diff mbox series

[v5,3/5] elf: Ignore loader debug env vars for setuid

Message ID 20231122204325.4058222-4-adhemerval.zanella@linaro.org
State Accepted
Commit 876a12e51323b4c0f7b6f32ec76f4a5280b7f0b9
Headers show
Series Improve loader environment variable handling | expand

Commit Message

Adhemerval Zanella Netto Nov. 22, 2023, 8:43 p.m. UTC
Loader already ignores LD_DEBUG, LD_DEBUG_OUTPUT, and
LD_TRACE_LOADED_OBJECTS. Both LD_WARN and LD_VERBOSE are similar to
LD_DEBUG, in the sense they enable additional checks and debug
information, so it makes sense to disable them.

Also add both LD_VERBOSE and LD_WARN on filtered environment variables
for setuid binaries.

Checked on x86_64-linux-gnu.
---
 elf/rtld.c                  | 22 ++++++++++++++--------
 elf/tst-env-setuid.c        |  4 ++++
 sysdeps/generic/unsecvars.h |  2 ++
 3 files changed, 20 insertions(+), 8 deletions(-)

Comments

Siddhesh Poyarekar Dec. 1, 2023, 3:34 p.m. UTC | #1
On 2023-11-22 15:43, Adhemerval Zanella wrote:
> Loader already ignores LD_DEBUG, LD_DEBUG_OUTPUT, and
> LD_TRACE_LOADED_OBJECTS. Both LD_WARN and LD_VERBOSE are similar to
> LD_DEBUG, in the sense they enable additional checks and debug
> information, so it makes sense to disable them.
> 
> Also add both LD_VERBOSE and LD_WARN on filtered environment variables
> for setuid binaries.

LGTM.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

I think patches 3-5 are independent of the remaining two patches, so you 
could push them if you want.

Thanks,
Sid

> 
> Checked on x86_64-linux-gnu.
> ---
>   elf/rtld.c                  | 22 ++++++++++++++--------
>   elf/tst-env-setuid.c        |  4 ++++
>   sysdeps/generic/unsecvars.h |  2 ++
>   3 files changed, 20 insertions(+), 8 deletions(-)
> 
> diff --git a/elf/rtld.c b/elf/rtld.c
> index 0553c05edb..d1017ba9e9 100644
> --- a/elf/rtld.c
> +++ b/elf/rtld.c
> @@ -2550,13 +2550,15 @@ process_envvars (struct dl_main_state *state)
>   	{
>   	case 4:
>   	  /* Warning level, verbose or not.  */
> -	  if (memcmp (envline, "WARN", 4) == 0)
> +	  if (!__libc_enable_secure
> +	      && memcmp (envline, "WARN", 4) == 0)
>   	    GLRO(dl_verbose) = envline[5] != '\0';
>   	  break;
>   
>   	case 5:
>   	  /* Debugging of the dynamic linker?  */
> -	  if (memcmp (envline, "DEBUG", 5) == 0)
> +	  if (!__libc_enable_secure
> +	      && memcmp (envline, "DEBUG", 5) == 0)
>   	    {
>   	      process_dl_debug (state, &envline[6]);
>   	      break;
> @@ -2571,7 +2573,8 @@ process_envvars (struct dl_main_state *state)
>   
>   	case 7:
>   	  /* Print information about versions.  */
> -	  if (memcmp (envline, "VERBOSE", 7) == 0)
> +	  if (!__libc_enable_secure
> +	      && memcmp (envline, "VERBOSE", 7) == 0)
>   	    {
>   	      state->version_info = envline[8] != '\0';
>   	      break;
> @@ -2630,7 +2633,8 @@ process_envvars (struct dl_main_state *state)
>   	    }
>   
>   	  /* Where to place the profiling data file.  */
> -	  if (memcmp (envline, "DEBUG_OUTPUT", 12) == 0)
> +	  if (!__libc_enable_secure
> +	      && memcmp (envline, "DEBUG_OUTPUT", 12) == 0)
>   	    {
>   	      debug_output = &envline[13];
>   	      break;
> @@ -2651,7 +2655,8 @@ process_envvars (struct dl_main_state *state)
>   
>   	case 20:
>   	  /* The mode of the dynamic linker can be set.  */
> -	  if (memcmp (envline, "TRACE_LOADED_OBJECTS", 20) == 0)
> +	  if (!__libc_enable_secure
> +	      && memcmp (envline, "TRACE_LOADED_OBJECTS", 20) == 0)
>   	    {
>   	      state->mode = rtld_mode_trace;
>   	      state->mode_trace_program
> @@ -2673,9 +2678,10 @@ process_envvars (struct dl_main_state *state)
>   	}
>         while (*nextp != '\0');
>   
> -      GLRO(dl_debug_mask) = 0;
> -
> -      if (state->mode != rtld_mode_normal)
> +      if (GLRO(dl_debug_mask) != 0
> +	  || GLRO(dl_verbose) != 0
> +	  || state->mode != rtld_mode_normal
> +	  || state->version_info)
>   	_exit (5);
>       }
>     /* If we have to run the dynamic linker in debugging mode and the
> diff --git a/elf/tst-env-setuid.c b/elf/tst-env-setuid.c
> index 76b8e1fb45..b1d64ac085 100644
> --- a/elf/tst-env-setuid.c
> +++ b/elf/tst-env-setuid.c
> @@ -59,6 +59,10 @@ static const struct envvar_t filtered_envvars[] =
>     { "MALLOC_TRACE",            FILTERED_VALUE },
>     { "MALLOC_TRIM_THRESHOLD_",  FILTERED_VALUE },
>     { "RES_OPTIONS",             FILTERED_VALUE },
> +  { "LD_DEBUG",                "all" },
> +  { "LD_DEBUG_OUTPUT",         "/tmp/some-file" },
> +  { "LD_WARN",                 FILTERED_VALUE },
> +  { "LD_VERBOSE",              FILTERED_VALUE },
>   };
>   
>   static const struct envvar_t unfiltered_envvars[] =
> diff --git a/sysdeps/generic/unsecvars.h b/sysdeps/generic/unsecvars.h
> index f7ebed60e5..8975df4a14 100644
> --- a/sysdeps/generic/unsecvars.h
> +++ b/sysdeps/generic/unsecvars.h
> @@ -16,6 +16,8 @@
>     "LD_PRELOAD\0"							      \
>     "LD_PROFILE\0"							      \
>     "LD_SHOW_AUXV\0"							      \
> +  "LD_VERBOSE\0"							      \
> +  "LD_WARN\0"								      \
>     "LOCALDOMAIN\0"							      \
>     "LOCPATH\0"								      \
>     "MALLOC_ARENA_MAX\0"							      \
diff mbox series

Patch

diff --git a/elf/rtld.c b/elf/rtld.c
index 0553c05edb..d1017ba9e9 100644
--- a/elf/rtld.c
+++ b/elf/rtld.c
@@ -2550,13 +2550,15 @@  process_envvars (struct dl_main_state *state)
 	{
 	case 4:
 	  /* Warning level, verbose or not.  */
-	  if (memcmp (envline, "WARN", 4) == 0)
+	  if (!__libc_enable_secure
+	      && memcmp (envline, "WARN", 4) == 0)
 	    GLRO(dl_verbose) = envline[5] != '\0';
 	  break;
 
 	case 5:
 	  /* Debugging of the dynamic linker?  */
-	  if (memcmp (envline, "DEBUG", 5) == 0)
+	  if (!__libc_enable_secure
+	      && memcmp (envline, "DEBUG", 5) == 0)
 	    {
 	      process_dl_debug (state, &envline[6]);
 	      break;
@@ -2571,7 +2573,8 @@  process_envvars (struct dl_main_state *state)
 
 	case 7:
 	  /* Print information about versions.  */
-	  if (memcmp (envline, "VERBOSE", 7) == 0)
+	  if (!__libc_enable_secure
+	      && memcmp (envline, "VERBOSE", 7) == 0)
 	    {
 	      state->version_info = envline[8] != '\0';
 	      break;
@@ -2630,7 +2633,8 @@  process_envvars (struct dl_main_state *state)
 	    }
 
 	  /* Where to place the profiling data file.  */
-	  if (memcmp (envline, "DEBUG_OUTPUT", 12) == 0)
+	  if (!__libc_enable_secure
+	      && memcmp (envline, "DEBUG_OUTPUT", 12) == 0)
 	    {
 	      debug_output = &envline[13];
 	      break;
@@ -2651,7 +2655,8 @@  process_envvars (struct dl_main_state *state)
 
 	case 20:
 	  /* The mode of the dynamic linker can be set.  */
-	  if (memcmp (envline, "TRACE_LOADED_OBJECTS", 20) == 0)
+	  if (!__libc_enable_secure
+	      && memcmp (envline, "TRACE_LOADED_OBJECTS", 20) == 0)
 	    {
 	      state->mode = rtld_mode_trace;
 	      state->mode_trace_program
@@ -2673,9 +2678,10 @@  process_envvars (struct dl_main_state *state)
 	}
       while (*nextp != '\0');
 
-      GLRO(dl_debug_mask) = 0;
-
-      if (state->mode != rtld_mode_normal)
+      if (GLRO(dl_debug_mask) != 0
+	  || GLRO(dl_verbose) != 0
+	  || state->mode != rtld_mode_normal
+	  || state->version_info)
 	_exit (5);
     }
   /* If we have to run the dynamic linker in debugging mode and the
diff --git a/elf/tst-env-setuid.c b/elf/tst-env-setuid.c
index 76b8e1fb45..b1d64ac085 100644
--- a/elf/tst-env-setuid.c
+++ b/elf/tst-env-setuid.c
@@ -59,6 +59,10 @@  static const struct envvar_t filtered_envvars[] =
   { "MALLOC_TRACE",            FILTERED_VALUE },
   { "MALLOC_TRIM_THRESHOLD_",  FILTERED_VALUE },
   { "RES_OPTIONS",             FILTERED_VALUE },
+  { "LD_DEBUG",                "all" },
+  { "LD_DEBUG_OUTPUT",         "/tmp/some-file" },
+  { "LD_WARN",                 FILTERED_VALUE },
+  { "LD_VERBOSE",              FILTERED_VALUE },
 };
 
 static const struct envvar_t unfiltered_envvars[] =
diff --git a/sysdeps/generic/unsecvars.h b/sysdeps/generic/unsecvars.h
index f7ebed60e5..8975df4a14 100644
--- a/sysdeps/generic/unsecvars.h
+++ b/sysdeps/generic/unsecvars.h
@@ -16,6 +16,8 @@ 
   "LD_PRELOAD\0"							      \
   "LD_PROFILE\0"							      \
   "LD_SHOW_AUXV\0"							      \
+  "LD_VERBOSE\0"							      \
+  "LD_WARN\0"								      \
   "LOCALDOMAIN\0"							      \
   "LOCPATH\0"								      \
   "MALLOC_ARENA_MAX\0"							      \