From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-yw1-x112a.google.com (mail-yw1-x112a.google.com [IPv6:2607:f8b0:4864:20::112a]) by sourceware.org (Postfix) with ESMTPS id 0E3033858D3C for ; Mon, 6 Nov 2023 20:25:59 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 0E3033858D3C Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 0E3033858D3C Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::112a ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1699302360; cv=none; b=o9qXBBQAE6mEoOa/Tfjs2ny9a7MXTfYM+Sy0LskPvI1EHkBq86wAZ3qXcu4T11a9bz5f0aYyOONxrBa0ewohtktlqlKLcuSwdikol7FkR65Cf/dOiAMVTogRgkkVuwJFid7yYMBmc6rcdfSrOxOTji5ySvPDjms595+zyvhxuCA= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1699302360; c=relaxed/simple; bh=waF0AIsNGBfUsLoRh9KyEyWVXyZlcYTTBKF94GHvVSw=; h=DKIM-Signature:From:To:Subject:Date:Message-Id:MIME-Version; b=iXuAOVDa3crxdJoRrcUX0IBEdDqKxnU0XX7PMSih0WmVbAN9RKLEy+NtZoK0hw0gerqTrTgvhRZxwcbyBZp9dL5Tb2iWKTsba65vgXe1S6Q8WcD88P1E5ZkcNWLXp8F3NLGfxKbgP8SA+1HW8qE0Wc9zvXnE2ycWVmA2WXTCnl4= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-yw1-x112a.google.com with SMTP id 00721157ae682-5a7b91faf40so57888147b3.1 for ; Mon, 06 Nov 2023 12:25:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1699302357; x=1699907157; darn=sourceware.org; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:from:to:cc:subject:date:message-id:reply-to; bh=kkS70t99HEDbc2kSESq4grvSOSrArTxdqB8FcV9Re8s=; b=LfamsePibuRjT3SmflMkT4vBdy0bB1K/TETi+ZwyRtmP/8sG/6XEu5E0/djXMi9Ypt zrQNDCzENRArw9GpFNBfuc9vKrBqqzeMdHCofPAh7TH61VK9nbdoNQLxMN5eBTcic2A8 7p5u3iitFI8zjJvccD9AHws20OCtKmeEp2/ODwpWzQ+iC8nhQrHsHMlod1elkJXF0Buk 4yqQteEA0g89mkPN6lFdMudyc7beVZL8zTnf7iL2CY/+BP/5+qfwUODn7vFVv88+eUsc UT3Hr/VFXuQlEDmxZCT/zqz0Ag9f5ltJJjDyGdjsdcAzSxQRTgydigJAZtLuK5mod5He LL/Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699302357; x=1699907157; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=kkS70t99HEDbc2kSESq4grvSOSrArTxdqB8FcV9Re8s=; b=aK8F/OyIDpPlJbgJtIJ4ymWHbnXls8ohuOuKxZd23aw9fKhqKC/MsHuxySunw6yMtk g7n1JGoSTwR0JTBcyCuRpikUCWDlbC8HqDHByICBtuPY25hW4H1HGAlMyT/m3yPAKcAc gJdyHY5QnFwMZwPSUYVryFQoNuEKFUwGj4Pj6S46r7IPNma3L0sSY2mrL30+ty0+dQpI NUy9JADGpGLrLMx5XJ2sUAIPTVBIW+uoerWO3sbG0TTx8bzxZKuqzB+wZU2cj9a2aNJ2 dbbXYkdDf6lzkHteCfgL4EKgRg32UHmV72LnCSUipGCB0PBzJcvqIE3RGVHWdVQiHLKz pbrA== X-Gm-Message-State: AOJu0YxvvVNjuxNYojgPxut5N7E7RPTNMdrb7d7soZ2VB2spJ++C6Wi8 mJxeaCAHoadEQZd9cwxmGtwM4pUB5jBbulhzz5ijtg== X-Google-Smtp-Source: AGHT+IF43CO1ekGej6dAvnqm4OKB5c5ZzaPhN3a7EPJMxDrmeKD0t5btWZQbUClI6GcPYjOTPiJQ+g== X-Received: by 2002:a05:690c:387:b0:5a8:1aa2:1ac1 with SMTP id bh7-20020a05690c038700b005a81aa21ac1mr12441583ywb.12.1699302356746; Mon, 06 Nov 2023 12:25:56 -0800 (PST) Received: from mandiga.. ([2804:1b3:a7c0:a715:c1a0:7281:6384:2ee9]) by smtp.gmail.com with ESMTPSA id ci7-20020a05690c0a8700b005a7b8fddfedsm4707154ywb.41.2023.11.06.12.25.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 06 Nov 2023 12:25:56 -0800 (PST) From: Adhemerval Zanella To: libc-alpha@sourceware.org, Siddhesh Poyarekar Subject: [PATCH v3 00/19] Improve loader environment variable handling Date: Mon, 6 Nov 2023 17:25:33 -0300 Message-Id: <20231106202552.3404059-1-adhemerval.zanella@linaro.org> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-6.4 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,TXREP,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org List-Id: The recent CVE-2023-4911 fix [1] and tunable change to SXID_ERASE discussion [2] brought some issues with the current environment handling by the loader. Besides the bugs in tuning parsing, some other questions are: * What should be the security boundaries for tunable and other tuning environment variables? * Should tunables be filtered out or be disabled altogether in setuid binaries [3]? * How should ld.so handle security-sensitive tunable (like malloc options)? * How to handle ill-formatted tunable definition [4]? * Is tunable copy/parsing (through tunable_strdup) required [5]? * Which other environment variables the loader should ignore and/or filter in security-sensitive context. On this patchset, I followed the idea laid out in the discussion on whether to apply SXID_ERASE to all tunables [6]: 1. ignore any tunable on AT_SECURE binaries (as some Linux distributions do already [7]); 2. Add malloc tunables along with GLIBC_TUNABLES to unsecvars; 3. Do not parse ill-formatted GLIBC_TUNABLES strings; 4. Remove the requirement of duplicating the GLIBC_TUNABLES string for parsing. 5. Ignore most of the environment variables on security-sensitive mode (AT_SECURE/setuid/setgid). Patch #1 removes '/etc/suid-debug', which has not been working since malloc debugging supported moved to libc_malloc_debug.so. It is one thing less that might change AT_SECURE binaries' behavior due to environment configurations. Patch #2 removed tunables parsing and applying for setuid/setgid binaries (similar to Alt Linux patch). Patch #3 and #4 add all malloc tunable and GLIBC_TUNABLES to unsecvars and improve tst-env-setuid.c to test all possible environment variables. Patch #5 and #6 improved the GLIBC_TUNABLES handling to avoid handling ill-formatted inputs. Patch #7 makes _dl_debug_vdprintf usable before self-relocation so patch #8 can add a loader warning that ill-formatted GLIBC_TUNABLES inputs are ignored (it also fixes the issue where the GLIBC_TUNABLE allocation failure will trigger a SEGFAULT on some architecture for PIE). Patch #9, #10, and #11 remove the tunable_strdup and make the GLIBC_TUNABLE parsing in place (no more possible allocation failure). The parsing now tracks the tunable start and its size. The dl-tunable-parse.h adds helper functions to help to parse, like an strcmp that also checks for size and an iterator for suboptions that are comma-separated (used on hwcap parsing by x86, powerpc, and s390x). Patch #12, #13, #14, #16, and #18 make loader ignore all but just LD_PRELOAD and LD_AUDIT for setuid binaries. For both options, loader ensures that pathnames containing slashes are ignored and shared libraries are loaded only from the standard search directories and only if they have set-user-ID mode bit enabled. [1] https://sourceware.org/pipermail/libc-alpha/2023-October/151921.html [2] https://sourceware.org/pipermail/libc-alpha/2023-October/151936.html [3] https://www.openwall.com/lists/oss-security/2023/10/03/3 [4] https://sourceware.org/pipermail/libc-alpha/2023-October/151927.html [5] https://sourceware.org/pipermail/libc-alpha/2023-October/151959.html [6] https://sourceware.org/pipermail/libc-alpha/2023-October/152011.html [7] https://git.altlinux.org/gears/g/glibc.git?p=glibc.git;a=commitdiff;h=5d1686416ab766f3dd0780ab730650c4c0f76ca9 Changes from v2: * Extend tst-tunables with tunables aliases tests. * Use warning instead of an error to indicate invalid tunables. * Fixed tunable_initialize for string aliases. Changes from v1: * Ignore most of the environment variables on security-sensitive mode. * Extend tests. Adhemerval Zanella (19): elf: Remove /etc/suid-debug support elf: Add GLIBC_TUNABLES to unsecvars elf: Ignore GLIBC_TUNABLES for setuid/setgid binaries elf: Add all malloc tunable to unsecvars elf: Do not process invalid tunable format elf: Do not parse ill-formatted strings elf: Fix _dl_debug_vdprintf to work before self-relocation elf: Emit warning if tunable is ill-formatted x86: Use dl-symbol-redir-ifunc.h on cpu-tunables s390: Use dl-symbol-redir-ifunc.h on cpu-tunables elf: Do not duplicate the GLIBC_TUNABLES string elf: Ignore LD_PROFILE for setuid binaries elf: Remove LD_PROFILE for static binaries elf: Ignore loader debug env vars for setuid elf: Remove any_debug from dl_main_state elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for static elf: Add comments on how LD_AUDIT and LD_PRELOAD handle __libc_enable_secure elf: Ignore LD_BIND_NOW and LD_BIND_NOT for setuid binaries elf: Refactor process_envvars elf/Makefile | 26 +- elf/dl-load.c | 10 +- elf/dl-main.h | 3 - elf/dl-printf.c | 16 +- elf/dl-runtime.c | 12 +- elf/dl-support.c | 41 +-- elf/dl-tunable-types.h | 10 - elf/dl-tunables.c | 219 ++++-------- elf/dl-tunables.h | 6 +- elf/dl-tunables.list | 17 - elf/{dl-profstub.c => libc-dl-profstub.c} | 0 elf/rtld.c | 122 +++++-- elf/tst-env-setuid-static.c | 1 + elf/tst-env-setuid-tunables.c | 59 ++-- elf/tst-env-setuid.c | 140 +++++--- elf/tst-tunables.c | 321 ++++++++++++++++++ include/dlfcn.h | 5 + manual/README.tunables | 9 - manual/memory.texi | 4 +- manual/tunables.texi | 4 +- scripts/gen-tunables.awk | 18 +- stdio-common/Makefile | 5 + stdio-common/_itoa.c | 5 + sysdeps/aarch64/dl-machine.h | 4 +- sysdeps/aarch64/dl-trampoline.S | 2 +- sysdeps/alpha/dl-machine.h | 6 +- sysdeps/alpha/dl-trampoline.S | 4 + sysdeps/arm/dl-machine.h | 4 +- sysdeps/arm/dl-trampoline.S | 2 +- sysdeps/generic/dl-tunables-parse.h | 129 +++++++ sysdeps/generic/unsecvars.h | 10 + sysdeps/hppa/dl-machine.h | 36 +- sysdeps/hppa/dl-trampoline.S | 2 + sysdeps/i386/dl-machine.h | 2 + sysdeps/i386/dl-trampoline.S | 2 +- .../i686/multiarch/dl-symbol-redir-ifunc.h | 5 + sysdeps/ia64/dl-machine.h | 10 +- sysdeps/ia64/dl-trampoline.S | 2 +- sysdeps/loongarch/dl-machine.h | 6 +- sysdeps/loongarch/dl-trampoline.h | 2 + sysdeps/m68k/dl-machine.h | 4 +- sysdeps/m68k/dl-trampoline.S | 2 + sysdeps/powerpc/powerpc32/dl-machine.c | 2 +- sysdeps/powerpc/powerpc32/dl-machine.h | 10 +- sysdeps/powerpc/powerpc32/dl-trampoline.S | 2 +- sysdeps/powerpc/powerpc64/dl-machine.h | 20 +- sysdeps/powerpc/powerpc64/dl-trampoline.S | 2 +- sysdeps/s390/cpu-features.c | 169 ++++----- .../s390/multiarch/dl-symbol-redir-ifunc.h | 2 + sysdeps/s390/s390-32/dl-machine.h | 8 +- sysdeps/s390/s390-32/dl-trampoline.h | 2 +- sysdeps/s390/s390-64/dl-machine.h | 8 +- sysdeps/s390/s390-64/dl-trampoline.h | 2 +- sysdeps/sh/dl-machine.h | 2 + sysdeps/sh/dl-trampoline.S | 2 + sysdeps/sparc/sparc32/dl-machine.h | 4 +- sysdeps/sparc/sparc32/dl-trampoline.S | 2 + sysdeps/sparc/sparc64/dl-machine.h | 4 +- sysdeps/sparc/sparc64/dl-trampoline.S | 2 + .../unix/sysv/linux/aarch64/cpu-features.c | 38 ++- .../sysv/linux/i386/dl-writev.h} | 18 +- .../unix/sysv/linux/powerpc/cpu-features.c | 45 +-- .../sysv/linux/powerpc/tst-hwcap-tunables.c | 6 +- sysdeps/x86/Makefile | 4 +- sysdeps/x86/cpu-tunables.c | 135 +++----- sysdeps/x86/tst-hwcap-tunables.c | 148 ++++++++ sysdeps/x86_64/64/dl-tunables.list | 1 - sysdeps/x86_64/dl-machine.h | 2 + sysdeps/x86_64/dl-trampoline.S | 64 ++-- .../x86_64/multiarch/dl-symbol-redir-ifunc.h | 15 + 70 files changed, 1281 insertions(+), 725 deletions(-) rename elf/{dl-profstub.c => libc-dl-profstub.c} (100%) create mode 100644 elf/tst-env-setuid-static.c create mode 100644 elf/tst-tunables.c create mode 100644 sysdeps/generic/dl-tunables-parse.h rename sysdeps/{x86_64/memcmp-isa-default-impl.h => unix/sysv/linux/i386/dl-writev.h} (62%) create mode 100644 sysdeps/x86/tst-hwcap-tunables.c -- 2.34.1