From patchwork Tue Oct 17 13:05:07 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adhemerval Zanella Netto X-Patchwork-Id: 56249 Return-Path: X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 64D5C3857026 for ; Tue, 17 Oct 2023 13:05:47 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-pg1-x534.google.com (mail-pg1-x534.google.com [IPv6:2607:f8b0:4864:20::534]) by sourceware.org (Postfix) with ESMTPS id C72313858408 for ; Tue, 17 Oct 2023 13:05:32 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org C72313858408 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org C72313858408 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::534 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1697547934; cv=none; b=WFbXOJdHjHs5mPUGRJiwth36VOi62Bq/tZzRwvaDQZJ2OCAOq6MOIxSHXdgWYRCgSlEkMiLRoPlGGr3TLCyjGbjLeJVRpuvkUACWj3XKm2hhuqbRStHU/31ui3flJHkoxX5u5IM5/yIf7vHnUEVV+51KWsPmFMpHhbAO+OZXbFU= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1697547934; c=relaxed/simple; bh=wWcRKCaDmha0yJgmC7N3nZ+z77FsE2ZJzXX/d+iNPcI=; h=DKIM-Signature:From:To:Subject:Date:Message-Id:MIME-Version; b=DspsWei6exRZ8LH42LQGUCdCeB1gOlyTbH7m2pl7rsYq1Z04dO1wcU7nnbNIrB41l3Rc4NtS1uZ+VIhCTnsz6fVW9pmsjdux3PdSjTbAtLGd8UXsvNUZZRCnxh6xP19FpWsHAomd3hShgtkTtFeY950EcJKBamZhvhC8x751MYs= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-pg1-x534.google.com with SMTP id 41be03b00d2f7-578d0dcd4e1so3343241a12.2 for ; Tue, 17 Oct 2023 06:05:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1697547931; x=1698152731; darn=sourceware.org; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:from:to:cc:subject:date:message-id:reply-to; bh=tZvgI0Aq1PDqTV4crIuen4RcXYJWHe4/VPQRWfNG42w=; b=HN+nraRyNvtmnJiCnk7jxXMGqu6G7D9fD5uDRWFIWuo9KEjlamq/9icm1E4ByJLBkB 36+liK6tWLJ0fxu7X/2t82/g3VgM6mrBZXyCaQuvqZXNen9pdNOg+A0G4537hbj9AKOc /e73lq/98eBMnzNABis5PK+KipsL3lAW7bZn4mLQPDf23Sbq1/B/hMAv6kwX5PFQJupZ Jdac8/ABHxT2gMNL4c2n38sLYSfPN0QIVeJEOwklAFmyvhYTPrWdmUWxynBI9bZakS0R KmNdjq3Y/RXguE/90Q8G5peXtvhlljObXPsrGv9FUp9jKdSBuj9m7+10v0uZTHjgmZei Iedw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697547931; x=1698152731; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=tZvgI0Aq1PDqTV4crIuen4RcXYJWHe4/VPQRWfNG42w=; b=v91RgYcVzzsOEnhHOqXkxdDJbUo2IGynY3NuR/fmXXhsZoMm3P161lB7DIqDGdmO9i T8YH8k2AE8j6GECZPs8+cZ29VLLQR4l8yt1eCotJslO65vkOO/UP5ibbvDpV5I4zPOIN 7OE/j7/W7Fi+btZpqSu9AUE/ZlLDrT+V381xL7wT6jikd8nJfyzWguFWDpuABRa2Na2/ 7R+ksKTHvlwpB8NY3ote6q9iSPoxLLEeNgrJhdNry+NL/q/+jcPqlTtJ/7T2+aTdSHGT K+Kzn2W8NULZJ8Rjy1n5qp3ZuEUBOxOv+hp2qOgzuMQosL7qQrAIa/HD9Odh3XrabUrA AuPA== X-Gm-Message-State: AOJu0YyB8glG7j30qLxfjo6SV/41jhabp37EWqSRTXkPwvvhJV2voLhv joa+n/AWZx9L/RHIA+OUX27ODBUFfkAXQkfS8Z8= X-Google-Smtp-Source: AGHT+IGShvuZ//3ELdLvyJN4g2PlOAVWDzA4UCscovpN9Nz1ibCFA/KzlK45rYsyW1mn7sETRBrtWw== X-Received: by 2002:a17:90a:f016:b0:27d:5562:7e13 with SMTP id bt22-20020a17090af01600b0027d55627e13mr1997446pjb.39.1697547931185; Tue, 17 Oct 2023 06:05:31 -0700 (PDT) Received: from mandiga.. ([2804:1b3:a7c3:7f2e:11d:92b4:4d78:4197]) by smtp.gmail.com with ESMTPSA id l28-20020a635b5c000000b0056b6d1ac949sm1309788pgm.13.2023.10.17.06.05.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 17 Oct 2023 06:05:30 -0700 (PDT) From: Adhemerval Zanella To: libc-alpha@sourceware.org, Siddhesh Poyarekar Subject: [PATCH v2 00/19] Improve loader environment variable handling Date: Tue, 17 Oct 2023 10:05:07 -0300 Message-Id: <20231017130526.2216827-1-adhemerval.zanella@linaro.org> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-Spam-Status: No, score=-3.2 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org The recent CVE-2023-4911 fix [1] and tunable change to SXID_ERASE discussion [2] brought some issues with the current environment handling by the loader. Besides the bugs in tuning parsing, some other questions are: * What should be the security boundaries for tunable and other tuning environment variables? * Should tunables be filtered out or be disabled altogether in setuid binaries [3]? * How should ld.so handle security-sensitive tunable (like malloc options)? * How to handle ill-formatted tunable definition [4]? * Is tunable copy/parsing (through tunable_strdup) required [5]? * Which other environment variables the loader should ignore and/or filter in security-sensitive context. On this patchset, I followed the idea laid out in the discussion on whether to apply SXID_ERASE to all tunables [6]: 1. ignore any tunable on AT_SECURE binaries (as some Linux distributions do already [7]); 2. Add malloc tunables along with GLIBC_TUNABLES to unsecvars; 3. Do not parse ill-formatted GLIBC_TUNABLES strings; 4. Remove the requirement of duplicating the GLIBC_TUNABLES string for parsing. 5. Ignore most of the environment variables on security-sensitive mode (AT_SECURE/setuid/setgid). Patch #1 removes '/etc/suid-debug', which has not been working since malloc debugging supported moved to libc_malloc_debug.so. It is one thing less that might change AT_SECURE binaries' behavior due to environment configurations. Patch #2 removed tunables parsing and applying for setuid/setgid binaries (similar to Alt Linux patch). Patch #3 and #4 add all malloc tunable and GLIBC_TUNABLES to unsecvars and improve tst-env-setuid.c to test all possible environment variables. Patch #5 and #6 improved the GLIBC_TUNABLES handling to avoid handling ill-formatted inputs. Patch #7 makes _dl_debug_vdprintf usable before self-relocation so patch #8 can add a loader warning that ill-formatted GLIBC_TUNABLES inputs are ignored (it also fixes the issue where the GLIBC_TUNABLE allocation failure will trigger a SEGFAULT on some architecture for PIE). Patch #9, #10, and #11 remove the tunable_strdup and make the GLIBC_TUNABLE parsing in place (no more possible allocation failure). The parsing now tracks the tunable start and its size. The dl-tunable-parse.h adds helper functions to help to parse, like an strcmp that also checks for size and an iterator for suboptions that are comma-separated (used on hwcap parsing by x86, powerpc, and s390x). Patch #12, #13, #14, #16, and #18 make loader ignore all but just LD_PRELOAD and LD_AUDIT for setuid binaries. For both options, loader ensures that pathnames containing slashes are ignored and shared libraries are loaded only from the standard search directories and only if they have set-user-ID mode bit enabled. [1] https://sourceware.org/pipermail/libc-alpha/2023-October/151921.html [2] https://sourceware.org/pipermail/libc-alpha/2023-October/151936.html [3] https://www.openwall.com/lists/oss-security/2023/10/03/3 [4] https://sourceware.org/pipermail/libc-alpha/2023-October/151927.html [5] https://sourceware.org/pipermail/libc-alpha/2023-October/151959.html [6] https://sourceware.org/pipermail/libc-alpha/2023-October/152011.html [7] https://git.altlinux.org/gears/g/glibc.git?p=glibc.git;a=commitdiff;h=5d1686416ab766f3dd0780ab730650c4c0f76ca9 Changes from v1: * Ignore most of the environment variables on security-sensitive mode. * Extend tests. Adhemerval Zanella (19): elf: Remove /etc/suid-debug support elf: Add GLIBC_TUNABLES to unsecvars elf: Ignore GLIBC_TUNABLES for setuid/setgid binaries elf: Add all malloc tunable to unsecvars elf: Do not process invalid tunable format elf: Do not parse ill-formatted strings elf: Fix _dl_debug_vdprintf to work before self-relocation elf: Emit warning if tunable is ill-formatted x86: Use dl-symbol-redir-ifunc.h on cpu-tunables s390: Use dl-symbol-redir-ifunc.h on cpu-tunables elf: Do not duplicate the GLIBC_TUNABLES string elf: Ignore LD_PROFILE for setuid binaries elf: Remove LD_PROFILE for static binaries elf: Ignore loader debug env vars for setuid elf: Remove any_debug from dl_main_state elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for static elf: Add comments on how LD_AUDIT and LD_PRELOAD handle __libc_enable_secure elf: Ignore LD_BIND_NOW and LD_BIND_NOT for setuid binaries elf: Refactor process_envvars elf/Makefile | 26 +- elf/dl-load.c | 10 +- elf/dl-main.h | 3 - elf/dl-printf.c | 16 +- elf/dl-runtime.c | 12 +- elf/dl-support.c | 41 ++- elf/dl-tunable-types.h | 10 - elf/dl-tunables.c | 219 +++++---------- elf/dl-tunables.h | 6 +- elf/dl-tunables.list | 9 - elf/{dl-profstub.c => libc-dl-profstub.c} | 0 elf/rtld.c | 122 +++++--- elf/tst-env-setuid-static.c | 1 + elf/tst-env-setuid-tunables.c | 59 ++-- elf/tst-env-setuid.c | 140 ++++++---- elf/tst-tunables.c | 261 ++++++++++++++++++ include/dlfcn.h | 5 + manual/README.tunables | 9 - manual/memory.texi | 4 +- manual/tunables.texi | 4 +- scripts/gen-tunables.awk | 18 +- stdio-common/Makefile | 5 + stdio-common/_itoa.c | 5 + sysdeps/aarch64/dl-machine.h | 4 +- sysdeps/aarch64/dl-trampoline.S | 3 +- sysdeps/alpha/dl-machine.h | 6 +- sysdeps/alpha/dl-trampoline.S | 6 + sysdeps/arm/dl-machine.h | 4 +- sysdeps/arm/dl-trampoline.S | 2 +- sysdeps/generic/dl-tunables-parse.h | 128 +++++++++ sysdeps/generic/unsecvars.h | 10 + sysdeps/hppa/dl-machine.h | 36 +-- sysdeps/hppa/dl-trampoline.S | 2 + sysdeps/i386/dl-machine.h | 2 + sysdeps/i386/dl-trampoline.S | 2 +- .../i686/multiarch/dl-symbol-redir-ifunc.h | 5 + sysdeps/ia64/dl-machine.h | 10 +- sysdeps/ia64/dl-trampoline.S | 2 +- sysdeps/loongarch/dl-machine.h | 6 +- sysdeps/loongarch/dl-trampoline.h | 2 + sysdeps/m68k/dl-machine.h | 4 +- sysdeps/m68k/dl-trampoline.S | 2 + sysdeps/powerpc/powerpc32/dl-machine.c | 2 +- sysdeps/powerpc/powerpc32/dl-machine.h | 10 +- sysdeps/powerpc/powerpc32/dl-trampoline.S | 2 +- sysdeps/powerpc/powerpc64/dl-machine.h | 20 +- sysdeps/powerpc/powerpc64/dl-trampoline.S | 2 +- sysdeps/s390/cpu-features.c | 169 +++++------- .../s390/multiarch/dl-symbol-redir-ifunc.h | 2 + sysdeps/s390/s390-32/dl-machine.h | 8 +- sysdeps/s390/s390-32/dl-trampoline.h | 2 +- sysdeps/s390/s390-64/dl-machine.h | 8 +- sysdeps/s390/s390-64/dl-trampoline.h | 2 +- sysdeps/sh/dl-machine.h | 2 + sysdeps/sh/dl-trampoline.S | 2 + sysdeps/sparc/sparc32/dl-machine.h | 4 +- sysdeps/sparc/sparc32/dl-trampoline.S | 2 + sysdeps/sparc/sparc64/dl-machine.h | 4 +- sysdeps/sparc/sparc64/dl-trampoline.S | 2 + .../unix/sysv/linux/aarch64/cpu-features.c | 38 ++- .../sysv/linux/i386/dl-writev.h} | 18 +- .../unix/sysv/linux/powerpc/cpu-features.c | 45 +-- .../sysv/linux/powerpc/tst-hwcap-tunables.c | 6 +- sysdeps/x86/Makefile | 4 +- sysdeps/x86/cpu-tunables.c | 135 +++------ sysdeps/x86/tst-hwcap-tunables.c | 150 ++++++++++ sysdeps/x86_64/64/dl-tunables.list | 1 - sysdeps/x86_64/dl-machine.h | 2 + sysdeps/x86_64/dl-trampoline.S | 64 +++-- .../x86_64/multiarch/dl-symbol-redir-ifunc.h | 15 + 70 files changed, 1225 insertions(+), 717 deletions(-) rename elf/{dl-profstub.c => libc-dl-profstub.c} (100%) create mode 100644 elf/tst-env-setuid-static.c create mode 100644 elf/tst-tunables.c create mode 100644 sysdeps/generic/dl-tunables-parse.h rename sysdeps/{x86_64/memcmp-isa-default-impl.h => unix/sysv/linux/i386/dl-writev.h} (62%) create mode 100644 sysdeps/x86/tst-hwcap-tunables.c