Don't leak compartment name pointers after dlclose() #2389

Open
wants to merge 2 commits into
base: dev
from

Conversation

bsdjhb (Collaborator) commented Apr 3, 2025

  • proc: Update c18n compartments sysctl handler for struct rtld_c18n_compart
  • proc: Validate bounds of entire c18n comparts array once
  • proc: Better handle short reads in proc_read_string_properly

bsdjhb force-pushed the c18n_eprot branch 2 times, most recently from 1b92c75 to 6f4be69 on April 5, 2025 02:18

bsdjhb (Collaborator, Author) commented Apr 5, 2025

This no longer has any kernel changes, just fixes to rtld to avoid leaking pointers after dlclose(). This fixes chromium child processes for me, but note that rtld currently doesn't ever delete compartments, so compartments for dlclosed objects still remain and still list the unloaded objects as members. Fixing that requires larger changes to rtld_c18n and in particular avoiding pre-creating compartments for the internal policy.

bsdjhb added 2 commits April 16, 2025 12:02

In particular, the names allocated for sub-object compartments can be
freed after dlclose() leaving a dangling pointer in the comparts
entry.

While here, add a wrapper for strdup() so that the bytes used for the
allocated names are accounted for.

Now that compart_id_allocate() allocates its own internal storage for
compartment names, this allocated copy doesn't need to persist while
an object file is loaded.
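As an added illustration (not rtld's code; the table layout, the function names and the scrub-instead-of-free modelling of dlclose() are all assumptions), the borrowed-pointer pattern the first commit message describes beside the owned-copy allocation the second one relies on:

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of a comparts table (not rtld's own code). */
#define MAX_COMPARTS 8
struct compart { const char *name; };
static struct compart comparts[MAX_COMPARTS];
static int ncomparts;
static size_t name_bytes;      /* bytes of names the table owns (accounting) */

/* Wrapper for strdup() that accounts for the bytes of allocated names. */
static char *c18n_strdup(const char *s)
{
	char *copy = strdup(s);
	if (copy != NULL)
		name_bytes += strlen(s) + 1;
	return (copy);
}
size_t accounted_name_bytes(void) { return (name_bytes); }

/* Before the fix: the table keeps the caller's pointer. Once the object that
 * owns that string is unloaded, the entry points at released memory. */
int compart_id_allocate_borrowed(const char *name)
{
	comparts[ncomparts].name = name;
	return (ncomparts++);
}

/* After the fix: the table keeps its own copy, so the object's buffer may go. */
int compart_id_allocate_owned(const char *name)
{
	comparts[ncomparts].name = c18n_strdup(name);
	return (ncomparts++);
}
const char *compart_name(int id) { return (comparts[id].name); }

/* Stand-in for the unloaded object's storage; scrubbed instead of free()d so
 * reading through a stale entry stays defined for this demonstration. */
static char obj_storage[64];

/* Load an object that registers a compartment named after itself, then
 * "dlclose" it, and report what the table entry now reads as. */
const char *load_then_close(const char *objname, int (*allocate)(const char *))
{
	snprintf(obj_storage, sizeof(obj_storage), "%s", objname);
	int id = allocate(obj_storage);
	memset(obj_storage, 0, sizeof(obj_storage));  /* object storage released */
	return (compart_name(id));
}
```

With the owned variant the registered name survives the unload and its bytes show up in the accounting; with the borrowed variant the entry now reads whatever the scrubbed storage holds.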
bsdjhb (Collaborator, Author) commented Apr 16, 2025

I've dropped the last change for now so it can be a separate PR; this is now just the fixes to make the sysctl work after dlclose().

bsdjhb changed the title from "Cleanups to c18n compartments sysctl" to "Don't leak compartment name pointers after dlclose()" on Apr 16, 2025