Fixed(ExecIntercept): Fix LD_VARS not being unset for system executables if executed with fexecve() or fd path, and their file header being read instead of skipped as per 3300bfb

agnostic-apollo · agnostic-apollo · commit 4477568e3e24 · 2025-03-27T02:37:12.000+05:00
File descriptor executable paths are in the format `/proc/self/fd/&lt;num&gt;` or `/proc/&lt;pid&gt;/fd/&lt;num&gt;`, normally for `fexecve()`, but can be passed manually by callers. For such paths, checks would fail for if the path is under system directories with `isExecutableUnderSystemDir()` or if `LD_VARS` should be unset with `shouldUnsetLDVarsFromEnv()`, as path would start with `/proc` instead of one of the system directories. Now we find the real path before any checks are done by calling `readlink()` via `getRegularFileFdRealPath()` on the fd path.

Note that `fexecve()` is only supported for Android `&gt;= 9` and `CANNOT LINK EXECUTABLE` errors due to `LD_VARS` being set like `LD_LIBRARY_PATH=/data/data/com.termux/files/usr/lib` when calling system binaries only seem to occur on older Android versions. So we simulate `fexecve()` for tests by opening a system executable, generating fd path manually and then executing it.

Following are examples of errors caused by `LD_LIBRARY_PATH` being set. Termux app only exports it for Android `5` and `6` though.

```
$ LD_PRELOAD= bash

$ LD_LIBRARY_PATH=/data/data/com.termux/files/usr/lib PATH=/system/bin /system/bin/{am,pm}
CANNOT LINK EXECUTABLE: could not load library "libandroid_runtime.so" needed by "app_process"; caused by could not load library "libhwui.so" needed by "libandroid_runtime.so"; caused by could not load library "libRS.so" needed by "libhwui.so"; caused by could not load library "libbcc.so" needed by "libRS.so"; caused by could not load library "libbcinfo.so" needed by "libbcc.so"; caused by cannot locate symbol "_ZNK4llvm6MDNode10getOperandEj" referenced by "libbcinfo.so"...

$ LD_LIBRARY_PATH=/data/data/com.termux/files/usr/lib PATH=/system/bin /system/bin/dalvikvm
Aborted
dlopen("libjavacore.so", RTLD_LAZY) failed: dlopen failed: cannot locate symbol "bn_expand2" referenced by "libjavacore.so"...

LD_LIBRARY_PATH=/data/data/com.termux/files/usr/lib PATH=/system/bin /system/bin/{am,pm}
CANNOT LINK EXECUTABLE: cannot locate symbol "u_charMirror_55" referenced by "/system/lib64/libandroid_runtime.so"...

$ LD_LIBRARY_PATH=/data/data/com.termux/files/usr/lib PATH=/system/bin /system/bin/dalvikvm
Aborted
art/runtime/runtime.cc:1149] LoadNativeLibrary failed for "libjavacore.so": dlopen failed: cannot locate symbol "_ZTVN6icu_5513UnicodeStringE" referenced by "/system/lib64/libjavacore.so"...

~ $ LD_LIBRARY_PATH=/data/data/com.termux/files/usr/lib PATH=/system/bin /system/bin/{am,pm}
CANNOT LINK EXECUTABLE "app_process": cannot locate symbol "glTexGenxvOES" referenced by "/system/lib64/libandroid_runtime.so"...
Aborted
$ LD_LIBRARY_PATH=/data/data/com.termux/files/usr/lib PATH=/system/bin /system/bin/dalvikvm
Failed to initialize JNI invocation API from (null)
Failed to dlopen libart.so: dlopen failed: cannot locate symbol "XzUnpacker_Construct" referenced by "/system/lib64/libunwind.so"...
```
diff --git a/lib/termux-exec_nos_c_tre/src/termux/api/termux_exec/ld_preload/direct/exec/ExecIntercept.c b/lib/termux-exec_nos_c_tre/src/termux/api/termux_exec/ld_preload/direct/exec/ExecIntercept.c
@@ -91,6 +91,12 @@ int execveInterceptInternal(const char *origExecutablePath, char *const argv[],
     //   For instance, `$TERMUX__PREFIX/bin/ls` is a symlink to `$TERMUX__PREFIX/bin/coreutils`,
     //   but we need to execute `$TERMUX__PREFIX/bin/ls` `/system/bin/linker $TERMUX__PREFIX/bin/ls`
     //   so that coreutils knows what to execute.
+    // - For an fd path, like `/proc/self/fd/<num>` or `/proc/<pid>/fd/<num>`,
+    //   normally for the `fexecve()` call, we find its real path,
+    //   so that so if its not under a system directory. then its file
+    //   header is always read. And if it is under a system directory,
+    //   then `LD_VARS_TO_UNSET` are unset properly as per
+    //   `unsetLdVarsFromEnv` or `unsetLdPreloadFromEnv`.
     // - For an absolute path, we need to normalize first so that an
     //   unnormalized prefix like `/usr/./bin` is replaced with `/usr/bin`
     //   so that `termuxPrefixPath()` can successfully match it to
@@ -117,7 +123,24 @@ int execveInterceptInternal(const char *origExecutablePath, char *const argv[],
 
 
     char processedExecutablePathBuffer[PATH_MAX];
-    if (executablePath[0] == '/') {
+    if (isFdPath(executablePath)) {
+        executablePath = getRegularFileFdRealPath(LOG_TAG, executablePath,
+            processedExecutablePathBuffer, sizeof(processedExecutablePathBuffer));
+        if (executablePath == NULL) {
+            // `execve()` is expected to return `EACCES` for
+            // non-regular files and is also mentioned in its man page.
+            // > EACCES The file or a script interpreter is not a regular file.
+            // The `getRegularFileFdRealPath()` function will return
+            // following `errno` for non-regular files.
+            if (errno == EISDIR || errno == ENXIO) {
+                errno = EACCES;
+            }
+            logStrerrorDebug(LOG_TAG, "Failed to get real path for fd executable path '%s'", origExecutablePath);
+            return -1;
+        }
+
+        logErrorVVerbose(LOG_TAG, "real_executable: '%s'", executablePath);
+    } else if (executablePath[0] == '/') {
         // If path is absolute, then normalize first and then replace termux prefix.
         executablePath = normalizePath(executablePathBuffer, false, true);
         if (executablePath == NULL) {
@@ -210,6 +233,22 @@ int execveInterceptInternal(const char *origExecutablePath, char *const argv[],
     //     - https://github.com/termux/termux-exec-package/issues/32
     // - `/system/bin/app_process`.
     //     - https://github.com/termux/termux-app/issues/4440#issuecomment-2746002438
+    //
+    // A script running with `system_linker_exec` must always be run
+    // with its interpreter in the shebang instead of directly,
+    // otherwise execution will fail with errors like following.
+    // The `system_linker_exec` is only used if path is under
+    // Termux app data directory, and we skip reading file header only
+    // if its under a system directory. Since app data directories
+    // are either under `/data` or `/mnt`, there is no conflict with
+    // system directories, and so file headers for files under app
+    // data directories should always be read.
+    // error: "/data/data/com.termux/files/usr/libexec/installed-tests/termux-exec/lib/termux-exec_nos_c_tre/scripts/termux/api/termux_exec/ld_preload/direct/exec/files/print-args-linux-script.sh" \
+    //     is too small to be an ELF executable: only found 52 bytes
+    // - https://cs.android.com/android/platform/superproject/+/android-14.0.0_r1:bionic/linker/linker_phdr.cpp;l=216
+    // error: "/data/data/com.termux/files/usr/bin/login" \
+    //     has bad ELF magic: 23212f64
+    // - https://cs.android.com/android/platform/superproject/+/android-14.0.0_r1:bionic/linker/linker_phdr.cpp;l=234
     if (isExecutableUnderSystemDir(executablePath)) {
         logErrorVVerbose(LOG_TAG, "read_file_header: '0'");
     } else {
diff --git a/lib/termux-exec_nos_c_tre/tests/src/termux/api/termux_exec/ld_preload/direct/exec/ExecIntercept_RuntimeBinaryTests.c b/lib/termux-exec_nos_c_tre/tests/src/termux/api/termux_exec/ld_preload/direct/exec/ExecIntercept_RuntimeBinaryTests.c
@@ -275,6 +275,7 @@ FEXECVE_CALL_IMPL()
 
 
 void test__execIntercept__Basic();
+void test__execIntercept__AndroidTools(char* envCurrentPath);
 void test__execIntercept__Files(const char* termuxExec_tests_testsPath, const char* currentPath, char* envCurrentPath);
 void test__execIntercept__PackageManager();
 
@@ -317,6 +318,7 @@ void test__execIntercept() {
     // - https://cs.android.com/android/platform/superproject/+/android-14.0.0_r18:bionic/tests/utils.h;l=200
 
     test__execIntercept__Basic();
+    test__execIntercept__AndroidTools(envCurrentPath);
     test__execIntercept__Files(termuxExec_tests_testsPath, currentPath, envCurrentPath);
     test__execIntercept__PackageManager();
 
@@ -328,6 +330,14 @@ void test__execIntercept() {
 
 
 
+static void test__execIntercept_initChildWithRedirectedFd(ForkInfo *info) {
+    initChild(info);
+
+    info->redirectChildStdinToDevNull = true;
+}
+
+
+
 void test__execIntercept__Basic() {
     logVVerbose(LOG_TAG, "test__execIntercept__Basic()");
 
@@ -350,6 +360,127 @@ void test__execIntercept__Basic() {
         NULL);
 }
 
+void test__execIntercept__AndroidTools(char* envCurrentPath) {
+    logVVerbose(LOG_TAG, "test__execIntercept__AndroidTools()");
+
+    onExecTestChildFork = test__execIntercept_initChildWithRedirectedFd;
+
+     // execlp(), execvp() and execvpe() search for file to be executed in $PATH,
+    // so set it to `/system/bin` directory.
+    char* envNewPath = NULL;
+
+    if (asprintf(&envNewPath, "%s%s", ENV_PREFIX__PATH, "/apex/com.android.art/bin:/system/bin") == -1) {
+        errno = ENOMEM;
+        logStrerrorDebug(LOG_TAG, "asprintf failed for new '%s%s'", ENV_PREFIX__PATH, "/apex/com.android.art/bin:/system/bin");
+        exit(1);
+    }
+
+    putenv(envNewPath);
+
+
+    // On Android `14`, `/system/bin/am` can only be run with `adb`
+    // and `root` users and will normally have no output and exit code
+    // will be `255`.
+    // - https://github.com/termux/TermuxAm/commit/8a08e9bd
+    if (android_buildVersionSdk_get() < 34) {
+        char* amPath = "/system/bin/am";
+
+        runAllExecWrappersTest("android-am",
+            0, 0, 0, 0,
+            -1, "^.*<INTENT> specifications.*", -1, "^.*<INTENT> specifications.*", REG_EXTENDED | REG_ICASE,
+            "am", amPath, environ,
+            NULL);
+
+
+        // Simulate `fexecve()`, especially for Android `< 9`.
+        // This will also test `LD_LIBRARY_PATH` being unset on older
+        // Android versions to prevent `CANNOT LINK EXECUTABLE` errors.
+        int amFd = open(amPath, 0);
+        if (amFd == -1) {
+            logStrerror(LOG_TAG, "open() call failed for am at path '%s'", amPath);
+            exit(1);
+        }
+
+        char amFdPath[40];
+        snprintf(amFdPath, sizeof(amFdPath), "/proc/self/fd/%d", amFd);
+
+        logVVerbose(LOG_TAG, "%s_exec()", "android-am-fd");                                                   \
+        runExecTest("android-am-fd",
+            0, 0,
+            -1, "^.*<INTENT> specifications.*", REG_EXTENDED | REG_ICASE,
+            ExecVE, amFdPath, environ, amPath, NULL);
+    }
+
+
+    // On Android `< 9`, `/system/bin/pm` did not have a `#!/system/bin/sh`
+    // interpreter and `execve` would fail with `Exec format error (ENOEXEC)`.
+    // So interpret the `pm` script with `sh` instead of executing it.
+    // - https://cs.android.com/android/_/android/platform/frameworks/base/+/6c168885
+    char* pmPath = "/system/bin/pm";
+    if (android_buildVersionSdk_get() < 29) {
+        runAllExecWrappersTest("android-pm",
+            0, 0, 0, 0,
+            -1, "^.*path to the \\.apk.*", -1, "^.*path to the \\.apk.*", REG_EXTENDED | REG_ICASE,
+            NULL, "/system/bin/sh", environ,
+            pmPath, NULL);
+
+    } else {
+        runAllExecWrappersTest("android-pm",
+            0, 0, 0, 0,
+            -1, "^.*path to the \\.apk.*", -1, "^.*path to the \\.apk.*", REG_EXTENDED | REG_ICASE,
+            "pm", pmPath, environ,
+            NULL);
+    }
+
+
+    // On Android `>= 13`, `dalvikvm` is part of Android Runtime APEX module.
+    // - https://cs.android.com/android/_/android/platform/art/+/38a938e2
+    // - https://cs.android.com/android/_/android/platform/bionic/+/6d5277db
+    char* dalvikvmPath;
+    if (access("/apex/com.android.art/bin/dalvikvm", X_OK) == 0) {
+        dalvikvmPath = "/apex/com.android.art/bin/dalvikvm";
+    } else {
+        dalvikvmPath = "/system/bin/dalvikvm";
+    }
+
+    char* dalvikvmOutputRegex = "^.*((-classpath ((classpath)|(\\{string value\\})))|(Class name required)).*";
+
+    // The `-h` flag does not print help on Android `7`, but Android `6` does.
+    runAllExecWrappersTest("android-dalvikvm",
+        0, 0, 0, 0,
+        -1, dalvikvmOutputRegex, -1, dalvikvmOutputRegex, REG_EXTENDED | REG_ICASE,
+        "dalvikvm", dalvikvmPath, environ,
+        "-h", NULL);
+
+
+    // Simulate `fexecve()`, especially for Android `< 9`.
+    // This will also test `LD_LIBRARY_PATH` being unset on older
+    // Android versions to prevent `CANNOT LINK EXECUTABLE` errors.
+    int dalvikvmFd = open(dalvikvmPath, 0);
+    if (dalvikvmFd == -1) {
+        logStrerror(LOG_TAG, "open() call failed for dalvikvm at path '%s'", dalvikvmPath);
+        exit(1);
+    }
+
+    char dalvikvmFdPath[40];
+    snprintf(dalvikvmFdPath, sizeof(dalvikvmFdPath), "/proc/self/fd/%d", dalvikvmFd);
+
+    logVVerbose(LOG_TAG, "%s_exec()", "android-dalvikvm-fd");                                                   \
+    runExecTest("android-dalvikvm-fd",
+        0, 0,
+        -1, dalvikvmOutputRegex, REG_EXTENDED | REG_ICASE,
+        ExecVE, dalvikvmFdPath, environ, dalvikvmPath, "-h", NULL);
+
+
+    putenv(envCurrentPath);
+
+
+    free(envNewPath);
+
+    onExecTestChildFork = initChild;
+
+}
+
 void test__execIntercept__Files(const char* termuxExec_tests_testsPath, const char* currentPath, char* envCurrentPath) {
     logVVerbose(LOG_TAG, "test__execIntercept__Files()");
 
