Try to use file descriptors in the 2000+ range to avoid mis-behaving client

Abseil Team · copybara-github · commit e281c1790b22 · 2024-12-17T11:05:39.000-08:00
interference.

PiperOrigin-RevId: 707171366
Change-Id: I8b79eda8e20bbb25016389ce10a899c3a870de72
diff --git a/absl/debugging/symbolize_elf.inc b/absl/debugging/symbolize_elf.inc
@@ -52,6 +52,7 @@
 #include <elf.h>
 #include <fcntl.h>
 #include <link.h>  // For ElfW() macro.
+#include <sys/resource.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <unistd.h>
@@ -376,6 +377,40 @@ class Symbolizer {
   SymbolCacheLine symbol_cache_[SYMBOL_CACHE_LINES];
 };
 
+// Protect against client code closing low-valued file descriptors it doesn't
+// actually own, as has happened in b/384213477.
+int SaferOpen(const char *fname, int flags) {
+  static int high_fd = [] {
+    struct rlimit rlim{};
+    const int rc = getrlimit(RLIMIT_NOFILE, &rlim);
+    if (rc == 0 && rlim.rlim_cur >= 2000) {
+      const int max_fd = static_cast<int>(rlim.rlim_cur);
+
+      // This will return 2000 on reasonably-configured systems.
+      return std::min<int>(2000, max_fd - 1000);
+    }
+    ABSL_RAW_LOG(WARNING, "Unable to get high fd: rc=%d, limit=%ld",  //
+                 rc, static_cast<long>(rlim.rlim_cur));
+    return -1;
+  }();
+  if (high_fd >= 1000) {
+    const int fd = open(fname, flags);
+    if (fd != -1 && fd < high_fd) {
+      // Try to relocate fd to high range.
+      const int fd2 = fcntl(fd, F_DUPFD, high_fd);
+      if (fd2 != -1) {
+        // Successfully obtained high fd. Use it.
+        close(fd);
+        return fd2;
+      }
+    }
+    // Either open failed and fd==-1, or fd is already above high_fd, or fcntl
+    // failed and fd is valid (but low).
+    return fd;
+  }
+  return open(fname, flags);
+}
+
 static std::atomic<Symbolizer *> g_cached_symbolizer;
 
 }  // namespace
@@ -1064,7 +1099,7 @@ static ABSL_ATTRIBUTE_NOINLINE bool ReadAddrMap(
   snprintf(maps_path, sizeof(maps_path), "/proc/self/task/%d/maps", getpid());
 
   int maps_fd;
-  NO_INTR(maps_fd = open(maps_path, O_RDONLY));
+  NO_INTR(maps_fd = SaferOpen(maps_path, O_RDONLY));
   FileDescriptor wrapped_maps_fd(maps_fd);
   if (wrapped_maps_fd.get() < 0) {
     ABSL_RAW_LOG(WARNING, "%s: errno=%d", maps_path, errno);
@@ -1338,7 +1373,7 @@ static void MaybeOpenFdFromSelfExe(ObjFile *obj) {
   if (memcmp(obj->start_addr, ELFMAG, SELFMAG) != 0) {
     return;
   }
-  int fd = open("/proc/self/exe", O_RDONLY);
+  int fd = SaferOpen("/proc/self/exe", O_RDONLY);
   if (fd == -1) {
     return;
   }
@@ -1362,15 +1397,15 @@ static void MaybeOpenFdFromSelfExe(ObjFile *obj) {
 
 static bool MaybeInitializeObjFile(ObjFile *obj) {
   if (obj->fd < 0) {
-    obj->fd = open(obj->filename, O_RDONLY);
+    obj->fd = SaferOpen(obj->filename, O_RDONLY);
 
     if (obj->fd < 0) {
       // Getting /proc/self/exe here means that we were hinted.
       if (strcmp(obj->filename, "/proc/self/exe") == 0) {
         // /proc/self/exe may be inaccessible (due to setuid, etc.), so try
         // accessing the binary via argv0.
         if (argv0_value != nullptr) {
-          obj->fd = open(argv0_value, O_RDONLY);
+          obj->fd = SaferOpen(argv0_value, O_RDONLY);
         }
       } else {
         MaybeOpenFdFromSelfExe(obj);
