From: Stefan Liebler
To: libc-alpha@sourceware.org
Cc: Joe Simmons-Talbott, Stefan Liebler, Adhemerval Zanella
Subject: [PATCH v2] elf/rtld: Fix auxiliary vector for enable_secure
Date: Tue, 2 Jul 2024 15:25:20 +0200
Message-ID: <20240702132520.941809-1-stli@linux.ibm.com>

Starting with commit
59974938fe1f4add843f5325f78e2a7ccd8db853
elf/rtld: Count skipped environment variables for enable_secure

The new testcase elf/tst-tunables-enable_secure-env segfaults on s390 (31bit).
There _start parses the auxiliary vector for some additional checks.

Therefore it skips over the zeros after the environment variables ...
0x7fffac20:     0x7fffbd17      0x7fffbd32      0x7fffbd69      0x00000000
------------------------------------------------^^^last environment variable

... and then it parses the auxiliary vector and stops at AT_NULL.
0x7fffac30:     0x00000000      0x00000021      0x00000000      0x00000000
--------------------------------^^^AT_SYSINFO_EHDR--------------^^^AT_NULL
----------------^^^newp-----------------------------------------^^^oldp

Afterwards it tries to access AT_PHDR which points to somewhere and segfaults.

Due to not incorporating the skip_env variable in the computation of oldp
when shuffling down the auxv in rtld.c, it just copies one entry with AT_NULL
and value 0x00000021 and stops the loop. In reality we have skipped
GLIBC_TUNABLES environment variable (=> skip_env=1). Thus we should copy from
here:
0x7fffac40:     0x00000021      0x7ffff000      0x00000010      0x007fffff
----------------^^^fixed-oldp

This patch fixes the computation of oldp when shuffling down auxiliary vector.
It also adds some checks in the testcase. Those checks also fail on s390x
(64bit) and x86_64 without the fix.

Co-authored-by: Adhemerval Zanella
Reviewed-by: Adhemerval Zanella
--- elf/Makefile | 9 +- elf/rtld.c | 2 +- elf/tst-tunables-enable_secure-env.c | 127 ++++++++++++++++++++++++++- 3 files changed, 126 insertions(+), 12 deletions(-) diff --git a/elf/Makefile b/elf/Makefile index 24ad5221c2..a3475f3fb5 100644 --- a/elf/Makefile +++ b/elf/Makefile @@ -1224,7 +1224,6 @@ tests-special += \ $(objpfx)tst-trace3.out \ $(objpfx)tst-trace4.out \ $(objpfx)tst-trace5.out \ - $(objpfx)tst-tunables-enable_secure-env.out \ $(objpfx)tst-unused-dep-cmp.out \ $(objpfx)tst-unused-dep.out \ # tests-special
@@ -2252,13 +2251,7 @@ $(objpfx)tst-unused-dep-cmp.out: $(objpfx)tst-unused-dep.out cmp $< /dev/null > $@; \ $(evaluate-test) -$(objpfx)tst-tunables-enable_secure-env.out: $(objpfx)tst-tunables-enable_secure-env - $(test-wrapper-env) \ - GLIBC_TUNABLES=glibc.rtld.enable_secure=1 \ - $(rtld-prefix) \ - $< > $@; \ - $(evaluate-test) - +tst-tunables-enable_secure-env-ARGS = -- $(host-test-program-cmd) $(objpfx)tst-audit11.out: $(objpfx)tst-auditmod11.so $(objpfx)tst-audit11mod1.so tst-audit11-ENV = LD_AUDIT=$(objpfx)tst-auditmod11.so diff --git a/elf/rtld.c b/elf/rtld.c index 6352ba76c5..bfdf632e77 100644 --- a/elf/rtld.c +++ b/elf/rtld.c @@ -1327,7 +1327,7 @@ _dl_start_args_adjust (int skip_args, int skip_env) /* Shuffle auxv down. */ ElfW(auxv_t) ax; - char *oldp = (char *) (p + 1); + char *oldp = (char *) (p + 1 + skip_env); char *newp = (char *) (sp + 1); do { diff --git a/elf/tst-tunables-enable_secure-env.c b/elf/tst-tunables-enable_secure-env.c index 24e846f299..01f121efc3 100644 --- a/elf/tst-tunables-enable_secure-env.c +++ b/elf/tst-tunables-enable_secure-env.c 
@@ -17,15 +17,136 @@ License along with the GNU C Library; if not, see . */ +#include +#include +#include +#include +#include #include #include +#ifdef __linux__ +# define HAVE_AUXV 1 +# include +#else +# define HAVE_AUXV 0 +#endif + +/* Nonzero if the program gets called via `exec'. */ +#define CMDLINE_OPTIONS \ + { "restart", no_argument, &restart, 1 }, +static int restart; + +/* Hold the four initial argument used to respawn the process, plus the extra + '--direct', '--restart', auxiliary vector values, and final NULL. */ +static char *spargs[11]; + +#if HAVE_AUXV +static void +check_auxv (unsigned long type, char *argv) +{ + char *endptr; + errno = 0; + unsigned long int varg = strtol (argv, &endptr, 10); + TEST_VERIFY_EXIT (errno == 0); + TEST_VERIFY_EXIT (*endptr == '\0'); + errno = 0; + unsigned long int v = getauxval (type); + TEST_COMPARE (errno, 0); + TEST_COMPARE (varg, v); +} +#endif + +/* Called on process re-execution. */ +_Noreturn static void +handle_restart (int argc, char *argv[]) +{ + TEST_VERIFY (getenv ("GLIBC_TUNABLES") == NULL); + TEST_VERIFY (getenv ("LD_BIND_NOW") == NULL); + +#if HAVE_AUXV + TEST_VERIFY_EXIT (argc == 4); + check_auxv (AT_PHENT, argv[0]); + check_auxv (AT_PHNUM, argv[1]); + check_auxv (AT_PAGESZ, argv[2]); + check_auxv (AT_HWCAP, argv[3]); +#endif + + exit (EXIT_SUCCESS); +} static int do_test (int argc, char *argv[]) { - /* Ensure that no assertions are hit when a dynamically linked application - runs. This test requires that GLIBC_TUNABLES=glibc.rtld.enable_secure=1 - is set. */ + /* We must have either: + + - four parameter if called initially: + + path for ld.so [optional] + + "--library-path" [optional] + + the library path [optional] + + the application name + + - either parameters left if called through re-execution. 
+ + auxiliary vector value 1 + + auxiliary vector value 2 + + auxiliary vector value 3 + + auxiliary vector value 4 + */ + if (restart) + handle_restart (argc - 1, &argv[1]); + + TEST_VERIFY_EXIT (argc == 2 || argc == 5); + +#if HAVE_AUXV + struct + { + unsigned long int type; + char str[INT_BUFSIZE_BOUND (unsigned long)]; + } auxvals[] = + { + /* Check some auxiliary values that should be constant over process + re-execution. */ + { AT_PHENT }, + { AT_PHNUM }, + { AT_PAGESZ }, + { AT_HWCAP }, + }; + for (int i = 0; i < array_length (auxvals); i++) + { + unsigned long int v = getauxval (auxvals[i].type); + snprintf (auxvals[i].str, sizeof auxvals[i].str, "%lu", v); + } +#endif + + { + int i; + for (i = 0; i < argc - 1; i++) + spargs[i] = argv[i + 1]; + spargs[i++] = (char *) "--direct"; + spargs[i++] = (char *) "--restart"; +#if HAVE_AUXV + for (int j = 0; j < array_length (auxvals); j++) + spargs[i++] = auxvals[j].str; +#endif + spargs[i] = NULL; + } + + { + char *envs[] = + { + /* Add some environment variable that should be filtered out. */ + (char *) "GLIBC_TUNABLES=glibc.rtld.enable_secure=1", + (char* ) "LD_BIND_NOW=0", + NULL, + }; + struct support_capture_subprocess result + = support_capture_subprogram (spargs[0], spargs, envs); + support_capture_subprocess_check (&result, + "tst-tunables-enable_secure-env", + 0, + sc_allow_none); + support_capture_subprocess_free (&result); + } + return 0; }
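
Review bot: In the second elf/Makefile hunk (@@ -2252,13 +2251,7 @@), the removed rule takes its trailing blank line with it (the lone `-` just before the added line), so `tst-tunables-enable_secure-env-ARGS = -- $(host-test-program-cmd)` ends up directly above the `$(objpfx)tst-audit11.out:` rule with no separator. A blank line after the new variable would keep it visually apart from the unrelated tst-audit11 rule and its tst-audit11-ENV setting.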
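
Review bot: In the elf/rtld.c hunk, the corrected `char *oldp = (char *) (p + 1 + skip_env);` carries no comment explaining the extra term, and the comment above it still says only "Shuffle auxv down." The reason is given only in the commit message: each filtered environment variable leaves one more zero slot between the end of the shuffled envp and the original start of the auxiliary vector, so the copy source has to start skip_env slots further up. A short comment saying so next to the assignment would stop a later cleanup from reducing it back to `p + 1`, which is the state that made _start read a bogus AT_NULL entry. Note also that the addition is applied to p before the cast to `char *`, so it is scaled by p's element size rather than by bytes; the comment could state that skip_env is a count of stack slots.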
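
Review bot: In check_auxv in the elf/tst-tunables-enable_secure-env.c hunk, the argument is parsed with `strtol` into an `unsigned long int`, while the parent process formats the same value with `"%lu"`. On a target where long is 32 bits, such as the s390 (31bit) case named in the commit message, an AT_HWCAP value above LONG_MAX makes strtol return LONG_MAX with errno set to ERANGE, so `TEST_VERIFY_EXIT (errno == 0)` fails for a reason unrelated to the auxv shuffle; `strtoul` matches the producer. Smaller points in the same hunk: the do_test comment reads "either parameters left if called through re-execution", which looks like a typo given the four auxiliary vector values listed under it, and the `char *argv` parameter name in check_auxv suggests an argument vector where a single string is passed.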