diff options
Diffstat (limited to 'libc/bionic')
-rw-r--r-- | libc/bionic/libc_init_common.cpp | 194 | ||||
-rw-r--r-- | libc/bionic/libc_init_common.h | 4 | ||||
-rw-r--r-- | libc/bionic/libc_init_static.cpp | 1 |
3 files changed, 199 insertions, 0 deletions
diff --git a/libc/bionic/libc_init_common.cpp b/libc/bionic/libc_init_common.cpp index 36dc085..9b23ece 100644 --- a/libc/bionic/libc_init_common.cpp +++ b/libc/bionic/libc_init_common.cpp @@ -30,10 +30,12 @@ #include <elf.h> #include <errno.h> +#include <fcntl.h> #include <stddef.h> #include <stdint.h> #include <stdio.h> #include <stdlib.h> +#include <string.h> #include <sys/auxv.h> #include <sys/time.h> #include <unistd.h> @@ -120,6 +122,198 @@ void __libc_init_common(KernelArgumentBlock& args) { __libc_init_vdso(); } +__noreturn static void __early_abort(int line) { + // We can't write to stdout or stderr because we're aborting before we've checked that + // it's safe for us to use those file descriptors. We probably can't strace either, so + // we rely on the fact that if we dereference a low address, either debuggerd or the + // kernel's crash dump will show the fault address. + *reinterpret_cast<int*>(line) = 0; + _exit(EXIT_FAILURE); +} + +// Force any of the closed stdin, stdout and stderr to be associated with /dev/null. +static void __nullify_closed_stdio() { + int dev_null = TEMP_FAILURE_RETRY(open("/dev/null", O_RDWR)); + if (dev_null == -1) { + // init won't have /dev/null available, but SELinux provides an equivalent. + dev_null = TEMP_FAILURE_RETRY(open("/sys/fs/selinux/null", O_RDWR)); + } + if (dev_null == -1) { + __early_abort(__LINE__); + } + + // If any of the stdio file descriptors is valid and not associated + // with /dev/null, dup /dev/null to it. + for (int i = 0; i < 3; i++) { + // If it is /dev/null already, we are done. + if (i == dev_null) { + continue; + } + + // Is this fd already open? + int status = TEMP_FAILURE_RETRY(fcntl(i, F_GETFL)); + if (status != -1) { + continue; + } + + // The only error we allow is that the file descriptor does not + // exist, in which case we dup /dev/null to it. + if (errno == EBADF) { + // Try dupping /dev/null to this stdio file descriptor and + // repeat if there is a signal. Note that any errors in closing + // the stdio descriptor are lost. + status = TEMP_FAILURE_RETRY(dup2(dev_null, i)); + if (status == -1) { + __early_abort(__LINE__); + } + } else { + __early_abort(__LINE__); + } + } + + // If /dev/null is not one of the stdio file descriptors, close it. + if (dev_null > 2) { + if (close(dev_null) == -1) { + __early_abort(__LINE__); + } + } +} + +// Check if the environment variable definition at 'envstr' +// starts with '<name>=', and if so return the address of the +// first character after the equal sign. Otherwise return null. +static const char* env_match(const char* envstr, const char* name) { + size_t i = 0; + + while (envstr[i] == name[i] && name[i] != '\0') { + ++i; + } + + if (name[i] == '\0' && envstr[i] == '=') { + return envstr + i + 1; + } + + return nullptr; +} + +static bool __is_valid_environment_variable(const char* name) { + // According to the kernel source, by default the kernel uses 32*PAGE_SIZE + // as the maximum size for an environment variable definition. + const int MAX_ENV_LEN = 32*4096; + + if (name == nullptr) { + return false; + } + + // Parse the string, looking for the first '=' there, and its size. + int pos = 0; + int first_equal_pos = -1; + while (pos < MAX_ENV_LEN) { + if (name[pos] == '\0') { + break; + } + if (name[pos] == '=' && first_equal_pos < 0) { + first_equal_pos = pos; + } + pos++; + } + + // Check that it's smaller than MAX_ENV_LEN (to detect non-zero terminated strings). + if (pos >= MAX_ENV_LEN) { + return false; + } + + // Check that it contains at least one equal sign that is not the first character + if (first_equal_pos < 1) { + return false; + } + + return true; +} + +static bool __is_unsafe_environment_variable(const char* name) { + // None of these should be allowed in setuid programs. + static const char* const UNSAFE_VARIABLE_NAMES[] = { + "GCONV_PATH", + "GETCONF_DIR", + "HOSTALIASES", + "JE_MALLOC_CONF", + "LD_AOUT_LIBRARY_PATH", + "LD_AOUT_PRELOAD", + "LD_AUDIT", + "LD_DEBUG", + "LD_DEBUG_OUTPUT", + "LD_DYNAMIC_WEAK", + "LD_LIBRARY_PATH", + "LD_ORIGIN_PATH", + "LD_PRELOAD", + "LD_PROFILE", + "LD_SHOW_AUXV", + "LD_USE_LOAD_BIAS", + "LOCALDOMAIN", + "LOCPATH", + "MALLOC_CHECK_", + "MALLOC_CONF", + "MALLOC_TRACE", + "NIS_PATH", + "NLSPATH", + "RESOLV_HOST_CONF", + "RES_OPTIONS", + "TMPDIR", + "TZDIR", + nullptr + }; + for (size_t i = 0; UNSAFE_VARIABLE_NAMES[i] != nullptr; ++i) { + if (env_match(name, UNSAFE_VARIABLE_NAMES[i]) != nullptr) { + return true; + } + } + return false; +} + +static void __sanitize_environment_variables(char** env) { + bool is_AT_SECURE = getauxval(AT_SECURE); + char** src = env; + char** dst = env; + for (; src[0] != nullptr; ++src) { + if (!__is_valid_environment_variable(src[0])) { + continue; + } + // Remove various unsafe environment variables if we're loading a setuid program. + if (is_AT_SECURE && __is_unsafe_environment_variable(src[0])) { + continue; + } + dst[0] = src[0]; + ++dst; + } + dst[0] = nullptr; +} + +void __libc_init_AT_SECURE(KernelArgumentBlock& args) { + __libc_auxv = args.auxv; + + // Check that the kernel provided a value for AT_SECURE. + bool found_AT_SECURE = false; + for (ElfW(auxv_t)* v = __libc_auxv; v->a_type != AT_NULL; ++v) { + if (v->a_type == AT_SECURE) { + found_AT_SECURE = true; + break; + } + } + if (!found_AT_SECURE) __early_abort(__LINE__); + + if (getauxval(AT_SECURE)) { + // If this is a setuid/setgid program, close the security hole described in + // ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:23.stdio.asc + __nullify_closed_stdio(); + + __sanitize_environment_variables(args.envp); + } + + // Now the environment has been sanitized, make it available. + environ = args.envp; +} + /* This function will be called during normal program termination * to run the destructors that are listed in the .fini_array section * of the executable, if any. diff --git a/libc/bionic/libc_init_common.h b/libc/bionic/libc_init_common.h index 3032f99..673ad5b 100644 --- a/libc/bionic/libc_init_common.h +++ b/libc/bionic/libc_init_common.h @@ -49,8 +49,12 @@ __LIBC_HIDDEN__ void __libc_fini(void* finit_array); __END_DECLS #if defined(__cplusplus) + class KernelArgumentBlock; __LIBC_HIDDEN__ void __libc_init_common(KernelArgumentBlock& args); + +__LIBC_HIDDEN__ void __libc_init_AT_SECURE(KernelArgumentBlock& args); + #endif #endif diff --git a/libc/bionic/libc_init_static.cpp b/libc/bionic/libc_init_static.cpp index bc11f3d..7794fbe 100644 --- a/libc/bionic/libc_init_static.cpp +++ b/libc/bionic/libc_init_static.cpp @@ -91,6 +91,7 @@ __noreturn void __libc_init(void* raw_args, structors_array_t const * const structors) { KernelArgumentBlock args(raw_args); __libc_init_tls(args); + __libc_init_AT_SECURE(args); __libc_init_common(args); apply_gnu_relro(); |