[compiler-rt] [sanitizer] Disable writes to log files for binaries in a secure context. (PR #92593)

via llvm-commits llvm-commits at lists.llvm.org
Mon May 20 10:23:54 PDT 2024 

https://github.com/bigb4ng updated https://github.com/llvm/llvm-project/pull/92593

>From 5fd2d1c8c4bea393ecaaa6a25c8087abd6f3b9ae Mon Sep 17 00:00:00 2001
From: bigb4ng <130478744+bigb4ng at users.noreply.github.com>
Date: Fri, 17 May 2024 07:26:39 +0300
Subject: [PATCH] [sanitizer] Disable using log_path with AT_SECURE and/or
 setuid binaries.

Fix for https://github.com/google/sanitizers/issues/1130.

An original issue described by Szabolcs Nagy at https://seclists.org/oss-sec/2016/q1/363.
---
 compiler-rt/lib/sanitizer_common/sanitizer_common.h |  5 +++++
 .../sanitizer_common/sanitizer_common_nolibc.cpp    |  1 +
 compiler-rt/lib/sanitizer_common/sanitizer_file.cpp | 10 ++++++++++
 .../sanitizer_common/sanitizer_posix_libcdep.cpp    | 13 +++++++++++++
 compiler-rt/lib/sanitizer_common/sanitizer_win.cpp  |  2 ++
 5 files changed, 31 insertions(+)

diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_common.h b/compiler-rt/lib/sanitizer_common/sanitizer_common.h
index c451fc962c529..ef03b47e89929 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_common.h
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_common.h
@@ -1096,6 +1096,11 @@ inline u32 GetNumberOfCPUsCached() {
   return NumberOfCPUsCached;
 }
 
+// Returns true if the our runtime has special privileges (e.g. setuid) and
+// should be treated with caution when dealing with untrusted user input.
+// For example, when writing files or executing user-specified binaries.
+bool ShouldTreatRuntimeSecurely();
+
 }  // namespace __sanitizer
 
 inline void *operator new(__sanitizer::usize size,
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_common_nolibc.cpp b/compiler-rt/lib/sanitizer_common/sanitizer_common_nolibc.cpp
index 67e77a8777818..104f4634e875b 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_common_nolibc.cpp
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_common_nolibc.cpp
@@ -26,6 +26,7 @@ void LogMessageOnPrintf(const char *str) {}
 void WriteToSyslog(const char *buffer) {}
 void Abort() { internal__exit(1); }
 bool CreateDir(const char *pathname) { return false; }
+bool ShouldTreatRuntimeSecurely() { return false; }
 #endif // !SANITIZER_WINDOWS
 
 #if !SANITIZER_WINDOWS && !SANITIZER_APPLE
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_file.cpp b/compiler-rt/lib/sanitizer_common/sanitizer_file.cpp
index 7ef499ce07b13..a4b89d8198a52 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_file.cpp
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_file.cpp
@@ -104,6 +104,16 @@ void ReportFile::SetReportPath(const char *path) {
     }
   }
 
+  if (path && ShouldTreatRuntimeSecurely() &&
+      internal_strcmp(path, "stderr") != 0 &&
+      internal_strcmp(path, "stdout") != 0) {
+    Report(
+        "ERROR: log_path must be 'stderr' or 'stdout' for AT_SECURE and/or "
+        "setuid binaries, is '%s'\n",
+        path);
+    Die();
+  }
+
   SpinMutexLock l(mu);
   if (fd != kStdoutFd && fd != kStderrFd && fd != kInvalidFd)
     CloseFile(fd);
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cpp b/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cpp
index ece2d7d63dd61..b282d3c1cf5b0 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cpp
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cpp
@@ -43,6 +43,10 @@
 #define MAP_NORESERVE 0
 #endif
 
+#  if SANITIZER_LINUX
+#    include "sanitizer_getauxval.h"
+#  endif
+
 typedef void (*sa_sigaction_t)(int, siginfo_t *, void *);
 
 namespace __sanitizer {
@@ -518,6 +522,15 @@ bool IsStateDetached(int state) {
   return state == PTHREAD_CREATE_DETACHED;
 }
 
+bool ShouldTreatRuntimeSecurely() {
+#  if SANITIZER_LINUX
+  // So we can use weak reference from sanitizer_getauxval.h
+  if (&getauxval)
+    return getauxval(/* AT_SECURE */ 23) != 0;
+#  endif
+  return getuid() == geteuid() && getgid() == getegid();
+}
+
 } // namespace __sanitizer
 
 #endif // SANITIZER_POSIX
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_win.cpp b/compiler-rt/lib/sanitizer_common/sanitizer_win.cpp
index 4e5ad8e4693b4..be4b06442ca58 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_win.cpp
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_win.cpp
@@ -1199,6 +1199,8 @@ void LogFullErrorReport(const char *buffer) {
 
 void InitializePlatformCommonFlags(CommonFlags *cf) {}
 
+bool ShouldTreatRuntimeSecurely() { return false; }
+
 }  // namespace __sanitizer
 
 #endif  // _WIN32

More information about the llvm-commits mailing list