If the process is in a bad state, we used to print backtraces in
many cases. This is problematic because doing so could involve
a lot of work, like loading libgcc_s using the dynamic linker,
and this could itself be targeted by exploit writers. For example,
if the crashing process was forked from a long-lived process, the
addresses in the error message could be used to bypass ASLR.

After commit ed421fca42 ("Avoid backtrace from
__stack_chk_fail [BZ #12189]"), backtraces were no longer printed
because backtrace_and_maps was always called with do_abort == 1.

Rather than fixing this logic error, this change removes the backtrace
functionality from the sources. With the prevalence of external crash
handlers, it does not appear to be particularly useful. The crash
handler may also destroy useful information for debugging.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
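
The ASLR concern in the commit message above rests on fork() preserving the parent's randomized layout. The C program below is an added illustration, not glibc code and not part of the commit; `sample_layout` and `children_sharing_layout` are names made up for it. It checks that every child forked from one parent reports the same text, libc and stack addresses as that parent, which is why addresses printed by one crashing child stay valid for its siblings.

```c
/* Added illustration, not glibc code; all names here are made up. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;              /* environment block lives on the stack */
struct layout { uintptr_t text, libc, stack; };
/* Sample the kinds of addresses a backtrace or memory map would reveal. */
static struct layout sample_layout(void)
{
    return (struct layout){ (uintptr_t)&sample_layout,  /* program text */
                            (uintptr_t)&abort,          /* libc text */
                            (uintptr_t)environ };       /* stack */
}

/* Fork n children; return how many report the parent's layout (-1 on error). */
int children_sharing_layout(int n)
{
    struct layout parent = sample_layout();
    int same = 0;
    for (int i = 0; i < n; i++) {
        int fds[2];
        pid_t pid;
        if (pipe(fds) != 0 || (pid = fork()) < 0)
            return -1;
        if (pid == 0) {             /* child: report its own addresses */
            struct layout mine = sample_layout();
            ssize_t w = write(fds[1], &mine, sizeof mine);
            _exit(w == (ssize_t)sizeof mine ? 0 : 1);
        }
        close(fds[1]);
        struct layout child = {0, 0, 0};
        ssize_t r = read(fds[0], &child, sizeof child);
        close(fds[0]);
        waitpid(pid, NULL, 0);
        if (r == (ssize_t)sizeof child && child.text == parent.text
            && child.libc == parent.libc && child.stack == parent.stack)
            same++;
    }
    return same;
}

int main(void)
{
    printf("%d of 8 children share the parent's layout\n", children_sharing_layout(8));
    return 0;
}
```
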
__libc_argv[0] points to address on stack and __libc_secure_getenv
accesses environment variables which are on stack. We should avoid
accessing stack when stack is corrupted.

This patch also renames function argument in __fortify_fail_abort
from do_backtrace to need_backtrace to avoid confusion with do_backtrace
from enum __libc_message_action.

[BZ #21752]
* debug/fortify_fail.c (__fortify_fail_abort): Don't pass down
__libc_argv[0] if we aren't doing backtrace. Rename do_backtrace
to need_backtrace.
* sysdeps/posix/libc_fatal.c (__libc_message): Don't call
__libc_secure_getenv if we aren't doing backtrace.

__stack_chk_fail is called on corrupted stack. Stack backtrace is very
unreliable against corrupted stack. __libc_message is changed to accept
enum __libc_message_action and call BEFORE_ABORT only if action includes
do_backtrace. __fortify_fail_abort is added to avoid backtrace from
__stack_chk_fail.

[BZ #12189]
* debug/Makefile (CFLAGS-tst-ssp-1.c): New.
(tests): Add tst-ssp-1 if -fstack-protector works.
* debug/fortify_fail.c: Include <stdbool.h>.
(_fortify_fail_abort): New function.
(__fortify_fail): Call _fortify_fail_abort.
(__fortify_fail_abort): Add a hidden definition.
* debug/stack_chk_fail.c: Include <stdbool.h>.
(__stack_chk_fail): Call __fortify_fail_abort, instead of
__fortify_fail.
* debug/tst-ssp-1.c: New file.
* include/stdio.h (__libc_message_action): New enum.
(__libc_message): Replace int with enum __libc_message_action.
(__fortify_fail_abort): New hidden prototype.
* malloc/malloc.c (malloc_printerr): Update __libc_message calls.
* sysdeps/posix/libc_fatal.c (__libc_message): Replace int
with enum __libc_message_action. Call BEFORE_ABORT only if
action includes do_backtrace.
(__libc_fatal): Update __libc_message call.

* rt/Makefile (headers): Add bits/mqueue2.h.
* rt/mqueue.h: Include bits/mqueue2.h if -D_FORTIFY_SOURCE=2,
optimizing with GCC and __va_arg_pack_len is defined.
* rt/bits/mqueue2.h: New file.
* rt/mq_open.c (__mq_open): Renamed from mq_open.
(mq_open): New strong_alias.
(__mq_open_2): New function.
* sysdeps/unix/sysv/linux/mq_open.c (__mq_open): Renamed from mq_open.
(mq_open): New strong_alias.
(__mq_open_2): New function.
* debug/Versions (libc): Export __fortify_fail@@GLIBC_PRIVATE.
* Versions.def (librt): Add GLIBC_2.7 version.
* debug/fortify_fail.c (__fortify_fail): Add libc_hidden_def.
* include/stdio.h (__fortify_fail): Add libc_hidden_proto.
* misc/sys/cdefs.h (__errordecl, __va_arg_pack_len): Define.
* io/fcntl.h: Include bits/fcntl2.h when __va_arg_pack_len
is defined rather than when not C++.
* io/bits/fcntl2.h (__open_alias, __open64_alias, __openat_alias,
__openat64_alias): New redirects.
(__open_too_many_args, __open_missing_mode, __open64_too_many_args,
__open64_missing_mode, __openat_too_many_args, __openat_missing_mode,
__openat64_too_many_args, __openat64_missing_mode): New __errordecls.
(open, open64, openat, openat64): Rewrite as __extern_always_inline
functions instead of function-like macros.