Merge pull request #41429 from ClickHouse/forbid-dlopen-2

Forbid invocations of `dlopen`
2024-11-10 09:32:06 +00:00 · 2022-09-18 07:05:56 +03:00 · 2022-09-18 07:05:56 +03:00 · 32efe6952e
commit 32efe6952e
parent c8c728e740 25dfbba8dd
2 changed files with 39 additions and 1 deletions
--- a/programs/main.cpp
+++ b/programs/main.cpp
@ -402,6 +402,36 @@ void checkHarmfulEnvironmentVariables(char ** argv)
 }


+/// Don't allow dlopen in the main ClickHouse binary, because it is harmful and insecure.
+/// We don't use it. But it can be used by some libraries for implementation of "plugins".
+/// We absolutely discourage the ancient technique of loading
+/// 3rd-party uncontrolled dangerous libraries into the process address space,
+/// because it is insane.
+
+extern "C"
+{
+    void * dlopen(const char *, int)
+    {
+        return nullptr;
+    }
+
+    void * dlmopen(long, const char *, int) // NOLINT
+    {
+        return nullptr;
+    }
+
+    int dlclose(void *)
+    {
+        return 0;
+    }
+
+    const char * dlerror()
+    {
+        return "ClickHouse does not allow dynamic library loading";
+    }
+}
+
+
 /// This allows to implement assert to forbid initialization of a class in static constructors.
 /// Usage:
 ///
--- a/src/Functions/trap.cpp
+++ b/src/Functions/trap.cpp
@ -14,6 +14,7 @@
 #include <cstdlib>
 #include <unistd.h>
 #include <sys/mman.h>
+#include <dlfcn.h>


 namespace DB
@ -25,6 +26,7 @@ namespace ErrorCodes
    extern const int ILLEGAL_TYPE_OF_ARGUMENT;
    extern const int BAD_ARGUMENTS;
    extern const int CANNOT_ALLOCATE_MEMORY;
+    extern const int CANNOT_DLOPEN;
 }


@ -136,7 +138,7 @@ public:
            }
            else if (mode == "access context")
            {
-                (void)context.getCurrentQueryId();
+                (void)context->getCurrentQueryId();
            }
            else if (mode == "stack overflow")
            {
@ -166,6 +168,12 @@ public:
                    maps.push_back(map);
                }
            }
+            else if (mode == "dlopen")
+            {
+                void * handle = dlopen("libc.so.6", RTLD_NOW);
+                if (!handle)
+                    throw Exception(ErrorCodes::CANNOT_DLOPEN, "Cannot dlopen: ({})", dlerror()); // NOLINT(concurrency-mt-unsafe) // MT-Safe on Linux, see man dlerror
+            }
            else
                throw Exception("Unknown trap mode", ErrorCodes::BAD_ARGUMENTS);
        }