From patchwork Tue Oct 17 13:05:19 2023
X-Patchwork-Submitter: Adhemerval Zanella
X-Patchwork-Id: 78024
X-Patchwork-Delegate: siddhesh@gotplt.org
From: Adhemerval Zanella
To: libc-alpha@sourceware.org, Siddhesh Poyarekar
Subject: [PATCH v2 12/19] elf: Ignore LD_PROFILE for setuid binaries
Date: Tue, 17 Oct 2023 10:05:19 -0300
Message-Id: <20231017130526.2216827-13-adhemerval.zanella@linaro.org>
In-Reply-To: <20231017130526.2216827-1-adhemerval.zanella@linaro.org>
References: <20231017130526.2216827-1-adhemerval.zanella@linaro.org>

Loader does not ignore LD_PROFILE in secure-execution mode (different
than man-page states [1]), rather it uses a different path
(/var/profile) and ignores LD_PROFILE_OUTPUT.

Allowing secure-execution profiling is already a non good security
boundary, since it enables different code paths and extra OS access by
the process. But by ignoring LD_PROFILE_OUTPUT, the resulting profile
file might also be accessed in a racy manner since the file name does not
use any process-specific information (such as pid, timing, etc.).

Another side-effect is it forces lazy binding even on libraries that
might be with DF_BIND_NOW.

[1] https://man7.org/linux/man-pages/man8/ld.so.8.html
---
 elf/Makefile         |  3 +++
 elf/rtld.c           |  8 +++-----
 elf/tst-env-setuid.c | 12 +++++++++++-
 3 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/elf/Makefile b/elf/Makefile index f1cd6e13fa..608bef46f5 100644 --- a/elf/Makefile +++ b/elf/Makefile 
@@ -3021,3 +3021,6 @@ $(objpfx)tst-dlclose-lazy.out: \ $(objpfx)tst-dlclose-lazy-mod1.so $(objpfx)tst-dlclose-lazy-mod2.so tst-env-setuid-ARGS = -- $(host-test-program-cmd) + +# Reuse a module with a SONAME, to specific as the LD_PROFILE. +$(objpfx)tst-env-setuid: $(objpfx)tst-sonamemove-runmod2.so diff --git a/elf/rtld.c b/elf/rtld.c index 51b6d9f326..a09cf2a9df 100644 --- a/elf/rtld.c +++ b/elf/rtld.c @@ -361,6 +361,7 @@ struct rtld_global_ro _rtld_global_ro attribute_relro = ._dl_fpu_control = _FPU_DEFAULT, ._dl_pagesize = EXEC_PAGESIZE, ._dl_inhibit_cache = 0, + ._dl_profile_output = "/var/tmp", /* Function pointers. */ ._dl_debug_printf = _dl_debug_printf, @@ -2534,10 +2535,6 @@ process_envvars (struct dl_main_state *state) char *envline; char *debug_output = NULL; - /* This is the default place for profiling data file. */ - GLRO(dl_profile_output) - = &"/var/tmp\0/var/profile"[__libc_enable_secure ? 9 : 0]; - while ((envline = _dl_next_ld_env_entry (&runp)) != NULL) { size_t len = 0; @@ -2586,7 +2583,8 @@ process_envvars (struct dl_main_state *state) } /* Which shared object shall be profiled. */ - if (memcmp (envline, "PROFILE", 7) == 0 && envline[8] != '\0') + if (!__libc_enable_secure + && memcmp (envline, "PROFILE", 7) == 0 && envline[8] != '\0') GLRO(dl_profile) = &envline[8]; break; diff --git a/elf/tst-env-setuid.c b/elf/tst-env-setuid.c index ba295a6a14..76b8e1fb45 100644 --- a/elf/tst-env-setuid.c +++ b/elf/tst-env-setuid.c @@ -34,6 +34,9 @@ static char SETGID_CHILD[] = "setgid-child"; #define FILTERED_VALUE "some-filtered-value" #define UNFILTERED_VALUE "some-unfiltered-value" +/* It assumes no other programs is being profile with a library with same + SONAME using the default folder. */ +#define PROFILE_LIB "tst-sonamemove-runmod2.so" struct envvar_t { 
@@ -50,7 +53,7 @@ static const struct envvar_t filtered_envvars[] = { "LD_HWCAP_MASK", FILTERED_VALUE }, { "LD_LIBRARY_PATH", FILTERED_VALUE }, { "LD_PRELOAD", FILTERED_VALUE }, - { "LD_PROFILE", FILTERED_VALUE }, + { "LD_PROFILE", "tst-sonamemove-runmod2.so" }, { "MALLOC_ARENA_MAX", FILTERED_VALUE }, { "MALLOC_PERTURB_", FILTERED_VALUE }, { "MALLOC_TRACE", FILTERED_VALUE }, @@ -87,6 +90,13 @@ test_child (void) ret |= !(env != NULL && strcmp (env, e->value) == 0); } + /* Also check if no profile file was created. */ + { + char *profilepath = xasprintf ("/var/tmp/%s.profile", PROFILE_LIB); + ret |= !access (profilepath, R_OK); + free (profilepath); + } + return ret; }
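
Review bot: The comment added above the tst-env-setuid dependency in elf/Makefile is garbled ("to specific as the LD_PROFILE"); something like "Reuse a module with a SONAME, to specify as the LD_PROFILE value" reads correctly. The new comment above PROFILE_LIB in elf/tst-env-setuid.c has the same problem ("no other programs is being profile").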
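
Review bot: Documentation is missing for the elf/rtld.c change: dropping the /var/profile default from process_envvars and guarding the PROFILE case with !__libc_enable_secure changes user-visible behaviour in secure-execution mode, yet the patch touches only elf/Makefile, elf/rtld.c and elf/tst-env-setuid.c. A NEWS entry stating that LD_PROFILE is now ignored for setuid binaries and that /var/profile is no longer used would let anyone who relied on the old path notice the change.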
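
Review bot: In the filtered_envvars hunk of elf/tst-env-setuid.c the LD_PROFILE entry repeats the literal "tst-sonamemove-runmod2.so" although the patch defines PROFILE_LIB for exactly that name a few lines earlier. Using { "LD_PROFILE", PROFILE_LIB } keeps the value placed in the environment and the path checked in test_child from drifting apart.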
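
Review bot: The new check in test_child only looks under /var/tmp, but the block removed from process_envvars shows that a secure-execution process previously defaulted to /var/profile, so this check would also pass against a loader without the fix. Check /var/profile/<PROFILE_LIB>.profile as well. Separately, access (profilepath, R_OK) treats an existing but unreadable file as absent; F_OK matches the stated intent of "no profile file was created". Since a stale file left by an earlier run makes the test fail, removing it before the child is started would make the assumption in the PROFILE_LIB comment less fragile.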