diff options
author | Florian Weimer <fweimer@redhat.com> | 2019-08-19 15:41:29 +0200 |
---|---|---|
committer | Florian Weimer <fweimer@redhat.com> | 2019-08-19 15:41:29 +0200 |
commit | a289ea09ea843ced6e5277c2f2e63c357bc7f9a3 (patch) | |
tree | 0b8a004ed5794f6f6bff89dbdc44518cb41bb373 /sysdeps/posix | |
parent | 1d714fd95da16f0d97c8c670a2c899f99c01eb45 (diff) | |
download | glibc-a289ea09ea843ced6e5277c2f2e63c357bc7f9a3.tar.gz glibc-a289ea09ea843ced6e5277c2f2e63c357bc7f9a3.tar.xz glibc-a289ea09ea843ced6e5277c2f2e63c357bc7f9a3.zip |
Do not print backtraces on fatal glibc errors
If the process is in a bad state, we used to print backtraces in many cases. This is problematic because doing so could involve a lot of work, like loading libgcc_s using the dynamic linker, and this could itself be targeted by exploit writers. For example, if the crashing process was forked from a long-lived process, the addresses in the error message could be used to bypass ASLR. Commit ed421fca42fd9b4cab7c66e77894b8dd7ca57ed0 ("Avoid backtrace from __stack_chk_fail [BZ #12189]"), backtraces where no longer printed because backtrace_and_maps was always called with do_abort == 1. Rather than fixing this logic error, this change removes the backtrace functionality from the sources. With the prevalence of external crash handlers, it does not appear to be particularly useful. The crash handler may also destroy useful information for debugging. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Diffstat (limited to 'sysdeps/posix')
-rw-r--r-- | sysdeps/posix/libc_fatal.c | 35 |
1 files changed, 4 insertions, 31 deletions
diff --git a/sysdeps/posix/libc_fatal.c b/sysdeps/posix/libc_fatal.c index 3906af5ee7..9ddbfa7314 100644 --- a/sysdeps/posix/libc_fatal.c +++ b/sysdeps/posix/libc_fatal.c @@ -45,16 +45,6 @@ writev_for_fatal (int fd, const struct iovec *iov, size_t niov, size_t total) } #endif -#ifndef BEFORE_ABORT -# define BEFORE_ABORT before_abort -static void -before_abort (int do_abort __attribute__ ((unused)), - bool written __attribute__ ((unused)), - int fd __attribute__ ((unused))) -{ -} -#endif - struct str_list { const char *str; @@ -75,17 +65,6 @@ __libc_message (enum __libc_message_action action, const char *fmt, ...) FATAL_PREPARE; #endif - /* Don't call __libc_secure_getenv if we aren't doing backtrace, which - may access the corrupted stack. */ - if ((action & do_backtrace)) - { - /* Open a descriptor for /dev/tty unless the user explicitly - requests errors on standard error. */ - const char *on_2 = __libc_secure_getenv ("LIBC_FATAL_STDERR_"); - if (on_2 == NULL || *on_2 == '\0') - fd = __open_nocancel (_PATH_TTY, O_RDWR | O_NOCTTY | O_NDELAY); - } - if (fd == -1) fd = STDERR_FILENO; @@ -129,7 +108,6 @@ __libc_message (enum __libc_message_action action, const char *fmt, ...) ++nlist; } - bool written = false; if (nlist > 0) { struct iovec *iov = alloca (nlist * sizeof (struct iovec)); @@ -143,7 +121,7 @@ __libc_message (enum __libc_message_action action, const char *fmt, ...) list = list->next; } - written = WRITEV_FOR_FATAL (fd, iov, nlist, total); + WRITEV_FOR_FATAL (fd, iov, nlist, total); if ((action & do_abort)) { @@ -173,13 +151,8 @@ __libc_message (enum __libc_message_action action, const char *fmt, ...) va_end (ap); if ((action & do_abort)) - { - if ((action & do_backtrace)) - BEFORE_ABORT (do_abort, written, fd); - - /* Kill the application. */ - abort (); - } + /* Kill the application. */ + abort (); } @@ -188,6 +161,6 @@ __libc_fatal (const char *message) { /* The loop is added only to keep gcc happy. */ while (1) - __libc_message (do_abort | do_backtrace, "%s", message); + __libc_message (do_abort, "%s", message); } libc_hidden_def (__libc_fatal) |