rtld: Workaround Morello LLVM lld bug with local-caprelocs=elf

Morello LLVM's lld always emits PLT-related .dynamic entries when ELF local caprelocs are used even if the PLT is empty. This confuses rtld which tries to treat the start of the binary as a GOT PLT. In particular, rtld itself ends up with an empty PLT and so rtld tries to write to its ELF header which crashes since the page is mapped read-only. Workaround this by ignoring DT_JMPREL and DT_PLTGOT entries whose value is 0. The PLT GOT and PLT relocation table can never be at the start of a valid binary.
CTSRD-CHERI · Jan 8, 2025 · 8a811da · 8a811da
1 parent 7ec64fb
commit 8a811da
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/libexec/rtld-elf/rtld.c b/libexec/rtld-elf/rtld.c
@@ -1485,6 +1485,11 @@ digest_dynamic1(Obj_Entry *obj, int early, const Elf_Dyn **dyn_rpath,
 	    break;
 
 	case DT_JMPREL:
+#ifdef __aarch64__
+	    /* Ignore empty PLT entries for Morello. */
+	    if (dynp->d_un.d_ptr == 0)
+		break;
+#endif
 	    obj->pltrel = (const Elf_Rel *)
 	      (obj->relocbase + dynp->d_un.d_ptr);
 	    break;
@@ -1643,6 +1648,11 @@ digest_dynamic1(Obj_Entry *obj, int early, const Elf_Dyn **dyn_rpath,
 	    break;
 
 	case DT_PLTGOT:
+#ifdef __aarch64__
+	    /* Ignore empty PLT entries for Morello. */
+	    if (dynp->d_un.d_ptr == 0)
+		break;
+#endif
 	    obj->pltgot = (uintptr_t *)(obj->relocbase + dynp->d_un.d_ptr);
 	    break;