[Lldb-commits] [lldb] r314127 - Use socketpair on all Unix platforms

Eugene Zemtsov via lldb-commits lldb-commits at lists.llvm.org
Mon Sep 25 10:41:16 PDT 2017 

Author: eugene
Date: Mon Sep 25 10:41:16 2017
New Revision: 314127

URL: http://llvm.org/viewvc/llvm-project?rev=314127&view=rev
Log:
Use socketpair on all Unix platforms

Using TCP sockets is insecure against local attackers, and possibly
against remote attackers too (some vulnerabilities may allow tricking a
browser to make a request to localhost). Use socketpair (which is immune
to such attacks) on all Unix platforms.

Patch by Demi Marie Obenour < demiobenour at gmail.com >

Differential Revision: https://reviews.llvm.org/D33213

Modified:
    lldb/trunk/source/Plugins/Process/gdb-remote/ProcessGDBRemote.cpp
    lldb/trunk/tools/lldb-server/lldb-gdbserver.cpp

Modified: lldb/trunk/source/Plugins/Process/gdb-remote/ProcessGDBRemote.cpp
URL: http://llvm.org/viewvc/llvm-project/lldb/trunk/source/Plugins/Process/gdb-remote/ProcessGDBRemote.cpp?rev=314127&r1=314126&r2=314127&view=diff
==============================================================================
--- lldb/trunk/source/Plugins/Process/gdb-remote/ProcessGDBRemote.cpp (original)
+++ lldb/trunk/source/Plugins/Process/gdb-remote/ProcessGDBRemote.cpp Mon Sep 25 10:41:16 2017
@@ -3289,7 +3289,7 @@ ProcessGDBRemote::EstablishConnectionIfN
   }
   return error;
 }
-#if defined(__APPLE__)
+#if !defined(_WIN32)
 #define USE_SOCKETPAIR_FOR_LOCAL_CONNECTION 1
 #endif
 
@@ -3333,8 +3333,8 @@ Status ProcessGDBRemote::LaunchAndConnec
     lldb_utility::CleanUp<int, int> our_socket(-1, -1, close);
     lldb_utility::CleanUp<int, int> gdb_socket(-1, -1, close);
 
-    // Use a socketpair on Apple for now until other platforms can verify it
-    // works and is fast enough
+    // Use a socketpair on non-Windows systems for security and performance
+    // reasons.
     {
       int sockets[2]; /* the pair of socket descriptors */
       if (socketpair(AF_UNIX, SOCK_STREAM, 0, sockets) == -1) {

Modified: lldb/trunk/tools/lldb-server/lldb-gdbserver.cpp
URL: http://llvm.org/viewvc/llvm-project/lldb/trunk/tools/lldb-server/lldb-gdbserver.cpp?rev=314127&r1=314126&r2=314127&view=diff
==============================================================================
--- lldb/trunk/tools/lldb-server/lldb-gdbserver.cpp (original)
+++ lldb/trunk/tools/lldb-server/lldb-gdbserver.cpp Mon Sep 25 10:41:16 2017
@@ -106,6 +106,7 @@ static struct option g_long_options[] =
            // than llgs listening for a connection from address on port.
     {"setsid", no_argument, NULL,
      'S'}, // Call setsid() to make llgs run in its own session.
+    {"fd", required_argument, NULL, 'F'},
     {NULL, 0, NULL, 0}};
 
 //----------------------------------------------------------------------
@@ -132,13 +133,13 @@ static void display_usage(const char *pr
                   "[--log-file log-file-name] "
                   "[--log-channels log-channel-list] "
                   "[--setsid] "
+                  "[--fd file-descriptor]"
                   "[--named-pipe named-pipe-path] "
                   "[--native-regs] "
                   "[--attach pid] "
                   "[[HOST]:PORT] "
                   "[-- PROGRAM ARG1 ARG2 ...]\n",
           progname, subcommand);
-  exit(0);
 }
 
 void handle_attach_to_pid(GDBRemoteCommunicationServerLLGS &gdb_server,
@@ -232,10 +233,34 @@ void ConnectToRemote(MainLoop &mainloop,
                      GDBRemoteCommunicationServerLLGS &gdb_server,
                      bool reverse_connect, const char *const host_and_port,
                      const char *const progname, const char *const subcommand,
-                     const char *const named_pipe_path, int unnamed_pipe_fd) {
+                     const char *const named_pipe_path, int unnamed_pipe_fd,
+                     int connection_fd) {
   Status error;
 
-  if (host_and_port && host_and_port[0]) {
+  std::unique_ptr<Connection> connection_up;
+  if (connection_fd != -1) {
+    // Build the connection string.
+    char connection_url[512];
+    snprintf(connection_url, sizeof(connection_url), "fd://%d", connection_fd);
+
+    // Create the connection.
+#if !defined LLDB_DISABLE_POSIX && !defined _WIN32
+    ::fcntl(connection_fd, F_SETFD, FD_CLOEXEC);
+#endif
+    connection_up.reset(new ConnectionFileDescriptor);
+    auto connection_result = connection_up->Connect(connection_url, &error);
+    if (connection_result != eConnectionStatusSuccess) {
+      fprintf(stderr, "error: failed to connect to client at '%s' "
+                      "(connection status: %d)",
+              connection_url, static_cast<int>(connection_result));
+      exit(-1);
+    }
+    if (error.Fail()) {
+      fprintf(stderr, "error: failed to connect to client at '%s': %s",
+              connection_url, error.AsCString());
+      exit(-1);
+    }
+  } else if (host_and_port && host_and_port[0]) {
     // Parse out host and port.
     std::string final_host_and_port;
     std::string connection_host;
@@ -255,7 +280,6 @@ void ConnectToRemote(MainLoop &mainloop,
       connection_portno = StringConvert::ToUInt32(connection_port.c_str(), 0);
     }
 
-    std::unique_ptr<Connection> connection_up;
 
     if (reverse_connect) {
       // llgs will connect to the gdb-remote client.
@@ -328,14 +352,14 @@ void ConnectToRemote(MainLoop &mainloop,
       }
       connection_up.reset(conn);
     }
-    error = gdb_server.InitializeConnection(std::move(connection_up));
-    if (error.Fail()) {
-      fprintf(stderr, "Failed to initialize connection: %s\n",
-              error.AsCString());
-      exit(-1);
-    }
-    printf("Connection established.\n");
   }
+  error = gdb_server.InitializeConnection(std::move(connection_up));
+  if (error.Fail()) {
+    fprintf(stderr, "Failed to initialize connection: %s\n",
+            error.AsCString());
+    exit(-1);
+  }
+  printf("Connection established.\n");
 }
 
 //----------------------------------------------------------------------
@@ -364,6 +388,7 @@ int main_gdbserver(int argc, char *argv[
       log_channels; // e.g. "lldb process threads:gdb-remote default:linux all"
   int unnamed_pipe_fd = -1;
   bool reverse_connect = false;
+  int connection_fd = -1;
 
   // ProcessLaunchInfo launch_info;
   ProcessAttachInfo attach_info;
@@ -413,6 +438,10 @@ int main_gdbserver(int argc, char *argv[
       reverse_connect = true;
       break;
 
+    case 'F':
+      connection_fd = StringConvert::ToUInt32(optarg, -1);
+      break;
+
 #ifndef _WIN32
     case 'S':
       // Put llgs into a new session. Terminals group processes
@@ -472,7 +501,8 @@ int main_gdbserver(int argc, char *argv[
   argc -= optind;
   argv += optind;
 
-  if (argc == 0) {
+  if (argc == 0 && connection_fd == -1) {
+    fputs("No arguments\n", stderr);
     display_usage(progname, subcommand);
     exit(255);
   }
@@ -501,7 +531,7 @@ int main_gdbserver(int argc, char *argv[
 
   ConnectToRemote(mainloop, gdb_server, reverse_connect, host_and_port,
                   progname, subcommand, named_pipe_path.c_str(),
-                  unnamed_pipe_fd);
+                  unnamed_pipe_fd, connection_fd);
 
   if (!gdb_server.IsConnected()) {
     fprintf(stderr, "no connection information provided, unable to run\n");

More information about the lldb-commits mailing list