From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id 52A8CA0519; Fri, 3 Jul 2020 12:24:00 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id AEE361DB3C; Fri, 3 Jul 2020 12:23:52 +0200 (CEST) Received: from mga03.intel.com (mga03.intel.com [134.134.136.65]) by dpdk.org (Postfix) with ESMTP id 37BD01DB3C for ; Fri, 3 Jul 2020 12:23:51 +0200 (CEST) IronPort-SDR: V9rCE+EirZSw3ziJ1GNgvDJEGwv0LWIAuIzAvRxIpHRkP0uHNJD/4DGZIy5LKAcUvJgwyYYWvJ clLttb8CTgfg== X-IronPort-AV: E=McAfee;i="6000,8403,9670"; a="147142714" X-IronPort-AV: E=Sophos;i="5.75,307,1589266800"; d="scan'208";a="147142714" X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by orsmga103.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 03 Jul 2020 03:23:50 -0700 IronPort-SDR: EKgJI/oLBGsDLBeds4BRHj7CsXjrH5FPYIagkiddhx9ZtRs+yqYyZUd8Z7g+LRdbOTZ3SHPueD 8TJerLRcNe4w== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.75,307,1589266800"; d="scan'208";a="481984331" Received: from silpixa00399126.ir.intel.com ([10.237.222.84]) by fmsmga006.fm.intel.com with ESMTP; 03 Jul 2020 03:23:49 -0700 From: Bruce Richardson To: thomas@monjalon.net Cc: dev@dpdk.org, Bruce Richardson Date: Fri, 3 Jul 2020 11:23:31 +0100 Message-Id: <20200703102332.1101232-4-bruce.richardson@intel.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200703102332.1101232-1-bruce.richardson@intel.com> References: <20200618135049.489773-1-bruce.richardson@intel.com> <20200703102332.1101232-1-bruce.richardson@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: [dpdk-dev] [PATCH v3 3/4] eal: forbid loading drivers from insecure paths X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Any paths on the system which are world-writable are insecure and should not be used for loading drivers. Therefore, whenever an absolute or relative driver path is passed to EAL, check for world-writability and don't load any drivers from that path if it is insecure. Drivers loaded from system locations i.e. those passed without any path info and found automatically by the loader, are excluded from these checks as system paths are assumed to be secure. Signed-off-by: Bruce Richardson --- v3: add exception for case where we don't have a relative/absolute path we can access. Just assume system directories are secure. --- lib/librte_eal/common/eal_common_options.c | 85 ++++++++++++++++++++-- 1 file changed, 77 insertions(+), 8 deletions(-) diff --git a/lib/librte_eal/common/eal_common_options.c b/lib/librte_eal/common/eal_common_options.c index 176a98561..6c63b9364 100644 --- a/lib/librte_eal/common/eal_common_options.c +++ b/lib/librte_eal/common/eal_common_options.c @@ -15,6 +15,7 @@ #include #ifndef RTE_EXEC_ENV_WINDOWS #include +#include #endif #include #include @@ -358,7 +359,14 @@ eal_plugin_add(const char *path) return 0; } -#ifndef RTE_EXEC_ENV_WINDOWS +#ifdef RTE_EXEC_ENV_WINDOWS +int +eal_plugins_init(void) +{ + return 0; +} +#else + static int eal_plugindir_init(const char *path) { @@ -398,12 +406,75 @@ eal_plugindir_init(const char *path) /* XXX this ignores failures from readdir() itself */ return (dent == NULL) ? 0 : -1; } -#endif + +static int +verify_perms(const char *dirpath) +{ + struct stat st; + + /* if not root, check down one level first */ + if (strcmp(dirpath, "/") != 0) { + char copy[PATH_MAX]; + + strlcpy(copy, dirpath, PATH_MAX); + if (verify_perms(dirname(copy)) != 0) + return -1; + } + + /* call stat to check for permissions and ensure not world writable */ + if (stat(dirpath, &st) != 0) { + RTE_LOG(ERR, EAL, "Error with stat on %s, %s\n", + dirpath, strerror(errno)); + return -1; + } + if (st.st_mode & S_IWOTH) { + RTE_LOG(ERR, EAL, + "Error, directory path %s is world-writable and insecure\n", + dirpath); + return -1; + } + + return 0; +} + +static void * +eal_dlopen(const char *pathname) +{ + void *retval = NULL; + char *realp = realpath(pathname, NULL); + + if (realp == NULL && errno == ENOENT) { + /* not a full or relative path, try a load from system dirs */ + retval = dlopen(pathname, RTLD_NOW); + if (retval == NULL) + RTE_LOG(ERR, EAL, "%s\n", dlerror()); + return retval; + } + if (realp == NULL) { + RTE_LOG(ERR, EAL, "Error with realpath for %s, %s\n", + pathname, strerror(errno)); + goto out; + } + if (strnlen(realp, PATH_MAX) == PATH_MAX) { + RTE_LOG(ERR, EAL, "Error, driver path greater than PATH_MAX\n"); + goto out; + } + + /* do permissions checks */ + if (verify_perms(realp) != 0) + goto out; + + retval = dlopen(realp, RTLD_NOW); + if (retval == NULL) + RTE_LOG(ERR, EAL, "%s\n", dlerror()); +out: + free(realp); + return retval; +} int eal_plugins_init(void) { -#ifndef RTE_EXEC_ENV_WINDOWS struct shared_driver *solib = NULL; struct stat sb; @@ -423,17 +494,15 @@ eal_plugins_init(void) } else { RTE_LOG(DEBUG, EAL, "open shared lib %s\n", solib->name); - solib->lib_handle = dlopen(solib->name, RTLD_NOW); - if (solib->lib_handle == NULL) { - RTE_LOG(ERR, EAL, "%s\n", dlerror()); + solib->lib_handle = eal_dlopen(solib->name); + if (solib->lib_handle == NULL) return -1; - } } } -#endif return 0; } +#endif /* * Parse the coremask given as argument (hexadecimal string) and fill -- 2.25.1