| Message ID | 20231017130526.2216827-1-adhemerval.zanella@linaro.org |
|---|---|
| Headers |
Return-Path: <libc-alpha-bounces+patchwork=sourceware.org@sourceware.org> X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 64D5C3857026 for <patchwork@sourceware.org>; Tue, 17 Oct 2023 13:05:47 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-pg1-x534.google.com (mail-pg1-x534.google.com [IPv6:2607:f8b0:4864:20::534]) by sourceware.org (Postfix) with ESMTPS id C72313858408 for <libc-alpha@sourceware.org>; Tue, 17 Oct 2023 13:05:32 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org C72313858408 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org C72313858408 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::534 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1697547934; cv=none; b=WFbXOJdHjHs5mPUGRJiwth36VOi62Bq/tZzRwvaDQZJ2OCAOq6MOIxSHXdgWYRCgSlEkMiLRoPlGGr3TLCyjGbjLeJVRpuvkUACWj3XKm2hhuqbRStHU/31ui3flJHkoxX5u5IM5/yIf7vHnUEVV+51KWsPmFMpHhbAO+OZXbFU= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1697547934; c=relaxed/simple; bh=wWcRKCaDmha0yJgmC7N3nZ+z77FsE2ZJzXX/d+iNPcI=; h=DKIM-Signature:From:To:Subject:Date:Message-Id:MIME-Version; b=DspsWei6exRZ8LH42LQGUCdCeB1gOlyTbH7m2pl7rsYq1Z04dO1wcU7nnbNIrB41l3Rc4NtS1uZ+VIhCTnsz6fVW9pmsjdux3PdSjTbAtLGd8UXsvNUZZRCnxh6xP19FpWsHAomd3hShgtkTtFeY950EcJKBamZhvhC8x751MYs= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-pg1-x534.google.com with SMTP id 41be03b00d2f7-578d0dcd4e1so3343241a12.2 for <libc-alpha@sourceware.org>; Tue, 17 Oct 2023 06:05:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1697547931; x=1698152731; darn=sourceware.org; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:from:to:cc:subject:date:message-id:reply-to; bh=tZvgI0Aq1PDqTV4crIuen4RcXYJWHe4/VPQRWfNG42w=; b=HN+nraRyNvtmnJiCnk7jxXMGqu6G7D9fD5uDRWFIWuo9KEjlamq/9icm1E4ByJLBkB 36+liK6tWLJ0fxu7X/2t82/g3VgM6mrBZXyCaQuvqZXNen9pdNOg+A0G4537hbj9AKOc /e73lq/98eBMnzNABis5PK+KipsL3lAW7bZn4mLQPDf23Sbq1/B/hMAv6kwX5PFQJupZ Jdac8/ABHxT2gMNL4c2n38sLYSfPN0QIVeJEOwklAFmyvhYTPrWdmUWxynBI9bZakS0R KmNdjq3Y/RXguE/90Q8G5peXtvhlljObXPsrGv9FUp9jKdSBuj9m7+10v0uZTHjgmZei Iedw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697547931; x=1698152731; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=tZvgI0Aq1PDqTV4crIuen4RcXYJWHe4/VPQRWfNG42w=; b=v91RgYcVzzsOEnhHOqXkxdDJbUo2IGynY3NuR/fmXXhsZoMm3P161lB7DIqDGdmO9i T8YH8k2AE8j6GECZPs8+cZ29VLLQR4l8yt1eCotJslO65vkOO/UP5ibbvDpV5I4zPOIN 7OE/j7/W7Fi+btZpqSu9AUE/ZlLDrT+V381xL7wT6jikd8nJfyzWguFWDpuABRa2Na2/ 7R+ksKTHvlwpB8NY3ote6q9iSPoxLLEeNgrJhdNry+NL/q/+jcPqlTtJ/7T2+aTdSHGT K+Kzn2W8NULZJ8Rjy1n5qp3ZuEUBOxOv+hp2qOgzuMQosL7qQrAIa/HD9Odh3XrabUrA AuPA== X-Gm-Message-State: AOJu0YyB8glG7j30qLxfjo6SV/41jhabp37EWqSRTXkPwvvhJV2voLhv joa+n/AWZx9L/RHIA+OUX27ODBUFfkAXQkfS8Z8= X-Google-Smtp-Source: AGHT+IGShvuZ//3ELdLvyJN4g2PlOAVWDzA4UCscovpN9Nz1ibCFA/KzlK45rYsyW1mn7sETRBrtWw== X-Received: by 2002:a17:90a:f016:b0:27d:5562:7e13 with SMTP id bt22-20020a17090af01600b0027d55627e13mr1997446pjb.39.1697547931185; Tue, 17 Oct 2023 06:05:31 -0700 (PDT) Received: from mandiga.. ([2804:1b3:a7c3:7f2e:11d:92b4:4d78:4197]) by smtp.gmail.com with ESMTPSA id l28-20020a635b5c000000b0056b6d1ac949sm1309788pgm.13.2023.10.17.06.05.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 17 Oct 2023 06:05:30 -0700 (PDT) From: Adhemerval Zanella <adhemerval.zanella@linaro.org> To: libc-alpha@sourceware.org, Siddhesh Poyarekar <siddhesh@sourceware.org> Subject: [PATCH v2 00/19] Improve loader environment variable handling Date: Tue, 17 Oct 2023 10:05:07 -0300 Message-Id: <20231017130526.2216827-1-adhemerval.zanella@linaro.org> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-3.2 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org> List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>, <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe> List-Archive: <https://sourceware.org/pipermail/libc-alpha/> List-Post: <mailto:libc-alpha@sourceware.org> List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help> List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>, <mailto:libc-alpha-request@sourceware.org?subject=subscribe> Errors-To: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org |
| Series |
Improve loader environment variable handling
|
|
Message
Adhemerval Zanella
Oct. 17, 2023, 1:05 p.m. UTC
The recent CVE-2023-4911 fix [1] and tunable change to SXID_ERASE
discussion [2] brought some issues with the current environment handling
by the loader. Besides the bugs in tuning parsing, some other questions
are:
* What should be the security boundaries for tunable and other tuning
environment variables?
* Should tunables be filtered out or be disabled altogether in setuid
binaries [3]?
* How should ld.so handle security-sensitive tunable (like malloc
options)?
* How to handle ill-formatted tunable definition [4]?
* Is tunable copy/parsing (through tunable_strdup) required [5]?
* Which other environment variables the loader should ignore and/or
filter in security-sensitive context.
On this patchset, I followed the idea laid out in the discussion on
whether to apply SXID_ERASE to all tunables [6]:
1. ignore any tunable on AT_SECURE binaries (as some Linux distributions
do already [7]);
2. Add malloc tunables along with GLIBC_TUNABLES to unsecvars;
3. Do not parse ill-formatted GLIBC_TUNABLES strings;
4. Remove the requirement of duplicating the GLIBC_TUNABLES string for
parsing.
5. Ignore most of the environment variables on security-sensitive
mode (AT_SECURE/setuid/setgid).
Patch #1 removes '/etc/suid-debug', which has not been working since
malloc debugging supported moved to libc_malloc_debug.so. It is one
thing less that might change AT_SECURE binaries' behavior
due to environment configurations.
Patch #2 removed tunables parsing and applying for setuid/setgid
binaries (similar to Alt Linux patch).
Patch #3 and #4 add all malloc tunable and GLIBC_TUNABLES to unsecvars
and improve tst-env-setuid.c to test all possible environment variables.
Patch #5 and #6 improved the GLIBC_TUNABLES handling to avoid handling
ill-formatted inputs.
Patch #7 makes _dl_debug_vdprintf usable before self-relocation so patch
#8 can add a loader warning that ill-formatted GLIBC_TUNABLES inputs are
ignored (it also fixes the issue where the GLIBC_TUNABLE allocation
failure will trigger a SEGFAULT on some architecture for PIE).
Patch #9, #10, and #11 remove the tunable_strdup and make the
GLIBC_TUNABLE parsing in place (no more possible allocation failure).
The parsing now tracks the tunable start and its size. The
dl-tunable-parse.h adds helper functions to help to parse, like an
strcmp that also checks for size and an iterator for suboptions that are
comma-separated (used on hwcap parsing by x86, powerpc, and s390x).
Patch #12, #13, #14, #16, and #18 make loader ignore all but just
LD_PRELOAD and LD_AUDIT for setuid binaries. For both options, loader
ensures that pathnames containing slashes are ignored and shared
libraries are loaded only from the standard search directories and only
if they have set-user-ID mode bit enabled.
[1] https://sourceware.org/pipermail/libc-alpha/2023-October/151921.html
[2] https://sourceware.org/pipermail/libc-alpha/2023-October/151936.html
[3] https://www.openwall.com/lists/oss-security/2023/10/03/3
[4] https://sourceware.org/pipermail/libc-alpha/2023-October/151927.html
[5] https://sourceware.org/pipermail/libc-alpha/2023-October/151959.html
[6] https://sourceware.org/pipermail/libc-alpha/2023-October/152011.html
[7] https://git.altlinux.org/gears/g/glibc.git?p=glibc.git;a=commitdiff;h=5d1686416ab766f3dd0780ab730650c4c0f76ca9
Changes from v1:
* Ignore most of the environment variables on security-sensitive mode.
* Extend tests.
Adhemerval Zanella (19):
elf: Remove /etc/suid-debug support
elf: Add GLIBC_TUNABLES to unsecvars
elf: Ignore GLIBC_TUNABLES for setuid/setgid binaries
elf: Add all malloc tunable to unsecvars
elf: Do not process invalid tunable format
elf: Do not parse ill-formatted strings
elf: Fix _dl_debug_vdprintf to work before self-relocation
elf: Emit warning if tunable is ill-formatted
x86: Use dl-symbol-redir-ifunc.h on cpu-tunables
s390: Use dl-symbol-redir-ifunc.h on cpu-tunables
elf: Do not duplicate the GLIBC_TUNABLES string
elf: Ignore LD_PROFILE for setuid binaries
elf: Remove LD_PROFILE for static binaries
elf: Ignore loader debug env vars for setuid
elf: Remove any_debug from dl_main_state
elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for static
elf: Add comments on how LD_AUDIT and LD_PRELOAD handle
__libc_enable_secure
elf: Ignore LD_BIND_NOW and LD_BIND_NOT for setuid binaries
elf: Refactor process_envvars
elf/Makefile | 26 +-
elf/dl-load.c | 10 +-
elf/dl-main.h | 3 -
elf/dl-printf.c | 16 +-
elf/dl-runtime.c | 12 +-
elf/dl-support.c | 41 ++-
elf/dl-tunable-types.h | 10 -
elf/dl-tunables.c | 219 +++++----------
elf/dl-tunables.h | 6 +-
elf/dl-tunables.list | 9 -
elf/{dl-profstub.c => libc-dl-profstub.c} | 0
elf/rtld.c | 122 +++++---
elf/tst-env-setuid-static.c | 1 +
elf/tst-env-setuid-tunables.c | 59 ++--
elf/tst-env-setuid.c | 140 ++++++----
elf/tst-tunables.c | 261 ++++++++++++++++++
include/dlfcn.h | 5 +
manual/README.tunables | 9 -
manual/memory.texi | 4 +-
manual/tunables.texi | 4 +-
scripts/gen-tunables.awk | 18 +-
stdio-common/Makefile | 5 +
stdio-common/_itoa.c | 5 +
sysdeps/aarch64/dl-machine.h | 4 +-
sysdeps/aarch64/dl-trampoline.S | 3 +-
sysdeps/alpha/dl-machine.h | 6 +-
sysdeps/alpha/dl-trampoline.S | 6 +
sysdeps/arm/dl-machine.h | 4 +-
sysdeps/arm/dl-trampoline.S | 2 +-
sysdeps/generic/dl-tunables-parse.h | 128 +++++++++
sysdeps/generic/unsecvars.h | 10 +
sysdeps/hppa/dl-machine.h | 36 +--
sysdeps/hppa/dl-trampoline.S | 2 +
sysdeps/i386/dl-machine.h | 2 +
sysdeps/i386/dl-trampoline.S | 2 +-
.../i686/multiarch/dl-symbol-redir-ifunc.h | 5 +
sysdeps/ia64/dl-machine.h | 10 +-
sysdeps/ia64/dl-trampoline.S | 2 +-
sysdeps/loongarch/dl-machine.h | 6 +-
sysdeps/loongarch/dl-trampoline.h | 2 +
sysdeps/m68k/dl-machine.h | 4 +-
sysdeps/m68k/dl-trampoline.S | 2 +
sysdeps/powerpc/powerpc32/dl-machine.c | 2 +-
sysdeps/powerpc/powerpc32/dl-machine.h | 10 +-
sysdeps/powerpc/powerpc32/dl-trampoline.S | 2 +-
sysdeps/powerpc/powerpc64/dl-machine.h | 20 +-
sysdeps/powerpc/powerpc64/dl-trampoline.S | 2 +-
sysdeps/s390/cpu-features.c | 169 +++++-------
.../s390/multiarch/dl-symbol-redir-ifunc.h | 2 +
sysdeps/s390/s390-32/dl-machine.h | 8 +-
sysdeps/s390/s390-32/dl-trampoline.h | 2 +-
sysdeps/s390/s390-64/dl-machine.h | 8 +-
sysdeps/s390/s390-64/dl-trampoline.h | 2 +-
sysdeps/sh/dl-machine.h | 2 +
sysdeps/sh/dl-trampoline.S | 2 +
sysdeps/sparc/sparc32/dl-machine.h | 4 +-
sysdeps/sparc/sparc32/dl-trampoline.S | 2 +
sysdeps/sparc/sparc64/dl-machine.h | 4 +-
sysdeps/sparc/sparc64/dl-trampoline.S | 2 +
.../unix/sysv/linux/aarch64/cpu-features.c | 38 ++-
.../sysv/linux/i386/dl-writev.h} | 18 +-
.../unix/sysv/linux/powerpc/cpu-features.c | 45 +--
.../sysv/linux/powerpc/tst-hwcap-tunables.c | 6 +-
sysdeps/x86/Makefile | 4 +-
sysdeps/x86/cpu-tunables.c | 135 +++------
sysdeps/x86/tst-hwcap-tunables.c | 150 ++++++++++
sysdeps/x86_64/64/dl-tunables.list | 1 -
sysdeps/x86_64/dl-machine.h | 2 +
sysdeps/x86_64/dl-trampoline.S | 64 +++--
.../x86_64/multiarch/dl-symbol-redir-ifunc.h | 15 +
70 files changed, 1225 insertions(+), 717 deletions(-)
rename elf/{dl-profstub.c => libc-dl-profstub.c} (100%)
create mode 100644 elf/tst-env-setuid-static.c
create mode 100644 elf/tst-tunables.c
create mode 100644 sysdeps/generic/dl-tunables-parse.h
rename sysdeps/{x86_64/memcmp-isa-default-impl.h => unix/sysv/linux/i386/dl-writev.h} (62%)
create mode 100644 sysdeps/x86/tst-hwcap-tunables.c