Post linker, delayed relocations, v1: Allows for transitive shared library resolution from patch objects

Author: elfmaster

Makefile

@@ -1,10 +1,10 @@
 BUILD_DIR = './build'
 INTERP_PATH = $(PWD)/build/shiva
 PATCH_PATH = "modules/aarch64_patches"
-GCC_OPTS= -fPIC -ggdb -c
+GCC_OPTS= -fPIC -ggdb -c 
 OBJ_LIST=shiva.o shiva_util.o shiva_signal.o shiva_ulexec.o shiva_auxv.o	\
     shiva_module.o shiva_trace.o shiva_trace_thread.o shiva_error.o shiva_maps.o shiva_analyze.o \
-    shiva_callsite.o shiva_target.o shiva_xref.o shiva_transform.o
+    shiva_callsite.o shiva_target.o shiva_xref.o shiva_transform.o shiva_so.o shiva_post_linker.o
 STATIC_LIBS=/opt/elfmaster/lib/libelfmaster.a libcapstone.a
 CC=gcc
 MUSL=musl-gcc
@@ -27,6 +27,8 @@ interp:
 	$(CC) $(GCC_OPTS) shiva_target.c -o	shiva_target.o
 	$(CC) $(GCC_OPTS) shiva_xref.c -o		shiva_xref.o
 	$(CC) $(GCC_OPTS) shiva_transform.c -o	shiva_transform.o
+	$(CC) $(GCC_OPTS) shiva_so.c -o		shiva_so.o
+	$(CC) $(GCC_OPTS) -fno-stack-protector shiva_post_linker.c -o shiva_post_linker.o
 	$(MUSL) -static -Wl,-undefined=system -Wl,-undefined=prctl -Wl,-undefined=pause -Wl,-undefined=puts -Wl,-undefined=putchar $(OBJ_LIST) $(STATIC_LIBS) -o $(BUILD_DIR)/shiva
 
 shiva-ld:

PERFORMANCE.txt

@@ -0,0 +1,13 @@
+# A document to describe thoughts on performance enhancements
+
+1. Currently Shiva has to analyze every instruction within the .text
+to determine where it needs to relocate/relink external instructions
+from the target into the patch code, etc. This is the most time consuming
+part of Shiva, and can be fixed by implementing this analysis into shiva-ld
+the prelinker, and let it generate a new ELF section containing all of the
+necessary meta-data for external relinking.
+
+2. We create a PLT entry in the module for every call. If there are 3 separate
+calls to a function, then 3 separate PLT entries are created. This creates
+a performance hit on runtime linking, and in the runtime post linker too.
+

shiva.c

@@ -157,6 +157,21 @@ shiva_interp_mode(struct shiva_ctx *ctx)
 		}
 	}
 
+	/*
+         * Get the entry point of the target executable. Stored in AT_ENTRY
+         * of the auxiliary vector.
+         */
+        if (shiva_auxv_iterator_init(ctx, &auxv_iter, NULL) == false) {
+                fprintf(stderr, "shiva_auxv_iterator_init failed\n");
+                return false;
+        }
+        while (shiva_auxv_iterator_next(&auxv_iter, &auxv_entry) == SHIVA_ITER_OK) {
+                if (auxv_entry.type == AT_ENTRY) {
+                        ctx->ulexec.entry_point = auxv_entry.value;
+                        shiva_debug("[1] Entry point: %#lx\n", entry_point);
+                        break;
+                }
+        }
 	if (shiva_module_loader(ctx, ctx->module_path,
 	    &ctx->module.runtime, SHIVA_MODULE_F_RUNTIME) == false) {
 		fprintf(stderr, "shiva_module_loader failed\n");
@@ -194,7 +209,7 @@ shiva_interp_mode(struct shiva_ctx *ctx)
 	while (shiva_auxv_iterator_next(&auxv_iter, &auxv_entry) == SHIVA_ITER_OK) {
 		if (auxv_entry.type == AT_ENTRY) {
 			entry_point = auxv_entry.value;
-			shiva_debug("Entry point: %#lx\n", entry_point);
+			shiva_debug("[2] Entry point: %#lx\n", entry_point);
 			break;
 		}
 	}

shiva.h

@@ -65,6 +65,7 @@
 #define SHIVA_MODULE_F_INIT	(1UL << 1) /* deprecated, meaningless */
 #define SHIVA_MODULE_F_DUMMY_TEXT	(1UL << 2) /* Module has empty text region */
 #define SHIVA_MODULE_F_TRANSFORM	(1UL << 3) /* Module has transform records */
+#define SHIVA_MODULE_F_DELAYED_RELOCS	(1UL << 4) /* Module has delayed relocs to process */
 
 #define SHIVA_DT_NEEDED	(DT_LOOS + 10)
 #define SHIVA_DT_SEARCH (DT_LOOS + 11)
@@ -99,6 +100,19 @@
 						"mov x0, #0	\n"	\
 						"ret		" \
 						:: "r" (stack), "r" (addr));
+
+#define SHIVA_ULEXEC_TARGET_TRANSFER2(entry) __asm__ __volatile__ ("mov x9, %0\n" \
+								   "br x9"	\
+								   :: "r"(entry));
+
+#define SHIVA_ULEXEC_TARGET_TRANSFER(entry) __asm__ __volatile__("mov x30, %0	\n"	\
+								 "ret		" \
+	 						 	:: "r"(entry));
+#define SHIVA_ULEXEC_TARGET_TRANSFER3(entry, arg0) __asm__ __volatile__ ("mov x0, %0\n"	\
+								   "mov x9, %1\n" \
+                                                                   "blr x9"      \
+                                                                   :: "r"(arg0), "r"(entry));
+
 #endif
 
 /*
@@ -338,6 +352,22 @@ typedef struct shiva_transform {
 	TAILQ_ENTRY(shiva_transform) _linkage;
 } shiva_transform_t;
 
+/*
+ * Delayed relocatoin entries are not handled until
+ * after ld-linux.so is completely done and passes
+ * control back to Shiva AT_ENTRY, if needed.
+ */
+struct shiva_module_delayed_reloc {
+	uint8_t *rel_unit;
+	uint64_t rel_addr;
+	uint64_t symval;	   /* The symbols value */
+	struct elf_relocation rel; /* Original relocation: (May be updated/modified by Transforms though) */
+	uint64_t flags;
+	char *symname;
+	char so_path[PATH_MAX];
+	TAILQ_ENTRY(shiva_module_delayed_reloc) _linkage;
+} shiva_module_delayed_reloc_t;
+
 struct shiva_module {
 	int fd;
 	uint64_t flags;
@@ -369,12 +399,14 @@ struct shiva_module {
 		TAILQ_HEAD(, shiva_module_section_mapping) section_maplist;
 		TAILQ_HEAD(, shiva_module_plt_entry) plt_list;
 		TAILQ_HEAD(, shiva_transform) transform_list;
+		TAILQ_HEAD(, shiva_module_delayed_reloc) delayed_reloc_list;
 	} tailq;
 	struct {
 		struct hsearch_data bss;
 		struct hsearch_data got;
 	} cache;
 	shiva_linking_mode_t mode;
+	struct shiva_ctx *ctx; /* this is a pointer back to the main context */
 };
 
 typedef struct shiva_trace_regset_x86_64 {
@@ -535,6 +567,9 @@ bool shiva_maps_validate_addr(shiva_ctx_t *, uint64_t);
 void shiva_maps_iterator_init(shiva_ctx_t *, shiva_maps_iterator_t *);
 shiva_iterator_res_t shiva_maps_iterator_next(shiva_maps_iterator_t *, struct shiva_mmap_entry *);
 bool shiva_maps_get_base(shiva_ctx_t *, uint64_t *);
+bool shiva_maps_get_so_base(struct shiva_ctx *, char *,
+    uint64_t *);
+
 /*
  * shiva_callsite.c
  */
@@ -772,4 +807,15 @@ shiva_iterator_res_t shiva_xref_iterator_next(struct shiva_xref_iterator *, stru
  */
 bool shiva_tf_process_transforms(struct shiva_module *, uint8_t *,
     struct elf_section section, uint64_t *segment_offset);
+
+/*
+ * shiva_so.c
+ */
+bool shiva_so_resolve_symbol(struct shiva_module *, char *, struct elf_symbol *,
+    char **);
+
+/*
+ * shiva_post_linker.c
+ */
+void shiva_post_linker(void);
 #endif

shiva_maps.c

@@ -27,6 +27,33 @@ shiva_maps_get_base(struct shiva_ctx *ctx, uint64_t *out)
 	return false;
 }
 
+bool
+shiva_maps_get_so_base(struct shiva_ctx *ctx, char *so_path,
+    uint64_t *out)
+{
+	FILE *fp;
+	char buf[PATH_MAX];
+	char *p;
+
+	fp = fopen("/proc/self/maps", "r");
+	if (fp == NULL) {
+		perror("fopen");
+		return false;
+	}
+	while (fgets(buf, sizeof(buf), fp) != NULL) {
+		if (strstr(buf, so_path) == NULL)
+			continue;
+		if (strstr(buf, "r-xp") == NULL)
+			continue;
+		p = strchr(buf, '-');
+		*p = '\0';
+		*out = strtoul(buf, NULL, 16);
+		fclose(fp);
+		return true;
+	}
+	fclose(fp);
+	return false;
+}
 /*
  * Checking if 'addr' is a valid address mapping.
  * It's valid if it exists in /proc/pid/maps, as long as it
@@ -95,10 +122,10 @@ shiva_maps_build_list(struct shiva_ctx *ctx)
 				if (strstr(buf, "r----") != NULL) {
 					if (ctx->shiva_path == NULL) {
 						p = strchr(tmp, '/');
-                                		ctx->shiva_path = shiva_malloc(PATH_MAX + 1);
-                                		for (i = 0; *p != '\n' && *p != '\0'; p++, i++)
-                                        		ctx->shiva_path[i] = *p;
-                                		ctx->shiva_path[i] = '\0';
+						ctx->shiva_path = shiva_malloc(PATH_MAX + 1);
+						for (i = 0; *p != '\n' && *p != '\0'; p++, i++)
+							ctx->shiva_path[i] = *p;
+						ctx->shiva_path[i] = '\0';
 					}
 				}
 				entry->mmap_type = SHIVA_MMAP_TYPE_SHIVA;