From patchwork Tue Oct 10 18:01:03 2023
X-Patchwork-Submitter: Adhemerval Zanella
X-Patchwork-Id: 77429
From: Adhemerval Zanella
To: libc-alpha@sourceware.org, Siddhesh Poyarekar
Subject: [PATCH 03/11] elf: Add all malloc tunable to unsecvars
Date: Tue, 10 Oct 2023 15:01:03 -0300
Message-Id: <20231010180111.561793-4-adhemerval.zanella@linaro.org>
In-Reply-To: <20231010180111.561793-1-adhemerval.zanella@linaro.org>
References: <20231010180111.561793-1-adhemerval.zanella@linaro.org>

Some environment variables allow alteration of allocator behavior
across setuid boundaries, where a setuid program may ignore the
tunable, but its non-setuid child can read it and adjust the memory
allocator behavior accordingly.

Most library behavior tuning is limited to the current process and
does not bleed in scope; so it is unclear how practical this
misfeature is. If behavior change across privilege boundaries is
desirable, it would be better done with a wrapper program around the
non-setuid child that sets these envvars, instead of using the setuid
process as the messenger.

The patch also fixes tst-env-setuid, where it fails if any unsecvars is
set.

Co-authored-by: Siddhesh Poyarekar
Checked on x86_64-linux-gnu.
--- elf/tst-env-setuid.c | 87 +++++++++++++------------------------ sysdeps/generic/unsecvars.h | 7 +++ 2 files changed, 36 insertions(+), 58 deletions(-) diff --git a/elf/tst-env-setuid.c b/elf/tst-env-setuid.c index 032ab44be2..b9f4b3244d 100644 
--- a/elf/tst-env-setuid.c +++ b/elf/tst-env-setuid.c @@ -15,19 +15,14 @@ License along with the GNU C Library; if not, see . */ -/* Verify that tunables correctly filter out unsafe environment variables like - MALLOC_CHECK_ and MALLOC_MMAP_THRESHOLD_ but also retain - MALLOC_MMAP_THRESHOLD_ in an unprivileged child. */ +/* Verify that correctly filter out unsafe environment variables defined + by unsecvars.h. */ -#include -#include -#include -#include #include +#include #include -#include -#include #include +#include #include #include @@ -36,57 +31,22 @@ static char SETGID_CHILD[] = "setgid-child"; -#ifndef test_child static int test_child (void) { - if (getenv ("MALLOC_CHECK_") != NULL) - { - printf ("MALLOC_CHECK_ is still set\n"); - return 1; - } - - if (getenv ("MALLOC_MMAP_THRESHOLD_") == NULL) - { - printf ("MALLOC_MMAP_THRESHOLD_ lost\n"); - return 1; - } + int ret = 0; - if (getenv ("LD_HWCAP_MASK") != NULL) + const char *nextp = UNSECURE_ENVVARS; + do { - printf ("LD_HWCAP_MASK still set\n"); - return 1; + const char *env = getenv (nextp); + ret |= env != NULL; + nextp = strchr (nextp, '\0') + 1; } + while (*nextp != '\0'); return 0; } -#endif - -#ifndef test_parent -static int -test_parent (void) -{ - if (getenv ("MALLOC_CHECK_") == NULL) - { - printf ("MALLOC_CHECK_ lost\n"); - return 1; - } - - if (getenv ("MALLOC_MMAP_THRESHOLD_") == NULL) - { - printf ("MALLOC_MMAP_THRESHOLD_ lost\n"); - return 1; - } - - if (getenv ("LD_HWCAP_MASK") == NULL) - { - printf ("LD_HWCAP_MASK lost\n"); - return 1; - } - - return 0; -} -#endif static int do_test (int argc, char **argv) 
@@ -104,20 +64,31 @@ do_test (int argc, char **argv) if (ret != 0) exit (1); - exit (EXIT_SUCCESS); + /* Special return code to make sure that the child executed all the way + through. */ + exit (42); } else { - if (test_parent () != 0) - exit (1); + const char *nextp = UNSECURE_ENVVARS; + do + { + setenv (nextp, "some-value", 1); + nextp = strchr (nextp, '\0') + 1; + } + while (*nextp != '\0'); int status = support_capture_subprogram_self_sgid (SETGID_CHILD); if (WEXITSTATUS (status) == EXIT_UNSUPPORTED) - return EXIT_UNSUPPORTED; - - if (!WIFEXITED (status)) - FAIL_EXIT1 ("Unexpected exit status %d from child process\n", status); + exit (EXIT_UNSUPPORTED); + + if (WEXITSTATUS (status) != 42) + { + printf (" child failed with status %d\n", + WEXITSTATUS (status)); + support_record_failure (); + } return 0; } diff --git a/sysdeps/generic/unsecvars.h b/sysdeps/generic/unsecvars.h index 8278c50a84..ca70e2e989 100644 --- a/sysdeps/generic/unsecvars.h +++ b/sysdeps/generic/unsecvars.h @@ -17,7 +17,14 @@ "LD_SHOW_AUXV\0" \ "LOCALDOMAIN\0" \ "LOCPATH\0" \ + "MALLOC_ARENA_MAX\0" \ + "MALLOC_ARENA_TEST\0" \ + "MALLOC_MMAP_MAX_\0" \ + "MALLOC_MMAP_THRESHOLD_\0" \ + "MALLOC_PERTURB_\0" \ + "MALLOC_TOP_PAD_\0" \ "MALLOC_TRACE\0" \ + "MALLOC_TRIM_THRESHOLD_\0" \ "NIS_PATH\0" \ "NLSPATH\0" \ "RESOLV_HOST_CONF\0" \
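
Review bot: the rewritten header comment at the top of elf/tst-env-setuid.c has lost its subject: "Verify that correctly filter out unsafe environment variables" does not say what performs the filtering. Suggest wording such as "Verify that unsafe environment variables defined by unsecvars.h are filtered out", so the comment states what the test asserts.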
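
Review bot: in test_child, the loop accumulates `ret |= env != NULL`, but the function still ends with the unchanged `return 0;`, so the child reports success even when an UNSECURE_ENVVARS entry survives into the setgid child, and the parent's check for exit status 42 cannot catch a filtering regression. Return `ret` instead. The removed checks also printed which variable was at fault (for example "MALLOC_CHECK_ is still set"); printing `nextp` when `env != NULL` would keep a failure diagnosable now that the list is walked generically.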
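
Review bot: in the parent branch of do_test, the `!WIFEXITED (status)` check is dropped and `WEXITSTATUS (status)` is now read unconditionally. That value is only meaningful when the child exited normally, so a child killed by a signal would be reported through the "child failed with status %d" message with a misleading number. Keep the WIFEXITED test ahead of the status comparisons. The `setenv (nextp, "some-value", 1)` calls also ignore their return value: if one fails, the variable is never set and the child's getenv check passes without having tested anything, so the test should fail when setenv returns nonzero. A named constant shared by `exit (42)` and the `!= 42` comparison would keep the two in step.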
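
Review bot: MALLOC_CHECK_ is not among the entries added to sysdeps/generic/unsecvars.h between LOCPATH and NIS_PATH, although the subject says all malloc tunables are added and the removed test_child code asserted that MALLOC_CHECK_ was dropped in the setgid child. If it is filtered by another mechanism, say so in the commit message; otherwise add "MALLOC_CHECK_\0" in sorted position after MALLOC_ARENA_TEST so the new list-driven test covers it.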