPE_0
887	&& memcmp (note + 1, "GNU", 4) == 0)
888	{
889	/* Check for invalid property. */
890	if (note->n_descsz < 8
891	|| (note->n_descsz % sizeof (ElfW(Addr))) != 0)
892	return;
893
894	/* Start and end of property array. */
895	unsigned char *ptr = (unsigned char *) (note + 1) + 4;
896	unsigned char *ptr_end = ptr + note->n_descsz;
897
898	do
899	{
900	unsigned int type = *(unsigned int *) ptr;
901	unsigned int datasz = *(unsigned int *) (ptr + 4);
902
903	/* Property type must be in ascending order. */
904	if (type < last_type)
905	return;
906
907	ptr += 8;
908	if ((ptr + datasz) > ptr_end)
909	return;
910
911	last_type = type;
912
913	/* Target specific property processing. */
914	if (_dl_process_gnu_property (l, fd, type, datasz, data: ptr) == 0)
915	return;
916
917	/* Check the next property item. */
918	ptr += ALIGN_UP (datasz, sizeof (ElfW(Addr)));
919	}
920	while ((ptr_end - ptr) >= 8);
921
922	/* Only handle one NT_GNU_PROPERTY_TYPE_0. */
923	return;
924	}
925
926	note = ((const void *) note
927	+ ELF_NOTE_NEXT_OFFSET (note->n_namesz, note->n_descsz,
928	align));
929	}
930	}
931
932
933	/* Map in the shared object NAME, actually located in REALNAME, and already
934	opened on FD. */
935
936	#ifndef EXTERNAL_MAP_FROM_FD
937	static
938	#endif
939	struct link_map *
940	_dl_map_object_from_fd (const char *name, const char *origname, int fd,
941	struct filebuf *fbp, char *realname,
942	struct link_map *loader, int l_type, int mode,
943	void **stack_endp, Lmid_t nsid)
944	{
945	struct link_map *l = NULL;
946	const ElfW(Ehdr) *header;
947	const ElfW(Phdr) *phdr;
948	const ElfW(Phdr) *ph;
949	size_t maplength;
950	int type;
951	/* Initialize to keep the compiler happy. */
952	const char *errstring = NULL;
953	int errval = 0;
954	struct r_debug *r = _dl_debug_update (ns: nsid);
955	bool make_consistent = false;
956
957	/* Get file information. To match the kernel behavior, do not fill
958	in this information for the executable in case of an explicit
959	loader invocation. */
960	struct r_file_id id;
961	if (mode & __RTLD_OPENEXEC)
962	{
963	assert (nsid == LM_ID_BASE);
964	memset (&id, 0, sizeof (id));
965	}
966	else
967	{
968	if (__glibc_unlikely (!_dl_get_file_id (fd, &id)))
969	{
970	errstring = N_("cannot stat shared object");
971	lose_errno:
972	errval = errno;
973	lose:
974	/* The file might already be closed. */
975	if (fd != -1)
976	__close_nocancel (fd);
977	if (l != NULL && l->l_map_start != 0)
978	_dl_unmap_segments (l);
979	if (l != NULL && l->l_origin != (char *) -1l)
980	free (ptr: (char *) l->l_origin);
981	if (l != NULL && !l->l_libname->dont_free)
982	free (ptr: l->l_libname);
983	if (l != NULL && l->l_phdr_allocated)
984	free (ptr: (void *) l->l_phdr);
985	free (ptr: l);
986	free (ptr: realname);
987
988	if (make_consistent && r != NULL)
989	{
990	r->r_state = RT_CONSISTENT;
991	_dl_debug_state ();
992	LIBC_PROBE (map_failed, 2, nsid, r);
993	}
994
995	_dl_signal_error (errval, name, NULL, errstring);
996	}
997
998	/* Look again to see if the real name matched another already loaded. */
999	for (l = GL(dl_ns)[nsid]._ns_loaded; l != NULL; l = l->l_next)
1000	if (!l->l_removed && _dl_file_id_match_p (a: &l->l_file_id, b: &id))
1001	{
1002	/* The object is already loaded.
1003	Just bump its reference count and return it. */
1004	__close_nocancel (fd);
1005
1006	/* If the name is not in the list of names for this object add
1007	it. */
1008	free (ptr: realname);
1009	add_name_to_object (l, name);
1010
1011	return l;
1012	}
1013	}
1014
1015	#ifdef SHARED
1016	/* When loading into a namespace other than the base one we must
1017	avoid loading ld.so since there can only be one copy. Ever. */
1018	if (__glibc_unlikely (nsid != LM_ID_BASE)
1019	&& (_dl_file_id_match_p (&id, &GL(dl_rtld_map).l_file_id)
1020	|| _dl_name_match_p (name, &GL(dl_rtld_map))))
1021	{
1022	/* This is indeed ld.so. Create a new link_map which refers to
1023	the real one for almost everything. */
1024	l = _dl_new_object (realname, name, l_type, loader, mode, nsid);
1025	if (l == NULL)
1026	goto fail_new;
1027
1028	/* Refer to the real descriptor. */
1029	l->l_real = &GL(dl_rtld_map);
1030
1031	/* Copy l_addr and l_ld to avoid a GDB warning with dlmopen(). */
1032	l->l_addr = l->l_real->l_addr;
1033	l->l_ld = l->l_real->l_ld;
1034
1035	/* No need to bump the refcount of the real object, ld.so will
1036	never be unloaded. */
1037	__close_nocancel (fd);
1038
1039	/* Add the map for the mirrored object to the object list. */
1040	_dl_add_to_namespace_list (l, nsid);
1041
1042	return l;
1043	}
1044	#endif
1045
1046	if (mode & RTLD_NOLOAD)
1047	{
1048	/* We are not supposed to load the object unless it is already
1049	loaded. So return now. */
1050	free (ptr: realname);
1051	__close_nocancel (fd);
1052	return NULL;
1053	}
1054
1055	/* Print debugging message. */
1056	if (__glibc_unlikely (GLRO(dl_debug_mask) & DL_DEBUG_FILES))
1057	_dl_debug_printf (fmt: "file=%s [%lu]; generating link map\n", name, nsid);
1058
1059	/* This is the ELF header. We read it in `open_verify'. */
1060	header = (void *) fbp->buf;
1061
1062	/* Enter the new object in the list of loaded objects. */
1063	l = _dl_new_object (realname, libname: name, type: l_type, loader, mode, nsid);
1064	if (__glibc_unlikely (l == NULL))
1065	{
1066	#ifdef SHARED
1067	fail_new:
1068	#endif
1069	errstring = N_("cannot create shared object descriptor");
1070	goto lose_errno;
1071	}
1072
1073	/* Extract the remaining details we need from the ELF header
1074	and then read in the program header table. */
1075	l->l_entry = header->e_entry;
1076	type = header->e_type;
1077	l->l_phnum = header->e_phnum;
1078
1079	maplength = header->e_phnum * sizeof (ElfW(Phdr));
1080	if (header->e_phoff + maplength <= (size_t) fbp->len)
1081	phdr = (void *) (fbp->buf + header->e_phoff);
1082	else
1083	{
1084	phdr = alloca (maplength);
1085	if ((size_t) __pread64_nocancel (fd, (void *) phdr, maplength,
1086	header->e_phoff) != maplength)
1087	{
1088	errstring = N_("cannot read file data");
1089	goto lose_errno;
1090	}
1091	}
1092
1093	/* On most platforms presume that PT_GNU_STACK is absent and the stack is
1094	* executable. Other platforms default to a nonexecutable stack and don't
1095	* need PT_GNU_STACK to do so. */
1096	uint_fast16_t stack_flags = DEFAULT_STACK_PERMS;
1097
1098	{
1099	/* Scan the program header table, collecting its load commands. */
1100	struct loadcmd loadcmds[l->l_phnum];
1101	size_t nloadcmds = 0;
1102	bool has_holes = false;
1103	bool empty_dynamic = false;
1104	ElfW(Addr) p_align_max = 0;
1105
1106	/* The struct is initialized to zero so this is not necessary:
1107	l->l_ld = 0;
1108	l->l_phdr = 0;
1109	l->l_addr = 0; */
1110	for (ph = phdr; ph < &phdr[l->l_phnum]; ++ph)
1111	switch (ph->p_type)
1112	{
1113	/* These entries tell us where to find things once the file's
1114	segments are mapped in. We record the addresses it says
1115	verbatim, and later correct for the run-time load address. */
1116	case PT_DYNAMIC:
1117	if (ph->p_filesz == 0)
1118	empty_dynamic = true; /* Usually separate debuginfo. */
1119	else
1120	{
1121	/* Debuginfo only files from "objcopy --only-keep-debug"
1122	contain a PT_DYNAMIC segment with p_filesz == 0. Skip
1123	such a segment to avoid a crash later. */
1124	l->l_ld = (void *) ph->p_vaddr;
1125	l->l_ldnum = ph->p_memsz / sizeof (ElfW(Dyn));
1126	l->l_ld_readonly = (ph->p_flags & PF_W) == 0;
1127	}
1128	break;
1129
1130	case PT_PHDR:
1131	l->l_phdr = (void *) ph->p_vaddr;
1132	break;
1133
1134	case PT_LOAD:
1135	/* A load command tells us to map in part of the file.
1136	We record the load commands and process them all later. */
1137	if (__glibc_unlikely (((ph->p_vaddr - ph->p_offset)
1138	& (GLRO(dl_pagesize) - 1)) != 0))
1139	{
1140	errstring
1141	= N_("ELF load command address/offset not page-aligned");
1142	goto lose;
1143	}
1144
1145	struct loadcmd *c = &loadcmds[nloadcmds++];
1146	c->mapstart = ALIGN_DOWN (ph->p_vaddr, GLRO(dl_pagesize));
1147	c->mapend = ALIGN_UP (ph->p_vaddr + ph->p_filesz, GLRO(dl_pagesize));
1148	c->dataend = ph->p_vaddr + ph->p_filesz;
1149	c->allocend = ph->p_vaddr + ph->p_memsz;
1150	/* Remember the maximum p_align. */
1151	if (powerof2 (ph->p_align) && ph->p_align > p_align_max)
1152	p_align_max = ph->p_align;
1153	c->mapoff = ALIGN_DOWN (ph->p_offset, GLRO(dl_pagesize));
1154
1155	/* Determine whether there is a gap between the last segment
1156	and this one. */
1157	if (nloadcmds > 1 && c[-1].mapend != c->mapstart)
1158	has_holes = true;
1159
1160	/* Optimize a common case. */
1161	#if (PF_R | PF_W | PF_X) == 7 && (PROT_READ | PROT_WRITE | PROT_EXEC) == 7
1162	c->prot = (PF_TO_PROT
1163	>> ((ph->p_flags & (PF_R | PF_W | PF_X)) * 4)) & 0xf;
1164	#else
1165	c->prot = 0;
1166	if (ph->p_flags & PF_R)
1167	c->prot |= PROT_READ;
1168	if (ph->p_flags & PF_W)
1169	c->prot |= PROT_WRITE;
1170	if (ph->p_flags & PF_X)
1171	c->prot |= PROT_EXEC;
1172	#endif
1173	break;
1174
1175	case PT_TLS:
1176	if (ph->p_memsz == 0)
1177	/* Nothing to do for an empty segment. */
1178	break;
1179
1180	l->l_tls_blocksize = ph->p_memsz;
1181	l->l_tls_align = ph->p_align;
1182	if (ph->p_align == 0)
1183	l->l_tls_firstbyte_offset = 0;
1184	else
1185	l->l_tls_firstbyte_offset = ph->p_vaddr & (ph->p_align - 1);
1186	l->l_tls_initimage_size = ph->p_filesz;
1187	/* Since we don't know the load address yet only store the
1188	offset. We will adjust it later. */
1189	l->l_tls_initimage = (void *) ph->p_vaddr;
1190
1191	/* l->l_tls_modid is assigned below, once there is no
1192	possibility for failure. */
1193
1194	if (l->l_type != lt_library
1195	&& GL(dl_tls_dtv_slotinfo_list) == NULL)
1196	{
1197	#ifdef SHARED
1198	/* We are loading the executable itself when the dynamic
1199	linker was executed directly. The setup will happen
1200	later. */
1201	assert (l->l_prev == NULL || (mode & __RTLD_AUDIT) != 0);
1202	#else
1203	assert (false && "TLS not initialized in static application");
1204	#endif
1205	}
1206	break;
1207
1208	case PT_GNU_STACK:
1209	stack_flags = ph->p_flags;
1210	break;
1211
1212	case PT_GNU_RELRO:
1213	l->l_relro_addr = ph->p_vaddr;
1214	l->l_relro_size = ph->p_memsz;
1215	break;
1216	}
1217
1218	if (__glibc_unlikely (nloadcmds == 0))
1219	{
1220	/* This only happens for a bogus object that will be caught with
1221	another error below. But we don't want to go through the
1222	calculations below using NLOADCMDS - 1. */
1223	errstring = N_("object file has no loadable segments");
1224	goto lose;
1225	}
1226
1227	/* Align all PT_LOAD segments to the maximum p_align. */
1228	for (size_t i = 0; i < nloadcmds; i++)
1229	loadcmds[i].mapalign = p_align_max;
1230
1231	/* dlopen of an executable is not valid because it is not possible
1232	to perform proper relocations, handle static TLS, or run the
1233	ELF constructors. For PIE, the check needs the dynamic
1234	section, so there is another check below. */
1235	if (__glibc_unlikely (type != ET_DYN)
1236	&& __glibc_unlikely ((mode & __RTLD_OPENEXEC) == 0))
1237	{
1238	/* This object is loaded at a fixed address. This must never
1239	happen for objects loaded with dlopen. */
1240	errstring = N_("cannot dynamically load executable");
1241	goto lose;
1242	}
1243
1244	/* This check recognizes most separate debuginfo files. */
1245	if (__glibc_unlikely ((l->l_ld == 0 && type == ET_DYN) || empty_dynamic))
1246	{
1247	errstring = N_("object file has no dynamic section");
1248	goto lose;
1249	}
1250
1251	/* Length of the sections to be loaded. */
1252	maplength = loadcmds[nloadcmds - 1].allocend - loadcmds[0].mapstart;
1253
1254	/* Now process the load commands and map segments into memory.
1255	This is responsible for filling in:
1256	l_map_start, l_map_end, l_addr, l_contiguous, l_text_end, l_phdr
1257	*/
1258	errstring = _dl_map_segments (l, fd, header, type, loadcmds, nloadcmds,
1259	maplength, has_holes, loader);
1260	if (__glibc_unlikely (errstring != NULL))
1261	{
1262	/* Mappings can be in an inconsistent state: avoid unmap. */
1263	l->l_map_start = l->l_map_end = 0;
1264	goto lose;
1265	}
1266	}
1267
1268	if (l->l_ld != 0)
1269	l->l_ld = (ElfW(Dyn) *) ((ElfW(Addr)) l->l_ld + l->l_addr);
1270
1271	elf_get_dynamic_info (l, false, false);
1272
1273	/* Make sure we are not dlopen'ing an object that has the
1274	DF_1_NOOPEN flag set, or a PIE object. */
1275	if ((__glibc_unlikely (l->l_flags_1 & DF_1_NOOPEN)
1276	&& (mode & __RTLD_DLOPEN))
1277	|| (__glibc_unlikely (l->l_flags_1 & DF_1_PIE)
1278	&& __glibc_unlikely ((mode & __RTLD_OPENEXEC) == 0)))
1279	{
1280	if (l->l_flags_1 & DF_1_PIE)
1281	errstring
1282	= N_("cannot dynamically load position-independent executable");
1283	else
1284	errstring = N_("shared object cannot be dlopen()ed");
1285	goto lose;
1286	}
1287
1288	if (l->l_phdr == NULL)
1289	{
1290	/* The program header is not contained in any of the segments.
1291	We have to allocate memory ourself and copy it over from out
1292	temporary place. */
1293	ElfW(Phdr) *newp = (ElfW(Phdr) *) malloc (size: header->e_phnum
1294	* sizeof (ElfW(Phdr)));
1295	if (newp == NULL)
1296	{
1297	errstring = N_("cannot allocate memory for program header");
1298	goto lose_errno;
1299	}
1300
1301	l->l_phdr = memcpy (newp, phdr,
1302	(header->e_phnum * sizeof (ElfW(Phdr))));
1303	l->l_phdr_allocated = 1;
1304	}
1305	else
1306	/* Adjust the PT_PHDR value by the runtime load address. */
1307	l->l_phdr = (ElfW(Phdr) *) ((ElfW(Addr)) l->l_phdr + l->l_addr);
1308
1309	if (__glibc_unlikely ((stack_flags &~ GL(dl_stack_flags)) & PF_X))
1310	{
1311	/* The stack is presently not executable, but this module
1312	requires that it be executable. We must change the
1313	protection of the variable which contains the flags used in
1314	the mprotect calls. */
1315	#ifdef SHARED
1316	if ((mode & (__RTLD_DLOPEN | __RTLD_AUDIT)) == __RTLD_DLOPEN)
1317	{
1318	const uintptr_t p = (uintptr_t) &__stack_prot & -GLRO(dl_pagesize);
1319	const size_t s = (uintptr_t) (&__stack_prot + 1) - p;
1320
1321	struct link_map *const m = &GL(dl_rtld_map);
1322	const uintptr_t relro_end = ((m->l_addr + m->l_relro_addr
1323	+ m->l_relro_size)
1324	& -GLRO(dl_pagesize));
1325	if (__glibc_likely (p + s <= relro_end))
1326	{
1327	/* The variable lies in the region protected by RELRO. */
1328	if (__mprotect ((void *) p, s, PROT_READ|PROT_WRITE) < 0)
1329	{
1330	errstring = N_("cannot change memory protections");
1331	goto lose_errno;
1332	}
1333	__stack_prot |= PROT_READ|PROT_WRITE|PROT_EXEC;
1334	__mprotect ((void *) p, s, PROT_READ);
1335	}
1336	else
1337	__stack_prot |= PROT_READ|PROT_WRITE|PROT_EXEC;
1338	}
1339	else
1340	#endif
1341	__stack_prot |= PROT_READ|PROT_WRITE|PROT_EXEC;
1342
1343	#ifdef check_consistency
1344	check_consistency ();
1345	#endif
1346
1347	#if PTHREAD_IN_LIBC
1348	errval = _dl_make_stacks_executable (stack_endp);
1349	#else
1350	errval = (*GL(dl_make_stack_executable_hook)) (stack_endp);
1351	#endif
1352	if (errval)
1353	{
1354	errstring = N_("\
1355	cannot enable executable stack as shared object requires");
1356	goto lose;
1357	}
1358	}
1359
1360	/* Adjust the address of the TLS initialization image. */
1361	if (l->l_tls_initimage != NULL)
1362	l->l_tls_initimage = (char *) l->l_tls_initimage + l->l_addr;
1363
1364	/* Process program headers again after load segments are mapped in
1365	case processing requires accessing those segments. Scan program
1366	headers backward so that PT_NOTE can be skipped if PT_GNU_PROPERTY
1367	exits. */
1368	for (ph = &l->l_phdr[l->l_phnum]; ph != l->l_phdr; --ph)
1369	switch (ph[-1].p_type)
1370	{
1371	case PT_NOTE:
1372	_dl_process_pt_note (l, fd, ph: &ph[-1]);
1373	break;
1374	case PT_GNU_PROPERTY:
1375	_dl_process_pt_gnu_property (l, fd, ph: &ph[-1]);
1376	break;
1377	}
1378
1379	/* We are done mapping in the file. We no longer need the descriptor. */
1380	if (__glibc_unlikely (__close_nocancel (fd) != 0))
1381	{
1382	errstring = N_("cannot close file descriptor");
1383	goto lose_errno;
1384	}
1385	/* Signal that we closed the file. */
1386	fd = -1;
1387
1388	/* Failures before this point are handled locally via lose.
1389	There are no more failures in this function until return,
1390	to change that the cleanup handling needs to be updated. */
1391
1392	/* If this is ET_EXEC, we should have loaded it as lt_executable. */
1393	assert (type != ET_EXEC || l->l_type == lt_executable);
1394
1395	l->l_entry += l->l_addr;
1396
1397	if (__glibc_unlikely (GLRO(dl_debug_mask) & DL_DEBUG_FILES))
1398	_dl_debug_printf (fmt: "\
1399	dynamic: 0x%0*lx base: 0x%0*lx size: 0x%0*Zx\n\
1400	entry: 0x%0*lx phdr: 0x%0*lx phnum: %*u\n\n",
1401	(int) sizeof (void *) * 2,
1402	(unsigned long int) l->l_ld,
1403	(int) sizeof (void *) * 2,
1404	(unsigned long int) l->l_addr,
1405	(int) sizeof (void *) * 2, maplength,
1406	(int) sizeof (void *) * 2,
1407	(unsigned long int) l->l_entry,
1408	(int) sizeof (void *) * 2,
1409	(unsigned long int) l->l_phdr,
1410	(int) sizeof (void *) * 2, l->l_phnum);
1411
1412	/* Set up the symbol hash table. */
1413	_dl_setup_hash (map: l);
1414
1415	/* If this object has DT_SYMBOLIC set modify now its scope. We don't
1416	have to do this for the main map. */
1417	if ((mode & RTLD_DEEPBIND) == 0
1418	&& __glibc_unlikely (l->l_info[DT_SYMBOLIC] != NULL)
1419	&& &l->l_searchlist != l->l_scope[0])
1420	{
1421	/* Create an appropriate searchlist. It contains only this map.
1422	This is the definition of DT_SYMBOLIC in SysVr4. */
1423	l->l_symbolic_searchlist.r_list[0] = l;
1424	l->l_symbolic_searchlist.r_nlist = 1;
1425
1426	/* Now move the existing entries one back. */
1427	memmove (&l->l_scope[1], &l->l_scope[0],
1428	(l->l_scope_max - 1) * sizeof (l->l_scope[0]));
1429
1430	/* Now add the new entry. */
1431	l->l_scope[0] = &l->l_symbolic_searchlist;
1432	}
1433
1434	/* Remember whether this object must be initialized first. */
1435	if (l->l_flags_1 & DF_1_INITFIRST)
1436	GL(dl_initfirst) = l;
1437
1438	/* Finally the file information. */
1439	l->l_file_id = id;
1440
1441	#ifdef SHARED
1442	/* When auditing is used the recorded names might not include the
1443	name by which the DSO is actually known. Add that as well. */
1444	if (__glibc_unlikely (origname != NULL))
1445	add_name_to_object (l, origname);
1446	#else
1447	/* Audit modules only exist when linking is dynamic so ORIGNAME
1448	cannot be non-NULL. */
1449	assert (origname == NULL);
1450	#endif
1451
1452	/* When we profile the SONAME might be needed for something else but
1453	loading. Add it right away. */
1454	if (__glibc_unlikely (GLRO(dl_profile) != NULL)
1455	&& l->l_info[DT_SONAME] != NULL)
1456	add_name_to_object (l, name: ((const char *) D_PTR (l, l_info[DT_STRTAB])
1457	+ l->l_info[DT_SONAME]->d_un.d_val));
1458
1459	/* If we have newly loaded libc.so, update the namespace
1460	description. */
1461	if (GL(dl_ns)[nsid].libc_map == NULL
1462	&& l->l_info[DT_SONAME] != NULL
1463	&& strcmp (((const char *) D_PTR (l, l_info[DT_STRTAB])
1464	+ l->l_info[DT_SONAME]->d_un.d_val), LIBC_SO) == 0)
1465	GL(dl_ns)[nsid].libc_map = l;
1466
1467	/* _dl_close can only eventually undo the module ID assignment (via
1468	remove_slotinfo) if this function returns a pointer to a link
1469	map. Therefore, delay this step until all possibilities for
1470	failure have been excluded. */
1471	if (l->l_tls_blocksize > 0
1472	&& (__glibc_likely (l->l_type == lt_library)
1473	/* If GL(dl_tls_dtv_slotinfo_list) == NULL, then rtld.c did
1474	not set up TLS data structures, so don't use them now. */
1475	|| __glibc_likely (GL(dl_tls_dtv_slotinfo_list) != NULL)))
1476	/* Assign the next available module ID. */
1477	_dl_assign_tls_modid (l);
1478
1479	#ifdef DL_AFTER_LOAD
1480	DL_AFTER_LOAD (l);
1481	#endif
1482
1483	/* Now that the object is fully initialized add it to the object list. */
1484	_dl_add_to_namespace_list (new: l, nsid);
1485
1486	/* Signal that we are going to add new objects. */
1487	if (r->r_state == RT_CONSISTENT)
1488	{
1489	#ifdef SHARED
1490	/* Auditing checkpoint: we are going to add new objects. Since this
1491	is called after _dl_add_to_namespace_list the namespace is guaranteed
1492	to not be empty. */
1493	if ((mode & __RTLD_AUDIT) == 0)
1494	_dl_audit_activity_nsid (nsid, LA_ACT_ADD);
1495	#endif
1496
1497	/* Notify the debugger we have added some objects. We need to
1498	call _dl_debug_initialize in a static program in case dynamic
1499	linking has not been used before. */
1500	r->r_state = RT_ADD;
1501	_dl_debug_state ();
1502	LIBC_PROBE (map_start, 2, nsid, r);
1503	make_consistent = true;
1504	}
1505	else
1506	assert (r->r_state == RT_ADD);
1507
1508	#ifdef SHARED
1509	/* Auditing checkpoint: we have a new object. */
1510	if (!GL(dl_ns)[l->l_ns]._ns_loaded->l_auditing)
1511	_dl_audit_objopen (l, nsid);
1512	#endif
1513
1514	return l;
1515	}
1516
1517	/* Print search path. */
1518	static void
1519	print_search_path (struct r_search_path_elem **list,
1520	const char *what, const char *name)
1521	{
1522	char buf[max_dirnamelen + max_capstrlen];
1523	int first = 1;
1524
1525	_dl_debug_printf (fmt: " search path=");
1526
1527	while (*list != NULL && (*list)->what == what) /* Yes, ==. */
1528	{
1529	char *endp = __mempcpy (buf, (*list)->dirname, (*list)->dirnamelen);
1530	size_t cnt;
1531
1532	for (cnt = 0; cnt < ncapstr; ++cnt)
1533	if ((*list)->status[cnt] != nonexisting)
1534	{
1535	#ifdef SHARED
1536	char *cp = __mempcpy (endp, capstr[cnt].str, capstr[cnt].len);
1537	if (cp == buf || (cp == buf + 1 && buf[0] == '/'))
1538	cp[0] = '\0';
1539	else
1540	cp[-1] = '\0';
1541	#else
1542	*endp = '\0';
1543	#endif
1544
1545	_dl_debug_printf_c (fmt: first ? "%s" : ":%s", buf);
1546	first = 0;
1547	}
1548
1549	++list;
1550	}
1551
1552	if (name != NULL)
1553	_dl_debug_printf_c (fmt: "\t\t(%s from file %s)\n", what,
1554	DSO_FILENAME (name));
1555	else
1556	_dl_debug_printf_c (fmt: "\t\t(%s)\n", what);
1557	}
1558
1559	/* Open a file and verify it is an ELF file for this architecture. We
1560	ignore only ELF files for other architectures. Non-ELF files and
1561	ELF files with different header information cause fatal errors since
1562	this could mean there is something wrong in the installation and the
1563	user might want to know about this.
1564
1565	If FD is not -1, then the file is already open and FD refers to it.
1566	In that case, FD is consumed for both successful and error returns. */
1567	static int
1568	open_verify (const char *name, int fd,
1569	struct filebuf *fbp, struct link_map *loader,
1570	int whatcode, int mode, bool *found_other_class, bool free_name)
1571	{
1572	/* This is the expected ELF header. */
1573	#define ELF32_CLASS ELFCLASS32
1574	#define ELF64_CLASS ELFCLASS64
1575	#ifndef VALID_ELF_HEADER
1576	# define VALID_ELF_HEADER(hdr,exp,size) (memcmp (hdr, exp, size) == 0)
1577	# define VALID_ELF_OSABI(osabi) (osabi == ELFOSABI_SYSV)
1578	# define VALID_ELF_ABIVERSION(osabi,ver) (ver == 0)
1579	#elif defined MORE_ELF_HEADER_DATA
1580	MORE_ELF_HEADER_DATA;
1581	#endif
1582	static const unsigned char expected[EI_NIDENT] =
1583	{
1584	[EI_MAG0] = ELFMAG0,
1585	[EI_MAG1] = ELFMAG1,
1586	[EI_MAG2] = ELFMAG2,
1587	[EI_MAG3] = ELFMAG3,
1588	[EI_CLASS] = ELFW(CLASS),
1589	[EI_DATA] = byteorder,
1590	[EI_VERSION] = EV_CURRENT,
1591	[EI_OSABI] = ELFOSABI_SYSV,
1592	[EI_ABIVERSION] = 0
1593	};
1594	static const struct
1595	{
1596	ElfW(Word) vendorlen;
1597	ElfW(Word) datalen;
1598	ElfW(Word) type;
1599	char vendor[4];
1600	} expected_note = { 4, 16, 1, "GNU" };
1601	/* Initialize it to make the compiler happy. */
1602	const char *errstring = NULL;
1603	int errval = 0;
1604
1605	#ifdef SHARED
1606	/* Give the auditing libraries a chance. */
1607	if (__glibc_unlikely (GLRO(dl_naudit) > 0))
1608	{
1609	const char *original_name = name;
1610	name = _dl_audit_objsearch (name, loader, whatcode);
1611	if (name == NULL)
1612	return -1;
1613
1614	if (fd != -1 && name != original_name && strcmp (name, original_name))
1615	{
1616	/* An audit library changed what we're supposed to open,
1617	so FD no longer matches it. */
1618	__close_nocancel (fd);
1619	fd = -1;
1620	}
1621	}
1622	#endif
1623
1624	if (fd == -1)
1625	/* Open the file. We always open files read-only. */
1626	fd = __open64_nocancel (name, O_RDONLY | O_CLOEXEC);
1627
1628	if (fd != -1)
1629	{
1630	ElfW(Ehdr) *ehdr;
1631	ElfW(Phdr) *phdr, *ph;
1632	ElfW(Word) *abi_note;
1633	ElfW(Word) *abi_note_malloced = NULL;
1634	unsigned int osversion;
1635	size_t maplength;
1636
1637	/* We successfully opened the file. Now verify it is a file
1638	we can use. */
1639	__set_errno (0);
1640	fbp->len = 0;
1641	assert (sizeof (fbp->buf) > sizeof (ElfW(Ehdr)));
1642	/* Read in the header. */
1643	do
1644	{
1645	ssize_t retlen = __read_nocancel (fd, fbp->buf + fbp->len,
1646	sizeof (fbp->buf) - fbp->len);
1647	if (retlen <= 0)
1648	break;
1649	fbp->len += retlen;
1650	}
1651	while (__glibc_unlikely (fbp->len < sizeof (ElfW(Ehdr))));
1652
1653	/* This is where the ELF header is loaded. */
1654	ehdr = (ElfW(Ehdr) *) fbp->buf;
1655
1656	/* Now run the tests. */
1657	if (__glibc_unlikely (fbp->len < (ssize_t) sizeof (ElfW(Ehdr))))
1658	{
1659	errval = errno;
1660	errstring = (errval == 0
1661	? N_("file too short") : N_("cannot read file data"));
1662	lose:
1663	if (free_name)
1664	{
1665	char *realname = (char *) name;
1666	name = strdupa (realname);
1667	free (ptr: realname);
1668	}
1669	__close_nocancel (fd);
1670	_dl_signal_error (errval, name, NULL, errstring);
1671	}
1672
1673	/* See whether the ELF header is what we expect. */
1674	if (__glibc_unlikely (! VALID_ELF_HEADER (ehdr->e_ident, expected,
1675	EI_ABIVERSION)
1676	|| !VALID_ELF_ABIVERSION (ehdr->e_ident[EI_OSABI],
1677	ehdr->e_ident[EI_ABIVERSION])
1678	|| memcmp (&ehdr->e_ident[EI_PAD],
1679	&expected[EI_PAD],
1680	EI_NIDENT - EI_PAD) != 0))
1681	{
1682	/* Something is wrong. */
1683	const Elf32_Word *magp = (const void *) ehdr->e_ident;
1684	if (*magp !=
1685	#if BYTE_ORDER == LITTLE_ENDIAN
1686	((ELFMAG0 << (EI_MAG0 * 8))
1687	| (ELFMAG1 << (EI_MAG1 * 8))
1688	| (ELFMAG2 << (EI_MAG2 * 8))
1689	| (ELFMAG3 << (EI_MAG3 * 8)))
1690	#else
1691	((ELFMAG0 << (EI_MAG3 * 8))
1692	| (ELFMAG1 << (EI_MAG2 * 8))
1693	| (ELFMAG2 << (EI_MAG1 * 8))
1694	| (ELFMAG3 << (EI_MAG0 * 8)))
1695	#endif
1696	)
1697	errstring = N_("invalid ELF header");
1698	else if (ehdr->e_ident[EI_CLASS] != ELFW(CLASS))
1699	{
1700	/* This is not a fatal error. On architectures where
1701	32-bit and 64-bit binaries can be run this might
1702	happen. */
1703	*found_other_class = true;
1704	goto close_and_out;
1705	}
1706	else if (ehdr->e_ident[EI_DATA] != byteorder)
1707	{
1708	if (BYTE_ORDER == BIG_ENDIAN)
1709	errstring = N_("ELF file data encoding not big-endian");
1710	else
1711	errstring = N_("ELF file data encoding not little-endian");
1712	}
1713	else if (ehdr->e_ident[EI_VERSION] != EV_CURRENT)
1714	errstring
1715	= N_("ELF file version ident does not match current one");
1716	/* XXX We should be able so set system specific versions which are
1717	allowed here. */
1718	else if (!VALID_ELF_OSABI (ehdr->e_ident[EI_OSABI]))
1719	errstring = N_("ELF file OS ABI invalid");
1720	else if (!VALID_ELF_ABIVERSION (ehdr->e_ident[EI_OSABI],
1721	ehdr->e_ident[EI_ABIVERSION]))
1722	errstring = N_("ELF file ABI version invalid");
1723	else if (memcmp (&ehdr->e_ident[EI_PAD], &expected[EI_PAD],
1724	EI_NIDENT - EI_PAD) != 0)
1725	errstring = N_("nonzero padding in e_ident");
1726	else
1727	/* Otherwise we don't know what went wrong. */
1728	errstring = N_("internal error");
1729
1730	goto lose;
1731	}
1732
1733	if (__glibc_unlikely (ehdr->e_version != EV_CURRENT))
1734	{
1735	errstring = N_("ELF file version does not match current one");
1736	goto lose;
1737	}
1738	if (! __glibc_likely (elf_machine_matches_host (ehdr)))
1739	goto close_and_out;
1740	else if (__glibc_unlikely (ehdr->e_type != ET_DYN
1741	&& ehdr->e_type != ET_EXEC))
1742	{
1743	errstring = N_("only ET_DYN and ET_EXEC can be loaded");
1744	goto lose;
1745	}
1746	else if (__glibc_unlikely (ehdr->e_phentsize != sizeof (ElfW(Phdr))))
1747	{
1748	errstring = N_("ELF file's phentsize not the expected size");
1749	goto lose;
1750	}
1751
1752	maplength = ehdr->e_phnum * sizeof (ElfW(Phdr));
1753	if (ehdr->e_phoff + maplength <= (size_t) fbp->len)
1754	phdr = (void *) (fbp->buf + ehdr->e_phoff);
1755	else
1756	{
1757	phdr = alloca (maplength);
1758	if ((size_t) __pread64_nocancel (fd, (void *) phdr, maplength,
1759	ehdr->e_phoff) != maplength)
1760	{
1761	read_error:
1762	errval = errno;
1763	errstring = N_("cannot read file data");
1764	goto lose;
1765	}
1766	}
1767
1768	if (__glibc_unlikely (elf_machine_reject_phdr_p
1769	(phdr, ehdr->e_phnum, fbp->buf, fbp->len,
1770	loader, fd)))
1771	goto close_and_out;
1772
1773	/* Check .note.ABI-tag if present. */
1774	for (ph = phdr; ph < &phdr[ehdr->e_phnum]; ++ph)
1775	if (ph->p_type == PT_NOTE && ph->p_filesz >= 32
1776	&& (ph->p_align == 4 || ph->p_align == 8))
1777	{
1778	ElfW(Addr) size = ph->p_filesz;
1779
1780	if (ph->p_offset + size <= (size_t) fbp->len)
1781	abi_note = (void *) (fbp->buf + ph->p_offset);
1782	else
1783	{
1784	/* Note: __libc_use_alloca is not usable here, because
1785	thread info may not have been set up yet. */
1786	if (size < __MAX_ALLOCA_CUTOFF)
1787	abi_note = alloca (size);
1788	else
1789	{
1790	/* There could be multiple PT_NOTEs. */
1791	abi_note_malloced = realloc (ptr: abi_note_malloced, size: size);
1792	if (abi_note_malloced == NULL)
1793	goto read_error;
1794
1795	abi_note = abi_note_malloced;
1796	}
1797	if (__pread64_nocancel (fd, (void *) abi_note, size,
1798	ph->p_offset) != size)
1799	{
1800	free (ptr: abi_note_malloced);
1801	goto read_error;
1802	}
1803	}
1804
1805	while (memcmp (abi_note, &expected_note, sizeof (expected_note)))
1806	{
1807	ElfW(Addr) note_size
1808	= ELF_NOTE_NEXT_OFFSET (abi_note[0], abi_note[1],
1809	ph->p_align);
1810
1811	if (size - 32 < note_size)
1812	{
1813	size = 0;
1814	break;
1815	}
1816	size -= note_size;
1817	abi_note = (void *) abi_note + note_size;
1818	}
1819
1820	if (size == 0)
1821	continue;
1822
1823	osversion = (abi_note[5] & 0xff) * 65536
1824	+ (abi_note[6] & 0xff) * 256
1825	+ (abi_note[7] & 0xff);
1826	if (abi_note[4] != __ABI_TAG_OS
1827	|| (GLRO(dl_osversion) && GLRO(dl_osversion) < osversion))
1828	{
1829	close_and_out:
1830	__close_nocancel (fd);
1831	__set_errno (ENOENT);
1832	fd = -1;
1833	}
1834
1835	break;
1836	}
1837	free (ptr: abi_note_malloced);
1838	}
1839
1840	return fd;
1841	}
1842
1843	/* Try to open NAME in one of the directories in *DIRSP.
1844	Return the fd, or -1. If successful, fill in *REALNAME
1845	with the malloc'd full directory name. If it turns out
1846	that none of the directories in *DIRSP exists, *DIRSP is
1847	replaced with (void *) -1, and the old value is free()d
1848	if MAY_FREE_DIRS is true. */
1849
1850	static int
1851	open_path (const char *name, size_t namelen, int mode,
1852	struct r_search_path_struct *sps, char **realname,
1853	struct filebuf *fbp, struct link_map *loader, int whatcode,
1854	bool *found_other_class)
1855	{
1856	struct r_search_path_elem **dirs = sps->dirs;
1857	char *buf;
1858	int fd = -1;
1859	const char *current_what = NULL;
1860	int any = 0;
1861
1862	if (__glibc_unlikely (dirs == NULL))
1863	/* We're called before _dl_init_paths when loading the main executable
1864	given on the command line when rtld is run directly. */
1865	return -1;
1866
1867	buf = alloca (max_dirnamelen + max_capstrlen + namelen);
1868	do
1869	{
1870	struct r_search_path_elem *this_dir = *dirs;
1871	size_t buflen = 0;
1872	size_t cnt;
1873	char *edp;
1874	int here_any = 0;
1875	int err;
1876
1877	/* If we are debugging the search for libraries print the path
1878	now if it hasn't happened now. */
1879	if (__glibc_unlikely (GLRO(dl_debug_mask) & DL_DEBUG_LIBS)
1880	&& current_what != this_dir->what)
1881	{
1882	current_what = this_dir->what;
1883	print_search_path (list: dirs, what: current_what, name: this_dir->where);
1884	}
1885
1886	edp = (char *) __mempcpy (buf, this_dir->dirname, this_dir->dirnamelen);
1887	for (cnt = 0; fd == -1 && cnt < ncapstr; ++cnt)
1888	{
1889	/* Skip this directory if we know it does not exist. */
1890	if (this_dir->status[cnt] == nonexisting)
1891	continue;
1892
1893	#ifdef SHARED
1894	buflen =
1895	((char *) __mempcpy (__mempcpy (edp, capstr[cnt].str,
1896	capstr[cnt].len),
1897	name, namelen)
1898	- buf);
1899	#else
1900	buflen = (char *) __mempcpy (edp, name, namelen) - buf;
1901	#endif
1902
1903	/* Print name we try if this is wanted. */
1904	if (__glibc_unlikely (GLRO(dl_debug_mask) & DL_DEBUG_LIBS))
1905	_dl_debug_printf (fmt: " trying file=%s\n", buf);
1906
1907	fd = open_verify (name: buf, fd: -1, fbp, loader, whatcode, mode,
1908	found_other_class, false);
1909	if (this_dir->status[cnt] == unknown)
1910	{
1911	if (fd != -1)
1912	this_dir->status[cnt] = existing;
1913	/* Do not update the directory information when loading
1914	auditing code. We must try to disturb the program as
1915	little as possible. */
1916	else if (loader == NULL
1917	|| GL(dl_ns)[loader->l_ns]._ns_loaded->l_auditing == 0)
1918	{
1919	/* We failed to open machine dependent library. Let's
1920	test whether there is any directory at all. */
1921	struct __stat64_t64 st;
1922
1923	buf[buflen - namelen - 1] = '\0';
1924
1925	if (__stat64_time64 (buf, &st) != 0
1926	|| ! S_ISDIR (st.st_mode))
1927	/* The directory does not exist or it is no directory. */
1928	this_dir->status[cnt] = nonexisting;
1929	else
1930	this_dir->status[cnt] = existing;
1931	}
1932	}
1933
1934	/* Remember whether we found any existing directory. */
1935	here_any |= this_dir->status[cnt] != nonexisting;
1936
1937	if (fd != -1 && __glibc_unlikely (mode & __RTLD_SECURE)
1938	&& __libc_enable_secure)
1939	{
1940	/* This is an extra security effort to make sure nobody can
1941	preload broken shared objects which are in the trusted
1942	directories and so exploit the bugs. */
1943	struct __stat64_t64 st;
1944
1945	if (__fstat64_time64 (fd, &st) != 0
1946	|| (st.st_mode & S_ISUID) == 0)
1947	{
1948	/* The shared object cannot be tested for being SUID
1949	or this bit is not set. In this case we must not
1950	use this object. */
1951	__close_nocancel (fd);
1952	fd = -1;
1953	/* We simply ignore the file, signal this by setting
1954	the error value which would have been set by `open'. */
1955	errno = ENOENT;
1956	}
1957	}
1958	}
1959
1960	if (fd != -1)
1961	{
1962	*realname = (char *) malloc (size: buflen);
1963	if (*realname != NULL)
1964	{
1965	memcpy (*realname, buf, buflen);
1966	return fd;
1967	}
1968	else
1969	{
1970	/* No memory for the name, we certainly won't be able
1971	to load and link it. */
1972	__close_nocancel (fd);
1973	return -1;
1974	}
1975	}
1976	if (here_any && (err = errno) != ENOENT && err != EACCES)
1977	/* The file exists and is readable, but something went wrong. */
1978	return -1;
1979
1980	/* Remember whether we found anything. */
1981	any |= here_any;
1982	}
1983	while (*++dirs != NULL);
1984
1985	/* Remove the whole path if none of the directories exists. */
1986	if (__glibc_unlikely (! any))
1987	{
1988	/* Paths which were allocated using the minimal malloc() in ld.so
1989	must not be freed using the general free() in libc. */
1990	if (sps->malloced)
1991	free (ptr: sps->dirs);
1992
1993	/* __rtld_search_dirs and __rtld_env_path_list are
1994	attribute_relro, therefore avoid writing to them. */
1995	if (sps != &__rtld_search_dirs && sps != &__rtld_env_path_list)
1996	sps->dirs = (void *) -1;
1997	}
1998
1999	return -1;
2000	}
2001
2002	/* Map in the shared object file NAME. */
2003
2004	struct link_map *
2005	_dl_map_object (struct link_map *loader, const char *name,
2006	int type, int trace_mode, int mode, Lmid_t nsid)
2007	{
2008	int fd;
2009	const char *origname = NULL;
2010	char *realname;
2011	char *name_copy;
2012	struct link_map *l;
2013	struct filebuf fb;
2014
2015	assert (nsid >= 0);
2016	assert (nsid < GL(dl_nns));
2017
2018	/* Look for this name among those already loaded. */
2019	for (l = GL(dl_ns)[nsid]._ns_loaded; l; l = l->l_next)
2020	{
2021	/* If the requested name matches the soname of a loaded object,
2022	use that object. Elide this check for names that have not
2023	yet been opened. */
2024	if (__glibc_unlikely ((l->l_faked | l->l_removed) != 0))
2025	continue;
2026	if (!_dl_name_match_p (name: name, map: l))
2027	{
2028	const char *soname;
2029
2030	if (__glibc_likely (l->l_soname_added)
2031	|| l->l_info[DT_SONAME] == NULL)
2032	continue;
2033
2034	soname = ((const char *) D_PTR (l, l_info[DT_STRTAB])
2035	+ l->l_info[DT_SONAME]->d_un.d_val);
2036	if (strcmp (name, soname) != 0)
2037	continue;
2038
2039	/* We have a match on a new name -- cache it. */
2040	add_name_to_object (l, name: soname);
2041	l->l_soname_added = 1;
2042	}
2043
2044	/* We have a match. */
2045	return l;
2046	}
2047
2048	/* Display information if we are debugging. */
2049	if (__glibc_unlikely (GLRO(dl_debug_mask) & DL_DEBUG_FILES)
2050	&& loader != NULL)
2051	_dl_debug_printf (fmt: (mode & __RTLD_CALLMAP) == 0
2052	? "\nfile=%s [%lu]; needed by %s [%lu]\n"
2053	: "\nfile=%s [%lu]; dynamically loaded by %s [%lu]\n",
2054	name, nsid, DSO_FILENAME (loader->l_name), loader->l_ns);
2055
2056	#ifdef SHARED
2057	/* Give the auditing libraries a chance to change the name before we
2058	try anything. */
2059	if (__glibc_unlikely (GLRO(dl_naudit) > 0))
2060	{
2061	const char *before = name;
2062	name = _dl_audit_objsearch (name, loader, LA_SER_ORIG);
2063	if (name == NULL)
2064	{
2065	fd = -1;
2066	goto no_file;
2067	}
2068	if (before != name && strcmp (before, name) != 0)
2069	origname = before;
2070	}
2071	#endif
2072
2073	/* Will be true if we found a DSO which is of the other ELF class. */
2074	bool found_other_class = false;
2075
2076	if (strchr (name, '/') == NULL)
2077	{
2078	/* Search for NAME in several places. */
2079
2080	size_t namelen = strlen (name) + 1;
2081
2082	if (__glibc_unlikely (GLRO(dl_debug_mask) & DL_DEBUG_LIBS))
2083	_dl_debug_printf (fmt: "find library=%s [%lu]; searching\n", name, nsid);
2084
2085	fd = -1;
2086
2087	/* When the object has the RUNPATH information we don't use any
2088	RPATHs. */
2089	if (loader == NULL || loader->l_info[DT_RUNPATH] == NULL)
2090	{
2091	/* This is the executable's map (if there is one). Make sure that
2092	we do not look at it twice. */
2093	struct link_map *main_map = GL(dl_ns)[LM_ID_BASE]._ns_loaded;
2094	bool did_main_map = false;
2095
2096	/* First try the DT_RPATH of the dependent object that caused NAME
2097	to be loaded. Then that object's dependent, and on up. */
2098	for (l = loader; l; l = l->l_loader)
2099	if (cache_rpath (l, sp: &l->l_rpath_dirs, DT_RPATH, what: "RPATH"))
2100	{
2101	fd = open_path (name, namelen, mode,
2102	sps: &l->l_rpath_dirs,
2103	realname: &realname, fbp: &fb, loader, whatcode: LA_SER_RUNPATH,
2104	found_other_class: &found_other_class);
2105	if (fd != -1)
2106	break;
2107
2108	did_main_map |= l == main_map;
2109	}
2110
2111	/* If dynamically linked, try the DT_RPATH of the executable
2112	itself. NB: we do this for lookups in any namespace. */
2113	if (fd == -1 && !did_main_map
2114	&& main_map != NULL && main_map->l_type != lt_loaded
2115	&& cache_rpath (l: main_map, sp: &main_map->l_rpath_dirs, DT_RPATH,
2116	what: "RPATH"))
2117	fd = open_path (name, namelen, mode,
2118	sps: &main_map->l_rpath_dirs,
2119	realname: &realname, fbp: &fb, loader: loader ?: main_map, whatcode: LA_SER_RUNPATH,
2120	found_other_class: &found_other_class);
2121
2122	/* Also try DT_RUNPATH in the executable for LD_AUDIT dlopen
2123	call. */
2124	if (__glibc_unlikely (mode & __RTLD_AUDIT)
2125	&& fd == -1 && !did_main_map
2126	&& main_map != NULL && main_map->l_type != lt_loaded)
2127	{
2128	struct r_search_path_struct l_rpath_dirs;
2129	l_rpath_dirs.dirs = NULL;
2130	if (cache_rpath (l: main_map, sp: &l_rpath_dirs,
2131	DT_RUNPATH, what: "RUNPATH"))
2132	fd = open_path (name, namelen, mode, sps: &l_rpath_dirs,
2133	realname: &realname, fbp: &fb, loader: loader ?: main_map,
2134	whatcode: LA_SER_RUNPATH, found_other_class: &found_other_class);
2135	}
2136	}
2137
2138	/* Try the LD_LIBRARY_PATH environment variable. */
2139	if (fd == -1 && __rtld_env_path_list.dirs != (void *) -1)
2140	fd = open_path (name, namelen, mode, sps: &__rtld_env_path_list,
2141	realname: &realname, fbp: &fb,
2142	loader: loader ?: GL(dl_ns)[LM_ID_BASE]._ns_loaded,
2143	whatcode: LA_SER_LIBPATH, found_other_class: &found_other_class);
2144
2145	/* Look at the RUNPATH information for this binary. */
2146	if (fd == -1 && loader != NULL
2147	&& cache_rpath (l: loader, sp: &loader->l_runpath_dirs,
2148	DT_RUNPATH, what: "RUNPATH"))
2149	fd = open_path (name, namelen, mode,
2150	sps: &loader->l_runpath_dirs, realname: &realname, fbp: &fb, loader,
2151	whatcode: LA_SER_RUNPATH, found_other_class: &found_other_class);
2152
2153	if (fd == -1)
2154	{
2155	realname = _dl_sysdep_open_object (name, namelen, fd: &fd);
2156	if (realname != NULL)
2157	{
2158	fd = open_verify (name: realname, fd,
2159	fbp: &fb, loader: loader ?: GL(dl_ns)[nsid]._ns_loaded,
2160	whatcode: LA_SER_CONFIG, mode, found_other_class: &found_other_class,
2161	false);
2162	if (fd == -1)
2163	free (ptr: realname);
2164	}
2165	}
2166
2167	#ifdef USE_LDCONFIG
2168	if (fd == -1
2169	&& (__glibc_likely ((mode & __RTLD_SECURE) == 0)
2170	|| ! __libc_enable_secure)
2171	&& __glibc_likely (GLRO(dl_inhibit_cache) == 0))
2172	{
2173	/* Check the list of libraries in the file /etc/ld.so.cache,
2174	for compatibility with Linux's ldconfig program. */
2175	char *cached = _dl_load_cache_lookup (name);
2176
2177	if (cached != NULL)
2178	{
2179	// XXX Correct to unconditionally default to namespace 0?
2180	l = (loader
2181	?: GL(dl_ns)[LM_ID_BASE]._ns_loaded
2182	# ifdef SHARED
2183	?: &GL(dl_rtld_map)
2184	# endif
2185	);
2186
2187	/* If the loader has the DF_1_NODEFLIB flag set we must not
2188	use a cache entry from any of these directories. */
2189	if (__glibc_unlikely (l->l_flags_1 & DF_1_NODEFLIB))
2190	{
2191	const char *dirp = system_dirs;
2192	unsigned int cnt = 0;
2193
2194	do
2195	{
2196	if (memcmp (cached, dirp, system_dirs_len[cnt]) == 0)
2197	{
2198	/* The prefix matches. Don't use the entry. */
2199	free (ptr: cached);
2200	cached = NULL;
2201	break;
2202	}
2203
2204	dirp += system_dirs_len[cnt] + 1;
2205	++cnt;
2206	}
2207	while (cnt < nsystem_dirs_len);
2208	}
2209
2210	if (cached != NULL)
2211	{
2212	fd = open_verify (name: cached, fd: -1,
2213	fbp: &fb, loader: loader ?: GL(dl_ns)[nsid]._ns_loaded,
2214	whatcode: LA_SER_CONFIG, mode, found_other_class: &found_other_class,
2215	false);
2216	if (__glibc_likely (fd != -1))
2217	realname = cached;
2218	else
2219	free (ptr: cached);
2220	}
2221	}
2222	}
2223	#endif
2224
2225	/* Finally, try the default path. */
2226	if (fd == -1
2227	&& ((l = loader ?: GL(dl_ns)[nsid]._ns_loaded) == NULL
2228	|| __glibc_likely (!(l->l_flags_1 & DF_1_NODEFLIB)))
2229	&& __rtld_search_dirs.dirs != (void *) -1)
2230	fd = open_path (name, namelen, mode, sps: &__rtld_search_dirs,
2231	realname: &realname, fbp: &fb, loader: l, whatcode: LA_SER_DEFAULT, found_other_class: &found_other_class);
2232
2233	/* Add another newline when we are tracing the library loading. */
2234	if (__glibc_unlikely (GLRO(dl_debug_mask) & DL_DEBUG_LIBS))
2235	_dl_debug_printf (fmt: "\n");
2236	}
2237	else
2238	{
2239	/* The path may contain dynamic string tokens. */
2240	realname = (loader
2241	? expand_dynamic_string_token (l: loader, input: name)
2242	: __strdup (name));
2243	if (realname == NULL)
2244	fd = -1;
2245	else
2246	{
2247	fd = open_verify (name: realname, fd: -1, fbp: &fb,
2248	loader: loader ?: GL(dl_ns)[nsid]._ns_loaded, whatcode: 0, mode,
2249	found_other_class: &found_other_class, true);
2250	if (__glibc_unlikely (fd == -1))
2251	free (ptr: realname);
2252	}
2253	}
2254
2255	#ifdef SHARED
2256	no_file:
2257	#endif
2258	/* In case the LOADER information has only been provided to get to
2259	the appropriate RUNPATH/RPATH information we do not need it
2260	anymore. */
2261	if (mode & __RTLD_CALLMAP)
2262	loader = NULL;
2263
2264	if (__glibc_unlikely (fd == -1))
2265	{
2266	if (trace_mode
2267	&& __glibc_likely ((GLRO(dl_debug_mask) & DL_DEBUG_PRELINK) == 0))
2268	{
2269	/* We haven't found an appropriate library. But since we
2270	are only interested in the list of libraries this isn't
2271	so severe. Fake an entry with all the information we
2272	have. */
2273	static const Elf_Symndx dummy_bucket = STN_UNDEF;
2274
2275	/* Allocate a new object map. */
2276	if ((name_copy = __strdup (name)) == NULL
2277	|| (l = _dl_new_object (realname: name_copy, libname: name, type, loader,
2278	mode, nsid)) == NULL)
2279	{
2280	free (ptr: name_copy);
2281	_dl_signal_error (ENOMEM, name, NULL,
2282	N_("cannot create shared object descriptor"));
2283	}
2284	/* Signal that this is a faked entry. */
2285	l->l_faked = 1;
2286	/* Since the descriptor is initialized with zero we do not
2287	have do this here.
2288	l->l_reserved = 0; */
2289	l->l_buckets = &dummy_bucket;
2290	l->l_nbuckets = 1;
2291	l->l_relocated = 1;
2292
2293	/* Enter the object in the object list. */
2294	_dl_add_to_namespace_list (new: l, nsid);
2295
2296	return l;
2297	}
2298	else if (found_other_class)
2299	_dl_signal_error (0, name, NULL,
2300	ELFW(CLASS) == ELFCLASS32
2301	? N_("wrong ELF class: ELFCLASS64")
2302	: N_("wrong ELF class: ELFCLASS32"));
2303	else
2304	_dl_signal_error (errno, name, NULL,
2305	N_("cannot open shared object file"));
2306	}
2307
2308	void *stack_end = __libc_stack_end;
2309	return _dl_map_object_from_fd (name, origname, fd, fbp: &fb, realname, loader,
2310	l_type: type, mode, stack_endp: &stack_end, nsid);
2311	}
2312
2313	struct add_path_state
2314	{
2315	bool counting;
2316	unsigned int idx;
2317	Dl_serinfo *si;
2318	char *allocptr;
2319	};
2320
2321	static void
2322	add_path (struct add_path_state *p, const struct r_search_path_struct *sps,
2323	unsigned int flags)
2324	{
2325	if (sps->dirs != (void *) -1)
2326	{
2327	struct r_search_path_elem **dirs = sps->dirs;
2328	do
2329	{
2330	const struct r_search_path_elem *const r = *dirs++;
2331	if (p->counting)
2332	{
2333	p->si->dls_cnt++;
2334	p->si->dls_size += MAX (2, r->dirnamelen);
2335	}
2336	else
2337	{
2338	Dl_serpath *const sp = &p->si->dls_serpath[p->idx++];
2339	sp->dls_name = p->allocptr;
2340	if (r->dirnamelen < 2)
2341	*p->allocptr++ = r->dirnamelen ? '/' : '.';
2342	else
2343	p->allocptr = __mempcpy (p->allocptr,
2344	r->dirname, r->dirnamelen - 1);
2345	*p->allocptr++ = '\0';
2346	sp->dls_flags = flags;
2347	}
2348	}
2349	while (*dirs != NULL);
2350	}
2351	}
2352
2353	void
2354	_dl_rtld_di_serinfo (struct link_map *loader, Dl_serinfo *si, bool counting)
2355	{
2356	if (counting)
2357	{
2358	si->dls_cnt = 0;
2359	si->dls_size = 0;
2360	}
2361
2362	struct add_path_state p =
2363	{
2364	.counting = counting,
2365	.idx = 0,
2366	.si = si,
2367	.allocptr = (char *) &si->dls_serpath[si->dls_cnt]
2368	};
2369
2370	# define add_path(p, sps, flags) add_path(p, sps, 0) /* XXX */
2371
2372	/* When the object has the RUNPATH information we don't use any RPATHs. */
2373	if (loader->l_info[DT_RUNPATH] == NULL)
2374	{
2375	/* First try the DT_RPATH of the dependent object that caused NAME
2376	to be loaded. Then that object's dependent, and on up. */
2377
2378	struct link_map *l = loader;
2379	do
2380	{
2381	if (cache_rpath (l, sp: &l->l_rpath_dirs, DT_RPATH, what: "RPATH"))
2382	add_path (&p, &l->l_rpath_dirs, XXX_RPATH);
2383	l = l->l_loader;
2384	}
2385	while (l != NULL);
2386
2387	/* If dynamically linked, try the DT_RPATH of the executable itself. */
2388	if (loader->l_ns == LM_ID_BASE)
2389	{
2390	l = GL(dl_ns)[LM_ID_BASE]._ns_loaded;
2391	if (l != NULL && l->l_type != lt_loaded && l != loader)
2392	if (cache_rpath (l, sp: &l->l_rpath_dirs, DT_RPATH, what: "RPATH"))
2393	add_path (&p, &l->l_rpath_dirs, XXX_RPATH);
2394	}
2395	}
2396
2397	/* Try the LD_LIBRARY_PATH environment variable. */
2398	add_path (&p, &__rtld_env_path_list, XXX_ENV);
2399
2400	/* Look at the RUNPATH information for this binary. */
2401	if (cache_rpath (l: loader, sp: &loader->l_runpath_dirs, DT_RUNPATH, what: "RUNPATH"))
2402	add_path (&p, &loader->l_runpath_dirs, XXX_RUNPATH);
2403
2404	/* XXX
2405	Here is where ld.so.cache gets checked, but we don't have
2406	a way to indicate that in the results for Dl_serinfo. */
2407
2408	/* Finally, try the default path. */
2409	if (!(loader->l_flags_1 & DF_1_NODEFLIB))
2410	add_path (&p, &__rtld_search_dirs, XXX_default);
2411
2412	if (counting)
2413	/* Count the struct size before the string area, which we didn't
2414	know before we completed dls_cnt. */
2415	si->dls_size += (char *) &si->dls_serpath[si->dls_cnt] - (char *) si;
2416	}
2417