From ed6a68bac7cd056abda9008019c71b167f0362dc Mon Sep 17 00:00:00 2001
From: Adhemerval Zanella
Date: Fri, 14 Mar 2025 16:09:57 -0300
Subject: debug: Improve '%n' fortify detection (BZ 30932)

The 7bb8045ec0 path made the '%n' fortify check ignore EMFILE errors while trying to open /proc/self/maps, and this added a security issue where EMFILE can be attacker-controlled thus making it ineffective for some cases. The EMFILE failure is reinstated but with a different error message. Also, to improve the false positive of the hardening for the cases where no new files can be opened, the _dl_readonly_area now uses _dl_find_object to check if the memory area is within a writable ELF segment. The procfs method is still used as fallback. Checked on x86_64-linux-gnu and i686-linux-gnu.
Reviewed-by: Arjun Shankar
---
sysdeps/unix/sysv/linux/readonly-area-fallback.c | 99 +++++++++++++++++++++
sysdeps/unix/sysv/linux/readonly-area.c | 104 ----------------------
2 files changed, 99 insertions(+), 104 deletions(-)
create mode 100644 sysdeps/unix/sysv/linux/readonly-area-fallback.c
delete mode 100644 sysdeps/unix/sysv/linux/readonly-area.c
(limited to 'sysdeps/unix/sysv/linux')
diff --git a/sysdeps/unix/sysv/linux/readonly-area-fallback.c b/sysdeps/unix/sysv/linux/readonly-area-fallback.c
new file mode 100644
index 0000000..c93ad2a
--- /dev/null
+++ b/sysdeps/unix/sysv/linux/readonly-area-fallback.c
@@ -0,0 +1,99 @@
+/* Copyright (C) 2004-2025 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ . */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include "libio/libioP.h"
+
+enum readonly_error_type
+__readonly_area_fallback (const void *ptr, size_t size)
+{
+ const void *ptr_end = ptr + size;
+
+ FILE *fp = fopen ("/proc/self/maps", "rce");
+ if (fp == NULL)
+ {
+ /* It is the system administrator's choice to not have /proc
+ available to this process (e.g., because it runs in a chroot
+ environment. Don't fail in this case. */
+ if (errno == ENOENT
+ /* The kernel has a bug in that a process is denied access
+ to the /proc filesystem if it is set[ug]id. There has
+ been no willingness to change this in the kernel so
+ far. */
+ || errno == EACCES)
+ return readonly_procfs_inaccessible;
+ /* Process has reached the maximum number of open files or another
+ unusual error. */
+ return readonly_procfs_open_fail;
+ }
+
+ /* We need no locking. */
+ __fsetlocking (fp, FSETLOCKING_BYCALLER);
+
+ char *line = NULL;
+ size_t linelen = 0;
+
+ while (! __feof_unlocked (fp))
+ {
+ if (__getdelim (&line, &linelen, '\n', fp) <= 0)
+ break;
+
+ char *p;
+ uintptr_t from = strtoul (line, &p, 16);
+
+ if (p == line || *p++ != '-')
+ break;
+
+ char *q;
+ uintptr_t to = strtoul (p, &q, 16);
+
+ if (q == p || *q++ != ' ')
+ break;
+
+ if (from < (uintptr_t) ptr_end && to > (uintptr_t) ptr)
+ {
+ /* Found an entry that at least partially covers the area. */
+ if (*q++ != 'r' || *q++ != '-')
+ break;
+
+ if (from <= (uintptr_t) ptr && to >= (uintptr_t) ptr_end)
+ {
+ size = 0;
+ break;
+ }
+ else if (from <= (uintptr_t) ptr)
+ size -= to - (uintptr_t) ptr;
+ else if (to >= (uintptr_t) ptr_end)
+ size -= (uintptr_t) ptr_end - from;
+ else
+ size -= to - from;
+
+ if (!size)
+ break;
+ }
+ }
+
+ fclose (fp);
+ free (line);
+
+ return size == 0 ? readonly_noerror : readonly_area_writable;
+}
diff --git a/sysdeps/unix/sysv/linux/readonly-area.c b/sysdeps/unix/sysv/linux/readonly-area.c
deleted file mode 100644
index 62d2070..0000000
--- a/sysdeps/unix/sysv/linux/readonly-area.c
+++ /dev/null
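Review bot: `__readonly_area_fallback` has no header comment, and the old `__readonly_area` comment that spelled out the return contract was dropped with the deleted file, so nothing in the new file says what the four `readonly_error_type` values mean to a caller or that every `break` on a line of /proc/self/maps that fails to parse or whose permissions do not start with `r-` deliberately leaves `size` non-zero and is reported as `readonly_area_writable` rather than as a distinct parse error. A comment above the definition should state that PTR..PTR+SIZE counts as read-only only when it is fully covered by `r-` mappings, that `readonly_procfs_inaccessible` covers only ENOENT and EACCES, that `readonly_procfs_open_fail` (which now includes EMFILE) must not be taken as read-only by the caller, and that any read or parse failure is reported as writable so the check fails closed; the enum itself is defined outside this hunk. As a point of style, the `while (! __feof_unlocked (fp))` condition is redundant because the `__getdelim (...) <= 0` test already ends the loop at EOF and on error, so `for (;;)` would make the real loop exit conditions plainer.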
@@ -1,104 +0,0 @@
-/* Copyright (C) 2004-2025 Free Software Foundation, Inc.
- This file is part of the GNU C Library.
-
- The GNU C Library is free software; you can redistribute it and/or
- modify it under the terms of the GNU Lesser General Public
- License as published by the Free Software Foundation; either
- version 2.1 of the License, or (at your option) any later version.
-
- The GNU C Library is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Lesser General Public License for more details.
-
- You should have received a copy of the GNU Lesser General Public
- License along with the GNU C Library; if not, see
- . */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include "libio/libioP.h"
-
-/* Return 1 if the whole area PTR .. PTR+SIZE is not writable.
- Return -1 if it is writable. */
-
-int
-__readonly_area (const char *ptr, size_t size)
-{
- const void *ptr_end = ptr + size;
-
- FILE *fp = fopen ("/proc/self/maps", "rce");
- if (fp == NULL)
- {
- /* It is the system administrator's choice to not have /proc
- available to this process (e.g., because it runs in a chroot
- environment. Don't fail in this case. */
- if (errno == ENOENT
- /* The kernel has a bug in that a process is denied access
- to the /proc filesystem if it is set[ug]id. There has
- been no willingness to change this in the kernel so
- far. */
- || errno == EACCES
- /* Process has reached the maximum number of open files. */
- || errno == EMFILE)
- return 1;
- return -1;
- }
-
- /* We need no locking. */
- __fsetlocking (fp, FSETLOCKING_BYCALLER);
-
- char *line = NULL;
- size_t linelen = 0;
-
- while (! __feof_unlocked (fp))
- {
- if (__getdelim (&line, &linelen, '\n', fp) <= 0)
- break;
-
- char *p;
- uintptr_t from = strtoul (line, &p, 16);
-
- if (p == line || *p++ != '-')
- break;
-
- char *q;
- uintptr_t to = strtoul (p, &q, 16);
-
- if (q == p || *q++ != ' ')
- break;
-
- if (from < (uintptr_t) ptr_end && to > (uintptr_t) ptr)
- {
- /* Found an entry that at least partially covers the area. */
- if (*q++ != 'r' || *q++ != '-')
- break;
-
- if (from <= (uintptr_t) ptr && to >= (uintptr_t) ptr_end)
- {
- size = 0;
- break;
- }
- else if (from <= (uintptr_t) ptr)
- size -= to - (uintptr_t) ptr;
- else if (to >= (uintptr_t) ptr_end)
- size -= (uintptr_t) ptr_end - from;
- else
- size -= to - from;
-
- if (!size)
- break;
- }
- }
-
- fclose (fp);
- free (line);
-
- /* If the whole area between ptr and ptr_end is covered by read-only
- VMAs, return 1. Otherwise return -1. */
- return size == 0 ? 1 : -1;
-}
-- cgit v1.1