LibC: Don't honor LIBC_* malloc debugging flags in AT_SECURE context

Just ignore all these environment flags if the AT_SECURE flag is set in the program's auxiliary vector. This prevents a user from tricking set-uid programs into dumping debug information via environment flags.
2025-05-31 13:38:11 +00:00 · 2021-01-31 14:31:13 +01:00 · 2021-01-31 14:31:13 +01:00 · fc4eae87f8
commit fc4eae87f8
parent 9984201634
3 changed files with 35 additions and 6 deletions
--- a/Userland/Libraries/LibC/malloc.cpp
+++ b/Userland/Libraries/LibC/malloc.cpp
@ -29,6 +29,7 @@
 #include <AK/LogStream.h>
 #include <AK/ScopedValueRollback.h>
 #include <AK/Vector.h>
+#include <LibELF/AuxiliaryVector.h>
 #include <LibThread/Lock.h>
 #include <assert.h>
 #include <mallocdefs.h>
@ -430,13 +431,14 @@ void* realloc(void* ptr, size_t size)
 void __malloc_init()
 {
    new (&malloc_lock()) LibThread::Lock();
-    if (getenv("LIBC_NOSCRUB_MALLOC"))
+
+    if (secure_getenv("LIBC_NOSCRUB_MALLOC"))
        s_scrub_malloc = false;
-    if (getenv("LIBC_NOSCRUB_FREE"))
+    if (secure_getenv("LIBC_NOSCRUB_FREE"))
        s_scrub_free = false;
-    if (getenv("LIBC_LOG_MALLOC"))
+    if (secure_getenv("LIBC_LOG_MALLOC"))
        s_log_malloc = true;
-    if (getenv("LIBC_PROFILE_MALLOC"))
+    if (secure_getenv("LIBC_PROFILE_MALLOC"))
        s_profiling = true;

    for (size_t i = 0; i < num_size_classes; ++i) {
--- a/Userland/Libraries/LibC/stdlib.cpp
+++ b/Userland/Libraries/LibC/stdlib.cpp
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018-2020, Andreas Kling <kling@serenityos.org>
+ * Copyright (c) 2018-2021, Andreas Kling <kling@serenityos.org>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@ -31,6 +31,7 @@
 #include <AK/Types.h>
 #include <AK/Utf8View.h>
 #include <Kernel/API/Syscall.h>
+#include <LibELF/AuxiliaryVector.h>
 #include <alloca.h>
 #include <assert.h>
 #include <ctype.h>
@ -195,11 +196,27 @@ inline int generate_unique_filename(char* pattern, Callback callback)

 extern "C" {

+long getauxval(long type)
+{
+    errno = 0;
+    char** env;
+    for (env = environ; *env; ++env) {
+    }
+
+    auxv_t* auxvp = (auxv_t*)++env;
+    for (; auxvp->a_type != AT_NULL; ++auxvp) {
+        if (auxvp->a_type == type)
+            return auxvp->a_un.a_val;
+    }
+    errno = ENOENT;
+    return 0;
+}
+
 void exit(int status)
 {
    __cxa_finalize(nullptr);

-    if (getenv("LIBC_DUMP_MALLOC_STATS"))
+    if (secure_getenv("LIBC_DUMP_MALLOC_STATS"))
        serenity_dump_malloc_stats();

    extern void _fini();
@ -256,6 +273,13 @@ char* getenv(const char* name)
    return nullptr;
 }

+char* secure_getenv(const char* name)
+{
+    if (getauxval(AT_SECURE))
+        return nullptr;
+    return getenv(name);
+}
+
 int unsetenv(const char* name)
 {
    auto new_var_len = strlen(name);
--- a/Userland/Libraries/LibC/stdlib.h
+++ b/Userland/Libraries/LibC/stdlib.h
@ -45,6 +45,7 @@ void serenity_dump_malloc_stats(void);
 void free(void*);
 __attribute__((alloc_size(2))) void* realloc(void* ptr, size_t);
 char* getenv(const char* name);
+char* secure_getenv(const char* name);
 int putenv(char*);
 int unsetenv(const char*);
 int clearenv(void);
@ -106,4 +107,6 @@ int posix_openpt(int flags);
 int grantpt(int fd);
 int unlockpt(int fd);

+long getauxval(long type);
+
 __END_DECLS