LibC: Protect the atexit() handler list when not writing to it

Remap the list of atexit handlers as read-only while we're not actively writing to it. This prevents an attacker from using a memory write primitive to gain code execution via the atexit list. This is based on a technique used in OpenBSD. :^)
Author: https://github.com/awesomekling Commit: 553361d83f
2025-04-28 23:39:02 +00:00 · 2021-01-30 10:34:41 +01:00 · 2021-01-30 10:34:41 +01:00 · 553361d83f · 2024-07-18 22:44:21 +09:00
commit 553361d83f
parent 123c37e1c0
1 changed files with 45 additions and 17 deletions
--- a/Userland/Libraries/LibC/cxxabi.cpp
+++ b/Userland/Libraries/LibC/cxxabi.cpp
@ -25,29 +25,59 @@
 */
 #include <AK/Debug.h>
 #include <AK/LogStream.h>
 #include <assert.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <sys/internals.h>
 #include <sys/mman.h>
 extern "C" {
-struct __exit_entry {
+struct AtExitEntry {
-    AtExitFunction method;
+    AtExitFunction method { nullptr };
-    void* parameter;
+    void* parameter { nullptr };
-    void* dso_handle;
+    void* dso_handle { nullptr };
-    bool has_been_called;
+    bool has_been_called { false };
 };
-static __exit_entry __exit_entries[1024] {};
+static constexpr size_t max_atexit_entry_count = PAGE_SIZE / sizeof(AtExitEntry);
-static int __exit_entry_count = 0;
+
 static AtExitEntry* atexit_entries;
 static size_t atexit_entry_count = 0;
 static void lock_atexit_handlers()
 {
    if (mprotect(atexit_entries, PAGE_SIZE, PROT_READ) < 0) {
        perror("lock_atexit_handlers");
        _exit(1);
    }
 }
 static void unlock_atexit_handlers()
 {
    if (mprotect(atexit_entries, PAGE_SIZE, PROT_READ | PROT_WRITE) < 0) {
        perror("unlock_atexit_handlers");
        _exit(1);
    }
 }
 int __cxa_atexit(AtExitFunction exit_function, void* parameter, void* dso_handle)
 {
-    if (__exit_entry_count >= 1024)
+    if (atexit_entry_count >= max_atexit_entry_count)
        return -1;
-    __exit_entries[__exit_entry_count++] = { exit_function, parameter, dso_handle, false };
+    if (!atexit_entries) {
        atexit_entries = (AtExitEntry*)mmap(nullptr, PAGE_SIZE, PROT_READ, MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
        if (atexit_entries == MAP_FAILED) {
            perror("__cxa_atexit mmap");
            _exit(1);
        }
    }
    unlock_atexit_handlers();
    atexit_entries[atexit_entry_count++] = { exit_function, parameter, dso_handle, false };
    lock_atexit_handlers();
    return 0;
 }
@ -61,21 +91,19 @@ void __cxa_finalize(void* dso_handle)
    // Multiple calls to __cxa_finalize shall not result in calling termination function entries multiple times;
    // the implementation may either remove entries or mark them finished.
-    int entry_index = __exit_entry_count;
+    ssize_t entry_index = atexit_entry_count;
-#if GLOBAL_DTORS_DEBUG
+    dbgln<GLOBAL_DTORS_DEBUG>("__cxa_finalize: {} entries in the finalizer list", entry_index);
    dbgprintf("__cxa_finalize: %d entries in the finalizer list\n", entry_index);
 #endif
    while (--entry_index >= 0) {
-        auto& exit_entry = __exit_entries[entry_index];
+        auto& exit_entry = atexit_entries[entry_index];
        bool needs_calling = !exit_entry.has_been_called && (!dso_handle || dso_handle == exit_entry.dso_handle);
        if (needs_calling) {
-#if GLOBAL_DTORS_DEBUG
+            dbgln<GLOBAL_DTORS_DEBUG>("__cxa_finalize: calling entry[{}] {:p}({:p}) dso: {:p}", entry_index, exit_entry.method, exit_entry.parameter, exit_entry.dso_handle);
            dbgprintf("__cxa_finalize: calling entry[%d] %p(%p) dso: %p\n", entry_index, exit_entry.method, exit_entry.parameter, exit_entry.dso_handle);
 #endif
            exit_entry.method(exit_entry.parameter);
            unlock_atexit_handlers();
            exit_entry.has_been_called = true;
            lock_atexit_handlers();
        }
    }
 }