From patchwork Mon Nov 6 20:25:45 2023
X-Patchwork-Submitter: Adhemerval Zanella
X-Patchwork-Id: 79242
X-Patchwork-Delegate: siddhesh@gotplt.org
From: Adhemerval Zanella
To: libc-alpha@sourceware.org, Siddhesh Poyarekar
Subject: [PATCH v3 12/19] elf: Ignore LD_PROFILE for setuid binaries
Date: Mon, 6 Nov 2023 17:25:45 -0300
Message-Id: <20231106202552.3404059-13-adhemerval.zanella@linaro.org>
In-Reply-To: <20231106202552.3404059-1-adhemerval.zanella@linaro.org>

The loader does not ignore LD_PROFILE in secure-execution mode (different from what the man page states [1]); rather, it uses a different path (/var/profile) and ignores LD_PROFILE_OUTPUT.

Allowing secure-execution profiling is already not a good security boundary, since it enables different code paths and extra OS access by the process. But by ignoring LD_PROFILE_OUTPUT, the resulting profile file might also be accessed in a racy manner since the file name does not use any process-specific information (such as pid, timing, etc.).

Another side-effect is it forces lazy binding even on libraries that might be with DF_BIND_NOW.

[1] https://man7.org/linux/man-pages/man8/ld.so.8.html

Reviewed-by: Siddhesh Poyarekar
--- elf/Makefile | 3 +++ elf/rtld.c | 8 +++----- elf/tst-env-setuid.c | 12 +++++++++++- 3 files changed, 17 insertions(+), 6 deletions(-) diff --git a/elf/Makefile b/elf/Makefile index 52981c19d0..08896bb895 100644 --- a/elf/Makefile
+++ b/elf/Makefile @@ -2983,3 +2983,6 @@ $(objpfx)tst-dlclose-lazy.out: \ $(objpfx)tst-dlclose-lazy-mod1.so $(objpfx)tst-dlclose-lazy-mod2.so tst-env-setuid-ARGS = -- $(host-test-program-cmd) + +# Reuse a module with a SONAME, to specific as the LD_PROFILE. +$(objpfx)tst-env-setuid: $(objpfx)tst-sonamemove-runmod2.so diff --git a/elf/rtld.c b/elf/rtld.c index 51b6d9f326..a09cf2a9df 100644 --- a/elf/rtld.c +++ b/elf/rtld.c @@ -361,6 +361,7 @@ struct rtld_global_ro _rtld_global_ro attribute_relro = ._dl_fpu_control = _FPU_DEFAULT, ._dl_pagesize = EXEC_PAGESIZE, ._dl_inhibit_cache = 0, + ._dl_profile_output = "/var/tmp", /* Function pointers. */ ._dl_debug_printf = _dl_debug_printf, @@ -2534,10 +2535,6 @@ process_envvars (struct dl_main_state *state) char *envline; char *debug_output = NULL; - /* This is the default place for profiling data file. */ - GLRO(dl_profile_output) - = &"/var/tmp\0/var/profile"[__libc_enable_secure ? 9 : 0]; - while ((envline = _dl_next_ld_env_entry (&runp)) != NULL) { size_t len = 0; @@ -2586,7 +2583,8 @@ process_envvars (struct dl_main_state *state) } /* Which shared object shall be profiled. */ - if (memcmp (envline, "PROFILE", 7) == 0 && envline[8] != '\0') + if (!__libc_enable_secure + && memcmp (envline, "PROFILE", 7) == 0 && envline[8] != '\0') GLRO(dl_profile) = &envline[8]; break; diff --git a/elf/tst-env-setuid.c b/elf/tst-env-setuid.c index ba295a6a14..76b8e1fb45 100644 --- a/elf/tst-env-setuid.c +++ b/elf/tst-env-setuid.c @@ -34,6 +34,9 @@ static char SETGID_CHILD[] = "setgid-child"; #define FILTERED_VALUE "some-filtered-value" #define UNFILTERED_VALUE "some-unfiltered-value" +/* It assumes no other programs is being profile with a library with same + SONAME using the default folder. */ +#define PROFILE_LIB "tst-sonamemove-runmod2.so" struct envvar_t { 
@@ -50,7 +53,7 @@ static const struct envvar_t filtered_envvars[] = { "LD_HWCAP_MASK", FILTERED_VALUE }, { "LD_LIBRARY_PATH", FILTERED_VALUE }, { "LD_PRELOAD", FILTERED_VALUE }, - { "LD_PROFILE", FILTERED_VALUE }, + { "LD_PROFILE", "tst-sonamemove-runmod2.so" }, { "MALLOC_ARENA_MAX", FILTERED_VALUE }, { "MALLOC_PERTURB_", FILTERED_VALUE }, { "MALLOC_TRACE", FILTERED_VALUE }, @@ -87,6 +90,13 @@ test_child (void) ret |= !(env != NULL && strcmp (env, e->value) == 0); } + /* Also check if no profile file was created. */ + { + char *profilepath = xasprintf ("/var/tmp/%s.profile", PROFILE_LIB); + ret |= !access (profilepath, R_OK); + free (profilepath); + } + return ret; }
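
Review bot: In the elf/Makefile hunk, the new comment "# Reuse a module with a SONAME, to specific as the LD_PROFILE." has a typo; "to specify as the LD_PROFILE value" reads as intended. It would also help to mention that the module name must stay in sync with PROFILE_LIB in elf/tst-env-setuid.c, since the two are now coupled only by the string.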
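
Review bot: In elf/rtld.c, the removed comment "This is the default place for profiling data file." is not carried over to the new `._dl_profile_output = "/var/tmp",` initializer in _rtld_global_ro, so the default is no longer documented where it is set. Consider a short comment beside the initializer saying that this is the default profile directory and that the separate /var/profile secure-mode path was dropped because LD_PROFILE is now ignored in that mode.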
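
Review bot: The `!__libc_enable_secure` test added to the "PROFILE" branch of process_envvars in elf/rtld.c carries no comment explaining why profiling is refused in secure-execution mode, and the diffstat lists only elf/Makefile, elf/rtld.c and elf/tst-env-setuid.c, so nothing in this patch records the behaviour change for users. A one-line comment above the condition, carrying the rationale from the commit message (predictable output file name, forced lazy binding), would keep the reasoning next to the code; a NEWS entry would cover the user-visible side if one is not added elsewhere in the series.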
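
Review bot: In elf/tst-env-setuid.c, the filtered_envvars entry spells out the literal "tst-sonamemove-runmod2.so" even though PROFILE_LIB is defined with the same string in the hunk above; writing `{ "LD_PROFILE", PROFILE_LIB },` keeps the environment value and the path checked in test_child from drifting apart. The comment above PROFILE_LIB also needs a grammar pass ("no other programs is being profile with a library with same SONAME").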
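
Review bot: The check `ret |= !access (profilepath, R_OK);` in test_child only reports a failure when the profile file exists and is readable; a file in /var/tmp that the real user cannot read makes access return -1 and the test passes anyway. access evaluates permissions against the real UID and GID rather than the effective ones, which matters in a setuid/setgid test. Using F_OK, or asserting that the call fails with errno set to ENOENT, states the intent ("no profile file was created") more exactly. The path also hard-codes "/var/tmp" separately from the default set in elf/rtld.c, and a stale tst-sonamemove-runmod2.so.profile left by an unrelated run produces a spurious failure, which the PROFILE_LIB comment acknowledges but the test does not guard against.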