From 98f5e8eb9613399ceeaadeb46acb61fa99a34ab5 Mon Sep 17 00:00:00 2001 
From: Zack Weinberg Date: Tue, 3 Apr 2018 18:26:44 -0400 Subject: Avoid cancellable I/O primitives in ld.so. Neither the entry points, nor lazy symbol resolution, nor initial shared library load-up, are cancellation points, so ld.so should exclusively use I/O primitives that are not cancellable. We currently achieve this by having the cancellation hooks compile as no-ops when IS_IN(rtld); this patch changes to using exclusively _nocancel primitives in the source code instead, which makes the intent clearer and significantly reduces the amount of code compiled under IS_IN(rtld) as well as IS_IN(libc) -- in particular, elf/Makefile no longer thinks we require a copy of unwind.c in rtld-libc.a. (The older mechanism is preserved as a backstop.) The bulk of the change is splitting up the files that define the _nocancel I/O functions, so they don't also define the variants that *are* cancellation points; after which, the existing logic for picking out the bits of libc that need to be recompiled as part of ld.so Just Works. I did this for all of the _nocancel functions, not just the ones used by ld.so, for consistency. fcntl was a little tricky because it's only a cancellation point for certain opcodes (F_SETLKW(64), which can block), and the existing __fcntl_nocancel wasn't applying the FCNTL_ADJUST_CMD hook, which strikes me as asking for trouble, especially as the only nontrivial definition of FCNTL_ADJUST_CMD (for powerpc64) changes F_*LK* opcodes. To fix this, fcntl_common moves to fcntl_nocancel.c along with __fcntl_nocancel, and changes its name to the extern (but hidden) symbol __fcntl_nocancel_adjusted, so that regular fcntl can continue calling it. __fcntl_nocancel now applies FCNTL_ADJUST_CMD; so that both fcntl.c and fcntl_nocancel.c can see it, the only nontrivial definition moves from sysdeps/u/s/l/powerpc/powerpc64/fcntl.c to .../powerpc64/sysdep.h and becomes entirely a macro, instead of a macro that calls an inline function. 
The nptl version of libpthread also changes a little, because its "compat-routines" formerly included files that defined all the _nocancel functions it uses; instead of continuing to duplicate them, I exported the relevant ones from libc.so as GLIBC_PRIVATE. Since the Linux fcntl.c calls a function defined by fcntl_nocancel.c, it can no longer be used from libpthread.so; instead, introduce a custom forwarder, pt-fcntl.c, and export __libc_fcntl from libc.so as GLIBC_PRIVATE. The nios2-linux ABI doesn't include a copy of vfork() in libpthread, and it was handling that by manipulating libpthread-routines in .../linux/nios2/Makefile; it is cleaner to do what other such ports do, and have a pt-vfork.S that defines no symbols. Right now, it appears that Hurd does not implement _nocancel I/O, so sysdeps/generic/not-cancel.h will forward everything back to the regular functions. This changed the names of some of the functions that sysdeps/mach/hurd/dl-sysdep.c needs to interpose. * elf/dl-load.c, elf/dl-misc.c, elf/dl-profile.c, elf/rtld.c * sysdeps/unix/sysv/linux/dl-sysdep.c Include not-cancel.h. Use __close_nocancel instead of __close, __open64_nocancel instead of __open, __read_nocancel instead of __libc_read, and __write_nocancel instead of __libc_write. * csu/check_fds.c (check_one_fd) * sysdeps/posix/fdopendir.c (__fdopendir) * sysdeps/posix/opendir.c (__alloc_dir): Use __fcntl_nocancel instead of __fcntl and/or __libc_fcntl. * sysdeps/unix/sysv/linux/pthread_setname.c (pthread_setname_np) * sysdeps/unix/sysv/linux/pthread_getname.c (pthread_getname_np) * sysdeps/unix/sysv/linux/i386/smp.h (is_smp_system): Use __open64_nocancel instead of __open_nocancel. * sysdeps/unix/sysv/linux/not-cancel.h: Move all of the hidden_proto declarations to the end and issue them if either IS_IN(libc) or IS_IN(rtld). 
* sysdeps/unix/sysv/linux/Makefile [subdir=io] (sysdep_routines): Add close_nocancel, fcntl_nocancel, nanosleep_nocancel, open_nocancel, open64_nocancel, openat_nocancel, pause_nocancel, read_nocancel, waitpid_nocancel, write_nocancel. * io/Versions [GLIBC_PRIVATE]: Add __libc_fcntl, __fcntl_nocancel, __open64_nocancel, __write_nocancel. * posix/Versions: Add __nanosleep_nocancel, __pause_nocancel. * nptl/pt-fcntl.c: New file. * nptl/Makefile (pthread-compat-wrappers): Remove fcntl. (libpthread-routines): Add pt-fcntl. * include/fcntl.h (__fcntl_nocancel_adjusted): New function. (__libc_fcntl): Remove attribute_hidden. * sysdeps/unix/sysv/linux/fcntl.c (__libc_fcntl): Call __fcntl_nocancel_adjusted, not fcntl_common. (__fcntl_nocancel): Move to new file fcntl_nocancel.c. (fcntl_common): Rename to __fcntl_nocancel_adjusted; also move to fcntl_nocancel.c. * sysdeps/unix/sysv/linux/fcntl_nocancel.c: New file. * sysdeps/unix/sysv/linux/powerpc/powerpc64/fcntl.c: Remove file. * sysdeps/unix/sysv/linux/powerpc/powerpc64/sysdep.h: Define FCNTL_ADJUST_CMD here, as a self-contained macro. * sysdeps/unix/sysv/linux/close.c: Move __close_nocancel to... * sysdeps/unix/sysv/linux/close_nocancel.c: ...this new file. * sysdeps/unix/sysv/linux/nanosleep.c: Move __nanosleep_nocancel to... * sysdeps/unix/sysv/linux/nanosleep_nocancel.c: ...this new file. * sysdeps/unix/sysv/linux/open.c: Move __open_nocancel to... * sysdeps/unix/sysv/linux/open_nocancel.c: ...this new file. * sysdeps/unix/sysv/linux/open64.c: Move __open64_nocancel to... * sysdeps/unix/sysv/linux/open64_nocancel.c: ...this new file. * sysdeps/unix/sysv/linux/openat.c: Move __openat_nocancel to... * sysdeps/unix/sysv/linux/openat_nocancel.c: ...this new file. * sysdeps/unix/sysv/linux/openat64.c: Move __openat64_nocancel to... * sysdeps/unix/sysv/linux/openat64_nocancel.c: ...this new file. * sysdeps/unix/sysv/linux/pause.c: Move __pause_nocancel to... * sysdeps/unix/sysv/linux/pause_nocancel.c: ...this new file. 
* sysdeps/unix/sysv/linux/read.c: Move __read_nocancel to... * sysdeps/unix/sysv/linux/read_nocancel.c: ...this new file. * sysdeps/unix/sysv/linux/waitpid.c: Move __waitpid_nocancel to... * sysdeps/unix/sysv/linux/waitpid_nocancel.c: ...this new file. * sysdeps/unix/sysv/linux/write.c: Move __write_nocancel to... * sysdeps/unix/sysv/linux/write_nocancel.c: ...this new file. * sysdeps/unix/sysv/linux/nios2/Makefile: Don't override libpthread-routines. * sysdeps/unix/sysv/linux/nios2/pt-vfork.S: New file which defines nothing. * sysdeps/mach/hurd/dl-sysdep.c: Define __read instead of __libc_read, and __write instead of __libc_write. Define __open64 in addition to __open. (cherry picked from commit 329ea513b451ae8322aa7a24ed84da13992af2dd) --- elf/dl-load.c | 34 ++++++++++++++++++---------------- elf/dl-misc.c | 6 +++--- elf/dl-profile.c | 14 +++++++------- elf/rtld.c | 3 ++- 4 files changed, 30 insertions(+), 27 deletions(-) (limited to 'elf') diff --git a/elf/dl-load.c b/elf/dl-load.c index 957f1b9..5369410 100644 --- a/elf/dl-load.c +++ b/elf/dl-load.c @@ -48,6 +48,7 @@ /* Code below to add offset to symbol names references itoa. */ #include <_itoa.h> +#include #include #if BYTE_ORDER == BIG_ENDIAN @@ -786,7 +787,7 @@ lose (int code, int fd, const char *name, char *realname, struct link_map *l, { /* The file might already be closed. */ if (fd != -1) - (void) __close (fd); + (void) __close_nocancel (fd); if (l != NULL && l->l_origin != (char *) -1l) free ((char *) l->l_origin); free (l); @@ -1016,7 +1017,7 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd, off_t of { /* The object is already loaded. Just bump its reference count and return it. */ - __close (fd); + __close_nocancel (fd); free (realname); 
@@ -1045,7 +1046,7 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd, off_t of /* No need to bump the refcount of the real object, ld.so will never be unloaded. */ - __close (fd); + __close_nocancel (fd); /* Add the map for the mirrored object to the object list. */ _dl_add_to_namespace_list (l, nsid); @@ -1059,7 +1060,7 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd, off_t of /* We are not supposed to load the object unless it is already loaded. So return now. */ free (realname); - __close (fd); + __close_nocancel (fd); return NULL; } @@ -1078,7 +1079,7 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd, off_t of if (_dl_zerofd == -1) { free (realname); - __close (fd); + __close_nocancel (fd); _dl_signal_error (errno, NULL, NULL, N_("cannot open zero fill device")); } @@ -1165,7 +1166,7 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd, off_t of { phdr = alloca (maplength); __lseek (fd, header->e_phoff, SEEK_SET); - if ((size_t) __libc_read (fd, (void *) phdr, maplength) != maplength) + if ((size_t) __read_nocancel (fd, (void *) phdr, maplength) != maplength) { errstring = N_("cannot read file data"); goto call_lose_errno; @@ -1446,7 +1447,7 @@ cannot enable executable stack as shared object requires"); l->l_tls_initimage = (char *) l->l_tls_initimage + l->l_addr; /* We are done mapping in the file. We no longer need the descriptor. */ - if (__glibc_unlikely (__close (fd) != 0)) + if (__glibc_unlikely (__close_nocancel (fd) != 0)) { errstring = N_("cannot close file descriptor"); goto call_lose_errno; @@ -1660,7 +1661,7 @@ open_verify (const char *name, int fd, off_t offset, { /* An audit library changed what we're supposed to open, so FD no longer matches it. */ - __close (fd); + __close_nocancel (fd); fd = -1; } } 
@@ -1668,7 +1669,7 @@ open_verify (const char *name, int fd, off_t offset, if (fd == -1) /* Open the file. We always open files read-only. */ - fd = __open (name, O_RDONLY | O_CLOEXEC); + fd = __open64_nocancel (name, O_RDONLY | O_CLOEXEC); if (fd != -1) { @@ -1690,8 +1691,8 @@ open_verify (const char *name, int fd, off_t offset, /* Read in the header. */ do { - ssize_t retlen = __libc_read (fd, fbp->buf + fbp->len, - sizeof (fbp->buf) - fbp->len); + ssize_t retlen = __read_nocancel (fd, fbp->buf + fbp->len, + sizeof (fbp->buf) - fbp->len); if (retlen <= 0) break; fbp->len += retlen; @@ -1814,7 +1815,8 @@ open_verify (const char *name, int fd, off_t offset, { phdr = alloca (maplength); __lseek (fd, ehdr->e_phoff, SEEK_SET); - if ((size_t) __libc_read (fd, (void *) phdr, maplength) != maplength) + if ((size_t) __read_nocancel (fd, (void *) phdr, maplength) + != maplength) { read_error: errval = errno; @@ -1864,7 +1866,7 @@ open_verify (const char *name, int fd, off_t offset, abi_note = abi_note_malloced; } __lseek (fd, ph->p_offset, SEEK_SET); - if (__libc_read (fd, (void *) abi_note, size) != size) + if (__read_nocancel (fd, (void *) abi_note, size) != size) { free (abi_note_malloced); goto read_error; @@ -1896,7 +1898,7 @@ open_verify (const char *name, int fd, off_t offset, || (GLRO(dl_osversion) && GLRO(dl_osversion) < osversion)) { close_and_out: - __close (fd); + __close_nocancel (fd); __set_errno (ENOENT); fd = -1; } @@ -2013,7 +2015,7 @@ open_path (const char *name, size_t namelen, off_t offset, int mode, /* The shared object cannot be tested for being SUID or this bit is not set. In this case we must not use this object. */ - __close (fd); + __close_nocancel (fd); fd = -1; /* We simply ignore the file, signal this by setting the error value which would have been set by `open'. */ 
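Review bot: Replacing `__open` with `__open64_nocancel` at the open in `open_verify` changes more than cancellability: on 32-bit targets the 64-bit variant also implies large-file (O_LARGEFILE) semantics, and neither the call site nor the commit message says why the 64-bit flavour was chosen over the plain `__open_nocancel` that the message mentions for other callers. Presumably the intent is that ld.so can open objects whose size or offsets exceed 32 bits on such targets, but that is an inference and worth recording; a one-line comment at the call such as `/* Not a cancellation point; the 64-bit open so that large objects work on 32-bit targets.  */` would do, once the reason is confirmed. The same substitution is made in the dl-misc.c, dl-profile.c and rtld.c hunks and the same note applies there.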
@@ -2034,7 +2036,7 @@ open_path (const char *name, size_t namelen, off_t offset, int mode, { /* No memory for the name, we certainly won't be able to load and link it. */ - __close (fd); + __close_nocancel (fd); return -1; } } diff --git a/elf/dl-misc.c b/elf/dl-misc.c index ed90394..1cf06b6 100644 --- a/elf/dl-misc.c +++ b/elf/dl-misc.c @@ -33,7 +33,7 @@ #include #include <_itoa.h> #include - +#include /* Read the whole contents of FILE into new mmap'd space with given protections. *SIZEP gets the size of the file. On error MAP_FAILED @@ -44,7 +44,7 @@ _dl_sysdep_read_whole_file (const char *file, size_t *sizep, int prot) { void *result = MAP_FAILED; struct stat64 st; - int fd = __open (file, O_RDONLY | O_CLOEXEC); + int fd = __open64_nocancel (file, O_RDONLY | O_CLOEXEC); if (fd >= 0) { if (__fxstat64 (_STAT_VER, fd, &st) >= 0) @@ -65,7 +65,7 @@ _dl_sysdep_read_whole_file (const char *file, size_t *sizep, int prot) #endif , fd, 0); } - __close (fd); + __close_nocancel (fd); } return result; } diff --git a/elf/dl-profile.c b/elf/dl-profile.c index 7f15352..bac3718 100644 --- a/elf/dl-profile.c +++ b/elf/dl-profile.c @@ -35,6 +35,7 @@ #include #include #include +#include /* The LD_PROFILE feature has to be implemented different to the normal profiling using the gmon/ functions. The problem is that an @@ -324,7 +325,7 @@ _dl_start_profile (void) *cp++ = '/'; __stpcpy (__stpcpy (cp, GLRO(dl_profile)), ".profile"); - fd = __open (filename, O_RDWR | O_CREAT | O_NOFOLLOW, DEFFILEMODE); + fd = __open64_nocancel (filename, O_RDWR|O_CREAT|O_NOFOLLOW, DEFFILEMODE); if (fd == -1) { char buf[400]; @@ -335,7 +336,7 @@ _dl_start_profile (void) print_error: errnum = errno; if (fd != -1) - __close (fd); + __close_nocancel (fd); _dl_error_printf (errstr, filename, __strerror_r (errnum, buf, sizeof buf)); return; 
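Review bot: In the dl-misc.c header hunk the added `#include` replaces the blank line that separated the include block from the comment introducing `_dl_sysdep_read_whole_file`, so the comment now sits directly under the include list. Add the include as an additional line and keep the blank separator, matching how the dl-load.c, dl-profile.c and rtld.c hunks insert theirs without dropping a line.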
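Review bot: The new open call in `_dl_start_profile` drops the spaces around the `|` operators (`O_RDWR|O_CREAT|O_NOFOLLOW`), apparently to stay within the line limit, which departs from the GNU style used on the surrounding lines and on the equivalent `O_RDONLY | O_CLOEXEC` calls elsewhere in this patch. Break the argument list instead: `fd = __open64_nocancel (filename, O_RDWR | O_CREAT | O_NOFOLLOW,` followed by `DEFFILEMODE);` aligned under `filename`.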
@@ -364,15 +365,14 @@ _dl_start_profile (void) goto print_error; } - if (TEMP_FAILURE_RETRY (__libc_write (fd, buf, (expected_size - & (GLRO(dl_pagesize) - - 1)))) + if (TEMP_FAILURE_RETRY + (__write_nocancel (fd, buf, (expected_size & (GLRO(dl_pagesize) - 1)))) < 0) goto cannot_create; } else if (st.st_size != expected_size) { - __close (fd); + __close_nocancel (fd); wrong_format: if (addr != NULL) @@ -392,7 +392,7 @@ _dl_start_profile (void) } /* We don't need the file descriptor anymore. */ - __close (fd); + __close_nocancel (fd); /* Pointer to data after the header. */ hist = (char *) (addr + 1); diff --git a/elf/rtld.c b/elf/rtld.c index 3b60b49..b12b511 100644 --- a/elf/rtld.c +++ b/elf/rtld.c @@ -41,6 +41,7 @@ #include #include #include +#include #include @@ -2756,7 +2757,7 @@ process_envvars (enum mode *modep) *--startp = '.'; startp = memcpy (startp - name_len, debug_output, name_len); - GLRO(dl_debug_fd) = __open (startp, flags, DEFFILEMODE); + GLRO(dl_debug_fd) = __open64_nocancel (startp, flags, DEFFILEMODE); if (GLRO(dl_debug_fd) == -1) /* We use standard output if opening the file failed. */ GLRO(dl_debug_fd) = STDOUT_FILENO; -- cgit v1.1
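Review bot: The reflowed `TEMP_FAILURE_RETRY (__write_nocancel (...)) < 0` test still treats a short write as success, so a partially written trailing block would go unnoticed and the profile file would presumably end up smaller than `expected_size` when it is used afterwards. Compare the returned count with the requested length instead, e.g. `size_t len = expected_size & (GLRO(dl_pagesize) - 1);`, `ssize_t n = TEMP_FAILURE_RETRY (__write_nocancel (fd, buf, len));` and `if (n != (ssize_t) len) goto cannot_create;`. The enclosing block begins outside the hunk, so whether the preceding code already writes the full pages with a similar check cannot be seen here.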