Text Relocations

When code is executed by a processor it must usually access various parts of the address space to access objects like variables or functions. There are two ways in which objects can be access:

The former seem to be the most obvious choice. At runtime each object has a fixed address which has to be known and can be used. There are two key words in this sentence: at runtime. The final layout of the address space is often not fixed until runtime. In the early days this was no problem. Programs consisted of one big block of code loaded at a fixed address. But today we have shared libraries and position independent executables (PIEs). For those kinds of position independent binaries the actual address used at runtime is not known until the binary is loaded. Referencing any object in an position independent binary cannot simply happen with an absolute address. There are two solutions of different efficiency for two different situations:

  1. The references to an object from a function in the same position independent binary can take advantage of the fact that regardless of where the binary is loaded, the relative distance between a specific point in the binary and the object is constant. Using addressing relative to a fixed point in the binary means that once the address of the fixed point in the object is determine all that is needed is to add the offset to the value to get the final address. The generated code does not need any change as long as the base value is treated as a variable.Some processors allow even simpler handling of this: the address of the instruction can be implicitly used as the base value. This requires no base value kept around.

  2. For references from a function in one binary to an object in another binary there is no fixed offset which can be determined at link-time. With ELF the final object might not even be found in the same binary for every start of the program. Therefore it is necessary to dynamically compute the address of the object the first time it is used in each program run.

How to generate programs to create the best possible references and many more things about position independent binaries is explained in my DSO How-To. What is explained in the following sections is how to correct the mistake of not using the correct way to generate position independent binaries. The result of such mistakes are text relocations. Some of the more modern architectures architecture (or more correctly, their ABIs) actively forbid text relocations. But there are others and unfortunately x86 is among them.

What do they look like?

A text relocation is the result of a reference to an object with a variable address at runtime using an absolute addressing mode. The instruction encoding itself contains the address and therefore the executable text of the binary must be changed to contain the correct address when taking the actual load addresses at runtime into account.

The result of a text relocation is that the binary text is written to. This means this page of the binary cannot be physically shared with other processes on the system (this is the goal of DSOs, aka shared libraries). It also means that the binary must have permission to change the access permissions for the memory page to include writing and then back to executing. This is a privileged operation when SELinux is enabled. I have a write-up of the ways this privilege mechanism makes itself known and how it can be controlled, if necessary.

Spotting binaries with text relocations is simple. The linker is supposed to mark them. It sets the DF_TEXTREL bit in the DT_FLAGS entry in the dynamic section. In older binaries a DT_TEXTREL entry is present. In any case, a binary with text relocations can be spotted with this:

eu-readelf -d  | fgrep -q TEXTREL

If this command pipeline exits with a zero status a text relocation is present.

This is the easy part of recognizing text relocations. It is more difficult to spot the exact relocation record(s) responsible for the TEXTREL flag. The relocation records of a binary can be viewed with

eu-readelf -r 

The first column is the address. Every address that is in the range of a segment which is loaded without write permission indicates a text relocation. The addresses of the segments can be seen with

eu-readelf -l  | fgrep LOAD

This alone can be pretty time consuming but it gets worse.

What is responsible?

To be able to remove the text relocation it is necessary to find out what piece of code corresponds to the address with the text relocation. The minimum information needed is a function name. Better yet is it to get the source file name and line number information as well. To get all this one can look through the symbol tables and debug information of the binary. eu-readelf provides all this information as well.but it is tedious to get to it. There is the eu-addr2line program which can make this much simpler. Given a binary name, the program can provide source file and line information for all the address given as input.

This is still quite complicated. It means three steps to arrive at the result. Too much for most developers who are not accustomed with binary formats or cannot find the time to dig into the details.

There is Help

Because text relocations are a huge problem and because it is obvious that programmers are not willing to put in the time to figure out the details I have written a tool which automates the process. It is, just like the other programs mentioned here, part of the elfutils package. Before we see how to use the program look at this code:

int a;
int
main (void)
{
  return a;
}

If this code is compiled on x86 with

gcc -o u -g -pie u.c

one can verify with the above mentioned commands that the resulting binary contains text relocations. The explained three steps can be used to find the reason for the text relocation. Or: one can run a single command:

eu-findtextrel u

In the case of this binaries the result of this program run will be the following output:

/home/drepper/local/elfutils-build/20060530/u.c not compiled with -fpic/-fPIC

That's as precise as one gets it. The solution is indeed to pass additional parameters to the compiler. -fpic and -fPIC are mentioned here (see the DSO How-To for the difference). The tool could also have mentioned -fpie and -fPIE which might be more optimal in this case. In any case, the solution for most C files is as simple as this.

The tool is not able to distinguish compiler-generated code from assembler code written by the programmer. In both cases the tool will print the message above since it is what is correct in 99% of all cases. If the problem is indeed the result of hand-written assembler code the solution is not as simple as adding a compiler/assembler flag. The code needs to be rewritten. This is architecture specific and can vary widely between every single instance. We are not going into those details here. Find a person with sufficient assembly programming skills if this problem appears.

The program above was compiled with debugging enabled. If this is not the case or the debug information is not available the tool cannot give information about the file which must be recompiled. In this case the output looks like this:

the file containing the function 'main' is not compiled with -fpic/-fPIC

It is left to the person who has to fix the problem to map the function name to a source file. In some situation it is not clear which function is responsible and then the tool gives the user the names of two functions, both of which are candidates. This is still a good situation. Sometimes no information at all is available and then the tool can only provide an address value and it is up to the user to figure out from what sources the code at that address has been generated. The tool does all it can to give as good information as possible. But there are limits. To not be exposed to the limits it is best to have debug information available.

Conclusion

Using the eu-findtextrel program it is in most situations relatively painless to determine the culprit(s) for the text relocations easily. There is usually no reason to not fix the problems. While a programs with text relocations can be made to run by relaxing the SELinux security this is a bad idea. The kind of permissions which have to be granted to the program create a gaping hole in the security policy. Attackers will be able to modify the memory as well. If this is not the case a program can enforce a strict W^X policy. I.e., no memory page is writable and executable at the same time. And more: SElinux can also enforce that no writable page can be marked as read/exec-only. With these provisions an attacker has no room where to place his/her exploit code. This is a huge win. So, always fix all text relocations. We've made it as easy as possible.