libc_init_common.cpp revision c8bae05f3ff9f1c736f7be70fa17d02795d748bb 
1/*
2 * Copyright (C) 2008 The Android Open Source Project
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *  * Redistributions of source code must retain the above copyright
9 *    notice, this list of conditions and the following disclaimer.
10 *  * Redistributions in binary form must reproduce the above copyright
11 *    notice, this list of conditions and the following disclaimer in
12 *    the documentation and/or other materials provided with the
13 *    distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
16 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
18 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
19 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
22 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
25 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29#include "libc_init_common.h"
30
31#include <elf.h>
32#include <errno.h>
33#include <fcntl.h>
34#include <stddef.h>
35#include <stdint.h>
36#include <stdio.h>
37#include <stdlib.h>
38#include <string.h>
39#include <sys/auxv.h>
40#include <sys/personality.h>
41#include <sys/time.h>
42#include <unistd.h>
43
44#include "private/bionic_auxv.h"
45#include "private/bionic_globals.h"
46#include "private/bionic_ssp.h"
47#include "private/bionic_tls.h"
48#include "private/KernelArgumentBlock.h"
49#include "private/libc_logging.h"
50#include "private/WriteProtected.h"
51#include "pthread_internal.h"
52
53extern "C" abort_msg_t** __abort_message_ptr;
54extern "C" int __system_properties_init(void);
55extern "C" int __set_tls(void* ptr);
56extern "C" int __set_tid_address(int* tid_address);
57extern "C" int __sinit(void);
58
59__LIBC_HIDDEN__ WriteProtected<libc_globals> __libc_globals;
60
61// Not public, but well-known in the BSDs.
62const char* __progname;
63
64// Declared in <unistd.h>.
65char** environ;
66
67// Declared in "private/bionic_ssp.h".
68uintptr_t __stack_chk_guard = 0;
69
70// Setup for the main thread. For dynamic executables, this is called by the
71// linker _before_ libc is mapped in memory. This means that all writes to
72// globals from this function will apply to linker-private copies and will not
73// be visible from libc later on.
74//
75// Note: this function creates a pthread_internal_t for the initial thread and
76// stores the pointer in TLS, but does not add it to pthread's thread list. This
77// has to be done later from libc itself (see __libc_init_common).
78void __libc_init_main_thread(KernelArgumentBlock& args) {
79  __libc_auxv = args.auxv;
80
81  static pthread_internal_t main_thread;
82
83  // Tell the kernel to clear our tid field when we exit, so we're like any other pthread.
84  // As a side-effect, this tells us our pid (which is the same as the main thread's tid).
85  main_thread.tid = __set_tid_address(&main_thread.tid);
86  main_thread.set_cached_pid(main_thread.tid);
87
88  // We don't want to free the main thread's stack even when the main thread exits
89  // because things like environment variables with global scope live on it.
90  // We also can't free the pthread_internal_t itself, since that lives on the main
91  // thread's stack rather than on the heap.
92  // The main thread has no mmap allocated space for stack or pthread_internal_t.
93  main_thread.mmap_size = 0;
94  pthread_attr_init(&main_thread.attr);
95  main_thread.attr.guard_size = 0; // The main thread has no guard page.
96  main_thread.attr.stack_size = 0; // User code should never see this; we'll compute it when asked.
97  // TODO: the main thread's sched_policy and sched_priority need to be queried.
98
99  __init_thread(&main_thread);
100  __init_tls(&main_thread);
101  __set_tls(main_thread.tls);
102
103  // Store a pointer to the kernel argument block in a TLS slot to be
104  // picked up by the libc constructor.
105  main_thread.tls[TLS_SLOT_BIONIC_PREINIT] = &args;
106
107  __init_alternate_signal_stack(&main_thread);
108}
109
110void __libc_init_globals(KernelArgumentBlock& args) {
111  // Initialize libc globals that are needed in both the linker and in libc.
112  // In dynamic binaries, this is run at least twice for different copies of the
113  // globals, once for the linker's copy and once for the one in libc.so.
114  __libc_auxv = args.auxv;
115  __libc_globals.initialize();
116  __libc_globals.mutate([&args](libc_globals* globals) {
117    __libc_init_vdso(globals, args);
118    __libc_init_setjmp_cookie(globals, args);
119  });
120}
121
122void __libc_init_common(KernelArgumentBlock& args) {
123  // Initialize various globals.
124  environ = args.envp;
125  errno = 0;
126  __progname = args.argv[0] ? args.argv[0] : "<unknown>";
127  __abort_message_ptr = args.abort_message_ptr;
128
129  // AT_RANDOM is a pointer to 16 bytes of randomness on the stack.
130  __stack_chk_guard = *reinterpret_cast<uintptr_t*>(getauxval(AT_RANDOM));
131
132  // Get the main thread from TLS and add it to the thread list.
133  pthread_internal_t* main_thread = __get_thread();
134  __pthread_internal_add(main_thread);
135
136  __system_properties_init(); // Requires 'environ'.
137  // Initialize stdio here to get rid of data races caused by lazy initialization.
138  // TODO: Remove other calls to __sinit().
139  __sinit();
140}
141
142__noreturn static void __early_abort(int line) {
143  // We can't write to stdout or stderr because we're aborting before we've checked that
144  // it's safe for us to use those file descriptors. We probably can't strace either, so
145  // we rely on the fact that if we dereference a low address, either debuggerd or the
146  // kernel's crash dump will show the fault address.
147  *reinterpret_cast<int*>(line) = 0;
148  _exit(EXIT_FAILURE);
149}
150
151// Force any of the closed stdin, stdout and stderr to be associated with /dev/null.
152static void __nullify_closed_stdio() {
153  int dev_null = TEMP_FAILURE_RETRY(open("/dev/null", O_RDWR));
154  if (dev_null == -1) {
155    // init won't have /dev/null available, but SELinux provides an equivalent.
156    dev_null = TEMP_FAILURE_RETRY(open("/sys/fs/selinux/null", O_RDWR));
157  }
158  if (dev_null == -1) {
159    __early_abort(__LINE__);
160  }
161
162  // If any of the stdio file descriptors is valid and not associated
163  // with /dev/null, dup /dev/null to it.
164  for (int i = 0; i < 3; i++) {
165    // If it is /dev/null already, we are done.
166    if (i == dev_null) {
167      continue;
168    }
169
170    // Is this fd already open?
171    int status = TEMP_FAILURE_RETRY(fcntl(i, F_GETFL));
172    if (status != -1) {
173      continue;
174    }
175
176    // The only error we allow is that the file descriptor does not
177    // exist, in which case we dup /dev/null to it.
178    if (errno == EBADF) {
179      // Try dupping /dev/null to this stdio file descriptor and
180      // repeat if there is a signal. Note that any errors in closing
181      // the stdio descriptor are lost.
182      status = TEMP_FAILURE_RETRY(dup2(dev_null, i));
183      if (status == -1) {
184        __early_abort(__LINE__);
185      }
186    } else {
187      __early_abort(__LINE__);
188    }
189  }
190
191  // If /dev/null is not one of the stdio file descriptors, close it.
192  if (dev_null > 2) {
193    if (close(dev_null) == -1) {
194      __early_abort(__LINE__);
195    }
196  }
197}
198
199// Check if the environment variable definition at 'envstr'
200// starts with '<name>=', and if so return the address of the
201// first character after the equal sign. Otherwise return null.
202static const char* env_match(const char* envstr, const char* name) {
203  size_t i = 0;
204
205  while (envstr[i] == name[i] && name[i] != '\0') {
206    ++i;
207  }
208
209  if (name[i] == '\0' && envstr[i] == '=') {
210    return envstr + i + 1;
211  }
212
213  return nullptr;
214}
215
216static bool __is_valid_environment_variable(const char* name) {
217  // According to the kernel source, by default the kernel uses 32*PAGE_SIZE
218  // as the maximum size for an environment variable definition.
219  const int MAX_ENV_LEN = 32*4096;
220
221  if (name == nullptr) {
222    return false;
223  }
224
225  // Parse the string, looking for the first '=' there, and its size.
226  int pos = 0;
227  int first_equal_pos = -1;
228  while (pos < MAX_ENV_LEN) {
229    if (name[pos] == '\0') {
230      break;
231    }
232    if (name[pos] == '=' && first_equal_pos < 0) {
233      first_equal_pos = pos;
234    }
235    pos++;
236  }
237
238  // Check that it's smaller than MAX_ENV_LEN (to detect non-zero terminated strings).
239  if (pos >= MAX_ENV_LEN) {
240    return false;
241  }
242
243  // Check that it contains at least one equal sign that is not the first character
244  if (first_equal_pos < 1) {
245    return false;
246  }
247
248  return true;
249}
250
251static bool __is_unsafe_environment_variable(const char* name) {
252  // None of these should be allowed when the AT_SECURE auxv
253  // flag is set. This flag is set to inform userspace that a
254  // security transition has occurred, for example, as a result
255  // of executing a setuid program or the result of an SELinux
256  // security transition.
257  static constexpr const char* UNSAFE_VARIABLE_NAMES[] = {
258    "GCONV_PATH",
259    "GETCONF_DIR",
260    "HOSTALIASES",
261    "JE_MALLOC_CONF",
262    "LD_AOUT_LIBRARY_PATH",
263    "LD_AOUT_PRELOAD",
264    "LD_AUDIT",
265    "LD_DEBUG",
266    "LD_DEBUG_OUTPUT",
267    "LD_DYNAMIC_WEAK",
268    "LD_LIBRARY_PATH",
269    "LD_ORIGIN_PATH",
270    "LD_PRELOAD",
271    "LD_PROFILE",
272    "LD_SHOW_AUXV",
273    "LD_USE_LOAD_BIAS",
274    "LOCALDOMAIN",
275    "LOCPATH",
276    "MALLOC_CHECK_",
277    "MALLOC_CONF",
278    "MALLOC_TRACE",
279    "NIS_PATH",
280    "NLSPATH",
281    "RESOLV_HOST_CONF",
282    "RES_OPTIONS",
283    "TMPDIR",
284    "TZDIR",
285  };
286  for (const auto& unsafe_variable_name : UNSAFE_VARIABLE_NAMES) {
287    if (env_match(name, unsafe_variable_name) != nullptr) {
288      return true;
289    }
290  }
291  return false;
292}
293
294static void __sanitize_environment_variables(char** env) {
295  bool is_AT_SECURE = getauxval(AT_SECURE);
296  char** src = env;
297  char** dst = env;
298  for (; src[0] != nullptr; ++src) {
299    if (!__is_valid_environment_variable(src[0])) {
300      continue;
301    }
302    // Remove various unsafe environment variables if we're loading a setuid program.
303    if (is_AT_SECURE && __is_unsafe_environment_variable(src[0])) {
304      continue;
305    }
306    dst[0] = src[0];
307    ++dst;
308  }
309  dst[0] = nullptr;
310}
311
312static void __initialize_personality() {
313#if !defined(__LP64__)
314  int old_value = personality(0xffffffff);
315  if (old_value == -1) {
316    __libc_fatal("error getting old personality value: %s", strerror(errno));
317  }
318
319  if (personality((static_cast<unsigned int>(old_value) & ~PER_MASK) | PER_LINUX32) == -1) {
320    __libc_fatal("error setting PER_LINUX32 personality: %s", strerror(errno));
321  }
322#endif
323}
324
325void __libc_init_AT_SECURE(KernelArgumentBlock& args) {
326  __libc_auxv = args.auxv;
327
328  // Check that the kernel provided a value for AT_SECURE.
329  bool found_AT_SECURE = false;
330  for (ElfW(auxv_t)* v = __libc_auxv; v->a_type != AT_NULL; ++v) {
331    if (v->a_type == AT_SECURE) {
332      found_AT_SECURE = true;
333      break;
334    }
335  }
336  if (!found_AT_SECURE) __early_abort(__LINE__);
337
338  if (getauxval(AT_SECURE)) {
339    // If this is a setuid/setgid program, close the security hole described in
340    // ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:23.stdio.asc
341    __nullify_closed_stdio();
342
343    __sanitize_environment_variables(args.envp);
344  }
345
346  // Now the environment has been sanitized, make it available.
347  environ = args.envp;
348
349  __initialize_personality();
350}
351
352/* This function will be called during normal program termination
353 * to run the destructors that are listed in the .fini_array section
354 * of the executable, if any.
355 *
356 * 'fini_array' points to a list of function addresses. The first
357 * entry in the list has value -1, the last one has value 0.
358 */
359void __libc_fini(void* array) {
360  typedef void (*Dtor)();
361  Dtor* fini_array = reinterpret_cast<Dtor*>(array);
362  const Dtor minus1 = reinterpret_cast<Dtor>(static_cast<uintptr_t>(-1));
363
364  // Sanity check - first entry must be -1.
365  if (array == NULL || fini_array[0] != minus1) {
366    return;
367  }
368
369  // Skip over it.
370  fini_array += 1;
371
372  // Count the number of destructors.
373  int count = 0;
374  while (fini_array[count] != NULL) {
375    ++count;
376  }
377
378  // Now call each destructor in reverse order.
379  while (count > 0) {
380    Dtor dtor = fini_array[--count];
381
382    // Sanity check, any -1 in the list is ignored.
383    if (dtor == minus1) {
384      continue;
385    }
386
387    dtor();
388  }
389
390#ifndef LIBC_STATIC
391  {
392    extern void __libc_postfini(void) __attribute__((weak));
393    if (__libc_postfini) {
394      __libc_postfini();
395    }
396  }
397#endif
398}
399