blob: e6c64defadc465131bab2d62b6eef0ee53c47036 [file] [log] [blame]
Alex Vakulenkof6024732016-01-22 16:52:43 -08001// Copyright (c) 2013 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5// Note: any code in this file MUST be async-signal safe.
6
7#include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
8
Alex Vakulenko24854742016-01-22 16:55:13 -08009#include <stddef.h>
10#include <stdint.h>
Alex Vakulenkof6024732016-01-22 16:52:43 -080011#include <sys/syscall.h>
12#include <unistd.h>
13
Jay Civelli3a83cdd2017-03-22 17:31:44 -070014#include "base/debug/crash_logging.h"
Alex Vakulenkof6024732016-01-22 16:52:43 -080015#include "base/logging.h"
16#include "base/posix/eintr_wrapper.h"
17#include "build/build_config.h"
18#include "sandbox/linux/bpf_dsl/bpf_dsl.h"
19#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
20#include "sandbox/linux/seccomp-bpf/syscall.h"
21#include "sandbox/linux/services/syscall_wrappers.h"
22#include "sandbox/linux/system_headers/linux_syscalls.h"
23
24#if defined(__mips__)
25// __NR_Linux, is defined in <asm/unistd.h>.
26#include <asm/unistd.h>
27#endif
28
29#define SECCOMP_MESSAGE_COMMON_CONTENT "seccomp-bpf failure"
30#define SECCOMP_MESSAGE_CLONE_CONTENT "clone() failure"
31#define SECCOMP_MESSAGE_PRCTL_CONTENT "prctl() failure"
32#define SECCOMP_MESSAGE_IOCTL_CONTENT "ioctl() failure"
33#define SECCOMP_MESSAGE_KILL_CONTENT "(tg)kill() failure"
34#define SECCOMP_MESSAGE_FUTEX_CONTENT "futex() failure"
35
36namespace {
37
38inline bool IsArchitectureX86_64() {
39#if defined(__x86_64__)
40 return true;
41#else
42 return false;
43#endif
44}
45
46// Write |error_message| to stderr. Similar to RawLog(), but a bit more careful
47// about async-signal safety. |size| is the size to write and should typically
48// not include a terminating \0.
49void WriteToStdErr(const char* error_message, size_t size) {
50 while (size > 0) {
51 // TODO(jln): query the current policy to check if send() is available and
52 // use it to perform a non-blocking write.
Jay Civelli3a83cdd2017-03-22 17:31:44 -070053 const int ret = HANDLE_EINTR(
54 sandbox::sys_write(STDERR_FILENO, error_message, size));
Alex Vakulenkof6024732016-01-22 16:52:43 -080055 // We can't handle any type of error here.
56 if (ret <= 0 || static_cast<size_t>(ret) > size) break;
57 size -= ret;
58 error_message += ret;
59 }
60}
61
62// Invalid syscall values are truncated to zero.
63// On architectures where base value is zero (Intel and Arm),
64// syscall number is the same as offset from base.
65// This function returns values between 0 and 1023 on all architectures.
66// On architectures where base value is different than zero (currently only
67// Mips), we are truncating valid syscall values to offset from base.
68uint32_t SyscallNumberToOffsetFromBase(uint32_t sysno) {
69#if defined(__mips__)
70 // On MIPS syscall numbers are in different range than on x86 and ARM.
71 // Valid MIPS O32 ABI syscall __NR_syscall will be truncated to zero for
72 // simplicity.
73 sysno = sysno - __NR_Linux;
74#endif
75
76 if (sysno >= 1024)
77 sysno = 0;
78
79 return sysno;
80}
81
82// Print a seccomp-bpf failure to handle |sysno| to stderr in an
83// async-signal safe way.
84void PrintSyscallError(uint32_t sysno) {
85 if (sysno >= 1024)
86 sysno = 0;
87 // TODO(markus): replace with async-signal safe snprintf when available.
88 const size_t kNumDigits = 4;
89 char sysno_base10[kNumDigits];
90 uint32_t rem = sysno;
91 uint32_t mod = 0;
92 for (int i = kNumDigits - 1; i >= 0; i--) {
93 mod = rem % 10;
94 rem /= 10;
95 sysno_base10[i] = '0' + mod;
96 }
Jay Civelli3a83cdd2017-03-22 17:31:44 -070097
Alex Vakulenkof6024732016-01-22 16:52:43 -080098#if defined(__mips__) && (_MIPS_SIM == _MIPS_SIM_ABI32)
99 static const char kSeccompErrorPrefix[] = __FILE__
100 ":**CRASHING**:" SECCOMP_MESSAGE_COMMON_CONTENT " in syscall 4000 + ";
101#else
102 static const char kSeccompErrorPrefix[] =
103 __FILE__":**CRASHING**:" SECCOMP_MESSAGE_COMMON_CONTENT " in syscall ";
104#endif
105 static const char kSeccompErrorPostfix[] = "\n";
106 WriteToStdErr(kSeccompErrorPrefix, sizeof(kSeccompErrorPrefix) - 1);
107 WriteToStdErr(sysno_base10, sizeof(sysno_base10));
108 WriteToStdErr(kSeccompErrorPostfix, sizeof(kSeccompErrorPostfix) - 1);
109}
110
Jay Civelli3a83cdd2017-03-22 17:31:44 -0700111// Helper to convert a number of type T to a hexadecimal string using
112// stack-allocated storage.
113template <typename T>
114class NumberToHex {
115 public:
116 explicit NumberToHex(T value) {
117 static const char kHexChars[] = "0123456789abcdef";
118
119 memset(str_, '0', sizeof(str_));
120 str_[1] = 'x';
121 str_[sizeof(str_) - 1] = '\0';
122
123 T rem = value;
124 T mod = 0;
125 for (size_t i = sizeof(str_) - 2; i >= 2; --i) {
126 mod = rem % 16;
127 rem /= 16;
128 str_[i] = kHexChars[mod];
129 }
130 }
131
132 const char* str() const { return str_; }
133
134 static size_t length() { return sizeof(str_) - 1; }
135
136 private:
137 // HEX uses two characters per byte, with a leading '0x', and a trailing NUL.
138 char str_[sizeof(T) * 2 + 3];
139};
140
141// Records the syscall number and first four arguments in a crash key, to help
142// debug the failure.
143void SetSeccompCrashKey(const struct sandbox::arch_seccomp_data& args) {
144#if !defined(OS_NACL_NONSFI)
145 NumberToHex<int> nr(args.nr);
146 NumberToHex<uint64_t> arg1(args.args[0]);
147 NumberToHex<uint64_t> arg2(args.args[1]);
148 NumberToHex<uint64_t> arg3(args.args[2]);
149 NumberToHex<uint64_t> arg4(args.args[3]);
150
151 // In order to avoid calling into libc sprintf functions from an unsafe signal
152 // context, manually construct the crash key string.
153 const char* const prefixes[] = {
154 "nr=",
155 " arg1=",
156 " arg2=",
157 " arg3=",
158 " arg4=",
159 };
160 const char* const values[] = {
161 nr.str(),
162 arg1.str(),
163 arg2.str(),
164 arg3.str(),
165 arg4.str(),
166 };
167
168 size_t crash_key_length = nr.length() + arg1.length() + arg2.length() +
169 arg3.length() + arg4.length();
170 for (auto* prefix : prefixes) {
171 crash_key_length += strlen(prefix);
172 }
173 ++crash_key_length; // For the trailing NUL byte.
174
175 char crash_key[crash_key_length];
176 memset(crash_key, '\0', crash_key_length);
177
178 size_t offset = 0;
179 for (size_t i = 0; i < arraysize(values); ++i) {
180 const char* strings[2] = { prefixes[i], values[i] };
181 for (auto* string : strings) {
182 size_t string_len = strlen(string);
183 memmove(&crash_key[offset], string, string_len);
184 offset += string_len;
185 }
186 }
187
188 base::debug::SetCrashKeyValue("seccomp-sigsys", crash_key);
189#endif
190}
191
192} // namespace
Alex Vakulenkof6024732016-01-22 16:52:43 -0800193
194namespace sandbox {
195
196intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux) {
197 uint32_t syscall = SyscallNumberToOffsetFromBase(args.nr);
198
199 PrintSyscallError(syscall);
Jay Civelli3a83cdd2017-03-22 17:31:44 -0700200 SetSeccompCrashKey(args);
Alex Vakulenkof6024732016-01-22 16:52:43 -0800201
202 // Encode 8-bits of the 1st two arguments too, so we can discern which socket
203 // type, which fcntl, ... etc., without being likely to hit a mapped
204 // address.
205 // Do not encode more bits here without thinking about increasing the
206 // likelihood of collision with mapped pages.
207 syscall |= ((args.args[0] & 0xffUL) << 12);
208 syscall |= ((args.args[1] & 0xffUL) << 20);
209 // Purposefully dereference the syscall as an address so it'll show up very
210 // clearly and easily in crash dumps.
211 volatile char* addr = reinterpret_cast<volatile char*>(syscall);
212 *addr = '\0';
213 // In case we hit a mapped address, hit the null page with just the syscall,
214 // for paranoia.
215 syscall &= 0xfffUL;
216 addr = reinterpret_cast<volatile char*>(syscall);
217 *addr = '\0';
218 for (;;)
219 _exit(1);
220}
221
222// TODO(jln): refactor the reporting functions.
223
224intptr_t SIGSYSCloneFailure(const struct arch_seccomp_data& args, void* aux) {
225 static const char kSeccompCloneError[] =
226 __FILE__":**CRASHING**:" SECCOMP_MESSAGE_CLONE_CONTENT "\n";
227 WriteToStdErr(kSeccompCloneError, sizeof(kSeccompCloneError) - 1);
Jay Civelli3a83cdd2017-03-22 17:31:44 -0700228 SetSeccompCrashKey(args);
Alex Vakulenkof6024732016-01-22 16:52:43 -0800229 // "flags" is the first argument in the kernel's clone().
230 // Mark as volatile to be able to find the value on the stack in a minidump.
231 volatile uint64_t clone_flags = args.args[0];
232 volatile char* addr;
233 if (IsArchitectureX86_64()) {
234 addr = reinterpret_cast<volatile char*>(clone_flags & 0xFFFFFF);
235 *addr = '\0';
236 }
237 // Hit the NULL page if this fails to fault.
238 addr = reinterpret_cast<volatile char*>(clone_flags & 0xFFF);
239 *addr = '\0';
240 for (;;)
241 _exit(1);
242}
243
244intptr_t SIGSYSPrctlFailure(const struct arch_seccomp_data& args,
245 void* /* aux */) {
246 static const char kSeccompPrctlError[] =
247 __FILE__":**CRASHING**:" SECCOMP_MESSAGE_PRCTL_CONTENT "\n";
248 WriteToStdErr(kSeccompPrctlError, sizeof(kSeccompPrctlError) - 1);
Jay Civelli3a83cdd2017-03-22 17:31:44 -0700249 SetSeccompCrashKey(args);
Alex Vakulenkof6024732016-01-22 16:52:43 -0800250 // Mark as volatile to be able to find the value on the stack in a minidump.
251 volatile uint64_t option = args.args[0];
252 volatile char* addr =
253 reinterpret_cast<volatile char*>(option & 0xFFF);
254 *addr = '\0';
255 for (;;)
256 _exit(1);
257}
258
259intptr_t SIGSYSIoctlFailure(const struct arch_seccomp_data& args,
260 void* /* aux */) {
261 static const char kSeccompIoctlError[] =
262 __FILE__":**CRASHING**:" SECCOMP_MESSAGE_IOCTL_CONTENT "\n";
263 WriteToStdErr(kSeccompIoctlError, sizeof(kSeccompIoctlError) - 1);
Jay Civelli3a83cdd2017-03-22 17:31:44 -0700264 SetSeccompCrashKey(args);
Alex Vakulenkof6024732016-01-22 16:52:43 -0800265 // Make "request" volatile so that we can see it on the stack in a minidump.
266 volatile uint64_t request = args.args[1];
267 volatile char* addr = reinterpret_cast<volatile char*>(request & 0xFFFF);
268 *addr = '\0';
269 // Hit the NULL page if this fails.
270 addr = reinterpret_cast<volatile char*>(request & 0xFFF);
271 *addr = '\0';
272 for (;;)
273 _exit(1);
274}
275
276intptr_t SIGSYSKillFailure(const struct arch_seccomp_data& args,
277 void* /* aux */) {
278 static const char kSeccompKillError[] =
279 __FILE__":**CRASHING**:" SECCOMP_MESSAGE_KILL_CONTENT "\n";
280 WriteToStdErr(kSeccompKillError, sizeof(kSeccompKillError) - 1);
Jay Civelli3a83cdd2017-03-22 17:31:44 -0700281 SetSeccompCrashKey(args);
Alex Vakulenkof6024732016-01-22 16:52:43 -0800282 // Make "pid" volatile so that we can see it on the stack in a minidump.
283 volatile uint64_t my_pid = sys_getpid();
284 volatile char* addr = reinterpret_cast<volatile char*>(my_pid & 0xFFF);
285 *addr = '\0';
286 for (;;)
287 _exit(1);
288}
289
290intptr_t SIGSYSFutexFailure(const struct arch_seccomp_data& args,
291 void* /* aux */) {
292 static const char kSeccompFutexError[] =
293 __FILE__ ":**CRASHING**:" SECCOMP_MESSAGE_FUTEX_CONTENT "\n";
294 WriteToStdErr(kSeccompFutexError, sizeof(kSeccompFutexError) - 1);
Jay Civelli3a83cdd2017-03-22 17:31:44 -0700295 SetSeccompCrashKey(args);
Alex Vakulenkof6024732016-01-22 16:52:43 -0800296 volatile int futex_op = args.args[1];
297 volatile char* addr = reinterpret_cast<volatile char*>(futex_op & 0xFFF);
298 *addr = '\0';
299 for (;;)
300 _exit(1);
301}
302
303intptr_t SIGSYSSchedHandler(const struct arch_seccomp_data& args,
304 void* aux) {
305 switch (args.nr) {
306 case __NR_sched_getaffinity:
307 case __NR_sched_getattr:
308 case __NR_sched_getparam:
309 case __NR_sched_getscheduler:
310 case __NR_sched_rr_get_interval:
311 case __NR_sched_setaffinity:
312 case __NR_sched_setattr:
313 case __NR_sched_setparam:
314 case __NR_sched_setscheduler:
315 const pid_t tid = sys_gettid();
316 // The first argument is the pid. If is our thread id, then replace it
317 // with 0, which is equivalent and allowed by the policy.
318 if (args.args[0] == static_cast<uint64_t>(tid)) {
319 return Syscall::Call(args.nr,
320 0,
321 static_cast<intptr_t>(args.args[1]),
322 static_cast<intptr_t>(args.args[2]),
323 static_cast<intptr_t>(args.args[3]),
324 static_cast<intptr_t>(args.args[4]),
325 static_cast<intptr_t>(args.args[5]));
326 }
327 break;
328 }
329
330 CrashSIGSYS_Handler(args, aux);
331
332 // Should never be reached.
333 RAW_CHECK(false);
334 return -ENOSYS;
335}
336
337bpf_dsl::ResultExpr CrashSIGSYS() {
338 return bpf_dsl::Trap(CrashSIGSYS_Handler, NULL);
339}
340
341bpf_dsl::ResultExpr CrashSIGSYSClone() {
342 return bpf_dsl::Trap(SIGSYSCloneFailure, NULL);
343}
344
345bpf_dsl::ResultExpr CrashSIGSYSPrctl() {
346 return bpf_dsl::Trap(SIGSYSPrctlFailure, NULL);
347}
348
349bpf_dsl::ResultExpr CrashSIGSYSIoctl() {
350 return bpf_dsl::Trap(SIGSYSIoctlFailure, NULL);
351}
352
353bpf_dsl::ResultExpr CrashSIGSYSKill() {
354 return bpf_dsl::Trap(SIGSYSKillFailure, NULL);
355}
356
357bpf_dsl::ResultExpr CrashSIGSYSFutex() {
358 return bpf_dsl::Trap(SIGSYSFutexFailure, NULL);
359}
360
361bpf_dsl::ResultExpr RewriteSchedSIGSYS() {
362 return bpf_dsl::Trap(SIGSYSSchedHandler, NULL);
363}
364
365const char* GetErrorMessageContentForTests() {
366 return SECCOMP_MESSAGE_COMMON_CONTENT;
367}
368
369const char* GetCloneErrorMessageContentForTests() {
370 return SECCOMP_MESSAGE_CLONE_CONTENT;
371}
372
373const char* GetPrctlErrorMessageContentForTests() {
374 return SECCOMP_MESSAGE_PRCTL_CONTENT;
375}
376
377const char* GetIoctlErrorMessageContentForTests() {
378 return SECCOMP_MESSAGE_IOCTL_CONTENT;
379}
380
381const char* GetKillErrorMessageContentForTests() {
382 return SECCOMP_MESSAGE_KILL_CONTENT;
383}
384
385const char* GetFutexErrorMessageContentForTests() {
386 return SECCOMP_MESSAGE_FUTEX_CONTENT;
387}
388
389} // namespace sandbox.