ClickHouse/base/harmful/harmful.c

292 lines
6.4 KiB
C
Raw Normal View History

2020-12-21 00:35:43 +00:00
/** This library provides runtime instrumentation (hardening)
* that ensures no "harmful" functions from libc are called
* (by terminating the program immediately).
*/
2020-12-21 00:36:18 +00:00
/// It is only enabled in debug build (its intended use is for CI checks).
2020-12-21 00:35:43 +00:00
#if !defined(NDEBUG)
2024-03-03 23:11:55 +00:00
#pragma clang diagnostic ignored "-Wincompatible-library-redeclaration"
2020-10-26 01:54:35 +00:00
2020-12-21 00:35:43 +00:00
/// We cannot use libc headers here.
2020-12-21 00:22:07 +00:00
long write(int, const void *, unsigned long);
#define TRAP(func) void func() { write(2, #func "\n", __builtin_strlen(#func) + 1); __builtin_trap(); }
2020-10-26 01:54:35 +00:00
/// Trap all non thread-safe functions:
/// nm -D /lib/x86_64-linux-gnu/{libc.so.6,libdl.so.2,libm.so.6,libpthread.so.0,librt.so.1,libnss_dns.so.2,libresolv.so.2} | grep -P '_r@?$' | awk '{ print $3 }' | sed -r -e 's/_r//' | grep -vP '^_'
2020-12-17 18:39:04 +00:00
/// See also https://reviews.llvm.org/D90944
2020-12-21 00:35:43 +00:00
/// You can edit this list and even comment out some functions.
/// The only purpose of the library is to force you to pay attention.
2020-12-17 18:39:04 +00:00
TRAP(argp_error)
TRAP(argp_help)
TRAP(argp_parse)
TRAP(argp_state_help)
TRAP(argp_usage)
2020-10-26 01:54:35 +00:00
TRAP(asctime)
2020-12-17 18:39:04 +00:00
TRAP(clearenv)
2023-04-28 18:54:18 +00:00
// Redefined at contrib/libbcrypt/crypt_blowfish/wrapper.c:186
// TRAP(crypt)
2020-10-26 01:54:35 +00:00
TRAP(ctime)
2020-12-17 18:39:04 +00:00
TRAP(cuserid)
2020-10-26 01:54:35 +00:00
TRAP(drand48)
TRAP(ecvt)
2020-12-17 18:39:04 +00:00
TRAP(encrypt)
TRAP(endfsent)
TRAP(endgrent)
TRAP(endhostent)
TRAP(endnetent)
TRAP(endnetgrent)
TRAP(endprotoent)
TRAP(endpwent)
TRAP(endservent)
TRAP(endutent)
TRAP(endutxent)
2020-10-26 01:54:35 +00:00
TRAP(erand48)
2020-12-17 18:39:04 +00:00
TRAP(error_at_line)
2020-12-21 21:03:02 +00:00
///TRAP(exit)
2020-12-17 18:39:04 +00:00
TRAP(fcloseall)
2020-10-26 01:54:35 +00:00
TRAP(fcvt)
TRAP(fgetgrent)
TRAP(fgetpwent)
2020-12-17 18:39:04 +00:00
TRAP(gammal)
TRAP(getchar_unlocked)
2020-10-26 01:54:35 +00:00
TRAP(getdate)
2020-12-17 18:39:04 +00:00
TRAP(getfsent)
TRAP(getfsfile)
TRAP(getfsspec)
2020-10-26 01:54:35 +00:00
TRAP(getgrent)
2020-12-17 18:39:04 +00:00
TRAP(getgrent_r)
2020-10-26 01:54:35 +00:00
TRAP(getgrgid)
TRAP(getgrnam)
TRAP(gethostbyaddr)
TRAP(gethostbyname)
2020-12-17 18:39:04 +00:00
TRAP(gethostbyname2)
2020-10-26 01:54:35 +00:00
TRAP(gethostent)
TRAP(getlogin)
TRAP(getmntent)
TRAP(getnetbyaddr)
TRAP(getnetbyname)
TRAP(getnetent)
TRAP(getnetgrent)
2020-12-17 18:39:04 +00:00
TRAP(getnetgrent_r)
TRAP(getopt)
TRAP(getopt_long)
TRAP(getopt_long_only)
TRAP(getpass)
2020-10-26 01:54:35 +00:00
TRAP(getprotobyname)
TRAP(getprotobynumber)
TRAP(getprotoent)
TRAP(getpwent)
2020-12-17 18:39:04 +00:00
TRAP(getpwent_r)
2020-10-26 01:54:35 +00:00
TRAP(getpwnam)
TRAP(getpwuid)
TRAP(getservbyname)
TRAP(getservbyport)
TRAP(getservent)
TRAP(getutent)
2020-12-17 18:39:04 +00:00
TRAP(getutent_r)
2020-10-26 01:54:35 +00:00
TRAP(getutid)
2020-12-17 18:39:04 +00:00
TRAP(getutid_r)
2020-10-26 01:54:35 +00:00
TRAP(getutline)
2020-12-17 18:39:04 +00:00
TRAP(getutline_r)
TRAP(getutxent)
TRAP(getutxid)
TRAP(getutxline)
TRAP(getwchar_unlocked)
//TRAP(glob)
//TRAP(glob64)
2020-10-26 01:54:35 +00:00
TRAP(gmtime)
TRAP(hcreate)
TRAP(hdestroy)
TRAP(hsearch)
2020-12-17 18:39:04 +00:00
TRAP(innetgr)
2020-10-26 01:54:35 +00:00
TRAP(jrand48)
2020-12-17 18:39:04 +00:00
TRAP(l64a)
2020-10-26 01:54:35 +00:00
TRAP(lcong48)
2020-12-17 18:39:04 +00:00
TRAP(lgammafNx)
TRAP(localeconv)
2020-10-26 01:54:35 +00:00
TRAP(localtime)
2020-12-17 18:39:04 +00:00
TRAP(login)
TRAP(login_tty)
TRAP(logout)
TRAP(logwtmp)
2020-10-26 01:54:35 +00:00
TRAP(lrand48)
2020-12-17 18:39:04 +00:00
TRAP(mallinfo)
2021-01-20 11:12:33 +00:00
#if !defined(SANITIZER)
TRAP(mallopt) // Used by tsan
#endif
2020-12-17 18:39:04 +00:00
TRAP(mblen)
TRAP(mbrlen)
TRAP(mbrtowc)
TRAP(mbsnrtowcs)
TRAP(mbsrtowcs)
2020-12-21 00:22:07 +00:00
//TRAP(mbtowc) // Used by Standard C++ library
2020-12-17 18:39:04 +00:00
TRAP(mcheck)
TRAP(mprobe)
2020-10-26 01:54:35 +00:00
TRAP(mrand48)
2020-12-17 18:39:04 +00:00
TRAP(mtrace)
TRAP(muntrace)
2020-10-26 01:54:35 +00:00
TRAP(nrand48)
2020-12-17 18:39:04 +00:00
TRAP(__ppc_get_timebase_freq)
2020-10-26 01:54:35 +00:00
TRAP(ptsname)
2020-12-17 18:39:04 +00:00
TRAP(putchar_unlocked)
TRAP(putenv)
TRAP(pututline)
TRAP(pututxline)
TRAP(putwchar_unlocked)
2020-10-26 01:54:35 +00:00
TRAP(qecvt)
TRAP(qfcvt)
2020-12-17 18:39:04 +00:00
TRAP(register_printf_function)
2020-10-26 01:54:35 +00:00
TRAP(seed48)
//TRAP(setenv)
2020-12-17 18:39:04 +00:00
TRAP(setfsent)
TRAP(setgrent)
TRAP(sethostent)
TRAP(sethostid)
TRAP(setkey)
2020-12-21 00:22:07 +00:00
//TRAP(setlocale) // Used by replxx at startup
2020-12-17 18:39:04 +00:00
TRAP(setlogmask)
TRAP(setnetent)
TRAP(setnetgrent)
TRAP(setprotoent)
TRAP(setpwent)
TRAP(setservent)
TRAP(setutent)
TRAP(setutxent)
TRAP(siginterrupt)
TRAP(sigpause)
2020-12-21 21:03:02 +00:00
//TRAP(sigprocmask)
2020-12-17 18:39:04 +00:00
TRAP(sigsuspend)
TRAP(sleep)
2020-10-26 01:54:35 +00:00
TRAP(srand48)
2020-12-21 00:22:07 +00:00
//TRAP(strerror) // Used by RocksDB and many other libraries, unfortunately.
2021-01-08 05:09:30 +00:00
//TRAP(strsignal) // This function is imported from Musl and is thread safe.
2020-10-26 01:54:35 +00:00
TRAP(strtok)
2020-12-17 18:39:04 +00:00
TRAP(tcflow)
TRAP(tcsendbreak)
2020-10-26 01:54:35 +00:00
TRAP(tmpnam)
TRAP(ttyname)
2020-12-17 18:39:04 +00:00
TRAP(unsetenv)
TRAP(updwtmp)
TRAP(utmpname)
TRAP(utmpxname)
//TRAP(valloc)
TRAP(vlimit)
2020-12-21 00:28:19 +00:00
//TRAP(wcrtomb) // Used by Standard C++ library
2020-12-17 18:39:04 +00:00
TRAP(wcsnrtombs)
TRAP(wcsrtombs)
TRAP(wctomb)
TRAP(basename)
TRAP(catgets)
TRAP(dbm_clearerr)
TRAP(dbm_close)
TRAP(dbm_delete)
TRAP(dbm_error)
TRAP(dbm_fetch)
TRAP(dbm_firstkey)
TRAP(dbm_nextkey)
TRAP(dbm_open)
TRAP(dbm_store)
TRAP(dirname)
2021-12-22 18:54:29 +00:00
// TRAP(dlerror) // It is not thread-safe. But it is used by dynamic linker to load some name resolution plugins. Also used by TSan.
/// Note: we should better get rid of glibc, dynamic linking and all that sort of annoying garbage altogether.
2020-12-17 18:39:04 +00:00
TRAP(ftw)
TRAP(getc_unlocked)
2020-12-21 00:22:07 +00:00
//TRAP(getenv) // Ok at program startup
2020-12-17 18:39:04 +00:00
TRAP(inet_ntoa)
TRAP(lgamma)
TRAP(lgammaf)
TRAP(lgammal)
TRAP(nftw)
TRAP(nl_langinfo)
TRAP(putc_unlocked)
TRAP(rand)
2020-12-21 00:22:07 +00:00
/** In the current POSIX.1 specification (POSIX.1-2008), readdir() is not required to be thread-safe. However, in modern
* implementations (including the glibc implementation), concurrent calls to readdir() that specify different directory streams
* are thread-safe. In cases where multiple threads must read from the same directory stream, using readdir() with external
* synchronization is still preferable to the use of the deprecated readdir_r(3) function. It is expected that a future
* version of POSIX.1 will require that readdir() be thread-safe when concurrently employed on different directory streams.
* - man readdir
*/
//TRAP(readdir)
2020-12-17 18:39:04 +00:00
TRAP(system)
TRAP(wcstombs)
TRAP(ether_aton)
TRAP(ether_ntoa)
TRAP(fgetsgent)
TRAP(fgetspent)
TRAP(getaliasbyname)
TRAP(getaliasent)
TRAP(getrpcbyname)
TRAP(getrpcbynumber)
TRAP(getrpcent)
TRAP(getsgent)
TRAP(getsgnam)
TRAP(getspent)
TRAP(getspnam)
TRAP(initstate)
TRAP(random)
TRAP(setstate)
TRAP(sgetsgent)
TRAP(sgetspent)
TRAP(srandom)
2020-10-26 01:54:35 +00:00
TRAP(twalk)
TRAP(lgammaf128)
TRAP(lgammaf32)
TRAP(lgammaf32x)
TRAP(lgammaf64)
TRAP(lgammaf64x)
2020-12-21 00:35:43 +00:00
2021-12-22 19:06:06 +00:00
/// These functions are unused by ClickHouse and we should be aware if they are accidentally get used.
2021-12-22 18:54:29 +00:00
/// Sometimes people report that these function contain vulnerabilities (these reports are bogus for ClickHouse).
TRAP(mq_close)
TRAP(mq_getattr)
TRAP(mq_setattr)
TRAP(mq_notify)
TRAP(mq_open)
TRAP(mq_receive)
TRAP(mq_send)
TRAP(mq_unlink)
TRAP(mq_timedsend)
TRAP(mq_timedreceive)
/// These functions are also unused by ClickHouse.
TRAP(wordexp)
TRAP(wordfree)
2022-06-15 17:54:46 +00:00
/// C11 threading primitives are not supported by ThreadSanitizer.
/// Also we should avoid using them for compatibility with old libc.
TRAP(thrd_create)
TRAP(thrd_equal)
TRAP(thrd_current)
TRAP(thrd_sleep)
TRAP(thrd_yield)
TRAP(thrd_exit)
TRAP(thrd_detach)
TRAP(thrd_join)
TRAP(mtx_init)
TRAP(mtx_lock)
TRAP(mtx_timedlock)
TRAP(mtx_trylock)
TRAP(mtx_unlock)
TRAP(mtx_destroy)
TRAP(call_once)
TRAP(cnd_init)
TRAP(cnd_signal)
TRAP(cnd_broadcast)
TRAP(cnd_wait)
TRAP(cnd_timedwait)
TRAP(cnd_destroy)
TRAP(tss_create)
TRAP(tss_get)
TRAP(tss_set)
TRAP(tss_delete)
2020-12-21 00:35:43 +00:00
#endif