Linux: don't use GOT patching to intercept localtime(_r)

chrome/browser/zygote_main_linux.cc

 // Copyright (c) 2009 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+#include <dlfcn.h>
 #include <unistd.h>
 #include <sys/epoll.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/signal.h>
 #include <sys/prctl.h>
 #include <sys/wait.h>
 
 #include "base/basictypes.h"
 #include "base/command_line.h"
@@ skipping 183 matching lines @@
 
    error:
     LOG(WARNING) << "Error parsing fork request from browser";
     for (std::vector<int>::const_iterator
          i = fds.begin(); i != fds.end(); ++i)
       close(*i);
     return false;
   }
 };
 
-// Patched dynamic symbol wrapper functions...
-namespace sandbox_wrapper {
-
-void do_localtime(time_t input, struct tm* output, char* timezone_out,
-                  size_t timezone_out_len) {
+static void ProxyLocaltimeCallToBrowser(time_t input, struct tm* output,
+                                        char* timezone_out,
+                                        size_t timezone_out_len) {
   Pickle request;
   request.WriteInt(LinuxSandbox::METHOD_LOCALTIME);
   request.WriteString(
       std::string(reinterpret_cast<char*>(&input), sizeof(input)));
 
   uint8_t reply_buf[512];
   const ssize_t r = base::SendRecvMsg(
       kMagicSandboxIPCDescriptor, reply_buf, sizeof(reply_buf), NULL, request);
   if (r == -1) {
     memset(output, 0, sizeof(struct tm));
@@ skipping 14 matching lines @@
   if (timezone_out_len) {
     const size_t copy_len = std::min(timezone_out_len - 1, timezone.size());
     memcpy(timezone_out, timezone.data(), copy_len);
     timezone_out[copy_len] = 0;
     output->tm_zone = timezone_out;
   } else {
     output->tm_zone = NULL;
   }
 }
 
+static bool g_am_zygote_or_renderer = false;
+
+// Sandbox interception of libc calls.
+//
+// Because we are running in a sandbox certain libc calls will fail (localtime
+// being the motivating example - it needs to read /etc/localtime). We need to
+// intercept these calls and proxy them to the browser. However, these calls
+// may come from us or from our libraries. In some cases we can't just change
+// our code.
+//
+// It's for these cases that we have the following setup:
+//
+// We define global functions for those functions which we wish to override.
+// Since we will be first in the dynamic resolution order, the dynamic linker
+// will point callers to our versions of these functions. However, we have the
+// same binary for both the browser and the renderers, which means that our
+// overrides will apply in the browser too.
+//
+// The global |g_am_zygote_or_renderer| is true iff we are in a zygote or
+// renderer process. It's set in ZygoteMain and inherited by the renderers when
+// they fork. (This means that it'll be incorrect for global constructor
+// functions and before ZygoteMain is called - beware).
+//
+// Our replacement functions can check this global and either proxy
+// the call to the browser over the sandbox IPC
+// (http://code.google.com/p/chromium/wiki/LinuxSandboxIPC) or they can use
+// dlsym with RTLD_NEXT to resolve the symbol, ignoring any symbols in the
+// current module.
+//
+// Other avenues:
+//
+// Our first attempt involved some assembly to patch the GOT of the current
+// module. This worked, but was platform specific and doesn't catch the case
+// where a library makes a call rather than current module.
+//
+// We also considered patching the function in place, but this would again by
+// platform specific and the above technique seems to work well enough.
+
 struct tm* localtime(const time_t* timep) {
-  static struct tm time_struct;
-  static char timezone_string[64];
-  do_localtime(*timep, &time_struct, timezone_string, sizeof(timezone_string));
-  return &time_struct;
+  if (g_am_zygote_or_renderer) {
+    static struct tm time_struct;
+    static char timezone_string[64];
+    ProxyLocaltimeCallToBrowser(*timep, &time_struct, timezone_string,
+                                sizeof(timezone_string));
+    return &time_struct;
+  } else {
+    typedef struct tm* (*LocaltimeFunction)(const time_t* timep);
+    static LocaltimeFunction libc_localtime;
+    if (!libc_localtime)
+      libc_localtime = (LocaltimeFunction) dlsym(RTLD_NEXT, "localtime");
+
+    return libc_localtime(timep);
+  }
 }
 
 struct tm* localtime_r(const time_t* timep, struct tm* result) {
-  do_localtime(*timep, result, NULL, 0);
-  return result;
+  if (g_am_zygote_or_renderer) {
+    ProxyLocaltimeCallToBrowser(*timep, result, NULL, 0);
+    return result;
+  } else {
+    typedef struct tm* (*LocaltimeRFunction)(const time_t* timep,
+                                             struct tm* result);
+    static LocaltimeRFunction libc_localtime_r;
+    if (!libc_localtime_r)
+      libc_localtime_r = (LocaltimeRFunction) dlsym(RTLD_NEXT, "localtime_r");
+
+    return libc_localtime_r(timep, result);
+  }
 }
 
-}  // namespace sandbox_wrapper
-
-/* On IA-32, function calls which need to be resolved by the dynamic linker are
- * directed to the producure linking table (PLT). Each PLT entry contains code
- * which jumps (indirectly) via the global offset table (GOT):
- *   Dump of assembler code for function f@plt:
- *   0x0804830c <f@plt+0>:   jmp    *0x804a004  # GOT indirect jump
- *   0x08048312 <f@plt+6>:   push   $0x8
- *   0x08048317 <f@plt+11>:  jmp    0x80482ec <_init+48>
- *
- * At the beginning of a process's lifetime, the GOT entry jumps back to
- * <f@plt+6> end then enters the dynamic linker. Once the symbol has been
- * resolved, the GOT entry is patched so that future calls go directly to the
- * resolved function.
- *
- * This macro finds the PLT entry for a given symbol, |symbol|, and reads the
- * GOT entry address from the first instruction. It then patches that address
- * with the address of a replacement function, |replacement|.
- */
-#define PATCH_GLOBAL_OFFSET_TABLE(symbol, replacement) \
-       /* First, get the current instruction pointer since the PLT address */ \
-       /* is IP relative */ \
-  asm ("call 0f\n" \
-       "0: pop %%ecx\n" \
-       /* Move the IP relative address of the PLT entry into EAX */ \
-       "mov $" #symbol "@plt,%%eax\n" \
-       /* Add EAX to ECX to get an absolute entry */ \
-       "add %%eax,%%ecx\n" \
-       /* The value in ECX was relative to the add instruction, however, */ \
-       /* the IP value was that of the pop. The pop and mov take 6 */ \
-       /* bytes, so adding 6 gets us the correct address for the PLT. The */ \
-       /* first instruction at the PLT is FF 25 <abs address>, so we skip 2 */ \
-       /* bytes to get to the address. 6 + 2 = 8: */ \
-       "movl 8(%%ecx),%%ecx\n" \
-       /* Now ECX contains the address of the GOT entry, we poke our */ \
-       /* replacement function in there: */ \
-       "movl %0,(%%ecx)\n" \
-       :  /* no output */ \
-       :  "r" (replacement) \
-       : "memory", "%eax", "%ecx");
-
 static bool MaybeEnterChroot() {
   const char* const sandbox_fd_string = getenv("SBX_D");
   if (sandbox_fd_string) {
     // The SUID sandbox sets this environment variable to a file descriptor
     // over which we can signal that we have completed our startup and can be
     // chrooted.
 
     char* endptr;
     const long fd_long = strtol(sandbox_fd_string, &endptr, 10);
     if (!*sandbox_fd_string || *endptr || fd_long < 0 || fd_long > INT_MAX)
       return false;
     const int fd = fd_long;
 
     // Before entering the sandbox, "prime" any systems that need to open
     // files and cache the results or the descriptors.
     base::RandUint64();
 
     base::SysInfo::MaxSharedMemorySize();
 
     // To make wcstombs/mbstowcs work in a renderer, setlocale() has to be
     // called before the sandbox is triggered. It's possible to avoid calling
     // setlocale() by pulling out the conversion between FilePath and
     // WebCore String out of the renderer and using string16 in place of
     // FilePath for IPC.
     const char* locale = setlocale(LC_ALL, "");
     LOG_IF(WARNING, locale == NULL) << "setlocale failed.";
 
-#if defined(ARCH_CPU_X86)
-    PATCH_GLOBAL_OFFSET_TABLE(localtime, sandbox_wrapper::localtime);
-    PATCH_GLOBAL_OFFSET_TABLE(localtime_r, sandbox_wrapper::localtime_r);
-#endif
-
     FilePath module_path;
     if (PathService::Get(base::DIR_MODULE, &module_path))
       media::InitializeMediaLibrary(module_path);
 
     static const char kChrootMe = 'C';
     static const char kChrootMeSuccess = 'O';
 
     if (HANDLE_EINTR(write(fd, &kChrootMe, 1)) != 1) {
       LOG(ERROR) << "Failed to write to chroot pipe: " << errno;
       return false;
@@ skipping 41 matching lines @@
       }
     }
   } else {
     SkiaFontConfigUseDirectImplementation();
   }
 
   return true;
 }
 
 bool ZygoteMain(const MainFunctionParams& params) {
+  g_am_zygote_or_renderer = true;
+
   if (!MaybeEnterChroot()) {
     LOG(FATAL) << "Failed to enter sandbox. Fail safe abort. (errno: "
                << errno << ")";
     return false;
   }
 
   Zygote zygote;
   return zygote.ProcessRequests();
 }