1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2019, Linaro Limited 4 */ 5 6 #include <assert.h> 7 #include <ctype.h> 8 #include <elf32.h> 9 #include <elf64.h> 10 #include <elf_common.h> 11 #include <ldelf.h> 12 #include <link.h> 13 #include <pta_system.h> 14 #include <stdio.h> 15 #include <stdlib.h> 16 #include <string_ext.h> 17 #include <string.h> 18 #include <tee_api_types.h> 19 #include <tee_internal_api_extensions.h> 20 #include <unw/unwind.h> 21 #include <user_ta_header.h> 22 #include <utee_syscalls.h> 23 #include <util.h> 24 25 #include "sys.h" 26 #include "ta_elf.h" 27 28 /* 29 * Layout of a 32-bit struct dl_phdr_info for a 64-bit ldelf to access a 32-bit 30 * TA 31 */ 32 struct dl_phdr_info32 { 33 uint32_t dlpi_addr; 34 uint32_t dlpi_name; 35 uint32_t dlpi_phdr; 36 uint16_t dlpi_phnum; 37 uint64_t dlpi_adds; 38 uint64_t dlpi_subs; 39 uint32_t dlpi_tls_modid; 40 uint32_t dlpi_tls_data; 41 }; 42 43 static vaddr_t ta_stack; 44 static vaddr_t ta_stack_size; 45 46 struct ta_elf_queue main_elf_queue = TAILQ_HEAD_INITIALIZER(main_elf_queue); 47 48 /* 49 * Main application is always ID 1, shared libraries with TLS take IDs 2 and 50 * above 51 */ 52 static void assign_tls_mod_id(struct ta_elf *elf) 53 { 54 static size_t last_tls_mod_id = 1; 55 56 if (elf->is_main) 57 assert(last_tls_mod_id == 1); /* Main always comes first */ 58 elf->tls_mod_id = last_tls_mod_id++; 59 } 60 61 static struct ta_elf *queue_elf_helper(const TEE_UUID *uuid) 62 { 63 struct ta_elf *elf = calloc(1, sizeof(*elf)); 64 65 if (!elf) 66 return NULL; 67 68 TAILQ_INIT(&elf->segs); 69 70 elf->uuid = *uuid; 71 TAILQ_INSERT_TAIL(&main_elf_queue, elf, link); 72 return elf; 73 } 74 75 static struct ta_elf *queue_elf(const TEE_UUID *uuid) 76 { 77 struct ta_elf *elf = ta_elf_find_elf(uuid); 78 79 if (elf) 80 return NULL; 81 82 elf = queue_elf_helper(uuid); 83 if (!elf) 84 err(TEE_ERROR_OUT_OF_MEMORY, "queue_elf_helper"); 85 86 return elf; 87 } 88 89 struct ta_elf *ta_elf_find_elf(const TEE_UUID *uuid) 90 { 91 struct ta_elf *elf = NULL; 92 93 TAILQ_FOREACH(elf, &main_elf_queue, link) 94 if (!memcmp(uuid, &elf->uuid, sizeof(*uuid))) 95 return elf; 96 97 return NULL; 98 } 99 100 static TEE_Result e32_parse_ehdr(struct ta_elf *elf, Elf32_Ehdr *ehdr) 101 { 102 if (ehdr->e_ident[EI_VERSION] != EV_CURRENT || 103 ehdr->e_ident[EI_CLASS] != ELFCLASS32 || 104 ehdr->e_ident[EI_DATA] != ELFDATA2LSB || 105 ehdr->e_ident[EI_OSABI] != ELFOSABI_NONE || 106 ehdr->e_type != ET_DYN || ehdr->e_machine != EM_ARM || 107 (ehdr->e_flags & EF_ARM_ABIMASK) != EF_ARM_ABI_VERSION || 108 #ifndef CFG_WITH_VFP 109 (ehdr->e_flags & EF_ARM_ABI_FLOAT_HARD) || 110 #endif 111 ehdr->e_phentsize != sizeof(Elf32_Phdr) || 112 ehdr->e_shentsize != sizeof(Elf32_Shdr)) 113 return TEE_ERROR_BAD_FORMAT; 114 115 elf->is_32bit = true; 116 elf->e_entry = ehdr->e_entry; 117 elf->e_phoff = ehdr->e_phoff; 118 elf->e_shoff = ehdr->e_shoff; 119 elf->e_phnum = ehdr->e_phnum; 120 elf->e_shnum = ehdr->e_shnum; 121 elf->e_phentsize = ehdr->e_phentsize; 122 elf->e_shentsize = ehdr->e_shentsize; 123 124 return TEE_SUCCESS; 125 } 126 127 #ifdef ARM64 128 static TEE_Result e64_parse_ehdr(struct ta_elf *elf, Elf64_Ehdr *ehdr) 129 { 130 if (ehdr->e_ident[EI_VERSION] != EV_CURRENT || 131 ehdr->e_ident[EI_CLASS] != ELFCLASS64 || 132 ehdr->e_ident[EI_DATA] != ELFDATA2LSB || 133 ehdr->e_ident[EI_OSABI] != ELFOSABI_NONE || 134 ehdr->e_type != ET_DYN || ehdr->e_machine != EM_AARCH64 || 135 ehdr->e_flags || ehdr->e_phentsize != sizeof(Elf64_Phdr) || 136 ehdr->e_shentsize != sizeof(Elf64_Shdr)) 137 return TEE_ERROR_BAD_FORMAT; 138 139 140 elf->is_32bit = false; 141 elf->e_entry = ehdr->e_entry; 142 elf->e_phoff = ehdr->e_phoff; 143 elf->e_shoff = ehdr->e_shoff; 144 elf->e_phnum = ehdr->e_phnum; 145 elf->e_shnum = ehdr->e_shnum; 146 elf->e_phentsize = ehdr->e_phentsize; 147 elf->e_shentsize = ehdr->e_shentsize; 148 149 return TEE_SUCCESS; 150 } 151 #else /*ARM64*/ 152 static TEE_Result e64_parse_ehdr(struct ta_elf *elf __unused, 153 Elf64_Ehdr *ehdr __unused) 154 { 155 return TEE_ERROR_NOT_SUPPORTED; 156 } 157 #endif /*ARM64*/ 158 159 static void check_phdr_in_range(struct ta_elf *elf, unsigned int type, 160 vaddr_t addr, size_t memsz) 161 { 162 vaddr_t max_addr = 0; 163 164 if (ADD_OVERFLOW(addr, memsz, &max_addr)) 165 err(TEE_ERROR_BAD_FORMAT, "Program header %#x overflow", type); 166 167 /* 168 * elf->load_addr and elf->max_addr are both using the 169 * final virtual addresses, while this program header is 170 * relative to 0. 171 */ 172 if (max_addr > elf->max_addr - elf->load_addr) 173 err(TEE_ERROR_BAD_FORMAT, "Program header %#x out of bounds", 174 type); 175 } 176 177 static void read_dyn(struct ta_elf *elf, vaddr_t addr, 178 size_t idx, unsigned int *tag, size_t *val) 179 { 180 if (elf->is_32bit) { 181 Elf32_Dyn *dyn = (Elf32_Dyn *)(addr + elf->load_addr); 182 183 *tag = dyn[idx].d_tag; 184 *val = dyn[idx].d_un.d_val; 185 } else { 186 Elf64_Dyn *dyn = (Elf64_Dyn *)(addr + elf->load_addr); 187 188 *tag = dyn[idx].d_tag; 189 *val = dyn[idx].d_un.d_val; 190 } 191 } 192 193 static void save_hashtab_from_segment(struct ta_elf *elf, unsigned int type, 194 vaddr_t addr, size_t memsz) 195 { 196 size_t dyn_entsize = 0; 197 size_t num_dyns = 0; 198 size_t n = 0; 199 unsigned int tag = 0; 200 size_t val = 0; 201 202 if (type != PT_DYNAMIC) 203 return; 204 205 check_phdr_in_range(elf, type, addr, memsz); 206 207 if (elf->is_32bit) 208 dyn_entsize = sizeof(Elf32_Dyn); 209 else 210 dyn_entsize = sizeof(Elf64_Dyn); 211 212 assert(!(memsz % dyn_entsize)); 213 num_dyns = memsz / dyn_entsize; 214 215 for (n = 0; n < num_dyns; n++) { 216 read_dyn(elf, addr, n, &tag, &val); 217 if (tag == DT_HASH) { 218 elf->hashtab = (void *)(val + elf->load_addr); 219 break; 220 } 221 } 222 } 223 224 static void check_range(struct ta_elf *elf, const char *name, const void *ptr, 225 size_t sz) 226 { 227 size_t max_addr = 0; 228 229 if ((vaddr_t)ptr < elf->load_addr) 230 err(TEE_ERROR_BAD_FORMAT, "%s %p out of range", name, ptr); 231 232 if (ADD_OVERFLOW((vaddr_t)ptr, sz, &max_addr)) 233 err(TEE_ERROR_BAD_FORMAT, "%s range overflow", name); 234 235 if (max_addr > elf->max_addr) 236 err(TEE_ERROR_BAD_FORMAT, 237 "%s %p..%#zx out of range", name, ptr, max_addr); 238 } 239 240 static void check_hashtab(struct ta_elf *elf, void *ptr, size_t num_buckets, 241 size_t num_chains) 242 { 243 /* 244 * Starting from 2 as the first two words are mandatory and hold 245 * num_buckets and num_chains. So this function is called twice, 246 * first to see that there's indeed room for num_buckets and 247 * num_chains and then to see that all of it fits. 248 * See http://www.sco.com/developers/gabi/latest/ch5.dynamic.html#hash 249 */ 250 size_t num_words = 2; 251 size_t sz = 0; 252 253 if (!ALIGNMENT_IS_OK(ptr, uint32_t)) 254 err(TEE_ERROR_BAD_FORMAT, "Bad alignment of DT_HASH %p", ptr); 255 256 if (ADD_OVERFLOW(num_words, num_buckets, &num_words) || 257 ADD_OVERFLOW(num_words, num_chains, &num_words) || 258 MUL_OVERFLOW(num_words, sizeof(uint32_t), &sz)) 259 err(TEE_ERROR_BAD_FORMAT, "DT_HASH overflow"); 260 261 check_range(elf, "DT_HASH", ptr, sz); 262 } 263 264 static void save_hashtab(struct ta_elf *elf) 265 { 266 uint32_t *hashtab = NULL; 267 size_t n = 0; 268 269 if (elf->is_32bit) { 270 Elf32_Phdr *phdr = elf->phdr; 271 272 for (n = 0; n < elf->e_phnum; n++) 273 save_hashtab_from_segment(elf, phdr[n].p_type, 274 phdr[n].p_vaddr, 275 phdr[n].p_memsz); 276 } else { 277 Elf64_Phdr *phdr = elf->phdr; 278 279 for (n = 0; n < elf->e_phnum; n++) 280 save_hashtab_from_segment(elf, phdr[n].p_type, 281 phdr[n].p_vaddr, 282 phdr[n].p_memsz); 283 } 284 285 check_hashtab(elf, elf->hashtab, 0, 0); 286 hashtab = elf->hashtab; 287 check_hashtab(elf, elf->hashtab, hashtab[0], hashtab[1]); 288 } 289 290 static void save_soname_from_segment(struct ta_elf *elf, unsigned int type, 291 vaddr_t addr, size_t memsz) 292 { 293 size_t dyn_entsize = 0; 294 size_t num_dyns = 0; 295 size_t n = 0; 296 unsigned int tag = 0; 297 size_t val = 0; 298 char *str_tab = NULL; 299 300 if (type != PT_DYNAMIC) 301 return; 302 303 if (elf->is_32bit) 304 dyn_entsize = sizeof(Elf32_Dyn); 305 else 306 dyn_entsize = sizeof(Elf64_Dyn); 307 308 assert(!(memsz % dyn_entsize)); 309 num_dyns = memsz / dyn_entsize; 310 311 for (n = 0; n < num_dyns; n++) { 312 read_dyn(elf, addr, n, &tag, &val); 313 if (tag == DT_STRTAB) { 314 str_tab = (char *)(val + elf->load_addr); 315 break; 316 } 317 } 318 for (n = 0; n < num_dyns; n++) { 319 read_dyn(elf, addr, n, &tag, &val); 320 if (tag == DT_SONAME) { 321 elf->soname = str_tab + val; 322 break; 323 } 324 } 325 } 326 327 static void save_soname(struct ta_elf *elf) 328 { 329 size_t n = 0; 330 331 if (elf->is_32bit) { 332 Elf32_Phdr *phdr = elf->phdr; 333 334 for (n = 0; n < elf->e_phnum; n++) 335 save_soname_from_segment(elf, phdr[n].p_type, 336 phdr[n].p_vaddr, 337 phdr[n].p_memsz); 338 } else { 339 Elf64_Phdr *phdr = elf->phdr; 340 341 for (n = 0; n < elf->e_phnum; n++) 342 save_soname_from_segment(elf, phdr[n].p_type, 343 phdr[n].p_vaddr, 344 phdr[n].p_memsz); 345 } 346 } 347 348 static void e32_save_symtab(struct ta_elf *elf, size_t tab_idx) 349 { 350 Elf32_Shdr *shdr = elf->shdr; 351 size_t str_idx = shdr[tab_idx].sh_link; 352 353 elf->dynsymtab = (void *)(shdr[tab_idx].sh_addr + elf->load_addr); 354 if (!ALIGNMENT_IS_OK(elf->dynsymtab, Elf32_Sym)) 355 err(TEE_ERROR_BAD_FORMAT, "Bad alignment of dynsymtab %p", 356 elf->dynsymtab); 357 check_range(elf, "Dynsymtab", elf->dynsymtab, shdr[tab_idx].sh_size); 358 359 if (shdr[tab_idx].sh_size % sizeof(Elf32_Sym)) 360 err(TEE_ERROR_BAD_FORMAT, 361 "Size of dynsymtab not an even multiple of Elf32_Sym"); 362 elf->num_dynsyms = shdr[tab_idx].sh_size / sizeof(Elf32_Sym); 363 364 if (str_idx >= elf->e_shnum) 365 err(TEE_ERROR_BAD_FORMAT, "Dynstr section index out of range"); 366 elf->dynstr = (void *)(shdr[str_idx].sh_addr + elf->load_addr); 367 check_range(elf, "Dynstr", elf->dynstr, shdr[str_idx].sh_size); 368 369 elf->dynstr_size = shdr[str_idx].sh_size; 370 } 371 372 static void e64_save_symtab(struct ta_elf *elf, size_t tab_idx) 373 { 374 Elf64_Shdr *shdr = elf->shdr; 375 size_t str_idx = shdr[tab_idx].sh_link; 376 377 elf->dynsymtab = (void *)(vaddr_t)(shdr[tab_idx].sh_addr + 378 elf->load_addr); 379 380 if (!ALIGNMENT_IS_OK(elf->dynsymtab, Elf64_Sym)) 381 err(TEE_ERROR_BAD_FORMAT, "Bad alignment of .dynsym/DYNSYM %p", 382 elf->dynsymtab); 383 check_range(elf, ".dynsym/DYNSYM", elf->dynsymtab, 384 shdr[tab_idx].sh_size); 385 386 if (shdr[tab_idx].sh_size % sizeof(Elf64_Sym)) 387 err(TEE_ERROR_BAD_FORMAT, 388 "Size of .dynsym/DYNSYM not an even multiple of Elf64_Sym"); 389 elf->num_dynsyms = shdr[tab_idx].sh_size / sizeof(Elf64_Sym); 390 391 if (str_idx >= elf->e_shnum) 392 err(TEE_ERROR_BAD_FORMAT, 393 ".dynstr/STRTAB section index out of range"); 394 elf->dynstr = (void *)(vaddr_t)(shdr[str_idx].sh_addr + elf->load_addr); 395 check_range(elf, ".dynstr/STRTAB", elf->dynstr, shdr[str_idx].sh_size); 396 397 elf->dynstr_size = shdr[str_idx].sh_size; 398 } 399 400 static void save_symtab(struct ta_elf *elf) 401 { 402 size_t n = 0; 403 404 if (elf->is_32bit) { 405 Elf32_Shdr *shdr = elf->shdr; 406 407 for (n = 0; n < elf->e_shnum; n++) { 408 if (shdr[n].sh_type == SHT_DYNSYM) { 409 e32_save_symtab(elf, n); 410 break; 411 } 412 } 413 } else { 414 Elf64_Shdr *shdr = elf->shdr; 415 416 for (n = 0; n < elf->e_shnum; n++) { 417 if (shdr[n].sh_type == SHT_DYNSYM) { 418 e64_save_symtab(elf, n); 419 break; 420 } 421 } 422 423 } 424 425 save_hashtab(elf); 426 save_soname(elf); 427 } 428 429 static void init_elf(struct ta_elf *elf) 430 { 431 TEE_Result res = TEE_SUCCESS; 432 vaddr_t va = 0; 433 uint32_t flags = PTA_SYSTEM_MAP_FLAG_SHAREABLE; 434 size_t sz = 0; 435 436 res = sys_open_ta_bin(&elf->uuid, &elf->handle); 437 if (res) 438 err(res, "sys_open_ta_bin(%pUl)", (void *)&elf->uuid); 439 440 /* 441 * Map it read-only executable when we're loading a library where 442 * the ELF header is included in a load segment. 443 */ 444 if (!elf->is_main) 445 flags |= PTA_SYSTEM_MAP_FLAG_EXECUTABLE; 446 res = sys_map_ta_bin(&va, SMALL_PAGE_SIZE, flags, elf->handle, 0, 0, 0); 447 if (res) 448 err(res, "sys_map_ta_bin"); 449 elf->ehdr_addr = va; 450 if (!elf->is_main) { 451 elf->load_addr = va; 452 elf->max_addr = va + SMALL_PAGE_SIZE; 453 elf->max_offs = SMALL_PAGE_SIZE; 454 } 455 456 if (!IS_ELF(*(Elf32_Ehdr *)va)) 457 err(TEE_ERROR_BAD_FORMAT, "TA is not an ELF"); 458 459 res = e32_parse_ehdr(elf, (void *)va); 460 if (res == TEE_ERROR_BAD_FORMAT) 461 res = e64_parse_ehdr(elf, (void *)va); 462 if (res) 463 err(res, "Cannot parse ELF"); 464 465 if (MUL_OVERFLOW(elf->e_phnum, elf->e_phentsize, &sz) || 466 ADD_OVERFLOW(sz, elf->e_phoff, &sz)) 467 err(TEE_ERROR_BAD_FORMAT, "Program headers size overflow"); 468 469 if (sz > SMALL_PAGE_SIZE) 470 err(TEE_ERROR_NOT_SUPPORTED, "Cannot read program headers"); 471 472 elf->phdr = (void *)(va + elf->e_phoff); 473 } 474 475 static size_t roundup(size_t v) 476 { 477 return ROUNDUP(v, SMALL_PAGE_SIZE); 478 } 479 480 static size_t rounddown(size_t v) 481 { 482 return ROUNDDOWN(v, SMALL_PAGE_SIZE); 483 } 484 485 static void add_segment(struct ta_elf *elf, size_t offset, size_t vaddr, 486 size_t filesz, size_t memsz, size_t flags, size_t align) 487 { 488 struct segment *seg = calloc(1, sizeof(*seg)); 489 490 if (!seg) 491 err(TEE_ERROR_OUT_OF_MEMORY, "calloc"); 492 493 if (memsz < filesz) 494 err(TEE_ERROR_BAD_FORMAT, "Memsz smaller than filesz"); 495 496 seg->offset = offset; 497 seg->vaddr = vaddr; 498 seg->filesz = filesz; 499 seg->memsz = memsz; 500 seg->flags = flags; 501 seg->align = align; 502 503 TAILQ_INSERT_TAIL(&elf->segs, seg, link); 504 } 505 506 static void parse_load_segments(struct ta_elf *elf) 507 { 508 size_t n = 0; 509 510 if (elf->is_32bit) { 511 Elf32_Phdr *phdr = elf->phdr; 512 513 for (n = 0; n < elf->e_phnum; n++) 514 if (phdr[n].p_type == PT_LOAD) { 515 add_segment(elf, phdr[n].p_offset, 516 phdr[n].p_vaddr, phdr[n].p_filesz, 517 phdr[n].p_memsz, phdr[n].p_flags, 518 phdr[n].p_align); 519 } else if (phdr[n].p_type == PT_ARM_EXIDX) { 520 elf->exidx_start = phdr[n].p_vaddr; 521 elf->exidx_size = phdr[n].p_filesz; 522 } else if (phdr[n].p_type == PT_TLS) { 523 assign_tls_mod_id(elf); 524 } 525 } else { 526 Elf64_Phdr *phdr = elf->phdr; 527 528 for (n = 0; n < elf->e_phnum; n++) 529 if (phdr[n].p_type == PT_LOAD) { 530 add_segment(elf, phdr[n].p_offset, 531 phdr[n].p_vaddr, phdr[n].p_filesz, 532 phdr[n].p_memsz, phdr[n].p_flags, 533 phdr[n].p_align); 534 } else if (phdr[n].p_type == PT_TLS) { 535 elf->tls_start = phdr[n].p_vaddr; 536 elf->tls_filesz = phdr[n].p_filesz; 537 elf->tls_memsz = phdr[n].p_memsz; 538 } 539 } 540 } 541 542 static void copy_remapped_to(struct ta_elf *elf, const struct segment *seg) 543 { 544 uint8_t *dst = (void *)(seg->vaddr + elf->load_addr); 545 size_t n = 0; 546 size_t offs = seg->offset; 547 size_t num_bytes = seg->filesz; 548 549 if (offs < elf->max_offs) { 550 n = MIN(elf->max_offs - offs, num_bytes); 551 memcpy(dst, (void *)(elf->max_addr + offs - elf->max_offs), n); 552 dst += n; 553 offs += n; 554 num_bytes -= n; 555 } 556 557 if (num_bytes) { 558 TEE_Result res = sys_copy_from_ta_bin(dst, num_bytes, 559 elf->handle, offs); 560 561 if (res) 562 err(res, "sys_copy_from_ta_bin"); 563 elf->max_offs += offs; 564 } 565 } 566 567 static void adjust_segments(struct ta_elf *elf) 568 { 569 struct segment *seg = NULL; 570 struct segment *prev_seg = NULL; 571 size_t prev_end_addr = 0; 572 size_t align = 0; 573 size_t mask = 0; 574 575 /* Sanity check */ 576 TAILQ_FOREACH(seg, &elf->segs, link) { 577 size_t dummy __maybe_unused = 0; 578 579 assert(seg->align >= SMALL_PAGE_SIZE); 580 assert(!ADD_OVERFLOW(seg->vaddr, seg->memsz, &dummy)); 581 assert(seg->filesz <= seg->memsz); 582 assert((seg->offset & SMALL_PAGE_MASK) == 583 (seg->vaddr & SMALL_PAGE_MASK)); 584 585 prev_seg = TAILQ_PREV(seg, segment_head, link); 586 if (prev_seg) { 587 assert(seg->vaddr >= prev_seg->vaddr + prev_seg->memsz); 588 assert(seg->offset >= 589 prev_seg->offset + prev_seg->filesz); 590 } 591 if (!align) 592 align = seg->align; 593 assert(align == seg->align); 594 } 595 596 mask = align - 1; 597 598 seg = TAILQ_FIRST(&elf->segs); 599 if (seg) 600 seg = TAILQ_NEXT(seg, link); 601 while (seg) { 602 prev_seg = TAILQ_PREV(seg, segment_head, link); 603 prev_end_addr = prev_seg->vaddr + prev_seg->memsz; 604 605 /* 606 * This segment may overlap with the last "page" in the 607 * previous segment in two different ways: 608 * 1. Virtual address (and offset) overlaps => 609 * Permissions needs to be merged. The offset must have 610 * the SMALL_PAGE_MASK bits set as vaddr and offset must 611 * add up with prevsion segment. 612 * 613 * 2. Only offset overlaps => 614 * The same page in the ELF is mapped at two different 615 * virtual addresses. As a limitation this segment must 616 * be mapped as writeable. 617 */ 618 619 /* Case 1. */ 620 if (rounddown(seg->vaddr) < prev_end_addr) { 621 assert((seg->vaddr & mask) == (seg->offset & mask)); 622 assert(prev_seg->memsz == prev_seg->filesz); 623 624 /* 625 * Merge the segments and their permissions. 626 * Note that the may be a small hole between the 627 * two sections. 628 */ 629 prev_seg->filesz = seg->vaddr + seg->filesz - 630 prev_seg->vaddr; 631 prev_seg->memsz = seg->vaddr + seg->memsz - 632 prev_seg->vaddr; 633 prev_seg->flags |= seg->flags; 634 635 TAILQ_REMOVE(&elf->segs, seg, link); 636 free(seg); 637 seg = TAILQ_NEXT(prev_seg, link); 638 continue; 639 } 640 641 /* Case 2. */ 642 if ((seg->offset & mask) && 643 rounddown(seg->offset) < 644 (prev_seg->offset + prev_seg->filesz)) { 645 646 assert(seg->flags & PF_W); 647 seg->remapped_writeable = true; 648 } 649 650 /* 651 * No overlap, but we may need to align address, offset and 652 * size. 653 */ 654 seg->filesz += seg->vaddr - rounddown(seg->vaddr); 655 seg->memsz += seg->vaddr - rounddown(seg->vaddr); 656 seg->vaddr = rounddown(seg->vaddr); 657 seg->offset = rounddown(seg->offset); 658 seg = TAILQ_NEXT(seg, link); 659 } 660 661 } 662 663 static void populate_segments_legacy(struct ta_elf *elf) 664 { 665 TEE_Result res = TEE_SUCCESS; 666 struct segment *seg = NULL; 667 vaddr_t va = 0; 668 669 assert(elf->is_legacy); 670 TAILQ_FOREACH(seg, &elf->segs, link) { 671 struct segment *last_seg = TAILQ_LAST(&elf->segs, segment_head); 672 size_t pad_end = roundup(last_seg->vaddr + last_seg->memsz - 673 seg->vaddr - seg->memsz); 674 size_t num_bytes = roundup(seg->memsz); 675 676 if (!elf->load_addr) 677 va = 0; 678 else 679 va = seg->vaddr + elf->load_addr; 680 681 682 if (!(seg->flags & PF_R)) 683 err(TEE_ERROR_NOT_SUPPORTED, 684 "Segment must be readable"); 685 686 res = sys_map_zi(num_bytes, 0, &va, 0, pad_end); 687 if (res) 688 err(res, "sys_map_zi"); 689 res = sys_copy_from_ta_bin((void *)va, seg->filesz, 690 elf->handle, seg->offset); 691 if (res) 692 err(res, "sys_copy_from_ta_bin"); 693 694 if (!elf->load_addr) 695 elf->load_addr = va; 696 elf->max_addr = va + num_bytes; 697 elf->max_offs = seg->offset + seg->filesz; 698 } 699 } 700 701 static size_t get_pad_begin(void) 702 { 703 #ifdef CFG_TA_ASLR 704 size_t min = CFG_TA_ASLR_MIN_OFFSET_PAGES; 705 size_t max = CFG_TA_ASLR_MAX_OFFSET_PAGES; 706 TEE_Result res = TEE_SUCCESS; 707 uint32_t rnd32 = 0; 708 size_t rnd = 0; 709 710 COMPILE_TIME_ASSERT(CFG_TA_ASLR_MIN_OFFSET_PAGES < 711 CFG_TA_ASLR_MAX_OFFSET_PAGES); 712 if (max > min) { 713 res = _utee_cryp_random_number_generate(&rnd32, sizeof(rnd32)); 714 if (res) { 715 DMSG("Random read failed: %#"PRIx32, res); 716 return min * SMALL_PAGE_SIZE; 717 } 718 rnd = rnd32 % (max - min); 719 } 720 721 return (min + rnd) * SMALL_PAGE_SIZE; 722 #else /*!CFG_TA_ASLR*/ 723 return 0; 724 #endif /*!CFG_TA_ASLR*/ 725 } 726 727 static void populate_segments(struct ta_elf *elf) 728 { 729 TEE_Result res = TEE_SUCCESS; 730 struct segment *seg = NULL; 731 vaddr_t va = 0; 732 size_t pad_begin = 0; 733 734 assert(!elf->is_legacy); 735 TAILQ_FOREACH(seg, &elf->segs, link) { 736 struct segment *last_seg = TAILQ_LAST(&elf->segs, segment_head); 737 size_t pad_end = roundup(last_seg->vaddr + last_seg->memsz - 738 seg->vaddr - seg->memsz); 739 740 if (seg->remapped_writeable) { 741 size_t num_bytes = roundup(seg->vaddr + seg->memsz) - 742 rounddown(seg->vaddr); 743 744 assert(elf->load_addr); 745 va = rounddown(elf->load_addr + seg->vaddr); 746 assert(va >= elf->max_addr); 747 res = sys_map_zi(num_bytes, 0, &va, 0, pad_end); 748 if (res) 749 err(res, "sys_map_zi"); 750 751 copy_remapped_to(elf, seg); 752 elf->max_addr = va + num_bytes; 753 } else { 754 uint32_t flags = 0; 755 size_t filesz = seg->filesz; 756 size_t memsz = seg->memsz; 757 size_t offset = seg->offset; 758 size_t vaddr = seg->vaddr; 759 760 if (offset < elf->max_offs) { 761 /* 762 * We're in a load segment which overlaps 763 * with (or is covered by) the first page 764 * of a shared library. 765 */ 766 if (vaddr + filesz < SMALL_PAGE_SIZE) { 767 size_t num_bytes = 0; 768 769 /* 770 * If this segment is completely 771 * covered, take next. 772 */ 773 if (vaddr + memsz <= SMALL_PAGE_SIZE) 774 continue; 775 776 /* 777 * All data of the segment is 778 * loaded, but we need to zero 779 * extend it. 780 */ 781 va = elf->max_addr; 782 num_bytes = roundup(vaddr + memsz) - 783 roundup(vaddr) - 784 SMALL_PAGE_SIZE; 785 assert(num_bytes); 786 res = sys_map_zi(num_bytes, 0, &va, 0, 787 0); 788 if (res) 789 err(res, "sys_map_zi"); 790 elf->max_addr = roundup(va + num_bytes); 791 continue; 792 } 793 794 /* Partial overlap, remove the first page. */ 795 vaddr += SMALL_PAGE_SIZE; 796 filesz -= SMALL_PAGE_SIZE; 797 memsz -= SMALL_PAGE_SIZE; 798 offset += SMALL_PAGE_SIZE; 799 } 800 801 if (!elf->load_addr) { 802 va = 0; 803 pad_begin = get_pad_begin(); 804 /* 805 * If mapping with pad_begin fails we'll 806 * retry without pad_begin, effectively 807 * disabling ASLR for the current ELF file. 808 */ 809 } else { 810 va = vaddr + elf->load_addr; 811 pad_begin = 0; 812 } 813 814 if (seg->flags & PF_W) 815 flags |= PTA_SYSTEM_MAP_FLAG_WRITEABLE; 816 else 817 flags |= PTA_SYSTEM_MAP_FLAG_SHAREABLE; 818 if (seg->flags & PF_X) 819 flags |= PTA_SYSTEM_MAP_FLAG_EXECUTABLE; 820 if (!(seg->flags & PF_R)) 821 err(TEE_ERROR_NOT_SUPPORTED, 822 "Segment must be readable"); 823 if (flags & PTA_SYSTEM_MAP_FLAG_WRITEABLE) { 824 res = sys_map_zi(memsz, 0, &va, pad_begin, 825 pad_end); 826 if (pad_begin && res == TEE_ERROR_OUT_OF_MEMORY) 827 res = sys_map_zi(memsz, 0, &va, 0, 828 pad_end); 829 if (res) 830 err(res, "sys_map_zi"); 831 res = sys_copy_from_ta_bin((void *)va, filesz, 832 elf->handle, offset); 833 if (res) 834 err(res, "sys_copy_from_ta_bin"); 835 } else { 836 if (filesz != memsz) 837 err(TEE_ERROR_BAD_FORMAT, 838 "Filesz and memsz mismatch"); 839 res = sys_map_ta_bin(&va, filesz, flags, 840 elf->handle, offset, 841 pad_begin, pad_end); 842 if (pad_begin && res == TEE_ERROR_OUT_OF_MEMORY) 843 res = sys_map_ta_bin(&va, filesz, flags, 844 elf->handle, 845 offset, 0, 846 pad_end); 847 if (res) 848 err(res, "sys_map_ta_bin"); 849 } 850 851 if (!elf->load_addr) 852 elf->load_addr = va; 853 elf->max_addr = roundup(va + memsz); 854 elf->max_offs += filesz; 855 } 856 } 857 } 858 859 static void map_segments(struct ta_elf *elf) 860 { 861 TEE_Result res = TEE_SUCCESS; 862 863 parse_load_segments(elf); 864 adjust_segments(elf); 865 if (TAILQ_FIRST(&elf->segs)->offset < SMALL_PAGE_SIZE) { 866 vaddr_t va = 0; 867 size_t sz = elf->max_addr - elf->load_addr; 868 struct segment *seg = TAILQ_LAST(&elf->segs, segment_head); 869 size_t pad_begin = get_pad_begin(); 870 871 /* 872 * We're loading a library, if not other parts of the code 873 * need to be updated too. 874 */ 875 assert(!elf->is_main); 876 877 /* 878 * Now that we know how much virtual memory is needed move 879 * the already mapped part to a location which can 880 * accommodate us. 881 */ 882 res = sys_remap(elf->load_addr, &va, sz, pad_begin, 883 roundup(seg->vaddr + seg->memsz)); 884 if (res == TEE_ERROR_OUT_OF_MEMORY) 885 res = sys_remap(elf->load_addr, &va, sz, 0, 886 roundup(seg->vaddr + seg->memsz)); 887 if (res) 888 err(res, "sys_remap"); 889 elf->ehdr_addr = va; 890 elf->load_addr = va; 891 elf->max_addr = va + sz; 892 elf->phdr = (void *)(va + elf->e_phoff); 893 } 894 } 895 896 static void add_deps_from_segment(struct ta_elf *elf, unsigned int type, 897 vaddr_t addr, size_t memsz) 898 { 899 size_t dyn_entsize = 0; 900 size_t num_dyns = 0; 901 size_t n = 0; 902 unsigned int tag = 0; 903 size_t val = 0; 904 TEE_UUID uuid = { }; 905 char *str_tab = NULL; 906 size_t str_tab_sz = 0; 907 908 if (type != PT_DYNAMIC) 909 return; 910 911 check_phdr_in_range(elf, type, addr, memsz); 912 913 if (elf->is_32bit) 914 dyn_entsize = sizeof(Elf32_Dyn); 915 else 916 dyn_entsize = sizeof(Elf64_Dyn); 917 918 assert(!(memsz % dyn_entsize)); 919 num_dyns = memsz / dyn_entsize; 920 921 for (n = 0; n < num_dyns && !(str_tab && str_tab_sz); n++) { 922 read_dyn(elf, addr, n, &tag, &val); 923 if (tag == DT_STRTAB) 924 str_tab = (char *)(val + elf->load_addr); 925 else if (tag == DT_STRSZ) 926 str_tab_sz = val; 927 } 928 check_range(elf, ".dynstr/STRTAB", str_tab, str_tab_sz); 929 930 for (n = 0; n < num_dyns; n++) { 931 read_dyn(elf, addr, n, &tag, &val); 932 if (tag != DT_NEEDED) 933 continue; 934 if (val >= str_tab_sz) 935 err(TEE_ERROR_BAD_FORMAT, 936 "Offset into .dynstr/STRTAB out of range"); 937 tee_uuid_from_str(&uuid, str_tab + val); 938 queue_elf(&uuid); 939 } 940 } 941 942 static void add_dependencies(struct ta_elf *elf) 943 { 944 size_t n = 0; 945 946 if (elf->is_32bit) { 947 Elf32_Phdr *phdr = elf->phdr; 948 949 for (n = 0; n < elf->e_phnum; n++) 950 add_deps_from_segment(elf, phdr[n].p_type, 951 phdr[n].p_vaddr, phdr[n].p_memsz); 952 } else { 953 Elf64_Phdr *phdr = elf->phdr; 954 955 for (n = 0; n < elf->e_phnum; n++) 956 add_deps_from_segment(elf, phdr[n].p_type, 957 phdr[n].p_vaddr, phdr[n].p_memsz); 958 } 959 } 960 961 static void copy_section_headers(struct ta_elf *elf) 962 { 963 TEE_Result res = TEE_SUCCESS; 964 size_t sz = 0; 965 size_t offs = 0; 966 967 if (MUL_OVERFLOW(elf->e_shnum, elf->e_shentsize, &sz)) 968 err(TEE_ERROR_BAD_FORMAT, "Section headers size overflow"); 969 970 elf->shdr = malloc(sz); 971 if (!elf->shdr) 972 err(TEE_ERROR_OUT_OF_MEMORY, "malloc"); 973 974 /* 975 * We're assuming that section headers comes after the load segments, 976 * but if it's a very small dynamically linked library the section 977 * headers can still end up (partially?) in the first mapped page. 978 */ 979 if (elf->e_shoff < SMALL_PAGE_SIZE) { 980 assert(!elf->is_main); 981 offs = MIN(SMALL_PAGE_SIZE - elf->e_shoff, sz); 982 memcpy(elf->shdr, (void *)(elf->load_addr + elf->e_shoff), 983 offs); 984 } 985 986 if (offs < sz) { 987 res = sys_copy_from_ta_bin((uint8_t *)elf->shdr + offs, 988 sz - offs, elf->handle, 989 elf->e_shoff + offs); 990 if (res) 991 err(res, "sys_copy_from_ta_bin"); 992 } 993 } 994 995 static void close_handle(struct ta_elf *elf) 996 { 997 TEE_Result res = sys_close_ta_bin(elf->handle); 998 999 if (res) 1000 err(res, "sys_close_ta_bin"); 1001 elf->handle = -1; 1002 } 1003 1004 static void clean_elf_load_main(struct ta_elf *elf) 1005 { 1006 TEE_Result res = TEE_SUCCESS; 1007 1008 /* 1009 * Clean up from last attempt to load 1010 */ 1011 res = sys_unmap(elf->ehdr_addr, SMALL_PAGE_SIZE); 1012 if (res) 1013 err(res, "sys_unmap"); 1014 1015 while (!TAILQ_EMPTY(&elf->segs)) { 1016 struct segment *seg = TAILQ_FIRST(&elf->segs); 1017 vaddr_t va = 0; 1018 size_t num_bytes = 0; 1019 1020 va = rounddown(elf->load_addr + seg->vaddr); 1021 if (seg->remapped_writeable) 1022 num_bytes = roundup(seg->vaddr + seg->memsz) - 1023 rounddown(seg->vaddr); 1024 else 1025 num_bytes = seg->memsz; 1026 1027 res = sys_unmap(va, num_bytes); 1028 if (res) 1029 err(res, "sys_unmap"); 1030 1031 TAILQ_REMOVE(&elf->segs, seg, link); 1032 free(seg); 1033 } 1034 1035 free(elf->shdr); 1036 memset(&elf->is_32bit, 0, 1037 (vaddr_t)&elf->uuid - (vaddr_t)&elf->is_32bit); 1038 1039 TAILQ_INIT(&elf->segs); 1040 } 1041 1042 #ifdef ARM64 1043 /* 1044 * Allocates an offset in the TA's Thread Control Block for the TLS segment of 1045 * the @elf module. 1046 */ 1047 #define TCB_HEAD_SIZE (2 * sizeof(long)) 1048 static void set_tls_offset(struct ta_elf *elf) 1049 { 1050 static size_t next_offs = TCB_HEAD_SIZE; 1051 1052 if (!elf->tls_start) 1053 return; 1054 1055 /* Module has a TLS segment */ 1056 elf->tls_tcb_offs = next_offs; 1057 next_offs += elf->tls_memsz; 1058 } 1059 #else 1060 static void set_tls_offset(struct ta_elf *elf __unused) {} 1061 #endif 1062 1063 static void load_main(struct ta_elf *elf) 1064 { 1065 init_elf(elf); 1066 map_segments(elf); 1067 populate_segments(elf); 1068 add_dependencies(elf); 1069 copy_section_headers(elf); 1070 save_symtab(elf); 1071 close_handle(elf); 1072 set_tls_offset(elf); 1073 1074 elf->head = (struct ta_head *)elf->load_addr; 1075 if (elf->head->depr_entry != UINT64_MAX) { 1076 /* 1077 * Legacy TAs sets their entry point in ta_head. For 1078 * non-legacy TAs the entry point of the ELF is set instead 1079 * and leaving the ta_head entry point set to UINT64_MAX to 1080 * indicate that it's not used. 1081 * 1082 * NB, everything before the commit a73b5878c89d ("Replace 1083 * ta_head.entry with elf entry") is considered legacy TAs 1084 * for ldelf. 1085 * 1086 * Legacy TAs cannot be mapped with shared memory segments 1087 * so restart the mapping if it turned out we're loading a 1088 * legacy TA. 1089 */ 1090 1091 DMSG("Reloading TA %pUl as legacy TA", (void *)&elf->uuid); 1092 clean_elf_load_main(elf); 1093 elf->is_legacy = true; 1094 init_elf(elf); 1095 map_segments(elf); 1096 populate_segments_legacy(elf); 1097 add_dependencies(elf); 1098 copy_section_headers(elf); 1099 save_symtab(elf); 1100 close_handle(elf); 1101 elf->head = (struct ta_head *)elf->load_addr; 1102 /* 1103 * Check that the TA is still a legacy TA, if it isn't give 1104 * up now since we're likely under attack. 1105 */ 1106 if (elf->head->depr_entry == UINT64_MAX) 1107 err(TEE_ERROR_GENERIC, 1108 "TA %pUl was changed on disk to non-legacy", 1109 (void *)&elf->uuid); 1110 } 1111 1112 } 1113 1114 void ta_elf_load_main(const TEE_UUID *uuid, uint32_t *is_32bit, uint64_t *sp, 1115 uint32_t *ta_flags) 1116 { 1117 struct ta_elf *elf = queue_elf(uuid); 1118 vaddr_t va = 0; 1119 TEE_Result res = TEE_SUCCESS; 1120 1121 assert(elf); 1122 elf->is_main = true; 1123 1124 load_main(elf); 1125 1126 *is_32bit = elf->is_32bit; 1127 res = sys_map_zi(elf->head->stack_size, 0, &va, 0, 0); 1128 if (res) 1129 err(res, "sys_map_zi stack"); 1130 1131 if (elf->head->flags & ~TA_FLAGS_MASK) 1132 err(TEE_ERROR_BAD_FORMAT, "Invalid TA flags(s) %#"PRIx32, 1133 elf->head->flags & ~TA_FLAGS_MASK); 1134 1135 *ta_flags = elf->head->flags; 1136 *sp = va + elf->head->stack_size; 1137 ta_stack = va; 1138 ta_stack_size = elf->head->stack_size; 1139 } 1140 1141 void ta_elf_finalize_load_main(uint64_t *entry) 1142 { 1143 struct ta_elf *elf = TAILQ_FIRST(&main_elf_queue); 1144 TEE_Result res = TEE_SUCCESS; 1145 1146 assert(elf->is_main); 1147 1148 res = ta_elf_set_init_fini_info_compat(elf->is_32bit); 1149 if (res) 1150 err(res, "ta_elf_set_init_fini_info_compat"); 1151 res = ta_elf_set_elf_phdr_info(elf->is_32bit); 1152 if (res) 1153 err(res, "ta_elf_set_elf_phdr_info"); 1154 1155 if (elf->is_legacy) 1156 *entry = elf->head->depr_entry; 1157 else 1158 *entry = elf->e_entry + elf->load_addr; 1159 } 1160 1161 1162 void ta_elf_load_dependency(struct ta_elf *elf, bool is_32bit) 1163 { 1164 if (elf->is_main) 1165 return; 1166 1167 init_elf(elf); 1168 if (elf->is_32bit != is_32bit) 1169 err(TEE_ERROR_BAD_FORMAT, "ELF %pUl is %sbit (expected %sbit)", 1170 (void *)&elf->uuid, elf->is_32bit ? "32" : "64", 1171 is_32bit ? "32" : "64"); 1172 1173 map_segments(elf); 1174 populate_segments(elf); 1175 add_dependencies(elf); 1176 copy_section_headers(elf); 1177 save_symtab(elf); 1178 close_handle(elf); 1179 set_tls_offset(elf); 1180 } 1181 1182 void ta_elf_finalize_mappings(struct ta_elf *elf) 1183 { 1184 TEE_Result res = TEE_SUCCESS; 1185 struct segment *seg = NULL; 1186 1187 if (!elf->is_legacy) 1188 return; 1189 1190 TAILQ_FOREACH(seg, &elf->segs, link) { 1191 vaddr_t va = elf->load_addr + seg->vaddr; 1192 uint32_t flags = 0; 1193 1194 if (seg->flags & PF_W) 1195 flags |= PTA_SYSTEM_MAP_FLAG_WRITEABLE; 1196 if (seg->flags & PF_X) 1197 flags |= PTA_SYSTEM_MAP_FLAG_EXECUTABLE; 1198 1199 res = sys_set_prot(va, seg->memsz, flags); 1200 if (res) 1201 err(res, "sys_set_prot"); 1202 } 1203 } 1204 1205 static void __printf(3, 4) print_wrapper(void *pctx, print_func_t print_func, 1206 const char *fmt, ...) 1207 { 1208 va_list ap; 1209 1210 va_start(ap, fmt); 1211 print_func(pctx, fmt, ap); 1212 va_end(ap); 1213 } 1214 1215 static void print_seg(void *pctx, print_func_t print_func, 1216 size_t idx __maybe_unused, int elf_idx __maybe_unused, 1217 vaddr_t va __maybe_unused, paddr_t pa __maybe_unused, 1218 size_t sz __maybe_unused, uint32_t flags) 1219 { 1220 int width __maybe_unused = 8; 1221 char desc[14] __maybe_unused = ""; 1222 char flags_str[] __maybe_unused = "----"; 1223 1224 if (elf_idx > -1) { 1225 snprintf(desc, sizeof(desc), " [%d]", elf_idx); 1226 } else { 1227 if (flags & DUMP_MAP_EPHEM) 1228 snprintf(desc, sizeof(desc), " (param)"); 1229 if (flags & DUMP_MAP_LDELF) 1230 snprintf(desc, sizeof(desc), " (ldelf)"); 1231 if (va == ta_stack) 1232 snprintf(desc, sizeof(desc), " (stack)"); 1233 } 1234 1235 if (flags & DUMP_MAP_READ) 1236 flags_str[0] = 'r'; 1237 if (flags & DUMP_MAP_WRITE) 1238 flags_str[1] = 'w'; 1239 if (flags & DUMP_MAP_EXEC) 1240 flags_str[2] = 'x'; 1241 if (flags & DUMP_MAP_SECURE) 1242 flags_str[3] = 's'; 1243 1244 print_wrapper(pctx, print_func, 1245 "region %2zu: va 0x%0*"PRIxVA" pa 0x%0*"PRIxPA" size 0x%06zx flags %s%s\n", 1246 idx, width, va, width, pa, sz, flags_str, desc); 1247 } 1248 1249 static bool get_next_in_order(struct ta_elf_queue *elf_queue, 1250 struct ta_elf **elf, struct segment **seg, 1251 size_t *elf_idx) 1252 { 1253 struct ta_elf *e = NULL; 1254 struct segment *s = NULL; 1255 size_t idx = 0; 1256 vaddr_t va = 0; 1257 struct ta_elf *e2 = NULL; 1258 size_t i2 = 0; 1259 1260 assert(elf && seg && elf_idx); 1261 e = *elf; 1262 s = *seg; 1263 assert((e == NULL && s == NULL) || (e != NULL && s != NULL)); 1264 1265 if (s) { 1266 s = TAILQ_NEXT(s, link); 1267 if (s) { 1268 *seg = s; 1269 return true; 1270 } 1271 } 1272 1273 if (e) 1274 va = e->load_addr; 1275 1276 /* Find the ELF with next load address */ 1277 e = NULL; 1278 TAILQ_FOREACH(e2, elf_queue, link) { 1279 if (e2->load_addr > va) { 1280 if (!e || e2->load_addr < e->load_addr) { 1281 e = e2; 1282 idx = i2; 1283 } 1284 } 1285 i2++; 1286 } 1287 if (!e) 1288 return false; 1289 1290 *elf = e; 1291 *seg = TAILQ_FIRST(&e->segs); 1292 *elf_idx = idx; 1293 return true; 1294 } 1295 1296 void ta_elf_print_mappings(void *pctx, print_func_t print_func, 1297 struct ta_elf_queue *elf_queue, size_t num_maps, 1298 struct dump_map *maps, vaddr_t mpool_base) 1299 { 1300 struct segment *seg = NULL; 1301 struct ta_elf *elf = NULL; 1302 size_t elf_idx = 0; 1303 size_t idx = 0; 1304 size_t map_idx = 0; 1305 1306 /* 1307 * Loop over all segments and maps, printing virtual address in 1308 * order. Segment has priority if the virtual address is present 1309 * in both map and segment. 1310 */ 1311 get_next_in_order(elf_queue, &elf, &seg, &elf_idx); 1312 while (true) { 1313 vaddr_t va = -1; 1314 size_t sz = 0; 1315 uint32_t flags = DUMP_MAP_SECURE; 1316 size_t offs = 0; 1317 1318 if (seg) { 1319 va = rounddown(seg->vaddr + elf->load_addr); 1320 sz = roundup(seg->vaddr + seg->memsz) - 1321 rounddown(seg->vaddr); 1322 } 1323 1324 while (map_idx < num_maps && maps[map_idx].va <= va) { 1325 uint32_t f = 0; 1326 1327 /* If there's a match, it should be the same map */ 1328 if (maps[map_idx].va == va) { 1329 /* 1330 * In shared libraries the first page is 1331 * mapped separately with the rest of that 1332 * segment following back to back in a 1333 * separate entry. 1334 */ 1335 if (map_idx + 1 < num_maps && 1336 maps[map_idx].sz == SMALL_PAGE_SIZE) { 1337 vaddr_t next_va = maps[map_idx].va + 1338 maps[map_idx].sz; 1339 size_t comb_sz = maps[map_idx].sz + 1340 maps[map_idx + 1].sz; 1341 1342 if (next_va == maps[map_idx + 1].va && 1343 comb_sz == sz && 1344 maps[map_idx].flags == 1345 maps[map_idx + 1].flags) { 1346 /* Skip this and next entry */ 1347 map_idx += 2; 1348 continue; 1349 } 1350 } 1351 assert(maps[map_idx].sz == sz); 1352 } else if (maps[map_idx].va < va) { 1353 if (maps[map_idx].va == mpool_base) 1354 f |= DUMP_MAP_LDELF; 1355 print_seg(pctx, print_func, idx, -1, 1356 maps[map_idx].va, maps[map_idx].pa, 1357 maps[map_idx].sz, 1358 maps[map_idx].flags | f); 1359 idx++; 1360 } 1361 map_idx++; 1362 } 1363 1364 if (!seg) 1365 break; 1366 1367 offs = rounddown(seg->offset); 1368 if (seg->flags & PF_R) 1369 flags |= DUMP_MAP_READ; 1370 if (seg->flags & PF_W) 1371 flags |= DUMP_MAP_WRITE; 1372 if (seg->flags & PF_X) 1373 flags |= DUMP_MAP_EXEC; 1374 1375 print_seg(pctx, print_func, idx, elf_idx, va, offs, sz, flags); 1376 idx++; 1377 1378 if (!get_next_in_order(elf_queue, &elf, &seg, &elf_idx)) 1379 seg = NULL; 1380 } 1381 1382 elf_idx = 0; 1383 TAILQ_FOREACH(elf, elf_queue, link) { 1384 print_wrapper(pctx, print_func, 1385 " [%zu] %pUl @ 0x%0*"PRIxVA"\n", 1386 elf_idx, (void *)&elf->uuid, 8, elf->load_addr); 1387 elf_idx++; 1388 } 1389 } 1390 1391 #ifdef CFG_UNWIND 1392 /* Called by libunw */ 1393 bool find_exidx(vaddr_t addr, vaddr_t *idx_start, vaddr_t *idx_end) 1394 { 1395 struct segment *seg = NULL; 1396 struct ta_elf *elf = NULL; 1397 vaddr_t a = 0; 1398 1399 TAILQ_FOREACH(elf, &main_elf_queue, link) { 1400 if (addr < elf->load_addr) 1401 continue; 1402 a = addr - elf->load_addr; 1403 TAILQ_FOREACH(seg, &elf->segs, link) { 1404 if (a < seg->vaddr) 1405 continue; 1406 if (a - seg->vaddr < seg->filesz) { 1407 *idx_start = elf->exidx_start + elf->load_addr; 1408 *idx_end = elf->exidx_start + elf->load_addr + 1409 elf->exidx_size; 1410 return true; 1411 } 1412 } 1413 } 1414 1415 return false; 1416 } 1417 1418 void ta_elf_stack_trace_a32(uint32_t regs[16]) 1419 { 1420 struct unwind_state_arm32 state = { }; 1421 1422 memcpy(state.registers, regs, sizeof(state.registers)); 1423 print_stack_arm32(&state, ta_stack, ta_stack_size); 1424 } 1425 1426 void ta_elf_stack_trace_a64(uint64_t fp, uint64_t sp, uint64_t pc) 1427 { 1428 struct unwind_state_arm64 state = { .fp = fp, .sp = sp, .pc = pc }; 1429 1430 print_stack_arm64(&state, ta_stack, ta_stack_size); 1431 } 1432 #endif 1433 1434 TEE_Result ta_elf_add_library(const TEE_UUID *uuid) 1435 { 1436 TEE_Result res = TEE_ERROR_GENERIC; 1437 struct ta_elf *ta = TAILQ_FIRST(&main_elf_queue); 1438 struct ta_elf *lib = ta_elf_find_elf(uuid); 1439 struct ta_elf *elf = NULL; 1440 1441 if (lib) 1442 return TEE_SUCCESS; /* Already mapped */ 1443 1444 lib = queue_elf_helper(uuid); 1445 if (!lib) 1446 return TEE_ERROR_OUT_OF_MEMORY; 1447 1448 for (elf = lib; elf; elf = TAILQ_NEXT(elf, link)) 1449 ta_elf_load_dependency(elf, ta->is_32bit); 1450 1451 for (elf = lib; elf; elf = TAILQ_NEXT(elf, link)) { 1452 ta_elf_relocate(elf); 1453 ta_elf_finalize_mappings(elf); 1454 } 1455 1456 for (elf = lib; elf; elf = TAILQ_NEXT(elf, link)) 1457 DMSG("ELF (%pUl) at %#"PRIxVA, 1458 (void *)&elf->uuid, elf->load_addr); 1459 1460 res = ta_elf_set_init_fini_info_compat(ta->is_32bit); 1461 if (res) 1462 return res; 1463 1464 return ta_elf_set_elf_phdr_info(ta->is_32bit); 1465 } 1466 1467 /* Get address/size of .init_array and .fini_array from the dynamic segment */ 1468 static void get_init_fini_array(struct ta_elf *elf, unsigned int type, 1469 vaddr_t addr, size_t memsz, vaddr_t *init, 1470 size_t *init_cnt, vaddr_t *fini, 1471 size_t *fini_cnt) 1472 { 1473 size_t addrsz = 0; 1474 size_t dyn_entsize = 0; 1475 size_t num_dyns = 0; 1476 size_t n = 0; 1477 unsigned int tag = 0; 1478 size_t val = 0; 1479 1480 assert(type == PT_DYNAMIC); 1481 1482 check_phdr_in_range(elf, type, addr, memsz); 1483 1484 if (elf->is_32bit) { 1485 dyn_entsize = sizeof(Elf32_Dyn); 1486 addrsz = 4; 1487 } else { 1488 dyn_entsize = sizeof(Elf64_Dyn); 1489 addrsz = 8; 1490 } 1491 1492 assert(!(memsz % dyn_entsize)); 1493 num_dyns = memsz / dyn_entsize; 1494 1495 for (n = 0; n < num_dyns; n++) { 1496 read_dyn(elf, addr, n, &tag, &val); 1497 if (tag == DT_INIT_ARRAY) 1498 *init = val + elf->load_addr; 1499 else if (tag == DT_FINI_ARRAY) 1500 *fini = val + elf->load_addr; 1501 else if (tag == DT_INIT_ARRAYSZ) 1502 *init_cnt = val / addrsz; 1503 else if (tag == DT_FINI_ARRAYSZ) 1504 *fini_cnt = val / addrsz; 1505 } 1506 } 1507 1508 /* Get address/size of .init_array and .fini_array in @elf (if present) */ 1509 static void elf_get_init_fini_array(struct ta_elf *elf, vaddr_t *init, 1510 size_t *init_cnt, vaddr_t *fini, 1511 size_t *fini_cnt) 1512 { 1513 size_t n = 0; 1514 1515 if (elf->is_32bit) { 1516 Elf32_Phdr *phdr = elf->phdr; 1517 1518 for (n = 0; n < elf->e_phnum; n++) { 1519 if (phdr[n].p_type == PT_DYNAMIC) { 1520 get_init_fini_array(elf, phdr[n].p_type, 1521 phdr[n].p_vaddr, 1522 phdr[n].p_memsz, 1523 init, init_cnt, fini, 1524 fini_cnt); 1525 return; 1526 } 1527 } 1528 } else { 1529 Elf64_Phdr *phdr = elf->phdr; 1530 1531 for (n = 0; n < elf->e_phnum; n++) { 1532 if (phdr[n].p_type == PT_DYNAMIC) { 1533 get_init_fini_array(elf, phdr[n].p_type, 1534 phdr[n].p_vaddr, 1535 phdr[n].p_memsz, 1536 init, init_cnt, fini, 1537 fini_cnt); 1538 return; 1539 } 1540 } 1541 } 1542 } 1543 1544 /* 1545 * Deprecated by __elf_phdr_info below. Kept for compatibility. 1546 * 1547 * Pointers to ELF initialization and finalization functions are extracted by 1548 * ldelf and stored on the TA heap, then exported to the TA via the global 1549 * symbol __init_fini_info. libutee in OP-TEE 3.9.0 uses this mechanism. 1550 */ 1551 1552 struct __init_fini { 1553 uint32_t flags; 1554 uint16_t init_size; 1555 uint16_t fini_size; 1556 1557 void (**init)(void); /* @init_size entries */ 1558 void (**fini)(void); /* @fini_size entries */ 1559 }; 1560 1561 #define __IFS_VALID BIT(0) 1562 #define __IFS_INIT_HAS_RUN BIT(1) 1563 #define __IFS_FINI_HAS_RUN BIT(2) 1564 1565 struct __init_fini_info { 1566 uint32_t reserved; 1567 uint16_t size; 1568 uint16_t pad; 1569 struct __init_fini *ifs; /* @size entries */ 1570 }; 1571 1572 /* 32-bit variants for a 64-bit ldelf to access a 32-bit TA */ 1573 1574 struct __init_fini32 { 1575 uint32_t flags; 1576 uint16_t init_size; 1577 uint16_t fini_size; 1578 uint32_t init; 1579 uint32_t fini; 1580 }; 1581 1582 struct __init_fini_info32 { 1583 uint32_t reserved; 1584 uint16_t size; 1585 uint16_t pad; 1586 uint32_t ifs; 1587 }; 1588 1589 static TEE_Result realloc_ifs(vaddr_t va, size_t cnt, bool is_32bit) 1590 { 1591 struct __init_fini_info32 *info32 = (struct __init_fini_info32 *)va; 1592 struct __init_fini_info *info = (struct __init_fini_info *)va; 1593 struct __init_fini32 *ifs32 = NULL; 1594 struct __init_fini *ifs = NULL; 1595 size_t prev_cnt = 0; 1596 void *ptr = NULL; 1597 1598 if (is_32bit) { 1599 ptr = (void *)(vaddr_t)info32->ifs; 1600 ptr = realloc(ptr, cnt * sizeof(struct __init_fini32)); 1601 if (!ptr) 1602 return TEE_ERROR_OUT_OF_MEMORY; 1603 ifs32 = ptr; 1604 prev_cnt = info32->size; 1605 if (cnt > prev_cnt) 1606 memset(ifs32 + prev_cnt, 0, 1607 (cnt - prev_cnt) * sizeof(*ifs32)); 1608 info32->ifs = (uint32_t)(vaddr_t)ifs32; 1609 info32->size = cnt; 1610 } else { 1611 ptr = realloc(info->ifs, cnt * sizeof(struct __init_fini)); 1612 if (!ptr) 1613 return TEE_ERROR_OUT_OF_MEMORY; 1614 ifs = ptr; 1615 prev_cnt = info->size; 1616 if (cnt > prev_cnt) 1617 memset(ifs + prev_cnt, 0, 1618 (cnt - prev_cnt) * sizeof(*ifs)); 1619 info->ifs = ifs; 1620 info->size = cnt; 1621 } 1622 1623 return TEE_SUCCESS; 1624 } 1625 1626 static void fill_ifs(vaddr_t va, size_t idx, struct ta_elf *elf, bool is_32bit) 1627 { 1628 struct __init_fini_info32 *info32 = (struct __init_fini_info32 *)va; 1629 struct __init_fini_info *info = (struct __init_fini_info *)va; 1630 struct __init_fini32 *ifs32 = NULL; 1631 struct __init_fini *ifs = NULL; 1632 size_t init_cnt = 0; 1633 size_t fini_cnt = 0; 1634 vaddr_t init = 0; 1635 vaddr_t fini = 0; 1636 1637 if (is_32bit) { 1638 assert(idx < info32->size); 1639 ifs32 = &((struct __init_fini32 *)(vaddr_t)info32->ifs)[idx]; 1640 1641 if (ifs32->flags & __IFS_VALID) 1642 return; 1643 1644 elf_get_init_fini_array(elf, &init, &init_cnt, &fini, 1645 &fini_cnt); 1646 1647 ifs32->init = (uint32_t)init; 1648 ifs32->init_size = init_cnt; 1649 1650 ifs32->fini = (uint32_t)fini; 1651 ifs32->fini_size = fini_cnt; 1652 1653 ifs32->flags |= __IFS_VALID; 1654 } else { 1655 assert(idx < info->size); 1656 ifs = &info->ifs[idx]; 1657 1658 if (ifs->flags & __IFS_VALID) 1659 return; 1660 1661 elf_get_init_fini_array(elf, &init, &init_cnt, &fini, 1662 &fini_cnt); 1663 1664 ifs->init = (void (**)(void))init; 1665 ifs->init_size = init_cnt; 1666 1667 ifs->fini = (void (**)(void))fini; 1668 ifs->fini_size = fini_cnt; 1669 1670 ifs->flags |= __IFS_VALID; 1671 } 1672 } 1673 1674 /* 1675 * Set or update __init_fini_info in the TA with information from the ELF 1676 * queue 1677 */ 1678 TEE_Result ta_elf_set_init_fini_info_compat(bool is_32bit) 1679 { 1680 struct __init_fini_info *info = NULL; 1681 TEE_Result res = TEE_SUCCESS; 1682 struct ta_elf *elf = NULL; 1683 vaddr_t info_va = 0; 1684 size_t cnt = 0; 1685 1686 res = ta_elf_resolve_sym("__init_fini_info", &info_va, NULL, NULL); 1687 if (res) { 1688 if (res == TEE_ERROR_ITEM_NOT_FOUND) { 1689 /* 1690 * Not an error, only TAs linked against libutee from 1691 * OP-TEE 3.9.0 have this symbol. 1692 */ 1693 return TEE_SUCCESS; 1694 } 1695 return res; 1696 } 1697 assert(info_va); 1698 1699 info = (struct __init_fini_info *)info_va; 1700 if (info->reserved) 1701 return TEE_ERROR_NOT_SUPPORTED; 1702 1703 TAILQ_FOREACH(elf, &main_elf_queue, link) 1704 cnt++; 1705 1706 /* Queue has at least one file (main) */ 1707 assert(cnt); 1708 1709 res = realloc_ifs(info_va, cnt, is_32bit); 1710 if (res) 1711 goto err; 1712 1713 cnt = 0; 1714 TAILQ_FOREACH(elf, &main_elf_queue, link) { 1715 fill_ifs(info_va, cnt, elf, is_32bit); 1716 cnt++; 1717 } 1718 1719 return TEE_SUCCESS; 1720 err: 1721 free(info); 1722 return res; 1723 } 1724 1725 static TEE_Result realloc_elf_phdr_info(vaddr_t va, size_t cnt, bool is_32bit) 1726 { 1727 struct __elf_phdr_info32 *info32 = (struct __elf_phdr_info32 *)va; 1728 struct __elf_phdr_info *info = (struct __elf_phdr_info *)va; 1729 struct dl_phdr_info32 *dlpi32 = NULL; 1730 struct dl_phdr_info *dlpi = NULL; 1731 size_t prev_cnt = 0; 1732 void *ptr = NULL; 1733 1734 if (is_32bit) { 1735 ptr = (void *)(vaddr_t)info32->dlpi; 1736 ptr = realloc(ptr, cnt * sizeof(*dlpi32)); 1737 if (!ptr) 1738 return TEE_ERROR_OUT_OF_MEMORY; 1739 dlpi32 = ptr; 1740 prev_cnt = info32->count; 1741 if (cnt > prev_cnt) 1742 memset(dlpi32 + prev_cnt, 0, 1743 (cnt - prev_cnt) * sizeof(*dlpi32)); 1744 info32->dlpi = (uint32_t)(vaddr_t)dlpi32; 1745 info32->count = cnt; 1746 } else { 1747 ptr = realloc(info->dlpi, cnt * sizeof(*dlpi)); 1748 if (!ptr) 1749 return TEE_ERROR_OUT_OF_MEMORY; 1750 dlpi = ptr; 1751 prev_cnt = info->count; 1752 if (cnt > prev_cnt) 1753 memset(dlpi + prev_cnt, 0, 1754 (cnt - prev_cnt) * sizeof(*dlpi)); 1755 info->dlpi = dlpi; 1756 info->count = cnt; 1757 } 1758 1759 return TEE_SUCCESS; 1760 } 1761 1762 static void fill_elf_phdr_info(vaddr_t va, size_t idx, struct ta_elf *elf, 1763 bool is_32bit) 1764 { 1765 struct __elf_phdr_info32 *info32 = (struct __elf_phdr_info32 *)va; 1766 struct __elf_phdr_info *info = (struct __elf_phdr_info *)va; 1767 struct dl_phdr_info32 *dlpi32 = NULL; 1768 struct dl_phdr_info *dlpi = NULL; 1769 1770 if (is_32bit) { 1771 assert(idx < info32->count); 1772 dlpi32 = (struct dl_phdr_info32 *)(vaddr_t)info32->dlpi + idx; 1773 1774 dlpi32->dlpi_addr = elf->load_addr; 1775 if (elf->soname) 1776 dlpi32->dlpi_name = (vaddr_t)elf->soname; 1777 else 1778 dlpi32->dlpi_name = (vaddr_t)&info32->zero; 1779 dlpi32->dlpi_phdr = (vaddr_t)elf->phdr; 1780 dlpi32->dlpi_phnum = elf->e_phnum; 1781 dlpi32->dlpi_adds = 1; /* No unloading on dlclose() currently */ 1782 dlpi32->dlpi_subs = 0; /* No unloading on dlclose() currently */ 1783 dlpi32->dlpi_tls_modid = elf->tls_mod_id; 1784 dlpi32->dlpi_tls_data = elf->tls_start; 1785 } else { 1786 assert(idx < info->count); 1787 dlpi = info->dlpi + idx; 1788 1789 dlpi->dlpi_addr = elf->load_addr; 1790 if (elf->soname) 1791 dlpi->dlpi_name = elf->soname; 1792 else 1793 dlpi->dlpi_name = &info32->zero; 1794 dlpi->dlpi_phdr = elf->phdr; 1795 dlpi->dlpi_phnum = elf->e_phnum; 1796 dlpi->dlpi_adds = 1; /* No unloading on dlclose() currently */ 1797 dlpi->dlpi_subs = 0; /* No unloading on dlclose() currently */ 1798 dlpi->dlpi_tls_modid = elf->tls_mod_id; 1799 dlpi->dlpi_tls_data = (void *)elf->tls_start; 1800 } 1801 } 1802 1803 /* Set or update __elf_hdr_info in the TA with information from the ELF queue */ 1804 TEE_Result ta_elf_set_elf_phdr_info(bool is_32bit) 1805 { 1806 struct __elf_phdr_info *info = NULL; 1807 TEE_Result res = TEE_SUCCESS; 1808 struct ta_elf *elf = NULL; 1809 vaddr_t info_va = 0; 1810 size_t cnt = 0; 1811 1812 res = ta_elf_resolve_sym("__elf_phdr_info", &info_va, NULL, NULL); 1813 if (res) { 1814 if (res == TEE_ERROR_ITEM_NOT_FOUND) { 1815 /* Older TA */ 1816 return TEE_SUCCESS; 1817 } 1818 return res; 1819 } 1820 assert(info_va); 1821 1822 info = (struct __elf_phdr_info *)info_va; 1823 if (info->reserved) 1824 return TEE_ERROR_NOT_SUPPORTED; 1825 1826 TAILQ_FOREACH(elf, &main_elf_queue, link) 1827 cnt++; 1828 1829 res = realloc_elf_phdr_info(info_va, cnt, is_32bit); 1830 if (res) 1831 return res; 1832 1833 cnt = 0; 1834 TAILQ_FOREACH(elf, &main_elf_queue, link) { 1835 fill_elf_phdr_info(info_va, cnt, elf, is_32bit); 1836 cnt++; 1837 } 1838 1839 return TEE_SUCCESS; 1840 } 1841