Force a dynamic library to be located on a fixed address, on Android

Question

I want to force a dynamic library to be loaded at a particular memory address. What I should do in order to accomplish this? Modify the dynamic linker? Give any instructions to the static linker? A linker script maybe?

I am working on Android, and when I launch an Android application the Bionic C library is loaded at:

b6d2e000-b6da0000 r-xp 00000000 103:09 139        /system/lib/libc.so
b6da0000-b6da4000 r--p 00071000 103:09 139        /system/lib/libc.so
b6da4000-b6da7000 rw-p 00075000 103:09 139        /system/lib/libc.so
b6da7000-b6db1000 rw-p 00000000 00:00 0

What I want is to give some hints, to the dynamic linker/static linker (or whatever), so when I launch another application (actually a pure C program), the libc.so will be loaded again on the same areas. If ASLR is a problem, we can assume it is disabled.

Currently, my C program has different mappings for the libc than the Android app:

b6f04000-b6f76000 r-xp 00000000 103:09 139        /system/lib/libc.so
b6f76000-b6f7a000 r--p 00071000 103:09 139        /system/lib/libc.so
b6f7a000-b6f7d000 rw-p 00075000 103:09 139        /system/lib/libc.so
b6f7d000-b6f87000 rw-p 00000000 00:00 0

NOTE: both runs was on the same reboot, with ASLR disabled! I guess they are in different areas as an Android app links way more shared libs than a pure C program.

What I want?

Ideally, I would like the libc in the pure C program to be mmaped at the same address with the Android program
At least, a way to place libc where I find convenient (e.g at a lower part of the VMA space maybe)
Make libc part of my C program by statically linking it

I 've tried the last thing, to statically link the libc.a to my C program, so it won't be loaded as a shared library at all, but the android linker was failing at runtime:

Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 11726 (aCprogram)
backtrace:
#00 pc 000057aa  /system/bin/aCprogram (getauxval+5)
#01 pc 0001a593  /system/lib/libc.so (__libc_init_common(KernelArgumentBlock&)+62)
#02 pc 000166a5  /system/lib/libc.so (__libc_preinit()+12)
#03 pc 00002465  /system/bin/linker (__dl__ZN6soinfo13call_functionEPKcPFvvE+48)
#04 pc 0000252f  /system/bin/linker (__dl__ZN6soinfo10call_arrayEPKcPPFvvEjb+134)
#05 pc 000026f5  /system/bin/linker (__dl__ZN6soinfo17call_constructorsEv+160)
#06 pc 000026a9  /system/bin/linker (__dl__ZN6soinfo17call_constructorsEv+84)
#07 pc 000026a9  /system/bin/linker (__dl__ZN6soinfo17call_constructorsEv+84)
#08 pc 000026a9  /system/bin/linker (__dl__ZN6soinfo17call_constructorsEv+84)
#09 pc 000065d7  /system/bin/linker (__dl___linker_init+1278)
#10 pc 00001658  /system/bin/linker (_start+4)

What are you trying to achieve? Android devices do not run in real mode, do they? — TNW, Feb 05 '16 at 00:00
No, they do not, but virtual mappings are still a problem for me! The question will be updated with all the scenarios that solve my problem! — Paschalis, Feb 05 '16 at 00:05
What if another system library was already loaded at that location? — user253751, Feb 05 '16 at 00:17
There aren't many system libraries that are loaded for pure C apps on Android. It's libc, libc++, netd, libm. — Paschalis, Feb 05 '16 at 00:19
I think by answering @paulsm4's question it would help us to understand and to help you — Garf365, Feb 05 '16 at 10:00

Force a dynamic library to be located on a fixed address, on Android

0 Answers0