1 /*
2 * Copyright (C) 2008 The Android Open Source Project
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * * Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * * Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in
12 * the documentation and/or other materials provided with the
13 * distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
16 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
18 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
19 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
22 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
25 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29 #include "libc_init_common.h"
30
31 #include <elf.h>
32 #include <errno.h>
33 #include <fcntl.h>
34 #include <stddef.h>
35 #include <stdint.h>
36 #include <stdio.h>
37 #include <stdlib.h>
38 #include <string.h>
39 #include <sys/auxv.h>
40 #include <sys/personality.h>
41 #include <sys/time.h>
42 #include <unistd.h>
43
44 #include <async_safe/log.h>
45
46 #include "private/WriteProtected.h"
47 #include "private/bionic_defs.h"
48 #include "private/bionic_globals.h"
49 #include "private/bionic_tls.h"
50 #include "private/thread_private.h"
51 #include "pthread_internal.h"
52
53 extern "C" int __system_properties_init(void);
54
55 __LIBC_HIDDEN__ WriteProtected<libc_globals> __libc_globals;
56
57 // Not public, but well-known in the BSDs.
58 const char* __progname;
59
__libc_init_globals()60 void __libc_init_globals() {
61 // Initialize libc globals that are needed in both the linker and in libc.
62 // In dynamic binaries, this is run at least twice for different copies of the
63 // globals, once for the linker's copy and once for the one in libc.so.
64 __libc_globals.initialize();
65 __libc_globals.mutate([](libc_globals* globals) {
66 __libc_init_vdso(globals);
67 __libc_init_setjmp_cookie(globals);
68 });
69 }
70
71 #if !defined(__LP64__)
__check_max_thread_id()72 static void __check_max_thread_id() {
73 if (gettid() > 65535) {
74 async_safe_fatal("Limited by the size of pthread_mutex_t, 32 bit bionic libc only accepts "
75 "pid <= 65535, but current pid is %d", gettid());
76 }
77 }
78 #endif
79
arc4random_fork_handler()80 static void arc4random_fork_handler() {
81 _rs_forked = 1;
82 _thread_arc4_lock();
83 }
84
85 __BIONIC_WEAK_FOR_NATIVE_BRIDGE
__libc_add_main_thread()86 void __libc_add_main_thread() {
87 // Get the main thread from TLS and add it to the thread list.
88 pthread_internal_t* main_thread = __get_thread();
89 __pthread_internal_add(main_thread);
90 }
91
__libc_init_common()92 void __libc_init_common() {
93 // Initialize various globals.
94 environ = __libc_shared_globals()->init_environ;
95 errno = 0;
96 __progname = __libc_shared_globals()->init_progname ?: "<unknown>";
97
98 #if !defined(__LP64__)
99 __check_max_thread_id();
100 #endif
101
102 __libc_add_main_thread();
103
104 // Register atfork handlers to take and release the arc4random lock.
105 pthread_atfork(arc4random_fork_handler, _thread_arc4_unlock, _thread_arc4_unlock);
106
107 __system_properties_init(); // Requires 'environ'.
108 __libc_init_fdsan(); // Requires system properties (for debug.fdsan).
109 }
110
__early_abort(int line)111 __noreturn static void __early_abort(int line) {
112 // We can't write to stdout or stderr because we're aborting before we've checked that
113 // it's safe for us to use those file descriptors. We probably can't strace either, so
114 // we rely on the fact that if we dereference a low address, either debuggerd or the
115 // kernel's crash dump will show the fault address.
116 *reinterpret_cast<int*>(line) = 0;
117 _exit(EXIT_FAILURE);
118 }
119
120 // Force any of the closed stdin, stdout and stderr to be associated with /dev/null.
__nullify_closed_stdio()121 static void __nullify_closed_stdio() {
122 int dev_null = TEMP_FAILURE_RETRY(open("/dev/null", O_RDWR));
123 if (dev_null == -1) {
124 // init won't have /dev/null available, but SELinux provides an equivalent.
125 dev_null = TEMP_FAILURE_RETRY(open("/sys/fs/selinux/null", O_RDWR));
126 }
127 if (dev_null == -1) {
128 __early_abort(__LINE__);
129 }
130
131 // If any of the stdio file descriptors is valid and not associated
132 // with /dev/null, dup /dev/null to it.
133 for (int i = 0; i < 3; i++) {
134 // If it is /dev/null already, we are done.
135 if (i == dev_null) {
136 continue;
137 }
138
139 // Is this fd already open?
140 int status = TEMP_FAILURE_RETRY(fcntl(i, F_GETFL));
141 if (status != -1) {
142 continue;
143 }
144
145 // The only error we allow is that the file descriptor does not
146 // exist, in which case we dup /dev/null to it.
147 if (errno == EBADF) {
148 // Try dupping /dev/null to this stdio file descriptor and
149 // repeat if there is a signal. Note that any errors in closing
150 // the stdio descriptor are lost.
151 status = TEMP_FAILURE_RETRY(dup2(dev_null, i));
152 if (status == -1) {
153 __early_abort(__LINE__);
154 }
155 } else {
156 __early_abort(__LINE__);
157 }
158 }
159
160 // If /dev/null is not one of the stdio file descriptors, close it.
161 if (dev_null > 2) {
162 if (close(dev_null) == -1) {
163 __early_abort(__LINE__);
164 }
165 }
166 }
167
168 // Check if the environment variable definition at 'envstr'
169 // starts with '<name>=', and if so return the address of the
170 // first character after the equal sign. Otherwise return null.
env_match(const char * envstr,const char * name)171 static const char* env_match(const char* envstr, const char* name) {
172 size_t i = 0;
173
174 while (envstr[i] == name[i] && name[i] != '\0') {
175 ++i;
176 }
177
178 if (name[i] == '\0' && envstr[i] == '=') {
179 return envstr + i + 1;
180 }
181
182 return nullptr;
183 }
184
__is_valid_environment_variable(const char * name)185 static bool __is_valid_environment_variable(const char* name) {
186 // According to the kernel source, by default the kernel uses 32*PAGE_SIZE
187 // as the maximum size for an environment variable definition.
188 const int MAX_ENV_LEN = 32*4096;
189
190 if (name == nullptr) {
191 return false;
192 }
193
194 // Parse the string, looking for the first '=' there, and its size.
195 int pos = 0;
196 int first_equal_pos = -1;
197 while (pos < MAX_ENV_LEN) {
198 if (name[pos] == '\0') {
199 break;
200 }
201 if (name[pos] == '=' && first_equal_pos < 0) {
202 first_equal_pos = pos;
203 }
204 pos++;
205 }
206
207 // Check that it's smaller than MAX_ENV_LEN (to detect non-zero terminated strings).
208 if (pos >= MAX_ENV_LEN) {
209 return false;
210 }
211
212 // Check that it contains at least one equal sign that is not the first character
213 if (first_equal_pos < 1) {
214 return false;
215 }
216
217 return true;
218 }
219
__is_unsafe_environment_variable(const char * name)220 static bool __is_unsafe_environment_variable(const char* name) {
221 // None of these should be allowed when the AT_SECURE auxv
222 // flag is set. This flag is set to inform userspace that a
223 // security transition has occurred, for example, as a result
224 // of executing a setuid program or the result of an SELinux
225 // security transition.
226 static constexpr const char* UNSAFE_VARIABLE_NAMES[] = {
227 "ANDROID_DNS_MODE",
228 "GCONV_PATH",
229 "GETCONF_DIR",
230 "HOSTALIASES",
231 "JE_MALLOC_CONF",
232 "LD_AOUT_LIBRARY_PATH",
233 "LD_AOUT_PRELOAD",
234 "LD_AUDIT",
235 "LD_DEBUG",
236 "LD_DEBUG_OUTPUT",
237 "LD_DYNAMIC_WEAK",
238 "LD_LIBRARY_PATH",
239 "LD_ORIGIN_PATH",
240 "LD_PRELOAD",
241 "LD_PROFILE",
242 "LD_SHOW_AUXV",
243 "LD_USE_LOAD_BIAS",
244 "LIBC_DEBUG_MALLOC_OPTIONS",
245 "LOCALDOMAIN",
246 "LOCPATH",
247 "MALLOC_CHECK_",
248 "MALLOC_CONF",
249 "MALLOC_TRACE",
250 "NIS_PATH",
251 "NLSPATH",
252 "RESOLV_HOST_CONF",
253 "RES_OPTIONS",
254 "TMPDIR",
255 "TZDIR",
256 };
257 for (const auto& unsafe_variable_name : UNSAFE_VARIABLE_NAMES) {
258 if (env_match(name, unsafe_variable_name) != nullptr) {
259 return true;
260 }
261 }
262 return false;
263 }
264
__sanitize_environment_variables(char ** env)265 static void __sanitize_environment_variables(char** env) {
266 char** src = env;
267 char** dst = env;
268 for (; src[0] != nullptr; ++src) {
269 if (!__is_valid_environment_variable(src[0])) {
270 continue;
271 }
272 // Remove various unsafe environment variables if we're loading a setuid program.
273 if (__is_unsafe_environment_variable(src[0])) {
274 continue;
275 }
276 dst[0] = src[0];
277 ++dst;
278 }
279 dst[0] = nullptr;
280 }
281
__initialize_personality()282 static void __initialize_personality() {
283 #if !defined(__LP64__)
284 int old_value = personality(0xffffffff);
285 if (old_value == -1) {
286 async_safe_fatal("error getting old personality value: %s", strerror(errno));
287 }
288
289 if (personality((static_cast<unsigned int>(old_value) & ~PER_MASK) | PER_LINUX32) == -1) {
290 async_safe_fatal("error setting PER_LINUX32 personality: %s", strerror(errno));
291 }
292 #endif
293 }
294
__libc_init_AT_SECURE(char ** env)295 void __libc_init_AT_SECURE(char** env) {
296 // Check that the kernel provided a value for AT_SECURE.
297 errno = 0;
298 unsigned long is_AT_SECURE = getauxval(AT_SECURE);
299 if (errno != 0) __early_abort(__LINE__);
300
301 // Always ensure that STDIN/STDOUT/STDERR exist. This prevents file
302 // descriptor confusion bugs where a parent process closes
303 // STD*, the exec()d process calls open() for an unrelated reason,
304 // the newly created file descriptor is assigned
305 // 0<=FD<=2, and unrelated code attempts to read / write to the STD*
306 // FDs.
307 // In particular, this can be a security bug for setuid/setgid programs.
308 // For example:
309 // https://www.freebsd.org/security/advisories/FreeBSD-SA-02:23.stdio.asc
310 // However, for robustness reasons, we don't limit these protections to
311 // just security critical executables.
312 //
313 // Init is excluded from these protections unless AT_SECURE is set, as
314 // /dev/null and/or /sys/fs/selinux/null will not be available at
315 // early boot.
316 if ((getpid() != 1) || is_AT_SECURE) {
317 __nullify_closed_stdio();
318 }
319
320 if (is_AT_SECURE) {
321 __sanitize_environment_variables(env);
322 }
323
324 // Now the environment has been sanitized, make it available.
325 environ = __libc_shared_globals()->init_environ = env;
326
327 __initialize_personality();
328 }
329
330 /* This function will be called during normal program termination
331 * to run the destructors that are listed in the .fini_array section
332 * of the executable, if any.
333 *
334 * 'fini_array' points to a list of function addresses. The first
335 * entry in the list has value -1, the last one has value 0.
336 */
__libc_fini(void * array)337 void __libc_fini(void* array) {
338 typedef void (*Dtor)();
339 Dtor* fini_array = reinterpret_cast<Dtor*>(array);
340 const Dtor minus1 = reinterpret_cast<Dtor>(static_cast<uintptr_t>(-1));
341
342 // Sanity check - first entry must be -1.
343 if (array == nullptr || fini_array[0] != minus1) {
344 return;
345 }
346
347 // Skip over it.
348 fini_array += 1;
349
350 // Count the number of destructors.
351 int count = 0;
352 while (fini_array[count] != nullptr) {
353 ++count;
354 }
355
356 // Now call each destructor in reverse order.
357 while (count > 0) {
358 Dtor dtor = fini_array[--count];
359
360 // Sanity check, any -1 in the list is ignored.
361 if (dtor == minus1) {
362 continue;
363 }
364
365 dtor();
366 }
367 }
368