libc_init_common.cpp revision 40c2bf6cf6d9fa423d36128823451ae1cc1f7662
1/* 2 * Copyright (C) 2008 The Android Open Source Project 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * * Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * * Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in 12 * the documentation and/or other materials provided with the 13 * distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 16 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 18 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 19 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS 22 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT 25 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29#include "libc_init_common.h" 30 31#include <elf.h> 32#include <errno.h> 33#include <fcntl.h> 34#include <stddef.h> 35#include <stdint.h> 36#include <stdio.h> 37#include <stdlib.h> 38#include <string.h> 39#include <sys/auxv.h> 40#include <sys/personality.h> 41#include <sys/time.h> 42#include <unistd.h> 43 44#include "private/bionic_auxv.h" 45#include "private/bionic_globals.h" 46#include "private/bionic_ssp.h" 47#include "private/bionic_tls.h" 48#include "private/KernelArgumentBlock.h" 49#include "private/libc_logging.h" 50#include "private/WriteProtected.h" 51#include "pthread_internal.h" 52 53extern "C" abort_msg_t** __abort_message_ptr; 54extern "C" int __system_properties_init(void); 55extern "C" int __set_tls(void* ptr); 56extern "C" int __set_tid_address(int* tid_address); 57 58__LIBC_HIDDEN__ WriteProtected<libc_globals> __libc_globals; 59 60// Not public, but well-known in the BSDs. 61const char* __progname; 62 63// Declared in <unistd.h>. 64char** environ; 65 66// Declared in "private/bionic_ssp.h". 67uintptr_t __stack_chk_guard = 0; 68 69// Setup for the main thread. For dynamic executables, this is called by the 70// linker _before_ libc is mapped in memory. This means that all writes to 71// globals from this function will apply to linker-private copies and will not 72// be visible from libc later on. 73// 74// Note: this function creates a pthread_internal_t for the initial thread and 75// stores the pointer in TLS, but does not add it to pthread's thread list. This 76// has to be done later from libc itself (see __libc_init_common). 77void __libc_init_main_thread(KernelArgumentBlock& args) { 78 __libc_auxv = args.auxv; 79 80 static pthread_internal_t main_thread; 81 82 // The x86 -fstack-protector implementation uses TLS, so make sure that's 83 // set up before we call any function that might get a stack check inserted. 84 __set_tls(main_thread.tls); 85 86 // Tell the kernel to clear our tid field when we exit, so we're like any other pthread. 87 // As a side-effect, this tells us our pid (which is the same as the main thread's tid). 88 main_thread.tid = __set_tid_address(&main_thread.tid); 89 main_thread.set_cached_pid(main_thread.tid); 90 91 // We don't want to free the main thread's stack even when the main thread exits 92 // because things like environment variables with global scope live on it. 93 // We also can't free the pthread_internal_t itself, since that lives on the main 94 // thread's stack rather than on the heap. 95 // The main thread has no mmap allocated space for stack or pthread_internal_t. 96 main_thread.mmap_size = 0; 97 pthread_attr_init(&main_thread.attr); 98 main_thread.attr.guard_size = 0; // The main thread has no guard page. 99 main_thread.attr.stack_size = 0; // User code should never see this; we'll compute it when asked. 100 // TODO: the main thread's sched_policy and sched_priority need to be queried. 101 102 __init_thread(&main_thread); 103 __init_tls(&main_thread); 104 105 // Store a pointer to the kernel argument block in a TLS slot to be 106 // picked up by the libc constructor. 107 main_thread.tls[TLS_SLOT_BIONIC_PREINIT] = &args; 108 109 __init_alternate_signal_stack(&main_thread); 110} 111 112void __libc_init_globals(KernelArgumentBlock& args) { 113 // Initialize libc globals that are needed in both the linker and in libc. 114 // In dynamic binaries, this is run at least twice for different copies of the 115 // globals, once for the linker's copy and once for the one in libc.so. 116 __libc_auxv = args.auxv; 117 __libc_globals.initialize(); 118 __libc_globals.mutate([&args](libc_globals* globals) { 119 __libc_init_vdso(globals, args); 120 __libc_init_setjmp_cookie(globals, args); 121 }); 122} 123 124void __libc_init_common(KernelArgumentBlock& args) { 125 // Initialize various globals. 126 environ = args.envp; 127 errno = 0; 128 __progname = args.argv[0] ? args.argv[0] : "<unknown>"; 129 __abort_message_ptr = args.abort_message_ptr; 130 131 // AT_RANDOM is a pointer to 16 bytes of randomness on the stack. 132 __stack_chk_guard = *reinterpret_cast<uintptr_t*>(getauxval(AT_RANDOM)); 133 134 // Get the main thread from TLS and add it to the thread list. 135 pthread_internal_t* main_thread = __get_thread(); 136 __pthread_internal_add(main_thread); 137 138 __system_properties_init(); // Requires 'environ'. 139} 140 141__noreturn static void __early_abort(int line) { 142 // We can't write to stdout or stderr because we're aborting before we've checked that 143 // it's safe for us to use those file descriptors. We probably can't strace either, so 144 // we rely on the fact that if we dereference a low address, either debuggerd or the 145 // kernel's crash dump will show the fault address. 146 *reinterpret_cast<int*>(line) = 0; 147 _exit(EXIT_FAILURE); 148} 149 150// Force any of the closed stdin, stdout and stderr to be associated with /dev/null. 151static void __nullify_closed_stdio() { 152 int dev_null = TEMP_FAILURE_RETRY(open("/dev/null", O_RDWR)); 153 if (dev_null == -1) { 154 // init won't have /dev/null available, but SELinux provides an equivalent. 155 dev_null = TEMP_FAILURE_RETRY(open("/sys/fs/selinux/null", O_RDWR)); 156 } 157 if (dev_null == -1) { 158 __early_abort(__LINE__); 159 } 160 161 // If any of the stdio file descriptors is valid and not associated 162 // with /dev/null, dup /dev/null to it. 163 for (int i = 0; i < 3; i++) { 164 // If it is /dev/null already, we are done. 165 if (i == dev_null) { 166 continue; 167 } 168 169 // Is this fd already open? 170 int status = TEMP_FAILURE_RETRY(fcntl(i, F_GETFL)); 171 if (status != -1) { 172 continue; 173 } 174 175 // The only error we allow is that the file descriptor does not 176 // exist, in which case we dup /dev/null to it. 177 if (errno == EBADF) { 178 // Try dupping /dev/null to this stdio file descriptor and 179 // repeat if there is a signal. Note that any errors in closing 180 // the stdio descriptor are lost. 181 status = TEMP_FAILURE_RETRY(dup2(dev_null, i)); 182 if (status == -1) { 183 __early_abort(__LINE__); 184 } 185 } else { 186 __early_abort(__LINE__); 187 } 188 } 189 190 // If /dev/null is not one of the stdio file descriptors, close it. 191 if (dev_null > 2) { 192 if (close(dev_null) == -1) { 193 __early_abort(__LINE__); 194 } 195 } 196} 197 198// Check if the environment variable definition at 'envstr' 199// starts with '<name>=', and if so return the address of the 200// first character after the equal sign. Otherwise return null. 201static const char* env_match(const char* envstr, const char* name) { 202 size_t i = 0; 203 204 while (envstr[i] == name[i] && name[i] != '\0') { 205 ++i; 206 } 207 208 if (name[i] == '\0' && envstr[i] == '=') { 209 return envstr + i + 1; 210 } 211 212 return nullptr; 213} 214 215static bool __is_valid_environment_variable(const char* name) { 216 // According to the kernel source, by default the kernel uses 32*PAGE_SIZE 217 // as the maximum size for an environment variable definition. 218 const int MAX_ENV_LEN = 32*4096; 219 220 if (name == nullptr) { 221 return false; 222 } 223 224 // Parse the string, looking for the first '=' there, and its size. 225 int pos = 0; 226 int first_equal_pos = -1; 227 while (pos < MAX_ENV_LEN) { 228 if (name[pos] == '\0') { 229 break; 230 } 231 if (name[pos] == '=' && first_equal_pos < 0) { 232 first_equal_pos = pos; 233 } 234 pos++; 235 } 236 237 // Check that it's smaller than MAX_ENV_LEN (to detect non-zero terminated strings). 238 if (pos >= MAX_ENV_LEN) { 239 return false; 240 } 241 242 // Check that it contains at least one equal sign that is not the first character 243 if (first_equal_pos < 1) { 244 return false; 245 } 246 247 return true; 248} 249 250static bool __is_unsafe_environment_variable(const char* name) { 251 // None of these should be allowed when the AT_SECURE auxv 252 // flag is set. This flag is set to inform userspace that a 253 // security transition has occurred, for example, as a result 254 // of executing a setuid program or the result of an SELinux 255 // security transition. 256 static constexpr const char* UNSAFE_VARIABLE_NAMES[] = { 257 "GCONV_PATH", 258 "GETCONF_DIR", 259 "HOSTALIASES", 260 "JE_MALLOC_CONF", 261 "LD_AOUT_LIBRARY_PATH", 262 "LD_AOUT_PRELOAD", 263 "LD_AUDIT", 264 "LD_DEBUG", 265 "LD_DEBUG_OUTPUT", 266 "LD_DYNAMIC_WEAK", 267 "LD_LIBRARY_PATH", 268 "LD_ORIGIN_PATH", 269 "LD_PRELOAD", 270 "LD_PROFILE", 271 "LD_SHOW_AUXV", 272 "LD_USE_LOAD_BIAS", 273 "LOCALDOMAIN", 274 "LOCPATH", 275 "MALLOC_CHECK_", 276 "MALLOC_CONF", 277 "MALLOC_TRACE", 278 "NIS_PATH", 279 "NLSPATH", 280 "RESOLV_HOST_CONF", 281 "RES_OPTIONS", 282 "TMPDIR", 283 "TZDIR", 284 }; 285 for (const auto& unsafe_variable_name : UNSAFE_VARIABLE_NAMES) { 286 if (env_match(name, unsafe_variable_name) != nullptr) { 287 return true; 288 } 289 } 290 return false; 291} 292 293static void __sanitize_environment_variables(char** env) { 294 bool is_AT_SECURE = getauxval(AT_SECURE); 295 char** src = env; 296 char** dst = env; 297 for (; src[0] != nullptr; ++src) { 298 if (!__is_valid_environment_variable(src[0])) { 299 continue; 300 } 301 // Remove various unsafe environment variables if we're loading a setuid program. 302 if (is_AT_SECURE && __is_unsafe_environment_variable(src[0])) { 303 continue; 304 } 305 dst[0] = src[0]; 306 ++dst; 307 } 308 dst[0] = nullptr; 309} 310 311static void __initialize_personality() { 312#if !defined(__LP64__) 313 int old_value = personality(0xffffffff); 314 if (old_value == -1) { 315 __libc_fatal("error getting old personality value: %s", strerror(errno)); 316 } 317 318 if (personality((static_cast<unsigned int>(old_value) & ~PER_MASK) | PER_LINUX32) == -1) { 319 __libc_fatal("error setting PER_LINUX32 personality: %s", strerror(errno)); 320 } 321#endif 322} 323 324void __libc_init_AT_SECURE(KernelArgumentBlock& args) { 325 __libc_auxv = args.auxv; 326 327 // Check that the kernel provided a value for AT_SECURE. 328 bool found_AT_SECURE = false; 329 for (ElfW(auxv_t)* v = __libc_auxv; v->a_type != AT_NULL; ++v) { 330 if (v->a_type == AT_SECURE) { 331 found_AT_SECURE = true; 332 break; 333 } 334 } 335 if (!found_AT_SECURE) __early_abort(__LINE__); 336 337 if (getauxval(AT_SECURE)) { 338 // If this is a setuid/setgid program, close the security hole described in 339 // https://www.freebsd.org/security/advisories/FreeBSD-SA-02:23.stdio.asc 340 __nullify_closed_stdio(); 341 342 __sanitize_environment_variables(args.envp); 343 } 344 345 // Now the environment has been sanitized, make it available. 346 environ = args.envp; 347 348 __initialize_personality(); 349} 350 351/* This function will be called during normal program termination 352 * to run the destructors that are listed in the .fini_array section 353 * of the executable, if any. 354 * 355 * 'fini_array' points to a list of function addresses. The first 356 * entry in the list has value -1, the last one has value 0. 357 */ 358void __libc_fini(void* array) { 359 typedef void (*Dtor)(); 360 Dtor* fini_array = reinterpret_cast<Dtor*>(array); 361 const Dtor minus1 = reinterpret_cast<Dtor>(static_cast<uintptr_t>(-1)); 362 363 // Sanity check - first entry must be -1. 364 if (array == NULL || fini_array[0] != minus1) { 365 return; 366 } 367 368 // Skip over it. 369 fini_array += 1; 370 371 // Count the number of destructors. 372 int count = 0; 373 while (fini_array[count] != NULL) { 374 ++count; 375 } 376 377 // Now call each destructor in reverse order. 378 while (count > 0) { 379 Dtor dtor = fini_array[--count]; 380 381 // Sanity check, any -1 in the list is ignored. 382 if (dtor == minus1) { 383 continue; 384 } 385 386 dtor(); 387 } 388 389#ifndef LIBC_STATIC 390 { 391 extern void __libc_postfini(void) __attribute__((weak)); 392 if (__libc_postfini) { 393 __libc_postfini(); 394 } 395 } 396#endif 397} 398