			
		
		
		
The 7bb8045ec0 patch made the '%n' fortify check ignore EMFILE errors
while trying to open /proc/self/maps, and this added a security
issue where EMFILE can be attacker-controlled, thus making the check
ineffective for some cases.
The EMFILE failure is reinstated but with a different error
message.  Also, to reduce false positives of the hardening in
the cases where no new files can be opened,
_dl_readonly_area now uses _dl_find_object to check if the
memory area is within a writable ELF segment.  The procfs method is
still used as fallback.
Checked on x86_64-linux-gnu and i686-linux-gnu.
Reviewed-by: Arjun Shankar <arjun@redhat.com>
		
	
		
			
				
	
	
		
		
	
	
	
	
	
/* Copyright (C) 2004-2025 Free Software Foundation, Inc.
   This file is part of the GNU C Library.

   The GNU C Library is free software; you can redistribute it and/or
   modify it under the terms of the GNU Lesser General Public
   License as published by the Free Software Foundation; either
   version 2.1 of the License, or (at your option) any later version.

   The GNU C Library is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   Lesser General Public License for more details.

   You should have received a copy of the GNU Lesser General Public
   License along with the GNU C Library; if not, see
   <https://www.gnu.org/licenses/>.  */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdio_ext.h>
#include <stdlib.h>
#include <string.h>
#include "libio/libioP.h"
/* Decide from /proc/self/maps whether the SIZE bytes starting at PTR
   lie entirely inside mappings whose permission field begins with
   "r-" (readable, not writable).

   Returns:
     readonly_noerror             every byte was accounted for by such
                                  mappings;
     readonly_area_writable       some byte was not accounted for, an
                                  overlapping mapping had other
                                  permissions, or a line did not parse;
     readonly_procfs_inaccessible the maps file could not be opened
                                  because of ENOENT or EACCES;
     readonly_procfs_open_fail    the open failed for any other reason.  */
enum readonly_error_type
__readonly_area_fallback (const void *ptr, size_t size)
{
  const uintptr_t area_start = (uintptr_t) ptr;
  const uintptr_t area_end = (uintptr_t) (ptr + size);

  /* 'c' keeps fopen from acting as a cancellation point and 'e' opens
     the descriptor close-on-exec.  */
  FILE *maps = fopen ("/proc/self/maps", "rce");
  if (maps == NULL)
    {
      switch (errno)
        {
        /* An administrator may deliberately withhold /proc from this
           process (for example by running it in a chroot), so a
           missing file is not treated as a failure.  */
        case ENOENT:
        /* The kernel denies set[ug]id processes access to /proc; this
           is regarded as a kernel bug that has not been fixed.  */
        case EACCES:
          return readonly_procfs_inaccessible;

        /* Descriptor exhaustion or some other unusual error.  It gets
           its own result so it is not mistaken for "procfs absent".
           NOTE(review): running out of descriptors can be provoked
           from outside the program, so callers presumably must not
           treat this result as "read-only" -- confirm at the call
           site.  */
        default:
          return readonly_procfs_open_fail;
        }
    }

  /* The stream is private to this function, so stdio locking is not
     needed.  */
  __fsetlocking (maps, FSETLOCKING_BYCALLER);

  char *line = NULL;
  size_t linelen = 0;

  /* Each line starts with "FROM-TO PERMS ..." with FROM and TO in hex.
     Any line that does not match stops the scan and leaves SIZE as it
     is, which reports the area as writable unless it was already
     fully accounted for.  */
  while (!__feof_unlocked (maps)
         && __getdelim (&line, &linelen, '\n', maps) > 0)
    {
      char *sep;
      uintptr_t from = strtoul (line, &sep, 16);
      if (sep == line || *sep != '-')
        break;

      char *to_text = sep + 1;
      char *perms;
      uintptr_t to = strtoul (to_text, &perms, 16);
      if (perms == to_text || *perms != ' ')
        break;
      perms++;

      /* Mappings that do not touch the area are irrelevant.  */
      if (from >= area_end || to <= area_start)
        continue;

      /* This mapping covers at least part of the area; it must be
         readable and not writable.  */
      if (perms[0] != 'r' || perms[1] != '-')
        break;

      if (from <= area_start && to >= area_end)
        {
          /* A single mapping covers the whole area.  */
          size = 0;
          break;
        }

      /* Partial cover: subtract the overlapping bytes from what is
         still unaccounted for.  */
      uintptr_t lo = from > area_start ? from : area_start;
      uintptr_t hi = to < area_end ? to : area_end;
      size -= hi - lo;

      if (size == 0)
        break;
    }

  fclose (maps);
  free (line);

  if (size == 0)
    return readonly_noerror;
  return readonly_area_writable;
}