libc_init_common.cpp revision 36733fc4c10854766cca3b617aae61149895e4b2 
1/*
2 * Copyright (C) 2008 The Android Open Source Project
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *  * Redistributions of source code must retain the above copyright
9 *    notice, this list of conditions and the following disclaimer.
10 *  * Redistributions in binary form must reproduce the above copyright
11 *    notice, this list of conditions and the following disclaimer in
12 *    the documentation and/or other materials provided with the
13 *    distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
16 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
18 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
19 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
22 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
25 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29#include "libc_init_common.h"
30
31#include <elf.h>
32#include <errno.h>
33#include <fcntl.h>
34#include <stddef.h>
35#include <stdint.h>
36#include <stdio.h>
37#include <stdlib.h>
38#include <string.h>
39#include <sys/auxv.h>
40#include <sys/personality.h>
41#include <sys/time.h>
42#include <unistd.h>
43
44#include "private/bionic_auxv.h"
45#include "private/bionic_globals.h"
46#include "private/bionic_ssp.h"
47#include "private/bionic_tls.h"
48#include "private/KernelArgumentBlock.h"
49#include "private/libc_logging.h"
50#include "private/WriteProtected.h"
51#include "pthread_internal.h"
52
53extern "C" abort_msg_t** __abort_message_ptr;
54extern "C" int __system_properties_init(void);
55
56__LIBC_HIDDEN__ WriteProtected<libc_globals> __libc_globals;
57
58// Not public, but well-known in the BSDs.
59const char* __progname;
60
61// Declared in <unistd.h>.
62char** environ;
63
64// Declared in "private/bionic_ssp.h".
65uintptr_t __stack_chk_guard = 0;
66
67void __libc_init_global_stack_chk_guard(KernelArgumentBlock& args) {
68  // AT_RANDOM is a pointer to 16 bytes of randomness on the stack.
69  // Take the first 4/8 for the -fstack-protector implementation.
70  __stack_chk_guard = *reinterpret_cast<uintptr_t*>(args.getauxval(AT_RANDOM));
71}
72
73void __libc_init_globals(KernelArgumentBlock& args) {
74  // Initialize libc globals that are needed in both the linker and in libc.
75  // In dynamic binaries, this is run at least twice for different copies of the
76  // globals, once for the linker's copy and once for the one in libc.so.
77  __libc_init_global_stack_chk_guard(args);
78  __libc_auxv = args.auxv;
79  __libc_globals.initialize();
80  __libc_globals.mutate([&args](libc_globals* globals) {
81    __libc_init_vdso(globals, args);
82    __libc_init_setjmp_cookie(globals, args);
83  });
84}
85
86#if !defined(__LP64__)
87static void __check_max_thread_id() {
88  if (gettid() > 65535) {
89    __libc_fatal("Limited by the size of pthread_mutex_t, 32 bit bionic libc only accepts "
90                 "pid <= 65535, but current pid is %d", gettid());
91  }
92}
93#endif
94
95void __libc_init_common(KernelArgumentBlock& args) {
96  // Initialize various globals.
97  environ = args.envp;
98  errno = 0;
99  __progname = args.argv[0] ? args.argv[0] : "<unknown>";
100  __abort_message_ptr = args.abort_message_ptr;
101
102#if !defined(__LP64__)
103  __check_max_thread_id();
104#endif
105
106  // Get the main thread from TLS and add it to the thread list.
107  pthread_internal_t* main_thread = __get_thread();
108  __pthread_internal_add(main_thread);
109
110  __system_properties_init(); // Requires 'environ'.
111}
112
113__noreturn static void __early_abort(int line) {
114  // We can't write to stdout or stderr because we're aborting before we've checked that
115  // it's safe for us to use those file descriptors. We probably can't strace either, so
116  // we rely on the fact that if we dereference a low address, either debuggerd or the
117  // kernel's crash dump will show the fault address.
118  *reinterpret_cast<int*>(line) = 0;
119  _exit(EXIT_FAILURE);
120}
121
122// Force any of the closed stdin, stdout and stderr to be associated with /dev/null.
123static void __nullify_closed_stdio() {
124  int dev_null = TEMP_FAILURE_RETRY(open("/dev/null", O_RDWR));
125  if (dev_null == -1) {
126    // init won't have /dev/null available, but SELinux provides an equivalent.
127    dev_null = TEMP_FAILURE_RETRY(open("/sys/fs/selinux/null", O_RDWR));
128  }
129  if (dev_null == -1) {
130    __early_abort(__LINE__);
131  }
132
133  // If any of the stdio file descriptors is valid and not associated
134  // with /dev/null, dup /dev/null to it.
135  for (int i = 0; i < 3; i++) {
136    // If it is /dev/null already, we are done.
137    if (i == dev_null) {
138      continue;
139    }
140
141    // Is this fd already open?
142    int status = TEMP_FAILURE_RETRY(fcntl(i, F_GETFL));
143    if (status != -1) {
144      continue;
145    }
146
147    // The only error we allow is that the file descriptor does not
148    // exist, in which case we dup /dev/null to it.
149    if (errno == EBADF) {
150      // Try dupping /dev/null to this stdio file descriptor and
151      // repeat if there is a signal. Note that any errors in closing
152      // the stdio descriptor are lost.
153      status = TEMP_FAILURE_RETRY(dup2(dev_null, i));
154      if (status == -1) {
155        __early_abort(__LINE__);
156      }
157    } else {
158      __early_abort(__LINE__);
159    }
160  }
161
162  // If /dev/null is not one of the stdio file descriptors, close it.
163  if (dev_null > 2) {
164    if (close(dev_null) == -1) {
165      __early_abort(__LINE__);
166    }
167  }
168}
169
170// Check if the environment variable definition at 'envstr'
171// starts with '<name>=', and if so return the address of the
172// first character after the equal sign. Otherwise return null.
173static const char* env_match(const char* envstr, const char* name) {
174  size_t i = 0;
175
176  while (envstr[i] == name[i] && name[i] != '\0') {
177    ++i;
178  }
179
180  if (name[i] == '\0' && envstr[i] == '=') {
181    return envstr + i + 1;
182  }
183
184  return nullptr;
185}
186
187static bool __is_valid_environment_variable(const char* name) {
188  // According to the kernel source, by default the kernel uses 32*PAGE_SIZE
189  // as the maximum size for an environment variable definition.
190  const int MAX_ENV_LEN = 32*4096;
191
192  if (name == nullptr) {
193    return false;
194  }
195
196  // Parse the string, looking for the first '=' there, and its size.
197  int pos = 0;
198  int first_equal_pos = -1;
199  while (pos < MAX_ENV_LEN) {
200    if (name[pos] == '\0') {
201      break;
202    }
203    if (name[pos] == '=' && first_equal_pos < 0) {
204      first_equal_pos = pos;
205    }
206    pos++;
207  }
208
209  // Check that it's smaller than MAX_ENV_LEN (to detect non-zero terminated strings).
210  if (pos >= MAX_ENV_LEN) {
211    return false;
212  }
213
214  // Check that it contains at least one equal sign that is not the first character
215  if (first_equal_pos < 1) {
216    return false;
217  }
218
219  return true;
220}
221
222static bool __is_unsafe_environment_variable(const char* name) {
223  // None of these should be allowed when the AT_SECURE auxv
224  // flag is set. This flag is set to inform userspace that a
225  // security transition has occurred, for example, as a result
226  // of executing a setuid program or the result of an SELinux
227  // security transition.
228  static constexpr const char* UNSAFE_VARIABLE_NAMES[] = {
229    "GCONV_PATH",
230    "GETCONF_DIR",
231    "HOSTALIASES",
232    "JE_MALLOC_CONF",
233    "LD_AOUT_LIBRARY_PATH",
234    "LD_AOUT_PRELOAD",
235    "LD_AUDIT",
236    "LD_DEBUG",
237    "LD_DEBUG_OUTPUT",
238    "LD_DYNAMIC_WEAK",
239    "LD_LIBRARY_PATH",
240    "LD_ORIGIN_PATH",
241    "LD_PRELOAD",
242    "LD_PROFILE",
243    "LD_SHOW_AUXV",
244    "LD_USE_LOAD_BIAS",
245    "LOCALDOMAIN",
246    "LOCPATH",
247    "MALLOC_CHECK_",
248    "MALLOC_CONF",
249    "MALLOC_TRACE",
250    "NIS_PATH",
251    "NLSPATH",
252    "RESOLV_HOST_CONF",
253    "RES_OPTIONS",
254    "TMPDIR",
255    "TZDIR",
256  };
257  for (const auto& unsafe_variable_name : UNSAFE_VARIABLE_NAMES) {
258    if (env_match(name, unsafe_variable_name) != nullptr) {
259      return true;
260    }
261  }
262  return false;
263}
264
265static void __sanitize_environment_variables(char** env) {
266  bool is_AT_SECURE = getauxval(AT_SECURE);
267  char** src = env;
268  char** dst = env;
269  for (; src[0] != nullptr; ++src) {
270    if (!__is_valid_environment_variable(src[0])) {
271      continue;
272    }
273    // Remove various unsafe environment variables if we're loading a setuid program.
274    if (is_AT_SECURE && __is_unsafe_environment_variable(src[0])) {
275      continue;
276    }
277    dst[0] = src[0];
278    ++dst;
279  }
280  dst[0] = nullptr;
281}
282
283static void __initialize_personality() {
284#if !defined(__LP64__)
285  int old_value = personality(0xffffffff);
286  if (old_value == -1) {
287    __libc_fatal("error getting old personality value: %s", strerror(errno));
288  }
289
290  if (personality((static_cast<unsigned int>(old_value) & ~PER_MASK) | PER_LINUX32) == -1) {
291    __libc_fatal("error setting PER_LINUX32 personality: %s", strerror(errno));
292  }
293#endif
294}
295
296void __libc_init_AT_SECURE(KernelArgumentBlock& args) {
297  __libc_auxv = args.auxv;
298
299  // Check that the kernel provided a value for AT_SECURE.
300  bool found_AT_SECURE = false;
301  for (ElfW(auxv_t)* v = __libc_auxv; v->a_type != AT_NULL; ++v) {
302    if (v->a_type == AT_SECURE) {
303      found_AT_SECURE = true;
304      break;
305    }
306  }
307  if (!found_AT_SECURE) __early_abort(__LINE__);
308
309  if (getauxval(AT_SECURE)) {
310    // If this is a setuid/setgid program, close the security hole described in
311    // https://www.freebsd.org/security/advisories/FreeBSD-SA-02:23.stdio.asc
312    __nullify_closed_stdio();
313
314    __sanitize_environment_variables(args.envp);
315  }
316
317  // Now the environment has been sanitized, make it available.
318  environ = args.envp;
319
320  __initialize_personality();
321}
322
323/* This function will be called during normal program termination
324 * to run the destructors that are listed in the .fini_array section
325 * of the executable, if any.
326 *
327 * 'fini_array' points to a list of function addresses. The first
328 * entry in the list has value -1, the last one has value 0.
329 */
330void __libc_fini(void* array) {
331  typedef void (*Dtor)();
332  Dtor* fini_array = reinterpret_cast<Dtor*>(array);
333  const Dtor minus1 = reinterpret_cast<Dtor>(static_cast<uintptr_t>(-1));
334
335  // Sanity check - first entry must be -1.
336  if (array == NULL || fini_array[0] != minus1) {
337    return;
338  }
339
340  // Skip over it.
341  fini_array += 1;
342
343  // Count the number of destructors.
344  int count = 0;
345  while (fini_array[count] != NULL) {
346    ++count;
347  }
348
349  // Now call each destructor in reverse order.
350  while (count > 0) {
351    Dtor dtor = fini_array[--count];
352
353    // Sanity check, any -1 in the list is ignored.
354    if (dtor == minus1) {
355      continue;
356    }
357
358    dtor();
359  }
360}
361