A delay-import symbol (of a function) is resolved when a call to it is made.
The delay loader may overwrite the `__imp_` pointer to the actual function
after it has been resolved, which requires the pointer itself be in a
writeable section.
Previously it was placed in the ordinary Import Address Table (IAT), which
is emitted into the `.idata` section, which had been changed to read-only
in db00f6c3ac, which caused segmentation
faults when functions from delay-import library were called. This is
PR 32675.
This commit makes DLLTOOL emit delay-import IAT into `.didat`, as specified
by Microsoft. Most of the code is copied from `.idata`, except that this
section is writeable. As a side-effect of this, PR 14339 is also fixed.
Using this DEF:
```
; ws2_32.def
LIBRARY "WS2_32.DLL"
EXPORTS
WSAGetLastError
```
and this C program:
```
// delay.c
#define WIN32_LEAN_AND_MEAN 1
#include <windows.h>
#include <stdio.h>
/////////////////////////////////////////////////////////
// User code
/////////////////////////////////////////////////////////
DWORD WINAPI WSAGetLastError(void);
extern PVOID __imp_WSAGetLastError;
int
main(void)
{
fprintf(stderr, "before delay load, __imp_WSAGetLastError = %p\n", __imp_WSAGetLastError);
SetLastError(123);
fprintf(stderr, "WSAGetLastError() = %d\n", WSAGetLastError());
fprintf(stderr, "after delay load, __imp_WSAGetLastError = %p\n", __imp_WSAGetLastError);
__imp_WSAGetLastError = (PVOID) 1234567;
fprintf(stderr, "after plain write, __imp_WSAGetLastError = %p\n", __imp_WSAGetLastError);
}
/////////////////////////////////////////////////////////
// Overridden `__delayLoadHelper2` facility
/////////////////////////////////////////////////////////
extern char __ImageBase[];
PVOID WINAPI ResolveDelayLoadedAPI(PVOID ParentModuleBase, LPCVOID DelayloadDescriptor,
PVOID FailureDllHook, PVOID FailureSystemHook,
FARPROC* ThunkAddress, ULONG Flags);
FARPROC WINAPI DelayLoadFailureHook(LPCSTR name, LPCSTR function);
FARPROC WINAPI __delayLoadHelper2(LPCVOID pidd, FARPROC* ppfnIATEntry)
{
return ResolveDelayLoadedAPI(&__ImageBase, pidd, NULL, (PVOID) DelayLoadFailureHook,
ppfnIATEntry, 0);
}
```
This program used to crash:
```
$ dlltool -nn -d ws2_32.def -y delay_ws2_32.a
$ gcc -g delay.c delay_ws2_32.a -o delay.exe
$ ./delay.exe
before delay load, __imp_WSAGetLastError = 00007FF6937215C6
Segmentation fault
```
After this commit, it loads and calls `WSAGetLastError()` properly, and
`__imp_WSAGetLastError` is writeable:
```
$ dlltool -nn -d ws2_32.def -y delay_ws2_32.a
$ gcc -g delay.c delay_ws2_32.a -o delay.exe
$ ./delay.exe
before delay load, __imp_WSAGetLastError = 00007FF76E2215C6
WSAGetLastError() = 123
after delay load, __imp_WSAGetLastError = 00007FFF191FA720
after plain write, __imp_WSAGetLastError = 000000000012D687
```
Reference: https://learn.microsoft.com/en-us/windows/win32/secbp/pe-metadata#import-handling
Co-authored-by: Jeremy Drake <sourceware-bugzilla@jdrake.com>
Signed-off-by: LIU Hao <lh_mouse@126.com>
Signed-off-by: Jeremy Drake <sourceware-bugzilla@jdrake.com>
dlltool copies strings with strdup all over the place, seeming to take
the attitude that anything might be modified. That leads to lots of
memory leaks. Fixing the leaks by removing the strdup calls of course
means you need to take good care that strings *aren't* modified. This
isn't as easy as it sounds due to functions like xlate that have
const char* params but then manage to modify the strings. I've fixed
xlate, but if I've missed something somewhere then this patch likely
will break dlltool. Testsuite coverage of dlltool isn't good.
The leaks in defparse.y are small. It also is a little work to verify
that all the strings I'm freeing in defparse.y are in fact malloc'd,
which is no doubt why the leaks are there.
Using bfd_xalloc in make_one_lib_file and functions called from there
results in memory being freed automatically at the bfd_close in
make_one_lib_file, without any fuss.
The patch also makes use of xasprintf to replace xmalloc followed by
sprintf.
* defparse.y (opt_name2): Free incoming ID strings after
adding prefix/suffix.
* dlltool.c (struct ifunct): Constify char* fields.
(struct iheadt, struct dlist): Likewise.
(set_dll_name_from_def, def_heapsize, def_stacksize),
(def_section, assemble_file): Use xasprintf.
(def_name, def_library): Free dll_name and name.
(def_description, new_directove): Don't strdup incoming args.
(append_import): Likewise.
(def_import): Free module after appending dllext.
(run): Free temp_base.
(scan_filtered_symbols): Don't segfault on NULL strchr return.
Remove unnecessary strdup.
(scan_drectve_symbols): Likewise. Constify pointers.
Use bfd_malloc_and_get_section. Use xmemdup.
(add_excludes): Use xasprintf and xstrdup.
(gen_exp_file): Free xlate return. Constify pointer to suit
struct changes. Free copy.
(xlate): Always copy arg. Use xasprintf and xstrdup.
(make_imp_label): Add bfd arg. Use bfd_xalloc.
(gen_lib_file): Adjust to suit.
(make_one_lib_file): Likewise. Use bfd_xalloc for section data
and relocs. Simplify code calling xlate, and free xlate return.
(dll_name_list_free_contents): Flatten recursion.
(mangle_defs): Free d_export_vec.
(main): Formatting. Use xasprintf.
* resres.c (write_res_id): Free section data.
When cleaning up an archive, close all its elements. This fixes a
number of ar memory leaks.
bfd/
* archive.c (_bfd_archive_close_and_cleanup): Close elements
of an archive open for writing.
binutils/
* objcopy.c (copy_archive): Don't close output archive
elements here.
* dlltool.c (gen_lib_file): Likewise.
ld/
* pe-dll.c (pe_dll_generate_implib): Don't close output
archive elements here.
This also reduces peak memory a little.
* dlltool.c (identify_search_archive): Close last_arfile earlier.
Report an error if bfd_openr_next_archived_file returns the same
bfd. Localise variables.
* nm.c (display_archive): Likewise.
* objdump.c (display_any_bfd): Likewise.
* size.c (display_archive): Likewise.
For some reason, dlltool supports mcore-elf input files.
* dlltool.c (filter_symbols): Drop symbols with NULL names.
(identify_member_contains_symname): Don't consider symbols
with NULL names.
This also makes the dlltool tests run more PE targets, finding that
sh-pe dlltool reports "Machine 'sh' not supported". I guess no one
cares about that.
PR19459
* dlltool.c (asm_prefix): Remove "mach" parameter. Return
leading_underscore independent of machine.
(ASM_PREFIX): Adjust.
* testsuite/binutils-all/dlltool.exp: Run on any target
satisfying is_pecoff_format for which dlltool is built.
Revert commit 0398b8d6c8. Remove target_xfail.
This patch tidies dlltool code dealing with adding a leading
underscore to generated symbol names. There should be no functional
change here, but there could be if we ever have a bfd target with
symbol_leading_char something other than '_' or 0.
* dlltool.c (leading_underscore): Change from an int to a
char*. Update all uses. If neither --leading-underscore or
--no=leading-underscore is given, set leading_underscore to a
string with first char returned by bfd_get_target_info as the
target's symbol underscoring.
Allow for "snnnnn.o" suffix when testing against NAME_MAX, and tidy
TMP_STUB handling by overwriting a prior nnnnn.o string rather than
copying the entire name.
* dlltool.c (TMP_STUB): Add "nnnnn.o" to format.
(make_one_lib_file): Localise variables. Don't copy TMP_STUB,
overwrite suffix instead.
(gen_lib_file): Similarly.
(main): Allow for max suffix when testing against NAME_MAX.
During the execution of the command: i686-w64-mingw32-dlltool
--input-def $def_filepath --output-delaylib $filepath --dllname qemu.exe
An error occurred:
i686-w64-mingw32-dlltool: failed to open temporary head file: ..._w64_mingw32_nativesdk_qemu_8_2_2_build_plugins_libqemu_plugin_api_a_h.s
Due to the path length exceeding the Linux system's file name length
limit (NAME_MAX=255), the temporary file name generated by the
i686-w64-mingw32-dlltool command becomes too long to open. To address
this, a new temporary file name prefix is generated using tmp_prefix =
prefix_encode ("d", getpid()), ensuring that the file name does not
exceed the system's length limit.
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Reviewed-by: Alan Modra <amodra@gmail.com>
Adds two new external authors to etc/update-copyright.py to cover
bfd/ax_tls.m4, and adds gprofng to dirs handled automatically, then
updates copyright messages as follows:
1) Update cgen/utils.scm emitted copyrights.
2) Run "etc/update-copyright.py --this-year" with an extra external
author I haven't committed, 'Kalray SA.', to cover gas testsuite
files (which should have their copyright message removed).
3) Build with --enable-maintainer-mode --enable-cgen-maint=yes.
4) Check out */po/*.pot which we don't update frequently.
Some places matching the first char of a string against
bfd_get_symbol_leading_char, which may be zero, didn't check for the
string being "". This patch adds the check to stop accesses past the
end of the string and potential buffer overruns.
The dlltool one was found by oss-fuzz quite a while ago.
bfd/
* cofflink.c (_bfd_coff_link_input_bfd): Ensure a zero
bfd_get_symbol_leading_char doesn't lead to accessing past the
zero string terminator.
* linker.c (bfd_wrapped_link_hash_lookup): Likewise.
(unwrap_hash_lookup): Likewise.
binutils/
* dlltool.c (scan_filtered_symbols): Ensure a zero
bfd_get_symbol_leading_char doesn't lead to accessing past the
zero string terminator.
Avoid the use of sprintf with a "%s" format string, replacing with
strcpy or stpcpy. Use sprintf return value rather than a later
strlen. Don't use strcat where we can keep track of the end of a
string output buffer.
* dlltool.c (look_for_prog): memcpy prefix and strcpy prog_name.
* dllwrap.c (look_for_prog): Likewise.
* resrc.c (look_for_default): Likewise. Add quotes with memmove
rather than allocating another buffer.
* size.c (size_number): Use sprintf return value.
* stabs.c (parse_stab_argtypes): Likewise.
* windmc.c (write_bin): Likewes, and use stpcpy.
* wrstabs.c: Similarly throughout.
This adds a mingw target for aarch64, including windres and dlltool.
Note that the old value of jmp_aarch64_bytes was wrong, and this does
the same thing as MSVC does.
The newer update-copyright.py fixes file encoding too, removing cr/lf
on binutils/bfdtest2.c and ld/testsuite/ld-cygwin/exe-export.exp, and
embedded cr in binutils/testsuite/binutils-all/ar.exp string match.
PR 29489
* dlltool.c (deterministic): New variable.
(gen_lib_file): If deterministic is true set the
BFD_DETERMINISTIC_OUTPUT flag.
(usage): Mention --deterministic-libraries and
--non-deterministic-libraries.
(long_options): Add new options.
(main): Parse new options.
* doc/binutils.texi: Document the new options.
* NEWS: Mention the new feature.
ld * pe-dll.c (make_head): Prefix the symbol name with the dll name.
(make_tail, make_one, make_singleton_name_thunk): Likewise.
(make_import_fixup_entry, make_runtime_pseudo_reloc): Likewise.
(pe_create_runtime_relocator_reference): Likewise.
(pe_dll_generate_implib): Set dll_symname_len.
(pe_process_import_defs): Likewise.
binutils
* dlltool.c (main): If a prefix has not been provided, attempt to
use a deterministic one based upon the dll name.
The result of running etc/update-copyright.py --this-year, fixing all
the files whose mode is changed by the script, plus a build with
--enable-maintainer-mode --enable-cgen-maint=yes, then checking
out */po/*.pot which we don't update frequently.
The copy of cgen was with commit d1dd5fcc38ead reverted as that commit
breaks building of bfp opcodes files.
Newer versions of bison emit a prototype for yyerror
void yyerror (const char *);
This clashes with some of our old code that declares yyerror to return
an int. Fix that in most cases by modernizing yyerror. bfin-parse.y
uses the return value all over the place, so for there disable
generation of the prototype as specified by posix.
binutils/
* arparse.y (yyerror): Return void.
* dlltool.c (yyerror): Likewise.
* dlltool.h (yyerror): Likewise.
* sysinfo.y (yyerror): Likewise.
* windmc.h (yyerror): Likewise.
* mclex.c (mc_error): Extract from ..
(yyerror): ..here, both now returning void.
gas/
* config/bfin-parse.y (yyerror): Define.
(yyerror): Make static.
* itbl-parse.y (yyerror): Return void.
ld/
* deffilep.y (def_error): Return void.
This patch performs a run-time test that a shared libbfd.so has been
compiled with the same size bfd_vma as that of apps using the library.
On a 32-bit host it is easily possible to have one libbfd.so compiled
to support 64-bit targets (or configured with --enable-64-bit-bfd)
while another only supports 32-bit targets. The two libraries will
have differently sized bfd_vma types, and if the wrong one is loaded
all sorts of weird behaviour might be seen.
bfd/
PR 23534
* init.c (BFD_INIT_MAGIC): Define.
(bfd_init): Return BFD_INIT_MAGIC.
bfd-in2.h: Regenerate.
binutils/
PR 23534
* addr2line.c (main): Exit with fatal error if bfd_init
returns an unexpected value.
* ar.c (main): Likewise.
* dlltool.c (identify_dll_for_implib): Likewise.
* nm.c (main): Likewise.
* objcopy.c (main): Likewise.
* objdump.c (main): Likewise.
* size.c (main): Likewise.
* strings.c (main): Likewise.
* windmc.c (main): Likewise.
* windres.c (main): Likewise.
gas/
PR 23534
* as.c (main): Exit with fatal error if bfd_init returns an
unexpected value.
ld/
PR 23534
* ldmain.c (main): Exit with fatal error if bfd_init returns
an unexpected value.
