[00/11] Improve tunable handling

Message ID 20231010180111.561793-1-adhemerval.zanella@linaro.org

Adhemerval Zanella Netto Oct. 10, 2023, 6:01 p.m. UTC
The recent CVE-2023-4911 fix [1] and tunable change to SXID_ERASE
discussion [2] brought some issues with the current tunable handling by
the loader. Besides the bugs in tuning parsing, some other questions
are:
* What should be the security boundaries for tunable and other tuning
  environment variables?
* Should tunables be filtered out or be disabled altogether in setuid
  binaries [3]?
* How should ld.so handle security-sensitive tunables (like malloc
  options)?
* How to handle ill-formatted tunable definition [4]?
* Is tunable copy/parsing (through tunable_strdup) required [5]?

On this patchset, I followed the idea laid out in the discussion on
whether to apply SXID_ERASE to all tunables [6]:
* Ignore any tunable on AT_SECURE binaries (as some Linux distributions
  are already [7]);
* Add malloc tunables along with GLIBC_TUNABLES to unsecvars;
* Do not parse ill-formatted GLIBC_TUNABLES strings;
* Remove the requirement of duplicating the GLIBC_TUNABLES string for
  parsing.

Patch #1 removes '/etc/suid-debug', which has not been working since
malloc debugging support moved to libc_malloc_debug.so. It is one
thing less that might change AT_SECURE binaries' behavior
due to environment configurations.

Patch #2 removes tunables parsing and applying for setuid/setgid
binaries (similar to the Alt Linux patch).

Patches #3 and #4 add all malloc tunables and GLIBC_TUNABLES to unsecvars
and improve tst-env-setuid.c to test all possible environment variables.

Patches #5 and #6 improve the GLIBC_TUNABLES handling to avoid handling
ill-formatted inputs.

Patch #7 makes _dl_debug_vdprintf usable before self-relocation so patch
#8 can add a loader warning that ill-formatted GLIBC_TUNABLES inputs are
ignored (it also fixes the issue where a GLIBC_TUNABLES allocation
failure triggers a SEGFAULT on some architectures for PIE).

Patches #9, #10, and #11 remove the tunable_strdup and make the
GLIBC_TUNABLES parsing in place (no more possible allocation failure).
The parsing now tracks the tunable start and its size. The
dl-tunable-parse.h adds helper functions for parsing, like a
strcmp that also checks for size and an iterator for suboptions that are
comma-separated (used on hwcap parsing by x86, powerpc, and s390x).

[1] https://sourceware.org/pipermail/libc-alpha/2023-October/151921.html
[2] https://sourceware.org/pipermail/libc-alpha/2023-October/151936.html
[3] https://www.openwall.com/lists/oss-security/2023/10/03/3
[4] https://sourceware.org/pipermail/libc-alpha/2023-October/151927.html
[5] https://sourceware.org/pipermail/libc-alpha/2023-October/151959.html
[6] https://sourceware.org/pipermail/libc-alpha/2023-October/152011.html
[7] https://git.altlinux.org/gears/g/glibc.git?p=glibc.git;a=commitdiff;h=5d1686416ab766f3dd0780ab730650c4c0f76ca9

Adhemerval Zanella (11):
  elf: Remove /etc/suid-debug support
  elf: Ignore GLIBC_TUNABLES for setuid/setgid binaries
  elf: Add all malloc tunable to unsecvars
  elf: Add GLIBC_TUNABLES to unsecvars
  elf: Do not process invalid tunable format
  elf: Do not parse ill-formatted strings
  elf: Fix _dl_debug_vdprintf to work before self-relocation
  elf: Emit warning if tunable is ill-formatted
  x86: Use dl-symbol-redir-ifunc.h on cpu-tunables
  s390: Use dl-symbol-redir-ifunc.h on cpu-tunables
  elf: Do not duplicate the GLIBC_TUNABLES string

 elf/Makefile                                  |   5 +-
 elf/dl-printf.c                               |  16 +-
 elf/dl-tunable-types.h                        |  10 -
 elf/dl-tunables.c                             | 219 +++++----------
 elf/dl-tunables.h                             |   6 +-
 elf/dl-tunables.list                          |   9 -
 elf/rtld.c                                    |   3 -
 elf/tst-env-setuid-tunables.c                 |  58 ++--
 elf/tst-env-setuid.c                          |  87 ++----
 elf/tst-tunables.c                            | 260 ++++++++++++++++++
 manual/README.tunables                        |   9 -
 manual/memory.texi                            |   4 +-
 manual/tunables.texi                          |   4 +-
 scripts/gen-tunables.awk                      |  18 +-
 stdio-common/Makefile                         |   5 +
 stdio-common/_itoa.c                          |   5 +
 sysdeps/generic/dl-tunables-parse.h           | 128 +++++++++
 sysdeps/generic/unsecvars.h                   |   8 +
 .../i686/multiarch/dl-symbol-redir-ifunc.h    |   5 +
 sysdeps/s390/cpu-features.c                   | 169 +++++-------
 .../s390/multiarch/dl-symbol-redir-ifunc.h    |   2 +
 .../unix/sysv/linux/aarch64/cpu-features.c    |  38 ++-
 .../sysv/linux/i386/dl-writev.h}              |  18 +-
 .../unix/sysv/linux/powerpc/cpu-features.c    |  45 +--
 .../sysv/linux/powerpc/tst-hwcap-tunables.c   |   6 +-
 sysdeps/x86/Makefile                          |   4 +-
 sysdeps/x86/cpu-tunables.c                    | 135 +++------
 sysdeps/x86/tst-hwcap-tunables.c              | 151 ++++++++++
 sysdeps/x86_64/64/dl-tunables.list            |   1 -
 .../x86_64/multiarch/dl-symbol-redir-ifunc.h  |  15 +
 30 files changed, 888 insertions(+), 555 deletions(-)
 create mode 100644 elf/tst-tunables.c
 create mode 100644 sysdeps/generic/dl-tunables-parse.h
 rename sysdeps/{x86_64/memcmp-isa-default-impl.h => unix/sysv/linux/i386/dl-writev.h} (62%)
 create mode 100644 sysdeps/x86/tst-hwcap-tunables.c
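The in-place parsing that the cover letter describes for patches #9 to #11 (track start and size of each tunable instead of duplicating the string, reject ill-formatted input instead of trying to repair it, compare names with a size-aware strcmp, and iterate comma-separated suboptions such as hwcap lists) can be illustrated with the following added example. It is written for this page and is not glibc's dl-tunables-parse.h; the function names and the exact rejection rule (empty name, empty value, missing '=' or a second '=' in one entry) are assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* One tunable entry recorded by pointer and length; nothing is copied. */
struct tunable_ref { const char *name; size_t name_len; const char *val; size_t val_len; };

/* Size-aware compare: true iff s[0..len) equals the NUL-terminated literal. */
static bool tunable_name_eq(const char *s, size_t len, const char *lit)
{
  return strlen(lit) == len && memcmp(s, lit, len) == 0;
}

/* Walk "name=value:name=value" in place.  Returns the number of entries
   stored in OUT, or -1 if any entry is ill-formed.  The rejection rule is an
   assumption of this example: empty name, empty value, missing '=', second '='. */
static int parse_tunables_inplace(const char *s, struct tunable_ref *out, int max)
{
  int n = 0;
  while (*s != '\0') {
    const char *name = s;
    while (*s != '\0' && *s != '=' && *s != ':') s++;
    if (*s != '=' || s == name) return -1;    /* no '=' or empty name */
    size_t name_len = (size_t)(s - name);
    const char *val = ++s;
    while (*s != '\0' && *s != '=' && *s != ':') s++;
    if (*s == '=' || s == val) return -1;     /* second '=' or empty value */
    if (n == max) return -1;                  /* caller's table is full */
    out[n++] = (struct tunable_ref){ name, name_len, val, (size_t)(s - val) };
    if (*s == ':') s++;
  }
  return n;
}

/* Iterate comma-separated suboptions inside a value (as hwcap lists use):
   yields one token per call, returns false once CUR has reached END. */
static bool next_suboption(const char **cur, const char *end,
                           const char **tok, size_t *tok_len)
{
  if (*cur >= end) return false;
  *tok = *cur;
  while (*cur < end && **cur != ',') (*cur)++;
  *tok_len = (size_t)(*cur - *tok);
  if (*cur < end) (*cur)++;                   /* skip the comma */
  return true;
}
```

Because every result is a pointer into the caller's string, the parser needs no allocation at all, which is what removes the allocation-failure path the cover letter mentions.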