From: Adhemerval Zanella
To: libc-alpha@sourceware.org, Siddhesh Poyarekar
Subject: [PATCH 00/11] Improve tunable handling
Date: Tue, 10 Oct 2023 15:01:00 -0300
Message-Id: <20231010180111.561793-1-adhemerval.zanella@linaro.org>

The recent CVE-2023-4911 fix [1] and tunable change to SXID_ERASE
discussion [2] brought some issues with the current tunable handling by
the loader. Besides the bugs in tuning parsing, some other questions are:

  * What should be the security boundaries for tunable and other tuning
    environment variables?
  * Should tunables be filtered out or be disabled altogether in setuid
    binaries [3]?
  * How should ld.so handle security-sensitive tunable (like malloc
    options)?
  * How to handle ill-formatted tunable definition [4]?
  * Is tunable copy/parsing (through tunable_strdup) required [5]?

On this patchset, I followed the idea laid out in the discussion on
whether to apply SXID_ERASE to all tunables [6]:

  * Ignore any tunable on AT_SECURE binaries (as some Linux
    distributions are already [7]);
  * Add malloc tunables along with GLIBC_TUNABLES to unsecvars;
  * Do not parse ill-formatted GLIBC_TUNABLES strings;
  * Remove the requirement of duplicating the GLIBC_TUNABLES string for
    parsing.

Patch #1 removes '/etc/suid-debug', which has not been working since
malloc debugging support moved to libc_malloc_debug.so. It is one thing
less that might change AT_SECURE binaries' behavior due to environment
configurations.

Patch #2 removed tunables parsing and applying for setuid/setgid
binaries (similar to Alt Linux patch).

Patch #3 and #4 add all malloc tunable and GLIBC_TUNABLES to unsecvars
and improve tst-env-setuid.c to test all possible environment variables.

Patch #5 and #6 improved the GLIBC_TUNABLES handling to avoid handling
ill-formatted inputs.

Patch #7 makes _dl_debug_vdprintf usable before self-relocation so
patch #8 can add a loader warning that ill-formatted GLIBC_TUNABLES
inputs are ignored (it also fixes the issue where the GLIBC_TUNABLES
allocation failure will trigger a SEGFAULT on some architectures for PIE).

Patch #9, #10, and #11 remove the tunable_strdup and make the
GLIBC_TUNABLES parsing in place (no more possible allocation failure).
The parsing now tracks the tunable start and its size. The
dl-tunables-parse.h adds helper functions to help to parse, like a
strcmp that also checks for size and an iterator for suboptions that are
comma-separated (used on hwcap parsing by x86, powerpc, and s390x).

[1] https://sourceware.org/pipermail/libc-alpha/2023-October/151921.html
[2] https://sourceware.org/pipermail/libc-alpha/2023-October/151936.html
[3] https://www.openwall.com/lists/oss-security/2023/10/03/3
[4] https://sourceware.org/pipermail/libc-alpha/2023-October/151927.html
[5] https://sourceware.org/pipermail/libc-alpha/2023-October/151959.html
[6] https://sourceware.org/pipermail/libc-alpha/2023-October/152011.html
[7] https://git.altlinux.org/gears/g/glibc.git?p=glibc.git;a=commitdiff;h=5d1686416ab766f3dd0780ab730650c4c0f76ca9

Adhemerval Zanella (11):
  elf: Remove /etc/suid-debug support
  elf: Ignore GLIBC_TUNABLES for setuid/setgid binaries
  elf: Add all malloc tunable to unsecvars
  elf: Add GLIBC_TUNABLES to unsecvars
  elf: Do not process invalid tunable format
  elf: Do not parse ill-formatted strings
  elf: Fix _dl_debug_vdprintf to work before self-relocation
  elf: Emit warning if tunable is ill-formatted
  x86: Use dl-symbol-redir-ifunc.h on cpu-tunables
  s390: Use dl-symbol-redir-ifunc.h on cpu-tunables
  elf: Do not duplicate the GLIBC_TUNABLES string

 elf/Makefile                                  |   5 +-
 elf/dl-printf.c                               |  16 +-
 elf/dl-tunable-types.h                        |  10 -
 elf/dl-tunables.c                             | 219 +++++----------
 elf/dl-tunables.h                             |   6 +-
 elf/dl-tunables.list                          |   9 -
 elf/rtld.c                                    |   3 -
 elf/tst-env-setuid-tunables.c                 |  58 ++--
 elf/tst-env-setuid.c                          |  87 ++----
 elf/tst-tunables.c                            | 260 ++++++++++++++++++
 manual/README.tunables                        |   9 -
 manual/memory.texi                            |   4 +-
 manual/tunables.texi                          |   4 +-
 scripts/gen-tunables.awk                      |  18 +-
 stdio-common/Makefile                         |   5 +
 stdio-common/_itoa.c                          |   5 +
 sysdeps/generic/dl-tunables-parse.h           | 128 +++++++++
 sysdeps/generic/unsecvars.h                   |   8 +
 .../i686/multiarch/dl-symbol-redir-ifunc.h    |   5 +
 sysdeps/s390/cpu-features.c                   | 169 +++++-------
 .../s390/multiarch/dl-symbol-redir-ifunc.h    |   2 +
 .../unix/sysv/linux/aarch64/cpu-features.c    |  38 ++-
 .../sysv/linux/i386/dl-writev.h}              |  18 +-
 .../unix/sysv/linux/powerpc/cpu-features.c    |  45 +--
 .../sysv/linux/powerpc/tst-hwcap-tunables.c   |   6 +-
 sysdeps/x86/Makefile                          |   4 +-
 sysdeps/x86/cpu-tunables.c                    | 135 +++------
 sysdeps/x86/tst-hwcap-tunables.c              | 151 ++++++++++
 sysdeps/x86_64/64/dl-tunables.list            |   1 -
 .../x86_64/multiarch/dl-symbol-redir-ifunc.h  |  15 +
 30 files changed, 888 insertions(+), 555 deletions(-)
 create mode 100644 elf/tst-tunables.c
 create mode 100644 sysdeps/generic/dl-tunables-parse.h
 rename sysdeps/{x86_64/memcmp-isa-default-impl.h => unix/sysv/linux/i386/dl-writev.h} (62%)
 create mode 100644 sysdeps/x86/tst-hwcap-tunables.c
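
Added example (not part of the original message and not glibc's code): a minimal in-place parser for a GLIBC_TUNABLES-style string of colon-separated name=value entries, illustrating the approach the cover letter describes: track each tunable's start and size instead of duplicating the string, compare names with a size-aware check, and ignore the whole string if any entry is ill-formatted. All names (span, tunable, span_eq, parse_tunables) and the exact strictness rules are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical names; this is not glibc's dl-tunables.c or dl-tunables-parse.h. */
struct span { const char *p; size_t len; };   /* slice of the env string */
struct tunable { struct span name, value; };

/* strcmp-like test that also checks the size, so a prefix never matches. */
static bool span_eq(struct span s, const char *lit)
{
    size_t n = strlen(lit);
    return s.len == n && memcmp(s.p, lit, n) == 0;
}

/* Parse "name=value:name=value" in place (no copy, no allocation).
   Returns the entry count, or -1 (apply nothing) if ill-formatted or > max. */
static int parse_tunables(const char *env, struct tunable *out, int max)
{
    int n = 0;
    for (const char *p = env; *p != '\0'; n++) {
        const char *name = p;
        while (*p != '=' && *p != ':' && *p != '\0')
            p++;
        if (*p != '=' || p == name || n == max)   /* no '=', empty name, full */
            return -1;
        const char *val = ++p;
        while (*p != ':' && *p != '=' && *p != '\0')
            p++;
        if (*p == '=' || p == val)                /* second '=' or empty value */
            return -1;
        out[n].name = (struct span){ name, (size_t)(val - 1 - name) };
        out[n].value = (struct span){ val, (size_t)(p - val) };
        if (*p == ':' && *++p == '\0')            /* trailing ':' */
            return -1;
    }
    return n;
}

int main(void)
{
    struct tunable t[8];                          /* input below is constructed */
    int n = parse_tunables("glibc.malloc.check=2:glibc.malloc.tcache_count=0", t, 8);
    for (int i = 0; i < n; i++)
        printf("%.*s=%.*s%s\n", (int)t[i].name.len, t[i].name.p,
               (int)t[i].value.len, t[i].value.p,
               span_eq(t[i].name, "glibc.malloc.check") ? "  (malloc check)" : "");
    return n < 0;
}
```

Because every slice points into the caller's string, the result is only valid while that string is; there is no buffer whose size could disagree with the input.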