glibc/debug/test-strcpy_chk.c
Adhemerval Zanella d40ac01cbb stdlib: Make abort/_Exit AS-safe (BZ 26275)
The recursive lock used on abort does not synchronize with a new process
creation (either by fork-like interfaces or posix_spawn ones), nor it
is reinitialized after fork().

Also, the SIGABRT unblock before raise() shows another race condition,
where a fork or posix_spawn() call by another thread, just after the
recursive lock release and before the SIGABRT signal, might create
programs with a non-expected signal mask.  With the default option
(without POSIX_SPAWN_SETSIGDEF), the process can see SIG_DFL for
SIGABRT, where it should be SIG_IGN.

To fix the AS-safe, raise() does not change the process signal mask,
and an AS-safe lock is used if a SIGABRT is installed or the process
is blocked or ignored.  With the signal mask change removal,
there is no need to use a recursive loc.  The lock is also taken on
both _Fork() and posix_spawn(), to avoid the spawn process to see the
abort handler as SIG_DFL.

A read-write lock is used to avoid serialize _Fork and posix_spawn
execution.  Both sigaction (SIGABRT) and abort() requires to lock
as writer (since both change the disposition).

The fallback is also simplified: there is no need to use a loop of
ABORT_INSTRUCTION after _exit() (if the syscall does not terminate the
process, the system is broken).

The proposed fix changes how setjmp works on a SIGABRT handler, where
glibc does not save the signal mask.  So usage like the below will now
always abort.

  static volatile int chk_fail_ok;
  static jmp_buf chk_fail_buf;

  static void
  handler (int sig)
  {
    if (chk_fail_ok)
      {
        chk_fail_ok = 0;
        longjmp (chk_fail_buf, 1);
      }
    else
      _exit (127);
  }
  [...]
  signal (SIGABRT, handler);
  [....]
  chk_fail_ok = 1;
  if (! setjmp (chk_fail_buf))
    {
      // Something that can calls abort, like a failed fortify function.
      chk_fail_ok = 0;
      printf ("FAIL\n");
    }

Such cases will need to use sigsetjmp instead.

The _dl_start_profile calls sigaction through _profil, and to avoid
pulling abort() on loader the call is replaced with __libc_sigaction.

Checked on x86_64-linux-gnu and aarch64-linux-gnu.

Reviewed-by: DJ Delorie <dj@redhat.com>
2024-10-08 14:40:12 -03:00

356 lines
8.0 KiB
C

/* Test and measure __strcpy_chk functions.
Copyright (C) 1999-2024 Free Software Foundation, Inc.
This file is part of the GNU C Library.
The GNU C Library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
The GNU C Library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with the GNU C Library; if not, see
<https://www.gnu.org/licenses/>. */
#ifndef STRCPY_RESULT
# define STRCPY_RESULT(dst, len) dst
# define TEST_MAIN
# define TEST_NAME "strcpy_chk"
# include <string/test-string.h>
/* This test case implicitly tests the availability of the __chk_fail
symbol, which is part of the public ABI and may be used
externally. */
extern void __attribute__ ((noreturn)) __chk_fail (void);
char *simple_strcpy_chk (char *, const char *, size_t);
extern char *normal_strcpy (char *, const char *, size_t)
__asm ("strcpy");
extern char *__strcpy_chk (char *, const char *, size_t);
IMPL (simple_strcpy_chk, 0)
IMPL (normal_strcpy, 1)
IMPL (__strcpy_chk, 2)
char *
simple_strcpy_chk (char *dst, const char *src, size_t len)
{
char *ret = dst;
if (! len)
__chk_fail ();
while ((*dst++ = *src++) != '\0')
if (--len == 0)
__chk_fail ();
return ret;
}
#endif
#include <fcntl.h>
#include <paths.h>
#include <setjmp.h>
#include <signal.h>
static int test_main (void);
#define TEST_FUNCTION test_main
#include <support/test-driver.c>
#include <support/support.h>
volatile int chk_fail_ok;
sigjmp_buf chk_fail_buf;
static void
handler (int sig)
{
if (chk_fail_ok)
{
chk_fail_ok = 0;
longjmp (chk_fail_buf, 1);
}
else
_exit (127);
}
typedef char *(*proto_t) (char *, const char *, size_t);
static void
do_one_test (impl_t *impl, char *dst, const char *src,
size_t len, size_t dlen)
{
char *res;
if (dlen <= len)
{
if (impl->test == 1)
return;
chk_fail_ok = 1;
if (sigsetjmp (chk_fail_buf, 1) == 0)
{
res = CALL (impl, dst, src, dlen);
printf ("*** Function %s (%zd; %zd) did not __chk_fail\n",
impl->name, len, dlen);
chk_fail_ok = 0;
ret = 1;
}
return;
}
else
res = CALL (impl, dst, src, dlen);
if (res != STRCPY_RESULT (dst, len))
{
printf ("Wrong result in function %s %p %p\n", impl->name,
res, STRCPY_RESULT (dst, len));
ret = 1;
return;
}
if (strcmp (dst, src) != 0)
{
printf ("Wrong result in function %s dst \"%s\" src \"%s\"\n",
impl->name, dst, src);
ret = 1;
return;
}
}
static void
do_test (size_t align1, size_t align2, size_t len, size_t dlen, int max_char)
{
size_t i;
char *s1, *s2;
align1 &= 7;
if (align1 + len >= page_size)
return;
align2 &= 7;
if (align2 + len >= page_size)
return;
s1 = (char *) buf1 + align1;
s2 = (char *) buf2 + align2;
for (i = 0; i < len; i++)
s1[i] = 32 + 23 * i % (max_char - 32);
s1[len] = 0;
FOR_EACH_IMPL (impl, 0)
do_one_test (impl, s2, s1, len, dlen);
}
static void
do_random_tests (void)
{
size_t i, j, n, align1, align2, len, dlen;
unsigned char *p1 = buf1 + page_size - 512;
unsigned char *p2 = buf2 + page_size - 512;
unsigned char *res;
for (n = 0; n < ITERATIONS; n++)
{
align1 = random () & 31;
if (random () & 1)
align2 = random () & 31;
else
align2 = align1 + (random () & 24);
len = random () & 511;
j = align1;
if (align2 > j)
j = align2;
if (len + j >= 511)
len = 510 - j - (random () & 7);
j = len + align1 + 64;
if (j > 512)
j = 512;
for (i = 0; i < j; i++)
{
if (i == len + align1)
p1[i] = 0;
else
{
p1[i] = random () & 255;
if (i >= align1 && i < len + align1 && !p1[i])
p1[i] = (random () & 127) + 3;
}
}
switch (random () & 7)
{
case 0:
dlen = len - (random () & 31);
if (dlen > len)
dlen = len;
break;
case 1:
dlen = (size_t) -1;
break;
case 2:
dlen = len + 1 + (random () & 65535);
break;
case 3:
dlen = len + 1 + (random () & 255);
break;
case 4:
dlen = len + 1 + (random () & 31);
break;
case 5:
dlen = len + 1 + (random () & 7);
break;
case 6:
dlen = len + 1 + (random () & 3);
break;
default:
dlen = len + 1;
break;
}
FOR_EACH_IMPL (impl, 1)
{
if (dlen <= len)
{
if (impl->test != 1)
{
chk_fail_ok = 1;
if (sigsetjmp (chk_fail_buf, 1) == 0)
{
res = (unsigned char *)
CALL (impl, (char *) p2 + align2,
(char *) p1 + align1, dlen);
printf ("Iteration %zd - did not __chk_fail\n", n);
chk_fail_ok = 0;
ret = 1;
}
}
continue;
}
memset (p2 - 64, '\1', 512 + 64);
res = (unsigned char *)
CALL (impl, (char *) p2 + align2, (char *) p1 + align1, dlen);
if (res != STRCPY_RESULT (p2 + align2, len))
{
printf ("\
Iteration %zd - wrong result in function %s (%zd, %zd, %zd) %p != %p\n",
n, impl->name, align1, align2, len, res,
STRCPY_RESULT (p2 + align2, len));
ret = 1;
}
for (j = 0; j < align2 + 64; ++j)
{
if (p2[j - 64] != '\1')
{
printf ("\
Iteration %zd - garbage before, %s (%zd, %zd, %zd)\n",
n, impl->name, align1, align2, len);
ret = 1;
break;
}
}
for (j = align2 + len + 1; j < 512; ++j)
{
if (p2[j] != '\1')
{
printf ("\
Iteration %zd - garbage after, %s (%zd, %zd, %zd)\n",
n, impl->name, align1, align2, len);
ret = 1;
break;
}
}
if (memcmp (p1 + align1, p2 + align2, len + 1))
{
printf ("\
Iteration %zd - different strings, %s (%zd, %zd, %zd)\n",
n, impl->name, align1, align2, len);
ret = 1;
}
}
}
}
static int
test_main (void)
{
size_t i;
set_fortify_handler (handler);
test_init ();
printf ("%23s", "");
FOR_EACH_IMPL (impl, 0)
printf ("\t%s", impl->name);
putchar ('\n');
for (i = 0; i < 16; ++i)
{
do_test (0, 0, i, i + 1, 127);
do_test (0, 0, i, i + 1, 255);
do_test (0, i, i, i + 1, 127);
do_test (i, 0, i, i + 1, 255);
}
for (i = 1; i < 8; ++i)
{
do_test (0, 0, 8 << i, (8 << i) + 1, 127);
do_test (8 - i, 2 * i, (8 << i), (8 << i) + 1, 127);
}
for (i = 1; i < 8; ++i)
{
do_test (i, 2 * i, (8 << i), (8 << i) + 1, 127);
do_test (2 * i, i, (8 << i), (8 << i) + 1, 255);
do_test (i, i, (8 << i), (8 << i) + 1, 127);
do_test (i, i, (8 << i), (8 << i) + 1, 255);
}
for (i = 0; i < 16; ++i)
{
do_test (0, 0, i, i + 256, 127);
do_test (0, 0, i, i + 256, 255);
do_test (0, i, i, i + 256, 127);
do_test (i, 0, i, i + 256, 255);
}
for (i = 1; i < 8; ++i)
{
do_test (0, 0, 8 << i, (8 << i) + 256, 127);
do_test (8 - i, 2 * i, (8 << i), (8 << i) + 256, 127);
}
for (i = 1; i < 8; ++i)
{
do_test (i, 2 * i, (8 << i), (8 << i) + 256, 127);
do_test (2 * i, i, (8 << i), (8 << i) + 256, 255);
do_test (i, i, (8 << i), (8 << i) + 256, 127);
do_test (i, i, (8 << i), (8 << i) + 256, 255);
}
for (i = 0; i < 16; ++i)
{
do_test (0, 0, i, i, 127);
do_test (0, 0, i, i + 2, 255);
do_test (0, i, i, i + 3, 127);
do_test (i, 0, i, i + 4, 255);
}
for (i = 1; i < 8; ++i)
{
do_test (0, 0, 8 << i, (8 << i) - 15, 127);
do_test (8 - i, 2 * i, (8 << i), (8 << i) + 5, 127);
}
for (i = 1; i < 8; ++i)
{
do_test (i, 2 * i, (8 << i), (8 << i) + i, 127);
do_test (2 * i, i, (8 << i), (8 << i) + (i - 1), 255);
do_test (i, i, (8 << i), (8 << i) + i + 2, 127);
do_test (i, i, (8 << i), (8 << i) + i + 3, 255);
}
do_random_tests ();
return ret;
}