| /* Copyright (c) 2020, Google Inc. |
| * |
| * Permission to use, copy, modify, and/or distribute this software for any |
| * purpose with or without fee is hereby granted, provided that the above |
| * copyright notice and this permission notice appear in all copies. |
| * |
| * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
| * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
| * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY |
| * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION |
| * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN |
| * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ |
| |
| #if !defined(_GNU_SOURCE) |
| #define _GNU_SOURCE // needed for madvise() and MAP_ANONYMOUS on Linux. |
| #endif |
| |
| #include "../bcm_support.h" |
| |
| #if defined(OPENSSL_FORK_DETECTION_MADVISE) |
| #include <unistd.h> |
| #include <stdlib.h> |
| #include <assert.h> |
| #include <sys/mman.h> |
| #if defined(MADV_WIPEONFORK) |
| static_assert(MADV_WIPEONFORK == 18, "MADV_WIPEONFORK is not 18"); |
| #else |
| #define MADV_WIPEONFORK 18 |
| #endif |
| #elif defined(OPENSSL_FORK_DETECTION_PTHREAD_ATFORK) |
| #include <unistd.h> |
| #include <stdlib.h> |
| #include <pthread.h> |
| #endif // OPENSSL_FORK_DETECTION_MADVISE |
| |
| #include "../internal.h" |
| |
| #if defined(OPENSSL_FORK_DETECTION_MADVISE) |
| static int g_force_madv_wipeonfork; |
| static int g_force_madv_wipeonfork_enabled; |
| static CRYPTO_once_t g_fork_detect_once = CRYPTO_ONCE_INIT; |
| static CRYPTO_MUTEX g_fork_detect_lock = CRYPTO_MUTEX_INIT; |
| static CRYPTO_atomic_u32 * g_fork_detect_addr; |
| static uint64_t g_fork_generation; |
| |
| static void init_fork_detect(void) { |
| if (g_force_madv_wipeonfork) { |
| return; |
| } |
| |
| long page_size = sysconf(_SC_PAGESIZE); |
| if (page_size <= 0) { |
| return; |
| } |
| |
| void *addr = mmap(NULL, (size_t)page_size, PROT_READ | PROT_WRITE, |
| MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); |
| if (addr == MAP_FAILED) { |
| return; |
| } |
| |
| // Some versions of qemu (up to at least 5.0.0-rc4, see linux-user/syscall.c) |
| // ignore |madvise| calls and just return zero (i.e. success). But we need to |
| // know whether MADV_WIPEONFORK actually took effect. Therefore try an invalid |
| // call to check that the implementation of |madvise| is actually rejecting |
| // unknown |advice| values. |
| if (madvise(addr, (size_t)page_size, -1) == 0 || |
| madvise(addr, (size_t)page_size, MADV_WIPEONFORK) != 0) { |
| munmap(addr, (size_t)page_size); |
| return; |
| } |
| |
| CRYPTO_atomic_store_u32(addr, 1); |
| g_fork_detect_addr = addr; |
| g_fork_generation = 1; |
| |
| } |
| |
| uint64_t CRYPTO_get_fork_generation(void) { |
| CRYPTO_once(&g_fork_detect_once, init_fork_detect); |
| |
| // In a single-threaded process, there are obviously no races because there's |
| // only a single mutator in the address space. |
| // |
| // In a multi-threaded environment, |CRYPTO_once| ensures that the flag byte |
| // is initialised atomically, even if multiple threads enter this function |
| // concurrently. |
| // |
| // Additionally, while the kernel will only clear WIPEONFORK at a point when a |
| // child process is single-threaded, the child may become multi-threaded |
| // before it observes this. Therefore, we must synchronize the logic below. |
| |
| CRYPTO_atomic_u32 *const flag_ptr = g_fork_detect_addr; |
| if (flag_ptr == NULL) { |
| // Our kernel is too old to support |MADV_WIPEONFORK| or |
| // |g_force_madv_wipeonfork| is set. |
| if (g_force_madv_wipeonfork && |
| g_force_madv_wipeonfork_enabled) { |
| // A constant generation number to simulate support, even if the kernel |
| // doesn't support it. |
| return 42; |
| } |
| // With Linux and clone(), we do not believe that pthread_atfork() is |
| // sufficient for detecting all forms of address space duplication. At this |
| // point we have a kernel that does not support MADV_WIPEONFORK. We could |
| // return the generation number from pthread_atfork() here and it would |
| // probably be safe in almost any situation, but to ensure safety we return |
| // 0 and force an entropy draw on every call. |
| return 0; |
| } |
| |
| // In the common case, try to observe the flag without taking a lock. This |
| // avoids cacheline contention in the PRNG. |
| uint64_t *const generation_ptr = &g_fork_generation; |
| if (CRYPTO_atomic_load_u32(flag_ptr) != 0) { |
| // If we observe a non-zero flag, it is safe to read |generation_ptr| |
| // without a lock. The flag and generation number are fixed for this copy of |
| // the address space. |
| return *generation_ptr; |
| } |
| |
| // The flag was zero. The generation number must be incremented, but other |
| // threads may have concurrently observed the zero, so take a lock before |
| // incrementing. |
| CRYPTO_MUTEX *const lock = &g_fork_detect_lock; |
| CRYPTO_MUTEX_lock_write(lock); |
| uint64_t current_generation = *generation_ptr; |
| if (CRYPTO_atomic_load_u32(flag_ptr) == 0) { |
| // A fork has occurred. |
| current_generation++; |
| if (current_generation == 0) { |
| // Zero means fork detection isn't supported, so skip that value. |
| current_generation = 1; |
| } |
| |
| // We must update |generation_ptr| before |flag_ptr|. Other threads may |
| // observe |flag_ptr| without taking a lock. |
| *generation_ptr = current_generation; |
| CRYPTO_atomic_store_u32(flag_ptr, 1); |
| } |
| CRYPTO_MUTEX_unlock_write(lock); |
| |
| return current_generation; |
| } |
| |
| void CRYPTO_fork_detect_force_madv_wipeonfork_for_testing(int on) { |
| g_force_madv_wipeonfork = 1; |
| g_force_madv_wipeonfork_enabled = on; |
| } |
| |
| #elif defined(OPENSSL_FORK_DETECTION_PTHREAD_ATFORK) |
| |
| static CRYPTO_once_t g_pthread_fork_detection_once = CRYPTO_ONCE_INIT; |
| static uint64_t g_atfork_fork_generation; |
| |
| static void we_are_forked(void) { |
| // Immediately after a fork, the process must be single-threaded. |
| uint64_t value = g_atfork_fork_generation + 1; |
| if (value == 0) { |
| value = 1; |
| } |
| g_atfork_fork_generation = value; |
| } |
| |
| static void init_pthread_fork_detection(void) { |
| if (pthread_atfork(NULL, NULL, we_are_forked) != 0) { |
| abort(); |
| } |
| g_atfork_fork_generation = 1; |
| } |
| |
| uint64_t CRYPTO_get_fork_generation(void) { |
| CRYPTO_once(&g_pthread_fork_detection_once, init_pthread_fork_detection); |
| |
| return g_atfork_fork_generation; |
| } |
| |
| #elif defined(OPENSSL_DOES_NOT_FORK) |
| |
| // These platforms are guaranteed not to fork, and therefore do not require |
| // fork detection support. Returning a constant non zero value makes BoringSSL |
| // assume address space duplication is not a concern and adding entropy to |
| // every RAND_bytes call is not needed. |
| uint64_t CRYPTO_get_fork_generation(void) { return 0xc0ffee; } |
| |
| #else |
| |
| // These platforms may fork, but we do not have a mitigation mechanism in |
| // place. Returning a constant zero value makes BoringSSL assume that address |
| // space duplication could have occured on any call entropy must be added to |
| // every RAND_bytes call. |
| uint64_t CRYPTO_get_fork_generation(void) { return 0; } |
| |
| #endif |