b6453c52ac
Before, dynamic executables would initialize the global stack protector twice, once for the linker, and once for the executable. This worked because the result was the same for both initializations, because it used getauxval(AT_RANDOM), which won't be the case once arc4random gets used for it. Bug: http://b/29622562 Change-Id: I7718b1ba8ee8fac7127ab2360cb1088e510fef5c Test: ran the stack protector tests on angler (32/64bit, static/dynamic)
374 lines
11 KiB
C++
374 lines
11 KiB
C++
/*
|
|
* Copyright (C) 2008 The Android Open Source Project
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* * Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* * Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in
|
|
* the documentation and/or other materials provided with the
|
|
* distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
|
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
|
* COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
|
|
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
|
|
* OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
|
|
* AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
|
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
|
|
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGE.
|
|
*/
|
|
|
|
#include "libc_init_common.h"
|
|
|
|
#include <elf.h>
|
|
#include <errno.h>
|
|
#include <fcntl.h>
|
|
#include <stddef.h>
|
|
#include <stdint.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <sys/auxv.h>
|
|
#include <sys/personality.h>
|
|
#include <sys/time.h>
|
|
#include <unistd.h>
|
|
|
|
#include "private/KernelArgumentBlock.h"
|
|
#include "private/WriteProtected.h"
|
|
#include "private/bionic_auxv.h"
|
|
#include "private/bionic_globals.h"
|
|
#include "private/bionic_tls.h"
|
|
#include "private/libc_logging.h"
|
|
#include "private/thread_private.h"
|
|
#include "pthread_internal.h"
|
|
|
|
extern "C" abort_msg_t** __abort_message_ptr;
|
|
extern "C" int __system_properties_init(void);
|
|
|
|
__LIBC_HIDDEN__ WriteProtected<libc_globals> __libc_globals;
|
|
|
|
// Not public, but well-known in the BSDs.
|
|
const char* __progname;
|
|
|
|
// Declared in <unistd.h>.
|
|
char** environ;
|
|
|
|
#if defined(__i386__)
|
|
__LIBC_HIDDEN__ void* __libc_sysinfo = nullptr;
|
|
|
|
__LIBC_HIDDEN__ void __libc_init_sysinfo(KernelArgumentBlock& args) {
|
|
__libc_sysinfo = reinterpret_cast<void*>(args.getauxval(AT_SYSINFO));
|
|
}
|
|
|
|
// TODO: lose this function and just access __libc_sysinfo directly.
|
|
__LIBC_HIDDEN__ extern "C" void* __kernel_syscall() {
|
|
return __libc_sysinfo;
|
|
}
|
|
#endif
|
|
|
|
void __libc_init_globals(KernelArgumentBlock& args) {
|
|
#if defined(__i386__)
|
|
__libc_init_sysinfo(args);
|
|
#endif
|
|
// Initialize libc globals that are needed in both the linker and in libc.
|
|
// In dynamic binaries, this is run at least twice for different copies of the
|
|
// globals, once for the linker's copy and once for the one in libc.so.
|
|
__libc_auxv = args.auxv;
|
|
__libc_globals.initialize();
|
|
__libc_globals.mutate([&args](libc_globals* globals) {
|
|
__libc_init_vdso(globals, args);
|
|
__libc_init_setjmp_cookie(globals, args);
|
|
});
|
|
}
|
|
|
|
#if !defined(__LP64__)
|
|
static void __check_max_thread_id() {
|
|
if (gettid() > 65535) {
|
|
__libc_fatal("Limited by the size of pthread_mutex_t, 32 bit bionic libc only accepts "
|
|
"pid <= 65535, but current pid is %d", gettid());
|
|
}
|
|
}
|
|
#endif
|
|
|
|
static void arc4random_fork_handler() {
|
|
_rs_forked = 1;
|
|
_thread_arc4_lock();
|
|
}
|
|
|
|
void __libc_init_common(KernelArgumentBlock& args) {
|
|
// Initialize various globals.
|
|
environ = args.envp;
|
|
errno = 0;
|
|
__progname = args.argv[0] ? args.argv[0] : "<unknown>";
|
|
__abort_message_ptr = args.abort_message_ptr;
|
|
|
|
#if !defined(__LP64__)
|
|
__check_max_thread_id();
|
|
#endif
|
|
|
|
// Get the main thread from TLS and add it to the thread list.
|
|
pthread_internal_t* main_thread = __get_thread();
|
|
__pthread_internal_add(main_thread);
|
|
|
|
// Register atfork handlers to take and release the arc4random lock.
|
|
pthread_atfork(arc4random_fork_handler, _thread_arc4_unlock, _thread_arc4_unlock);
|
|
|
|
__system_properties_init(); // Requires 'environ'.
|
|
}
|
|
|
|
__noreturn static void __early_abort(int line) {
|
|
// We can't write to stdout or stderr because we're aborting before we've checked that
|
|
// it's safe for us to use those file descriptors. We probably can't strace either, so
|
|
// we rely on the fact that if we dereference a low address, either debuggerd or the
|
|
// kernel's crash dump will show the fault address.
|
|
*reinterpret_cast<int*>(line) = 0;
|
|
_exit(EXIT_FAILURE);
|
|
}
|
|
|
|
// Force any of the closed stdin, stdout and stderr to be associated with /dev/null.
|
|
static void __nullify_closed_stdio() {
|
|
int dev_null = TEMP_FAILURE_RETRY(open("/dev/null", O_RDWR));
|
|
if (dev_null == -1) {
|
|
// init won't have /dev/null available, but SELinux provides an equivalent.
|
|
dev_null = TEMP_FAILURE_RETRY(open("/sys/fs/selinux/null", O_RDWR));
|
|
}
|
|
if (dev_null == -1) {
|
|
__early_abort(__LINE__);
|
|
}
|
|
|
|
// If any of the stdio file descriptors is valid and not associated
|
|
// with /dev/null, dup /dev/null to it.
|
|
for (int i = 0; i < 3; i++) {
|
|
// If it is /dev/null already, we are done.
|
|
if (i == dev_null) {
|
|
continue;
|
|
}
|
|
|
|
// Is this fd already open?
|
|
int status = TEMP_FAILURE_RETRY(fcntl(i, F_GETFL));
|
|
if (status != -1) {
|
|
continue;
|
|
}
|
|
|
|
// The only error we allow is that the file descriptor does not
|
|
// exist, in which case we dup /dev/null to it.
|
|
if (errno == EBADF) {
|
|
// Try dupping /dev/null to this stdio file descriptor and
|
|
// repeat if there is a signal. Note that any errors in closing
|
|
// the stdio descriptor are lost.
|
|
status = TEMP_FAILURE_RETRY(dup2(dev_null, i));
|
|
if (status == -1) {
|
|
__early_abort(__LINE__);
|
|
}
|
|
} else {
|
|
__early_abort(__LINE__);
|
|
}
|
|
}
|
|
|
|
// If /dev/null is not one of the stdio file descriptors, close it.
|
|
if (dev_null > 2) {
|
|
if (close(dev_null) == -1) {
|
|
__early_abort(__LINE__);
|
|
}
|
|
}
|
|
}
|
|
|
|
// Check if the environment variable definition at 'envstr'
|
|
// starts with '<name>=', and if so return the address of the
|
|
// first character after the equal sign. Otherwise return null.
|
|
static const char* env_match(const char* envstr, const char* name) {
|
|
size_t i = 0;
|
|
|
|
while (envstr[i] == name[i] && name[i] != '\0') {
|
|
++i;
|
|
}
|
|
|
|
if (name[i] == '\0' && envstr[i] == '=') {
|
|
return envstr + i + 1;
|
|
}
|
|
|
|
return nullptr;
|
|
}
|
|
|
|
static bool __is_valid_environment_variable(const char* name) {
|
|
// According to the kernel source, by default the kernel uses 32*PAGE_SIZE
|
|
// as the maximum size for an environment variable definition.
|
|
const int MAX_ENV_LEN = 32*4096;
|
|
|
|
if (name == nullptr) {
|
|
return false;
|
|
}
|
|
|
|
// Parse the string, looking for the first '=' there, and its size.
|
|
int pos = 0;
|
|
int first_equal_pos = -1;
|
|
while (pos < MAX_ENV_LEN) {
|
|
if (name[pos] == '\0') {
|
|
break;
|
|
}
|
|
if (name[pos] == '=' && first_equal_pos < 0) {
|
|
first_equal_pos = pos;
|
|
}
|
|
pos++;
|
|
}
|
|
|
|
// Check that it's smaller than MAX_ENV_LEN (to detect non-zero terminated strings).
|
|
if (pos >= MAX_ENV_LEN) {
|
|
return false;
|
|
}
|
|
|
|
// Check that it contains at least one equal sign that is not the first character
|
|
if (first_equal_pos < 1) {
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool __is_unsafe_environment_variable(const char* name) {
|
|
// None of these should be allowed when the AT_SECURE auxv
|
|
// flag is set. This flag is set to inform userspace that a
|
|
// security transition has occurred, for example, as a result
|
|
// of executing a setuid program or the result of an SELinux
|
|
// security transition.
|
|
static constexpr const char* UNSAFE_VARIABLE_NAMES[] = {
|
|
"GCONV_PATH",
|
|
"GETCONF_DIR",
|
|
"HOSTALIASES",
|
|
"JE_MALLOC_CONF",
|
|
"LD_AOUT_LIBRARY_PATH",
|
|
"LD_AOUT_PRELOAD",
|
|
"LD_AUDIT",
|
|
"LD_DEBUG",
|
|
"LD_DEBUG_OUTPUT",
|
|
"LD_DYNAMIC_WEAK",
|
|
"LD_LIBRARY_PATH",
|
|
"LD_ORIGIN_PATH",
|
|
"LD_PRELOAD",
|
|
"LD_PROFILE",
|
|
"LD_SHOW_AUXV",
|
|
"LD_USE_LOAD_BIAS",
|
|
"LOCALDOMAIN",
|
|
"LOCPATH",
|
|
"MALLOC_CHECK_",
|
|
"MALLOC_CONF",
|
|
"MALLOC_TRACE",
|
|
"NIS_PATH",
|
|
"NLSPATH",
|
|
"RESOLV_HOST_CONF",
|
|
"RES_OPTIONS",
|
|
"TMPDIR",
|
|
"TZDIR",
|
|
};
|
|
for (const auto& unsafe_variable_name : UNSAFE_VARIABLE_NAMES) {
|
|
if (env_match(name, unsafe_variable_name) != nullptr) {
|
|
return true;
|
|
}
|
|
}
|
|
return false;
|
|
}
|
|
|
|
static void __sanitize_environment_variables(char** env) {
|
|
bool is_AT_SECURE = getauxval(AT_SECURE);
|
|
char** src = env;
|
|
char** dst = env;
|
|
for (; src[0] != nullptr; ++src) {
|
|
if (!__is_valid_environment_variable(src[0])) {
|
|
continue;
|
|
}
|
|
// Remove various unsafe environment variables if we're loading a setuid program.
|
|
if (is_AT_SECURE && __is_unsafe_environment_variable(src[0])) {
|
|
continue;
|
|
}
|
|
dst[0] = src[0];
|
|
++dst;
|
|
}
|
|
dst[0] = nullptr;
|
|
}
|
|
|
|
static void __initialize_personality() {
|
|
#if !defined(__LP64__)
|
|
int old_value = personality(0xffffffff);
|
|
if (old_value == -1) {
|
|
__libc_fatal("error getting old personality value: %s", strerror(errno));
|
|
}
|
|
|
|
if (personality((static_cast<unsigned int>(old_value) & ~PER_MASK) | PER_LINUX32) == -1) {
|
|
__libc_fatal("error setting PER_LINUX32 personality: %s", strerror(errno));
|
|
}
|
|
#endif
|
|
}
|
|
|
|
void __libc_init_AT_SECURE(KernelArgumentBlock& args) {
|
|
__libc_auxv = args.auxv;
|
|
|
|
// Check that the kernel provided a value for AT_SECURE.
|
|
bool found_AT_SECURE = false;
|
|
for (ElfW(auxv_t)* v = __libc_auxv; v->a_type != AT_NULL; ++v) {
|
|
if (v->a_type == AT_SECURE) {
|
|
found_AT_SECURE = true;
|
|
break;
|
|
}
|
|
}
|
|
if (!found_AT_SECURE) __early_abort(__LINE__);
|
|
|
|
if (getauxval(AT_SECURE)) {
|
|
// If this is a setuid/setgid program, close the security hole described in
|
|
// https://www.freebsd.org/security/advisories/FreeBSD-SA-02:23.stdio.asc
|
|
__nullify_closed_stdio();
|
|
|
|
__sanitize_environment_variables(args.envp);
|
|
}
|
|
|
|
// Now the environment has been sanitized, make it available.
|
|
environ = args.envp;
|
|
|
|
__initialize_personality();
|
|
}
|
|
|
|
/* This function will be called during normal program termination
|
|
* to run the destructors that are listed in the .fini_array section
|
|
* of the executable, if any.
|
|
*
|
|
* 'fini_array' points to a list of function addresses. The first
|
|
* entry in the list has value -1, the last one has value 0.
|
|
*/
|
|
void __libc_fini(void* array) {
|
|
typedef void (*Dtor)();
|
|
Dtor* fini_array = reinterpret_cast<Dtor*>(array);
|
|
const Dtor minus1 = reinterpret_cast<Dtor>(static_cast<uintptr_t>(-1));
|
|
|
|
// Sanity check - first entry must be -1.
|
|
if (array == NULL || fini_array[0] != minus1) {
|
|
return;
|
|
}
|
|
|
|
// Skip over it.
|
|
fini_array += 1;
|
|
|
|
// Count the number of destructors.
|
|
int count = 0;
|
|
while (fini_array[count] != NULL) {
|
|
++count;
|
|
}
|
|
|
|
// Now call each destructor in reverse order.
|
|
while (count > 0) {
|
|
Dtor dtor = fini_array[--count];
|
|
|
|
// Sanity check, any -1 in the list is ignored.
|
|
if (dtor == minus1) {
|
|
continue;
|
|
}
|
|
|
|
dtor();
|
|
}
|
|
}
|