DPDK patches and discussions
 help / color / mirror / Atom feed
From: Bruce Richardson <bruce.richardson@intel.com>
To: thomas@monjalon.net
Cc: dev@dpdk.org, Bruce Richardson <bruce.richardson@intel.com>
Subject: [dpdk-dev] [PATCH v3 3/4] eal: forbid loading drivers from insecure paths
Date: Fri,  3 Jul 2020 11:23:31 +0100	[thread overview]
Message-ID: <20200703102332.1101232-4-bruce.richardson@intel.com> (raw)
In-Reply-To: <20200703102332.1101232-1-bruce.richardson@intel.com>

Any paths on the system which are world-writable are insecure and should
not be used for loading drivers. Therefore, whenever an absolute or
relative driver path is passed to EAL, check for world-writability and
don't load any drivers from that path if it is insecure. Drivers loaded
from system locations i.e. those passed without any path info and found
automatically by the loader, are excluded from these checks as system paths
are assumed to be secure.

Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
---
v3: add exception for case where we don't have a relative/absolute
    path we can access. Just assume system directories are secure.
---
 lib/librte_eal/common/eal_common_options.c | 85 ++++++++++++++++++++--
 1 file changed, 77 insertions(+), 8 deletions(-)

diff --git a/lib/librte_eal/common/eal_common_options.c b/lib/librte_eal/common/eal_common_options.c
index 176a98561..6c63b9364 100644
--- a/lib/librte_eal/common/eal_common_options.c
+++ b/lib/librte_eal/common/eal_common_options.c
@@ -15,6 +15,7 @@
 #include <getopt.h>
 #ifndef RTE_EXEC_ENV_WINDOWS
 #include <dlfcn.h>
+#include <libgen.h>
 #endif
 #include <sys/types.h>
 #include <sys/stat.h>
@@ -358,7 +359,14 @@ eal_plugin_add(const char *path)
 	return 0;
 }
 
-#ifndef RTE_EXEC_ENV_WINDOWS
+#ifdef RTE_EXEC_ENV_WINDOWS
+int
+eal_plugins_init(void)
+{
+	return 0;
+}
+#else
+
 static int
 eal_plugindir_init(const char *path)
 {
@@ -398,12 +406,75 @@ eal_plugindir_init(const char *path)
 	/* XXX this ignores failures from readdir() itself */
 	return (dent == NULL) ? 0 : -1;
 }
-#endif
+
+static int
+verify_perms(const char *dirpath)
+{
+	struct stat st;
+
+	/* if not root, check down one level first */
+	if (strcmp(dirpath, "/") != 0) {
+		char copy[PATH_MAX];
+
+		strlcpy(copy, dirpath, PATH_MAX);
+		if (verify_perms(dirname(copy)) != 0)
+			return -1;
+	}
+
+	/* call stat to check for permissions and ensure not world writable */
+	if (stat(dirpath, &st) != 0) {
+		RTE_LOG(ERR, EAL, "Error with stat on %s, %s\n",
+				dirpath, strerror(errno));
+		return -1;
+	}
+	if (st.st_mode & S_IWOTH) {
+		RTE_LOG(ERR, EAL,
+				"Error, directory path %s is world-writable and insecure\n",
+				dirpath);
+		return -1;
+	}
+
+	return 0;
+}
+
+static void *
+eal_dlopen(const char *pathname)
+{
+	void *retval = NULL;
+	char *realp = realpath(pathname, NULL);
+
+	if (realp == NULL && errno == ENOENT) {
+		/* not a full or relative path, try a load from system dirs */
+		retval = dlopen(pathname, RTLD_NOW);
+		if (retval == NULL)
+			RTE_LOG(ERR, EAL, "%s\n", dlerror());
+		return retval;
+	}
+	if (realp == NULL) {
+		RTE_LOG(ERR, EAL, "Error with realpath for %s, %s\n",
+				pathname, strerror(errno));
+		goto out;
+	}
+	if (strnlen(realp, PATH_MAX) == PATH_MAX) {
+		RTE_LOG(ERR, EAL, "Error, driver path greater than PATH_MAX\n");
+		goto out;
+	}
+
+	/* do permissions checks */
+	if (verify_perms(realp) != 0)
+		goto out;
+
+	retval = dlopen(realp, RTLD_NOW);
+	if (retval == NULL)
+		RTE_LOG(ERR, EAL, "%s\n", dlerror());
+out:
+	free(realp);
+	return retval;
+}
 
 int
 eal_plugins_init(void)
 {
-#ifndef RTE_EXEC_ENV_WINDOWS
 	struct shared_driver *solib = NULL;
 	struct stat sb;
 
@@ -423,17 +494,15 @@ eal_plugins_init(void)
 		} else {
 			RTE_LOG(DEBUG, EAL, "open shared lib %s\n",
 				solib->name);
-			solib->lib_handle = dlopen(solib->name, RTLD_NOW);
-			if (solib->lib_handle == NULL) {
-				RTE_LOG(ERR, EAL, "%s\n", dlerror());
+			solib->lib_handle = eal_dlopen(solib->name);
+			if (solib->lib_handle == NULL)
 				return -1;
-			}
 		}
 
 	}
-#endif
 	return 0;
 }
+#endif
 
 /*
  * Parse the coremask given as argument (hexadecimal string) and fill
-- 
2.25.1


  parent reply	other threads:[~2020-07-03 10:24 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-06-18 13:50 [dpdk-dev] [PATCH 0/4] improve runtime loading of shared drivers Bruce Richardson
2020-06-18 13:50 ` [dpdk-dev] [PATCH 1/4] eal: remove unnecessary null-termination Bruce Richardson
2020-06-18 13:50 ` [dpdk-dev] [PATCH 2/4] eal: only load shared libs from driver plugin directory Bruce Richardson
2020-06-18 13:50 ` [dpdk-dev] [PATCH 3/4] eal: don't load drivers from insecure paths Bruce Richardson
2020-06-18 13:50 ` [dpdk-dev] [PATCH 4/4] eal: cache last directory permissions checked Bruce Richardson
2020-06-22 14:33 ` [dpdk-dev] [PATCH v2 0/4] improve runtime loading of shared drivers Bruce Richardson
2020-06-22 14:33   ` [dpdk-dev] [PATCH v2 1/4] eal: remove unnecessary null-termination Bruce Richardson
2020-06-22 14:33   ` [dpdk-dev] [PATCH v2 2/4] eal: only load shared libs from driver plugin directory Bruce Richardson
2020-06-22 14:33   ` [dpdk-dev] [PATCH v2 3/4] eal: don't load drivers from insecure paths Bruce Richardson
2020-06-22 14:33   ` [dpdk-dev] [PATCH v2 4/4] eal: cache last directory permissions checked Bruce Richardson
2020-07-02 21:13   ` [dpdk-dev] [PATCH v2 0/4] improve runtime loading of shared drivers Thomas Monjalon
2020-07-03 10:25     ` Bruce Richardson
2020-07-02 21:16   ` Thomas Monjalon
2020-07-03  8:33     ` Bruce Richardson
2020-07-03 10:23 ` [dpdk-dev] [PATCH v3 " Bruce Richardson
2020-07-03 10:23   ` [dpdk-dev] [PATCH v3 1/4] eal: remove unnecessary null-termination in plugin path Bruce Richardson
2020-07-03 10:23   ` [dpdk-dev] [PATCH v3 2/4] eal: load only shared libs from driver plugin directories Bruce Richardson
2020-07-03 10:23   ` Bruce Richardson [this message]
2020-07-03 10:23   ` [dpdk-dev] [PATCH v3 4/4] eal: cache last directory permissions checked Bruce Richardson
2020-07-05 17:50   ` [dpdk-dev] [PATCH v3 0/4] improve runtime loading of shared drivers Thomas Monjalon

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200703102332.1101232-4-bruce.richardson@intel.com \
    --to=bruce.richardson@intel.com \
    --cc=dev@dpdk.org \
    --cc=thomas@monjalon.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).