This is an archive of the discontinued LLVM Phabricator instance.

Differential D43952

[ELF][MIPS] Don't change every dynamic relocation into R_MIPS_REL32
AbandonedPublic

Authored by arichardson on Mar 1 2018, 9:37 AM.

Details

Reviewers
atanasyan
ruiu
espindola
Summary

I was debugging some strange crashes in a dynamically linked CHERI binary
and it turns out that LLD always emits R_MIPS_REL32/R_MIPS_64 dynamic
relocations (even for an undefined symbol). The crash I was getting
happened because the program loaded a global function pointer referencing
an undefined symbol. However, because the wrong relocation was being
emitted RTLD only added the relocbase to the function pointer. Therefore
the program crashed when jumping to the start of the mapped ELF file
since that does not contain valid instructions.

Diff Detail

Event Timeline

arichardson created this revision.Mar 1 2018, 9:37 AM
Herald added subscribers: llvm-commits, sdardis, emaste. · View Herald TranscriptMar 1 2018, 9:37 AM
Harbormaster completed remote builds in B15578: Diff 136552.Mar 1 2018, 9:37 AM
arichardson updated this revision to Diff 136553.Mar 1 2018, 9:40 AM

Added the correct version of the test

Harbormaster completed remote builds in B15579: Diff 136553.Mar 1 2018, 9:41 AM
ruiu added inline comments.Mar 1 2018, 10:01 AM
ELF/Arch/Mips.cpp
191–192

Is this correct? getDynRel is supposed to return a dynamic relocation type for a given static relocation type. Currently it returns a platform-specific relocation type for the dynamic relocation, which seems correct to me.

arichardson added inline comments.Mar 1 2018, 10:12 AM
ELF/Arch/Mips.cpp
191–192

I am not sure if the TLS relocations need any change but for preemptible relocations in the data section we want to emit an absolute relocation that RTLD can fill in and not one that just adds the base address to the addend.

I looked at both FreeBSD rtld and glib rtld and both only add the current objects base address for R_MIPS_REL32/R_MIPS_64/R_MIPS_NONE (Target->RelativeRel) which will break any pointers to undefined symbols in the data section.

ruiu added inline comments.Mar 1 2018, 10:16 AM
ELF/Arch/Mips.cpp
191–192

Sorry I think I didn't understand this function well. I believe this change is correct. You can remove this function entirely because it is a virtual function, and the base class' function does the same thing as this function does.

arichardson added inline comments.Mar 1 2018, 10:20 AM
ELF/Arch/Mips.cpp
191–192

Yes, I will do that if @atanasyan can confirm that there are no MIPS relocations that need to be converted to another one.

atanasyan added inline comments.Mar 1 2018, 12:03 PM
test/ELF/mips-32.s
51

I have not had a time for deep investigation yet, but both bfd and gold linker emit two R_MIPS_REL32 relocations for that test case. It looks like either a bug in GNU tools or problem in this fix.

arichardson planned changes to this revision.Mar 2 2018, 6:55 AM

Turns out we can't emit R_MIPS_64 absolute relocations that don't need the GOT since neither glibc nor FreeBSD handle a R_MIPS_64 dynamic relocations.

I wonder if we should emit a R_MIPS_GLOB_DAT for unresolved symbols since that will always look in the global part of the GOT.

test/ELF/mips-32.s
51

It appears that while this fixes my issue it is not the actually correct fix. Emitting R_MIPS_REL32 is the correct thing because of the MIPS ABI:

R_MIPS_REL32 relocation depends on its r_symndx value. If the relocation r_symndx is less than DT_MIPS_GOTSYM, the value of EA is the symbol st_value plus displacement. Otherwise, the value of EA is the value in the GOT entry corresponding to the relocation entry r_symndx. The correspondence between the GOT and the dynamic symbol table is described in the "Global Offset Table" section in Chapter 5.

For some reason the r_symndx in my case ended up being less than DT_MIPS_GOTSYM even though it was referencing a preemptible symbol. Therefore it would only add the load address instead of the resolved value from the GOT. I will try to reduce my testcase (unfortunately it's libc.so, so it could take a while) to find out why I ended up getting the wrong value.

However, I don't really understand why we need to add a relocation in the GOT just to write an absolute data symbol. I believe emitting a R_MIPS_64 relocation should result in the same runtime value being stored but we don't need the additional GOT slot.

atanasyan added a comment.Mar 9 2018, 5:56 AM
In D43952#1025301, @arichardson wrote:

However, I don't really understand why we need to add a relocation in the GOT just to write an absolute data symbol. I believe emitting a R_MIPS_64 relocation should result in the same runtime value being stored but we don't need the additional GOT slot.

I think it's betters to ask this question on GNU binutils / libc mail lists.

arichardson abandoned this revision.Apr 10 2018, 9:01 AM

This is wrong

Revision Contents

PathSize
ELF/
Arch/
3 lines
test/
ELF/
2 lines
2 lines
14 lines
2 lines

Diff 136552

ELF/Arch/Mips.cpp

Show First 20 LinesShow All 182 Lines▼ Show 20 LinesRelExpr MIPS<ELFT>::getRelExpr(RelType Type, const Symbol &S,
} }
} }
template <class ELFT> bool MIPS<ELFT>::isPicRel(RelType Type) const { template <class ELFT> bool MIPS<ELFT>::isPicRel(RelType Type) const {
return Type == R_MIPS_32 || Type == R_MIPS_64; return Type == R_MIPS_32 || Type == R_MIPS_64;
} }
template <class ELFT> RelType MIPS<ELFT>::getDynRel(RelType Type) const { template <class ELFT> RelType MIPS<ELFT>::getDynRel(RelType Type) const {
return RelativeRel; // TODO: are there any that need to change?
return Type;
ruiuUnsubmitted
Not Done
ReplyInline Actions

Is this correct? getDynRel is supposed to return a dynamic relocation type for a given static relocation type. Currently it returns a platform-specific relocation type for the dynamic relocation, which seems correct to me.

ruiu: Is this correct? getDynRel is supposed to return a dynamic relocation type for a given static…
arichardsonAuthorUnsubmitted
Not Done
ReplyInline Actions

I am not sure if the TLS relocations need any change but for preemptible relocations in the data section we want to emit an absolute relocation that RTLD can fill in and not one that just adds the base address to the addend.

I looked at both FreeBSD rtld and glib rtld and both only add the current objects base address for R_MIPS_REL32/R_MIPS_64/R_MIPS_NONE (Target->RelativeRel) which will break any pointers to undefined symbols in the data section.

arichardson: I am not sure if the TLS relocations need any change but for preemptible relocations in the…
ruiuUnsubmitted
Not Done
ReplyInline Actions

Sorry I think I didn't understand this function well. I believe this change is correct. You can remove this function entirely because it is a virtual function, and the base class' function does the same thing as this function does.

ruiu: Sorry I think I didn't understand this function well. I believe this change is correct. You can…
arichardsonAuthorUnsubmitted
Not Done
ReplyInline Actions

Yes, I will do that if @atanasyan can confirm that there are no MIPS relocations that need to be converted to another one.

arichardson: Yes, I will do that if @atanasyan can confirm that there are no MIPS relocations that need to…
} }
template <class ELFT> template <class ELFT>
void MIPS<ELFT>::writeGotPlt(uint8_t *Buf, const Symbol &) const { void MIPS<ELFT>::writeGotPlt(uint8_t *Buf, const Symbol &) const {
uint64_t VA = InX::Plt->getVA(); uint64_t VA = InX::Plt->getVA();
if (isMicroMips()) if (isMicroMips())
VA |= 1; VA |= 1;
write32<ELFT::TargetEndianness>(Buf, VA); write32<ELFT::TargetEndianness>(Buf, VA);
▲ Show 20 LinesShow All 487 LinesShow Last 20 Lines

test/ELF/mips-32.s

Show First 20 LinesShow All 42 Lines▼ Show 20 Lines
# SYM: SYMBOL TABLE: # SYM: SYMBOL TABLE:
# SYM: 00020000 l .data 00000004 v1 # SYM: 00020000 l .data 00000004 v1
# SYM: 00020004 g .data 00000008 v2 # SYM: 00020004 g .data 00000008 v2
# REL: Relocations [ # REL: Relocations [
# REL-NEXT: Section (7) .rel.dyn { # REL-NEXT: Section (7) .rel.dyn {
# REL-NEXT: 0x20008 R_MIPS_REL32 - 0x0 # REL-NEXT: 0x20008 R_MIPS_REL32 - 0x0
# REL-NEXT: 0x20004 R_MIPS_REL32 v2 0x0 # REL-NEXT: 0x20004 R_MIPS_32 v2 0x0
atanasyanUnsubmitted
Not Done
ReplyInline Actions

I have not had a time for deep investigation yet, but both bfd and gold linker emit two R_MIPS_REL32 relocations for that test case. It looks like either a bug in GNU tools or problem in this fix.

atanasyan: I have not had a time for deep investigation yet, but both bfd and gold linker emit two…
arichardsonAuthorUnsubmitted
Not Done
ReplyInline Actions

It appears that while this fixes my issue it is not the actually correct fix. Emitting R_MIPS_REL32 is the correct thing because of the MIPS ABI:

R_MIPS_REL32 relocation depends on its r_symndx value. If the relocation r_symndx is less than DT_MIPS_GOTSYM, the value of EA is the symbol st_value plus displacement. Otherwise, the value of EA is the value in the GOT entry corresponding to the relocation entry r_symndx. The correspondence between the GOT and the dynamic symbol table is described in the "Global Offset Table" section in Chapter 5.

For some reason the r_symndx in my case ended up being less than DT_MIPS_GOTSYM even though it was referencing a preemptible symbol. Therefore it would only add the load address instead of the resolved value from the GOT. I will try to reduce my testcase (unfortunately it's libc.so, so it could take a while) to find out why I ended up getting the wrong value.

However, I don't really understand why we need to add a relocation in the GOT just to write an absolute data symbol. I believe emitting a R_MIPS_64 relocation should result in the same runtime value being stored but we don't need the additional GOT slot.

arichardson: It appears that while this fixes my issue it is not the actually correct fix. Emitting…
# REL-NEXT: } # REL-NEXT: }
# REL-NEXT: ] # REL-NEXT: ]
# REL: DynamicSection [ # REL: DynamicSection [
# REL: Tag Type Name/Value # REL: Tag Type Name/Value
# REL: 0x00000012 RELSZ 16 (bytes) # REL: 0x00000012 RELSZ 16 (bytes)
# REL: 0x00000013 RELENT 8 (bytes) # REL: 0x00000013 RELENT 8 (bytes)
# REL-NOT: 0x6FFFFFFA RELCOUNT # REL-NOT: 0x6FFFFFFA RELCOUNT
Show All 20 Lines

test/ELF/mips-64.s

Show All 26 Lines
# SYM: SYMBOL TABLE: # SYM: SYMBOL TABLE:
# SYM: 00020000 l .data 00000004 v1 # SYM: 00020000 l .data 00000004 v1
# SYM: 00020008 g .data 00000008 v2 # SYM: 00020008 g .data 00000008 v2
# CHECK: Relocations [ # CHECK: Relocations [
# CHECK-NEXT: Section (7) .rel.dyn { # CHECK-NEXT: Section (7) .rel.dyn {
# CHECK-NEXT: 0x20010 R_MIPS_REL32/R_MIPS_64/R_MIPS_NONE - 0x0 # CHECK-NEXT: 0x20010 R_MIPS_REL32/R_MIPS_64/R_MIPS_NONE - 0x0
# CHECK-NEXT: 0x20008 R_MIPS_REL32/R_MIPS_64/R_MIPS_NONE v2 0x0 # CHECK-NEXT: 0x20008 R_MIPS_64/R_MIPS_NONE/R_MIPS_NONE v2 0x0
# CHECK-NEXT: } # CHECK-NEXT: }
# CHECK-NEXT: ] # CHECK-NEXT: ]
# CHECK: DynamicSection [ # CHECK: DynamicSection [
# CHECK: Tag Type Name/Value # CHECK: Tag Type Name/Value
# CHECK: 0x0000000000000012 RELSZ 32 (bytes) # CHECK: 0x0000000000000012 RELSZ 32 (bytes)
# CHECK: 0x0000000000000013 RELENT 16 (bytes) # CHECK: 0x0000000000000013 RELENT 16 (bytes)
Show All 19 Lines

test/ELF/mips-data-relocation-undef.s

  • This file was added.
# REQUIRES: mips
# RUN: llvm-mc -triple=mips64-unknown-freebsd -filetype=obj %s -o %t.o
# RUN: ld.lld -shared %t.o -o %t.so
# RUN: llvm-readobj -expand-relocs -r -t %t.so
.global foo
.data
.global bar
bar:
.quad foo
.size bar, 8

test/ELF/rel-addend-with-rela-input.s

Show All 26 Lines
# RELA-TO-REL: DataEncoding: BigEndian # RELA-TO-REL: DataEncoding: BigEndian
# RELA-TO-REL: Section { # RELA-TO-REL: Section {
# RELA-TO-REL: Name: .data # RELA-TO-REL: Name: .data
# RELA-TO-REL: SectionData ( # RELA-TO-REL: SectionData (
# RELA-TO-REL-NEXT: 0000: 00000000 00005544 ABCDEF00 12345678 |......UD.....4Vx| # RELA-TO-REL-NEXT: 0000: 00000000 00005544 ABCDEF00 12345678 |......UD.....4Vx|
# ^--- Addend for relocation in .rel.dyn # ^--- Addend for relocation in .rel.dyn
# RELA-TO-REL: Relocations [ # RELA-TO-REL: Relocations [
# RELA-TO-REL-NEXT: Section ({{.+}}) .rel.dyn { # RELA-TO-REL-NEXT: Section ({{.+}}) .rel.dyn {
# RELA-TO-REL-NEXT: 0x10000 R_MIPS_REL32/R_MIPS_64/R_MIPS_NONE foo 0x0 # RELA-TO-REL-NEXT: 0x10000 R_MIPS_64/R_MIPS_NONE/R_MIPS_NONE foo 0x0
# RELA-TO-REL-NEXT: } # RELA-TO-REL-NEXT: }
# RELA-TO-REL-NEXT: ] # RELA-TO-REL-NEXT: ]
.extern foo .extern foo
.data .data
.quad foo + 0x5544 .quad foo + 0x5544
.quad 0xabcdef0012345678 .quad 0xabcdef0012345678