1/*
2 * Copyright (C) 2008 The Android Open Source Project
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *  * Redistributions of source code must retain the above copyright
9 *    notice, this list of conditions and the following disclaimer.
10 *  * Redistributions in binary form must reproduce the above copyright
11 *    notice, this list of conditions and the following disclaimer in
12 *    the documentation and/or other materials provided with the
13 *    distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
16 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
18 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
19 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
22 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
25 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29#include "libc_init_common.h"
30
31#include <elf.h>
32#include <errno.h>
33#include <fcntl.h>
34#include <stddef.h>
35#include <stdint.h>
36#include <stdio.h>
37#include <stdlib.h>
38#include <string.h>
39#include <sys/auxv.h>
40#include <sys/personality.h>
41#include <sys/time.h>
42#include <unistd.h>
43
44#include <async_safe/log.h>
45
46#include "private/KernelArgumentBlock.h"
47#include "private/WriteProtected.h"
48#include "private/bionic_auxv.h"
49#include "private/bionic_defs.h"
50#include "private/bionic_globals.h"
51#include "private/bionic_tls.h"
52#include "private/thread_private.h"
53#include "pthread_internal.h"
54
55extern "C" abort_msg_t** __abort_message_ptr;
56extern "C" int __system_properties_init(void);
57
58__LIBC_HIDDEN__ WriteProtected<libc_globals> __libc_globals;
59
60// Not public, but well-known in the BSDs.
61const char* __progname;
62
63#if defined(__i386__)
64__attribute__((__naked__)) static void __libc_int0x80() {
65  __asm__ volatile("int $0x80; ret");
66}
67
68__LIBC_HIDDEN__ void* __libc_sysinfo = reinterpret_cast<void*>(__libc_int0x80);
69
70__LIBC_HIDDEN__ void __libc_init_sysinfo(KernelArgumentBlock& args) {
71  // Running under valgrind, AT_SYSINFO won't be set.
72  void* at_sysinfo = reinterpret_cast<void*>(args.getauxval(AT_SYSINFO));
73  if (at_sysinfo != nullptr) __libc_sysinfo = at_sysinfo;
74}
75
76// TODO: lose this function and just access __libc_sysinfo directly.
77__LIBC_HIDDEN__ extern "C" void* __kernel_syscall() {
78  return __libc_sysinfo;
79}
80#endif
81
82void __libc_init_globals(KernelArgumentBlock& args) {
83#if defined(__i386__)
84  __libc_init_sysinfo(args);
85#endif
86  // Initialize libc globals that are needed in both the linker and in libc.
87  // In dynamic binaries, this is run at least twice for different copies of the
88  // globals, once for the linker's copy and once for the one in libc.so.
89  __libc_auxv = args.auxv;
90  __libc_globals.initialize();
91  __libc_globals.mutate([&args](libc_globals* globals) {
92    __libc_init_vdso(globals, args);
93    __libc_init_setjmp_cookie(globals, args);
94  });
95}
96
97#if !defined(__LP64__)
98static void __check_max_thread_id() {
99  if (gettid() > 65535) {
100    async_safe_fatal("Limited by the size of pthread_mutex_t, 32 bit bionic libc only accepts "
101                     "pid <= 65535, but current pid is %d", gettid());
102  }
103}
104#endif
105
106static void arc4random_fork_handler() {
107  _rs_forked = 1;
108  _thread_arc4_lock();
109}
110
111__BIONIC_WEAK_FOR_NATIVE_BRIDGE
112void __libc_add_main_thread() {
113  // Get the main thread from TLS and add it to the thread list.
114  pthread_internal_t* main_thread = __get_thread();
115  __pthread_internal_add(main_thread);
116}
117
118void __libc_init_common(KernelArgumentBlock& args) {
119  // Initialize various globals.
120  environ = args.envp;
121  errno = 0;
122  __progname = args.argv[0] ? args.argv[0] : "<unknown>";
123  __abort_message_ptr = args.abort_message_ptr;
124
125#if !defined(__LP64__)
126  __check_max_thread_id();
127#endif
128
129  __libc_add_main_thread();
130
131  // Register atfork handlers to take and release the arc4random lock.
132  pthread_atfork(arc4random_fork_handler, _thread_arc4_unlock, _thread_arc4_unlock);
133
134  __system_properties_init(); // Requires 'environ'.
135}
136
137__noreturn static void __early_abort(int line) {
138  // We can't write to stdout or stderr because we're aborting before we've checked that
139  // it's safe for us to use those file descriptors. We probably can't strace either, so
140  // we rely on the fact that if we dereference a low address, either debuggerd or the
141  // kernel's crash dump will show the fault address.
142  *reinterpret_cast<int*>(line) = 0;
143  _exit(EXIT_FAILURE);
144}
145
146// Force any of the closed stdin, stdout and stderr to be associated with /dev/null.
147static void __nullify_closed_stdio() {
148  int dev_null = TEMP_FAILURE_RETRY(open("/dev/null", O_RDWR));
149  if (dev_null == -1) {
150    // init won't have /dev/null available, but SELinux provides an equivalent.
151    dev_null = TEMP_FAILURE_RETRY(open("/sys/fs/selinux/null", O_RDWR));
152  }
153  if (dev_null == -1) {
154    __early_abort(__LINE__);
155  }
156
157  // If any of the stdio file descriptors is valid and not associated
158  // with /dev/null, dup /dev/null to it.
159  for (int i = 0; i < 3; i++) {
160    // If it is /dev/null already, we are done.
161    if (i == dev_null) {
162      continue;
163    }
164
165    // Is this fd already open?
166    int status = TEMP_FAILURE_RETRY(fcntl(i, F_GETFL));
167    if (status != -1) {
168      continue;
169    }
170
171    // The only error we allow is that the file descriptor does not
172    // exist, in which case we dup /dev/null to it.
173    if (errno == EBADF) {
174      // Try dupping /dev/null to this stdio file descriptor and
175      // repeat if there is a signal. Note that any errors in closing
176      // the stdio descriptor are lost.
177      status = TEMP_FAILURE_RETRY(dup2(dev_null, i));
178      if (status == -1) {
179        __early_abort(__LINE__);
180      }
181    } else {
182      __early_abort(__LINE__);
183    }
184  }
185
186  // If /dev/null is not one of the stdio file descriptors, close it.
187  if (dev_null > 2) {
188    if (close(dev_null) == -1) {
189      __early_abort(__LINE__);
190    }
191  }
192}
193
194// Check if the environment variable definition at 'envstr'
195// starts with '<name>=', and if so return the address of the
196// first character after the equal sign. Otherwise return null.
197static const char* env_match(const char* envstr, const char* name) {
198  size_t i = 0;
199
200  while (envstr[i] == name[i] && name[i] != '\0') {
201    ++i;
202  }
203
204  if (name[i] == '\0' && envstr[i] == '=') {
205    return envstr + i + 1;
206  }
207
208  return nullptr;
209}
210
211static bool __is_valid_environment_variable(const char* name) {
212  // According to the kernel source, by default the kernel uses 32*PAGE_SIZE
213  // as the maximum size for an environment variable definition.
214  const int MAX_ENV_LEN = 32*4096;
215
216  if (name == nullptr) {
217    return false;
218  }
219
220  // Parse the string, looking for the first '=' there, and its size.
221  int pos = 0;
222  int first_equal_pos = -1;
223  while (pos < MAX_ENV_LEN) {
224    if (name[pos] == '\0') {
225      break;
226    }
227    if (name[pos] == '=' && first_equal_pos < 0) {
228      first_equal_pos = pos;
229    }
230    pos++;
231  }
232
233  // Check that it's smaller than MAX_ENV_LEN (to detect non-zero terminated strings).
234  if (pos >= MAX_ENV_LEN) {
235    return false;
236  }
237
238  // Check that it contains at least one equal sign that is not the first character
239  if (first_equal_pos < 1) {
240    return false;
241  }
242
243  return true;
244}
245
246static bool __is_unsafe_environment_variable(const char* name) {
247  // None of these should be allowed when the AT_SECURE auxv
248  // flag is set. This flag is set to inform userspace that a
249  // security transition has occurred, for example, as a result
250  // of executing a setuid program or the result of an SELinux
251  // security transition.
252  static constexpr const char* UNSAFE_VARIABLE_NAMES[] = {
253    "ANDROID_DNS_MODE",
254    "GCONV_PATH",
255    "GETCONF_DIR",
256    "HOSTALIASES",
257    "JE_MALLOC_CONF",
258    "LD_AOUT_LIBRARY_PATH",
259    "LD_AOUT_PRELOAD",
260    "LD_AUDIT",
261    "LD_DEBUG",
262    "LD_DEBUG_OUTPUT",
263    "LD_DYNAMIC_WEAK",
264    "LD_LIBRARY_PATH",
265    "LD_ORIGIN_PATH",
266    "LD_PRELOAD",
267    "LD_PROFILE",
268    "LD_SHOW_AUXV",
269    "LD_USE_LOAD_BIAS",
270    "LIBC_DEBUG_MALLOC_OPTIONS",
271    "LOCALDOMAIN",
272    "LOCPATH",
273    "MALLOC_CHECK_",
274    "MALLOC_CONF",
275    "MALLOC_TRACE",
276    "NIS_PATH",
277    "NLSPATH",
278    "RESOLV_HOST_CONF",
279    "RES_OPTIONS",
280    "TMPDIR",
281    "TZDIR",
282  };
283  for (const auto& unsafe_variable_name : UNSAFE_VARIABLE_NAMES) {
284    if (env_match(name, unsafe_variable_name) != nullptr) {
285      return true;
286    }
287  }
288  return false;
289}
290
291static void __sanitize_environment_variables(char** env) {
292  bool is_AT_SECURE = getauxval(AT_SECURE);
293  char** src = env;
294  char** dst = env;
295  for (; src[0] != nullptr; ++src) {
296    if (!__is_valid_environment_variable(src[0])) {
297      continue;
298    }
299    // Remove various unsafe environment variables if we're loading a setuid program.
300    if (is_AT_SECURE && __is_unsafe_environment_variable(src[0])) {
301      continue;
302    }
303    dst[0] = src[0];
304    ++dst;
305  }
306  dst[0] = nullptr;
307}
308
309static void __initialize_personality() {
310#if !defined(__LP64__)
311  int old_value = personality(0xffffffff);
312  if (old_value == -1) {
313    async_safe_fatal("error getting old personality value: %s", strerror(errno));
314  }
315
316  if (personality((static_cast<unsigned int>(old_value) & ~PER_MASK) | PER_LINUX32) == -1) {
317    async_safe_fatal("error setting PER_LINUX32 personality: %s", strerror(errno));
318  }
319#endif
320}
321
322void __libc_init_AT_SECURE(KernelArgumentBlock& args) {
323  __libc_auxv = args.auxv;
324  __abort_message_ptr = args.abort_message_ptr;
325
326  // Check that the kernel provided a value for AT_SECURE.
327  bool found_AT_SECURE = false;
328  for (ElfW(auxv_t)* v = __libc_auxv; v->a_type != AT_NULL; ++v) {
329    if (v->a_type == AT_SECURE) {
330      found_AT_SECURE = true;
331      break;
332    }
333  }
334  if (!found_AT_SECURE) __early_abort(__LINE__);
335
336  if (getauxval(AT_SECURE)) {
337    // If this is a setuid/setgid program, close the security hole described in
338    // https://www.freebsd.org/security/advisories/FreeBSD-SA-02:23.stdio.asc
339    __nullify_closed_stdio();
340
341    __sanitize_environment_variables(args.envp);
342  }
343
344  // Now the environment has been sanitized, make it available.
345  environ = args.envp;
346
347  __initialize_personality();
348}
349
350/* This function will be called during normal program termination
351 * to run the destructors that are listed in the .fini_array section
352 * of the executable, if any.
353 *
354 * 'fini_array' points to a list of function addresses. The first
355 * entry in the list has value -1, the last one has value 0.
356 */
357void __libc_fini(void* array) {
358  typedef void (*Dtor)();
359  Dtor* fini_array = reinterpret_cast<Dtor*>(array);
360  const Dtor minus1 = reinterpret_cast<Dtor>(static_cast<uintptr_t>(-1));
361
362  // Sanity check - first entry must be -1.
363  if (array == NULL || fini_array[0] != minus1) {
364    return;
365  }
366
367  // Skip over it.
368  fini_array += 1;
369
370  // Count the number of destructors.
371  int count = 0;
372  while (fini_array[count] != NULL) {
373    ++count;
374  }
375
376  // Now call each destructor in reverse order.
377  while (count > 0) {
378    Dtor dtor = fini_array[--count];
379
380    // Sanity check, any -1 in the list is ignored.
381    if (dtor == minus1) {
382      continue;
383    }
384
385    dtor();
386  }
387}
388