/* * Copyright (C) 2008 The Android Open Source Project * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include "libc_init_common.h" #include #include #include #include #include #include #include #include #include #include #include #include #include "private/KernelArgumentBlock.h" #include "private/WriteProtected.h" #include "private/bionic_auxv.h" #include "private/bionic_globals.h" #include "private/bionic_tls.h" #include "private/libc_logging.h" #include "private/thread_private.h" #include "pthread_internal.h" extern "C" abort_msg_t** __abort_message_ptr; extern "C" int __system_properties_init(void); __LIBC_HIDDEN__ WriteProtected __libc_globals; // Not public, but well-known in the BSDs. const char* __progname; // Declared in . char** environ; #if defined(__i386__) __LIBC_HIDDEN__ void* __libc_sysinfo = nullptr; __LIBC_HIDDEN__ void __libc_init_sysinfo(KernelArgumentBlock& args) { __libc_sysinfo = reinterpret_cast(args.getauxval(AT_SYSINFO)); } // TODO: lose this function and just access __libc_sysinfo directly. __LIBC_HIDDEN__ extern "C" void* __kernel_syscall() { return __libc_sysinfo; } #endif void __libc_init_globals(KernelArgumentBlock& args) { #if defined(__i386__) __libc_init_sysinfo(args); #endif // Initialize libc globals that are needed in both the linker and in libc. // In dynamic binaries, this is run at least twice for different copies of the // globals, once for the linker's copy and once for the one in libc.so. __libc_auxv = args.auxv; __libc_globals.initialize(); __libc_globals.mutate([&args](libc_globals* globals) { __libc_init_vdso(globals, args); __libc_init_setjmp_cookie(globals, args); }); } #if !defined(__LP64__) static void __check_max_thread_id() { if (gettid() > 65535) { __libc_fatal("Limited by the size of pthread_mutex_t, 32 bit bionic libc only accepts " "pid <= 65535, but current pid is %d", gettid()); } } #endif static void arc4random_fork_handler() { _rs_forked = 1; _thread_arc4_lock(); } void __libc_init_common(KernelArgumentBlock& args) { // Initialize various globals. environ = args.envp; errno = 0; __progname = args.argv[0] ? args.argv[0] : ""; __abort_message_ptr = args.abort_message_ptr; #if !defined(__LP64__) __check_max_thread_id(); #endif // Register atfork handlers to take and release the arc4random lock. pthread_atfork(arc4random_fork_handler, _thread_arc4_unlock, _thread_arc4_unlock); __system_properties_init(); // Requires 'environ'. } __noreturn static void __early_abort(int line) { // We can't write to stdout or stderr because we're aborting before we've checked that // it's safe for us to use those file descriptors. We probably can't strace either, so // we rely on the fact that if we dereference a low address, either debuggerd or the // kernel's crash dump will show the fault address. *reinterpret_cast(line) = 0; _exit(EXIT_FAILURE); } // Force any of the closed stdin, stdout and stderr to be associated with /dev/null. static void __nullify_closed_stdio() { int dev_null = TEMP_FAILURE_RETRY(open("/dev/null", O_RDWR)); if (dev_null == -1) { // init won't have /dev/null available, but SELinux provides an equivalent. dev_null = TEMP_FAILURE_RETRY(open("/sys/fs/selinux/null", O_RDWR)); } if (dev_null == -1) { __early_abort(__LINE__); } // If any of the stdio file descriptors is valid and not associated // with /dev/null, dup /dev/null to it. for (int i = 0; i < 3; i++) { // If it is /dev/null already, we are done. if (i == dev_null) { continue; } // Is this fd already open? int status = TEMP_FAILURE_RETRY(fcntl(i, F_GETFL)); if (status != -1) { continue; } // The only error we allow is that the file descriptor does not // exist, in which case we dup /dev/null to it. if (errno == EBADF) { // Try dupping /dev/null to this stdio file descriptor and // repeat if there is a signal. Note that any errors in closing // the stdio descriptor are lost. status = TEMP_FAILURE_RETRY(dup2(dev_null, i)); if (status == -1) { __early_abort(__LINE__); } } else { __early_abort(__LINE__); } } // If /dev/null is not one of the stdio file descriptors, close it. if (dev_null > 2) { if (close(dev_null) == -1) { __early_abort(__LINE__); } } } // Check if the environment variable definition at 'envstr' // starts with '=', and if so return the address of the // first character after the equal sign. Otherwise return null. static const char* env_match(const char* envstr, const char* name) { size_t i = 0; while (envstr[i] == name[i] && name[i] != '\0') { ++i; } if (name[i] == '\0' && envstr[i] == '=') { return envstr + i + 1; } return nullptr; } static bool __is_valid_environment_variable(const char* name) { // According to the kernel source, by default the kernel uses 32*PAGE_SIZE // as the maximum size for an environment variable definition. const int MAX_ENV_LEN = 32*4096; if (name == nullptr) { return false; } // Parse the string, looking for the first '=' there, and its size. int pos = 0; int first_equal_pos = -1; while (pos < MAX_ENV_LEN) { if (name[pos] == '\0') { break; } if (name[pos] == '=' && first_equal_pos < 0) { first_equal_pos = pos; } pos++; } // Check that it's smaller than MAX_ENV_LEN (to detect non-zero terminated strings). if (pos >= MAX_ENV_LEN) { return false; } // Check that it contains at least one equal sign that is not the first character if (first_equal_pos < 1) { return false; } return true; } static bool __is_unsafe_environment_variable(const char* name) { // None of these should be allowed when the AT_SECURE auxv // flag is set. This flag is set to inform userspace that a // security transition has occurred, for example, as a result // of executing a setuid program or the result of an SELinux // security transition. static constexpr const char* UNSAFE_VARIABLE_NAMES[] = { "GCONV_PATH", "GETCONF_DIR", "HOSTALIASES", "JE_MALLOC_CONF", "LD_AOUT_LIBRARY_PATH", "LD_AOUT_PRELOAD", "LD_AUDIT", "LD_DEBUG", "LD_DEBUG_OUTPUT", "LD_DYNAMIC_WEAK", "LD_LIBRARY_PATH", "LD_ORIGIN_PATH", "LD_PRELOAD", "LD_PROFILE", "LD_SHOW_AUXV", "LD_USE_LOAD_BIAS", "LOCALDOMAIN", "LOCPATH", "MALLOC_CHECK_", "MALLOC_CONF", "MALLOC_TRACE", "NIS_PATH", "NLSPATH", "RESOLV_HOST_CONF", "RES_OPTIONS", "TMPDIR", "TZDIR", }; for (const auto& unsafe_variable_name : UNSAFE_VARIABLE_NAMES) { if (env_match(name, unsafe_variable_name) != nullptr) { return true; } } return false; } static void __sanitize_environment_variables(char** env) { bool is_AT_SECURE = getauxval(AT_SECURE); char** src = env; char** dst = env; for (; src[0] != nullptr; ++src) { if (!__is_valid_environment_variable(src[0])) { continue; } // Remove various unsafe environment variables if we're loading a setuid program. if (is_AT_SECURE && __is_unsafe_environment_variable(src[0])) { continue; } dst[0] = src[0]; ++dst; } dst[0] = nullptr; } static void __initialize_personality() { #if !defined(__LP64__) int old_value = personality(0xffffffff); if (old_value == -1) { __libc_fatal("error getting old personality value: %s", strerror(errno)); } if (personality((static_cast(old_value) & ~PER_MASK) | PER_LINUX32) == -1) { __libc_fatal("error setting PER_LINUX32 personality: %s", strerror(errno)); } #endif } void __libc_init_AT_SECURE(KernelArgumentBlock& args) { __libc_auxv = args.auxv; __abort_message_ptr = args.abort_message_ptr; // Check that the kernel provided a value for AT_SECURE. bool found_AT_SECURE = false; for (ElfW(auxv_t)* v = __libc_auxv; v->a_type != AT_NULL; ++v) { if (v->a_type == AT_SECURE) { found_AT_SECURE = true; break; } } if (!found_AT_SECURE) __early_abort(__LINE__); if (getauxval(AT_SECURE)) { // If this is a setuid/setgid program, close the security hole described in // https://www.freebsd.org/security/advisories/FreeBSD-SA-02:23.stdio.asc __nullify_closed_stdio(); __sanitize_environment_variables(args.envp); } // Now the environment has been sanitized, make it available. environ = args.envp; __initialize_personality(); } /* This function will be called during normal program termination * to run the destructors that are listed in the .fini_array section * of the executable, if any. * * 'fini_array' points to a list of function addresses. The first * entry in the list has value -1, the last one has value 0. */ void __libc_fini(void* array) { typedef void (*Dtor)(); Dtor* fini_array = reinterpret_cast(array); const Dtor minus1 = reinterpret_cast(static_cast(-1)); // Sanity check - first entry must be -1. if (array == NULL || fini_array[0] != minus1) { return; } // Skip over it. fini_array += 1; // Count the number of destructors. int count = 0; while (fini_array[count] != NULL) { ++count; } // Now call each destructor in reverse order. while (count > 0) { Dtor dtor = fini_array[--count]; // Sanity check, any -1 in the list is ignored. if (dtor == minus1) { continue; } dtor(); } }