[hotfix] Security fixes for MLE

PullRequest: graalpython/252

Author: timfel

graalpython/com.oracle.graal.python.test/src/tests/cpyext/__init__.py

@@ -71,6 +71,12 @@ def setUp(self):
 
 
 def ccompile(self, name):
+    if getattr(sys, "graal_python_opaque_filesystem", False):
+        # distutils won't fully work with an opaque filesystem,
+        # because we cannot read bytes from files and manipulate
+        # them. We hope the code was already compiled.
+        return
+
     from distutils.core import setup, Extension
     source_file = '%s/%s.c' % (__dir__, name)
     file_not_empty(source_file)
@@ -459,7 +465,7 @@ def CPyExtType(name, code, **kwargs):
         {nb_inplace_matrix_multiply},
     """ if sys.version_info.minor >= 6 else "") + """
     }};
-    
+
     static struct PyMethodDef {name}_methods[] = {{
         {tp_methods},
         {{NULL, NULL, 0, NULL}}

graalpython/com.oracle.graal.python.test/src/tests/cpyext/test_err.py

@@ -152,23 +152,24 @@ def compile_module(self, name):
         cmpfunc=unhandled_error_compare
     )
 
-    test_PyErr_PrintEx = CPyExtFunction(
-        lambda args: None,
-        lambda: (
-            (True,),
-        ),
-        code="""PyObject* wrap_PyErr_PrintEx(int n) {
-            PyErr_SetString(PyExc_KeyError, "unknown key whatsoever");
-            PyErr_PrintEx(n);
-            return Py_None;
-        }
-        """,
-        resultspec="O",
-        argspec='i',
-        arguments=["int n"],
-        callfunction="wrap_PyErr_PrintEx",
-        cmpfunc=unhandled_error_compare
-    )
+    if not getattr(sys, "graal_python_opaque_filesystem", False):
+        test_PyErr_PrintEx = CPyExtFunction(
+            lambda args: None,
+            lambda: (
+                (True,),
+            ),
+            code="""PyObject* wrap_PyErr_PrintEx(int n) {
+                 PyErr_SetString(PyExc_KeyError, "unknown key whatsoever");
+                 PyErr_PrintEx(n);
+                 return Py_None;
+             }
+             """,
+            resultspec="O",
+            argspec='i',
+            arguments=["int n"],
+            callfunction="wrap_PyErr_PrintEx",
+            cmpfunc=unhandled_error_compare
+        )
 
     test_PyErr_GivenExceptionMatches = CPyExtFunction(
         _reference_givenexceptionmatches,
@@ -266,16 +267,17 @@ def compile_module(self, name):
         cmpfunc=unhandled_error_compare
     )
 
-    test_PyErr_WarnEx = CPyExtFunctionVoid(
-        lambda args: warnings.warn(args[1], args[0], args[2]),
-        lambda: (
-            (UserWarning, "custom warning", 1),
-        ),
-        resultspec="O",
-        argspec='Osn',
-        arguments=["PyObject* category", "char* msg", "Py_ssize_t level"],
-        cmpfunc=unhandled_error_compare
-    )
+    if not getattr(sys, "graal_python_opaque_filesystem", False):
+        test_PyErr_WarnEx = CPyExtFunctionVoid(
+            lambda args: warnings.warn(args[1], args[0], args[2]),
+            lambda: (
+                (UserWarning, "custom warning", 1),
+            ),
+            resultspec="O",
+            argspec='Osn',
+            arguments=["PyObject* category", "char* msg", "Py_ssize_t level"],
+            cmpfunc=unhandled_error_compare
+        )
 
     test_PyErr_NoMemory = CPyExtFunctionVoid(
         _reference_nomemory,

graalpython/com.oracle.graal.python.test/src/tests/test_pyio.py

@@ -176,3 +176,11 @@ def test_builtin_open():
         unlink(file_name)
 
     assert success
+
+
+import sys
+if getattr(sys, "graal_python_opaque_filesystem", False):
+    # this cannot possibly work with opaque files
+    for k in globals():
+        if k.startswith("test_"):
+            del globals()[k]

graalpython/com.oracle.graal.python/src/com/oracle/graal/python/PythonLanguage.java

@@ -74,7 +74,6 @@
 import com.oracle.truffle.api.TruffleFile;
 import com.oracle.truffle.api.TruffleLanguage;
 import com.oracle.truffle.api.TruffleLogger;
-import com.oracle.truffle.api.TruffleOptions;
 import com.oracle.truffle.api.debug.DebuggerTags;
 import com.oracle.truffle.api.frame.Frame;
 import com.oracle.truffle.api.frame.MaterializedFrame;
@@ -107,7 +106,6 @@ public final class PythonLanguage extends TruffleLanguage<PythonContext> {
 
     public Assumption singleContextAssumption = Truffle.getRuntime().createAssumption("Only a single context is active");
 
-    @CompilationFinal private boolean nativeBuildTime = TruffleOptions.AOT;
     private final NodeFactory nodeFactory;
     public final ConcurrentHashMap<Class<? extends PythonBuiltinBaseNode>, RootCallTarget> builtinCallTargetCache = new ConcurrentHashMap<>();
 
@@ -130,7 +128,6 @@ protected void finalizeContext(PythonContext context) {
 
     @Override
     protected boolean patchContext(PythonContext context, Env newEnv) {
-        nativeBuildTime = false; // now we're running
         ensureHomeInOptions(newEnv);
         PythonCore.writeInfo("Using preinitialized context.");
         context.patch(newEnv);
@@ -458,10 +455,6 @@ private static Source newSource(PythonContext ctxt, SourceBuilder srcBuilder, St
         return newBuilder.build();
     }
 
-    public boolean isNativeBuildTime() {
-        return nativeBuildTime;
-    }
-
     @Override
     protected void initializeMultipleContexts() {
         super.initializeMultipleContexts();

graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/Python3Core.java

@@ -42,6 +42,8 @@
 import java.util.ServiceLoader;
 import java.util.function.Supplier;
 
+import org.graalvm.nativeimage.ImageInfo;
+
 import com.oracle.graal.python.PythonLanguage;
 import com.oracle.graal.python.builtins.modules.ArrayModuleBuiltins;
 import com.oracle.graal.python.builtins.modules.AstModuleBuiltins;
@@ -144,8 +146,8 @@
 import com.oracle.truffle.api.CompilerDirectives.TruffleBoundary;
 import com.oracle.truffle.api.RootCallTarget;
 import com.oracle.truffle.api.TruffleFile;
-import com.oracle.truffle.api.TruffleLanguage.Env;
 import com.oracle.truffle.api.TruffleOptions;
+import com.oracle.truffle.api.TruffleLanguage.Env;
 import com.oracle.truffle.api.nodes.Node;
 import com.oracle.truffle.api.nodes.RootNode;
 import com.oracle.truffle.api.source.Source;
@@ -359,7 +361,7 @@ private void initializePythonCore() {
 
     @Override
     public void postInitialize() {
-        if (!getLanguage().isNativeBuildTime()) {
+        if (!TruffleOptions.AOT || ImageInfo.inImageRuntimeCode()) {
             initialized = false;
 
             loadFile(__BUILTINS_PATCHES__, PythonCore.getCoreHomeOrFail());

graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/modules/BuiltinFunctions.java

@@ -82,6 +82,7 @@
 import com.oracle.graal.python.builtins.objects.PNone;
 import com.oracle.graal.python.builtins.objects.PNotImplemented;
 import com.oracle.graal.python.builtins.objects.bytes.BytesNodes;
+import com.oracle.graal.python.builtins.objects.bytes.OpaqueBytes;
 import com.oracle.graal.python.builtins.objects.bytes.PBytes;
 import com.oracle.graal.python.builtins.objects.bytes.PIBytesLike;
 import com.oracle.graal.python.builtins.objects.cell.PCell;
@@ -601,6 +602,12 @@ Object compile(PBytes source, String filename, String mode, Object kwFlags, Obje
             return compile(new String(toBytesNode.execute(source)), filename, mode, kwFlags, kwDontInherit, kwOptimize);
         }
 
+        @Specialization
+        @TruffleBoundary
+        Object compile(OpaqueBytes source, String filename, String mode, Object kwFlags, Object kwDontInherit, Object kwOptimize) {
+            return compile(new String(source.getBytes()), filename, mode, kwFlags, kwDontInherit, kwOptimize);
+        }
+
         @SuppressWarnings("unused")
         @Specialization
         @TruffleBoundary

graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/modules/PosixModuleBuiltins.java

@@ -66,6 +66,7 @@
 import com.oracle.graal.python.builtins.modules.PosixModuleBuiltinsFactory.ConvertPathlikeObjectNodeGen;
 import com.oracle.graal.python.builtins.modules.PosixModuleBuiltinsFactory.StatNodeFactory;
 import com.oracle.graal.python.builtins.objects.PNone;
+import com.oracle.graal.python.builtins.objects.bytes.OpaqueBytes;
 import com.oracle.graal.python.builtins.objects.bytes.PByteArray;
 import com.oracle.graal.python.builtins.objects.bytes.PBytes;
 import com.oracle.graal.python.builtins.objects.bytes.PIBytesLike;
@@ -100,6 +101,7 @@
 import com.oracle.truffle.api.dsl.NodeFactory;
 import com.oracle.truffle.api.dsl.Specialization;
 import com.oracle.truffle.api.dsl.TypeSystemReference;
+import com.oracle.truffle.api.frame.VirtualFrame;
 import com.oracle.truffle.api.profiles.ValueProfile;
 
 @CoreFunctions(defineModule = "posix")
@@ -263,8 +265,12 @@ public abstract static class CwdNode extends PythonBuiltinNode {
         @TruffleBoundary
         @Specialization
         String cwd() {
-            // TODO(fa) that should actually be retrieved from native code
-            return System.getProperty("user.dir");
+            if (getContext().isExecutableAccessAllowed()) {
+                // TODO(fa) that should actually be retrieved from native code
+                return System.getProperty("user.dir");
+            } else {
+                return "";
+            }
         }
 
     }
@@ -275,14 +281,16 @@ public abstract static class ChdirNode extends PythonBuiltinNode {
         @TruffleBoundary
         @Specialization
         PNone chdir(String spath) {
-            // TODO(fa) that should actually be set via native code
-            try {
-                if (Files.exists(Paths.get(spath))) {
-                    System.setProperty("user.dir", spath);
-                    return PNone.NONE;
+            if (getContext().isExecutableAccessAllowed()) {
+                // TODO(fa) that should actually be set via native code
+                try {
+                    if (Files.exists(Paths.get(spath))) {
+                        System.setProperty("user.dir", spath);
+                        return PNone.NONE;
+                    }
+                } catch (InvalidPathException e) {
+                    // fall through
                 }
-            } catch (InvalidPathException e) {
-                // fall through
             }
             throw raise(PythonErrorType.FileNotFoundError, "No such file or directory: '%s'", spath);
         }
@@ -795,22 +803,44 @@ public static WriteNode create() {
     @GenerateNodeFactory
     @TypeSystemReference(PythonArithmeticTypes.class)
     public abstract static class ReadNode extends PythonFileNode {
-        @Specialization
-        @TruffleBoundary
-        Object read(int fd, long requestedSize) {
+        @Specialization(guards = "readOpaque(frame)")
+        Object readOpaque(@SuppressWarnings("unused") VirtualFrame frame, int fd, @SuppressWarnings("unused") Object requestedSize) {
             SeekableByteChannel channel = getFileChannel(fd);
             try {
-                long size = Math.min(requestedSize, channel.size() - channel.position());
-                // cast below will always succeed, since requestedSize was an int,
-                // and must thus will always be smaller than a long that cannot be
-                // downcast
-                ByteBuffer dst = ByteBuffer.allocate((int) size);
-                getFileChannel(fd).read(dst);
-                return factory().createBytes(dst.array());
+                return new OpaqueBytes(doRead(channel, Integer.MAX_VALUE));
             } catch (IOException e) {
                 throw raise(OSError, e.getMessage());
             }
         }
+
+        @Specialization(guards = "!readOpaque(frame)")
+        Object read(@SuppressWarnings("unused") VirtualFrame frame, int fd, long requestedSize) {
+            SeekableByteChannel channel = getFileChannel(fd);
+            try {
+                byte[] array = doRead(channel, (int) requestedSize);
+                return factory().createBytes(array);
+            } catch (IOException e) {
+                throw raise(OSError, e.getMessage());
+            }
+        }
+
+        @TruffleBoundary
+        private static byte[] doRead(SeekableByteChannel channel, int requestedSize) throws IOException {
+            long size = Math.min(requestedSize, channel.size() - channel.position());
+            // cast below will always succeed, since requestedSize was an int,
+            // and must thus will always be smaller than a long that cannot be
+            // downcast
+            ByteBuffer dst = ByteBuffer.allocate((int) size);
+            channel.read(dst);
+            return dst.array();
+        }
+
+        /**
+         * @param frame - only used so the DSL sees this as a dynamic check
+         */
+        protected boolean readOpaque(VirtualFrame frame) {
+            return OpaqueBytes.isEnabled(getContext());
+        }
     }
 
     @Builtin(name = "isatty", fixedNumOfPositionalArgs = 1)
@@ -1026,6 +1056,9 @@ public void run() {
         @TruffleBoundary
         @Specialization
         int system(String cmd) {
+            if (!getContext().isExecutableAccessAllowed()) {
+                return -1;
+            }
             String[] command = new String[]{shell[0], shell[1], cmd};
             try {
                 Runtime rt = Runtime.getRuntime();

graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/modules/SysModuleBuiltins.java

@@ -104,7 +104,7 @@ public void initialize(PythonCore core) {
         builtinConstants.put("byteorder", ByteOrder.nativeOrder() == ByteOrder.LITTLE_ENDIAN ? "little" : "big");
         builtinConstants.put("copyright", LICENSE);
         builtinConstants.put("dont_write_bytecode", true);
-        if (TruffleOptions.AOT) {
+        if (TruffleOptions.AOT || !core.getContext().isExecutableAccessAllowed()) {
             // cannot set the path at this time since the binary is not yet known; will be patched
             // in the context
             builtinConstants.put("executable", PNone.NONE);
@@ -149,6 +149,7 @@ public void initialize(PythonCore core) {
         }));
         builtinConstants.put("graal_python_core_home", PythonOptions.getOption(core.getContext(), PythonOptions.CoreHome));
         builtinConstants.put("graal_python_stdlib_home", PythonOptions.getOption(core.getContext(), PythonOptions.StdLibHome));
+        builtinConstants.put("graal_python_opaque_filesystem", PythonOptions.getOption(core.getContext(), PythonOptions.OpaqueFilesystem));
         // the default values taken from JPython
         builtinConstants.put("float_info", core.factory().createTuple(new Object[]{
                         Double.MAX_VALUE,       // DBL_MAX

graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/bytes/BytesBuiltins.java

@@ -56,6 +56,7 @@
 import com.oracle.graal.python.builtins.objects.common.SequenceStorageNodes;
 import com.oracle.graal.python.builtins.objects.common.SequenceStorageNodes.NormalizeIndexNode;
 import com.oracle.graal.python.builtins.objects.iterator.PSequenceIterator;
+import com.oracle.graal.python.builtins.objects.list.PList;
 import com.oracle.graal.python.nodes.PNodeWithContext;
 import com.oracle.graal.python.nodes.function.PythonBuiltinBaseNode;
 import com.oracle.graal.python.nodes.function.PythonBuiltinNode;
@@ -295,7 +296,33 @@ public Object repr(PBytes self,
     @Builtin(name = "join", fixedNumOfPositionalArgs = 2)
     @GenerateNodeFactory
     public abstract static class JoinNode extends PythonBinaryBuiltinNode {
-        @Specialization
+        /**
+         * @param bytes - the parameter is used to force the DSL to make this a dynamic check
+         */
+        protected boolean readOpaque(PBytes bytes) {
+            return OpaqueBytes.isEnabled(getContext());
+        }
+
+        @Specialization(guards = {"readOpaque(bytes)"})
+        public Object join(PBytes bytes, PList iterable,
+                        @Cached("create()") SequenceStorageNodes.GetItemNode getItemNode,
+                        @Cached("create()") SequenceStorageNodes.LenNode lenNode,
+                        @Cached("create()") SequenceStorageNodes.ToByteArrayNode toByteArrayNode,
+                        @Cached("create()") BytesNodes.BytesJoinNode bytesJoinNode) {
+            int len = lenNode.execute(iterable.getSequenceStorage());
+            if (len == 1) {
+                // branch profiles aren't really needed, because of the specialization
+                // happening in the getItemNode on first execution and the assumption
+                // in OpaqueBytes.isInstance
+                Object firstItem = getItemNode.execute(iterable.getSequenceStorage(), 0);
+                if (OpaqueBytes.isInstance(firstItem)) {
+                    return firstItem;
+                }
+            }
+            return join(bytes, iterable, toByteArrayNode, bytesJoinNode);
+        }
+
+        @Specialization(guards = {"!readOpaque(bytes)"})
         public PBytes join(PBytes bytes, Object iterable,
                         @Cached("create()") SequenceStorageNodes.ToByteArrayNode toByteArrayNode,
                         @Cached("create()") BytesNodes.BytesJoinNode bytesJoinNode) {