dynlink.texi 54 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294
  1. @node Dynamic Linker
  2. @c @node Dynamic Linker, Internal Probes, Threads, Top
  3. @c %MENU% Loading programs and shared objects.
  4. @chapter Dynamic Linker
  5. @cindex dynamic linker
  6. @cindex dynamic loader
  7. The @dfn{dynamic linker} is responsible for loading dynamically linked
  8. programs and their dependencies (in the form of shared objects). The
  9. dynamic linker in @theglibc{} also supports loading shared objects (such
  10. as plugins) later at run time.
  11. Dynamic linkers are sometimes called @dfn{dynamic loaders}.
  12. @menu
  13. * Dynamic Linker Invocation:: Explicit invocation of the dynamic linker.
  14. * Dynamic Linker Environment Variables:: Environment variables that control the
  15. dynamic linker.
  16. * Dynamic Linker Introspection:: Interfaces for querying mapping information.
  17. * Dynamic Linker Hardening:: Avoiding unexpected issues with dynamic linking.
  18. @end menu
  19. @node Dynamic Linker Invocation
  20. @section Dynamic Linker Invocation
  21. @cindex program interpreter
  22. When a dynamically linked program starts, the operating system
  23. automatically loads the dynamic linker along with the program.
  24. @Theglibc{} also supports invoking the dynamic linker explicitly to
  25. launch a program. This command uses the implied dynamic linker
  26. (also sometimes called the @dfn{program interpreter}):
  27. @smallexample
  28. sh -c 'echo "Hello, world!"'
  29. @end smallexample
  30. This command specifies the dynamic linker explicitly:
  31. @smallexample
  32. ld.so /bin/sh -c 'echo "Hello, world!"'
  33. @end smallexample
  34. Note that @command{ld.so} does not search the @env{PATH} environment
  35. variable, so the full file name of the executable needs to be specified.
  36. The @command{ld.so} program supports various options. Options start
  37. @samp{--} and need to come before the program that is being launched.
  38. Some of the supported options are listed below.
  39. @table @code
  40. @item --list-diagnostics
  41. Print system diagnostic information in a machine-readable format.
  42. @xref{Dynamic Linker Diagnostics}.
  43. @end table
  44. @menu
  45. * Dynamic Linker Diagnostics:: Obtaining system diagnostic information.
  46. @end menu
  47. @node Dynamic Linker Diagnostics
  48. @subsection Dynamic Linker Diagnostics
  49. @cindex diagnostics (dynamic linker)
  50. The @samp{ld.so --list-diagnostics} produces machine-readable
  51. diagnostics output. This output contains system data that affects the
  52. behavior of @theglibc{}, and potentially application behavior as well.
  53. The exact set of diagnostic items can change between releases of
  54. @theglibc{}. The output format itself is not expected to change
  55. radically.
  56. The following table shows some example lines that can be written by the
  57. diagnostics command.
  58. @table @code
  59. @item dl_pagesize=0x1000
  60. The system page size is 4096 bytes.
  61. @item env[0x14]="LANG=en_US.UTF-8"
  62. This item indicates that the 21st environment variable at process
  63. startup contains a setting for @code{LANG}.
  64. @item env_filtered[0x22]="DISPLAY"
  65. The 35th environment variable is @code{DISPLAY}. Its value is not
  66. included in the output for privacy reasons because it is not recognized
  67. as harmless by the diagnostics code.
  68. @item path.prefix="/usr"
  69. This means that @theglibc{} was configured with @code{--prefix=/usr}.
  70. @item path.system_dirs[0x0]="/lib64/"
  71. @itemx path.system_dirs[0x1]="/usr/lib64/"
  72. The built-in dynamic linker search path contains two directories,
  73. @code{/lib64} and @code{/usr/lib64}.
  74. @end table
  75. @menu
  76. * Dynamic Linker Diagnostics Format:: Format of ld.so output.
  77. * Dynamic Linker Diagnostics Values:: Data contain in ld.so output.
  78. @end menu
  79. @node Dynamic Linker Diagnostics Format
  80. @subsubsection Dynamic Linker Diagnostics Format
  81. As seen above, diagnostic lines assign values (integers or strings) to a
  82. sequence of labeled subscripts, separated by @samp{.}. Some subscripts
  83. have integer indices associated with them. The subscript indices are
  84. not necessarily contiguous or small, so an associative array should be
  85. used to store them. Currently, all integers fit into the 64-bit
  86. unsigned integer range. Every access path to a value has a fixed type
  87. (string or integer) independent of subscript index values. Likewise,
  88. whether a subscript is indexed does not depend on previous indices (but
  89. may depend on previous subscript labels).
  90. A syntax description in ABNF (RFC 5234) follows. Note that
  91. @code{%x30-39} denotes the range of decimal digits. Diagnostic output
  92. lines are expected to match the @code{line} production.
  93. @c ABNF-START
  94. @smallexample
  95. HEXDIG = %x30-39 / %x61-6f ; lowercase a-f only
  96. ALPHA = %x41-5a / %x61-7a / %x7f ; letters and underscore
  97. ALPHA-NUMERIC = ALPHA / %x30-39 / "_"
  98. DQUOTE = %x22 ; "
  99. ; Numbers are always hexadecimal and use a 0x prefix.
  100. hex-value-prefix = %x30 %x78
  101. hex-value = hex-value-prefix 1*HEXDIG
  102. ; Strings use octal escape sequences and \\, \".
  103. string-char = %x20-21 / %x23-5c / %x5d-7e ; printable but not "\
  104. string-quoted-octal = %x30-33 2*2%x30-37
  105. string-quoted = "\" ("\" / DQUOTE / string-quoted-octal)
  106. string-value = DQUOTE *(string-char / string-quoted) DQUOTE
  107. value = hex-value / string-value
  108. label = ALPHA *ALPHA-NUMERIC
  109. index = "[" hex-value "]"
  110. subscript = label [index]
  111. line = subscript *("." subscript) "=" value
  112. @end smallexample
  113. @node Dynamic Linker Diagnostics Values
  114. @subsubsection Dynamic Linker Diagnostics Values
  115. As mentioned above, the set of diagnostics may change between
  116. @theglibc{} releases. Nevertheless, the following table documents a few
  117. common diagnostic items. All numbers are in hexadecimal, with a
  118. @samp{0x} prefix.
  119. @table @code
  120. @item dl_dst_lib=@var{string}
  121. The @code{$LIB} dynamic string token expands to @var{string}.
  122. @cindex HWCAP (diagnostics)
  123. @item dl_hwcap=@var{integer}
  124. @itemx dl_hwcap2=@var{integer}
  125. The HWCAP and HWCAP2 values, as returned for @code{getauxval}, and as
  126. used in other places depending on the architecture.
  127. @cindex page size (diagnostics)
  128. @item dl_pagesize=@var{integer}
  129. The system page size is @var{integer} bytes.
  130. @item dl_platform=@var{string}
  131. The @code{$PLATFORM} dynamic string token expands to @var{string}.
  132. @item dso.libc=@var{string}
  133. This is the soname of the shared @code{libc} object that is part of
  134. @theglibc{}. On most architectures, this is @code{libc.so.6}.
  135. @item env[@var{index}]=@var{string}
  136. @itemx env_filtered[@var{index}]=@var{string}
  137. An environment variable from the process environment. The integer
  138. @var{index} is the array index in the environment array. Variables
  139. under @code{env} include the variable value after the @samp{=} (assuming
  140. that it was present), variables under @code{env_filtered} do not.
  141. @item path.prefix=@var{string}
  142. This indicates that @theglibc{} was configured using
  143. @samp{--prefix=@var{string}}.
  144. @item path.sysconfdir=@var{string}
  145. @Theglibc{} was configured (perhaps implicitly) with
  146. @samp{--sysconfdir=@var{string}} (typically @code{/etc}).
  147. @item path.system_dirs[@var{index}]=@var{string}
  148. These items list the elements of the built-in array that describes the
  149. default library search path. The value @var{string} is a directory file
  150. name with a trailing @samp{/}.
  151. @item path.rtld=@var{string}
  152. This string indicates the application binary interface (ABI) file name
  153. of the run-time dynamic linker.
  154. @item version.release="stable"
  155. @itemx version.release="development"
  156. The value @code{"stable"} indicates that this build of @theglibc{} is
  157. from a release branch. Releases labeled as @code{"development"} are
  158. unreleased development versions.
  159. @cindex version (diagnostics)
  160. @item version.version="@var{major}.@var{minor}"
  161. @itemx version.version="@var{major}.@var{minor}.9000"
  162. @Theglibc{} version. Development releases end in @samp{.9000}.
  163. @cindex auxiliary vector (diagnostics)
  164. @item auxv[@var{index}].a_type=@var{type}
  165. @itemx auxv[@var{index}].a_val=@var{integer}
  166. @itemx auxv[@var{index}].a_val_string=@var{string}
  167. An entry in the auxiliary vector (specific to Linux). The values
  168. @var{type} (an integer) and @var{integer} correspond to the members of
  169. @code{struct auxv}. If the value is a string, @code{a_val_string} is
  170. used instead of @code{a_val}, so that values have consistent types.
  171. The @code{AT_HWCAP} and @code{AT_HWCAP2} values in this output do not
  172. reflect adjustment by @theglibc{}.
  173. @item uname.sysname=@var{string}
  174. @itemx uname.nodename=@var{string}
  175. @itemx uname.release=@var{string}
  176. @itemx uname.version=@var{string}
  177. @itemx uname.machine=@var{string}
  178. @itemx uname.domain=@var{string}
  179. These Linux-specific items show the values of @code{struct utsname}, as
  180. reported by the @code{uname} function. @xref{Platform Type}.
  181. @item aarch64.cpu_features.@dots{}
  182. These items are specific to the AArch64 architectures. They report data
  183. @theglibc{} uses to activate conditionally supported features such as
  184. BTI and MTE, and to select alternative function implementations.
  185. @item aarch64.processor[@var{index}].@dots{}
  186. These are additional items for the AArch64 architecture and are
  187. described below.
  188. @item aarch64.processor[@var{index}].requested=@var{kernel-cpu}
  189. The kernel is told to run the subsequent probing on the CPU numbered
  190. @var{kernel-cpu}. The values @var{kernel-cpu} and @var{index} can be
  191. distinct if there are gaps in the process CPU affinity mask. This line
  192. is not included if CPU affinity mask information is not available.
  193. @item aarch64.processor[@var{index}].observed=@var{kernel-cpu}
  194. This line reports the kernel CPU number @var{kernel-cpu} on which the
  195. probing code initially ran. If the CPU number cannot be obtained,
  196. this line is not printed.
  197. @item aarch64.processor[@var{index}].observed_node=@var{node}
  198. This reports the observed NUMA node number, as reported by the
  199. @code{getcpu} system call. If this information cannot be obtained, this
  200. line is not printed.
  201. @item aarch64.processor[@var{index}].midr_el1=@var{value}
  202. The value of the @code{midr_el1} system register on the processor
  203. @var{index}. This line is only printed if the kernel indicates that
  204. this system register is supported.
  205. @item aarch64.processor[@var{index}].dczid_el0=@var{value}
  206. The value of the @code{dczid_el0} system register on the processor
  207. @var{index}.
  208. @cindex CPUID (diagnostics)
  209. @item x86.cpu_features.@dots{}
  210. These items are specific to the i386 and x86-64 architectures. They
  211. reflect supported CPU features and information on cache geometry, mostly
  212. collected using the CPUID instruction.
  213. @item x86.processor[@var{index}].@dots{}
  214. These are additional items for the i386 and x86-64 architectures, as
  215. described below. They mostly contain raw data from the CPUID
  216. instruction. The probes are performed for each active CPU for the
  217. @code{ld.so} process, and data for different probed CPUs receives a
  218. unique @var{index} value. Some CPUID data is expected to differ from CPU
  219. core to CPU core. In some cases, CPUs are not correctly initialized and
  220. indicate the presence of different feature sets.
  221. @item x86.processor[@var{index}].requested=@var{kernel-cpu}
  222. The kernel is told to run the subsequent probing on the CPU numbered
  223. @var{kernel-cpu}. The values @var{kernel-cpu} and @var{index} can be
  224. distinct if there are gaps in the process CPU affinity mask. This line
  225. is not included if CPU affinity mask information is not available.
  226. @item x86.processor[@var{index}].observed=@var{kernel-cpu}
  227. This line reports the kernel CPU number @var{kernel-cpu} on which the
  228. probing code initially ran. If the CPU number cannot be obtained,
  229. this line is not printed.
  230. @item x86.processor[@var{index}].observed_node=@var{node}
  231. This reports the observed NUMA node number, as reported by the
  232. @code{getcpu} system call. If this information cannot be obtained, this
  233. line is not printed.
  234. @item x86.processor[@var{index}].cpuid_leaves=@var{count}
  235. This line indicates that @var{count} distinct CPUID leaves were
  236. encountered. (This reflects internal @code{ld.so} storage space, it
  237. does not directly correspond to @code{CPUID} enumeration ranges.)
  238. @item x86.processor[@var{index}].ecx_limit=@var{value}
  239. The CPUID data extraction code uses a brute-force approach to enumerate
  240. subleaves (see the @samp{.subleaf_eax} lines below). The last
  241. @code{%rcx} value used in a CPUID query on this probed CPU was
  242. @var{value}.
  243. @item x86.processor[@var{index}].cpuid.eax[@var{query_eax}].eax=@var{eax}
  244. @itemx x86.processor[@var{index}].cpuid.eax[@var{query_eax}].ebx=@var{ebx}
  245. @itemx x86.processor[@var{index}].cpuid.eax[@var{query_eax}].ecx=@var{ecx}
  246. @itemx x86.processor[@var{index}].cpuid.eax[@var{query_eax}].edx=@var{edx}
  247. These lines report the register contents after executing the CPUID
  248. instruction with @samp{%rax == @var{query_eax}} and @samp{%rcx == 0} (a
  249. @dfn{leaf}). For the first probed CPU (with a zero @var{index}), only
  250. leaves with non-zero register contents are reported. For subsequent
  251. CPUs, only leaves whose register contents differs from the previously
  252. probed CPUs (with @var{index} one less) are reported.
  253. Basic and extended leaves are reported using the same syntax. This
  254. means there is a large jump in @var{query_eax} for the first reported
  255. extended leaf.
  256. @item x86.processor[@var{index}].cpuid.subleaf_eax[@var{query_eax}].ecx[@var{query_ecx}].eax=@var{eax}
  257. @itemx x86.processor[@var{index}].cpuid.subleaf_eax[@var{query_eax}].ecx[@var{query_ecx}].ebx=@var{ebx}
  258. @itemx x86.processor[@var{index}].cpuid.subleaf_eax[@var{query_eax}].ecx[@var{query_ecx}].ecx=@var{ecx}
  259. @itemx x86.processor[@var{index}].cpuid.subleaf_eax[@var{query_eax}].ecx[@var{query_ecx}].edx=@var{edx}
  260. This is similar to the leaves above, but for a @dfn{subleaf}. For
  261. subleaves, the CPUID instruction is executed with @samp{%rax ==
  262. @var{query_eax}} and @samp{%rcx == @var{query_ecx}}, so the result
  263. depends on both register values. The same rules about filtering zero
  264. and identical results apply.
  265. @item x86.processor[@var{index}].cpuid.subleaf_eax[@var{query_eax}].ecx[@var{query_ecx}].until_ecx=@var{ecx_limit}
  266. Some CPUID results are the same regardless the @var{query_ecx} value.
  267. If this situation is detected, a line with the @samp{.until_ecx}
  268. selector ins included, and this indicates that the CPUID register
  269. contents is the same for @code{%rcx} values between @var{query_ecx}
  270. and @var{ecx_limit} (inclusive).
  271. @item x86.processor[@var{index}].cpuid.subleaf_eax[@var{query_eax}].ecx[@var{query_ecx}].ecx_query_mask=0xff
  272. This line indicates that in an @samp{.until_ecx} range, the CPUID
  273. instruction preserved the lowest 8 bits of the input @code{%rcx} in
  274. the output @code{%rcx} registers. Otherwise, the subleaves in the range
  275. have identical values. This special treatment is necessary to report
  276. compact range information in case such copying occurs (because the
  277. subleaves would otherwise be all different).
  278. @item x86.processor[@var{index}].xgetbv.ecx[@var{query_ecx}]=@var{result}
  279. This line shows the 64-bit @var{result} value in the @code{%rdx:%rax}
  280. register pair after executing the XGETBV instruction with @code{%rcx}
  281. set to @var{query_ecx}. Zero values and values matching the previously
  282. probed CPU are omitted. Nothing is printed if the system does not
  283. support the XGETBV instruction.
  284. @end table
  285. @node Dynamic Linker Environment Variables
  286. @section Dynamic Linker Environment Variables
  287. The behavior of the dynamic linker can be modified through various environment
  288. variables.
  289. @table @code
  290. @item LD_DEBUG
  291. @cindex @code{LD_DEBUG} environment variable
  292. The @env{LD_DEBUG} environment variable can be set to a comma-separated list
  293. of keywords to enable debugging output from the dynamic linker. Setting it to
  294. @code{help} will display a list of all available keywords. The output is
  295. written to standard output by default.
  296. @table @code
  297. @item libs
  298. Display library search paths.
  299. @item reloc
  300. Display relocation processing.
  301. @item files
  302. Display progress for input file processing.
  303. @item symbols
  304. Display symbol table processing.
  305. @item bindings
  306. Display information about symbol binding.
  307. @item versions
  308. Display version dependencies.
  309. @item scopes
  310. Display scope information.
  311. @item tls
  312. Display information about Thread-Local Storage (TLS) handling, including TCB
  313. allocation, deallocation, and reuse. This is useful for debugging issues
  314. related to thread creation and lifecycle.
  315. @item security
  316. Display security warnings that are related to loading binaries that lack
  317. certain target-dependent hardening features. This may be useful for audit
  318. purposes.
  319. @item all
  320. All previous options combined.
  321. @item statistics
  322. Display relocation statistics.
  323. @item unused
  324. Determined unused DSOs.
  325. @item help
  326. Display a help message with all available options and exit.
  327. @end table
  328. @item LD_DEBUG_OUTPUT
  329. @cindex @code{LD_DEBUG_OUTPUT} environment variable
  330. If @env{LD_DEBUG} is set, the output is written to standard output by
  331. default. If @env{LD_DEBUG_OUTPUT} is set, the output is written to the
  332. file specified by its value, with the process ID appended. For example, if
  333. @env{LD_DEBUG_OUTPUT} is set to @file{/tmp/glibc.debug}, the output will be
  334. written to a file named @file{/tmp/glibc.debug.12345}, where @code{12345} is
  335. the process ID.
  336. @end table
  337. @node Dynamic Linker Introspection
  338. @section Dynamic Linker Introspection
  339. @Theglibc{} provides various facilities for querying information from the
  340. dynamic linker.
  341. @deftp {Data Type} {struct link_map}
  342. @cindex link map
  343. A @dfn{link map} is associated with the main executable and each shared
  344. object. Some fields of the link map are accessible to applications and
  345. exposed through the @code{struct link_map}. Applications must not modify
  346. the link map directly.
  347. Pointers to link maps can be obtained from the @code{_r_debug} variable,
  348. from the @code{RTLD_DI_LINKMAP} request for @code{dlinfo}, and from the
  349. @code{_dl_find_object} function. See below for details.
  350. @table @code
  351. @item l_addr
  352. @cindex load address
  353. This field contains the @dfn{load address} of the object. This is the
  354. offset that needs to be applied to unrelocated addresses in the object
  355. image (as stored on disk) to form an address that can be used at run
  356. time for accessing data or running code. For position-dependent
  357. executables, the load address is typically zero, and no adjustment is
  358. required. For position-independent objects, the @code{l_addr} field
  359. usually contains the address of the object's ELF header in the process
  360. image. However, this correspondence is not guaranteed because the ELF
  361. header might not be mapped at all, and the ELF file as stored on disk
  362. might use zero as the lowest virtual address. Due to the second
  363. variable, values of the @code{l_addr} field do not necessarily uniquely
  364. identify a shared object.
  365. On Linux, to obtain the lowest loaded address of the main program, use
  366. @code{getauxval} to obtain the @code{AT_PHDR} and @code{AT_PHNUM} values
  367. for the current process. Alternatively, call
  368. @samp{dlinfo (_r_debug.r_map, &@var{phdr})}
  369. to obtain the number of program headers, and the address of the program
  370. header array will be stored in @var{phdr}
  371. (of type @code{const ElfW(Phdr) *}, as explained below).
  372. These values allow processing the array of program headers and the
  373. address information in the @code{PT_LOAD} entries among them.
  374. This works even when the program was started with an explicit loader
  375. invocation.
  376. @item l_name
  377. For a shared object, this field contains the file name that the
  378. @theglibc{} dynamic loader used when opening the object. This can be
  379. a relative path (relative to the current directory at process start,
  380. or if the object was loaded later, via @code{dlopen} or
  381. @code{dlmopen}). Symbolic links are not necessarily resolved.
  382. For the main executable, @code{l_name} is @samp{""} (the empty string).
  383. (The main executable is not loaded by @theglibc{}, so its file name is
  384. not available.) On Linux, the main executable is available as
  385. @file{/proc/self/exe} (unless an explicit loader invocation was used to
  386. start the program). The file name @file{/proc/self/exe} continues to
  387. resolve to the same file even if it is moved within or deleted from the
  388. file system. Its current location can be read using @code{readlink}.
  389. @xref{Symbolic Links}. (Although @file{/proc/self/exe} is not actually
  390. a symbol link, it is only presented as one.) Note that @file{/proc} may
  391. not be mounted, in which case @file{/proc/self/exe} is not available.
  392. If an explicit loader invocation is used (such as @samp{ld.so
  393. /usr/bin/emacs}), the @file{/proc/self/exe} approach does not work
  394. because the file name refers to the dynamic linker @code{ld.so}, and not
  395. the @code{/usr/bin/emacs} program. An approximation to the executable
  396. path is still available in the @code{@var{info}.dli_fname} member after
  397. calling @samp{dladdr (_r_debug.r_map->l_ld, &@var{info})}. Note that
  398. this could be a relative path, and it is supplied by the process that
  399. created the current process, not the kernel, so it could be inaccurate.
  400. @item l_ld
  401. This is a pointer to the ELF dynamic segment, an array of tag/value
  402. pairs that provide various pieces of information that the dynamic
  403. linking process uses. On most architectures, addresses in the dynamic
  404. segment are relocated at run time, but on some architectures and in some
  405. run-time configurations, it is necessary to add the @code{l_addr} field
  406. value to obtain a proper address.
  407. @item l_prev
  408. @itemx l_next
  409. These fields are used to maintain a double-linked linked list of all
  410. link maps within one @code{dlmopen} namespace. Note that there is
  411. currently no thread-safe way to iterate over this list. The
  412. callback-based @code{dl_iterate_phdr} interface can be used instead.
  413. @end table
  414. @end deftp
  415. @strong{Portability note:} It is not possible to create a @code{struct
  416. link_map} object and pass a pointer to a function that expects a
  417. @code{struct link_map *} argument. Only link map pointers initially
  418. supplied by @theglibc{} are permitted as arguments. In current versions
  419. of @theglibc{}, handles returned by @code{dlopen} and @code{dlmopen} are
  420. pointers to link maps. However, this is not a portable assumption, and
  421. may even change in future versions of @theglibc{}. To obtain the link
  422. map associated with a handle, see @code{dlinfo} and
  423. @code{RTLD_DI_LINKMAP} below. If a function accepts both
  424. @code{dlopen}/@code{dlmopen} handles and @code{struct link_map} pointers
  425. in its @code{void *} argument, that is documented explicitly.
  426. @subsection Querying information for loaded objects
  427. The @code{dlinfo} function provides access to internal information
  428. associated with @code{dlopen}/@code{dlmopen} handles and link maps.
  429. @deftypefun {int} dlinfo (void *@var{handle}, int @var{request}, void *@var{arg})
  430. @safety{@mtsafe{}@asunsafe{@asucorrupt{}}@acunsafe{@acucorrupt{}}}
  431. @standards{GNU, dlfcn.h}
  432. This function returns information about @var{handle} in the memory
  433. location @var{arg}, based on @var{request}. The @var{handle} argument
  434. must be a pointer returned by @code{dlopen} or @code{dlmopen}; it must
  435. not have been closed by @code{dlclose}. Alternatively, @var{handle}
  436. can be a @code{struct link_map *} value for a link map of an object
  437. that has not been closed.
  438. On success, @code{dlinfo} returns 0 for most request types; exceptions
  439. are noted below. If there is an error, the function returns @math{-1},
  440. and @code{dlerror} can be used to obtain a corresponding error message.
  441. The following operations are defined for use with @var{request}:
  442. @vtable @code
  443. @item RTLD_DI_LINKMAP
  444. The corresponding @code{struct link_map} pointer for @var{handle} is
  445. written to @code{*@var{arg}}. The @var{arg} argument must be the
  446. address of an object of type @code{struct link_map *}.
  447. @item RTLD_DI_LMID
  448. The namespace identifier of @var{handle} is written to
  449. @code{*@var{arg}}. The @var{arg} argument must be the address of an
  450. object of type @code{Lmid_t}.
  451. @item RTLD_DI_ORIGIN
  452. The value of the @code{$ORIGIN} dynamic string token for @var{handle} is
  453. written to the character array starting at @var{arg} as a
  454. null-terminated string.
  455. This request type should not be used because it is prone to buffer
  456. overflows.
  457. @item RTLD_DI_SERINFO
  458. @itemx RTLD_DI_SERINFOSIZE
  459. These requests can be used to obtain search path information for
  460. @var{handle}. For both requests, @var{arg} must point to a
  461. @code{Dl_serinfo} object. The @code{RTLD_DI_SERINFOSIZE} request must
  462. be made first; it updates the @code{dls_size} and @code{dls_cnt} members
  463. of the @code{Dl_serinfo} object. The caller should then allocate memory
  464. to store at least @code{dls_size} bytes and pass that buffer to a
  465. @code{RTLD_DI_SERINFO} request. This second request fills the
  466. @code{dls_serpath} array. The number of array elements was returned in
  467. the @code{dls_cnt} member in the initial @code{RTLD_DI_SERINFOSIZE}
  468. request. The caller is responsible for freeing the allocated buffer.
  469. This interface is prone to buffer overflows in multi-threaded processes
  470. because the required size can change between the
  471. @code{RTLD_DI_SERINFOSIZE} and @code{RTLD_DI_SERINFO} requests.
  472. @item RTLD_DI_TLS_DATA
  473. This request writes the address of the TLS block (in the current thread)
  474. for the shared object identified by @var{handle} to @code{*@var{arg}}.
  475. The argument @var{arg} must be the address of an object of type
  476. @code{void *}. A null pointer is written if the object does not have
  477. any associated TLS block.
  478. @item RTLD_DI_TLS_MODID
  479. This request writes the TLS module ID for the shared object @var{handle}
  480. to @code{*@var{arg}}. The argument @var{arg} must be the address of an
  481. object of type @code{size_t}. The module ID is zero if the object
  482. does not have an associated TLS block.
  483. @item RTLD_DI_PHDR
  484. This request writes the address of the program header array to
  485. @code{*@var{arg}}. The argument @var{arg} must be the address of an
  486. object of type @code{const ElfW(Phdr) *} (that is,
  487. @code{const Elf32_Phdr *} or @code{const Elf64_Phdr *}, as appropriate
  488. for the current architecture). For this request, the value returned by
  489. @code{dlinfo} is the number of program headers in the program header
  490. array.
  491. @end vtable
  492. The @code{dlinfo} function is a GNU extension.
  493. @end deftypefun
  494. The remainder of this section documents the @code{_dl_find_object}
  495. function and supporting types and constants.
  496. @deftp {Data Type} {struct dl_find_object}
  497. @standards{GNU, dlfcn.h}
  498. This structure contains information about a main program or loaded
  499. object. The @code{_dl_find_object} function uses it to return
  500. result data to the caller.
  501. @table @code
  502. @item unsigned long long int dlfo_flags
  503. Bit zero signals if SFrame stack data is valid. See
  504. @code{DLFO_FLAG_SFRAME} below.
  505. @item void *dlfo_map_start
  506. The start address of the inspected mapping. This information comes from
  507. the program header, so it follows its convention, and the address is not
  508. necessarily page-aligned.
  509. @item void *dlfo_map_end
  510. The end address of the mapping.
  511. @item struct link_map *dlfo_link_map
  512. This member contains a pointer to the link map of the object.
  513. @item void *dlfo_eh_frame
  514. This member contains a pointer to the exception handling data of the
  515. object. See @code{DLFO_EH_SEGMENT_TYPE} below.
  516. @item void *dlfo_sframe
  517. This member points to the SFrame stack trace data associated with the
  518. object. It is valid only when @code{DLFO_FLAG_SFRAME} is set in
  519. @code{dlfo_flags}; otherwise, it may be null or undefined.
  520. @end table
  521. This structure is a GNU extension.
  522. @end deftp
  523. @deftypevr Macro int DLFO_STRUCT_HAS_EH_DBASE
  524. @standards{GNU, dlfcn.h}
  525. On most targets, this macro is defined as @code{0}. If it is defined to
  526. @code{1}, @code{struct dl_find_object} contains an additional member
  527. @code{dlfo_eh_dbase} of type @code{void *}. It is the base address for
  528. @code{DW_EH_PE_datarel} DWARF encodings to this location.
  529. This macro is a GNU extension.
  530. @end deftypevr
  531. @deftypevr Macro int DLFO_STRUCT_HAS_EH_COUNT
  532. @standards{GNU, dlfcn.h}
  533. On most targets, this macro is defined as @code{0}. If it is defined to
  534. @code{1}, @code{struct dl_find_object} contains an additional member
  535. @code{dlfo_eh_count} of type @code{int}. It is the number of exception
  536. handling entries in the EH frame segment identified by the
  537. @code{dlfo_eh_frame} member.
  538. This macro is a GNU extension.
  539. @end deftypevr
  540. @deftypevr Macro int DLFO_EH_SEGMENT_TYPE
  541. @standards{GNU, dlfcn.h}
  542. On targets using DWARF-based exception unwinding, this macro expands to
  543. @code{PT_GNU_EH_FRAME}. This indicates that @code{dlfo_eh_frame} in
  544. @code{struct dl_find_object} points to the @code{PT_GNU_EH_FRAME}
  545. segment of the object. On targets that use other unwinding formats, the
  546. macro expands to the program header type for the unwinding data.
  547. This macro is a GNU extension.
  548. @end deftypevr
  549. @deftypefun {int} _dl_find_object (void *@var{address}, struct dl_find_object *@var{result})
  550. @standards{GNU, dlfcn.h}
  551. @safety{@mtsafe{}@assafe{}@acsafe{}}
  552. On success, this function returns 0 and writes about the object
  553. surrounding the address to @code{*@var{result}}. On failure, -1 is
  554. returned.
  555. The @var{address} can be a code address or data address. On
  556. architectures using function descriptors, no attempt is made to decode
  557. the function descriptor. Depending on how these descriptors are
  558. implemented, @code{_dl_find_object} may return the object that defines
  559. the function descriptor (and not the object that contains the code
  560. implementing the function), or fail to find any object at all.
  561. On success @var{address} is greater than or equal to
  562. @code{@var{result}->dlfo_map_start} and less than
  563. @code{@var{result}->dlfo_map_end}, that is, the supplied code address is
  564. located within the reported mapping.
  565. This function returns a pointer to the unwinding information for the
  566. object that contains the program code @var{address} in
  567. @code{@var{result}->dlfo_eh_frame}. If the platform uses DWARF
  568. unwinding information, this is the in-memory address of the
  569. @code{PT_GNU_EH_FRAME} segment. See @code{DLFO_EH_SEGMENT_TYPE} above.
  570. In case @var{address} resides in an object that lacks unwinding information,
  571. the function still returns 0, but sets @code{@var{result}->dlfo_eh_frame}
  572. to a null pointer.
  573. @code{_dl_find_object} itself is thread-safe. However, if the
  574. application invokes @code{dlclose} for the object that contains
  575. @var{address} concurrently with @code{_dl_find_object} or after the call
  576. returns, accessing the unwinding data for that object or the link map
  577. (through @code{@var{result}->dlfo_link_map}) is not safe. Therefore, the
  578. application needs to ensure by other means (e.g., by convention) that
  579. @var{address} remains a valid code address while the unwinding
  580. information is processed.
  581. This function is a GNU extension.
  582. @end deftypefun
  583. The following flag masks are defined for use with @code{dlfo_flags}:
  584. @table @code
  585. @item DLFO_FLAG_SFRAME
  586. A bit mask used to signal that the object contains SFrame data. See
  587. @code{dlfo_sframe} above.
  588. @end table
  589. @node Dynamic Linker Hardening
  590. @section Avoiding Unexpected Issues With Dynamic Linking
  591. This section details recommendations for increasing application
  592. robustness, by avoiding potential issues related to dynamic linking.
  593. The recommendations have two main aims: reduce the involvement of the
  594. dynamic linker in application execution after process startup, and
  595. restrict the application to a dynamic linker feature set whose behavior
  596. is more easily understood.
  597. Key aspects of limiting dynamic linker usage after startup are: no use
  598. of the @code{dlopen} function, disabling lazy binding, and using the
  599. static TLS model. More easily understood dynamic linker behavior
  600. requires avoiding name conflicts (symbols and sonames) and highly
  601. customizable features like the audit subsystem.
  602. Note that while these steps can be considered a form of application
  603. hardening, they do not guard against potential harm from accidental or
  604. deliberate loading of untrusted or malicious code. There is only
  605. limited overlap with traditional security hardening for applications
  606. running on GNU systems.
  607. @subsection Restricted Dynamic Linker Features
  608. Avoiding certain dynamic linker features can increase predictability of
  609. applications and reduce the risk of running into dynamic linker defects.
  610. @itemize @bullet
  611. @item
  612. Do not use the functions @code{dlopen}, @code{dlmopen}, or
  613. @code{dlclose}. Dynamic loading and unloading of shared objects
  614. introduces substantial complications related to symbol and thread-local
  615. storage (TLS) management.
  616. @item
  617. Without the @code{dlopen} function, @code{dlsym} and @code{dlvsym}
  618. cannot be used with shared object handles. Minimizing the use of both
  619. functions is recommended. If they have to be used, only the
  620. @code{RTLD_DEFAULT} pseudo-handle should be used.
  621. @item
  622. Use the local-exec or initial-exec TLS models. If @code{dlopen} is not
  623. used, there are no compatibility concerns for initial-exec TLS. This
  624. TLS model avoids most of the complexity around TLS access. In
  625. particular, there are no TLS-related run-time memory allocations after
  626. process or thread start.
  627. If shared objects are expected to be used more generally, outside the
  628. hardened, feature-restricted context, lack of compatibility between
  629. @code{dlopen} and initial-exec TLS could be a concern. In that case,
  630. the second-best alternative is to use global-dynamic TLS with GNU2 TLS
  631. descriptors, for targets that fully implement them, including the fast
  632. path for access to TLS variables defined in the initially loaded set of
  633. objects. Like initial-exec TLS, this avoids memory allocations after
  634. thread creation, but only if the @code{dlopen} function is not used.
  635. @item
  636. Do not use lazy binding. Lazy binding may require run-time memory
  637. allocation, is not async-signal-safe, and introduces considerable
  638. complexity.
  639. @item
  640. Make dependencies on shared objects explicit. Do not assume that
  641. certain libraries (such as @code{libc.so.6}) are always loaded.
  642. Specifically, if a main program or shared object references a symbol,
  643. create an ELF @code{DT_NEEDED} dependency on that shared object, or on
  644. another shared object that is documented (or otherwise guaranteed) to
  645. have the required explicit dependency. Referencing a symbol without a
  646. matching link dependency results in underlinking, and underlinked
  647. objects cannot always be loaded correctly: Initialization of objects may
  648. not happen in the required order.
  649. @item
  650. Do not create dependency loops between shared objects (@code{libA.so.1}
  651. depending on @code{libB.so.1} depending on @code{libC.so.1} depending on
  652. @code{libA.so.1}). @Theglibc{} has to initialize one of the objects in
  653. the cycle first, and the choice of that object is arbitrary and can
  654. change over time. The object which is initialized first (and other
  655. objects involved in the cycle) may not run correctly because not all of
  656. its dependencies have been initialized.
  657. Underlinking (see above) can hide the presence of cycles.
  658. @item
  659. Limit the creation of indirect function (IFUNC) resolvers. These
  660. resolvers run during relocation processing, when @theglibc{} is not in
  661. a fully consistent state. If you write your own IFUNC resolvers, do
  662. not depend on external data or function references in those resolvers.
  663. @item
  664. Do not use the audit functionality (@code{LD_AUDIT}, @code{DT_AUDIT},
  665. @code{DT_DEPAUDIT}). Its callback and hooking capabilities introduce a
  666. lot of complexity and subtly alter dynamic linker behavior in corner
  667. cases even if the audit module is inactive.
  668. @item
  669. Do not use symbol interposition. Without symbol interposition, the
  670. exact order in which shared objects are searched are less relevant.
  671. Exceptions to this rule are copy relocations (see the next item), and
  672. vague linkage, as used by the C++ implementation (see below).
  673. @item
  674. One potential source of symbol interposition is a combination of static
  675. and dynamic linking, namely linking a static archive into multiple
  676. dynamic shared objects. For such scenarios, the static library should
  677. be converted into its own dynamic shared object.
  678. A different approach to this situation uses hidden visibility for
  679. symbols in the static library, but this can cause problems if the
  680. library does not expect that multiple copies of its code coexist within
  681. the same process, with no or partial sharing of state.
  682. @item
  683. If you use shared objects that are linked with @option{-Wl,-Bsymbolic}
  684. (or equivalent) or use protected visibility, the code for the main
  685. program must be built as @option{-fpic} or @option{-fPIC} to avoid
  686. creating copy relocations (and the main program must not use copy
  687. relocations for other reasons). Using @option{-fpie} or @option{-fPIE}
  688. is not an alternative to PIC code in this context.
  689. @item
  690. Be careful about explicit section annotations. Make sure that the
  691. target section matches the properties of the declared entity (e.g., no
  692. writable objects in @code{.text}).
  693. @item
  694. Ensure that all assembler or object input files have the recommended
  695. security markup, particularly for non-executable stack.
  696. @item
  697. Avoid using non-default linker flags and features. In particular, do
  698. not use the @code{DT_PREINIT_ARRAY} dynamic tag, and do not flag
  699. objects as @code{DF_1_INITFIRST}. Do not change the default linker
  700. script of BFD ld. Do not override ABI defaults, such as the dynamic
  701. linker path (with @option{--dynamic-linker}).
  702. @item
  703. Some features of @theglibc{} indirectly depend on run-time code loading
  704. and @code{dlopen}. Use @code{iconv_open} with built-in converters only
  705. (such as @code{UTF-8}). Do not use NSS functionality such as
  706. @code{getaddrinfo} or @code{getpwuid_r} unless the system is configured
  707. for built-in NSS service modules only (see below).
  708. @end itemize
  709. Several considerations apply to ELF constructors and destructors.
  710. @itemize @bullet
  711. @item
  712. The dynamic linker does not take constructor and destructor priorities
  713. into account when determining their execution order. Priorities are
  714. only used by the link editor for ordering execution within a
  715. completely linked object. If a dynamic shared object needs to be
  716. initialized before another object, this can be expressed with a
  717. @code{DT_NEEDED} dependency on the object that needs to be initialized
  718. earlier.
  719. @item
  720. The recommendations to avoid cyclic dependencies and symbol
  721. interposition make it less likely that ELF objects are accessed before
  722. their ELF constructors have run. However, using @code{dlsym} and
  723. @code{dlvsym}, it is still possible to access uninitialized facilities
  724. even with these restrictions in place. (Of course, access to
  725. uninitialized functionality is also possible within a single shared
  726. object or the main executable, without resorting to explicit symbol
  727. lookup.) Consider using dynamic, on-demand initialization instead. To
  728. deal with access after de-initialization, it may be necessary to
  729. implement special cases for that scenario, potentially with degraded
  730. functionality.
  731. @item
  732. Be aware that when ELF destructors are executed, it is possible to
  733. reference already-deconstructed shared objects. This can happen even in
  734. the absence of @code{dlsym} and @code{dlvsym} function calls, for
  735. example if client code using a shared object has registered callbacks or
  736. objects with another shared object. The ELF destructor for the client
  737. code is executed before the ELF destructor for the shared objects that
  738. it uses, based on the expected dependency order.
  739. @item
  740. If @code{dlopen} and @code{dlmopen} are not used, @code{DT_NEEDED}
  741. dependency information is complete, and lazy binding is disabled, the
  742. execution order of ELF destructors is expected to be the reverse of the
  743. ELF constructor order. However, two separate dependency sort operations
  744. still occur. Even though the listed preconditions should ensure that
  745. both sorts produce the same ordering, it is recommended not to depend on
  746. the destructor order being the reverse of the constructor order.
  747. @end itemize
  748. The following items provide C++-specific guidance for preparing
  749. applications. If another programming language is used and it uses these
  750. toolchain features targeted at C++ to implement some language
  751. constructs, these restrictions and recommendations still apply in
  752. analogous ways.
  753. @itemize @bullet
  754. @item
  755. C++ inline functions, templates, and other constructs may need to be
  756. duplicated into multiple shared objects using vague linkage, resulting
  757. in symbol interposition. This type of symbol interposition is
  758. unproblematic, as long as the C++ one definition rule (ODR) is followed,
  759. and all definitions in different translation units are equivalent
  760. according to the language C++ rules.
  761. @item
  762. Be aware that under C++ language rules, it is unspecified whether
  763. evaluating a string literal results in the same address for each
  764. evaluation. This also applies to anonymous objects of static storage
  765. duration that GCC creates, for example to implement the compound
  766. literals C++ extension. As a result, comparing pointers to such
  767. objects, or using them directly as hash table keys, may give unexpected
  768. results.
  769. By default, variables of block scope of static storage have consistent
  770. addresses across different translation units, even if defined in
  771. functions that use vague linkage.
  772. @item
  773. Special care is needed if a C++ project uses symbol visibility or
  774. symbol version management (for example, the GCC @samp{visibility}
  775. attribute, the GCC @option{-fvisibility} option, or a linker version
  776. script with the linker option @option{--version-script}). It is
  777. necessary to ensure that the symbol management remains consistent with
  778. how the symbols are used. Some C++ constructs are implemented with
  779. the help of ancillary symbols, which can make complicated to achieve
  780. consistency. For example, an inline function that is always inlined
  781. into its callers has no symbol footprint for the function itself, but
  782. if the function contains a variable of static storage duration, this
  783. variable may result in the creation of one or more global symbols.
  784. For correctness, such symbols must be visible and bound to the same
  785. object in all other places where the inline function may be called.
  786. This requirement is not met if the symbol visibility is set to hidden,
  787. or if symbols are assigned a textually different symbol version
  788. (effectively creating two distinct symbols).
  789. Due to the complex interaction between ELF symbol management and C++
  790. symbol generation, it is recommended to use C++ language features for
  791. symbol management, in particular inline namespaces.
  792. @item
  793. The toolchain and dynamic linker have multiple mechanisms that bypass
  794. the usual symbol binding procedures. This means that the C++ one
  795. definition rule (ODR) still holds even if certain symbol-based isolation
  796. mechanisms are used, and object addresses are not shared across
  797. translation units with incompatible type definitions.
  798. This does not matter if the original (language-independent) advice
  799. regarding symbol interposition is followed. However, as the advice may
  800. be difficult to implement for C++ applications, it is recommended to
  801. avoid ODR violations across the entire process image. Inline namespaces
  802. can be helpful in this context because they can be used to create
  803. distinct ELF symbols while maintaining source code compatibility at the
  804. C++ level.
  805. @item
  806. Be aware that as a special case of interposed symbols, symbols with the
  807. @code{STB_GNU_UNIQUE} binding type do not follow the usual ELF symbol
  808. namespace isolation rules: such symbols bind across @code{RTLD_LOCAL}
  809. boundaries. Furthermore, symbol versioning is ignored for such symbols;
  810. they are bound by symbol name only. All their definitions and uses must
  811. therefore be compatible. Hidden visibility still prevents the creation
  812. of @code{STB_GNU_UNIQUE} symbols and can achieve isolation of
  813. incompatible definitions.
  814. @item
  815. C++ constructor priorities only affect constructor ordering within one
  816. shared object. Global constructor order across shared objects is
  817. consistent with ELF dependency ordering if there are no ELF dependency
  818. cycles.
  819. @item
  820. C++ exception handling and run-time type information (RTTI), as
  821. implemented in the GNU toolchain, is not address-significant, and
  822. therefore is not affected by the symbol binding behaviour of the dynamic
  823. linker. This means that types of the same fully-qualified name (in
  824. non-anonymous namespaces) are always considered the same from an
  825. exception-handling or RTTI perspective. This is true even if the type
  826. information object or vtable has hidden symbol visibility, or the
  827. corresponding symbols are versioned under different symbol versions, or
  828. the symbols are not bound to the same objects due to the use of
  829. @code{RTLD_LOCAL} or @code{dlmopen}.
  830. This can cause issues in applications that contain multiple incompatible
  831. definitions of the same type. Inline namespaces can be used to create
  832. distinct symbols at the ELF layer, avoiding this type of issue.
  833. @item
  834. C++ exception handling across multiple @code{dlmopen} namespaces may
  835. not work, particular with the unwinder in GCC versions before 12.
  836. Current toolchain versions are able to process unwinding tables across
  837. @code{dlmopen} boundaries. However, note that type comparison is
  838. name-based, not address-based (see the previous item), so exception
  839. types may still be matched in unexpected ways. An important special
  840. case of exception handling, invoking destructors for variables of block
  841. scope, is not impacted by this RTTI type-sharing. Likewise, regular
  842. virtual member function dispatch for objects is unaffected (but still
  843. requires that the type definitions match in all directly involved
  844. translation units).
  845. Once more, inline namespaces can be used to create distinct ELF symbols
  846. for different types.
  847. @item
  848. Although the C++ standard requires that destructors for global objects
  849. run in the opposite order of their constructors, the Itanium C++ ABI
  850. requires a different destruction order in some cases. As a result, do
  851. not depend on the precise destructor invocation order in applications
  852. that use @code{dlclose}.
  853. @item
  854. Registering destructors for later invocation allocates memory and may
  855. silently fail if insufficient memory is available. As a result, the
  856. destructor is never invoked. This applies to all forms of destructor
  857. registration, with the exception of thread-local variables (see the next
  858. item). To avoid this issue, ensure that such objects merely have
  859. trivial destructors, avoiding the need for registration, and deallocate
  860. resources using a different mechanism (for example, from an ELF
  861. destructor).
  862. @item
  863. A similar issue exists for @code{thread_local} variables with thread
  864. storage duration of types that have non-trivial destructors. However,
  865. in this case, memory allocation failure during registration leads to
  866. process termination. If process termination is not acceptable, use
  867. @code{thread_local} variables with trivial destructors only.
  868. Functions for per-thread cleanup can be registered using
  869. @code{pthread_key_create} (globally for all threads) and activated
  870. using @code{pthread_setspecific} (on each thread). Note that a
  871. @code{pthread_key_create} call may still fail (and
  872. @code{pthread_create} keys are a limited resource in @theglibc{}), but
  873. this failure can be handled without terminating the process.
  874. @end itemize
  875. @subsection Producing Matching Binaries
  876. This subsection recommends tools and build flags for producing
  877. applications that meet the recommendations of the previous subsection.
  878. @itemize @bullet
  879. @item
  880. Use BFD ld (@command{bfd.ld}) from GNU binutils to produce binaries,
  881. invoked through a compiler driver such as @command{gcc}. The version
  882. should be not too far ahead of what was current when the version of
  883. @theglibc{} was first released.
  884. @item
  885. Do not use a binutils release that is older than the one used to build
  886. @theglibc{} itself.
  887. @item
  888. Compile with @option{-ftls-model=initial-exec} to force the initial-exec
  889. TLS model.
  890. @item
  891. Link with @option{-Wl,-z,now} to disable lazy binding.
  892. @item
  893. Link with @option{-Wl,-z,relro} to enable RELRO (which is the default on
  894. most targets).
  895. @item
  896. Specify all direct shared objects dependencies using @option{-l} options
  897. to avoid underlinking. Rely on @code{.so} files (which can be linker
  898. scripts) and searching with the @option{-l} option. Do not specify the
  899. file names of shared objects on the linker command line.
  900. @item
  901. Consider using @option{-Wl,-z,defs} to treat underlinking as an error
  902. condition.
  903. @item
  904. When creating a shared object (linked with @option{-shared}), use
  905. @option{-Wl,-soname,lib@dots{}} to set a soname that matches the final
  906. installed name of the file.
  907. @item
  908. Do not use the @option{-rpath} linker option. (As explained below, all
  909. required shared objects should be installed into the default search
  910. path.)
  911. @item
  912. Use @option{-Wl,--error-rwx-segments} and @option{-Wl,--error-execstack} to
  913. instruct the link editor to fail the link if the resulting final object
  914. would have read-write-execute segments or an executable stack. Such
  915. issues usually indicate that the input files are not marked up
  916. correctly.
  917. @item
  918. Ensure that for each @code{LOAD} segment in the ELF program header, file
  919. offsets, memory sizes, and load addresses are multiples of the largest
  920. page size supported at run time. Similarly, the start address and size
  921. of the @code{GNU_RELRO} range should be multiples of the page size.
  922. Avoid creating gaps between @code{LOAD} segments. The difference
  923. between the load addresses of two subsequent @code{LOAD} segments should
  924. be the size of the first @code{LOAD} segment. (This may require linking
  925. with @option{-Wl,-z,noseparate-code}.)
  926. This may not be possible to achieve with the currently available link
  927. editors.
  928. @item
  929. If the multiple-of-page-size criterion for the @code{GNU_RELRO} region
  930. cannot be achieved, ensure that the process memory image right before
  931. the start of the region does not contain executable or writable memory.
  932. @c https://sourceware.org/pipermail/libc-alpha/2022-May/138638.html
  933. @end itemize
  934. @subsection Checking Binaries
  935. In some cases, if the previous recommendations are not followed, this
  936. can be determined from the produced binaries. This section contains
  937. suggestions for verifying aspects of these binaries.
  938. @itemize @bullet
  939. @item
  940. To detect underlinking, examine the dynamic symbol table, for example
  941. using @samp{readelf -sDW}. If the symbol is defined in a shared object
  942. that uses symbol versioning, it must carry a symbol version, as in
  943. @samp{pthread_kill@@GLIBC_2.34}.
  944. @item
  945. Examine the dynamic segment with @samp{readelf -dW} to check that all
  946. the required @code{NEEDED} entries are present. (It is not necessary to
  947. list indirect dependencies if these dependencies are guaranteed to
  948. remain during the evolution of the explicitly listed direct
  949. dependencies.)
  950. @item
  951. The @code{NEEDED} entries should not contain full path names including
  952. slashes, only @code{sonames}.
  953. @item
  954. For a further consistency check, collect all shared objects referenced
  955. via @code{NEEDED} entries in dynamic segments, transitively, starting at
  956. the main program. Then determine their dynamic symbol tables (using
  957. @samp{readelf -sDW}, for example). Ideally, every symbol should be
  958. defined at most once, so that symbol interposition does not happen.
  959. If there are interposed data symbols, check if the single interposing
  960. definition is in the main program. In this case, there must be a copy
  961. relocation for it. (This only applies to targets with copy relocations.)
  962. Function symbols should only be interposed in C++ applications, to
  963. implement vague linkage. (See the discussion in the C++ recommendations
  964. above.)
  965. @item
  966. Using the previously collected @code{NEEDED} entries, check that the
  967. dependency graph does not contain any cycles.
  968. @item
  969. The dynamic segment should also mention @code{BIND_NOW} on the
  970. @code{FLAGS} line or @code{NOW} on the @code{FLAGS_1} line (one is
  971. enough).
  972. @item
  973. Ensure that only static TLS relocations (thread-pointer relative offset
  974. locations) are used, for example @code{R_AARCH64_TLS_TPREL} and
  975. @code{X86_64_TPOFF64}. As the second-best option, and only if
  976. compatibility with non-hardened applications using @code{dlopen} is
  977. needed, GNU2 TLS descriptor relocations can be used (for example,
  978. @code{R_AARCH64_TLSDESC} or @code{R_X86_64_TLSDESC}).
  979. @item
  980. There should not be references to the traditional TLS function symbols
  981. @code{__tls_get_addr}, @code{__tls_get_offset},
  982. @code{__tls_get_addr_opt} in the dynamic symbol table (in the
  983. @samp{readelf -sDW} output). Supporting global dynamic TLS relocations
  984. (such as @code{R_AARCH64_TLS_DTPMOD}, @code{R_AARCH64_TLS_DTPREL},
  985. @code{R_X86_64_DTPMOD64}, @code{R_X86_64_DTPOFF64}) should not be used,
  986. either.
  987. @item
  988. Likewise, the functions @code{dlopen}, @code{dlmopen}, @code{dlclose}
  989. should not be referenced from the dynamic symbol table.
  990. @item
  991. For shared objects, there should be a @code{SONAME} entry that matches
  992. the file name (the base name, i.e., the part after the slash). The
  993. @code{SONAME} string must not contain a slash @samp{/}.
  994. @item
  995. For all objects, the dynamic segment (as shown by @samp{readelf -dW})
  996. should not contain @code{RPATH} or @code{RUNPATH} entries.
  997. @item
  998. Likewise, the dynamic segment should not show any @code{AUDIT},
  999. @code{DEPAUDIT}, @code{AUXILIARY}, @code{FILTER}, or
  1000. @code{PREINIT_ARRAY} tags.
  1001. @item
  1002. If the dynamic segment contains a (deprecated) @code{HASH} tag, it
  1003. must also contain a @code{GNU_HASH} tag.
  1004. @item
  1005. The @code{INITFIRST} flag (under @code{FLAGS_1}) should not be used.
  1006. @item
  1007. The program header must not have @code{LOAD} segments that are writable
  1008. and executable at the same time.
  1009. @item
  1010. All produced objects should have a @code{GNU_STACK} program header that
  1011. is not marked as executable. (However, on some newer targets, a
  1012. non-executable stack is the default, so the @code{GNU_STACK} program
  1013. header is not required.)
  1014. @end itemize
  1015. @subsection Run-time Considerations
  1016. In addition to preparing program binaries in a recommended fashion, the
  1017. run-time environment should be set up in such a way that problematic
  1018. dynamic linker features are not used.
  1019. @itemize @bullet
  1020. @item
  1021. Install shared objects using their sonames in a default search path
  1022. directory (usually @file{/usr/lib64}). Do not use symbolic links.
  1023. @c This is currently not standard practice.
  1024. @item
  1025. The default search path must not contain objects with duplicate file
  1026. names or sonames.
  1027. @item
  1028. Do not use environment variables (@code{LD_@dots{}} variables such as
  1029. @code{LD_PRELOAD} or @code{LD_LIBRARY_PATH}, or @code{GLIBC_TUNABLES})
  1030. to change default dynamic linker behavior.
  1031. @item
  1032. Do not install shared objects in non-default locations. (Such locations
  1033. are listed explicitly in the configuration file for @command{ldconfig},
  1034. usually @file{/etc/ld.so.conf}, or in files included from there.)
  1035. @item
  1036. In relation to the previous item, do not install any objects it
  1037. @code{glibc-hwcaps} subdirectories.
  1038. @item
  1039. Do not configure dynamically-loaded NSS service modules, to avoid
  1040. accidental internal use of the @code{dlopen} facility. The @code{files}
  1041. and @code{dns} modules are built in and do not rely on @code{dlopen}.
  1042. @item
  1043. Do not truncate and overwrite files containing programs and shared
  1044. objects in place, while they are used. Instead, write the new version
  1045. to a different path and use @code{rename} to replace the
  1046. already-installed version.
  1047. @item
  1048. Be aware that during a component update procedure that involves multiple
  1049. object files (shared objects and main programs), concurrently starting
  1050. processes may observe an inconsistent combination of object files (some
  1051. already updated, some still at the previous version). For example,
  1052. this can happen during an update of @theglibc{} itself.
  1053. @end itemize
  1054. @c FIXME these are undocumented:
  1055. @c dladdr
  1056. @c dladdr1
  1057. @c dlclose
  1058. @c dlerror
  1059. @c dlmopen
  1060. @c dlopen
  1061. @c dlsym
  1062. @c dlvsym