[v2] string: strerror, strsignal cannot use buffer after dlmopen (bug 32026)

Message ID 87jzgpg2ln.fsf@oldenburg.str.redhat.com
State Committed
Delegated to: Adhemerval Zanella Netto
Headers
Series [v2] string: strerror, strsignal cannot use buffer after dlmopen (bug 32026) |

Checks

Context Check Description
redhat-pt-bot/TryBot-32bit success Build for i686
redhat-pt-bot/TryBot-apply_patch success Patch applied to master at the time it was sent
linaro-tcwg-bot/tcwg_glibc_build--master-arm success Build passed
linaro-tcwg-bot/tcwg_glibc_check--master-arm success Test passed
linaro-tcwg-bot/tcwg_glibc_build--master-aarch64 success Build passed
linaro-tcwg-bot/tcwg_glibc_check--master-aarch64 success Test passed

Commit Message

Florian Weimer Aug. 9, 2024, 3:03 p.m. UTC
  Secondary namespaces have a different malloc.  Allocating the
buffer in one namespace and freeing it another results in
heap corruption.  Fix this by using a static string (potentially
translated) in secondary namespaces.  It would also be possible
to use the malloc from the initial namespace to manage the
buffer, but these functions would still not be safe to use in
auditors etc. because a call to strerror could still free a
buffer while it is used by the application.  Another approach
could use proper initial-exec TLS, duplicated in secondary
namespaces, but that would need a callback interface for freeing
libc resources in namespaces on thread exit, which does not exist
today.

---
v2: Fix double-free bug in strsignal (after asprintf failure).
 string/strerror_l.c | 35 ++++++++++++++++++++++++-----------
 string/strsignal.c  | 34 +++++++++++++++++++++-------------
 2 files changed, 45 insertions(+), 24 deletions(-)


base-commit: eb0e50e9a1cf80a2ba6f33f990a08ef37a3267fb
  

Comments

Adhemerval Zanella Netto Aug. 19, 2024, 1:37 p.m. UTC | #1
On 09/08/24 12:03, Florian Weimer wrote:
> Secondary namespaces have a different malloc.  Allocating the
> buffer in one namespace and freeing it another results in
> heap corruption.  Fix this by using a static string (potentially
> translated) in secondary namespaces.  It would also be possible
> to use the malloc from the initial namespace to manage the
> buffer, but these functions would still not be safe to use in
> auditors etc. because a call to strerror could still free a
> buffer while it is used by the application.  Another approach
> could use proper initial-exec TLS, duplicated in secondary
> namespaces, but that would need a callback interface for freeing
> libc resources in namespaces on thread exit, which does not exist
> today.
> 

I wonder if the RTLD_SHARED proposal would help us here, since the
libc.so loading duplication on audit modules brings a lot of corner
cases.

In any case, LGTM.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>

> ---
> v2: Fix double-free bug in strsignal (after asprintf failure).
>  string/strerror_l.c | 35 ++++++++++++++++++++++++-----------
>  string/strsignal.c  | 34 +++++++++++++++++++++-------------
>  2 files changed, 45 insertions(+), 24 deletions(-)
> 
> diff --git a/string/strerror_l.c b/string/strerror_l.c
> index 15cce261e6..70456e5bb4 100644
> --- a/string/strerror_l.c
> +++ b/string/strerror_l.c
> @@ -20,7 +20,7 @@
>  #include <stdio.h>
>  #include <string.h>
>  #include <tls-internal.h>
> -
> +#include <libc-internal.h>
>  
>  static const char *
>  translate (const char *str, locale_t loc)
> @@ -31,6 +31,12 @@ translate (const char *str, locale_t loc)
>    return res;
>  }
>  
> +static char *
> +unknown_error (locale_t loc)
> +{
> +  return (char *) translate ("Unknown error", loc);
> +}
> +
>  
>  /* Return a string describing the errno code in ERRNUM.  */
>  char *
> @@ -40,18 +46,25 @@ __strerror_l (int errnum, locale_t loc)
>    char *err = (char *) __get_errlist (errnum);
>    if (__glibc_unlikely (err == NULL))
>      {
> -      struct tls_internal_t *tls_internal = __glibc_tls_internal ();
> -      free (tls_internal->strerror_l_buf);
> -      if (__asprintf (&tls_internal->strerror_l_buf, "%s%d",
> -		      translate ("Unknown error ", loc), errnum) > 0)
> -	err = tls_internal->strerror_l_buf;
> -      else
> +      if (__libc_initial)
>  	{
> -	  /* The memory was freed above.  */
> -	  tls_internal->strerror_l_buf = NULL;
> -	  /* Provide a fallback translation.  */
> -	  err = (char *) translate ("Unknown error", loc);
> +	  struct tls_internal_t *tls_internal = __glibc_tls_internal ();
> +	  free (tls_internal->strerror_l_buf);
> +	  if (__asprintf (&tls_internal->strerror_l_buf, "%s%d",
> +			  translate ("Unknown error ", loc), errnum) > 0)
> +	    err = tls_internal->strerror_l_buf;
> +	  else
> +	    {
> +	      /* The memory was freed above.  */
> +	      tls_internal->strerror_l_buf = NULL;
> +	      /* Provide a fallback translation.  */
> +	      err = unknown_error (loc);
> +	    }
>  	}
> +      else
> +	/* Secondary namespaces use a different malloc, so cannot
> +	   participate in the buffer management.  */
> +	err = unknown_error (loc);
>      }
>    else
>      err = (char *) translate (err, loc);
> diff --git a/string/strsignal.c b/string/strsignal.c
> index 3114601564..d9b0365468 100644
> --- a/string/strsignal.c
> +++ b/string/strsignal.c
> @@ -21,6 +21,7 @@
>  #include <string.h>
>  #include <libintl.h>
>  #include <tls-internal.h>
> +#include <libc-internal.h>
>  
>  /* Return a string describing the meaning of the signal number SIGNUM.  */
>  char *
> @@ -30,21 +31,28 @@ strsignal (int signum)
>    if (desc != NULL)
>      return _(desc);
>  
> -  struct tls_internal_t *tls_internal = __glibc_tls_internal ();
> -  free (tls_internal->strsignal_buf);
> +  if (__libc_initial)
> +    {
> +      struct tls_internal_t *tls_internal = __glibc_tls_internal ();
> +      free (tls_internal->strsignal_buf);
>  
> -  int r;
> +      int r;
>  #ifdef SIGRTMIN
> -  if (signum >= SIGRTMIN && signum <= SIGRTMAX)
> -    r = __asprintf (&tls_internal->strsignal_buf, _("Real-time signal %d"),
> -		    signum - SIGRTMIN);
> -  else
> +      if (signum >= SIGRTMIN && signum <= SIGRTMAX)
> +	r = __asprintf (&tls_internal->strsignal_buf, _("Real-time signal %d"),
> +			signum - SIGRTMIN);
> +      else
>  #endif
> -    r = __asprintf (&tls_internal->strsignal_buf, _("Unknown signal %d"),
> -		    signum);
> +	r = __asprintf (&tls_internal->strsignal_buf, _("Unknown signal %d"),
> +			signum);
>  
> -  if (r == -1)
> -    tls_internal->strsignal_buf = NULL;
> -
> -  return tls_internal->strsignal_buf;
> +      if (r >= 0)
> +	return tls_internal->strsignal_buf;
> +      else
> +	tls_internal->strsignal_buf = NULL;
> +    }
> +  /* Fall through on asprintf error, and for !__libc_initial:
> +     secondary namespaces use a different malloc and cannot
> +     participate in the buffer management.  */
> +  return _("Unknown signal");
>  }
> 
> base-commit: eb0e50e9a1cf80a2ba6f33f990a08ef37a3267fb
>
  
Florian Weimer Aug. 19, 2024, 1:46 p.m. UTC | #2
* Adhemerval Zanella Netto:

> On 09/08/24 12:03, Florian Weimer wrote:
>> Secondary namespaces have a different malloc.  Allocating the
>> buffer in one namespace and freeing it another results in
>> heap corruption.  Fix this by using a static string (potentially
>> translated) in secondary namespaces.  It would also be possible
>> to use the malloc from the initial namespace to manage the
>> buffer, but these functions would still not be safe to use in
>> auditors etc. because a call to strerror could still free a
>> buffer while it is used by the application.  Another approach
>> could use proper initial-exec TLS, duplicated in secondary
>> namespaces, but that would need a callback interface for freeing
>> libc resources in namespaces on thread exit, which does not exist
>> today.
>> 
>
> I wonder if the RTLD_SHARED proposal would help us here, since the
> libc.so loading duplication on audit modules brings a lot of corner
> cases.

No, audit modules need a separate libc because they can alter bindings
for the main libc.  Maybe they could share a libc.  Come to think of it,
it's not really clear to me why we need to load audit modules into
separate namespaces.

> In any case, LGTM.
>
> Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>

Thanks,
Florian
  

Patch

diff --git a/string/strerror_l.c b/string/strerror_l.c
index 15cce261e6..70456e5bb4 100644
--- a/string/strerror_l.c
+++ b/string/strerror_l.c
@@ -20,7 +20,7 @@ 
 #include <stdio.h>
 #include <string.h>
 #include <tls-internal.h>
-
+#include <libc-internal.h>
 
 static const char *
 translate (const char *str, locale_t loc)
@@ -31,6 +31,12 @@  translate (const char *str, locale_t loc)
   return res;
 }
 
+static char *
+unknown_error (locale_t loc)
+{
+  return (char *) translate ("Unknown error", loc);
+}
+
 
 /* Return a string describing the errno code in ERRNUM.  */
 char *
@@ -40,18 +46,25 @@  __strerror_l (int errnum, locale_t loc)
   char *err = (char *) __get_errlist (errnum);
   if (__glibc_unlikely (err == NULL))
     {
-      struct tls_internal_t *tls_internal = __glibc_tls_internal ();
-      free (tls_internal->strerror_l_buf);
-      if (__asprintf (&tls_internal->strerror_l_buf, "%s%d",
-		      translate ("Unknown error ", loc), errnum) > 0)
-	err = tls_internal->strerror_l_buf;
-      else
+      if (__libc_initial)
 	{
-	  /* The memory was freed above.  */
-	  tls_internal->strerror_l_buf = NULL;
-	  /* Provide a fallback translation.  */
-	  err = (char *) translate ("Unknown error", loc);
+	  struct tls_internal_t *tls_internal = __glibc_tls_internal ();
+	  free (tls_internal->strerror_l_buf);
+	  if (__asprintf (&tls_internal->strerror_l_buf, "%s%d",
+			  translate ("Unknown error ", loc), errnum) > 0)
+	    err = tls_internal->strerror_l_buf;
+	  else
+	    {
+	      /* The memory was freed above.  */
+	      tls_internal->strerror_l_buf = NULL;
+	      /* Provide a fallback translation.  */
+	      err = unknown_error (loc);
+	    }
 	}
+      else
+	/* Secondary namespaces use a different malloc, so cannot
+	   participate in the buffer management.  */
+	err = unknown_error (loc);
     }
   else
     err = (char *) translate (err, loc);
diff --git a/string/strsignal.c b/string/strsignal.c
index 3114601564..d9b0365468 100644
--- a/string/strsignal.c
+++ b/string/strsignal.c
@@ -21,6 +21,7 @@ 
 #include <string.h>
 #include <libintl.h>
 #include <tls-internal.h>
+#include <libc-internal.h>
 
 /* Return a string describing the meaning of the signal number SIGNUM.  */
 char *
@@ -30,21 +31,28 @@  strsignal (int signum)
   if (desc != NULL)
     return _(desc);
 
-  struct tls_internal_t *tls_internal = __glibc_tls_internal ();
-  free (tls_internal->strsignal_buf);
+  if (__libc_initial)
+    {
+      struct tls_internal_t *tls_internal = __glibc_tls_internal ();
+      free (tls_internal->strsignal_buf);
 
-  int r;
+      int r;
 #ifdef SIGRTMIN
-  if (signum >= SIGRTMIN && signum <= SIGRTMAX)
-    r = __asprintf (&tls_internal->strsignal_buf, _("Real-time signal %d"),
-		    signum - SIGRTMIN);
-  else
+      if (signum >= SIGRTMIN && signum <= SIGRTMAX)
+	r = __asprintf (&tls_internal->strsignal_buf, _("Real-time signal %d"),
+			signum - SIGRTMIN);
+      else
 #endif
-    r = __asprintf (&tls_internal->strsignal_buf, _("Unknown signal %d"),
-		    signum);
+	r = __asprintf (&tls_internal->strsignal_buf, _("Unknown signal %d"),
+			signum);
 
-  if (r == -1)
-    tls_internal->strsignal_buf = NULL;
-
-  return tls_internal->strsignal_buf;
+      if (r >= 0)
+	return tls_internal->strsignal_buf;
+      else
+	tls_internal->strsignal_buf = NULL;
+    }
+  /* Fall through on asprintf error, and for !__libc_initial:
+     secondary namespaces use a different malloc and cannot
+     participate in the buffer management.  */
+  return _("Unknown signal");
 }