mirrors/cosmopolitan
1
0
Fork 0
mirror of https://github.com/jart/cosmopolitan.git synced 2025-02-07 06:53:33 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
cosmopolitan/libc/crt/crt.S
Jōshin f94c11d978
Loader path security (#1012) 
The ape loader now passes the program executable name directly as a
register. `x2` is used on aarch64, `%rdx` on x86_64. This is passed
as the third argument to `cosmo()` (M1) or `Launch` (non-M1) and is
assigned to the global `__program_executable_name`.

`GetProgramExecutableName` now returns this global's value, setting
it if it is initially null. `InitProgramExecutableName` first tries
exotic, secure methods: `KERN_PROC_PATHNAME` on FreeBSD/NetBSD, and
`/proc` on Linux. If those produce a reasonable response (i.e., not
`"/usr/bin/ape"`, which happens with the loader before this change),
that is used. Otherwise, if `issetugid()`, the empty string is used.
Otherwise, the old argv/envp parsing code is run.

The value returned from the loader is always the full absolute path
of the binary to be executed, having passed through `realpath`. For
the non-M1 loader, this necessitated writing `RealPath`, which uses
`readlinkat` of `"/proc/self/fd/[progfd]"` on Linux, `F_GETPATH` on
Xnu, and the `__realpath` syscall on OpenBSD. On FreeBSD/NetBSD, it
punts to `GetProgramExecutableName`, which is secure on those OSes.

With the loader, all platforms now have a secure program executable
name. With no loader or an old loader, everything still works as it
did, but setuid/setgid is not supported if the insecure pathfinding
code would have been needed.

Fixes #991.
2023-12-15 12:23:58 -05:00

161 lines
5 KiB
ArmAsm
Raw Blame History

/*-*- mode:unix-assembly; indent-tabs-mode:t; tab-width:8; coding:utf-8 -*-│
vi: set noet ft=asm ts=8 sw=8 fenc=utf-8 :vi
Copyright 2020 Justine Alexandra Roberts Tunney
Permission to use, copy, modify, and/or distribute this software for
any purpose with or without fee is hereby granted, provided that the
above copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL
WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
*/
#include "libc/dce.h"
#include "libc/macros.internal.h"
#include "libc/notice.inc"
.section .start,"ax",@progbits
#if SupportsXnu() && defined(__x86_64__)
// XNU AMD64 Entrypoint
//
// @note Rosetta barely implements MAC_LC_UNIXTHREAD
// @note Rosetta sets many registers to weird values
_apple: mov $_HOSTXNU,%cl
jmp 1f
.endfn _apple,weak,hidden
#endif
#if SupportsWindows() && defined(__x86_64__) && !IsTiny()
// implements all win32 apis on non-windows hosts
// it is just enough code to get a good backtrace
__oops_win32:
ud2
nop
.endfn __oops_win32
#endif
// System Five userspace program entrypoint.
//
// @param rsp is [n,argv₀..argvₙ₋₁,0,envp₀..,0,auxv₀..,0,..]
// @note FreeBSD is special (see freebsd/lib/csu/amd64/...)
// @note NetBSD will only zero the call-clobbered registers
// @note ape.S and ape-loader both set RCX to XNU on Darwin
// @noreturn
_start:
#ifdef __x86_64__
#if SupportsFreebsd()
// detect free besiyata dishmaya
test %rdi,%rdi
cmovnz %rdi,%rsp
jz 0f
movb $_HOSTFREEBSD,%cl
0:
#endif
// set operating system when already detected
1: mov %cl,__hostos(%rip)
mov %rdx,__program_executable_name(%rip)
// get startup timestamp as early as possible
// its used by --strace flag and kprintf() %T
rdtsc
ezlea kStartTsc,bx
mov %eax,(%rbx)
mov %edx,4(%rbx)
// translates arguments from old stack abi
mov (%rsp),%ebx // argc
lea 8(%rsp),%rsi // argv
lea 16(%rsp,%rbx,8),%rdx // envp
mov %rsp,__oldstack(%rip)
mov %rdx,__envp(%rip)
// setup stack
xor %ebp,%ebp
and $ape_stack_round,%rsp
#if SupportsWindows() && !IsTiny()
// make win32 imps crash
.weak ape_idata_iat
.weak ape_idata_iatend
ezlea __oops_win32,ax
ezlea ape_idata_iat,di
ezlea ape_idata_iatend,cx
sub %rdi,%rcx
shr $3,%ecx
rep stosq
#endif
// scan through environment varis
// find start of auxiliary values
xor %eax,%eax
or $-1,%ecx
mov %rdx,%rdi
repnz scasq
mov %rdi,%rcx // auxv
#if SupportsXnu()
// xnu doesn't have auxiliary values
testb IsXnu()
jz 1f // polyfill xnu auxv
push $0 // auxv[1][1]=0
push $0 // auxv[1][0]=0
mov %rsp,%rcx // auxv
#endif
// enter cosmopolitan runtime
1: mov %ebx,%edi
call cosmo
9: .unreachable
// strongly link main() function (discarded by linker)
// libc_runtime had to weakly link, due to package.com
.section .yoink
call main
.previous
////////////////////////////////////////////////////////////////////////////////
#elif defined(__aarch64__)
// save original stack pointer
// this is the first argument to cosmo() below
mov x0,sp
// setup the stack
mov x28,#0
mov x29,#0
mov x30,#0
ldr x1,=ape_stack_round
and x1,x0,x1
mov sp,x1
// second arg shall be struct Syslib passed by ape-m1.c
// used to talk to apple's authoritarian libraries
// should be set to zero on other platforms
mov x1,x15
// third arg (x2) is the program path passed by ape-m1.c
// switch to c code
bl cosmo
.unreachable
// strongly link main() function (discarded by linker)
// libc_runtime had to weakly link, due to package.com
.section .yoink
bl main
.previous
////////////////////////////////////////////////////////////////////////////////
#else
#error "architecture unsupported"
#endif /* __x86_64__ */
.endfn _start,weak,hidden
Reference in a new issue View git blame Copy permalink