From 650ffdc9644ca82c0ae241276244be39c33dd67f Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Mon, 17 Apr 2017 16:43:22 -0500 Subject: [PATCH] Revamp lib/roken/getauxval.c --- cf/roken-frag.m4 | 1 + lib/roken/Makefile.am | 2 + lib/roken/NTMakefile | 1 + lib/roken/getauxval.c | 254 +++++++++++++++++++++++++++++++++++ lib/roken/getauxval.h | 157 ++++++++++++++++++++++ lib/roken/roken.h.in | 3 - lib/roken/test-auxval.c | 42 +++++- lib/roken/version-script.map | 3 +- 8 files changed, 453 insertions(+), 10 deletions(-) create mode 100644 lib/roken/getauxval.c create mode 100644 lib/roken/getauxval.h diff --git a/cf/roken-frag.m4 b/cf/roken-frag.m4 index f077cf8a5..3dd73b564 100644 --- a/cf/roken-frag.m4 +++ b/cf/roken-frag.m4 @@ -42,6 +42,7 @@ AC_HAVE_TYPE([ssize_t],[#include ]) AC_REQUIRE([AC_TYPE_PID_T]) AC_REQUIRE([AC_TYPE_UID_T]) AC_HAVE_TYPE([long long]) +AC_HAVE_TYPE([auxv_t],[#include ]) AC_REQUIRE([rk_RETSIGTYPE]) diff --git a/lib/roken/Makefile.am b/lib/roken/Makefile.am index a717da16b..bf1483f99 100644 --- a/lib/roken/Makefile.am +++ b/lib/roken/Makefile.am @@ -93,6 +93,8 @@ libroken_la_SOURCES = \ get_default_username.c \ get_window_size.c \ getarg.c \ + getauxval.c \ + getauxval.h \ getnameinfo_verified.c \ getprogname.c \ getxxyyy.c \ diff --git a/lib/roken/NTMakefile b/lib/roken/NTMakefile index 57ef7506f..fa3a9f709 100644 --- a/lib/roken/NTMakefile +++ b/lib/roken/NTMakefile @@ -55,6 +55,7 @@ libroken_la_OBJS = \ $(OBJ)\ewrite.obj \ $(OBJ)\flock.obj \ $(OBJ)\fnmatch.obj \ + $(OBJ)\getauxval.obj \ $(OBJ)\getaddrinfo_hostspec.obj \ $(OBJ)\get_default_username.obj \ $(OBJ)\get_window_size.obj \ diff --git a/lib/roken/getauxval.c b/lib/roken/getauxval.c new file mode 100644 index 000000000..bb1091e65 --- /dev/null +++ b/lib/roken/getauxval.c 
@@ -0,0 +1,254 @@
+/*
+ * Copyright (c) 2016 - 2017 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include
+
+#ifdef HAVE_SYS_AUXV_H
+#include
+#endif
+
+#if defined(ENABLE_PTHREAD_SUPPORT) && defined(HAVE_PTHREAD_H)
+#include
+#endif
+
+#include
+
+#include "roken.h"
+#include "getauxval.h"
+
+int rk_injected_auxv = 0; /* shared with issuid() for testing */
+static int has_proc_auxv = 1;
+static int proc_auxv_ret = 0;
+
+#if defined(ENABLE_PTHREAD_SUPPORT) && defined(HAVE_PTHREAD_H)
+pthread_once_t readprocauxv_once = PTHREAD_ONCE_INIT;
+#endif
+
+/*
+ * There's no standard maximum.
+ *
+ * At the time of this writing we observe some 20 or so auxv entries.
+ * If eventually that grows much larger then rk_getprocaux*() will see a
+ * truncated auxv.
+ */
+#define MAX_AUXV_COUNT 128
+static auxv_t auxv[MAX_AUXV_COUNT];
+
+static void
+do_readprocauxv(void)
+{
+ char *p = (void *)auxv;
+ ssize_t bytes;
+ size_t sz = sizeof(auxv) - sizeof(auxv[0]); /* leave terminator */
+ int save_errno = errno;
+ int fd;
+
+ errno = 0;
+ memset(auxv, 0, sizeof(auxv)); /* terminates our copy */
+ if ((fd = open("/proc/self/auxv", O_RDONLY)) == -1) {
+ if (errno == ENOENT)
+ has_proc_auxv = 0;
+ goto out;
+ }
+
+ do {
+ if ((bytes = read(fd, p, sz)) > 0) {
+ sz -= bytes;
+ p += bytes;
+ }
+ } while (sz && ((bytes == -1 && errno == EINTR) || bytes > 0));
+
+out:
+ proc_auxv_ret = errno;
+ if (fd != -1)
+ (void) close(fd);
+ if (sz == 0 && bytes > 0)
+ warnx("/proc/self/auxv has more entries than expected");
+ errno = save_errno;
+ return;
+}
+
+static int
+readprocauxv(void)
+{
+#if defined(ENABLE_PTHREAD_SUPPORT) && defined(HAVE_PTHREAD_H)
+ pthread_once(&readprocauxv_once, do_readprocauxv);
+#else
+ do_readprocauxv();
+#endif
+ return proc_auxv_ret;
+}
+
+/**
+ * Looks up an auxv entry in /proc/self/auxv. Preserves errno.
+ *
+ * @return a pointer to an auxv_t if found, else NULL.
+ */
+ROKEN_LIB_FUNCTION const auxv_t * ROKEN_LIB_CALL
+rk_getauxv(unsigned long type)
+{
+ auxv_t *a;
+
+ if (!has_proc_auxv || type > INT_MAX)
+ return NULL;
+
+ if (readprocauxv() != 0)
+ return NULL;
+
+ for (a = auxv; a - auxv < MAX_AUXV_COUNT; a++) {
+ if ((int)a->a_type == (int)type)
+ return a;
+ if (a->a_type == 0 && a->a_un.a_val == 0)
+ break;
+ }
+ return NULL;
+}
+
+static unsigned long
+rk_getprocauxval(unsigned long type)
+{
+ const auxv_t *a = rk_getauxv(type);
+
+ if (a == NULL) {
+ errno = ENOENT;
+ return 0;
+ }
+ return a->a_un.a_val;
+}
+
+/**
+ * Like the nearly-standard getauxval(). If the auxval is not found
+ * returns zero and always sets errno to ENOENT. Otherwise if auxval is
+ * found it leaves errno as it was, even if the value is zero.
+ *
+ * @return The value of the ELF auxiliary value for the given type, or
+ * zero and sets errno to ENOENT.
+ */
+ROKEN_LIB_FUNCTION unsigned long ROKEN_LIB_CALL
+rk_getauxval(unsigned long type)
+{
+#ifdef HAVE_GETAUXVAL
+#ifdef GETAUXVAL_SETS_ERRNO
+ if (rk_injected_auxv)
+ return rk_getprocauxval(type);
+ return getauxval(type);
+#else
+ unsigned long ret;
+ unsigned long ret2;
+ static int getauxval_sets_errno = -1;
+ int save_errno = errno;
+
+ if (rk_injected_auxv)
+ return rk_getprocauxval(type);
+
+ errno = 0;
+ ret = getauxval(type);
+ if (ret != 0 || errno == ENOENT || getauxval_sets_errno == 1) {
+ if (ret != 0)
+ errno = save_errno;
+ else if (getauxval_sets_errno > 0 && errno == 0)
+ errno = save_errno;
+ return ret;
+ }
+
+ if (getauxval_sets_errno == 0) {
+ errno = save_errno;
+ if ((a = rk_getauxv(type)) == NULL) {
+ errno = ENOENT;
+ return 0;
+ }
+ return a->a_un.a_val;
+ }
+
+ /*
+ * We've called getauxval() and it returned 0, but we don't know if
+ * getauxval() sets errno = ENOENT when entries are not found.
+ *
+ * Attempt to detect whether getauxval() sets errno = ENOENT by
+ * calling it with what should be a bogus type.
+ */
+
+ errno = 0;
+ ret2 = getauxval(~type);
+ if (ret2 == 0 && errno == ENOENT) {
+ getauxval_sets_errno = 1;
+ errno = save_errno;
+ return ret;
+ }
+
+ getauxval_sets_errno = 0;
+ errno = save_errno;
+#endif
+#else
+ const auxv_t *a;
+
+ if ((a = rk_getauxv(type)) == NULL) {
+ errno = ENOENT;
+ return 0;
+ }
+ return a->a_un.a_val;
+#endif
+}
+
+/**
+ * *Internal* function for testing by injecting or overwriting an ELF
+ * auxiliary vector entry.
+ *
+ * @return zero on success or ENOSPC if there are too many ELF auxiliary
+ * entries.
+ */
+ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL
+rk_injectauxv(auxv_t *e)
+{
+ size_t i;
+ int ret;
+
+ /*
+ * This function is racy, but as an internal function never meant to
+ * be called in a threaded program, we don't care.
+ */
+
+ if ((ret = readprocauxv()) != 0)
+ return ret;
+
+ rk_injected_auxv = 1;
+ for (i = 0; i < MAX_AUXV_COUNT - 1 && auxv[i].a_type != 0; i++) {
+ /* e->a_type == 0 -> truncate auxv, delete all entries */
+ if (auxv[i].a_type == e->a_type || e->a_type == 0)
+ break;
+ }
+ if (i == MAX_AUXV_COUNT - 1)
+ return ENOSPC;
+ auxv[i] = e[0];
+ return 0;
+}
diff --git a/lib/roken/getauxval.h b/lib/roken/getauxval.h
new file mode 100644
index 000000000..9b90a59b3
--- /dev/null
+++ b/lib/roken/getauxval.h
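Review bot: In `rk_getauxval()`, the branch built when `HAVE_GETAUXVAL` is defined but `GETAUXVAL_SETS_ERRNO` is not assigns to `a` without declaring it, and after the final `getauxval_sets_errno = 0; errno = save_errno;` control reaches the closing brace of a non-void function with no `return`. Both places appear to want the /proc lookup that the static `rk_getprocauxval()` defined just above already performs, so the `if ((a = rk_getauxv(type)) == NULL) { ... } return a->a_un.a_val;` block can become `return rk_getprocauxval(type);`, and the same line can follow the last `errno = save_errno;`. Separately, when pthread support is compiled out, `readprocauxv()` calls `do_readprocauxv()` on every lookup, and its `memset(auxv, 0, sizeof(auxv))` discards any entry stored by `rk_injectauxv()`; a `static int done;` guard around that call would keep the injected view and avoid reopening `/proc/self/auxv` each time. A read interrupted by `EINTR` that later succeeds also looks like it leaves `proc_auxv_ret` non-zero, because `errno` is not cleared before the retry.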
@@ -0,0 +1,157 @@
+/*
+ * Copyright (c) 2016 - 2017 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef RK_GETAUXVAL_H
+#define RK_GETAUXVAL_H
+
+#include
+
+#ifdef HAVE_SYS_AUXV_H
+#include
+#endif
+
+#ifndef HAVE_AUXV_T
+/*
+ * Illumos defines auxv_t per the ABI standards, but all other OSes seem
+ * to use { long; long; } instead, depends on sizeof(long) ==
+ * sizeof(void *), and they do not define an auxv_t.
+ *
+ * sizeof(long) != sizeof(void *) on WIN64, but Windows doesn't have
+ * /proc/self/auxv anyways. Just in case we use uintptr_t.
+ */
+typedef struct rk_auxv {
+ uintptr_t a_type;
+ union {
+ uintptr_t a_val;
+ uintptr_t a_ptr; /* This would be void * */
+ uintptr_t a_fnc; /* This would be void (*)(void) */
+ } a_un;
+} auxv_t;
+#endif
+
+#ifdef __linux__
+/*
+ * Older glibcs have no , but do nonetheless have an ELF
+ * auxiliary vector, and with the values for these types that appear in
+ * in later versions.
+ *
+ * Note that Travis-CI still uses Ubuntu 14 for its Linux build
+ * environment, which has such an older glibc version.
+ */
+#ifndef AT_UID
+#define AT_UID 11
+#endif
+#ifndef AT_EUID
+#define AT_EUID 12
+#endif
+#ifndef AT_GID
+#define AT_GID 13
+#endif
+#ifndef AT_EGID
+#define AT_EGID 14
+#endif
+#ifndef AT_SECURE
+#define AT_SECURE 23
+#endif
+#endif
+
+/* NetBSD calls AT_UID AT_RUID. Everyone else calls it AT_UID. */
+#if defined(AT_EUID) && defined(AT_RUID) && !defined(AT_UID)
+#define AT_UID AT_RUID
+#endif
+#if defined(AT_EGID) && defined(AT_RGID) && !defined(AT_GID)
+#define AT_GID AT_RGID
+#endif
+
+#if defined(AT_EUID) && defined(AT_UID) && !defined(AT_RUID)
+#define AT_RUID AT_UID
+#endif
+#if defined(AT_EGID) && defined(AT_GID) && !defined(AT_RGID)
+#define AT_RGID AT_GID
+#endif
+
+
+/*
+ * There are three different names for the type whose value is the path
+ * to the executable being run by the process.
+ */ +#if defined(AT_EXECFN) && !defined(AT_EXECPATH) +#define AT_EXECPATH AT_EXECFN +#endif +#if defined(AT_EXECFN) && !defined(AT_SUN_EXECNAME) +#define AT_SUN_EXECNAME AT_EXECFN +#endif +#if defined(AT_EXECPATH) && !defined(AT_EXECFN) +#define AT_EXECFN AT_EXECPATH +#endif +#if defined(AT_EXECPATH) && !defined(AT_SUN_EXECNAME) +#define AT_SUN_EXECNAME AT_EXECPATH +#endif +#if defined(AT_SUN_EXECNAME) && !defined(AT_EXECFN) +#define AT_EXECFN AT_SUN_EXECNAME +#endif +#if defined(AT_SUN_EXECNAME) && !defined(AT_EXECPATH) +#define AT_EXECPATH AT_SUN_EXECNAME +#endif + +/* We need this for part of the getauxval() brokenness detection below */ +#ifdef __GLIBC__ +#ifdef __GLIBC_PREREQ +#define HAVE_GLIBC_API_VERSION_SUPPORT(maj, min) __GLIBC_PREREQ(maj, min) +#else +#define HAVE_GLIBC_API_VERSION_SUPPORT(maj, min) \ + ((__GLIBC << 16) + GLIBC_MINOR >= ((maj) << 16) + (min)) +#endif + +/* + * Detect whether getauxval() is broken. + * + * Do change this check in order to manually test rk_getauxval() for + * older glibcs. + */ +#if HAVE_GLIBC_API_VERSION_SUPPORT(2, 19) +#define GETAUXVAL_SETS_ERRNO +/* #else it's broken */ +#endif +#endif + +ROKEN_LIB_FUNCTION const auxv_t * ROKEN_LIB_CALL + rk_getauxv(unsigned long type); + +ROKEN_LIB_FUNCTION unsigned long ROKEN_LIB_CALL + rk_getauxval(unsigned long); + +ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL + rk_injectauxv(auxv_t *e); + +#endif /* RK_GETAUXVAL_H */ diff --git a/lib/roken/roken.h.in b/lib/roken/roken.h.in index 3e9063ea6..9391fa622 100644 --- a/lib/roken/roken.h.in +++ b/lib/roken/roken.h.in @@ -827,9 +827,6 @@ ROKEN_LIB_FUNCTION ssize_t ROKEN_LIB_CALL ROKEN_LIB_FUNCTION ssize_t ROKEN_LIB_CALL net_read (rk_socket_t, void *, size_t); -ROKEN_LIB_FUNCTION unsigned long ROKEN_LIB_CALL - rk_getprocauxval(unsigned long); - ROKEN_LIB_FUNCTION unsigned long ROKEN_LIB_CALL rk_getauxval(unsigned long); diff --git a/lib/roken/test-auxval.c b/lib/roken/test-auxval.c index 4a8b74231..a14bdbfde 100644 --- a/lib/roken/test-auxval.c 
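Review bot: The fallback definition of `HAVE_GLIBC_API_VERSION_SUPPORT`, used when `__GLIBC_PREREQ` is absent, tests `__GLIBC` and `GLIBC_MINOR`, which are not the glibc version macros. Undefined identifiers evaluate to 0 inside `#if`, so the comparison is false for every version asked about and `GETAUXVAL_SETS_ERRNO` is never defined on that path. The continuation line should read `((__GLIBC__ << 16) + __GLIBC_MINOR__ >= ((maj) << 16) + (min))`. As written, such builds silently compile the run-time errno-probing branch of `rk_getauxval()` even on a glibc that reports missing entries correctly.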
+++ b/lib/roken/test-auxval.c @@ -41,19 +41,49 @@ #include #include #include "roken.h" +#include "getauxval.h" + +static +unsigned long +getprocauxval(unsigned long type) +{ + const auxv_t *e; + + if ((e = rk_getauxv(type)) == NULL) { + errno = ENOENT; + return 0; + } + return e->a_un.a_val; +} int -main() +main(int argc, char **argv, char **env) { unsigned long max_t = 0; unsigned long a[2]; unsigned long v; ssize_t bytes; + int am_suid = issuid(); int fd; + (void) argc; + (void) argv; + + if (getuid() == geteuid() && getgid() == getegid()) { + if (issuid()) + errx(1, "issuid() false positive? Check AT_SECURE?"); + } else { + if (!issuid()) + errx(1, "issuid() did not detect set-uid-ness!"); + } + if ((fd = open("/proc/self/auxv", O_RDONLY)) == -1) return 0; + /* + * Check that for every ELF auxv entry in /proc/self/auxv we + * find the correct answer from the rk_get*auxval() functions. + */ do { bytes = read(fd, a, sizeof(a)); if (bytes != sizeof(a)) { @@ -82,11 +112,11 @@ main() if (errno != EACCES) errx(1, "rk_getauxval(%lu) did not preserve errno", a[0]); - if ((v = rk_getprocauxval(a[0])) != a[1]) + if ((v = getprocauxval(a[0])) != a[1]) errx(1, "rk_getauxval(%lu) should have been %lu, was %lu", a[0], a[1], v); if (errno != EACCES) - errx(1, "rk_getprocauxval(%lu) did not preserve errno", a[0]); + errx(1, "rk_getauxv(%lu) did not preserve errno", a[0]); printf("auxv type %lu -> %lu\n", a[0], a[1]); } while (a[0] != 0 || a[1] != 0); @@ -108,11 +138,11 @@ main() "errno = ENOENT!", max_t); errno = EACCES; - if ((v = rk_getprocauxval(max_t + 1)) != 0) - errx(1, "rk_getprocauxval((max_type_seen = %lu) + 1) should have been " + if ((v = getprocauxval(max_t + 1)) != 0) + errx(1, "rk_getauxv((max_type_seen = %lu) + 1) should have been " "0, was %lu", max_t, v); if (errno != ENOENT) - errx(1, "rk_getprocauxval((max_type_seen = %lu) + 1) did not set " + errx(1, "rk_getauxv((max_type_seen = %lu) + 1) did not set " "errno = ENOENT!", max_t); return 0; } 
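Review bot: In the first hunk, `am_suid` is initialised from `issuid()` but never read, and the new `env` parameter is left unused while `argc` and `argv` are explicitly voided. Either use the cached value in the two checks, `if (am_suid)` and `if (!am_suid)`, or drop the variable, and add `(void) env;` beside the other two casts. A one-line comment above the uid/gid comparison, for example `/* issuid() must agree with the real/effective ID comparison */`, would state what the new block asserts; the body of `main()` continues in the later hunks.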
diff --git a/lib/roken/version-script.map b/lib/roken/version-script.map index 3864d7eb5..d67224c53 100644 --- a/lib/roken/version-script.map +++ b/lib/roken/version-script.map @@ -68,12 +68,12 @@ HEIMDAL_ROKEN_1.0 { rk_freeifaddrs; rk_gai_strerror; rk_getaddrinfo; + rk_getauxv; rk_getauxval; rk_getifaddrs; rk_getipnodebyaddr; rk_getipnodebyname; rk_getnameinfo; - rk_getprocauxval; rk_getprogname; rk_glob; rk_globfree; @@ -82,6 +82,7 @@ HEIMDAL_ROKEN_1.0 { rk_hostent_find_fqdn; rk_inet_ntop; rk_inet_pton; + rk_injectauxv; rk_localtime_r; rk_memset_s; rk_mkdir;
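Review bot: Adding `rk_injectauxv` to the exported `HEIMDAL_ROKEN_1.0` symbols turns a hook that getauxval.c documents as internal and test-only into part of the library's public ABI. Once it has been called, `rk_getauxval()` answers from the writable in-process copy rather than the kernel-supplied vector, and the comment on `rk_injected_auxv` says `issuid()` shares that state, so the set-uid decision would presumably follow whatever was injected. Consider keeping the symbol out of the map and building the test against the object file, or compiling the hook only in a test configuration; failing that, a comment beside the entry marking it as a test hook would record the intent.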