Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm
Reply-To: musl@lists.openwall.com
References: <3818608.tdWV9SEqCh@vulcan.edgedb.net>
In-Reply-To: <3818608.tdWV9SEqCh@vulcan.edgedb.net>
From: James Y Knight
Date: Wed, 17 Aug 2022 12:10:48 -0400
To: musl@lists.openwall.com
Cc: elvis@edgedb.com
Subject: Re: [musl] [PATCH] ldso/dynlink: Protect LD_ env vars from getting clobbered by apps

Sidenote: Linux does support a less awful way to change the kernel's view of argv these days, using prctl(PR_SET_MM, PR_SET_MM_ARG_START (or _END), addr, 0, 0). Sadly, it only allows root (CAP_SYS_RESOURCE) to use it. I'm not sure why, perhaps that restriction could be relaxed for future kernels...

See https://github.com/systemd/systemd/blob/87305b0fbfc0e40a948cf0a683bcf9d47b8a41a3/src/basic/process-util.c#L256 for an example of use (including ugly workaround for the API being silly and setting START/END with separate syscalls, but requiring START <= END at all times)

On Wed, Aug 17, 2022 at 6:05 AM Elvis Pranskevichus wrote:
> There is no guarantee that the environment block will remain intact.
> For example, PostgreSQL clobbers argv/environ area to implement its
> "setproctitle" emulation on non-BSD [1], and there is a popular Python
> library inspired by it [2]. As a result, setting `LD_LIBRARY_PATH`
> or `LD_PRELOAD` has no effect on Postgres subprocesses when linking
> against musl.
>
> Protect against this by making copies instead of storing the
> original pointers directly.
>
> (please CC me, I'm not subscribed to the list)
>
> ---
> ldso/dynlink.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/ldso/dynlink.c b/ldso/dynlink.c
> index cc677952..703342b8 100644
> --- a/ldso/dynlink.c
> +++ b/ldso/dynlink.c
> @@ -1756,8 +1756,8 @@ void __dls3(size_t *sp, size_t *auxv) > > /* Only trust user/env if kernel says we're not suid/sgid */ > if (!libc.secure) { > - env_path = getenv("LD_LIBRARY_PATH"); > - env_preload = getenv("LD_PRELOAD"); > + env_path = strdup(getenv("LD_LIBRARY_PATH")); > + env_preload = strdup(getenv("LD_PRELOAD")); > } > > /* Activate error handler function */ > > > > > --0000000000003e824a05e6721d37 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
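Review bot: the two `+` lines pass the result of `getenv()` straight to `strdup()` with no NULL check. `getenv()` returns NULL whenever the variable is unset, which is the normal case for both `LD_LIBRARY_PATH` and `LD_PRELOAD`, and `strdup(NULL)` is undefined behaviour that in practice dereferences the null pointer inside `strlen()`, so as written every ordinary dynamically linked program would crash in `__dls3` before reaching `main()`. Guard each copy, e.g. `char *p = getenv("LD_LIBRARY_PATH"); env_path = p ? strdup(p) : 0;` and the same for `LD_PRELOAD`. A second point worth a comment in the code: `strdup()` also returns NULL on allocation failure, and the hunk silently treats that as "variable not set"; since the copy only happens inside the `!libc.secure` branch this degrades the feature rather than security, but that choice should be stated explicitly rather than left implicit.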