nptl/nptl_setxid.c

   1 /* Copyright (C) 2002-2021 Free Software Foundation, Inc.
   2    This file is part of the GNU C Library.
   3    Contributed by Ulrich Drepper <drepper@redhat.com>, 2002.
   4
   5    The GNU C Library is free software; you can redistribute it and/or
   6    modify it under the terms of the GNU Lesser General Public
   7    License as published by the Free Software Foundation; either
   8    version 2.1 of the License, or (at your option) any later version.
   9
  10    The GNU C Library is distributed in the hope that it will be useful,
  11    but WITHOUT ANY WARRANTY; without even the implied warranty of
  12    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  13    Lesser General Public License for more details.
  14
  15    You should have received a copy of the GNU Lesser General Public
  16    License along with the GNU C Library; if not, see
  17    <https://www.gnu.org/licenses/>.  */
  18
  19 #include <futex-internal.h>
  20 #include <ldsodefs.h>
  21 #include <list.h>
  22 #include <lowlevellock.h>
  23 #include <pthreadP.h>
  24 #include <unistd.h>
  25
  26 /* Check for consistency across set*id system call results.  The abort
  27    should not happen as long as all privileges changes happen through
  28    the glibc wrappers.  ERROR must be 0 (no error) or an errno
  29    code.  */
  30 static void
  31 setxid_error (struct xid_command *cmdp, int error)
  32 {
  33   do
  34     {
  35       int olderror = cmdp->error;
  36       if (olderror == error)
  37         break;
  38       if (olderror != -1)
  39         {
  40           /* Mismatch between current and previous results.  Save the
  41              error value to memory so that is not clobbered by the
  42              abort function and preserved in coredumps.  */
  43           volatile int xid_err __attribute__ ((unused)) = error;
  44           abort ();
  45         }
  46     }
  47   while (atomic_compare_and_exchange_bool_acq (&cmdp->error, error, -1));
  48 }
  49
  50 /* Set by __nptl_setxid and used by __nptl_setxid_sighandler.  */
  51 static struct xid_command *xidcmd;
  52
  53 /* We use the SIGSETXID signal in the setuid, setgid, etc. implementations to
  54    tell each thread to call the respective setxid syscall on itself.  This is
  55    the handler.  */
  56 void
  57 __nptl_setxid_sighandler (int sig, siginfo_t *si, void *ctx)
  58 {
  59   int result;
  60
  61   /* Safety check.  It would be possible to call this function for
  62      other signals and send a signal from another process.  This is not
  63      correct and might even be a security problem.  Try to catch as
  64      many incorrect invocations as possible.  */
  65   if (sig != SIGSETXID
  66       || si->si_pid != __getpid ()
  67       || si->si_code != SI_TKILL)
  68     return;
  69
  70   result = INTERNAL_SYSCALL_NCS (xidcmd->syscall_no, 3, xidcmd->id[0],
  71                                  xidcmd->id[1], xidcmd->id[2]);
  72   int error = 0;
  73   if (__glibc_unlikely (INTERNAL_SYSCALL_ERROR_P (result)))
  74     error = INTERNAL_SYSCALL_ERRNO (result);
  75   setxid_error (xidcmd, error);
  76
  77   /* Reset the SETXID flag.  */
  78   struct pthread *self = THREAD_SELF;
  79   int flags, newval;
  80   do
  81     {
  82       flags = THREAD_GETMEM (self, cancelhandling);
  83       newval = THREAD_ATOMIC_CMPXCHG_VAL (self, cancelhandling,
  84                                           flags & ~SETXID_BITMASK, flags);
  85     }
  86   while (flags != newval);
  87
  88   /* And release the futex.  */
  89   self->setxid_futex = 1;
  90   futex_wake (&self->setxid_futex, 1, FUTEX_PRIVATE);
  91
  92   if (atomic_decrement_val (&xidcmd->cntr) == 0)
  93     futex_wake ((unsigned int *) &xidcmd->cntr, 1, FUTEX_PRIVATE);
  94 }
  95 libc_hidden_def (__nptl_setxid_sighandler)
  96
  97 static void
  98 setxid_mark_thread (struct xid_command *cmdp, struct pthread *t)
  99 {
 100   int ch;
 101
 102   /* Wait until this thread is cloned.  */
 103   if (t->setxid_futex == -1
 104       && ! atomic_compare_and_exchange_bool_acq (&t->setxid_futex, -2, -1))
 105     do
 106       futex_wait_simple (&t->setxid_futex, -2, FUTEX_PRIVATE);
 107     while (t->setxid_futex == -2);
 108
 109   /* Don't let the thread exit before the setxid handler runs.  */
 110   t->setxid_futex = 0;
 111
 112   do
 113     {
 114       ch = t->cancelhandling;
 115
 116       /* If the thread is exiting right now, ignore it.  */
 117       if ((ch & EXITING_BITMASK) != 0)
 118         {
 119           /* Release the futex if there is no other setxid in
 120              progress.  */
 121           if ((ch & SETXID_BITMASK) == 0)
 122             {
 123               t->setxid_futex = 1;
 124               futex_wake (&t->setxid_futex, 1, FUTEX_PRIVATE);
 125             }
 126           return;
 127         }
 128     }
 129   while (atomic_compare_and_exchange_bool_acq (&t->cancelhandling,
 130                                                ch | SETXID_BITMASK, ch));
 131 }
 132
 133
 134 static void
 135 setxid_unmark_thread (struct xid_command *cmdp, struct pthread *t)
 136 {
 137   int ch;
 138
 139   do
 140     {
 141       ch = t->cancelhandling;
 142       if ((ch & SETXID_BITMASK) == 0)
 143         return;
 144     }
 145   while (atomic_compare_and_exchange_bool_acq (&t->cancelhandling,
 146                                                ch & ~SETXID_BITMASK, ch));
 147
 148   /* Release the futex just in case.  */
 149   t->setxid_futex = 1;
 150   futex_wake (&t->setxid_futex, 1, FUTEX_PRIVATE);
 151 }
 152
 153
 154 static int
 155 setxid_signal_thread (struct xid_command *cmdp, struct pthread *t)
 156 {
 157   if ((t->cancelhandling & SETXID_BITMASK) == 0)
 158     return 0;
 159
 160   int val;
 161   pid_t pid = __getpid ();
 162   val = INTERNAL_SYSCALL_CALL (tgkill, pid, t->tid, SIGSETXID);
 163
 164   /* If this failed, it must have had not started yet or else exited.  */
 165   if (!INTERNAL_SYSCALL_ERROR_P (val))
 166     {
 167       atomic_increment (&cmdp->cntr);
 168       return 1;
 169     }
 170   else
 171     return 0;
 172 }
 173
 174 int
 175 attribute_hidden
 176 __nptl_setxid (struct xid_command *cmdp)
 177 {
 178   int signalled;
 179   int result;
 180   lll_lock (GL (dl_stack_cache_lock), LLL_PRIVATE);
 181
 182   xidcmd = cmdp;
 183   cmdp->cntr = 0;
 184   cmdp->error = -1;
 185
 186   struct pthread *self = THREAD_SELF;
 187
 188   /* Iterate over the list with system-allocated threads first.  */
 189   list_t *runp;
 190   list_for_each (runp, &GL (dl_stack_used))
 191     {
 192       struct pthread *t = list_entry (runp, struct pthread, list);
 193       if (t == self)
 194         continue;
 195
 196       setxid_mark_thread (cmdp, t);
 197     }
 198
 199   /* Now the list with threads using user-allocated stacks.  */
 200   list_for_each (runp, &GL (dl_stack_user))
 201     {
 202       struct pthread *t = list_entry (runp, struct pthread, list);
 203       if (t == self)
 204         continue;
 205
 206       setxid_mark_thread (cmdp, t);
 207     }
 208
 209   /* Iterate until we don't succeed in signalling anyone.  That means
 210      we have gotten all running threads, and their children will be
 211      automatically correct once started.  */
 212   do
 213     {
 214       signalled = 0;
 215
 216       list_for_each (runp, &GL (dl_stack_used))
 217         {
 218           struct pthread *t = list_entry (runp, struct pthread, list);
 219           if (t == self)
 220             continue;
 221
 222           signalled += setxid_signal_thread (cmdp, t);
 223         }
 224
 225       list_for_each (runp, &GL (dl_stack_user))
 226         {
 227           struct pthread *t = list_entry (runp, struct pthread, list);
 228           if (t == self)
 229             continue;
 230
 231           signalled += setxid_signal_thread (cmdp, t);
 232         }
 233
 234       int cur = cmdp->cntr;
 235       while (cur != 0)
 236         {
 237           futex_wait_simple ((unsigned int *) &cmdp->cntr, cur,
 238                              FUTEX_PRIVATE);
 239           cur = cmdp->cntr;
 240         }
 241     }
 242   while (signalled != 0);
 243
 244   /* Clean up flags, so that no thread blocks during exit waiting
 245      for a signal which will never come.  */
 246   list_for_each (runp, &GL (dl_stack_used))
 247     {
 248       struct pthread *t = list_entry (runp, struct pthread, list);
 249       if (t == self)
 250         continue;
 251
 252       setxid_unmark_thread (cmdp, t);
 253     }
 254
 255   list_for_each (runp, &GL (dl_stack_user))
 256     {
 257       struct pthread *t = list_entry (runp, struct pthread, list);
 258       if (t == self)
 259         continue;
 260
 261       setxid_unmark_thread (cmdp, t);
 262     }
 263
 264   /* This must be last, otherwise the current thread might not have
 265      permissions to send SIGSETXID syscall to the other threads.  */
 266   result = INTERNAL_SYSCALL_NCS (cmdp->syscall_no, 3,
 267                                  cmdp->id[0], cmdp->id[1], cmdp->id[2]);
 268   int error = 0;
 269   if (__glibc_unlikely (INTERNAL_SYSCALL_ERROR_P (result)))
 270     {
 271       error = INTERNAL_SYSCALL_ERRNO (result);
 272       __set_errno (error);
 273       result = -1;
 274     }
 275   setxid_error (cmdp, error);
 276
 277   lll_unlock (GL (dl_stack_cache_lock), LLL_PRIVATE);
 278   return result;
 279 }