| Age | Commit message (Collapse) | Author |
|---|
|
|
|
To take advantage of file-backed huge pages for the text segments of key
shared libraries (go/android-hugepages), the dynamic linker must load
candidate ELF files at an appropriately aligned address and mark
executable segments with MADV_HUGEPAGE.
This patches uses segments' p_align values to determine when a file is
PMD aligned (2MB alignment), and performs load operations accordingly.
Bug: 158135888
Test: Verified PMD aligned libraries are backed with huge pages on
supporting kernel versions.
Change-Id: Ia2367fd5652f663d50103e18f7695c59dc31c7b9
|
|
Introduces a cc_defaults category hugepage_aligned that passes the
requisite linker flags to produce shared object files with 2MB-aligned
sections. This enables supporting platforms to back the text segments of
these libraries with hugepages.
Bug: 158135888
Test: Built and confirmed ELF layout
Change-Id: I5c8ce35d8f8bf6647ec19d58398740bd494cc89c
|
|
Test: build/bazel/scripts/milestone-2/demo.sh full
Test: bazel query //bionic/...
Change-Id: I737574766be898279d8bf6f3f0adb43dcc40c220
|
|
__scudo_get_error_info()."
|
|
< S."
|
|
This works around buggy applications that read a few bytes past the
end of their allocation, which would otherwise cause a segfault with
the concurrent Scudo change that aligns large allocations to the right.
Because the implementation of
android_set_application_target_sdk_version() lives in the linker,
we need to introduce a hook so that libc is notified when the target
SDK version changes.
Bug: 181344545
Change-Id: Id4be6645b94fad3f64ae48afd16c0154f1de448f
|
|
Otherwise if a 32bit copy of a library used by Toybox
exists on LD_LIBRARY_PATH then file(1) will fail.
Bug: 181666541
Test: Manually copied to device and verified correct behaviour
Change-Id: I7d729927b1b433ec953c266920489613fc096e03
|
|
Added SPDX-license-identifier-Apache-2.0 to:
apex/Android.bp
libdl/Android.bp
tools/Android.bp
tools/versioner/Android.bp
tools/versioner/src/Android.bp
Added SPDX-license-identifier-Apache-2.0 SPDX-license-identifier-BSD to:
benchmarks/Android.bp
benchmarks/linker_relocation/gen/Android.bp
libc/malloc_debug/Android.bp
libc/system_properties/Android.bp
tests/Android.bp
tests/libs/Android.bp
tests/libs/Android.build.dlext_testzip.mk
tests/make_fortify_compile_test.mk
Added SPDX-license-identifier-Apache-2.0 SPDX-license-identifier-BSD
SPDX-license-identifier-ISC SPDX-license-identifier-MIT
legacy_notice legacy_unencumbered
to:
libc/Android.bp
Added SPDX-license-identifier-Apache-2.0 SPDX-license-identifier-BSD
SPDX-license-identifier-MIT legacy_unencumbered
to:
libm/Android.bp
Added SPDX-license-identifier-Apache-2.0 legacy_unencumbered
to:
libc/tools/Android.bp
Added SPDX-license-identifier-BSD
to:
benchmarks/linker_relocation/Android.bp
benchmarks/spawn/Android.bp
libc/async_safe/Android.bp
libc/malloc_hooks/Android.bp
libfdtrack/Android.bp
linker/Android.bp
tests/headers/Android.bp
tests/headers/posix/Android.bp
Bug: 68860345
Bug: 151177513
Bug: 151953481
Test: m all
Exempt-From-Owner-Approval: janitorial work
Change-Id: Ib05bcaa276b3aa71a7654ccbe8e67e1f16aec9f3
|
|
Test: m and bp2build write; bazel build ...
Change-Id: Ic8a4ad6ac81f034ac8b9736d99a322c48598619e
|
|
|
|
|
|
Auto-generate NOTICE files for all the directories, and for each one
individually rather than mixing libc and libm together.
Test: N/A
Change-Id: I7e251194a8805c4ca78fcc5675c3321bcd5abf0a
|
|
This reverts commit 48d43034d7b5a419ba56f052856696d53a7bd979.
Reason for revert: bionic is multiple projects, not just one.
Change-Id: Ib31e1bb8888cc85c6e7736c4e2a1d4652fd23935
|
|
Test: bazel build ...
Change-Id: I15f23804ab1ef44cc0a68b66c408dd88366f8098
|
|
Added SPDX-license-identifier-Apache-2.0 to:
libdl/Android.bp
tools/versioner/src/Android.bp
Added SPDX-license-identifier-Apache-2.0 SPDX-license-identifier-BSD to:
benchmarks/Android.bp
libc/malloc_debug/Android.bp
libc/system_properties/Android.bp
linker/Android.bp
tests/Android.bp
tests/libs/Android.bp
tests/libs/Android.build.dlext_testzip.mk
tests/make_fortify_compile_test.mk
Added SPDX-license-identifier-Apache-2.0 SPDX-license-identifier-BSD
SPDX-license-identifier-ISC SPDX-license-identifier-MIT
legacy_notice legacy_unencumbered
to:
Android.bp
libc/Android.bp
Added SPDX-license-identifier-Apache-2.0 SPDX-license-identifier-BSD
SPDX-license-identifier-ISC SPDX-license-identifier-MIT
legacy_unencumbered
to:
tools/Android.bp
tools/versioner/Android.bp
Added SPDX-license-identifier-Apache-2.0 SPDX-license-identifier-BSD
SPDX-license-identifier-MIT legacy_unencumbered
to:
libm/Android.bp
Added SPDX-license-identifier-Apache-2.0 legacy_unencumbered
to:
libc/tools/Android.bp
Added SPDX-license-identifier-BSD
to:
benchmarks/linker_relocation/Android.bp
benchmarks/spawn/Android.bp
libc/async_safe/Android.bp
libc/malloc_hooks/Android.bp
libfdtrack/Android.bp
tests/headers/Android.bp
tests/headers/posix/Android.bp
Added legacy_notice
to:
apex/Android.bp
benchmarks/linker_relocation/gen/Android.bp
Bug: 68860345
Bug: 151177513
Bug: 151953481
Test: m all
Exempt-From-Owner-Approval: janitorial work
Change-Id: I76cad00578b9b99180ee5dd1e04b4646d5c5fedf
|
|
With this change we can report memory errors involving secondary
allocations. Update the existing crasher tests to also test
UAF/overflow/underflow on allocations with sizes sufficient to trigger
the secondary allocator.
Bug: 135772972
Change-Id: Ic8925c1f18621a8f272e26d5630e5d11d6d34d38
|
|
Test: build/bazel/scripts/bp2build-sync.sh write.
Change-Id: I8e8c3c95aa2c7ff6d7db3d92291f224bdf7cf255
|
|
These lines shouldn't actually matter, because the DSOs are using
version scripts to allow-list exported symbols.
Bug: none
Test: bionic unit tests
Change-Id: I39d3df8c4f8053624f862b3c6994e30c693e928c
|
|
During "step 1" of find_libraries, the linker finds the transitive
closure of dependencies, in BFS order. As it finds each library, it
adds the library to its primary namespace (so that, if some other
library also depends on it, find_loaded_library_by_soname can find the
library in the process of being loaded).
LD_PRELOAD libraries are automatically marked DF_1_GLOBAL, and any
DF_1_GLOBAL library is added to every linker namespace. Previously,
this secondary namespace registration happened after step 1. The result
is that across different namespaces, the order of libraries could vary.
In general, a namespace's primary members will all appear before
secondary members. This is undesirable for libsigchain.so, which we
want to have appear before any other non-preloaded library.
Instead, when an soinfo is added to its primary namespace, immediately
add it to all the other namespaces, too. This ensures that the order of
soinfo objects is the same across namespaces.
Expand the dl.exec_with_ld_config_file_with_ld_preload and
dl.exec_with_ld_config_file tests to cover the new behavior. Mark
lib1.so DF_1_GLOBAL and use a "foo" symbol to mimic the behavior of a
signal API interposed by (e.g.) libsigchain.so and a ASAN preload.
Test: bionic unit tests
Bug: http://b/143219447
Change-Id: I9fd90f6f0d14caf1aca6d414b3e9aab77deca3ff
|
|
|
|
No-one seems to understand that a crash in a random .so from call_array()
in the linker isn't a linker bug. They _seem_ to understand (or at least
claim to) when we explain that this is just the linker calling their ELF
constructors --- despite the fact that the caller of call_array() is
call_constructors().
One experiment we can try though is to inline call_array() to elide that
frame from the crash dumps. I do also wonder whether renaming
call_constructors() to call_elf_constructors() would help/hinder/make no
difference. For now I'm leaning toward "hinder" because I suspect most
people don't understand "ELF constructor" and C++ folks at least will
probably be influenced in a not wholly incorrect direction when they
hear "constructor" (whereas "ELF constructor" might mislead them back in
the direction of "strange linker magic, not my fault" again)...
(The reformatting is clang-format's decision, not mine.)
Test: treehugger
Change-Id: I65ab95ceb2e988fd053c48c66f51afba17ccfa61
|
|
For libc.so, use a special build of libunwind.a whose symbols aren't
hidden ("libunwind-exported"), because libc.so exports the _Unwind_*
APIs.
Bug: http://b/153025717
Test: bionic unit tests
Change-Id: I7435e076ec8cc4410e3e6086d3cf5d2c6011c80c
|
|
Setting the linker's soname ("ld-android.so") can allocate heap memory
now that the name uses an std::string, and it's probably a good idea to
defer doing this until after the linker has relocated itself (and after
it has called C++ constructors for global variables.)
Bug: none
Test: bionic unit tests
Test: verify that dlopen("ld-android.so", RTLD_NOLOAD) works
Change-Id: I6b9bd7552c3ae9b77e3ee9e2a98b069b8eef25ca
|
|
Once upon a time (and, indeed, to this very day if you're on LP32) the
soinfo struct used a fixed-length buffer for the soname. This caused
some issues, mainly with app developers who accidentally included a full
Windows "C:\My Computer\...\libfoo.so" style path. To avoid all this we
switched to just pointing into the ELF file itself, where the DT_SONAME
is already stored as a NUL-terminated string. And all was well for many
years.
Now though, we've seen a bunch of slow startup traces from dogfood where
`dlopen("libnativebridge.so")` in a cold start takes 125-200ms on a recent
device, despite no IO contention. Even though libnativebridge.so is only
20KiB.
Measurement showed that every library whose soname we check required
pulling in a whole page just for the (usually) very short string. Worse,
there's readahead. In one trace we saw 18 pages of libhwui.so pulled
in just for `"libhwui.so\0"`. In fact, there were 3306 pages (~13MiB)
added to the page cache during `dlopen("libnativebridge.so")`. 13MiB for
a 20KiB shared library!
This is the obvious change to use a std::string to copy the sonames
instead. This will dirty slightly more memory, but massively improve
locality.
Testing with the same pathological setup took `dlopen("libnativebridge.so")`
down from 192ms to 819us.
Bug: http://b/177102905
Test: tested with a pathologically modified kernel
Change-Id: I33837f4706adc25f93c6fa6013e8ba970911dfb9
|
|
Use a note in executables to specify
(none|sync|async) heap tagging level. To be extended with (heap x stack x
globals) in the future. A missing note disables all tagging.
Bug: b/135772972
Test: bionic-unit-tests (in a future change)
Change-Id: Iab145a922c7abe24cdce17323f9e0c1063cc1321
|
|
linker-reloc-bench shows 1.2% improvement on flame.
PGO No PGO
BM_linker_relocation/
real_time_mean 52215 us 52916 us
Test: linker-reloc-bench --benchmark_repetitions=25
Bug: 175205560
Change-Id: I6abbbd51912f86fcf8112c024d1cf2519056bea7
|
|
Bug: http://b/172640358
Test: treehugger
Change-Id: I9d6b7c1e200d2effb737508d3c282063edefa888
|
|
|
|
Test: pass
Bug: 156098440
Change-Id: I8fe2deb8fa3b24c227202be02d8af648629cffeb
|
|
Previous CL aosp/1432874 missed one project to exclude.
Test: make
Change-Id: Ib39e6a86c410e35141cba17948a0f30e197ea9a3
|
|
There are multiple build breakages with bionic when we enable ThinLTO
globally. Opt bionic out of ThinLTO for now.
#global-thinlto-opt-out
Test: TreeHugger
Bug: 169004486
Change-Id: I546a8074f9c3e0ddbd01d3b7cd730e215e3c0c49
|
|
This patch adds support to load BTI-enabled objects.
According to the ABI, BTI is recorded in the .note.gnu.property section.
The new parser evaluates the property section, if exists.
It searches for .note section with NT_GNU_PROPERTY_TYPE_0.
Once found it tries to find GNU_PROPERTY_AARCH64_FEATURE_1_AND.
The results are cached.
The main change in linker is when protection of loaded ranges gets
applied. When BTI is requested and the platform also supports it
the prot flags have to be amended with PROT_BTI for executable ranges.
Failing to add PROT_BTI flag would disable BTI protection.
Moreover, adding the new PROT flag for shared objects without BTI
compatibility would break applications.
Kernel does not add PROT_BTI to a loaded ELF which has interpreter.
Linker handles this case too.
Test: 1. Flame boots
2. Tested on FVP with BTI enabled
Change-Id: Iafdf223b74c6e75d9f17ca90500e6fe42c4c1218
|
|
As we enable arm64-based Bionic host target (linux_bionic_arm64),
linker_wrapper is added with the corresponding source.
Bug: 159685774
Test: HOST_CROSS_OS=linux_bionic HOST_CROSS_ARCH=arm64 m
Test: copy out/soong/host/linux_bionic_arm64/ to an ARM64 emulator
running Linux and execute the binaries
Change-Id: I4f367a349f7e0015318352cb7f2870fc856eab05
|
|
(Based on proposal at https://sourceware.org/glibc/wiki/ThreadPropertiesAPI)
This includes API to:
- locate static and dynamic TLS
- register thread-exit and dynamic TLS creation/destruction callbacks
Change-Id: Icd9d29a5b2f47495395645e19d3b2c96826f19c8
|
|
Update a comment in android-changes-for-ndk-developers.md about the
removed debug.ld.greylist_disabled system property.
Update language to comply with Android's inclusive language guidance
#inclusivefixit
See https://source.android.com/setup/contribute/respectful-code for reference
Bug: http://b/162536543
Test: bionic-unit-tests
Change-Id: I760ee14bce14d9d799926c43d2c14fd8ffbc6968
|
|
|
|
1. Cleanup for #inclusivefixit. (whitelisted -> allowed_libs)
2. Support the old term for backwards compatibility. (Also update test.)
3. Fix the formatting errors found by clang-format.
See https://source.android.com/setup/contribute/respectful-code
for reference.
Bug: 161896447
Test: atest linker-unit-tests linker-benchmarks
Change-Id: I19dbed27a6d874ac0049cb7b67d2cb0f75369c1b
|
|
This property provided a way to disable the greylist, for testing
whether an app targeting < 24 still works. Instead of turning off the
greylist, though, an app developer should simply target a newer API.
(If app developers really need this property for testing, they can
still use it on versions of Android between N and R, inclusive.)
Update language to comply with Android's inclusive language guidance
See https://source.android.com/setup/contribute/respectful-code for reference
#inclusivefixit
Bug: http://b/162536543
Test: bionic-unit-tests
Change-Id: Id1eb2807fbb7436dc9ed7fe47e15b7d165a26789
|
|
Test: treehugger
Change-Id: I7ff0496c5c2792a41781e74634247f55b0548213
|
|
Add inaccessible gaps between shared libraries to make it harder for the
attackers to defeat ASLR by random probing.
To avoid excessive page table bloat, only do this when a library is
about to cross a huge page boundary, effectively allowing several
smaller libraries to be lumped together.
Bug: 158113540
Test: look at /proc/$$/maps
Change-Id: I39c0100b81f72447e8b3c6faafa561111492bf8c
|
|
|
|
This reverts commit a8cf3fef2aa2201014c35c3487da222ccfedfc1c.
Reason for revert: memory regression due to the fragmentation of the page tables
Bug: 159810641
Bug: 158113540
Change-Id: I6212c623ff440c7f6889f0a1e82cf7a96200a411
|
|
There are some special cases - such as init process - when linker
configuration is not expected to exist. This change disables warning
message that generated linker configuration does not exist in those
cases.
Bug: 158800902
Test: Tested from cuttlefish that warning message is not generated from
init
Change-Id: Ie2fbb5210175cf1e6f2b7e638f57c3b74d395368
|
|
Improve ASLR by increasing the randomly sized gaps between shared
library mappings, and keep them mapped PROT_NONE.
Bug: 158113540
Test: look at /proc/$$/maps
Change-Id: Ie72c84047fb624fe2ac8b7744b2a2d0d255ea974
|
|
This replaces a single 2Gb readable memory region with a bunch of tiny
regions, and leaves the bulk of 2Gb mapped but unaccessible. This makes
it harder to defeat ASLR by probing for the CFI shadow region.
Sample CFI shadow mapping with this change:
7165151000-716541f000 ---p 00000000 00:00 0 [anon:cfi shadow]
716541f000-7165420000 r--p 00000000 00:00 0 [anon:cfi shadow]
7165420000-71654db000 ---p 00000000 00:00 0 [anon:cfi shadow]
71654db000-71654dc000 r--p 00000000 00:00 0 [anon:cfi shadow]
71654dc000-71654dd000 r--p 00000000 00:00 0 [anon:cfi shadow]
71654dd000-71654f0000 ---p 00000000 00:00 0 [anon:cfi shadow]
71654f0000-71654f1000 r--p 00000000 00:00 0 [anon:cfi shadow]
71654f1000-71e5151000 ---p 00000000 00:00 0 [anon:cfi shadow]
This change degrades CFI diagnostics for wild jumps and casts (i.e. when
the target of a CFI check is outside of any known library bounds). This
is acceptable, because CFI does not have much to tell about those cases
anyway. Such bugs will show up as SEGV_ACCERR crashes inside
__cfi_slowpath in libdl.so from now on.
Bug: 158113540
Test: bionic-unit-tests/cfi_test.*
Test: adb shell cat /proc/$PID/maps | grep cfi
Change-Id: I57cbd0d3f87eb1610ad99b48d98ffd497ba214b4
Merged-In: I57cbd0d3f87eb1610ad99b48d98ffd497ba214b4
|
|
In particular, add the strerror() output if mprotect() fails.
Fix the CHECK macro so that you can make assertions involving operator%
without that being confused for a printf format specifier.
Bug: https://issuetracker.google.com/158645318
Test: treehugger
Change-Id: I6817f8ca5f094c52dc2c9067bfac90385a8743f5
|
|
.whitelisted is a list of sonames seperated by ":" just like
.shared_libs and .paths properties. It makes sense to make it appendable
using += as well ass .shared_libs and .paths.
Bug: n/a
Test: atest linker-unit-tests
Change-Id: If61cc553c8080e8a58de8a3a6051c1853f7bfe5f
|
|
This is more efficient and easier to read.
Test: bionic-unit-tests --gtest_filter=*icu*
Change-Id: Iddeed7cd4a1d48d8968f97951a9af004ccce52e8
|
|
Bug: http://b/156397945
Test: dlfcn.dlopen_system_libicuuc_android_api_level_28 with native_bridge
Change-Id: I3ecd929a0c31dda8cd424795f21f6ef472776557
|
