[v3,14/19] elf: Ignore loader debug env vars for setuid

Message ID 20231106202552.3404059-15-adhemerval.zanella@linaro.org (mailing list archive)
State Superseded
Delegated to: Siddhesh Poyarekar
Headers
Series Improve loader environment variable handling |

Checks

Context Check Description
redhat-pt-bot/TryBot-apply_patch success Patch applied to master at the time it was sent
linaro-tcwg-bot/tcwg_glibc_build--master-arm fail Patch failed to apply
linaro-tcwg-bot/tcwg_glibc_check--master-arm fail Patch failed to apply

Commit Message

Adhemerval Zanella Nov. 6, 2023, 8:25 p.m. UTC
  Loader already ignores LD_DEBUG, LD_DEBUG_OUTPUT, and
LD_TRACE_LOADED_OBJECTS. Both LD_WARN and LD_VERBOSE are similar to
LD_DEBUG, in the sense they enable additional checks and debug
information, so it makes sense to disable them.

Checked on x86_64-linux-gnu.
---
 elf/rtld.c           | 22 ++++++++++++++--------
 elf/tst-env-setuid.c |  2 ++
 2 files changed, 16 insertions(+), 8 deletions(-)
  

Comments

Siddhesh Poyarekar Nov. 20, 2023, 10:57 p.m. UTC | #1
On 2023-11-06 15:25, Adhemerval Zanella wrote:
> Loader already ignores LD_DEBUG, LD_DEBUG_OUTPUT, and
> LD_TRACE_LOADED_OBJECTS. Both LD_WARN and LD_VERBOSE are similar to
> LD_DEBUG, in the sense they enable additional checks and debug
> information, so it makes sense to disable them.
> 
> Checked on x86_64-linux-gnu.
> ---

Maybe also put it in unsecvars.h?

>   elf/rtld.c           | 22 ++++++++++++++--------
>   elf/tst-env-setuid.c |  2 ++
>   2 files changed, 16 insertions(+), 8 deletions(-)
> 
> diff --git a/elf/rtld.c b/elf/rtld.c
> index a09cf2a9df..e7f90d37e7 100644
> --- a/elf/rtld.c
> +++ b/elf/rtld.c
> @@ -2552,13 +2552,15 @@ process_envvars (struct dl_main_state *state)
>   	{
>   	case 4:
>   	  /* Warning level, verbose or not.  */
> -	  if (memcmp (envline, "WARN", 4) == 0)
> +	  if (!__libc_enable_secure
> +	      && memcmp (envline, "WARN", 4) == 0)
>   	    GLRO(dl_verbose) = envline[5] != '\0';
>   	  break;
>   
>   	case 5:
>   	  /* Debugging of the dynamic linker?  */
> -	  if (memcmp (envline, "DEBUG", 5) == 0)
> +	  if (!__libc_enable_secure
> +	      && memcmp (envline, "DEBUG", 5) == 0)
>   	    {
>   	      process_dl_debug (state, &envline[6]);
>   	      break;
> @@ -2569,7 +2571,8 @@ process_envvars (struct dl_main_state *state)
>   
>   	case 7:
>   	  /* Print information about versions.  */
> -	  if (memcmp (envline, "VERBOSE", 7) == 0)
> +	  if (!__libc_enable_secure
> +	      && memcmp (envline, "VERBOSE", 7) == 0)
>   	    {
>   	      state->version_info = envline[8] != '\0';
>   	      break;
> @@ -2625,7 +2628,8 @@ process_envvars (struct dl_main_state *state)
>   	    }
>   
>   	  /* Where to place the profiling data file.  */
> -	  if (memcmp (envline, "DEBUG_OUTPUT", 12) == 0)
> +	  if (!__libc_enable_secure
> +	      && memcmp (envline, "DEBUG_OUTPUT", 12) == 0)
>   	    {
>   	      debug_output = &envline[13];
>   	      break;
> @@ -2646,7 +2650,8 @@ process_envvars (struct dl_main_state *state)
>   
>   	case 20:
>   	  /* The mode of the dynamic linker can be set.  */
> -	  if (memcmp (envline, "TRACE_LOADED_OBJECTS", 20) == 0)
> +	  if (!__libc_enable_secure
> +	      && memcmp (envline, "TRACE_LOADED_OBJECTS", 20) == 0)
>   	    {
>   	      state->mode = rtld_mode_trace;
>   	      state->mode_trace_program
> @@ -2668,9 +2673,10 @@ process_envvars (struct dl_main_state *state)
>   	}
>         while (*nextp != '\0');
>   
> -      GLRO(dl_debug_mask) = 0;
> -
> -      if (state->mode != rtld_mode_normal)
> +      if (GLRO(dl_debug_mask) != 0
> +	  || GLRO(dl_verbose) != 0
> +	  || state->mode != rtld_mode_normal
> +	  || state->version_info)
>   	_exit (5);
>       }
>     /* If we have to run the dynamic linker in debugging mode and the
> diff --git a/elf/tst-env-setuid.c b/elf/tst-env-setuid.c
> index 76b8e1fb45..dcf213a4cd 100644
> --- a/elf/tst-env-setuid.c
> +++ b/elf/tst-env-setuid.c
> @@ -59,6 +59,8 @@ static const struct envvar_t filtered_envvars[] =
>     { "MALLOC_TRACE",            FILTERED_VALUE },
>     { "MALLOC_TRIM_THRESHOLD_",  FILTERED_VALUE },
>     { "RES_OPTIONS",             FILTERED_VALUE },
> +  { "LD_DEBUG",                "all" },
> +  { "LD_DEBUG_OUTPUT",         "/tmp/some-file" },
>   };
>   
>   static const struct envvar_t unfiltered_envvars[] =
  
Adhemerval Zanella Nov. 21, 2023, 6:24 p.m. UTC | #2
On 20/11/23 19:57, Siddhesh Poyarekar wrote:
> On 2023-11-06 15:25, Adhemerval Zanella wrote:
>> Loader already ignores LD_DEBUG, LD_DEBUG_OUTPUT, and
>> LD_TRACE_LOADED_OBJECTS. Both LD_WARN and LD_VERBOSE are similar to
>> LD_DEBUG, in the sense they enable additional checks and debug
>> information, so it makes sense to disable them.
>>
>> Checked on x86_64-linux-gnu.
>> ---
> 
> Maybe also put it in unsecvars.h?

Ack.

> 
>>   elf/rtld.c           | 22 ++++++++++++++--------
>>   elf/tst-env-setuid.c |  2 ++
>>   2 files changed, 16 insertions(+), 8 deletions(-)
>>
>> diff --git a/elf/rtld.c b/elf/rtld.c
>> index a09cf2a9df..e7f90d37e7 100644
>> --- a/elf/rtld.c
>> +++ b/elf/rtld.c
>> @@ -2552,13 +2552,15 @@ process_envvars (struct dl_main_state *state)
>>       {
>>       case 4:
>>         /* Warning level, verbose or not.  */
>> -      if (memcmp (envline, "WARN", 4) == 0)
>> +      if (!__libc_enable_secure
>> +          && memcmp (envline, "WARN", 4) == 0)
>>           GLRO(dl_verbose) = envline[5] != '\0';
>>         break;
>>         case 5:
>>         /* Debugging of the dynamic linker?  */
>> -      if (memcmp (envline, "DEBUG", 5) == 0)
>> +      if (!__libc_enable_secure
>> +          && memcmp (envline, "DEBUG", 5) == 0)
>>           {
>>             process_dl_debug (state, &envline[6]);
>>             break;
>> @@ -2569,7 +2571,8 @@ process_envvars (struct dl_main_state *state)
>>         case 7:
>>         /* Print information about versions.  */
>> -      if (memcmp (envline, "VERBOSE", 7) == 0)
>> +      if (!__libc_enable_secure
>> +          && memcmp (envline, "VERBOSE", 7) == 0)
>>           {
>>             state->version_info = envline[8] != '\0';
>>             break;
>> @@ -2625,7 +2628,8 @@ process_envvars (struct dl_main_state *state)
>>           }
>>           /* Where to place the profiling data file.  */
>> -      if (memcmp (envline, "DEBUG_OUTPUT", 12) == 0)
>> +      if (!__libc_enable_secure
>> +          && memcmp (envline, "DEBUG_OUTPUT", 12) == 0)
>>           {
>>             debug_output = &envline[13];
>>             break;
>> @@ -2646,7 +2650,8 @@ process_envvars (struct dl_main_state *state)
>>         case 20:
>>         /* The mode of the dynamic linker can be set.  */
>> -      if (memcmp (envline, "TRACE_LOADED_OBJECTS", 20) == 0)
>> +      if (!__libc_enable_secure
>> +          && memcmp (envline, "TRACE_LOADED_OBJECTS", 20) == 0)
>>           {
>>             state->mode = rtld_mode_trace;
>>             state->mode_trace_program
>> @@ -2668,9 +2673,10 @@ process_envvars (struct dl_main_state *state)
>>       }
>>         while (*nextp != '\0');
>>   -      GLRO(dl_debug_mask) = 0;
>> -
>> -      if (state->mode != rtld_mode_normal)
>> +      if (GLRO(dl_debug_mask) != 0
>> +      || GLRO(dl_verbose) != 0
>> +      || state->mode != rtld_mode_normal
>> +      || state->version_info)
>>       _exit (5);
>>       }
>>     /* If we have to run the dynamic linker in debugging mode and the
>> diff --git a/elf/tst-env-setuid.c b/elf/tst-env-setuid.c
>> index 76b8e1fb45..dcf213a4cd 100644
>> --- a/elf/tst-env-setuid.c
>> +++ b/elf/tst-env-setuid.c
>> @@ -59,6 +59,8 @@ static const struct envvar_t filtered_envvars[] =
>>     { "MALLOC_TRACE",            FILTERED_VALUE },
>>     { "MALLOC_TRIM_THRESHOLD_",  FILTERED_VALUE },
>>     { "RES_OPTIONS",             FILTERED_VALUE },
>> +  { "LD_DEBUG",                "all" },
>> +  { "LD_DEBUG_OUTPUT",         "/tmp/some-file" },
>>   };
>>     static const struct envvar_t unfiltered_envvars[] =
  

Patch

diff --git a/elf/rtld.c b/elf/rtld.c
index a09cf2a9df..e7f90d37e7 100644
--- a/elf/rtld.c
+++ b/elf/rtld.c
@@ -2552,13 +2552,15 @@  process_envvars (struct dl_main_state *state)
 	{
 	case 4:
 	  /* Warning level, verbose or not.  */
-	  if (memcmp (envline, "WARN", 4) == 0)
+	  if (!__libc_enable_secure
+	      && memcmp (envline, "WARN", 4) == 0)
 	    GLRO(dl_verbose) = envline[5] != '\0';
 	  break;
 
 	case 5:
 	  /* Debugging of the dynamic linker?  */
-	  if (memcmp (envline, "DEBUG", 5) == 0)
+	  if (!__libc_enable_secure
+	      && memcmp (envline, "DEBUG", 5) == 0)
 	    {
 	      process_dl_debug (state, &envline[6]);
 	      break;
@@ -2569,7 +2571,8 @@  process_envvars (struct dl_main_state *state)
 
 	case 7:
 	  /* Print information about versions.  */
-	  if (memcmp (envline, "VERBOSE", 7) == 0)
+	  if (!__libc_enable_secure
+	      && memcmp (envline, "VERBOSE", 7) == 0)
 	    {
 	      state->version_info = envline[8] != '\0';
 	      break;
@@ -2625,7 +2628,8 @@  process_envvars (struct dl_main_state *state)
 	    }
 
 	  /* Where to place the profiling data file.  */
-	  if (memcmp (envline, "DEBUG_OUTPUT", 12) == 0)
+	  if (!__libc_enable_secure
+	      && memcmp (envline, "DEBUG_OUTPUT", 12) == 0)
 	    {
 	      debug_output = &envline[13];
 	      break;
@@ -2646,7 +2650,8 @@  process_envvars (struct dl_main_state *state)
 
 	case 20:
 	  /* The mode of the dynamic linker can be set.  */
-	  if (memcmp (envline, "TRACE_LOADED_OBJECTS", 20) == 0)
+	  if (!__libc_enable_secure
+	      && memcmp (envline, "TRACE_LOADED_OBJECTS", 20) == 0)
 	    {
 	      state->mode = rtld_mode_trace;
 	      state->mode_trace_program
@@ -2668,9 +2673,10 @@  process_envvars (struct dl_main_state *state)
 	}
       while (*nextp != '\0');
 
-      GLRO(dl_debug_mask) = 0;
-
-      if (state->mode != rtld_mode_normal)
+      if (GLRO(dl_debug_mask) != 0
+	  || GLRO(dl_verbose) != 0
+	  || state->mode != rtld_mode_normal
+	  || state->version_info)
 	_exit (5);
     }
   /* If we have to run the dynamic linker in debugging mode and the
diff --git a/elf/tst-env-setuid.c b/elf/tst-env-setuid.c
index 76b8e1fb45..dcf213a4cd 100644
--- a/elf/tst-env-setuid.c
+++ b/elf/tst-env-setuid.c
@@ -59,6 +59,8 @@  static const struct envvar_t filtered_envvars[] =
   { "MALLOC_TRACE",            FILTERED_VALUE },
   { "MALLOC_TRIM_THRESHOLD_",  FILTERED_VALUE },
   { "RES_OPTIONS",             FILTERED_VALUE },
+  { "LD_DEBUG",                "all" },
+  { "LD_DEBUG_OUTPUT",         "/tmp/some-file" },
 };
 
 static const struct envvar_t unfiltered_envvars[] =