Message ID | 20231017130526.2216827-6-adhemerval.zanella@linaro.org |
---|---|
State | Superseded |
Series | Improve loader environment variable handling | expand |
On 2023-10-17 09:05, Adhemerval Zanella wrote:
> Tunable definitions with more than one '=' on are parsed and enabled,
> and any subsequent '=' are ignored. It means that tunables in the form
> 'tunable=tunable=value' or 'tunable=value=value' are handled as
> 'tunable=value'. These inputs are likely user input errors, which
> should not be accepted.
>
> Checked on x86_64-linux-gnu.
> ---
> elf/dl-tunables.c | 6 ++++--
> elf/tst-tunables.c | 22 +++++++++++++++++-----
> 2 files changed, 21 insertions(+), 7 deletions(-)
>
> diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
> index a83bd2b8bc..59bee61124 100644
> --- a/elf/dl-tunables.c
> +++ b/elf/dl-tunables.c
> @@ -192,10 +192,12 @@ parse_tunables (char *valstring)
>
> const char *value = p;
>
> - while (*p != ':' && *p != '\0')
> + while (*p != '=' && *p != ':' && *p != '\0')
> p++;
>
> - if (*p == '\0')
> + if (*p == '=')
> + break;
> + else if (*p == '\0')
So we're not going to attempt to parse any tunables after the malformed one. A bit harsh, but probably safer. OK.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
> done = true;
> else
> *p++ = '\0';
> diff --git a/elf/tst-tunables.c b/elf/tst-tunables.c
> index 57cf532fc4..03039b5260 100644
> --- a/elf/tst-tunables.c
> +++ b/elf/tst-tunables.c
> @@ -161,24 +161,36 @@ static const struct test_t
> 0,
> 0,
> },
> - /* The ill-formatted tunable is also skipped. */
> + /* If there is a ill-formatted key=value, everything after is also ignored. */
> {
> "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096:glibc.malloc.check=2",
> - 2,
> + 0,
> 0,
> 0,
> },
> - /* For an integer tunable, parse will stop on non number character. */
> {
> "glibc.malloc.check=2=2",
> - 2,
> + 0,
> 0,
> 0,
> },
> {
> "glibc.malloc.check=2=2:glibc.malloc.mmap_threshold=4096",
> + 0,
> + 0,
> + 0,
> + },
> + {
> + "glibc.malloc.check=2=2:glibc.malloc.check=2",
> + 0,
> + 0,
> + 0,
> + },
> + /* Valid tunables set before ill-formatted ones are set. */
> + {
> + "glibc.malloc.check=2:glibc.malloc.mmap_threshold=4096=4096",
> 2,
> - 4096,
> + 0,
> 0,
> }
> };
diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
index a83bd2b8bc..59bee61124 100644
--- a/elf/dl-tunables.c
+++ b/elf/dl-tunables.c
@@ -192,10 +192,12 @@ parse_tunables (char *valstring)

 const char *value = p;

- while (*p != ':' && *p != '\0')
+ while (*p != '=' && *p != ':' && *p != '\0')
 p++;

- if (*p == '\0')
+ if (*p == '=')
+ break;
+ else if (*p == '\0')
 done = true;
 else
 *p++ = '\0';
diff --git a/elf/tst-tunables.c b/elf/tst-tunables.c
index 57cf532fc4..03039b5260 100644
--- a/elf/tst-tunables.c
+++ b/elf/tst-tunables.c
@@ -161,24 +161,36 @@ static const struct test_t
 0,
 0,
 },
- /* The ill-formatted tunable is also skipped. */
+ /* If there is a ill-formatted key=value, everything after is also ignored. */
 {
 "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096:glibc.malloc.check=2",
- 2,
+ 0,
 0,
 0,
 },
- /* For an integer tunable, parse will stop on non number character. */
 {
 "glibc.malloc.check=2=2",
- 2,
+ 0,
 0,
 0,
 },
 {
 "glibc.malloc.check=2=2:glibc.malloc.mmap_threshold=4096",
+ 0,
+ 0,
+ 0,
+ },
+ {
+ "glibc.malloc.check=2=2:glibc.malloc.check=2",
+ 0,
+ 0,
+ 0,
+ },
+ /* Valid tunables set before ill-formatted ones are set. */
+ {
+ "glibc.malloc.check=2:glibc.malloc.mmap_threshold=4096=4096",
 2,
- 4096,
+ 0,
 0,
 }
 };
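Review bot: The new `if (*p == '=') break;` branch in elf/dl-tunables.c leaves the parsing loop with no comment and no diagnostic, so a stray '=' in one value now silently discards that entry and every tunable after it, while entries parsed earlier stay applied. Since valstring presumably comes from the process environment, that partial result should be spelled out where it happens, for example `/* A second '=' makes this entry malformed: ignore it and everything after it; tunables already parsed stay set.  */`. A tunable meant to tighten behaviour is dropped the same way when it sits after the malformed one, so anyone relying on such a setting has no indication that parsing stopped; whether a diagnostic is possible this early in the loader is not visible here. parse_tunables starts and ends outside the hunk.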
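Review bot: The updated table in elf/tst-tunables.c covers a doubled name and a doubled value but not the two boundary shapes of the new '=' check, an empty first value and a trailing '='. Entries such as `"glibc.malloc.check==2"` and `"glibc.malloc.check=2="` (constructed examples) should, going by the new loop in parse_tunables, leave all three expected fields at 0, and they would pin that behaviour against later parser changes. The added comment reads better as `/* If there is an ill-formatted key=value, everything after it is also ignored.  */`. The array definition starts outside the hunk.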