1/* 2 * Copyright (C) 2008 The Android Open Source Project 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * * Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * * Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in 12 * the documentation and/or other materials provided with the 13 * distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 16 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 18 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 19 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS 22 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT 25 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29#include "libc_init_common.h" 30 31#include <elf.h> 32#include <errno.h> 33#include <fcntl.h> 34#include <stddef.h> 35#include <stdint.h> 36#include <stdio.h> 37#include <stdlib.h> 38#include <string.h> 39#include <sys/auxv.h> 40#include <sys/personality.h> 41#include <sys/time.h> 42#include <unistd.h> 43 44#include <async_safe/log.h> 45 46#include "private/KernelArgumentBlock.h" 47#include "private/WriteProtected.h" 48#include "private/bionic_auxv.h" 49#include "private/bionic_defs.h" 50#include "private/bionic_globals.h" 51#include "private/bionic_tls.h" 52#include "private/thread_private.h" 53#include "pthread_internal.h" 54 55extern "C" abort_msg_t** __abort_message_ptr; 56extern "C" int __system_properties_init(void); 57 58__LIBC_HIDDEN__ WriteProtected<libc_globals> __libc_globals; 59 60// Not public, but well-known in the BSDs. 61const char* __progname; 62 63#if defined(__i386__) 64__attribute__((__naked__)) static void __libc_int0x80() { 65 __asm__ volatile("int $0x80; ret"); 66} 67 68__LIBC_HIDDEN__ void* __libc_sysinfo = reinterpret_cast<void*>(__libc_int0x80); 69 70__LIBC_HIDDEN__ void __libc_init_sysinfo(KernelArgumentBlock& args) { 71 // Running under valgrind, AT_SYSINFO won't be set. 72 void* at_sysinfo = reinterpret_cast<void*>(args.getauxval(AT_SYSINFO)); 73 if (at_sysinfo != nullptr) __libc_sysinfo = at_sysinfo; 74} 75 76// TODO: lose this function and just access __libc_sysinfo directly. 77__LIBC_HIDDEN__ extern "C" void* __kernel_syscall() { 78 return __libc_sysinfo; 79} 80#endif 81 82void __libc_init_globals(KernelArgumentBlock& args) { 83#if defined(__i386__) 84 __libc_init_sysinfo(args); 85#endif 86 // Initialize libc globals that are needed in both the linker and in libc. 87 // In dynamic binaries, this is run at least twice for different copies of the 88 // globals, once for the linker's copy and once for the one in libc.so. 89 __libc_auxv = args.auxv; 90 __libc_globals.initialize(); 91 __libc_globals.mutate([&args](libc_globals* globals) { 92 __libc_init_vdso(globals, args); 93 __libc_init_setjmp_cookie(globals, args); 94 }); 95} 96 97#if !defined(__LP64__) 98static void __check_max_thread_id() { 99 if (gettid() > 65535) { 100 async_safe_fatal("Limited by the size of pthread_mutex_t, 32 bit bionic libc only accepts " 101 "pid <= 65535, but current pid is %d", gettid()); 102 } 103} 104#endif 105 106static void arc4random_fork_handler() { 107 _rs_forked = 1; 108 _thread_arc4_lock(); 109} 110 111__BIONIC_WEAK_FOR_NATIVE_BRIDGE 112void __libc_add_main_thread() { 113 // Get the main thread from TLS and add it to the thread list. 114 pthread_internal_t* main_thread = __get_thread(); 115 __pthread_internal_add(main_thread); 116} 117 118void __libc_init_common(KernelArgumentBlock& args) { 119 // Initialize various globals. 120 environ = args.envp; 121 errno = 0; 122 __progname = args.argv[0] ? args.argv[0] : "<unknown>"; 123 __abort_message_ptr = args.abort_message_ptr; 124 125#if !defined(__LP64__) 126 __check_max_thread_id(); 127#endif 128 129 __libc_add_main_thread(); 130 131 // Register atfork handlers to take and release the arc4random lock. 132 pthread_atfork(arc4random_fork_handler, _thread_arc4_unlock, _thread_arc4_unlock); 133 134 __system_properties_init(); // Requires 'environ'. 135} 136 137__noreturn static void __early_abort(int line) { 138 // We can't write to stdout or stderr because we're aborting before we've checked that 139 // it's safe for us to use those file descriptors. We probably can't strace either, so 140 // we rely on the fact that if we dereference a low address, either debuggerd or the 141 // kernel's crash dump will show the fault address. 142 *reinterpret_cast<int*>(line) = 0; 143 _exit(EXIT_FAILURE); 144} 145 146// Force any of the closed stdin, stdout and stderr to be associated with /dev/null. 147static void __nullify_closed_stdio() { 148 int dev_null = TEMP_FAILURE_RETRY(open("/dev/null", O_RDWR)); 149 if (dev_null == -1) { 150 // init won't have /dev/null available, but SELinux provides an equivalent. 151 dev_null = TEMP_FAILURE_RETRY(open("/sys/fs/selinux/null", O_RDWR)); 152 } 153 if (dev_null == -1) { 154 __early_abort(__LINE__); 155 } 156 157 // If any of the stdio file descriptors is valid and not associated 158 // with /dev/null, dup /dev/null to it. 159 for (int i = 0; i < 3; i++) { 160 // If it is /dev/null already, we are done. 161 if (i == dev_null) { 162 continue; 163 } 164 165 // Is this fd already open? 166 int status = TEMP_FAILURE_RETRY(fcntl(i, F_GETFL)); 167 if (status != -1) { 168 continue; 169 } 170 171 // The only error we allow is that the file descriptor does not 172 // exist, in which case we dup /dev/null to it. 173 if (errno == EBADF) { 174 // Try dupping /dev/null to this stdio file descriptor and 175 // repeat if there is a signal. Note that any errors in closing 176 // the stdio descriptor are lost. 177 status = TEMP_FAILURE_RETRY(dup2(dev_null, i)); 178 if (status == -1) { 179 __early_abort(__LINE__); 180 } 181 } else { 182 __early_abort(__LINE__); 183 } 184 } 185 186 // If /dev/null is not one of the stdio file descriptors, close it. 187 if (dev_null > 2) { 188 if (close(dev_null) == -1) { 189 __early_abort(__LINE__); 190 } 191 } 192} 193 194// Check if the environment variable definition at 'envstr' 195// starts with '<name>=', and if so return the address of the 196// first character after the equal sign. Otherwise return null. 197static const char* env_match(const char* envstr, const char* name) { 198 size_t i = 0; 199 200 while (envstr[i] == name[i] && name[i] != '\0') { 201 ++i; 202 } 203 204 if (name[i] == '\0' && envstr[i] == '=') { 205 return envstr + i + 1; 206 } 207 208 return nullptr; 209} 210 211static bool __is_valid_environment_variable(const char* name) { 212 // According to the kernel source, by default the kernel uses 32*PAGE_SIZE 213 // as the maximum size for an environment variable definition. 214 const int MAX_ENV_LEN = 32*4096; 215 216 if (name == nullptr) { 217 return false; 218 } 219 220 // Parse the string, looking for the first '=' there, and its size. 221 int pos = 0; 222 int first_equal_pos = -1; 223 while (pos < MAX_ENV_LEN) { 224 if (name[pos] == '\0') { 225 break; 226 } 227 if (name[pos] == '=' && first_equal_pos < 0) { 228 first_equal_pos = pos; 229 } 230 pos++; 231 } 232 233 // Check that it's smaller than MAX_ENV_LEN (to detect non-zero terminated strings). 234 if (pos >= MAX_ENV_LEN) { 235 return false; 236 } 237 238 // Check that it contains at least one equal sign that is not the first character 239 if (first_equal_pos < 1) { 240 return false; 241 } 242 243 return true; 244} 245 246static bool __is_unsafe_environment_variable(const char* name) { 247 // None of these should be allowed when the AT_SECURE auxv 248 // flag is set. This flag is set to inform userspace that a 249 // security transition has occurred, for example, as a result 250 // of executing a setuid program or the result of an SELinux 251 // security transition. 252 static constexpr const char* UNSAFE_VARIABLE_NAMES[] = { 253 "ANDROID_DNS_MODE", 254 "GCONV_PATH", 255 "GETCONF_DIR", 256 "HOSTALIASES", 257 "JE_MALLOC_CONF", 258 "LD_AOUT_LIBRARY_PATH", 259 "LD_AOUT_PRELOAD", 260 "LD_AUDIT", 261 "LD_DEBUG", 262 "LD_DEBUG_OUTPUT", 263 "LD_DYNAMIC_WEAK", 264 "LD_LIBRARY_PATH", 265 "LD_ORIGIN_PATH", 266 "LD_PRELOAD", 267 "LD_PROFILE", 268 "LD_SHOW_AUXV", 269 "LD_USE_LOAD_BIAS", 270 "LIBC_DEBUG_MALLOC_OPTIONS", 271 "LOCALDOMAIN", 272 "LOCPATH", 273 "MALLOC_CHECK_", 274 "MALLOC_CONF", 275 "MALLOC_TRACE", 276 "NIS_PATH", 277 "NLSPATH", 278 "RESOLV_HOST_CONF", 279 "RES_OPTIONS", 280 "TMPDIR", 281 "TZDIR", 282 }; 283 for (const auto& unsafe_variable_name : UNSAFE_VARIABLE_NAMES) { 284 if (env_match(name, unsafe_variable_name) != nullptr) { 285 return true; 286 } 287 } 288 return false; 289} 290 291static void __sanitize_environment_variables(char** env) { 292 bool is_AT_SECURE = getauxval(AT_SECURE); 293 char** src = env; 294 char** dst = env; 295 for (; src[0] != nullptr; ++src) { 296 if (!__is_valid_environment_variable(src[0])) { 297 continue; 298 } 299 // Remove various unsafe environment variables if we're loading a setuid program. 300 if (is_AT_SECURE && __is_unsafe_environment_variable(src[0])) { 301 continue; 302 } 303 dst[0] = src[0]; 304 ++dst; 305 } 306 dst[0] = nullptr; 307} 308 309static void __initialize_personality() { 310#if !defined(__LP64__) 311 int old_value = personality(0xffffffff); 312 if (old_value == -1) { 313 async_safe_fatal("error getting old personality value: %s", strerror(errno)); 314 } 315 316 if (personality((static_cast<unsigned int>(old_value) & ~PER_MASK) | PER_LINUX32) == -1) { 317 async_safe_fatal("error setting PER_LINUX32 personality: %s", strerror(errno)); 318 } 319#endif 320} 321 322void __libc_init_AT_SECURE(KernelArgumentBlock& args) { 323 __libc_auxv = args.auxv; 324 __abort_message_ptr = args.abort_message_ptr; 325 326 // Check that the kernel provided a value for AT_SECURE. 327 bool found_AT_SECURE = false; 328 for (ElfW(auxv_t)* v = __libc_auxv; v->a_type != AT_NULL; ++v) { 329 if (v->a_type == AT_SECURE) { 330 found_AT_SECURE = true; 331 break; 332 } 333 } 334 if (!found_AT_SECURE) __early_abort(__LINE__); 335 336 if (getauxval(AT_SECURE)) { 337 // If this is a setuid/setgid program, close the security hole described in 338 // https://www.freebsd.org/security/advisories/FreeBSD-SA-02:23.stdio.asc 339 __nullify_closed_stdio(); 340 341 __sanitize_environment_variables(args.envp); 342 } 343 344 // Now the environment has been sanitized, make it available. 345 environ = args.envp; 346 347 __initialize_personality(); 348} 349 350/* This function will be called during normal program termination 351 * to run the destructors that are listed in the .fini_array section 352 * of the executable, if any. 353 * 354 * 'fini_array' points to a list of function addresses. The first 355 * entry in the list has value -1, the last one has value 0. 356 */ 357void __libc_fini(void* array) { 358 typedef void (*Dtor)(); 359 Dtor* fini_array = reinterpret_cast<Dtor*>(array); 360 const Dtor minus1 = reinterpret_cast<Dtor>(static_cast<uintptr_t>(-1)); 361 362 // Sanity check - first entry must be -1. 363 if (array == NULL || fini_array[0] != minus1) { 364 return; 365 } 366 367 // Skip over it. 368 fini_array += 1; 369 370 // Count the number of destructors. 371 int count = 0; 372 while (fini_array[count] != NULL) { 373 ++count; 374 } 375 376 // Now call each destructor in reverse order. 377 while (count > 0) { 378 Dtor dtor = fini_array[--count]; 379 380 // Sanity check, any -1 in the list is ignored. 381 if (dtor == minus1) { 382 continue; 383 } 384 385 dtor(); 386 } 387} 388