tequilaOS/platform_bionic
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_bionic/libc/bionic/libc_init_common.cpp
Josh Gao c80ffece02 Defer registration of the arc4random fork-detect handler. 
Previously, arc4random would register a fork-detecting pthread_atfork
handler to not have to call getpid() after a fork. pthread_atfork uses
pthread_mutex_lock, which requires the current thread to be initialized,
preventing the use of arc4random for initializing the global stack guard,
which needs to happen before the main thread has been initialized.

Extract the arc4random fork-detection flag and use the existing
arc4random fork handler to set it.

Bug: http://b/29622562
Change-Id: I98c9329fa0e489c3f78cad52747eaaf2f5226b80
2016-06-28 15:52:59 -07:00

385 lines
11 KiB
C++
Raw Blame History

/*
* Copyright (C) 2008 The Android Open Source Project
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
* OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
* AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "libc_init_common.h"
#include <elf.h>
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>
#include <sys/personality.h>
#include <sys/time.h>
#include <unistd.h>
#include "private/KernelArgumentBlock.h"
#include "private/WriteProtected.h"
#include "private/bionic_auxv.h"
#include "private/bionic_globals.h"
#include "private/bionic_ssp.h"
#include "private/bionic_tls.h"
#include "private/libc_logging.h"
#include "private/thread_private.h"
#include "pthread_internal.h"
extern "C" abort_msg_t** __abort_message_ptr;
extern "C" int __system_properties_init(void);
__LIBC_HIDDEN__ WriteProtected<libc_globals> __libc_globals;
// Not public, but well-known in the BSDs.
const char* __progname;
// Declared in <unistd.h>.
char** environ;
// Declared in "private/bionic_ssp.h".
uintptr_t __stack_chk_guard = 0;
void __libc_init_global_stack_chk_guard(KernelArgumentBlock& args) {
// AT_RANDOM is a pointer to 16 bytes of randomness on the stack.
// Take the first 4/8 for the -fstack-protector implementation.
__stack_chk_guard = *reinterpret_cast<uintptr_t*>(args.getauxval(AT_RANDOM));
}
#if defined(__i386__)
__LIBC_HIDDEN__ void* __libc_sysinfo = nullptr;
__LIBC_HIDDEN__ void __libc_init_sysinfo(KernelArgumentBlock& args) {
__libc_sysinfo = reinterpret_cast<void*>(args.getauxval(AT_SYSINFO));
}
// TODO: lose this function and just access __libc_sysinfo directly.
__LIBC_HIDDEN__ extern "C" void* __kernel_syscall() {
return __libc_sysinfo;
}
#endif
void __libc_init_globals(KernelArgumentBlock& args) {
#if defined(__i386__)
__libc_init_sysinfo(args);
#endif
// Initialize libc globals that are needed in both the linker and in libc.
// In dynamic binaries, this is run at least twice for different copies of the
// globals, once for the linker's copy and once for the one in libc.so.
__libc_init_global_stack_chk_guard(args);
__libc_auxv = args.auxv;
__libc_globals.initialize();
__libc_globals.mutate([&args](libc_globals* globals) {
__libc_init_vdso(globals, args);
__libc_init_setjmp_cookie(globals, args);
});
}
#if !defined(__LP64__)
static void __check_max_thread_id() {
if (gettid() > 65535) {
__libc_fatal("Limited by the size of pthread_mutex_t, 32 bit bionic libc only accepts "
"pid <= 65535, but current pid is %d", gettid());
}
}
#endif
static void arc4random_fork_handler() {
_rs_forked = 1;
_thread_arc4_lock();
}
void __libc_init_common(KernelArgumentBlock& args) {
// Initialize various globals.
environ = args.envp;
errno = 0;
__progname = args.argv[0] ? args.argv[0] : "<unknown>";
__abort_message_ptr = args.abort_message_ptr;
#if !defined(__LP64__)
__check_max_thread_id();
#endif
// Get the main thread from TLS and add it to the thread list.
pthread_internal_t* main_thread = __get_thread();
__pthread_internal_add(main_thread);
// Register atfork handlers to take and release the arc4random lock.
pthread_atfork(arc4random_fork_handler, _thread_arc4_unlock, _thread_arc4_unlock);
__system_properties_init(); // Requires 'environ'.
}
__noreturn static void __early_abort(int line) {
// We can't write to stdout or stderr because we're aborting before we've checked that
// it's safe for us to use those file descriptors. We probably can't strace either, so
// we rely on the fact that if we dereference a low address, either debuggerd or the
// kernel's crash dump will show the fault address.
*reinterpret_cast<int*>(line) = 0;
_exit(EXIT_FAILURE);
}
// Force any of the closed stdin, stdout and stderr to be associated with /dev/null.
static void __nullify_closed_stdio() {
int dev_null = TEMP_FAILURE_RETRY(open("/dev/null", O_RDWR));
if (dev_null == -1) {
// init won't have /dev/null available, but SELinux provides an equivalent.
dev_null = TEMP_FAILURE_RETRY(open("/sys/fs/selinux/null", O_RDWR));
}
if (dev_null == -1) {
__early_abort(__LINE__);
}
// If any of the stdio file descriptors is valid and not associated
// with /dev/null, dup /dev/null to it.
for (int i = 0; i < 3; i++) {
// If it is /dev/null already, we are done.
if (i == dev_null) {
continue;
}
// Is this fd already open?
int status = TEMP_FAILURE_RETRY(fcntl(i, F_GETFL));
if (status != -1) {
continue;
}
// The only error we allow is that the file descriptor does not
// exist, in which case we dup /dev/null to it.
if (errno == EBADF) {
// Try dupping /dev/null to this stdio file descriptor and
// repeat if there is a signal. Note that any errors in closing
// the stdio descriptor are lost.
status = TEMP_FAILURE_RETRY(dup2(dev_null, i));
if (status == -1) {
__early_abort(__LINE__);
}
} else {
__early_abort(__LINE__);
}
}
// If /dev/null is not one of the stdio file descriptors, close it.
if (dev_null > 2) {
if (close(dev_null) == -1) {
__early_abort(__LINE__);
}
}
}
// Check if the environment variable definition at 'envstr'
// starts with '<name>=', and if so return the address of the
// first character after the equal sign. Otherwise return null.
static const char* env_match(const char* envstr, const char* name) {
size_t i = 0;
while (envstr[i] == name[i] && name[i] != '\0') {
++i;
}
if (name[i] == '\0' && envstr[i] == '=') {
return envstr + i + 1;
}
return nullptr;
}
static bool __is_valid_environment_variable(const char* name) {
// According to the kernel source, by default the kernel uses 32*PAGE_SIZE
// as the maximum size for an environment variable definition.
const int MAX_ENV_LEN = 32*4096;
if (name == nullptr) {
return false;
}
// Parse the string, looking for the first '=' there, and its size.
int pos = 0;
int first_equal_pos = -1;
while (pos < MAX_ENV_LEN) {
if (name[pos] == '\0') {
break;
}
if (name[pos] == '=' && first_equal_pos < 0) {
first_equal_pos = pos;
}
pos++;
}
// Check that it's smaller than MAX_ENV_LEN (to detect non-zero terminated strings).
if (pos >= MAX_ENV_LEN) {
return false;
}
// Check that it contains at least one equal sign that is not the first character
if (first_equal_pos < 1) {
return false;
}
return true;
}
static bool __is_unsafe_environment_variable(const char* name) {
// None of these should be allowed when the AT_SECURE auxv
// flag is set. This flag is set to inform userspace that a
// security transition has occurred, for example, as a result
// of executing a setuid program or the result of an SELinux
// security transition.
static constexpr const char* UNSAFE_VARIABLE_NAMES[] = {
"GCONV_PATH",
"GETCONF_DIR",
"HOSTALIASES",
"JE_MALLOC_CONF",
"LD_AOUT_LIBRARY_PATH",
"LD_AOUT_PRELOAD",
"LD_AUDIT",
"LD_DEBUG",
"LD_DEBUG_OUTPUT",
"LD_DYNAMIC_WEAK",
"LD_LIBRARY_PATH",
"LD_ORIGIN_PATH",
"LD_PRELOAD",
"LD_PROFILE",
"LD_SHOW_AUXV",
"LD_USE_LOAD_BIAS",
"LOCALDOMAIN",
"LOCPATH",
"MALLOC_CHECK_",
"MALLOC_CONF",
"MALLOC_TRACE",
"NIS_PATH",
"NLSPATH",
"RESOLV_HOST_CONF",
"RES_OPTIONS",
"TMPDIR",
"TZDIR",
};
for (const auto& unsafe_variable_name : UNSAFE_VARIABLE_NAMES) {
if (env_match(name, unsafe_variable_name) != nullptr) {
return true;
}
}
return false;
}
static void __sanitize_environment_variables(char** env) {
bool is_AT_SECURE = getauxval(AT_SECURE);
char** src = env;
char** dst = env;
for (; src[0] != nullptr; ++src) {
if (!__is_valid_environment_variable(src[0])) {
continue;
}
// Remove various unsafe environment variables if we're loading a setuid program.
if (is_AT_SECURE && __is_unsafe_environment_variable(src[0])) {
continue;
}
dst[0] = src[0];
++dst;
}
dst[0] = nullptr;
}
static void __initialize_personality() {
#if !defined(__LP64__)
int old_value = personality(0xffffffff);
if (old_value == -1) {
__libc_fatal("error getting old personality value: %s", strerror(errno));
}
if (personality((static_cast<unsigned int>(old_value) & ~PER_MASK) | PER_LINUX32) == -1) {
__libc_fatal("error setting PER_LINUX32 personality: %s", strerror(errno));
}
#endif
}
void __libc_init_AT_SECURE(KernelArgumentBlock& args) {
__libc_auxv = args.auxv;
// Check that the kernel provided a value for AT_SECURE.
bool found_AT_SECURE = false;
for (ElfW(auxv_t)* v = __libc_auxv; v->a_type != AT_NULL; ++v) {
if (v->a_type == AT_SECURE) {
found_AT_SECURE = true;
break;
}
}
if (!found_AT_SECURE) __early_abort(__LINE__);
if (getauxval(AT_SECURE)) {
// If this is a setuid/setgid program, close the security hole described in
// https://www.freebsd.org/security/advisories/FreeBSD-SA-02:23.stdio.asc
__nullify_closed_stdio();
__sanitize_environment_variables(args.envp);
}
// Now the environment has been sanitized, make it available.
environ = args.envp;
__initialize_personality();
}
/* This function will be called during normal program termination
* to run the destructors that are listed in the .fini_array section
* of the executable, if any.
*
* 'fini_array' points to a list of function addresses. The first
* entry in the list has value -1, the last one has value 0.
*/
void __libc_fini(void* array) {
typedef void (*Dtor)();
Dtor* fini_array = reinterpret_cast<Dtor*>(array);
const Dtor minus1 = reinterpret_cast<Dtor>(static_cast<uintptr_t>(-1));
// Sanity check - first entry must be -1.
if (array == NULL || fini_array[0] != minus1) {
return;
}
// Skip over it.
fini_array += 1;
// Count the number of destructors.
int count = 0;
while (fini_array[count] != NULL) {
++count;
}
// Now call each destructor in reverse order.
while (count > 0) {
Dtor dtor = fini_array[--count];
// Sanity check, any -1 in the list is ignored.
if (dtor == minus1) {
continue;
}
dtor();
}
}
Reference in a new issue View git blame Copy permalink