maxjhandsome
/
llvm-project
forked from OSchip/llvm-project
1
0
Fork 0
Code Issues Pull Requests Packages Releases Wiki Activity

Use socketpair on all Unix platforms 

Using TCP sockets is insecure against local attackers, and possibly
against remote attackers too (some vulnerabilities may allow tricking a
browser to make a request to localhost). Use socketpair (which is immune
to such attacks) on all Unix platforms.

Patch by Demi Marie Obenour < demiobenour@gmail.com >

Differential Revision: https://reviews.llvm.org/D33213

llvm-svn: 314127
This commit is contained in:
Eugene Zemtsov 2017-09-25 17:41:16 +00:00
parent 761f0b660d
commit 3015341d45
2 changed files with 46 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
lldb/source/Plugins/Process/gdb-remote/ProcessGDBRemote.cpp
View File

@ -3289,7 +3289,7 @@ ProcessGDBRemote::EstablishConnectionIfNeeded(const ProcessInfo &process_info) {
}
return error;
}
#if defined(__APPLE__)
#if !defined(_WIN32)
#define USE_SOCKETPAIR_FOR_LOCAL_CONNECTION 1
#endif
@ -3333,8 +3333,8 @@ Status ProcessGDBRemote::LaunchAndConnectToDebugserver(
lldb_utility::CleanUp<int, int> our_socket(-1, -1, close);
lldb_utility::CleanUp<int, int> gdb_socket(-1, -1, close);
// Use a socketpair on Apple for now until other platforms can verify it
// works and is fast enough
// Use a socketpair on non-Windows systems for security and performance
// reasons.
{
int sockets[2]; /* the pair of socket descriptors */
if (socketpair(AF_UNIX, SOCK_STREAM, 0, sockets) == -1) {

56
lldb/tools/lldb-server/lldb-gdbserver.cpp
View File

@ -106,6 +106,7 @@ static struct option g_long_options[] = {
// than llgs listening for a connection from address on port.
{"setsid", no_argument, NULL,
'S'}, // Call setsid() to make llgs run in its own session.
{"fd", required_argument, NULL, 'F'},
{NULL, 0, NULL, 0}};
//----------------------------------------------------------------------
@ -132,13 +133,13 @@ static void display_usage(const char *progname, const char *subcommand) {
"[--log-file log-file-name] "
"[--log-channels log-channel-list] "
"[--setsid] "
"[--fd file-descriptor]"
"[--named-pipe named-pipe-path] "
"[--native-regs] "
"[--attach pid] "
"[[HOST]:PORT] "
"[-- PROGRAM ARG1 ARG2 ...]\n",
progname, subcommand);
exit(0);
}
void handle_attach_to_pid(GDBRemoteCommunicationServerLLGS &gdb_server,
@ -232,10 +233,34 @@ void ConnectToRemote(MainLoop &mainloop,
GDBRemoteCommunicationServerLLGS &gdb_server,
bool reverse_connect, const char *const host_and_port,
const char *const progname, const char *const subcommand,
const char *const named_pipe_path, int unnamed_pipe_fd) {
const char *const named_pipe_path, int unnamed_pipe_fd,
int connection_fd) {
Status error;
if (host_and_port && host_and_port[0]) {
std::unique_ptr<Connection> connection_up;
if (connection_fd != -1) {
// Build the connection string.
char connection_url[512];
snprintf(connection_url, sizeof(connection_url), "fd://%d", connection_fd);
// Create the connection.
#if !defined LLDB_DISABLE_POSIX && !defined _WIN32
::fcntl(connection_fd, F_SETFD, FD_CLOEXEC);
#endif
connection_up.reset(new ConnectionFileDescriptor);
auto connection_result = connection_up->Connect(connection_url, &error);
if (connection_result != eConnectionStatusSuccess) {
fprintf(stderr, "error: failed to connect to client at '%s' "
"(connection status: %d)",
connection_url, static_cast<int>(connection_result));
exit(-1);
}
if (error.Fail()) {
fprintf(stderr, "error: failed to connect to client at '%s': %s",
connection_url, error.AsCString());
exit(-1);
}
} else if (host_and_port && host_and_port[0]) {
// Parse out host and port.
std::string final_host_and_port;
std::string connection_host;
@ -255,7 +280,6 @@ void ConnectToRemote(MainLoop &mainloop,
connection_portno = StringConvert::ToUInt32(connection_port.c_str(), 0);
}
std::unique_ptr<Connection> connection_up;
if (reverse_connect) {
// llgs will connect to the gdb-remote client.
@ -328,14 +352,14 @@ void ConnectToRemote(MainLoop &mainloop,
}
connection_up.reset(conn);
}
error = gdb_server.InitializeConnection(std::move(connection_up));
if (error.Fail()) {
fprintf(stderr, "Failed to initialize connection: %s\n",
error.AsCString());
exit(-1);
}
printf("Connection established.\n");
}
error = gdb_server.InitializeConnection(std::move(connection_up));
if (error.Fail()) {
fprintf(stderr, "Failed to initialize connection: %s\n",
error.AsCString());
exit(-1);
}
printf("Connection established.\n");
}
//----------------------------------------------------------------------
@ -364,6 +388,7 @@ int main_gdbserver(int argc, char *argv[]) {
log_channels; // e.g. "lldb process threads:gdb-remote default:linux all"
int unnamed_pipe_fd = -1;
bool reverse_connect = false;
int connection_fd = -1;
// ProcessLaunchInfo launch_info;
ProcessAttachInfo attach_info;
@ -413,6 +438,10 @@ int main_gdbserver(int argc, char *argv[]) {
reverse_connect = true;
break;
case 'F':
connection_fd = StringConvert::ToUInt32(optarg, -1);
break;
#ifndef _WIN32
case 'S':
// Put llgs into a new session. Terminals group processes
@ -472,7 +501,8 @@ int main_gdbserver(int argc, char *argv[]) {
argc -= optind;
argv += optind;
if (argc == 0) {
if (argc == 0 && connection_fd == -1) {
fputs("No arguments\n", stderr);
display_usage(progname, subcommand);
exit(255);
}
@ -501,7 +531,7 @@ int main_gdbserver(int argc, char *argv[]) {
ConnectToRemote(mainloop, gdb_server, reverse_connect, host_and_port,
progname, subcommand, named_pipe_path.c_str(),
unnamed_pipe_fd);
unnamed_pipe_fd, connection_fd);
if (!gdb_server.IsConnected()) {
fprintf(stderr, "no connection information provided, unable to run\n");