2 * Copyright (C) 2008 The Android Open Source Project
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * * Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * * Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in
12 * the documentation and/or other materials provided with the
15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
16 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
18 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
19 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
22 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
25 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 #include "libc_init_common.h"
40 #include <sys/personality.h>
44 #include "private/KernelArgumentBlock.h"
45 #include "private/WriteProtected.h"
46 #include "private/bionic_auxv.h"
47 #include "private/bionic_globals.h"
48 #include "private/bionic_tls.h"
49 #include "private/libc_logging.h"
50 #include "private/thread_private.h"
51 #include "pthread_internal.h"
53 extern "C" abort_msg_t** __abort_message_ptr;
54 extern "C" int __system_properties_init(void);
56 __LIBC_HIDDEN__ WriteProtected<libc_globals> __libc_globals;
58 // Not public, but well-known in the BSDs.
59 const char* __progname;
61 // Declared in <unistd.h>.
65 __LIBC_HIDDEN__ void* __libc_sysinfo = nullptr;
67 __LIBC_HIDDEN__ void __libc_init_sysinfo(KernelArgumentBlock& args) {
68 __libc_sysinfo = reinterpret_cast<void*>(args.getauxval(AT_SYSINFO));
71 // TODO: lose this function and just access __libc_sysinfo directly.
72 __LIBC_HIDDEN__ extern "C" void* __kernel_syscall() {
73 return __libc_sysinfo;
77 void __libc_init_globals(KernelArgumentBlock& args) {
79 __libc_init_sysinfo(args);
81 // Initialize libc globals that are needed in both the linker and in libc.
82 // In dynamic binaries, this is run at least twice for different copies of the
83 // globals, once for the linker's copy and once for the one in libc.so.
84 __libc_auxv = args.auxv;
85 __libc_globals.initialize();
86 __libc_globals.mutate([&args](libc_globals* globals) {
87 __libc_init_vdso(globals, args);
88 __libc_init_setjmp_cookie(globals, args);
92 #if !defined(__LP64__)
93 static void __check_max_thread_id() {
94 if (gettid() > 65535) {
95 __libc_fatal("Limited by the size of pthread_mutex_t, 32 bit bionic libc only accepts "
96 "pid <= 65535, but current pid is %d", gettid());
101 static void arc4random_fork_handler() {
106 void __libc_init_common(KernelArgumentBlock& args) {
107 // Initialize various globals.
110 __progname = args.argv[0] ? args.argv[0] : "<unknown>";
111 __abort_message_ptr = args.abort_message_ptr;
113 #if !defined(__LP64__)
114 __check_max_thread_id();
117 // Register atfork handlers to take and release the arc4random lock.
118 pthread_atfork(arc4random_fork_handler, _thread_arc4_unlock, _thread_arc4_unlock);
120 __system_properties_init(); // Requires 'environ'.
123 __noreturn static void __early_abort(int line) {
124 // We can't write to stdout or stderr because we're aborting before we've checked that
125 // it's safe for us to use those file descriptors. We probably can't strace either, so
126 // we rely on the fact that if we dereference a low address, either debuggerd or the
127 // kernel's crash dump will show the fault address.
128 *reinterpret_cast<int*>(line) = 0;
132 // Force any of the closed stdin, stdout and stderr to be associated with /dev/null.
133 static void __nullify_closed_stdio() {
134 int dev_null = TEMP_FAILURE_RETRY(open("/dev/null", O_RDWR));
135 if (dev_null == -1) {
136 // init won't have /dev/null available, but SELinux provides an equivalent.
137 dev_null = TEMP_FAILURE_RETRY(open("/sys/fs/selinux/null", O_RDWR));
139 if (dev_null == -1) {
140 __early_abort(__LINE__);
143 // If any of the stdio file descriptors is valid and not associated
144 // with /dev/null, dup /dev/null to it.
145 for (int i = 0; i < 3; i++) {
146 // If it is /dev/null already, we are done.
151 // Is this fd already open?
152 int status = TEMP_FAILURE_RETRY(fcntl(i, F_GETFL));
157 // The only error we allow is that the file descriptor does not
158 // exist, in which case we dup /dev/null to it.
159 if (errno == EBADF) {
160 // Try dupping /dev/null to this stdio file descriptor and
161 // repeat if there is a signal. Note that any errors in closing
162 // the stdio descriptor are lost.
163 status = TEMP_FAILURE_RETRY(dup2(dev_null, i));
165 __early_abort(__LINE__);
168 __early_abort(__LINE__);
172 // If /dev/null is not one of the stdio file descriptors, close it.
174 if (close(dev_null) == -1) {
175 __early_abort(__LINE__);
180 // Check if the environment variable definition at 'envstr'
181 // starts with '<name>=', and if so return the address of the
182 // first character after the equal sign. Otherwise return null.
183 static const char* env_match(const char* envstr, const char* name) {
186 while (envstr[i] == name[i] && name[i] != '\0') {
190 if (name[i] == '\0' && envstr[i] == '=') {
191 return envstr + i + 1;
197 static bool __is_valid_environment_variable(const char* name) {
198 // According to the kernel source, by default the kernel uses 32*PAGE_SIZE
199 // as the maximum size for an environment variable definition.
200 const int MAX_ENV_LEN = 32*4096;
202 if (name == nullptr) {
206 // Parse the string, looking for the first '=' there, and its size.
208 int first_equal_pos = -1;
209 while (pos < MAX_ENV_LEN) {
210 if (name[pos] == '\0') {
213 if (name[pos] == '=' && first_equal_pos < 0) {
214 first_equal_pos = pos;
219 // Check that it's smaller than MAX_ENV_LEN (to detect non-zero terminated strings).
220 if (pos >= MAX_ENV_LEN) {
224 // Check that it contains at least one equal sign that is not the first character
225 if (first_equal_pos < 1) {
232 static bool __is_unsafe_environment_variable(const char* name) {
233 // None of these should be allowed when the AT_SECURE auxv
234 // flag is set. This flag is set to inform userspace that a
235 // security transition has occurred, for example, as a result
236 // of executing a setuid program or the result of an SELinux
237 // security transition.
238 static constexpr const char* UNSAFE_VARIABLE_NAMES[] = {
243 "LD_AOUT_LIBRARY_PATH",
267 for (const auto& unsafe_variable_name : UNSAFE_VARIABLE_NAMES) {
268 if (env_match(name, unsafe_variable_name) != nullptr) {
275 static void __sanitize_environment_variables(char** env) {
276 bool is_AT_SECURE = getauxval(AT_SECURE);
279 for (; src[0] != nullptr; ++src) {
280 if (!__is_valid_environment_variable(src[0])) {
283 // Remove various unsafe environment variables if we're loading a setuid program.
284 if (is_AT_SECURE && __is_unsafe_environment_variable(src[0])) {
293 static void __initialize_personality() {
294 #if !defined(__LP64__)
295 int old_value = personality(0xffffffff);
296 if (old_value == -1) {
297 __libc_fatal("error getting old personality value: %s", strerror(errno));
300 if (personality((static_cast<unsigned int>(old_value) & ~PER_MASK) | PER_LINUX32) == -1) {
301 __libc_fatal("error setting PER_LINUX32 personality: %s", strerror(errno));
306 void __libc_init_AT_SECURE(KernelArgumentBlock& args) {
307 __libc_auxv = args.auxv;
308 __abort_message_ptr = args.abort_message_ptr;
310 // Check that the kernel provided a value for AT_SECURE.
311 bool found_AT_SECURE = false;
312 for (ElfW(auxv_t)* v = __libc_auxv; v->a_type != AT_NULL; ++v) {
313 if (v->a_type == AT_SECURE) {
314 found_AT_SECURE = true;
318 if (!found_AT_SECURE) __early_abort(__LINE__);
320 if (getauxval(AT_SECURE)) {
321 // If this is a setuid/setgid program, close the security hole described in
322 // https://www.freebsd.org/security/advisories/FreeBSD-SA-02:23.stdio.asc
323 __nullify_closed_stdio();
325 __sanitize_environment_variables(args.envp);
328 // Now the environment has been sanitized, make it available.
331 __initialize_personality();
334 /* This function will be called during normal program termination
335 * to run the destructors that are listed in the .fini_array section
336 * of the executable, if any.
338 * 'fini_array' points to a list of function addresses. The first
339 * entry in the list has value -1, the last one has value 0.
341 void __libc_fini(void* array) {
342 typedef void (*Dtor)();
343 Dtor* fini_array = reinterpret_cast<Dtor*>(array);
344 const Dtor minus1 = reinterpret_cast<Dtor>(static_cast<uintptr_t>(-1));
346 // Sanity check - first entry must be -1.
347 if (array == NULL || fini_array[0] != minus1) {
354 // Count the number of destructors.
356 while (fini_array[count] != NULL) {
360 // Now call each destructor in reverse order.
362 Dtor dtor = fini_array[--count];
364 // Sanity check, any -1 in the list is ignored.
365 if (dtor == minus1) {