1 /*
2 * Copyright (C) 2008 The Android Open Source Project
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * * Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * * Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in
12 * the documentation and/or other materials provided with the
13 * distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
16 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
18 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
19 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
22 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
25 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29 #include "libc_init_common.h"
30
31 #include <async_safe/log.h>
32 #include <elf.h>
33 #include <errno.h>
34 #include <fcntl.h>
35 #include <inttypes.h>
36 #include <stddef.h>
37 #include <stdint.h>
38 #include <stdio.h>
39 #include <stdlib.h>
40 #include <string.h>
41 #include <sys/auxv.h>
42 #include <sys/personality.h>
43 #include <sys/time.h>
44 #include <unistd.h>
45
46 #include "heap_tagging.h"
47 #include "private/ScopedPthreadMutexLocker.h"
48 #include "private/WriteProtected.h"
49 #include "private/bionic_defs.h"
50 #include "private/bionic_globals.h"
51 #include "private/bionic_tls.h"
52 #include "private/thread_private.h"
53 #include "pthread_internal.h"
54
55 extern "C" int __system_properties_init(void);
56 extern "C" void scudo_malloc_set_zero_contents(int);
57 extern "C" void scudo_malloc_set_pattern_fill_contents(int);
58
59 __LIBC_HIDDEN__ constinit WriteProtected<libc_globals> __libc_globals;
60 __LIBC_HIDDEN__ constinit _Atomic(bool) __libc_memtag_stack;
61 __LIBC_HIDDEN__ constinit bool __libc_memtag_stack_abi;
62
63 // Not public, but well-known in the BSDs.
64 __BIONIC_WEAK_VARIABLE_FOR_NATIVE_BRIDGE
65 const char* __progname;
66
67 #if defined(__i386__) || defined(__x86_64__)
68 // Default sizes based on the old hard-coded values for Atom/Silvermont (x86) and Core 2 (x86-64)...
69 size_t __x86_data_cache_size = 24 * 1024;
70 size_t __x86_data_cache_size_half = __x86_data_cache_size / 2;
71 size_t __x86_shared_cache_size = sizeof(long) == 8 ? 4096 * 1024 : 1024 * 1024;
72 size_t __x86_shared_cache_size_half = __x86_shared_cache_size / 2;
73 // ...overwritten at runtime based on the cpu's reported cache sizes.
__libc_init_x86_cache_info()74 static void __libc_init_x86_cache_info() {
75 // Handle the case where during early boot /sys fs may not yet be ready,
76 // resulting in sysconf() returning 0, leading to crashes.
77 // In that case (basically just init), we keep the defaults.
78 if (sysconf(_SC_LEVEL1_DCACHE_SIZE) != 0) {
79 __x86_data_cache_size = sysconf(_SC_LEVEL1_DCACHE_SIZE);
80 __x86_data_cache_size_half = __x86_data_cache_size / 2;
81 }
82 if (sysconf(_SC_LEVEL2_CACHE_SIZE) != 0) {
83 __x86_shared_cache_size = sysconf(_SC_LEVEL2_CACHE_SIZE);
84 __x86_shared_cache_size_half = __x86_shared_cache_size / 2;
85 }
86 }
87 #endif
88
__libc_init_globals()89 void __libc_init_globals() {
90 // Initialize libc globals that are needed in both the linker and in libc.
91 // In dynamic binaries, this is run at least twice for different copies of the
92 // globals, once for the linker's copy and once for the one in libc.so.
93 __libc_globals.initialize();
94 __libc_globals.mutate([](libc_globals* globals) {
95 __libc_init_vdso(globals);
96 __libc_init_setjmp_cookie(globals);
97 });
98 }
99
100 #if !defined(__LP64__)
__check_max_thread_id()101 static void __check_max_thread_id() {
102 if (gettid() > 65535) {
103 async_safe_fatal("32-bit pthread_mutex_t only supports pids <= 65535; "
104 "current pid %d; "
105 "`echo 65535 > /proc/sys/kernel/pid_max` as root",
106 gettid());
107 }
108 }
109 #endif
110
arc4random_fork_handler()111 static void arc4random_fork_handler() {
112 _rs_forked = 1;
113 _thread_arc4_lock();
114 }
115
116 __BIONIC_WEAK_FOR_NATIVE_BRIDGE
__libc_init_scudo()117 void __libc_init_scudo() {
118 // Heap tagging level *must* be set before interacting with Scudo, otherwise
119 // the primary will be mapped with PROT_MTE even if MTE is is not enabled in
120 // this process.
121 SetDefaultHeapTaggingLevel();
122
123 // TODO(b/158870657) make this unconditional when all devices support SCUDO.
124 #if defined(USE_SCUDO) && !__has_feature(hwaddress_sanitizer)
125 #if defined(SCUDO_PATTERN_FILL_CONTENTS)
126 scudo_malloc_set_pattern_fill_contents(1);
127 #elif defined(SCUDO_ZERO_CONTENTS)
128 scudo_malloc_set_zero_contents(1);
129 #endif
130 #endif
131 }
132
133 __BIONIC_WEAK_FOR_NATIVE_BRIDGE
134 __attribute__((no_sanitize("hwaddress", "memtag"))) void
__libc_init_mte_late()135 __libc_init_mte_late() {
136 #if defined(__aarch64__)
137 if (!__libc_shared_globals()->heap_tagging_upgrade_timer_sec) {
138 return;
139 }
140 struct sigevent event = {};
141 static timer_t timer;
142 event.sigev_notify = SIGEV_THREAD;
143 event.sigev_notify_function = [](union sigval) {
144 async_safe_format_log(ANDROID_LOG_INFO, "libc",
145 "Downgrading MTE to async.");
146 ScopedPthreadMutexLocker l(&g_heap_tagging_lock);
147 SetHeapTaggingLevel(M_HEAP_TAGGING_LEVEL_ASYNC);
148 timer_delete(timer);
149 };
150
151 if (timer_create(CLOCK_REALTIME, &event, &timer) == -1) {
152 async_safe_format_log(ANDROID_LOG_ERROR, "libc",
153 "Failed to create MTE downgrade timer: %m");
154 // Revert back to ASYNC. If we fail to create or arm the timer, otherwise
155 // the process would be indefinitely stuck in SYNC.
156 SetHeapTaggingLevel(M_HEAP_TAGGING_LEVEL_ASYNC);
157 return;
158 }
159
160 struct itimerspec timerspec = {};
161 timerspec.it_value.tv_sec =
162 __libc_shared_globals()->heap_tagging_upgrade_timer_sec;
163 if (timer_settime(timer, /* flags= */ 0, &timerspec, nullptr) == -1) {
164 async_safe_format_log(ANDROID_LOG_ERROR, "libc",
165 "Failed to arm MTE downgrade timer: %m");
166 // Revert back to ASYNC. If we fail to create or arm the timer, otherwise
167 // the process would be indefinitely stuck in SYNC.
168 SetHeapTaggingLevel(M_HEAP_TAGGING_LEVEL_ASYNC);
169 timer_delete(timer);
170 return;
171 }
172 async_safe_format_log(
173 ANDROID_LOG_INFO, "libc", "Armed MTE downgrade timer for %" PRId64 " s",
174 __libc_shared_globals()->heap_tagging_upgrade_timer_sec);
175 #endif
176 }
177
178 __BIONIC_WEAK_FOR_NATIVE_BRIDGE
__libc_add_main_thread()179 void __libc_add_main_thread() {
180 // Get the main thread from TLS and add it to the thread list.
181 pthread_internal_t* main_thread = __get_thread();
182 __pthread_internal_add(main_thread);
183 }
184
__libc_init_common()185 void __libc_init_common() {
186 // Initialize various globals.
187 environ = __libc_shared_globals()->init_environ;
188 errno = 0;
189 setprogname(__libc_shared_globals()->init_progname ?: "<unknown>");
190
191 #if !defined(__LP64__)
192 __check_max_thread_id();
193 #endif
194
195 __libc_add_main_thread();
196
197 __system_properties_init(); // Requires 'environ'.
198 __libc_init_fdsan(); // Requires system properties (for debug.fdsan).
199 __libc_init_fdtrack();
200
201 #if defined(__i386__) || defined(__x86_64__)
202 __libc_init_x86_cache_info();
203 #endif
204 }
205
__libc_init_fork_handler()206 void __libc_init_fork_handler() {
207 // Register atfork handlers to take and release the arc4random lock.
208 pthread_atfork(arc4random_fork_handler, _thread_arc4_unlock, _thread_arc4_unlock);
209 }
210
211 extern "C" void scudo_malloc_set_add_large_allocation_slack(int add_slack);
212
__libc_set_target_sdk_version(int target_api_level __unused)213 __BIONIC_WEAK_FOR_NATIVE_BRIDGE void __libc_set_target_sdk_version(int target_api_level __unused) {
214 #if defined(USE_SCUDO) && !__has_feature(hwaddress_sanitizer)
215 scudo_malloc_set_add_large_allocation_slack(target_api_level < 31);
216 #endif
217 }
218
__early_abort(size_t line)219 __noreturn static void __early_abort(size_t line) {
220 // We can't write to stdout or stderr because we're aborting before we've checked that
221 // it's safe for us to use those file descriptors. We probably can't strace either, so
222 // we rely on the fact that if we dereference a low address, either debuggerd or the
223 // kernel's crash dump will show the fault address.
224 *reinterpret_cast<int*>(line) = 0;
225 _exit(EXIT_FAILURE);
226 }
227
228 // Force any of the stdin/stdout/stderr file descriptors that aren't
229 // open to be associated with /dev/null.
__nullify_closed_stdio()230 static void __nullify_closed_stdio() {
231 for (int i = 0; i < 3; i++) {
232 if (TEMP_FAILURE_RETRY(fcntl(i, F_GETFL)) == -1) {
233 // The only error we allow is that the file descriptor does not exist.
234 if (errno != EBADF) __early_abort(__LINE__);
235
236 // This file descriptor wasn't open, so open /dev/null.
237 // init won't have /dev/null available, but SELinux provides an equivalent.
238 // This takes advantage of the fact that open() will take the lowest free
239 // file descriptor, and we're iterating in order from 0, but we'll
240 // double-check we got the right fd anyway...
241 int fd;
242 if (((fd = TEMP_FAILURE_RETRY(open("/dev/null", O_RDWR))) == -1 &&
243 (fd = TEMP_FAILURE_RETRY(open("/sys/fs/selinux/null", O_RDWR))) == -1) ||
244 fd != i) {
245 __early_abort(__LINE__);
246 }
247 }
248 }
249 }
250
251 // Check if the environment variable definition at 'envstr'
252 // starts with '<name>=', and if so return the address of the
253 // first character after the equal sign. Otherwise return null.
env_match(const char * envstr,const char * name)254 static const char* env_match(const char* envstr, const char* name) {
255 size_t i = 0;
256
257 while (envstr[i] == name[i] && name[i] != '\0') {
258 ++i;
259 }
260
261 if (name[i] == '\0' && envstr[i] == '=') {
262 return envstr + i + 1;
263 }
264
265 return nullptr;
266 }
267
__is_valid_environment_variable(const char * name)268 static bool __is_valid_environment_variable(const char* name) {
269 // According to the kernel source, by default the kernel uses 32*PAGE_SIZE
270 // as the maximum size for an environment variable definition.
271 const int MAX_ENV_LEN = 32*4096;
272
273 if (name == nullptr) {
274 return false;
275 }
276
277 // Parse the string, looking for the first '=' there, and its size.
278 int pos = 0;
279 int first_equal_pos = -1;
280 while (pos < MAX_ENV_LEN) {
281 if (name[pos] == '\0') {
282 break;
283 }
284 if (name[pos] == '=' && first_equal_pos < 0) {
285 first_equal_pos = pos;
286 }
287 pos++;
288 }
289
290 // Check that it's smaller than MAX_ENV_LEN (to detect non-zero terminated strings).
291 if (pos >= MAX_ENV_LEN) {
292 return false;
293 }
294
295 // Check that it contains at least one equal sign that is not the first character
296 if (first_equal_pos < 1) {
297 return false;
298 }
299
300 return true;
301 }
302
__is_unsafe_environment_variable(const char * name)303 static bool __is_unsafe_environment_variable(const char* name) {
304 // None of these should be allowed when the AT_SECURE auxv
305 // flag is set. This flag is set to inform userspace that a
306 // security transition has occurred, for example, as a result
307 // of executing a setuid program or the result of an SELinux
308 // security transition.
309 static constexpr const char* UNSAFE_VARIABLE_NAMES[] = {
310 "ANDROID_DNS_MODE",
311 "GCONV_PATH",
312 "GETCONF_DIR",
313 "HOSTALIASES",
314 "JE_MALLOC_CONF",
315 "LD_AOUT_LIBRARY_PATH",
316 "LD_AOUT_PRELOAD",
317 "LD_AUDIT",
318 "LD_CONFIG_FILE",
319 "LD_DEBUG",
320 "LD_DEBUG_OUTPUT",
321 "LD_DYNAMIC_WEAK",
322 "LD_HWASAN",
323 "LD_LIBRARY_PATH",
324 "LD_ORIGIN_PATH",
325 "LD_PRELOAD",
326 "LD_PROFILE",
327 "LD_SHOW_AUXV",
328 "LD_USE_LOAD_BIAS",
329 "LIBC_DEBUG_MALLOC_OPTIONS",
330 "LIBC_HOOKS_ENABLE",
331 "LOCALDOMAIN",
332 "LOCPATH",
333 "MALLOC_CHECK_",
334 "MALLOC_CONF",
335 "MALLOC_TRACE",
336 "NIS_PATH",
337 "NLSPATH",
338 "RESOLV_HOST_CONF",
339 "RES_OPTIONS",
340 "SCUDO_OPTIONS",
341 "TMPDIR",
342 "TZDIR",
343 };
344 for (const auto& unsafe_variable_name : UNSAFE_VARIABLE_NAMES) {
345 if (env_match(name, unsafe_variable_name) != nullptr) {
346 return true;
347 }
348 }
349 return false;
350 }
351
__sanitize_environment_variables(char ** env)352 static void __sanitize_environment_variables(char** env) {
353 char** src = env;
354 char** dst = env;
355 for (; src[0] != nullptr; ++src) {
356 if (!__is_valid_environment_variable(src[0])) {
357 continue;
358 }
359 // Remove various unsafe environment variables if we're loading a setuid program.
360 if (__is_unsafe_environment_variable(src[0])) {
361 continue;
362 }
363 dst[0] = src[0];
364 ++dst;
365 }
366 dst[0] = nullptr;
367 }
368
__initialize_personality()369 static void __initialize_personality() {
370 #if !defined(__LP64__)
371 int old_value = personality(0xffffffff);
372 if (old_value == -1) {
373 async_safe_fatal("error getting old personality value: %m");
374 }
375
376 if (personality((static_cast<unsigned int>(old_value) & ~PER_MASK) | PER_LINUX32) == -1) {
377 async_safe_fatal("error setting PER_LINUX32 personality: %m");
378 }
379 #endif
380 }
381
__libc_init_AT_SECURE(char ** env)382 void __libc_init_AT_SECURE(char** env) {
383 // Check that the kernel provided a value for AT_SECURE.
384 errno = 0;
385 unsigned long is_AT_SECURE = getauxval(AT_SECURE);
386 if (errno != 0) __early_abort(__LINE__);
387
388 // Always ensure that STDIN/STDOUT/STDERR exist. This prevents file
389 // descriptor confusion bugs where a parent process closes
390 // STD*, the exec()d process calls open() for an unrelated reason,
391 // the newly created file descriptor is assigned
392 // 0<=FD<=2, and unrelated code attempts to read / write to the STD*
393 // FDs.
394 // In particular, this can be a security bug for setuid/setgid programs.
395 // For example:
396 // https://www.freebsd.org/security/advisories/FreeBSD-SA-02:23.stdio.asc
397 // However, for robustness reasons, we don't limit these protections to
398 // just security critical executables.
399 //
400 // Init is excluded from these protections unless AT_SECURE is set, as
401 // /dev/null and/or /sys/fs/selinux/null will not be available at
402 // early boot.
403 if ((getpid() != 1) || is_AT_SECURE) {
404 __nullify_closed_stdio();
405 }
406
407 if (is_AT_SECURE) {
408 __sanitize_environment_variables(env);
409 }
410
411 // Now the environment has been sanitized, make it available.
412 environ = __libc_shared_globals()->init_environ = env;
413
414 __initialize_personality();
415 }
416
417 /* This function will be called during normal program termination
418 * to run the destructors that are listed in the .fini_array section
419 * of the executable, if any.
420 *
421 * 'fini_array' points to a list of function addresses. The first
422 * entry in the list has value -1, the last one has value 0.
423 */
__libc_fini(void * array)424 void __libc_fini(void* array) {
425 typedef void (*Dtor)();
426 Dtor* fini_array = reinterpret_cast<Dtor*>(array);
427 const Dtor minus1 = reinterpret_cast<Dtor>(static_cast<uintptr_t>(-1));
428
429 // Validity check: the first entry must be -1.
430 if (array == nullptr || fini_array[0] != minus1) return;
431
432 // Skip over it.
433 fini_array += 1;
434
435 // Count the number of destructors.
436 int count = 0;
437 while (fini_array[count] != nullptr) {
438 ++count;
439 }
440
441 // Now call each destructor in reverse order, ignoring any -1s.
442 while (count > 0) {
443 Dtor dtor = fini_array[--count];
444 if (dtor != minus1) dtor();
445 }
446 }
447