From patchwork Mon Nov 6 20:25:34 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adhemerval Zanella Netto X-Patchwork-Id: 741452 Delivered-To: patch@linaro.org Received: by 2002:adf:fd90:0:b0:32d:baff:b0ca with SMTP id d16csp1294270wrr; Mon, 6 Nov 2023 12:26:08 -0800 (PST) X-Google-Smtp-Source: AGHT+IGvWg7TgLcoMrsIHbTyQYdzZzYjJmzgbqfva9urZ/nAy+NJGLHYBal70upJx2ygkUjwNR7s X-Received: by 2002:a05:622a:114:b0:41e:217a:bad5 with SMTP id u20-20020a05622a011400b0041e217abad5mr33772701qtw.67.1699302368257; Mon, 06 Nov 2023 12:26:08 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1699302368; cv=pass; d=google.com; s=arc-20160816; b=ljhlJTGC4K/TeeYPHqVMdEz6gRARCOoDrIkXAhwB08GNEFiRLWHoh+wYAiA2jiyDHE 3a2CZUtgWc1V0tcVJpxqwxuUcEhC5aGvYQiYliSZ/Yej43ctPClJpJ4aDx/Abmes9zJE Qz8oBiCjRKzU1e817uOadutciaNBIG+BBLTGmjAhGYUTNYCDQ9KNO9XKfiJ41hgczBLH KVHyogN4h9gZVpa+uMmDdZwxSCWdXYSOoOexNfAlG3EzgFN3UD+FgSLaOvISuV82kfSo GGlQENU5BU8omDI1JcopYwXDDF2ifRg6UGEWE4gHmhSXWraXz9FrMBhQM+jljQ7FsZaa 4pvQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:to:from :dkim-signature:arc-filter:dmarc-filter:delivered-to; bh=ZNo3RMtxxUUYe2oJL8ABVJZaH14s4wpvQnBQDQ06lMY=; fh=+FUb54tScwW7D3lvWhZcQBi30wyNNn2DusdH7ahfqKk=; b=Si0Cs2OFXUE9oP1oHvbW4uCWjQ7QYxyLWxyBV/umdvuz2KNESPiiZUNjc37LVsHtf9 ItHfrNJJRgFBfgJh6wyb8ygPFiQowyjEDAyXI7lRtZGCQW3ou0NLUMY0csXDYK4ay4gl HB6YTYq8eFDYOhOVdfmkZlvLXIPoXJpcmMfRzc5ZegrVhrA4gyJeGxIM/vJnXo+xS4T/ CD33iJV09FU9gLgVPQ1wlg4t19630hscURScTVcDjJ9OGqrpnr+chO903+CwahkmRmiH UtkEo37doi4sY4AGgfX3vcFtJkWL0pPeiWgwx5XW0mF7Jm7sNT+NLCszpGkWejwcrlkI c91w== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=t2rjl+Hn; arc=pass (i=1); spf=pass (google.com: domain of libc-alpha-bounces+patch=linaro.org@sourceware.org designates 2620:52:3:1:0:246e:9693:128c as permitted sender) smtp.mailfrom="libc-alpha-bounces+patch=linaro.org@sourceware.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from server2.sourceware.org (server2.sourceware.org. [2620:52:3:1:0:246e:9693:128c]) by mx.google.com with ESMTPS id t7-20020ac85887000000b0041cb4580e9asi6136979qta.674.2023.11.06.12.26.08 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 06 Nov 2023 12:26:08 -0800 (PST) Received-SPF: pass (google.com: domain of libc-alpha-bounces+patch=linaro.org@sourceware.org designates 2620:52:3:1:0:246e:9693:128c as permitted sender) client-ip=2620:52:3:1:0:246e:9693:128c; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=t2rjl+Hn; arc=pass (i=1); spf=pass (google.com: domain of libc-alpha-bounces+patch=linaro.org@sourceware.org designates 2620:52:3:1:0:246e:9693:128c as permitted sender) smtp.mailfrom="libc-alpha-bounces+patch=linaro.org@sourceware.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id E484B38582BC for ; Mon, 6 Nov 2023 20:26:07 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-yw1-x112b.google.com (mail-yw1-x112b.google.com [IPv6:2607:f8b0:4864:20::112b]) by sourceware.org (Postfix) with ESMTPS id 66FD53858CDB for ; Mon, 6 Nov 2023 20:26:01 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 66FD53858CDB Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 66FD53858CDB Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::112b ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1699302362; cv=none; b=CA40IMyjAkriQb+BjCQ/KMvoesEKeNeAK7mblDjmbxhORYRpX4bq0R+QPB5+k2nUK69nJLxLbNLy/aK7S+X9WqihxlCjLWZ2q2mZ0Zq16MmVfBFSYSUmTfEuAqgf2K/PkwKvf0p17XmLEPe0OVJmmhmehoavcW27a+zW74mhRDA= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1699302362; c=relaxed/simple; bh=Z+Q65c2KgPXJiQvNU9zYIX00gatgiQffUy66t6qwvqs=; h=DKIM-Signature:From:To:Subject:Date:Message-Id:MIME-Version; b=OEL8N3vHtBLlKbqJafWzwg3Jicmvo/JdD/jniGC+guHM5kOX2sR8+p9fcVLKB5UdPKb3wJBcxS03+hW4Is+5qHp6JOmzaZNauGChYdP5ZcZ1Ob4os+ks+tRfLjyCPLvhAXkWfmSjGAmHs8QcE6L5HgTGg3DZUql6n4dOIn3xzbg= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-yw1-x112b.google.com with SMTP id 00721157ae682-5a7afd45199so59236527b3.0 for ; Mon, 06 Nov 2023 12:26:01 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1699302360; x=1699907160; darn=sourceware.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=ZNo3RMtxxUUYe2oJL8ABVJZaH14s4wpvQnBQDQ06lMY=; b=t2rjl+HnqiUL4EOJgPQxoKfdwFvKvhoN7M8MZhLPLBNyKf0GtUrzZQVHpxH+3HrqK9 W+9XZIrEOhdQFR5y+nZBQv+klB3r+ph7SV9UisQPbQnxq0rrQTg//qJpvVXrHIc+PCsw tCh5e0hCl8pwE+QkMaZlCivezIkxPlzG7p+z5JNc46YL8IEFvkUfVaFLprpEuWWsuz8q afvHtUgoPS0jH23/6UQ03yexCxVdJFld7PL6ufDp+LAuegllBkXBGgIj76d/E4l3pIb8 kq5jzyLbtD+u9IfcFCCq6Frjb8IbyQjbAWNfT7Eai31JsL0jcncdOFoUox8ps0vtqzgs /GFw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699302360; x=1699907160; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ZNo3RMtxxUUYe2oJL8ABVJZaH14s4wpvQnBQDQ06lMY=; b=BsvOZP6febu84QNLoJSE2kEUh8Tbae9X/rgAVj5xzTwT0pOTXLFfUI+nGtlpqb0EL9 xSo6ax2D1C4MMZxUB9uE/NWVsuBtR17JG+Kcn3WNcpKsiAOmI/7dRzzWvvuhRLSe+ToG ZXKEl8cDXP8Vx7M1Ztce86Xza2yMhg46MpEtsGXP3gVdzYBjNmeAbLlxrgfVlPggDCjx b2QLVKYkvXTL2ba6cdi9A2nQAXuhCKrJ9NUOKm49LiEzS74Tw2XieafuyJvfD7kI0/+S /G3s2ONnPqSzwFPg+/ioQXj1lcLk+u+jr9yS1yZZB+qUPD55LkL55Jv8sfpmyW9M2Szy dIxg== X-Gm-Message-State: AOJu0YxDQyv3fGI58VJaTVgeu18s5oID50lmf67d5Lt9SRnpy4tgK+Cd ny37YYiKDIkxnnbuorYYLcIAl71KRjbnqx3TQOBnbw== X-Received: by 2002:a81:6903:0:b0:5a8:960d:9aef with SMTP id e3-20020a816903000000b005a8960d9aefmr11762057ywc.49.1699302360011; Mon, 06 Nov 2023 12:26:00 -0800 (PST) Received: from mandiga.. ([2804:1b3:a7c0:a715:c1a0:7281:6384:2ee9]) by smtp.gmail.com with ESMTPSA id ci7-20020a05690c0a8700b005a7b8fddfedsm4707154ywb.41.2023.11.06.12.25.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 06 Nov 2023 12:25:59 -0800 (PST) From: Adhemerval Zanella To: libc-alpha@sourceware.org, Siddhesh Poyarekar Subject: [PATCH v3 01/19] elf: Remove /etc/suid-debug support Date: Mon, 6 Nov 2023 17:25:34 -0300 Message-Id: <20231106202552.3404059-2-adhemerval.zanella@linaro.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231106202552.3404059-1-adhemerval.zanella@linaro.org> References: <20231106202552.3404059-1-adhemerval.zanella@linaro.org> MIME-Version: 1.0 X-Spam-Status: No, score=-12.5 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces+patch=linaro.org@sourceware.org Since malloc debug support moved to a different library (libc_malloc_debug.so), the glibc.malloc.check requires preloading the debug library to enable it. It means that suid-debug support has not been working since 2.34. To restore its support, it would require to add additional information and parsing to where to find libc_malloc_debug.so. It is one thing less that might change AT_SECURE binaries' behavior due to environment configurations. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar --- elf/dl-tunables.c | 16 ---------------- elf/rtld.c | 3 +-- manual/memory.texi | 4 +--- manual/tunables.texi | 4 +--- 4 files changed, 3 insertions(+), 24 deletions(-) diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c index cae67efa0a..24252af22c 100644 --- a/elf/dl-tunables.c +++ b/elf/dl-tunables.c @@ -252,20 +252,6 @@ parse_tunables (char *tunestr, char *valstring) tunestr[off] = '\0'; } -/* Enable the glibc.malloc.check tunable in SETUID/SETGID programs only when - the system administrator has created the /etc/suid-debug file. This is a - special case where we want to conditionally enable/disable a tunable even - for setuid binaries. We use the special version of access() to avoid - setting ERRNO, which is a TLS variable since TLS has not yet been set - up. */ -static __always_inline void -maybe_enable_malloc_check (void) -{ - tunable_id_t id = TUNABLE_ENUM_NAME (glibc, malloc, check); - if (__libc_enable_secure && __access_noerrno ("/etc/suid-debug", F_OK) == 0) - tunable_list[id].security_level = TUNABLE_SECLEVEL_NONE; -} - /* Initialize the tunables list from the environment. For now we only use the ENV_ALIAS to find values. Later we will also use the tunable names to find values. */ @@ -277,8 +263,6 @@ __tunables_init (char **envp) size_t len = 0; char **prev_envp = envp; - maybe_enable_malloc_check (); - while ((envp = get_next_env (envp, &envname, &len, &envval, &prev_envp)) != NULL) { diff --git a/elf/rtld.c b/elf/rtld.c index 5107d16fe3..51b6d9f326 100644 --- a/elf/rtld.c +++ b/elf/rtld.c @@ -2670,8 +2670,7 @@ process_envvars (struct dl_main_state *state) } while (*nextp != '\0'); - if (__access ("/etc/suid-debug", F_OK) != 0) - GLRO(dl_debug_mask) = 0; + GLRO(dl_debug_mask) = 0; if (state->mode != rtld_mode_normal) _exit (5); diff --git a/manual/memory.texi b/manual/memory.texi index 5781a64f35..258fdbd3a0 100644 --- a/manual/memory.texi +++ b/manual/memory.texi @@ -1379,9 +1379,7 @@ There is one problem with @code{MALLOC_CHECK_}: in SUID or SGID binaries it could possibly be exploited since diverging from the normal programs behavior it now writes something to the standard error descriptor. Therefore the use of @code{MALLOC_CHECK_} is disabled by default for -SUID and SGID binaries. It can be enabled again by the system -administrator by adding a file @file{/etc/suid-debug} (the content is -not important it could be empty). +SUID and SGID binaries. So, what's the difference between using @code{MALLOC_CHECK_} and linking with @samp{-lmcheck}? @code{MALLOC_CHECK_} is orthogonal with respect to diff --git a/manual/tunables.texi b/manual/tunables.texi index 776fd93fd9..347b5698b5 100644 --- a/manual/tunables.texi +++ b/manual/tunables.texi @@ -136,9 +136,7 @@ termination of the process. Like @env{MALLOC_CHECK_}, @code{glibc.malloc.check} has a problem in that it diverges from normal program behavior by writing to @code{stderr}, which could by exploited in SUID and SGID binaries. Therefore, @code{glibc.malloc.check} -is disabled by default for SUID and SGID binaries. This can be enabled again -by the system administrator by adding a file @file{/etc/suid-debug}; the -content of the file could be anything or even empty. +is disabled by default for SUID and SGID binaries. @end deftp @deftp Tunable glibc.malloc.top_pad