From 436980d31c99bdee3c794e26e662e885eba928d6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?=
Date: Fri, 21 Jan 2022 11:19:55 -0800
Subject: allowlist new Linux close_range() system call, use it in posix_spawn()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Linux kernel's close_range() system call (currently) allows: close() unshare() fcntl(F_SETFD, FD_CLOEXEC) to be performed on ranges of fds. All 3 of these are already allowed by seccomp bpf: as such this doesn't allow you to do anything you can't already do. We can't add close_range() properly to bionic because we'd need to fiddle about with ltp and it's too late to add new T API anyway, so let's just make the direct syscall() call. We'll add proper support in U.
See also: https://man7.org/linux/man-pages/man2/close_range.2.html
Test: TreeHugger
Bug: 229913920
Signed-off-by: Maciej Żenczykowski
Change-Id: I85586d544fc23bed6aee59f00bdb79ee7a8150d1
Merged-In: I85586d544fc23bed6aee59f00bdb79ee7a8150d1
---
 libc/SECCOMP_ALLOWLIST_COMMON.TXT | 2 ++
 libc/bionic/spawn.cpp | 5 +++++
 2 files changed, 7 insertions(+)
diff --git a/libc/SECCOMP_ALLOWLIST_COMMON.TXT b/libc/SECCOMP_ALLOWLIST_COMMON.TXT
index 6650d7e32..c440f9b74 100644
--- a/libc/SECCOMP_ALLOWLIST_COMMON.TXT
+++ b/libc/SECCOMP_ALLOWLIST_COMMON.TXT
@@ -74,3 +74,5 @@ int futex_time64(int*, int, int, const timespec64*, int*, int) lp32
 int sched_rr_get_interval_time64(pid_t, timespec64*) lp32
 # Since Linux 5.4, not in glibc. Probed for and conditionally used by ART.
 int userfaultfd(int) all
+# Since Linux 5.9, used by POSIX_SPAWN_CLOEXEC_DEFAULT
+int close_range(unsigned int, unsigned int, int) all
diff --git a/libc/bionic/spawn.cpp b/libc/bionic/spawn.cpp
index 314a05669..59f763138 100644
--- a/libc/bionic/spawn.cpp
+++ b/libc/bionic/spawn.cpp
@@ -30,10 +30,12 @@
 #include
 #include
+#include
 #include
 #include
 #include
 #include
+#include
 #include
 #include
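Review bot: The allowlist comment `# Since Linux 5.9, used by POSIX_SPAWN_CLOEXEC_DEFAULT` understates the kernel requirement that the spawn.cpp hunk of this same commit states as `requires 5.11+ or ACK 5.10-T kernel`: the syscall itself dates from 5.9, but the CLOSE_RANGE_CLOEXEC flag the caller passes is what needs the newer kernel, so someone reading only the policy file would expect the fast path to work on a 5.9/5.10 kernel. Suggest `# Since Linux 5.9 (CLOSE_RANGE_CLOEXEC needs 5.11+), used by POSIX_SPAWN_CLOEXEC_DEFAULT`. The entry is `all`, so the filter now admits close_range on every arch; the commit message's justification (it only composes close/unshare/fcntl F_SETFD that the policy already permits) is worth repeating in the comment, since the commit message is not visible to the next person auditing this allowlist.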
@@ -49,6 +51,9 @@ static int set_cloexec(int i) {
 // mark all open fds except stdin/out/err as close-on-exec
 static int cloexec_except_stdioe() {
+ // requires 5.11+ or ACK 5.10-T kernel, otherwise returns ENOSYS or EINVAL
+ if (!syscall(SYS_close_range, 3, ~0U, CLOSE_RANGE_CLOEXEC)) return 0;
+
 // unfortunately getrlimit can lie:
 // - both soft and hard limits can be lowered to 0, with fds still open, so it can underestimate
 // - in practice it usually is some really large value (like 32K or more)
-- cgit v1.2.3
From 22dfc589eeacdd7e59b35ecdf9a8841bd1803f13 Mon Sep 17 00:00:00 2001
From: Elliott Hughes
Date: Fri, 29 Apr 2022 12:17:37 -0700
Subject: seccomp: allow stat() for ubsan.
We've had complaints about ubsan issues for years, but never got to the bottom of them, or saw them ourselves in testing. For some reason (still not understood) we've started to see this ourselves in T and downstream branches. So for now, let's just punch that extra hole. Longer term, ubsan should stop needing any of this, so once https://reviews.llvm.org/D124212 is in an LTS NDK, we should be able to get rid of this _and_ the existing sanitizer-related holes.
Bug: https://github.com/android/ndk/issues/1298
Bug: http://b/229989971
Test: treehugger
Change-Id: Id42cb29c4e943c0080c0d34ce4e5d6d1b32da9e8
(cherry picked from commit a0745cea5f8510c6bb53dfda16dcba9cca0905d1)
Merged-In: Id42cb29c4e943c0080c0d34ce4e5d6d1b32da9e8
---
 libc/SECCOMP_ALLOWLIST_COMMON.TXT | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libc/SECCOMP_ALLOWLIST_COMMON.TXT b/libc/SECCOMP_ALLOWLIST_COMMON.TXT
index c440f9b74..0366fdf0f 100644
--- a/libc/SECCOMP_ALLOWLIST_COMMON.TXT
+++ b/libc/SECCOMP_ALLOWLIST_COMMON.TXT
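Review bot: The early return accepts only a zero result, so every non-zero outcome (the ENOSYS/EINVAL the comment names, or anything else) silently falls through to the getrlimit-based loop with errno still set by the failed probe; the rest of cloexec_except_stdioe is outside the hunk, so it is not visible here whether anything later reports errno without first making its own failing call, in which case the probe's ENOSYS would leak out. Either preserve it around the probe, `int saved_errno = errno;` before the call and `errno = saved_errno;` on the fall-through path, or extend the comment to say that the fallback path below sets errno itself on every failure it reports. The comment should also say what `~0U` means as the last-fd argument (presumably "up to the highest possible fd"), since the literal reads like a placeholder. On kernels that lack the syscall this probe is re-issued on every spawn; that is cheap but worth a note, since caching the ENOSYS outcome would be a behaviour change best left out of this CL.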
@@ -31,6 +31,8 @@ int seccomp:seccomp(unsigned int operation, unsigned int flags, void *args) all
 int open:open(const char*, int, ...) arm,x86,x86_64
 int stat64:stat64(const char*, struct stat64*) arm,x86
 ssize_t readlink:readlink(const char*, char*, size_t) arm,x86,x86_64
+# Needed by ubsan in T? (http://b/229989971)
+int stat(const char*, struct stat*) arm,x86,x86_64
 #
 # Useful new syscalls which we don't yet use in bionic.
-- cgit v1.2.3
From bbe7c690f1fbe714fe06c2107cb3e4d25bc791f2 Mon Sep 17 00:00:00 2001
From: Florian Mayer
Date: Sat, 23 Apr 2022 01:46:25 +0000
Subject: Merge "Fix missing null-terminator to exec call." am: 7587e20eaf
Original change: https://android-review.googlesource.com/c/platform/bionic/+/2073947
Change-Id: Id15a4a4e86f6bb05378ec1f775fb07693bd9fbda
Ignore-AOSP-First: this is an automerge
Signed-off-by: Automerger Merge Worker
(cherry picked from commit 0f465478006806541d5761ba9921c108036172dc)
---
 tests/gwp_asan_test.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/gwp_asan_test.cpp b/tests/gwp_asan_test.cpp
index b442f51e6..b2c7780b1 100644
--- a/tests/gwp_asan_test.cpp
+++ b/tests/gwp_asan_test.cpp
@@ -43,7 +43,7 @@ void RunGwpAsanTest(const char* test_name) {
 std::string filter_arg = "--gtest_filter=";
 filter_arg += test_name;
 std::string exec(testing::internal::GetArgvs()[0]);
- eh.SetArgs({exec.c_str(), "--gtest_also_run_disabled_tests", filter_arg.c_str()});
+ eh.SetArgs({exec.c_str(), "--gtest_also_run_disabled_tests", filter_arg.c_str(), nullptr});
 eh.Run([&]() { execve(exec.c_str(), eh.GetArgs(), eh.GetEnv()); },
 /* expected_exit_status */ 0,
 // |expected_output_regex|, ensure at least one test ran:
-- cgit v1.2.3
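Review bot: The new comment `# Needed by ubsan in T? (http://b/229989971)` records the doubt but not the exit condition that the commit message spells out, so the next reader of this policy file has no cue for when the entry can be removed. This widens the filter on arm, x86 and x86_64 for a reason the commit itself calls not understood, which is exactly the kind of allowlist entry that tends to outlive its justification. Suggest `# Needed by ubsan in T (http://b/229989971); drop once https://reviews.llvm.org/D124212 is in an LTS NDK.` so the removal plan sits next to the entry rather than only in the commit message.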
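Review bot: The added `nullptr` is required because the execve() call on the following line walks argv until it finds a null pointer, but nothing at the call site says so, and the same requirement applies to whatever eh.GetEnv() returns, which this hunk cannot show. Suggest `// execve() needs a null-terminated argv.` above the SetArgs call; if the helper behind `eh` does not append the terminator itself, enforcing it once in SetArgs would be more robust than relying on every caller to remember it. RunGwpAsanTest continues outside the hunk.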