Statically linked executables should honor AT_SECURE.

Bug: http://b/19647373
Change-Id: I10e7682d9cec26a523f1a3597ca5326c3ca42ebe
(cherry picked from commit 1801db3d3fe17df543e721b9fb355e5c882dc6cc)

3 files changed, 199 insertions, 0 deletions

diff --git a/libc/bionic/libc_init_common.cpp b/libc/bionic/libc_init_common.cpp
index 36dc085..9b23ece 100644
--- a/libc/bionic/libc_init_common.cpp
+++ b/libc/bionic/libc_init_common.cpp
@@ -30,10 +30,12 @@
 
 #include <elf.h>
 #include <errno.h>
+#include <fcntl.h>
 #include <stddef.h>
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
 #include <sys/auxv.h>
 #include <sys/time.h>
 #include <unistd.h>
@@ -120,6 +122,198 @@ void __libc_init_common(KernelArgumentBlock& args) {
   __libc_init_vdso();
 }
 
+__noreturn static void __early_abort(int line) {
+  // We can't write to stdout or stderr because we're aborting before we've checked that
+  // it's safe for us to use those file descriptors. We probably can't strace either, so
+  // we rely on the fact that if we dereference a low address, either debuggerd or the
+  // kernel's crash dump will show the fault address.
+  *reinterpret_cast<int*>(line) = 0;
+  _exit(EXIT_FAILURE);
+}
+
+// Force any of the closed stdin, stdout and stderr to be associated with /dev/null.
+static void __nullify_closed_stdio() {
+  int dev_null = TEMP_FAILURE_RETRY(open("/dev/null", O_RDWR));
+  if (dev_null == -1) {
+    // init won't have /dev/null available, but SELinux provides an equivalent.
+    dev_null = TEMP_FAILURE_RETRY(open("/sys/fs/selinux/null", O_RDWR));
+  }
+  if (dev_null == -1) {
+    __early_abort(__LINE__);
+  }
+
+  // If any of the stdio file descriptors is valid and not associated
+  // with /dev/null, dup /dev/null to it.
+  for (int i = 0; i < 3; i++) {
+    // If it is /dev/null already, we are done.
+    if (i == dev_null) {
+      continue;
+    }
+
+    // Is this fd already open?
+    int status = TEMP_FAILURE_RETRY(fcntl(i, F_GETFL));
+    if (status != -1) {
+      continue;
+    }
+
+    // The only error we allow is that the file descriptor does not
+    // exist, in which case we dup /dev/null to it.
+    if (errno == EBADF) {
+      // Try dupping /dev/null to this stdio file descriptor and
+      // repeat if there is a signal. Note that any errors in closing
+      // the stdio descriptor are lost.
+      status = TEMP_FAILURE_RETRY(dup2(dev_null, i));
+      if (status == -1) {
+        __early_abort(__LINE__);
+      }
+    } else {
+      __early_abort(__LINE__);
+    }
+  }
+
+  // If /dev/null is not one of the stdio file descriptors, close it.
+  if (dev_null > 2) {
+    if (close(dev_null) == -1) {
+      __early_abort(__LINE__);
+    }
+  }
+}
+
+// Check if the environment variable definition at 'envstr'
+// starts with '<name>=', and if so return the address of the
+// first character after the equal sign. Otherwise return null.
+static const char* env_match(const char* envstr, const char* name) {
+  size_t i = 0;
+
+  while (envstr[i] == name[i] && name[i] != '\0') {
+    ++i;
+  }
+
+  if (name[i] == '\0' && envstr[i] == '=') {
+    return envstr + i + 1;
+  }
+
+  return nullptr;
+}
+
+static bool __is_valid_environment_variable(const char* name) {
+  // According to the kernel source, by default the kernel uses 32*PAGE_SIZE
+  // as the maximum size for an environment variable definition.
+  const int MAX_ENV_LEN = 32*4096;
+
+  if (name == nullptr) {
+    return false;
+  }
+
+  // Parse the string, looking for the first '=' there, and its size.
+  int pos = 0;
+  int first_equal_pos = -1;
+  while (pos < MAX_ENV_LEN) {
+    if (name[pos] == '\0') {
+      break;
+    }
+    if (name[pos] == '=' && first_equal_pos < 0) {
+      first_equal_pos = pos;
+    }
+    pos++;
+  }
+
+  // Check that it's smaller than MAX_ENV_LEN (to detect non-zero terminated strings).
+  if (pos >= MAX_ENV_LEN) {
+    return false;
+  }
+
+  // Check that it contains at least one equal sign that is not the first character
+  if (first_equal_pos < 1) {
+    return false;
+  }
+
+  return true;
+}
+
+static bool __is_unsafe_environment_variable(const char* name) {
+  // None of these should be allowed in setuid programs.
+  static const char* const UNSAFE_VARIABLE_NAMES[] = {
+      "GCONV_PATH",
+      "GETCONF_DIR",
+      "HOSTALIASES",
+      "JE_MALLOC_CONF",
+      "LD_AOUT_LIBRARY_PATH",
+      "LD_AOUT_PRELOAD",
+      "LD_AUDIT",
+      "LD_DEBUG",
+      "LD_DEBUG_OUTPUT",
+      "LD_DYNAMIC_WEAK",
+      "LD_LIBRARY_PATH",
+      "LD_ORIGIN_PATH",
+      "LD_PRELOAD",
+      "LD_PROFILE",
+      "LD_SHOW_AUXV",
+      "LD_USE_LOAD_BIAS",
+      "LOCALDOMAIN",
+      "LOCPATH",
+      "MALLOC_CHECK_",
+      "MALLOC_CONF",
+      "MALLOC_TRACE",
+      "NIS_PATH",
+      "NLSPATH",
+      "RESOLV_HOST_CONF",
+      "RES_OPTIONS",
+      "TMPDIR",
+      "TZDIR",
+      nullptr
+  };
+  for (size_t i = 0; UNSAFE_VARIABLE_NAMES[i] != nullptr; ++i) {
+    if (env_match(name, UNSAFE_VARIABLE_NAMES[i]) != nullptr) {
+      return true;
+    }
+  }
+  return false;
+}
+
+static void __sanitize_environment_variables(char** env) {
+  bool is_AT_SECURE = getauxval(AT_SECURE);
+  char** src = env;
+  char** dst = env;
+  for (; src[0] != nullptr; ++src) {
+    if (!__is_valid_environment_variable(src[0])) {
+      continue;
+    }
+    // Remove various unsafe environment variables if we're loading a setuid program.
+    if (is_AT_SECURE && __is_unsafe_environment_variable(src[0])) {
+      continue;
+    }
+    dst[0] = src[0];
+    ++dst;
+  }
+  dst[0] = nullptr;
+}
+
+void __libc_init_AT_SECURE(KernelArgumentBlock& args) {
+  __libc_auxv = args.auxv;
+
+  // Check that the kernel provided a value for AT_SECURE.
+  bool found_AT_SECURE = false;
+  for (ElfW(auxv_t)* v = __libc_auxv; v->a_type != AT_NULL; ++v) {
+    if (v->a_type == AT_SECURE) {
+      found_AT_SECURE = true;
+      break;
+    }
+  }
+  if (!found_AT_SECURE) __early_abort(__LINE__);
+
+  if (getauxval(AT_SECURE)) {
+    // If this is a setuid/setgid program, close the security hole described in
+    // ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:23.stdio.asc
+    __nullify_closed_stdio();
+
+    __sanitize_environment_variables(args.envp);
+  }
+
+  // Now the environment has been sanitized, make it available.
+  environ = args.envp;
+}
+
 /* This function will be called during normal program termination
  * to run the destructors that are listed in the .fini_array section
  * of the executable, if any.
diff --git a/libc/bionic/libc_init_common.h b/libc/bionic/libc_init_common.h
index 3032f99..673ad5b 100644
--- a/libc/bionic/libc_init_common.h
+++ b/libc/bionic/libc_init_common.h
@@ -49,8 +49,12 @@ __LIBC_HIDDEN__ void __libc_fini(void* finit_array);
 __END_DECLS
 
 #if defined(__cplusplus)
+
 class KernelArgumentBlock;
 __LIBC_HIDDEN__ void __libc_init_common(KernelArgumentBlock& args);
+
+__LIBC_HIDDEN__ void __libc_init_AT_SECURE(KernelArgumentBlock& args);
+
 #endif
 
 #endif
diff --git a/libc/bionic/libc_init_static.cpp b/libc/bionic/libc_init_static.cpp
index bc11f3d..7794fbe 100644
--- a/libc/bionic/libc_init_static.cpp
+++ b/libc/bionic/libc_init_static.cpp
@@ -91,6 +91,7 @@ __noreturn void __libc_init(void* raw_args,
                             structors_array_t const * const structors) {
   KernelArgumentBlock args(raw_args);
   __libc_init_tls(args);
+  __libc_init_AT_SECURE(args);
   __libc_init_common(args);
 
   apply_gnu_relro();