Mercurial > dropbear

diff svr-main.c @ 1861:2b3a8026a6ce

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Add re-exec for server This allows ASLR to re-randomize the address space for every connection, preventing some vulnerabilities from being exploitable by repeated probing. Overhead (memory and time) is yet to be confirmed. At present this is only enabled on Linux. Other BSD platforms with fexecve() would probably also work though have not been tested.
author Matt Johnston <matt@ucc.asn.au>
date Sun, 30 Jan 2022 10:14:56 +0800
parents 6ea18ca8fc03
children adfcdfb161a4
line wrap: on
line diff
--- a/svr-main.c	Thu Jan 27 15:09:29 2022 +0800
+++ b/svr-main.c	Sun Jan 30 10:14:56 2022 +0800
@@ -35,12 +35,8 @@
 static void sigchld_handler(int dummy);
 static void sigsegv_handler(int);
 static void sigintterm_handler(int fish);
-#if INETD_MODE
 static void main_inetd(void);
-#endif
-#if NON_INETD_MODE
-static void main_noinetd(void);
-#endif
+static void main_noinetd(int argc, char ** argv);
 static void commonsetup(void);
 
 #if defined(DBMULTI_dropbear) || !DROPBEAR_MULTI
@@ -55,6 +51,10 @@
 
 	disallow_core();
 
+	if (argc < 1) {
+		dropbear_exit("Bad argc");
+	}
+
 	/* get commandline options */
 	svr_getopts(argc, argv);
 
@@ -66,8 +66,21 @@
 	}
 #endif
 
+#if DROPBEAR_DO_REEXEC
+	if (svr_opts.reexec_child) {
+#ifdef PR_SET_NAME
+		/* Fix the "Name:" in /proc/pid/status, otherwise it's
+		a FD number from fexecve.
+		Failure doesn't really matter, it's mostly aesthetic */
+		prctl(PR_SET_NAME, basename(argv[0]), 0, 0);
+#endif
+		main_inetd();
+		/* notreached */
+	}
+#endif
+
 #if NON_INETD_MODE
-	main_noinetd();
+	main_noinetd(argc, argv);
 	/* notreached */
 #endif
 
@@ -76,7 +89,7 @@
 }
 #endif
 
-#if INETD_MODE
+#if INETD_MODE || DROPBEAR_DO_REEXEC
 static void main_inetd() {
 	char *host, *port = NULL;
 
@@ -85,23 +98,18 @@
 
 	seedrandom();
 
-#if DEBUG_TRACE
-	if (debug_trace) {
-		/* -v output goes to stderr which would get sent over the inetd network socket */
-		dropbear_exit("Dropbear inetd mode is incompatible with debug -v");
-	}
-#endif
+	if (!svr_opts.reexec_child) {
+		/* In case our inetd was lax in logging source addresses */
+		get_socket_address(0, NULL, NULL, &host, &port, 0);
+			dropbear_log(LOG_INFO, "Child connection from %s:%s", host, port);
+		m_free(host);
+		m_free(port);
 
-	/* In case our inetd was lax in logging source addresses */
-	get_socket_address(0, NULL, NULL, &host, &port, 0);
-	dropbear_log(LOG_INFO, "Child connection from %s:%s", host, port);
-	m_free(host);
-	m_free(port);
-
-	/* Don't check the return value - it may just fail since inetd has
-	 * already done setsid() after forking (xinetd on Darwin appears to do
-	 * this */
-	setsid();
+		/* Don't check the return value - it may just fail since inetd has
+		 * already done setsid() after forking (xinetd on Darwin appears to do
+		 * this */
+		setsid();
+	}
 
 	/* Start service program 
 	 * -1 is a dummy childpipe, just something we can close() without 
@@ -113,7 +121,7 @@
 #endif /* INETD_MODE */
 
 #if NON_INETD_MODE
-static void main_noinetd() {
+static void main_noinetd(int argc, char ** argv) {
 	fd_set fds;
 	unsigned int i, j;
 	int val;
@@ -121,6 +129,7 @@
 	int listensocks[MAX_LISTEN_ADDR];
 	size_t listensockcount = 0;
 	FILE *pidfile = NULL;
+	int execfd = -1;
 
 	int childpipes[MAX_UNAUTH_CLIENTS];
 	char * preauth_addrs[MAX_UNAUTH_CLIENTS];
@@ -128,6 +137,9 @@
 	int childsock;
 	int childpipe[2];
 
+	(void)argc;
+	(void)argv;
+
 	/* Note: commonsetup() must happen before we daemon()ise. Otherwise
 	   daemon() will chdir("/"), and we won't be able to find local-dir
 	   hostkeys. */
@@ -138,7 +150,7 @@
 		childpipes[i] = -1;
 	}
 	memset(preauth_addrs, 0x0, sizeof(preauth_addrs));
-	
+
 	/* Set up the listening sockets */
 	listensockcount = listensockets(listensocks, MAX_LISTEN_ADDR, &maxsock);
 	if (listensockcount == 0)
@@ -150,6 +162,14 @@
 		FD_SET(listensocks[i], &fds);
 	}
 
+#if DROPBEAR_DO_REEXEC
+	execfd = open(argv[0], O_CLOEXEC|O_RDONLY);
+	if (execfd < 0) {
+		/* Just fallback to straight fork */
+		TRACE(("Couldn't open own binary %s, disabling re-exec: %s", argv[0], strerror(errno)))
+	}
+#endif
+
 	/* fork */
 	if (svr_opts.forkbg) {
 		int closefds = 0;
@@ -181,7 +201,7 @@
 	for(;;) {
 
 		DROPBEAR_FD_ZERO(&fds);
-		
+
 		/* listening sockets */
 		for (i = 0; i < listensockcount; i++) {
 			FD_SET(listensocks[i], &fds);
@@ -201,7 +221,7 @@
 			unlink(svr_opts.pidfile);
 			dropbear_exit("Terminated by signal");
 		}
-		
+
 		if (val == 0) {
 			/* timeout reached - shouldn't happen. eh */
 			continue;
@@ -286,7 +306,7 @@
 			}
 
 			addrandom((void*)&fork_ret, sizeof(fork_ret));
-			
+
 			if (fork_ret > 0) {
 
 				/* parent */
@@ -316,6 +336,27 @@
 
 				m_close(childpipe[0]);
 
+				if (execfd >= 0) {
+#if DROPBEAR_DO_REEXEC
+					/* Add "-2" to the args and re-execute ourself */
+					char **new_argv = m_malloc(sizeof(char*) * (argc+1));
+					memcpy(new_argv, argv, sizeof(char*) * argc);
+					new_argv[argc] = "-2";
+
+					if ((dup2(childsock, STDIN_FILENO) < 0)) {
+						dropbear_exit("dup2 failed: %s", strerror(errno));
+					}
+					m_close(childsock);
+					/* Re-execute ourself */
+					fexecve(execfd, new_argv, environ);
+					/* Not reached on success */
+
+					/* Fall back on plain fork otherwise */
+					TRACE(("fexecve failed, disabling re-exec: %s", strerror(errno)))
+					m_free(new_argv);
+#endif /* DROPBEAR_DO_REEXEC */
+				}
+
 				/* start the session */
 				svr_session(childsock, childpipe[1]);
 				/* don't return */