71ade013f4
It is easy to dos the property_service socket, since it will wait for a complete data packet from one command before moving on to the next one. To prevent low privilege apps interfering with system and root apps, add a second property_service socket that only they can use. However, since writes to properties are not thread-safe, limit use of this second socket to just sys.powerctl messages. These are the messages that this security issue is concerned about, and they do not actually write to the properties, rather they are acted upon immediately. Bug: 262208935 Test: Builds, boots Ignore-AOSP-First: Security fix Change-Id: I1e96444115de4cc0b021c6864922845de331f6a7
320 lines
10 KiB
C++
320 lines
10 KiB
C++
/*
|
|
* Copyright (C) 2017 The Android Open Source Project
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* * Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* * Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in
|
|
* the documentation and/or other materials provided with the
|
|
* distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
|
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
|
* COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
|
|
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
|
|
* OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
|
|
* AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
|
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
|
|
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGE.
|
|
*/
|
|
|
|
#include <errno.h>
|
|
#include <poll.h>
|
|
#include <stdatomic.h>
|
|
#include <stddef.h>
|
|
#include <stdint.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <sys/socket.h>
|
|
#include <sys/types.h>
|
|
#include <sys/uio.h>
|
|
#include <sys/un.h>
|
|
#define _REALLY_INCLUDE_SYS__SYSTEM_PROPERTIES_H_
|
|
#include <sys/_system_properties.h>
|
|
#include <unistd.h>
|
|
|
|
#include <async_safe/log.h>
|
|
#include <async_safe/CHECK.h>
|
|
|
|
#include "private/bionic_defs.h"
|
|
#include "platform/bionic/macros.h"
|
|
#include "private/ScopedFd.h"
|
|
|
|
static const char property_service_socket[] = "/dev/socket/" PROP_SERVICE_NAME;
|
|
static const char property_service_for_system_socket[] =
|
|
"/dev/socket/" PROP_SERVICE_FOR_SYSTEM_NAME;
|
|
static const char* kServiceVersionPropertyName = "ro.property_service.version";
|
|
|
|
class PropertyServiceConnection {
|
|
public:
|
|
PropertyServiceConnection(const char* name) : last_error_(0) {
|
|
socket_.reset(::socket(AF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0));
|
|
if (socket_.get() == -1) {
|
|
last_error_ = errno;
|
|
return;
|
|
}
|
|
|
|
// If we're trying to set "sys.powerctl" from a privileged process, use the special
|
|
// socket. Because this socket is only accessible to privileged processes, it can't
|
|
// be DoSed directly by malicious apps. (The shell user should be able to reboot,
|
|
// though, so we don't just always use the special socket for "sys.powerctl".)
|
|
// See b/262237198 for context
|
|
const char* socket = property_service_socket;
|
|
if (strcmp(name, "sys.powerctl") == 0 &&
|
|
access(property_service_for_system_socket, W_OK) == 0) {
|
|
socket = property_service_for_system_socket;
|
|
}
|
|
|
|
const size_t namelen = strlen(socket);
|
|
sockaddr_un addr;
|
|
memset(&addr, 0, sizeof(addr));
|
|
strlcpy(addr.sun_path, socket, sizeof(addr.sun_path));
|
|
addr.sun_family = AF_LOCAL;
|
|
socklen_t alen = namelen + offsetof(sockaddr_un, sun_path) + 1;
|
|
|
|
if (TEMP_FAILURE_RETRY(connect(socket_.get(),
|
|
reinterpret_cast<sockaddr*>(&addr), alen)) == -1) {
|
|
last_error_ = errno;
|
|
socket_.reset();
|
|
}
|
|
}
|
|
|
|
bool IsValid() {
|
|
return socket_.get() != -1;
|
|
}
|
|
|
|
int GetLastError() {
|
|
return last_error_;
|
|
}
|
|
|
|
bool RecvInt32(int32_t* value) {
|
|
int result = TEMP_FAILURE_RETRY(recv(socket_.get(), value, sizeof(*value), MSG_WAITALL));
|
|
return CheckSendRecvResult(result, sizeof(*value));
|
|
}
|
|
|
|
int socket() {
|
|
return socket_.get();
|
|
}
|
|
|
|
private:
|
|
bool CheckSendRecvResult(int result, int expected_len) {
|
|
if (result == -1) {
|
|
last_error_ = errno;
|
|
} else if (result != expected_len) {
|
|
last_error_ = -1;
|
|
} else {
|
|
last_error_ = 0;
|
|
}
|
|
|
|
return last_error_ == 0;
|
|
}
|
|
|
|
ScopedFd socket_;
|
|
int last_error_;
|
|
|
|
friend class SocketWriter;
|
|
};
|
|
|
|
class SocketWriter {
|
|
public:
|
|
explicit SocketWriter(PropertyServiceConnection* connection)
|
|
: connection_(connection), iov_index_(0), uint_buf_index_(0) {
|
|
}
|
|
|
|
SocketWriter& WriteUint32(uint32_t value) {
|
|
CHECK(uint_buf_index_ < kUintBufSize);
|
|
CHECK(iov_index_ < kIovSize);
|
|
uint32_t* ptr = uint_buf_ + uint_buf_index_;
|
|
uint_buf_[uint_buf_index_++] = value;
|
|
iov_[iov_index_].iov_base = ptr;
|
|
iov_[iov_index_].iov_len = sizeof(*ptr);
|
|
++iov_index_;
|
|
return *this;
|
|
}
|
|
|
|
SocketWriter& WriteString(const char* value) {
|
|
uint32_t valuelen = strlen(value);
|
|
WriteUint32(valuelen);
|
|
if (valuelen == 0) {
|
|
return *this;
|
|
}
|
|
|
|
CHECK(iov_index_ < kIovSize);
|
|
iov_[iov_index_].iov_base = const_cast<char*>(value);
|
|
iov_[iov_index_].iov_len = valuelen;
|
|
++iov_index_;
|
|
|
|
return *this;
|
|
}
|
|
|
|
bool Send() {
|
|
if (!connection_->IsValid()) {
|
|
return false;
|
|
}
|
|
|
|
if (writev(connection_->socket(), iov_, iov_index_) == -1) {
|
|
connection_->last_error_ = errno;
|
|
return false;
|
|
}
|
|
|
|
iov_index_ = uint_buf_index_ = 0;
|
|
return true;
|
|
}
|
|
|
|
private:
|
|
static constexpr size_t kUintBufSize = 8;
|
|
static constexpr size_t kIovSize = 8;
|
|
|
|
PropertyServiceConnection* connection_;
|
|
iovec iov_[kIovSize];
|
|
size_t iov_index_;
|
|
uint32_t uint_buf_[kUintBufSize];
|
|
size_t uint_buf_index_;
|
|
|
|
BIONIC_DISALLOW_IMPLICIT_CONSTRUCTORS(SocketWriter);
|
|
};
|
|
|
|
struct prop_msg {
|
|
unsigned cmd;
|
|
char name[PROP_NAME_MAX];
|
|
char value[PROP_VALUE_MAX];
|
|
};
|
|
|
|
static int send_prop_msg(const prop_msg* msg) {
|
|
PropertyServiceConnection connection(msg->name);
|
|
if (!connection.IsValid()) {
|
|
return connection.GetLastError();
|
|
}
|
|
|
|
int result = -1;
|
|
int s = connection.socket();
|
|
|
|
const int num_bytes = TEMP_FAILURE_RETRY(send(s, msg, sizeof(prop_msg), 0));
|
|
if (num_bytes == sizeof(prop_msg)) {
|
|
// We successfully wrote to the property server but now we
|
|
// wait for the property server to finish its work. It
|
|
// acknowledges its completion by closing the socket so we
|
|
// poll here (on nothing), waiting for the socket to close.
|
|
// If you 'adb shell setprop foo bar' you'll see the POLLHUP
|
|
// once the socket closes. Out of paranoia we cap our poll
|
|
// at 250 ms.
|
|
pollfd pollfds[1];
|
|
pollfds[0].fd = s;
|
|
pollfds[0].events = 0;
|
|
const int poll_result = TEMP_FAILURE_RETRY(poll(pollfds, 1, 250 /* ms */));
|
|
if (poll_result == 1 && (pollfds[0].revents & POLLHUP) != 0) {
|
|
result = 0;
|
|
} else {
|
|
// Ignore the timeout and treat it like a success anyway.
|
|
// The init process is single-threaded and its property
|
|
// service is sometimes slow to respond (perhaps it's off
|
|
// starting a child process or something) and thus this
|
|
// times out and the caller thinks it failed, even though
|
|
// it's still getting around to it. So we fake it here,
|
|
// mostly for ctl.* properties, but we do try and wait 250
|
|
// ms so callers who do read-after-write can reliably see
|
|
// what they've written. Most of the time.
|
|
async_safe_format_log(ANDROID_LOG_WARN, "libc",
|
|
"Property service has timed out while trying to set \"%s\" to \"%s\"",
|
|
msg->name, msg->value);
|
|
result = 0;
|
|
}
|
|
}
|
|
|
|
return result;
|
|
}
|
|
|
|
static constexpr uint32_t kProtocolVersion1 = 1;
|
|
static constexpr uint32_t kProtocolVersion2 = 2; // current
|
|
|
|
static atomic_uint_least32_t g_propservice_protocol_version = 0;
|
|
|
|
static void detect_protocol_version() {
|
|
char value[PROP_VALUE_MAX];
|
|
if (__system_property_get(kServiceVersionPropertyName, value) == 0) {
|
|
g_propservice_protocol_version = kProtocolVersion1;
|
|
async_safe_format_log(ANDROID_LOG_WARN, "libc",
|
|
"Using old property service protocol (\"%s\" is not set)",
|
|
kServiceVersionPropertyName);
|
|
} else {
|
|
uint32_t version = static_cast<uint32_t>(atoll(value));
|
|
if (version >= kProtocolVersion2) {
|
|
g_propservice_protocol_version = kProtocolVersion2;
|
|
} else {
|
|
async_safe_format_log(ANDROID_LOG_WARN, "libc",
|
|
"Using old property service protocol (\"%s\"=\"%s\")",
|
|
kServiceVersionPropertyName, value);
|
|
g_propservice_protocol_version = kProtocolVersion1;
|
|
}
|
|
}
|
|
}
|
|
|
|
__BIONIC_WEAK_FOR_NATIVE_BRIDGE
|
|
int __system_property_set(const char* key, const char* value) {
|
|
if (key == nullptr) return -1;
|
|
if (value == nullptr) value = "";
|
|
|
|
if (g_propservice_protocol_version == 0) {
|
|
detect_protocol_version();
|
|
}
|
|
|
|
if (g_propservice_protocol_version == kProtocolVersion1) {
|
|
// Old protocol does not support long names or values
|
|
if (strlen(key) >= PROP_NAME_MAX) return -1;
|
|
if (strlen(value) >= PROP_VALUE_MAX) return -1;
|
|
|
|
prop_msg msg;
|
|
memset(&msg, 0, sizeof msg);
|
|
msg.cmd = PROP_MSG_SETPROP;
|
|
strlcpy(msg.name, key, sizeof msg.name);
|
|
strlcpy(msg.value, value, sizeof msg.value);
|
|
|
|
return send_prop_msg(&msg);
|
|
} else {
|
|
// New protocol only allows long values for ro. properties only.
|
|
if (strlen(value) >= PROP_VALUE_MAX && strncmp(key, "ro.", 3) != 0) return -1;
|
|
// Use proper protocol
|
|
PropertyServiceConnection connection(key);
|
|
if (!connection.IsValid()) {
|
|
errno = connection.GetLastError();
|
|
async_safe_format_log(ANDROID_LOG_WARN, "libc",
|
|
"Unable to set property \"%s\" to \"%s\": connection failed: %m", key,
|
|
value);
|
|
return -1;
|
|
}
|
|
|
|
SocketWriter writer(&connection);
|
|
if (!writer.WriteUint32(PROP_MSG_SETPROP2).WriteString(key).WriteString(value).Send()) {
|
|
errno = connection.GetLastError();
|
|
async_safe_format_log(ANDROID_LOG_WARN, "libc",
|
|
"Unable to set property \"%s\" to \"%s\": write failed: %m", key,
|
|
value);
|
|
return -1;
|
|
}
|
|
|
|
int result = -1;
|
|
if (!connection.RecvInt32(&result)) {
|
|
errno = connection.GetLastError();
|
|
async_safe_format_log(ANDROID_LOG_WARN, "libc",
|
|
"Unable to set property \"%s\" to \"%s\": recv failed: %m", key, value);
|
|
return -1;
|
|
}
|
|
|
|
if (result != PROP_SUCCESS) {
|
|
async_safe_format_log(ANDROID_LOG_WARN, "libc",
|
|
"Unable to set property \"%s\" to \"%s\": error code: 0x%x", key, value,
|
|
result);
|
|
return -1;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
}
|