// Copyright 2018 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifdef UNSAFE_BUFFERS_BUILD // TODO(crbug.com/351564777): Remove this and convert code to safer constructs. #pragma allow_unsafe_buffers #endif #include "sandbox/linux/services/libc_interceptor.h" #include <dlfcn.h> #include <fcntl.h> #include <netdb.h> #include <pthread.h> #include <signal.h> #include <stddef.h> #include <stdint.h> #include <string.h> #include <sys/prctl.h> #include <sys/socket.h> #include <sys/types.h> #include <time.h> #include <unistd.h> #include <set> #include <string> #include "base/compiler_specific.h" #include "base/debug/dump_without_crashing.h" #include "base/lazy_instance.h" #include "base/logging.h" #include "base/numerics/safe_conversions.h" #include "base/pickle.h" #include "base/posix/eintr_wrapper.h" #include "base/posix/global_descriptors.h" #include "base/posix/unix_domain_socket.h" #include "base/sanitizer_buildflags.h" #include "base/synchronization/lock.h" #include "base/time/time.h" #if BUILDFLAG(USING_SANITIZER) && !defined(COMPONENT_BUILD) // Sanitizers may override certain libc functions with a weak symbol that points // the real symbol to an interceptor symbol. E.g. getaddrinfo -> // __interceptor_getaddrinfo. However our own libc overrides below prevent the // weak symbol from binding, which leads to errors (especially msan errors) when // the sanitizer interception code doesn't run. So we want to call the // sanitizer's __interceptor_* version of the symbol if it exists. // // So here, using a weak symbol we can detect whether a sanitizer has overridden // a libc symbol with its own __interceptor_* function. If it's been // intercepted, we can call the sanitizer's version instead of the normal // RTLD_NEXT version. // // Note that in component builds this isn't necessary because our override is in // a shared object, but the sanitizer interceptor is always in the main // executable so it is always first in the binding order. That means the // interceptor will call our override, and calling the interceptor again is // infinite recursion. // // INTERCEPTOR_DECL declares the weak symbol for the __interceptor_* version and // REAL(func) should return the address of the __interceptor_* version of |func| // if it exists, otherwise it returns dlsym(RTLD_NEXT, func). #define INTERCEPTOR_DECL … #define REAL … #else // BUILDFLAG(USING_SANITIZER) #define INTERCEPTOR_DECL(...) … #define REAL(func) … #endif // BUILDFLAG(USING_SANITIZER) // When Chrome's interceptors have overridden a libc function but need to call // the actual libc version, the following macros take care of calling // dlsym(RTLD_NEXT, func), storing the result, handling failures, and disabling // CFI checks when calling the resulting pointer. See below for examples. #define DLSYM_FUNC_DECL(ret_type, func, ...) … #define DLSYM_FUNC_BODY(func, dlsym_failed_return_val, ...) … // Used to call a |func| that's been declared with DLSYM_FUNC_DECL. #define CALL_FUNC(func, ...) … // A wrapper that calls libc's getaddrinfo(). DLSYM_FUNC_DECL(int, getaddrinfo, const char* node, const char* service, const struct addrinfo* hints, struct addrinfo** res) { … } namespace sandbox { namespace { // The global |g_am_zygote_or_renderer| is true iff we are in a zygote or // renderer process. It's set in ZygoteMain and inherited by the renderers when // they fork. (This means that it'll be incorrect for global constructor // functions and before ZygoteMain is called - beware). bool g_am_zygote_or_renderer = …; int g_backchannel_fd = …; base::LazyInstance<std::set<std::string>>::Leaky g_timezones = …; base::LazyInstance<base::Lock>::Leaky g_timezones_lock = …; bool ReadTimeStruct(base::PickleIterator* iter, struct tm* output, char* timezone_out, size_t timezone_out_len) { … } void WriteTimeStruct(base::Pickle* pickle, const struct tm& time) { … } // See // https://chromium.googlesource.com/chromium/src/+/main/docs/linux/zygote.md void ProxyLocaltimeCallToBrowser(time_t input, struct tm* output, char* timezone_out, size_t timezone_out_len) { … } // The other side of this call is ProxyLocaltimeCallToBrowser(). bool HandleLocalTime(int fd, base::PickleIterator iter, const std::vector<base::ScopedFD>& fds) { … } } // namespace LocaltimeFunction; LocaltimeRFunction; static pthread_once_t g_libc_localtime_funcs_guard = …; static LocaltimeFunction g_libc_localtime; static LocaltimeFunction g_libc_localtime64; static LocaltimeRFunction g_libc_localtime_r; static LocaltimeRFunction g_libc_localtime64_r; static void InitLibcLocaltimeFunctionsImpl() { … } // Define localtime_override() function with asm name "localtime", so that all // references to localtime() will resolve to this function. Notice that we need // to set visibility attribute to "default" to export the symbol, as it is set // to "hidden" by default in chrome per build/common.gypi. __attribute__((__visibility__("default"))) struct tm* localtime_override( const time_t* timep) __asm__("localtime"); NO_SANITIZE("cfi-icall") __attribute__((__visibility__("default"))) struct tm* localtime_override( const time_t* timep) { … } // Use same trick to override localtime64(), localtime_r() and localtime64_r(). __attribute__((__visibility__("default"))) struct tm* localtime64_override( const time_t* timep) __asm__("localtime64"); NO_SANITIZE("cfi-icall") __attribute__((__visibility__("default"))) struct tm* localtime64_override( const time_t* timep) { … } __attribute__((__visibility__("default"))) struct tm* localtime_r_override( const time_t* timep, struct tm* result) __asm__("localtime_r"); NO_SANITIZE("cfi-icall") __attribute__((__visibility__("default"))) struct tm* localtime_r_override( const time_t* timep, struct tm* result) { … } __attribute__((__visibility__("default"))) struct tm* localtime64_r_override( const time_t* timep, struct tm* result) __asm__("localtime64_r"); NO_SANITIZE("cfi-icall") __attribute__((__visibility__("default"))) struct tm* localtime64_r_override( const time_t* timep, struct tm* result) { … } void SetAmZygoteOrRenderer(bool enable, int backchannel_fd) { … } bool HandleInterceptedCall(int kind, int fd, base::PickleIterator iter, const std::vector<base::ScopedFD>& fds) { … } void InitLibcLocaltimeFunctions() { … } namespace { std::atomic<bool> g_getaddrinfo_discouraged{ … }; } // namespace extern "C" { __attribute__((visibility("default"), noinline)) int getaddrinfo( const char* node, const char* service, const struct addrinfo* hints, struct addrinfo** res) { … } } void DiscourageGetaddrinfo() { … } } // namespace sandbox
Codebase Browser
chromium