|
If an app installs its own memory allocator by overriding the internal
glibc symbols, then we can easily hit a loop that cannot be broken: the
dlsym functions can attempt to allocate memory, and sandbox relies on
them to find the "real" functions. So when someone calls a symbol that
the sandbox protects, we call dlsym, and that calls malloc, which calls
back into the app, and their allocator might use another symbol such as
open ... which is protected by the sandbox. So we hit the loop like:
-> open -> libsandbox:open -> dlsym -> malloc -> open ->
libsandbox:open -> dlsym -> malloc -> ...
Change the exec checking logic to scan the ELF instead. If it exports
these glibc symbols, then we have to assume it can trigger a loop, so
scrub the sandbox environment to prevent us from being loaded. Then we
use the out-of-process tracer (i.e. ptrace). This should generally be
as robust anyways ... if it's not, that's a bug we want to fix as this
is the same code used for static apps.
URL: http://crbug.com/586444
Reported-by: Ryo Hashimoto <hashimoto@chromium.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|