Re: How can I wrap ld-linux or execve into it?

[Adhemerval Zanella <adhemerval.zanella@linaro.org>]

On 31/01/2022 17:10, Farid Zakaria via Libc-help wrote:
> Hi,
> 
> I am looking to perform some functionality before the dynamic linker
> (linux-ld/ld.so) is invoked.
> 
> My naive assessment was that I would be able to set in the PT_INTERP
> section of a binary, my *static binary*, which will then execve into
> the dynamic linker after doing some precanned actions.
> 
> Unfortunately, trying this has resulted in some SIGSEGV...
> 
> I came across https://github.com/Mic92/nix-ld which seems to do
> something similar, but I was curious why it has to do a lot more to
> achieve the same effect with a jump.
> 
> I have also been pointed to LD_AUDIT however I am also interested in
> having it agnostic to libc (glibc vs. musl)
> 
> Thank you for any tips, guidance or links you can provide.
> FZ

The issue is for static linking _dl_aux_init will setup the _dl_phdr
to the loaded binary (since it was done by the kernel) passed on auxiliary
vectors:

elf/dl-support.c:

246 void
247 _dl_aux_init (ElfW(auxv_t) *av)
248 {
[...]
269       case AT_PHDR:
270         GL(dl_phdr) = (const void *) av->a_un.a_val;
271         break;
[...]

And this is later used to setup the TCB:

csu/libc-tls.c

104 void
105 __libc_setup_tls (void)
106 {
[...]
120   /* Look through the TLS segment if there is any.  */
121   if (_dl_phdr != NULL)
122     for (phdr = _dl_phdr; phdr < &_dl_phdr[_dl_phnum]; ++phdr)
123       if (phdr->p_type == PT_TLS)
124         {
125           /* Remember the values we need.  */
126           memsz = phdr->p_memsz;
127           filesz = phdr->p_filesz;
128           initimage = (void *) phdr->p_vaddr + main_map->l_addr;
129           align = phdr->p_align;
130           if (phdr->p_align > max_align)
131             max_align = phdr->p_align;
132           break;
133         }

The problem is seice _dl_phdr is not pointing to the static programs acting
as loader, the PT_TLS is not considered and thus not initialized correctly.
That's why once __ctype_init tries to access TLS variables it triggers an
invalid memory reference:

(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x000000000045f464 in __ctype_init () at ctype-info.c:31
31        *bp = (const uint16_t *) _NL_CURRENT (LC_CTYPE, _NL_CTYPE_CLASS) + 128;


And I don't think this would be easy to support without changing a *lot* 
on static linking organization.  If you check the loader code, it avoids
to use TLS exactly to avoid this initialization issue.

I think the best option to work by checking elt/rtld.c and see if you can
hack a way link you code after its initialization.