From patchwork Tue Jun 25 09:17:19 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Stefan Liebler
X-Patchwork-Id: 1952042
From: Stefan Liebler
To: libc-alpha@sourceware.org
Cc: Joe Simmons-Talbott, Stefan Liebler
Subject: [PATCH] elf/rtld: Fix auxiliary vector for enable_secure
Date: Tue, 25 Jun 2024 11:17:19 +0200
Message-ID: <20240625091719.2084892-1-stli@linux.ibm.com>
X-Mailer: git-send-email 2.45.1
List-Id: Libc-alpha mailing list

Starting with commit
59974938fe1f4add843f5325f78e2a7ccd8db853
elf/rtld: Count skipped environment variables for enable_secure

The new testcase elf/tst-tunables-enable_secure-env segfaults on s390 (31bit).
There _start parses the auxiliary vector for some additional checks.

Therefore it skips over the zeros after the environment variables ...
0x7fffac20:     0x7fffbd17      0x7fffbd32      0x7fffbd69      0x00000000
------------------------------------------------^^^last environment variable

... and then it parses the auxiliary vector and stops at AT_NULL.

0x7fffac30:     0x00000000      0x00000021      0x00000000      0x00000000
--------------------------------^^^AT_SYSINFO_EHDR--------------^^^AT_NULL
----------------^^^newp-----------------------------------------^^^oldp

Afterwards it tries to access AT_PHDR which points to somewhere and segfaults.

Due to not incorporating the skip_env variable in the computation of oldp
when shuffling down the auxv in rtld.c, it just copies one entry with AT_NULL
and value 0x00000021 and stops the loop. In reality we have skipped
GLIBC_TUNABLES environment variable (=> skip_env=1). Thus we should copy from
here:

0x7fffac40:     0x00000021      0x7ffff000      0x00000010      0x007fffff
----------------^^^fixed-oldp

This patch fixes the computation of oldp when shuffling down auxiliary vector.
It also adds some checks in the testcase. Those checks also fail on s390x
(64bit) and x86_64 without the fix.
---
 elf/rtld.c                           |  2 +-
 elf/tst-tunables-enable_secure-env.c | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/elf/rtld.c b/elf/rtld.c index e9525ea987..883c651d48 100644 --- a/elf/rtld.c +++ b/elf/rtld.c @@ -1325,7 +1325,7 @@ _dl_start_args_adjust (int skip_args, int skip_env) /* Shuffle auxv down. */ ElfW(auxv_t) ax; - char *oldp = (char *) (p + 1); + char *oldp = (char *) (p + 1 + skip_env); char *newp = (char *) (sp + 1); do { diff --git a/elf/tst-tunables-enable_secure-env.c b/elf/tst-tunables-enable_secure-env.c index 24e846f299..c78e113c21 100644 --- a/elf/tst-tunables-enable_secure-env.c +++ b/elf/tst-tunables-enable_secure-env.c @@ -17,8 +17,12 @@ License along with the GNU C Library; if not, see . */ +#include #include #include +#ifdef __linux__ + #include +#endif static int do_test (int argc, char *argv[]) 
@@ -26,6 +30,21 @@ do_test (int argc, char *argv[]) /* Ensure that no assertions are hit when a dynamically linked application runs. This test requires that GLIBC_TUNABLES=glibc.rtld.enable_secure=1 is set. */ + + /* The environment variable GLIBC_TUNABLES is skipped for secure + execution. */ + TEST_VERIFY (getenv ("GLIBC_TUNABLES") == NULL); + +#ifdef __linux__ + /* On linux, the auxiliary vector is located after the environment variables. + Check that some of them are available as those are also shuffled down by + ld.so. */ + TEST_VERIFY (getauxval (AT_PHDR) != 0); + TEST_VERIFY (getauxval (AT_PHENT) != 0); + TEST_VERIFY (getauxval (AT_PHNUM) != 0); + TEST_VERIFY (getauxval (AT_ENTRY) != 0); +#endif + return 0; }
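
Review bot: In the elf/rtld.c hunk, the new `+ skip_env` term on the oldp line has no comment explaining it. The "Shuffle auxv down." comment could say that each skipped environment variable leaves one extra slot between p and the first auxv entry, so that `p + 1 + skip_env` is not later mistaken for an off-by-N and reverted.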
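
Review bot: In the first elf/tst-tunables-enable_secure-env.c hunk, the include inside the `#ifdef __linux__` block is indented before the `#`. glibc style keeps the `#` in the first column and puts the nesting indentation after it (`# include`), so this line should follow that form.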
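
Review bot: In the do_test hunk, the four getauxval checks only assert a non-zero result, so they catch the truncated vector described in the commit message but would still pass if the entries were copied from a wrong offset that happens to yield non-zero values. Checking one entry against a known value, for example AT_PHENT against the size of a program header entry, would make the test sensitive to a misplaced oldp as well as a truncated copy.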