linkage_checker: replace Fiddle.dlopen with libSystem call #18486

Open. Wants to merge 2 commits into master.
Conversation

@carlocab carlocab commented Oct 3, 2024

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes? Here's an example.
  • Have you successfully run brew style with your changes locally?
  • Have you successfully run brew typecheck with your changes locally?
  • Have you successfully run brew tests with your changes locally?

`dlopen`ing a library executes potentially untrusted code (e.g. if the
library has initialisers). We can avoid the `dlopen` call by asking
`libSystem` directly about whether a library can be found in the shared
cache.

Of course, the `dlopen` happens after a `ENOENT`, so the attack surface here
is relatively small. But relying on this still exposes us to a potential
TOCTOU[^1] bug. Let's avoid it entirely by skipping `dlopen` altogether.

`brew typecheck` currently returns an error. Looks like the RBI for Fiddle will need updating.

[^1]: https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use

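The check this PR describes, as an added Ruby example that is not Homebrew's code: a library path counts as resolvable if it exists on disk or if libSystem's `_dyld_shared_cache_contains_path` reports it as resident in the dyld shared cache, so the library itself is never `dlopen`ed. It assumes a macOS 11 or later host for the shared-cache query (the `DylibResolver` module and its method names are mine); on any other platform, or without Fiddle, only the on-disk check applies.

```ruby
# Added example, not Homebrew's code. Resolve a library path without dlopen:
# on-disk files via File.exist?, shared-cache residents via libSystem's
# _dyld_shared_cache_contains_path (assumed available on macOS 11+), which
# answers without loading the library, so no initialiser can run.
begin
  require "fiddle"
rescue LoadError
  # Without fiddle there is no FFI; behave like a host without a shared cache.
end

module DylibResolver
  LIBSYSTEM = "/usr/lib/libSystem.B.dylib"

  module_function

  # The shared-cache query only exists on macOS and needs Fiddle to call it.
  def shared_cache_query_available?
    return false unless RUBY_PLATFORM.include?("darwin")
    defined?(Fiddle) ? true : false
  end

  # Lazily bind `bool _dyld_shared_cache_contains_path(const char *path)`.
  # The only handle opened here is libSystem, which every macOS process has
  # already loaded, so this dlopen runs no new code.
  def shared_cache_contains_path_fn
    @shared_cache_contains_path_fn ||= Fiddle::Function.new(
      Fiddle.dlopen(LIBSYSTEM)["_dyld_shared_cache_contains_path"],
      [Fiddle::TYPE_VOIDP],   # const char *
      Fiddle::TYPE_CHAR       # _Bool: read only the low byte of the result
    )
  end

  # true if dyld would satisfy a load of `path` from the shared cache.
  def shared_cache_contains?(path)
    return false unless shared_cache_query_available?
    shared_cache_contains_path_fn.call(path) != 0
  end

  # The linkage check itself: present on disk, or resident in the shared
  # cache. Neither branch loads the library, so there is no TOCTOU window
  # between checking and executing it.
  def library_present?(path)
    File.exist?(path) || shared_cache_contains?(path)
  end
end
```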
@carlocab carlocab requested a review from Bo98 October 3, 2024 11:08
@MikeMcQuaid MikeMcQuaid left a comment


Good idea!

@Bo98 Bo98 left a comment


Thanks! Been meaning to look into this for a while.


carlocab commented Oct 3, 2024

Added an RBI patterned after upstream's to handle with the typecheck errors. Not sure if that's the best way forward.

Upstream don't have these definitions yet, so I've added an RBI for them
in the meantime.
@carlocab carlocab force-pushed the replace-dlopen-with-libc-call branch from 9aa5041 to 54fec35 Compare October 3, 2024 13:48

Bo98 commented Oct 3, 2024

Usually we add it to upstream.rbi along with a comment pointing to an upstream PR that updates fiddle.rbi to match:

```shell
brew ruby -e 'puts Fiddle.constants.sort.filter { |c| c.match?(/^(TYPE|SIZEOF)_/) }'
```

Seems like it's missing quite a few.
