Alex Vakulenko | f602473 | 2016-01-22 16:52:43 -0800 | [diff] [blame] | 1 | // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 | // Use of this source code is governed by a BSD-style license that can be |
| 3 | // found in the LICENSE file. |
| 4 | |
| 5 | // Note: any code in this file MUST be async-signal safe. |
| 6 | |
| 7 | #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" |
| 8 | |
Alex Vakulenko | 2485474 | 2016-01-22 16:55:13 -0800 | [diff] [blame] | 9 | #include <stddef.h> |
| 10 | #include <stdint.h> |
Alex Vakulenko | f602473 | 2016-01-22 16:52:43 -0800 | [diff] [blame] | 11 | #include <sys/syscall.h> |
| 12 | #include <unistd.h> |
| 13 | |
Jay Civelli | 3a83cdd | 2017-03-22 17:31:44 -0700 | [diff] [blame^] | 14 | #include "base/debug/crash_logging.h" |
Alex Vakulenko | f602473 | 2016-01-22 16:52:43 -0800 | [diff] [blame] | 15 | #include "base/logging.h" |
| 16 | #include "base/posix/eintr_wrapper.h" |
| 17 | #include "build/build_config.h" |
| 18 | #include "sandbox/linux/bpf_dsl/bpf_dsl.h" |
| 19 | #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
| 20 | #include "sandbox/linux/seccomp-bpf/syscall.h" |
| 21 | #include "sandbox/linux/services/syscall_wrappers.h" |
| 22 | #include "sandbox/linux/system_headers/linux_syscalls.h" |
| 23 | |
| 24 | #if defined(__mips__) |
| 25 | // __NR_Linux, is defined in <asm/unistd.h>. |
| 26 | #include <asm/unistd.h> |
| 27 | #endif |
| 28 | |
| 29 | #define SECCOMP_MESSAGE_COMMON_CONTENT "seccomp-bpf failure" |
| 30 | #define SECCOMP_MESSAGE_CLONE_CONTENT "clone() failure" |
| 31 | #define SECCOMP_MESSAGE_PRCTL_CONTENT "prctl() failure" |
| 32 | #define SECCOMP_MESSAGE_IOCTL_CONTENT "ioctl() failure" |
| 33 | #define SECCOMP_MESSAGE_KILL_CONTENT "(tg)kill() failure" |
| 34 | #define SECCOMP_MESSAGE_FUTEX_CONTENT "futex() failure" |
| 35 | |
| 36 | namespace { |
| 37 | |
| 38 | inline bool IsArchitectureX86_64() { |
| 39 | #if defined(__x86_64__) |
| 40 | return true; |
| 41 | #else |
| 42 | return false; |
| 43 | #endif |
| 44 | } |
| 45 | |
| 46 | // Write |error_message| to stderr. Similar to RawLog(), but a bit more careful |
| 47 | // about async-signal safety. |size| is the size to write and should typically |
| 48 | // not include a terminating \0. |
| 49 | void WriteToStdErr(const char* error_message, size_t size) { |
| 50 | while (size > 0) { |
| 51 | // TODO(jln): query the current policy to check if send() is available and |
| 52 | // use it to perform a non-blocking write. |
Jay Civelli | 3a83cdd | 2017-03-22 17:31:44 -0700 | [diff] [blame^] | 53 | const int ret = HANDLE_EINTR( |
| 54 | sandbox::sys_write(STDERR_FILENO, error_message, size)); |
Alex Vakulenko | f602473 | 2016-01-22 16:52:43 -0800 | [diff] [blame] | 55 | // We can't handle any type of error here. |
| 56 | if (ret <= 0 || static_cast<size_t>(ret) > size) break; |
| 57 | size -= ret; |
| 58 | error_message += ret; |
| 59 | } |
| 60 | } |
| 61 | |
| 62 | // Invalid syscall values are truncated to zero. |
| 63 | // On architectures where base value is zero (Intel and Arm), |
| 64 | // syscall number is the same as offset from base. |
| 65 | // This function returns values between 0 and 1023 on all architectures. |
| 66 | // On architectures where base value is different than zero (currently only |
| 67 | // Mips), we are truncating valid syscall values to offset from base. |
| 68 | uint32_t SyscallNumberToOffsetFromBase(uint32_t sysno) { |
| 69 | #if defined(__mips__) |
| 70 | // On MIPS syscall numbers are in different range than on x86 and ARM. |
| 71 | // Valid MIPS O32 ABI syscall __NR_syscall will be truncated to zero for |
| 72 | // simplicity. |
| 73 | sysno = sysno - __NR_Linux; |
| 74 | #endif |
| 75 | |
| 76 | if (sysno >= 1024) |
| 77 | sysno = 0; |
| 78 | |
| 79 | return sysno; |
| 80 | } |
| 81 | |
| 82 | // Print a seccomp-bpf failure to handle |sysno| to stderr in an |
| 83 | // async-signal safe way. |
| 84 | void PrintSyscallError(uint32_t sysno) { |
| 85 | if (sysno >= 1024) |
| 86 | sysno = 0; |
| 87 | // TODO(markus): replace with async-signal safe snprintf when available. |
| 88 | const size_t kNumDigits = 4; |
| 89 | char sysno_base10[kNumDigits]; |
| 90 | uint32_t rem = sysno; |
| 91 | uint32_t mod = 0; |
| 92 | for (int i = kNumDigits - 1; i >= 0; i--) { |
| 93 | mod = rem % 10; |
| 94 | rem /= 10; |
| 95 | sysno_base10[i] = '0' + mod; |
| 96 | } |
Jay Civelli | 3a83cdd | 2017-03-22 17:31:44 -0700 | [diff] [blame^] | 97 | |
Alex Vakulenko | f602473 | 2016-01-22 16:52:43 -0800 | [diff] [blame] | 98 | #if defined(__mips__) && (_MIPS_SIM == _MIPS_SIM_ABI32) |
| 99 | static const char kSeccompErrorPrefix[] = __FILE__ |
| 100 | ":**CRASHING**:" SECCOMP_MESSAGE_COMMON_CONTENT " in syscall 4000 + "; |
| 101 | #else |
| 102 | static const char kSeccompErrorPrefix[] = |
| 103 | __FILE__":**CRASHING**:" SECCOMP_MESSAGE_COMMON_CONTENT " in syscall "; |
| 104 | #endif |
| 105 | static const char kSeccompErrorPostfix[] = "\n"; |
| 106 | WriteToStdErr(kSeccompErrorPrefix, sizeof(kSeccompErrorPrefix) - 1); |
| 107 | WriteToStdErr(sysno_base10, sizeof(sysno_base10)); |
| 108 | WriteToStdErr(kSeccompErrorPostfix, sizeof(kSeccompErrorPostfix) - 1); |
| 109 | } |
| 110 | |
Jay Civelli | 3a83cdd | 2017-03-22 17:31:44 -0700 | [diff] [blame^] | 111 | // Helper to convert a number of type T to a hexadecimal string using |
| 112 | // stack-allocated storage. |
| 113 | template <typename T> |
| 114 | class NumberToHex { |
| 115 | public: |
| 116 | explicit NumberToHex(T value) { |
| 117 | static const char kHexChars[] = "0123456789abcdef"; |
| 118 | |
| 119 | memset(str_, '0', sizeof(str_)); |
| 120 | str_[1] = 'x'; |
| 121 | str_[sizeof(str_) - 1] = '\0'; |
| 122 | |
| 123 | T rem = value; |
| 124 | T mod = 0; |
| 125 | for (size_t i = sizeof(str_) - 2; i >= 2; --i) { |
| 126 | mod = rem % 16; |
| 127 | rem /= 16; |
| 128 | str_[i] = kHexChars[mod]; |
| 129 | } |
| 130 | } |
| 131 | |
| 132 | const char* str() const { return str_; } |
| 133 | |
| 134 | static size_t length() { return sizeof(str_) - 1; } |
| 135 | |
| 136 | private: |
| 137 | // HEX uses two characters per byte, with a leading '0x', and a trailing NUL. |
| 138 | char str_[sizeof(T) * 2 + 3]; |
| 139 | }; |
| 140 | |
| 141 | // Records the syscall number and first four arguments in a crash key, to help |
| 142 | // debug the failure. |
| 143 | void SetSeccompCrashKey(const struct sandbox::arch_seccomp_data& args) { |
| 144 | #if !defined(OS_NACL_NONSFI) |
| 145 | NumberToHex<int> nr(args.nr); |
| 146 | NumberToHex<uint64_t> arg1(args.args[0]); |
| 147 | NumberToHex<uint64_t> arg2(args.args[1]); |
| 148 | NumberToHex<uint64_t> arg3(args.args[2]); |
| 149 | NumberToHex<uint64_t> arg4(args.args[3]); |
| 150 | |
| 151 | // In order to avoid calling into libc sprintf functions from an unsafe signal |
| 152 | // context, manually construct the crash key string. |
| 153 | const char* const prefixes[] = { |
| 154 | "nr=", |
| 155 | " arg1=", |
| 156 | " arg2=", |
| 157 | " arg3=", |
| 158 | " arg4=", |
| 159 | }; |
| 160 | const char* const values[] = { |
| 161 | nr.str(), |
| 162 | arg1.str(), |
| 163 | arg2.str(), |
| 164 | arg3.str(), |
| 165 | arg4.str(), |
| 166 | }; |
| 167 | |
| 168 | size_t crash_key_length = nr.length() + arg1.length() + arg2.length() + |
| 169 | arg3.length() + arg4.length(); |
| 170 | for (auto* prefix : prefixes) { |
| 171 | crash_key_length += strlen(prefix); |
| 172 | } |
| 173 | ++crash_key_length; // For the trailing NUL byte. |
| 174 | |
| 175 | char crash_key[crash_key_length]; |
| 176 | memset(crash_key, '\0', crash_key_length); |
| 177 | |
| 178 | size_t offset = 0; |
| 179 | for (size_t i = 0; i < arraysize(values); ++i) { |
| 180 | const char* strings[2] = { prefixes[i], values[i] }; |
| 181 | for (auto* string : strings) { |
| 182 | size_t string_len = strlen(string); |
| 183 | memmove(&crash_key[offset], string, string_len); |
| 184 | offset += string_len; |
| 185 | } |
| 186 | } |
| 187 | |
| 188 | base::debug::SetCrashKeyValue("seccomp-sigsys", crash_key); |
| 189 | #endif |
| 190 | } |
| 191 | |
| 192 | } // namespace |
Alex Vakulenko | f602473 | 2016-01-22 16:52:43 -0800 | [diff] [blame] | 193 | |
| 194 | namespace sandbox { |
| 195 | |
| 196 | intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux) { |
| 197 | uint32_t syscall = SyscallNumberToOffsetFromBase(args.nr); |
| 198 | |
| 199 | PrintSyscallError(syscall); |
Jay Civelli | 3a83cdd | 2017-03-22 17:31:44 -0700 | [diff] [blame^] | 200 | SetSeccompCrashKey(args); |
Alex Vakulenko | f602473 | 2016-01-22 16:52:43 -0800 | [diff] [blame] | 201 | |
| 202 | // Encode 8-bits of the 1st two arguments too, so we can discern which socket |
| 203 | // type, which fcntl, ... etc., without being likely to hit a mapped |
| 204 | // address. |
| 205 | // Do not encode more bits here without thinking about increasing the |
| 206 | // likelihood of collision with mapped pages. |
| 207 | syscall |= ((args.args[0] & 0xffUL) << 12); |
| 208 | syscall |= ((args.args[1] & 0xffUL) << 20); |
| 209 | // Purposefully dereference the syscall as an address so it'll show up very |
| 210 | // clearly and easily in crash dumps. |
| 211 | volatile char* addr = reinterpret_cast<volatile char*>(syscall); |
| 212 | *addr = '\0'; |
| 213 | // In case we hit a mapped address, hit the null page with just the syscall, |
| 214 | // for paranoia. |
| 215 | syscall &= 0xfffUL; |
| 216 | addr = reinterpret_cast<volatile char*>(syscall); |
| 217 | *addr = '\0'; |
| 218 | for (;;) |
| 219 | _exit(1); |
| 220 | } |
| 221 | |
| 222 | // TODO(jln): refactor the reporting functions. |
| 223 | |
| 224 | intptr_t SIGSYSCloneFailure(const struct arch_seccomp_data& args, void* aux) { |
| 225 | static const char kSeccompCloneError[] = |
| 226 | __FILE__":**CRASHING**:" SECCOMP_MESSAGE_CLONE_CONTENT "\n"; |
| 227 | WriteToStdErr(kSeccompCloneError, sizeof(kSeccompCloneError) - 1); |
Jay Civelli | 3a83cdd | 2017-03-22 17:31:44 -0700 | [diff] [blame^] | 228 | SetSeccompCrashKey(args); |
Alex Vakulenko | f602473 | 2016-01-22 16:52:43 -0800 | [diff] [blame] | 229 | // "flags" is the first argument in the kernel's clone(). |
| 230 | // Mark as volatile to be able to find the value on the stack in a minidump. |
| 231 | volatile uint64_t clone_flags = args.args[0]; |
| 232 | volatile char* addr; |
| 233 | if (IsArchitectureX86_64()) { |
| 234 | addr = reinterpret_cast<volatile char*>(clone_flags & 0xFFFFFF); |
| 235 | *addr = '\0'; |
| 236 | } |
| 237 | // Hit the NULL page if this fails to fault. |
| 238 | addr = reinterpret_cast<volatile char*>(clone_flags & 0xFFF); |
| 239 | *addr = '\0'; |
| 240 | for (;;) |
| 241 | _exit(1); |
| 242 | } |
| 243 | |
| 244 | intptr_t SIGSYSPrctlFailure(const struct arch_seccomp_data& args, |
| 245 | void* /* aux */) { |
| 246 | static const char kSeccompPrctlError[] = |
| 247 | __FILE__":**CRASHING**:" SECCOMP_MESSAGE_PRCTL_CONTENT "\n"; |
| 248 | WriteToStdErr(kSeccompPrctlError, sizeof(kSeccompPrctlError) - 1); |
Jay Civelli | 3a83cdd | 2017-03-22 17:31:44 -0700 | [diff] [blame^] | 249 | SetSeccompCrashKey(args); |
Alex Vakulenko | f602473 | 2016-01-22 16:52:43 -0800 | [diff] [blame] | 250 | // Mark as volatile to be able to find the value on the stack in a minidump. |
| 251 | volatile uint64_t option = args.args[0]; |
| 252 | volatile char* addr = |
| 253 | reinterpret_cast<volatile char*>(option & 0xFFF); |
| 254 | *addr = '\0'; |
| 255 | for (;;) |
| 256 | _exit(1); |
| 257 | } |
| 258 | |
| 259 | intptr_t SIGSYSIoctlFailure(const struct arch_seccomp_data& args, |
| 260 | void* /* aux */) { |
| 261 | static const char kSeccompIoctlError[] = |
| 262 | __FILE__":**CRASHING**:" SECCOMP_MESSAGE_IOCTL_CONTENT "\n"; |
| 263 | WriteToStdErr(kSeccompIoctlError, sizeof(kSeccompIoctlError) - 1); |
Jay Civelli | 3a83cdd | 2017-03-22 17:31:44 -0700 | [diff] [blame^] | 264 | SetSeccompCrashKey(args); |
Alex Vakulenko | f602473 | 2016-01-22 16:52:43 -0800 | [diff] [blame] | 265 | // Make "request" volatile so that we can see it on the stack in a minidump. |
| 266 | volatile uint64_t request = args.args[1]; |
| 267 | volatile char* addr = reinterpret_cast<volatile char*>(request & 0xFFFF); |
| 268 | *addr = '\0'; |
| 269 | // Hit the NULL page if this fails. |
| 270 | addr = reinterpret_cast<volatile char*>(request & 0xFFF); |
| 271 | *addr = '\0'; |
| 272 | for (;;) |
| 273 | _exit(1); |
| 274 | } |
| 275 | |
| 276 | intptr_t SIGSYSKillFailure(const struct arch_seccomp_data& args, |
| 277 | void* /* aux */) { |
| 278 | static const char kSeccompKillError[] = |
| 279 | __FILE__":**CRASHING**:" SECCOMP_MESSAGE_KILL_CONTENT "\n"; |
| 280 | WriteToStdErr(kSeccompKillError, sizeof(kSeccompKillError) - 1); |
Jay Civelli | 3a83cdd | 2017-03-22 17:31:44 -0700 | [diff] [blame^] | 281 | SetSeccompCrashKey(args); |
Alex Vakulenko | f602473 | 2016-01-22 16:52:43 -0800 | [diff] [blame] | 282 | // Make "pid" volatile so that we can see it on the stack in a minidump. |
| 283 | volatile uint64_t my_pid = sys_getpid(); |
| 284 | volatile char* addr = reinterpret_cast<volatile char*>(my_pid & 0xFFF); |
| 285 | *addr = '\0'; |
| 286 | for (;;) |
| 287 | _exit(1); |
| 288 | } |
| 289 | |
| 290 | intptr_t SIGSYSFutexFailure(const struct arch_seccomp_data& args, |
| 291 | void* /* aux */) { |
| 292 | static const char kSeccompFutexError[] = |
| 293 | __FILE__ ":**CRASHING**:" SECCOMP_MESSAGE_FUTEX_CONTENT "\n"; |
| 294 | WriteToStdErr(kSeccompFutexError, sizeof(kSeccompFutexError) - 1); |
Jay Civelli | 3a83cdd | 2017-03-22 17:31:44 -0700 | [diff] [blame^] | 295 | SetSeccompCrashKey(args); |
Alex Vakulenko | f602473 | 2016-01-22 16:52:43 -0800 | [diff] [blame] | 296 | volatile int futex_op = args.args[1]; |
| 297 | volatile char* addr = reinterpret_cast<volatile char*>(futex_op & 0xFFF); |
| 298 | *addr = '\0'; |
| 299 | for (;;) |
| 300 | _exit(1); |
| 301 | } |
| 302 | |
| 303 | intptr_t SIGSYSSchedHandler(const struct arch_seccomp_data& args, |
| 304 | void* aux) { |
| 305 | switch (args.nr) { |
| 306 | case __NR_sched_getaffinity: |
| 307 | case __NR_sched_getattr: |
| 308 | case __NR_sched_getparam: |
| 309 | case __NR_sched_getscheduler: |
| 310 | case __NR_sched_rr_get_interval: |
| 311 | case __NR_sched_setaffinity: |
| 312 | case __NR_sched_setattr: |
| 313 | case __NR_sched_setparam: |
| 314 | case __NR_sched_setscheduler: |
| 315 | const pid_t tid = sys_gettid(); |
| 316 | // The first argument is the pid. If is our thread id, then replace it |
| 317 | // with 0, which is equivalent and allowed by the policy. |
| 318 | if (args.args[0] == static_cast<uint64_t>(tid)) { |
| 319 | return Syscall::Call(args.nr, |
| 320 | 0, |
| 321 | static_cast<intptr_t>(args.args[1]), |
| 322 | static_cast<intptr_t>(args.args[2]), |
| 323 | static_cast<intptr_t>(args.args[3]), |
| 324 | static_cast<intptr_t>(args.args[4]), |
| 325 | static_cast<intptr_t>(args.args[5])); |
| 326 | } |
| 327 | break; |
| 328 | } |
| 329 | |
| 330 | CrashSIGSYS_Handler(args, aux); |
| 331 | |
| 332 | // Should never be reached. |
| 333 | RAW_CHECK(false); |
| 334 | return -ENOSYS; |
| 335 | } |
| 336 | |
| 337 | bpf_dsl::ResultExpr CrashSIGSYS() { |
| 338 | return bpf_dsl::Trap(CrashSIGSYS_Handler, NULL); |
| 339 | } |
| 340 | |
| 341 | bpf_dsl::ResultExpr CrashSIGSYSClone() { |
| 342 | return bpf_dsl::Trap(SIGSYSCloneFailure, NULL); |
| 343 | } |
| 344 | |
| 345 | bpf_dsl::ResultExpr CrashSIGSYSPrctl() { |
| 346 | return bpf_dsl::Trap(SIGSYSPrctlFailure, NULL); |
| 347 | } |
| 348 | |
| 349 | bpf_dsl::ResultExpr CrashSIGSYSIoctl() { |
| 350 | return bpf_dsl::Trap(SIGSYSIoctlFailure, NULL); |
| 351 | } |
| 352 | |
| 353 | bpf_dsl::ResultExpr CrashSIGSYSKill() { |
| 354 | return bpf_dsl::Trap(SIGSYSKillFailure, NULL); |
| 355 | } |
| 356 | |
| 357 | bpf_dsl::ResultExpr CrashSIGSYSFutex() { |
| 358 | return bpf_dsl::Trap(SIGSYSFutexFailure, NULL); |
| 359 | } |
| 360 | |
| 361 | bpf_dsl::ResultExpr RewriteSchedSIGSYS() { |
| 362 | return bpf_dsl::Trap(SIGSYSSchedHandler, NULL); |
| 363 | } |
| 364 | |
| 365 | const char* GetErrorMessageContentForTests() { |
| 366 | return SECCOMP_MESSAGE_COMMON_CONTENT; |
| 367 | } |
| 368 | |
| 369 | const char* GetCloneErrorMessageContentForTests() { |
| 370 | return SECCOMP_MESSAGE_CLONE_CONTENT; |
| 371 | } |
| 372 | |
| 373 | const char* GetPrctlErrorMessageContentForTests() { |
| 374 | return SECCOMP_MESSAGE_PRCTL_CONTENT; |
| 375 | } |
| 376 | |
| 377 | const char* GetIoctlErrorMessageContentForTests() { |
| 378 | return SECCOMP_MESSAGE_IOCTL_CONTENT; |
| 379 | } |
| 380 | |
| 381 | const char* GetKillErrorMessageContentForTests() { |
| 382 | return SECCOMP_MESSAGE_KILL_CONTENT; |
| 383 | } |
| 384 | |
| 385 | const char* GetFutexErrorMessageContentForTests() { |
| 386 | return SECCOMP_MESSAGE_FUTEX_CONTENT; |
| 387 | } |
| 388 | |
| 389 | } // namespace sandbox. |