Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

linkage_checker: replace Fiddle.dlopen with libSystem call #18486

Merged
merged 1 commit into from
Oct 3, 2024
Merged

linkage_checker: replace Fiddle.dlopen with libSystem call #18486

merged 1 commit into from
Oct 3, 2024

Conversation

carlocab
Copy link
Member

@carlocab carlocab commented Oct 3, 2024

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes? Here's an example.
  • Have you successfully run brew style with your changes locally?
  • Have you successfully run brew typecheck with your changes locally?
  • Have you successfully run brew tests with your changes locally?

dlopening a library executes potentially untrusted code (e.g. if the
library has initialisers). We can avoid the dlopen call by asking
libSystem directly about whether a library can be found in the shared
cache.

Of course, the dlopen happens after a ENOENT, so the attack surface here
is relatively small. But relying on this still exposes us to a potential
TOCTOU1 bug. Let's avoid it entirely by skipping dlopen altogether.

brew typecheck currently returns an error. Looks like the RBI for Fiddle will need updating.

Footnotes

  1. https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use

@carlocab carlocab requested a review from Bo98 October 3, 2024 11:08
MikeMcQuaid
MikeMcQuaid approved these changes Oct 3, 2024
View reviewed changes
Copy link
Member

@MikeMcQuaid MikeMcQuaid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good idea!

Bo98
Bo98 approved these changes Oct 3, 2024
View reviewed changes
Copy link
Member

@Bo98 Bo98 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Been meaning to look into this for a while.

@carlocab
Copy link
Member Author

carlocab commented Oct 3, 2024

Added an RBI patterned after upstream's to handle with the typecheck errors. Not sure if that's the best way forward.

@carlocab carlocab force-pushed the replace-dlopen-with-libc-call branch from 9aa5041 to 54fec35 Compare October 3, 2024 13:48
@Bo98
Copy link
Member

Bo98 commented Oct 3, 2024

Usually we add it to upstream.rbi along with a comment pointing to an upstream PR that updates fiddle.rbi to match brew ruby -e 'puts Fiddle.constants.sort.filter { |c| c.match?(/^(TYPE|SIZEOF)_/) }'

Seems like it's missing quite a few.

@carlocab
Copy link
Member Author

carlocab commented Oct 3, 2024

Their definitions seemed tied to Ruby 2.7, so wasn't sure if sending it upstream was the right move. Will go ahead and do that.

@Bo98
Copy link
Member

Bo98 commented Oct 3, 2024

It was just initially imported from Ruby 2.7. Adding new constants from 3.3 is fine - I've done so before.

@carlocab carlocab mentioned this pull request Oct 3, 2024
Merged
@carlocab carlocab force-pushed the replace-dlopen-with-libc-call branch from 54fec35 to 6acd7ec Compare October 3, 2024 15:19
@carlocab
Copy link
Member Author

carlocab commented Oct 3, 2024

Done in sorbet/sorbet#8215.

@carlocab
linkage_checker: replace Fiddle.dlopen with libSystem call
d77c039 
`dlopen`ing a library executes potentially untrusted code (e.g. if the
library has initialisers). We can avoid the `dlopen` call by asking
`libSystem` directly about whether a library can be found in the shared
cache.

Of course, the `dlopen` happens after a `ENOENT`, so the attack surface here
is relatively small. But relying on this still exposes us to a potential
TOCTOU[^1] bug. Let's avoid it entirely by skipping `dlopen` altogether.

Also: add RBI for `Fiddle` constants used in `linkage_checker`

Upstream don't have these definitions yet, so I've added an RBI for them
in the meantime.

[^1]: https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use
@carlocab carlocab force-pushed the replace-dlopen-with-libc-call branch from 6acd7ec to d77c039 Compare October 3, 2024 15:21
@carlocab carlocab merged commit 993d8c2 into master Oct 3, 2024
27 checks passed
@carlocab carlocab deleted the replace-dlopen-with-libc-call branch October 3, 2024 15:40
@Bo98 Bo98 mentioned this pull request Nov 8, 2024
Open
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Bo98 Bo98 Bo98 approved these changes

@MikeMcQuaid MikeMcQuaid MikeMcQuaid approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@carlocab @Bo98 @MikeMcQuaid