NativeBridge: Tighten security on libnativebridge

Do not allow arbitrary paths for the native bridge - only allow simple names. Do not allow re-setup of the native bridge. Bug: 16404669 Change-Id: Ie22de356d2307fe2758f9094a85d44e61a4098a1
author: Andreas Gampe <agampe@google.com> 2014-08-19 22:31:31 -0700
committer: Andreas Gampe <agampe@google.com> 2014-08-21 14:33:44 -0700
commit: cd2ef4c1af69727231b84ebc82864c170ff0e8ad (patch)
tree: db2aa475689e96e3050ccfd917682f4aea97af71 /libnativebridge
parent: 6ba555f2ad878129cd1da9dd7b7613ab166090ab (diff)
download: system_core-cd2ef4c1af69727231b84ebc82864c170ff0e8ad.zip
system_core-cd2ef4c1af69727231b84ebc82864c170ff0e8ad.tar.gz
system_core-cd2ef4c1af69727231b84ebc82864c170ff0e8ad.tar.bz2
8 files changed, 298 insertions, 9 deletions
diff --git a/libnativebridge/Android.mk b/libnativebridge/Android.mk
index 017ce02..9403fd2 100644
--- a/libnativebridge/Android.mk
+++ b/libnativebridge/Android.mk
@@ -10,10 +10,11 @@ include $(CLEAR_VARS)
 LOCAL_MODULE:= libnativebridge
 
 LOCAL_SRC_FILES:= $(NATIVE_BRIDGE_COMMON_SRC_FILES)
+LOCAL_SHARED_LIBRARIES := liblog
 LOCAL_CLANG := true
 LOCAL_CPP_EXTENSION := .cc
 LOCAL_CFLAGS := -Werror
-LOCAL_CPPFLAGS := -std=gnu++11
+LOCAL_CPPFLAGS := -std=gnu++11 -fvisibility=protected
 LOCAL_LDFLAGS := -ldl
 LOCAL_MULTILIB := both
 
@@ -26,10 +27,11 @@ include $(CLEAR_VARS)
 LOCAL_MODULE:= libnativebridge
 
 LOCAL_SRC_FILES:= $(NATIVE_BRIDGE_COMMON_SRC_FILES)
+LOCAL_SHARED_LIBRARIES := liblog
 LOCAL_CLANG := true
 LOCAL_CPP_EXTENSION := .cc
 LOCAL_CFLAGS := -Werror
-LOCAL_CPPFLAGS := -std=gnu++11
+LOCAL_CPPFLAGS := -std=gnu++11 -fvisibility=protected
 LOCAL_LDFLAGS := -ldl
 LOCAL_MULTILIB := both
 
diff --git a/libnativebridge/native_bridge.cc b/libnativebridge/native_bridge.cc
index ad4ee73..2205f45 100644
--- a/libnativebridge/native_bridge.cc
+++ b/libnativebridge/native_bridge.cc
@@ -16,6 +16,7 @@
 
 #include "nativebridge/native_bridge.h"
 
+#include <cutils/log.h>
 #include <dlfcn.h>
 #include <stdio.h>
 #include "utils/Mutex.h"
@@ -28,27 +29,92 @@ static Mutex native_bridge_lock("native bridge lock");
 // The symbol name exposed by native-bridge with the type of NativeBridgeCallbacks.
 static constexpr const char* kNativeBridgeInterfaceSymbol = "NativeBridgeItf";
 
-// The path of the library we are supposed to load.
-static const char* native_bridge_library_path = nullptr;
+// The filename of the library we are supposed to load.
+static const char* native_bridge_library_filename = nullptr;
 
 // Whether a native bridge is available (loaded and ready).
 static bool available = false;
 // Whether we have already initialized (or tried to).
 static bool initialized = false;
+// Whether we had an error at some point.
+static bool had_error = false;
 
 static NativeBridgeCallbacks* callbacks = nullptr;
 static const NativeBridgeRuntimeCallbacks* runtime_callbacks = nullptr;
 
-void SetupNativeBridge(const char* nb_library_path,
+// Characters allowed in a native bridge filename. The first character must
+// be in [a-zA-Z] (expected 'l' for "libx"). The rest must be in [a-zA-Z0-9._-].
+static bool CharacterAllowed(char c, bool first) {
+  if (first) {
+    return ('a' <= c && c <= 'z') || ('A' <= c && c <= 'Z');
+  } else {
+    return ('a' <= c && c <= 'z') || ('A' <= c && c <= 'Z') || ('0' <= c && c <= '9') ||
+           (c == '.') || (c == '_') || (c == '-');
+  }
+}
+
+// We only allow simple names for the library. It is supposed to be a file in
+// /system/lib or /vendor/lib. Only allow a small range of characters, that is
+// names consisting of [a-zA-Z0-9._-] and starting with [a-zA-Z].
+bool NativeBridgeNameAcceptable(const char* nb_library_filename) {
+  const char* ptr = nb_library_filename;
+  if (*ptr == 0) {
+    // Emptry string. Allowed, means no native bridge.
+    return true;
+  } else {
+    // First character must be [a-zA-Z].
+    if (!CharacterAllowed(*ptr, true))  {
+      // Found an invalid fist character, don't accept.
+      ALOGE("Native bridge library %s has been rejected for first character %c", nb_library_filename, *ptr);
+      return false;
+    } else {
+      // For the rest, be more liberal.
+      ptr++;
+      while (*ptr != 0) {
+        if (!CharacterAllowed(*ptr, false)) {
+          // Found an invalid character, don't accept.
+          ALOGE("Native bridge library %s has been rejected for %c", nb_library_filename, *ptr);
+          return false;
+        }
+        ptr++;
+      }
+    }
+    return true;
+  }
+}
+
+void SetupNativeBridge(const char* nb_library_filename,
                        const NativeBridgeRuntimeCallbacks* runtime_cbs) {
   Mutex::Autolock auto_lock(native_bridge_lock);
 
-  native_bridge_library_path = nb_library_path;
+  if (initialized || native_bridge_library_filename != nullptr) {
+    // Setup has been called before. Ignore this call.
+    ALOGW("Called SetupNativeBridge for an already set up native bridge.");
+    // Note: counts as an error, even though the bridge may be functional.
+    had_error = true;
+    return;
+  }
+
   runtime_callbacks = runtime_cbs;
 
-  if (native_bridge_library_path == nullptr) {
-    initialized = true;
+  if (nb_library_filename == nullptr) {
     available = false;
+    initialized = true;
+  } else {
+    // Check whether it's an empty string.
+    if (*nb_library_filename == 0) {
+      available = false;
+      initialized = true;
+    } else if (!NativeBridgeNameAcceptable(nb_library_filename)) {
+      available = false;
+      initialized = true;
+      had_error = true;
+    }
+
+    if (!initialized) {
+      // Didn't find a name error or empty string, assign it.
+      native_bridge_library_filename = nb_library_filename;
+    }
   }
 }
 
@@ -62,7 +128,15 @@ static bool NativeBridgeInitialize() {
 
   available = false;
 
-  void* handle = dlopen(native_bridge_library_path, RTLD_LAZY);
+  if (native_bridge_library_filename == nullptr) {
+    // Called initialize without setup. dlopen has special semantics for nullptr input.
+    // So just call it a day here. This counts as an error.
+    initialized = true;
+    had_error = true;
+    return false;
+  }
+
+  void* handle = dlopen(native_bridge_library_filename, RTLD_LAZY);
   if (handle != nullptr) {
     callbacks = reinterpret_cast<NativeBridgeCallbacks*>(dlsym(handle,
                                                                kNativeBridgeInterfaceSymbol));
@@ -72,8 +146,13 @@ static bool NativeBridgeInitialize() {
     }
 
     if (!available) {
+      // If we fail initialization, this counts as an error.
+      had_error = true;
       dlclose(handle);
     }
+  } else {
+    // Being unable to open the library counts as an error.
+    had_error = true;
   }
 
   initialized = true;
@@ -81,6 +160,14 @@ static bool NativeBridgeInitialize() {
   return available;
 }
 
+bool NativeBridgeError() {
+  return had_error;
+}
+
+bool NativeBridgeAvailable() {
+  return NativeBridgeInitialize();
+}
+
 void* NativeBridgeLoadLibrary(const char* libpath, int flag) {
   if (NativeBridgeInitialize()) {
     return callbacks->loadLibrary(libpath, flag);
diff --git a/libnativebridge/tests/Android.mk b/libnativebridge/tests/Android.mk
new file mode 100644
index 0000000..457b163
--- /dev/null
+++ b/libnativebridge/tests/Android.mk
@@ -0,0 +1,34 @@
+# Build the unit tests.
+LOCAL_PATH := $(call my-dir)
+include $(CLEAR_VARS)
+
+# Build the unit tests.
+test_src_files := \
+    InvalidCharsNativeBridge_test.cpp \
+    ReSetupNativeBridge_test.cpp \
+    UnavailableNativeBridge_test.cpp \
+    ValidNameNativeBridge_test.cpp
+
+shared_libraries := \
+    liblog \
+    libnativebridge
+
+$(foreach file,$(test_src_files), \
+    $(eval include $(CLEAR_VARS)) \
+    $(eval LOCAL_CLANG := true) \
+    $(eval LOCAL_CPPFLAGS := -std=gnu++11) \
+    $(eval LOCAL_SHARED_LIBRARIES := $(shared_libraries)) \
+    $(eval LOCAL_SRC_FILES := $(file)) \
+    $(eval LOCAL_MODULE := $(notdir $(file:%.cpp=%))) \
+    $(eval include $(BUILD_NATIVE_TEST)) \
+)
+
+$(foreach file,$(test_src_files), \
+    $(eval include $(CLEAR_VARS)) \
+    $(eval LOCAL_CLANG := true) \
+    $(eval LOCAL_CPPFLAGS := -std=gnu++11) \
+    $(eval LOCAL_SHARED_LIBRARIES := $(shared_libraries)) \
+    $(eval LOCAL_SRC_FILES := $(file)) \
+    $(eval LOCAL_MODULE := $(notdir $(file:%.cpp=%))) \
+    $(eval include $(BUILD_HOST_NATIVE_TEST)) \
+)
+\ No newline at end of file
diff --git a/libnativebridge/tests/InvalidCharsNativeBridge_test.cpp b/libnativebridge/tests/InvalidCharsNativeBridge_test.cpp
new file mode 100644
index 0000000..f37e9c1
--- /dev/null
+++ b/libnativebridge/tests/InvalidCharsNativeBridge_test.cpp
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "NativeBridgeTest.h"
+
+namespace android {
+
+static const char* kTestName = "../librandom$@-bridge_not.existing.so";
+
+TEST_F(NativeBridgeTest, InvalidChars) {
+    // Do one test actually calling setup.
+    EXPECT_EQ(false, NativeBridgeError());
+    SetupNativeBridge(kTestName, nullptr);
+    // This should lead to an error for invalid characters.
+    EXPECT_EQ(true, NativeBridgeError());
+
+    // Further tests need to use NativeBridgeNameAcceptable, as the error
+    // state can't be changed back.
+    EXPECT_EQ(false, NativeBridgeNameAcceptable("."));
+    EXPECT_EQ(false, NativeBridgeNameAcceptable(".."));
+    EXPECT_EQ(false, NativeBridgeNameAcceptable("_"));
+    EXPECT_EQ(false, NativeBridgeNameAcceptable("-"));
+    EXPECT_EQ(false, NativeBridgeNameAcceptable("lib@.so"));
+    EXPECT_EQ(false, NativeBridgeNameAcceptable("lib$.so"));
+}
+
+}  // namespace android
diff --git a/libnativebridge/tests/NativeBridgeTest.h b/libnativebridge/tests/NativeBridgeTest.h
new file mode 100644
index 0000000..0d731cb
--- /dev/null
+++ b/libnativebridge/tests/NativeBridgeTest.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef NATIVE_BRIDGE_TEST_H_
+#define NATIVE_BRIDGE_TEST_H_
+
+#define LOG_TAG "NativeBridge_test"
+
+#include <nativebridge/native_bridge.h>
+#include <gtest/gtest.h>
+
+namespace android {
+
+class NativeBridgeTest : public testing::Test {
+};
+
+};  // namespace android
+
+#endif  // NATIVE_BRIDGE_H_
+
diff --git a/libnativebridge/tests/ReSetupNativeBridge_test.cpp b/libnativebridge/tests/ReSetupNativeBridge_test.cpp
new file mode 100644
index 0000000..ef5bfce
--- /dev/null
+++ b/libnativebridge/tests/ReSetupNativeBridge_test.cpp
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "NativeBridgeTest.h"
+
+namespace android {
+
+static const char* kTestName = "librandom-bridge_not.existing.so";
+
+TEST_F(NativeBridgeTest, ReSetup) {
+    EXPECT_EQ(false, NativeBridgeError());
+    SetupNativeBridge(kTestName, nullptr);
+    EXPECT_EQ(false, NativeBridgeError());
+    SetupNativeBridge(kTestName, nullptr);
+    // This should lead to an error for trying to re-setup a native bridge.
+    EXPECT_EQ(true, NativeBridgeError());
+}
+
+}  // namespace android
diff --git a/libnativebridge/tests/UnavailableNativeBridge_test.cpp b/libnativebridge/tests/UnavailableNativeBridge_test.cpp
new file mode 100644
index 0000000..27d1233
--- /dev/null
+++ b/libnativebridge/tests/UnavailableNativeBridge_test.cpp
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) 2011 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "NativeBridgeTest.h"
+
+namespace android {
+
+TEST_F(NativeBridgeTest, NoNativeBridge) {
+    EXPECT_EQ(false, NativeBridgeAvailable());
+    // This should lead to an error for trying to initialize a not-setup
+    // native bridge.
+    EXPECT_EQ(true, NativeBridgeError());
+}
+
+}  // namespace android
diff --git a/libnativebridge/tests/ValidNameNativeBridge_test.cpp b/libnativebridge/tests/ValidNameNativeBridge_test.cpp
new file mode 100644
index 0000000..3e01923
--- /dev/null
+++ b/libnativebridge/tests/ValidNameNativeBridge_test.cpp
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2011 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <NativeBridgeTest.h>
+
+namespace android {
+
+static const char* kTestName = "librandom-bridge_not.existing.so";
+
+TEST_F(NativeBridgeTest, ValidName) {
+    EXPECT_EQ(false, NativeBridgeError());
+    SetupNativeBridge(kTestName, nullptr);
+    EXPECT_EQ(false, NativeBridgeError());
+    EXPECT_EQ(false, NativeBridgeAvailable());
+    // This should lead to an error for trying to initialize a not-existing
+    // native bridge.
+    EXPECT_EQ(true, NativeBridgeError());
+}
+
+}  // namespace android
author	Andreas Gampe <agampe@google.com>	2014-08-19 22:31:31 -0700
committer	Andreas Gampe <agampe@google.com>	2014-08-21 14:33:44 -0700
commit	cd2ef4c1af69727231b84ebc82864c170ff0e8ad (patch)
tree	db2aa475689e96e3050ccfd917682f4aea97af71 /libnativebridge
parent	6ba555f2ad878129cd1da9dd7b7613ab166090ab (diff)
download	system_core-cd2ef4c1af69727231b84ebc82864c170ff0e8ad.zip system_core-cd2ef4c1af69727231b84ebc82864c170ff0e8ad.tar.gz system_core-cd2ef4c1af69727231b84ebc82864c170ff0e8ad.tar.bz2