Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Load dependencies by name #1594

Open
wants to merge 20 commits into
base: master
Choose a base branch
from
Open

Conversation

aleksei-fedotov
Copy link
Contributor

Description

This PR applies RFC:

  • Signatures of loaded modules are verified.
  • There is possibility to load by module name instead of specifying full path
  • Changes loading of Thread Composability Manager by module name

Fixes # - issue number(s) if exists

Type of change

Choose one or multiple, leave empty if none of the other choices apply

Add a respective label(s) to PR if you have permissions

  • bug fix - change that fixes an issue
  • new feature - change that adds functionality
  • tests - change in tests
  • infrastructure - change in infrastructure and CI
  • documentation - documentation update

Tests

  • added - required for new features and some bug fixes
  • not needed

Documentation

  • updated in # - add PR number
  • needs to be updated
  • not needed

Breaks backward compatibility

  • Yes
  • No
  • Unknown

Notify the following users

List users with @ to send notifications

Other information

@aleksei-fedotov aleksei-fedotov marked this pull request as ready for review January 8, 2025 16:11
@aleksei-fedotov aleksei-fedotov requested review from pavelkumbrasev and removed request for pavelkumbrasev January 8, 2025 16:11
CMakeLists.txt Outdated
message(WARNING
"Dependency signature verification during dynamic run-time linking is disabled. This may "
"lead to security vulnerabilities. It is recommended to leave it enabled in production "
"environment. Unset TBB_VERIFY_DEPENDENCY_SIGNATURE or set it ON to enable it again.")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will unsetting TBB_VERIFY_DEPENDENCY_SIGNATURE not disable it instead? Did you mean "Set TBB_VERIFY_DEPENDENCY_SIGNATURE ..."

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I clarified the messaging.

error = va_arg(args, dlerr_t);
// TODO: Use fprintf_s once dynamic link functionality is extracted into a separate
// module (e.g., a static library)
std::fprintf(stdout, "%s The module \"%s\" was not loaded because it was not found. "
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please look up and use the more secured version fprintf_s

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

case dl_sys_fail:
str = va_arg(args, const char*);
error = va_arg(args, dlerr_t);
std::fprintf(stdout, "oneTBB: A call to \"%s\" failed with error " DLERROR_SPECIFIER
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and all other locations of fprintf

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

}

va_end(args);
} // library_warning
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a case that covers a certificate that has expired?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please see comments in this conversation

DYNAMIC_LINK_WARNING( dl_sig_other_error, filepath, retval);
break;
}
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Similar here: Is the case for an expired certificate covered somewhere?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is covered by untrusted root case as the whole chain of certificates is checked.

}

bool has_valid_signature(const char* filepath, const std::size_t length) {
__TBB_ASSERT_EX(length <= PATH_MAX, "Too small buffer for path conversion");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is minor:
Is length too small when it is equal to PATH_MAX? (Maybe length < PATH_MAX)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is just enough as it includes the null-terminating character.

else()
set(TBB_COMPILER_MACRO_SWITCH -D)
endif()
set(TBB_LIB_COMPILE_FLAGS ${TBB_LIB_COMPILE_FLAGS} ${TBB_COMPILER_MACRO_SWITCH}__TBB_VERIFY_DEPENDENCY_SIGNATURE)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can target_compile_definitions be used instead?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Of course! Thanks! Implemented.

pWVTData.dwProvFlags = WTD_CACHE_ONLY_URL_RETRIEVAL | WTD_REVOCATION_CHECK_CHAIN;
pWVTData.dwUIContext = WTD_UICONTEXT_EXECUTE; // UI Context to run the file

const auto rc = WinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &pgActionID, &pWVTData);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Better to use LONG instead of auto to prevent ambiguity and unintended typecasting when doing comparisons later with the return code from WinVerifyTrust

Copy link
Contributor

@egfefey egfefey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From the security standpoint, this is good for now.
A few notes:

  • This is still up for discussion but anything beside ERROR_SUCCESS from WinVerifyTrust should result in an error instead of a warning sometimes. The user always has to option to turn off signature verification if they want, so once it's on, it's either success or failure.
  • Might also need review from the TBB team.
  • If there are some testing results that we can share, that will be great.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants