This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lldb/source/Core/
-
source/
-
Core/
-
ModuleList.cpp
-
llvm/
-
include/llvm/Support/
-
llvm/
-
Support/
-
FileSystem.h
-
Path.h
-
lib/Support/
-
Support/
-
Path.cpp

Differential D82259

Deprecate error prone temporary directory APIs
AbandonedPublic

Authored by davezarzycki on Jun 20 2020, 8:23 AM.

Download Raw Diff

Details

Reviewers

compnerd
aprantl
jakehehrlich
• espindola
respindola
ilya-biryukov
pcc
sammccall

Summary

Naive usage of shared temporary directories in Unix is a classic security problem. Let's deprecate two APIs that enable unsafe code and encourage people to use createUniqueFile or createUniqueDirectory instead.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

davezarzycki created this revision.Jun 20 2020, 8:23 AM

Herald added a project: Restricted Project. · View Herald TranscriptJun 20 2020, 8:23 AM

Herald added subscribers: cfe-commits, hiraditya. · View Herald Transcript

Harbormaster failed remote builds in B61138: Diff 272260!Jun 20 2020, 8:27 AM

Hi Dave,

This is doing two things - changing the behavior of clang (where it stores its module cache) and deprecating an API. I'd recommend we start by focusing on whether the first part is the right thing to do, and just remove the API if this is the only client of it.

compnerd added inline comments.Jun 21 2020, 4:31 PM

clang/lib/Driver/ToolChains/Clang.cpp
3177 ↗	(On Diff #272260)	This default path is not ideal for Linux. On Linux, if we want to put this into the home directory, we should follow XDG and put this into the `~/.cache/org.llvm.clang/ModuleCache`, respecting the environment variable `XDG_CACHE_DIR`.

Sure, we can honor XDG_CACHE_DIR. Maybe as a followup, somebody can wire up Darwin's cache directory (which is retrievable via a BSD specific confstr() API with _CS_DARWIN_USER_CACHE_DIR). I'm not sure about other platforms.

I'll wait for more feedback before updating the patch.

In D82259#2106279, @davezarzycki wrote:

Sure, we can honor XDG_CACHE_DIR. Maybe as a followup, somebody can wire up Darwin's cache directory (which is retrievable via a BSD specific confstr() API with _CS_DARWIN_USER_CACHE_DIR). I'm not sure about other platforms.

I'll wait for more feedback before updating the patch.

llvm::sys::path::cache_directory exists, it doesn't do anything special on Darwin (though would be the right place), but it does handle windows.

I'm not sure what the original motivation for org.llvm.clang.$USER format was, but it doesn't seem to be worth carrying over vs $CONFIG/clang/ to me - clang is well-known enough to "own" the name and most tools don't seem to add reverse-domains to these paths.

Respect Darwin and XDG cache directories.
Drop atypical reverse DNS in the path.
Make clang more robust if the default module path cannot be determined.

Harbormaster failed remote builds in B61234: Diff 272434!Jun 22 2020, 8:35 AM

Thanks @davezarzycki! Minor nit: git-clang-format the patch please, there was at least one linter warning in the changed code.

I do wonder if we can get away with the removal of the API though doing that in a follow up is pretty reasonable to me.

I think that one minor change is needed for this - an entry in the release notes would be nice to indicate to users that the cache paths have changed. Its difficult to say if anyone is depending on it being in TMP, but it is a user visible change to the driver (though they still have control via -fmodules-cache-path).

aprantl added inline comments.Jun 22 2020, 9:27 AM

lib/Driver/ToolChains/Clang.cpp
3176 ↗	(On Diff #272434)	I would prefer to separate this out into its own patch. This is going to silently(!) break all sorts of scripts — for example many buildbots have a "clean module cache" action that searches for a directory with this name.

Moved clang specific changes to: https://reviews.llvm.org/D82362

Herald added a project: Restricted Project. · View Herald TranscriptJun 23 2020, 3:16 AM

Herald added a subscriber: lldb-commits. · View Herald Transcript

Harbormaster failed remote builds in B61362: Diff 272661!Jun 23 2020, 5:17 AM

Now that my core concern is addressed (moving clang's default module cache out of /tmp), I don't have the time to push for this deprecation. Sorry.

Revision Contents

Path

Size

lldb/

source/

Core/

ModuleList.cpp

4 lines

llvm/

include/

llvm/

Support/

FileSystem.h

6 lines

Path.h

5 lines

lib/

Support/

Path.cpp

60 lines

Diff 272661

lldb/source/Core/ModuleList.cpp

	//===-- ModuleList.cpp ----------------------------------------------------===//			//===-- ModuleList.cpp ----------------------------------------------------===//
	//			//
	// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.			// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
	// See https://llvm.org/LICENSE.txt for license information.			// See https://llvm.org/LICENSE.txt for license information.
	// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception			// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
	//			//
	//===----------------------------------------------------------------------===//			//===----------------------------------------------------------------------===//

	#include "lldb/Core/ModuleList.h"			#include "lldb/Core/ModuleList.h"
				Lint: Pre-merge checks Inline Actions clang-tidy: error: 'lldb/Core/ModuleList.h' file not found [clang-diagnostic-error] not useful Lint: Pre-merge checks: clang-tidy: error: 'lldb/Core/ModuleList.h' file not found [clang-diagnostic-error] [[https…
	#include "lldb/Core/FileSpecList.h"			#include "lldb/Core/FileSpecList.h"
	#include "lldb/Core/Module.h"			#include "lldb/Core/Module.h"
	#include "lldb/Core/ModuleSpec.h"			#include "lldb/Core/ModuleSpec.h"
	#include "lldb/Host/FileSystem.h"			#include "lldb/Host/FileSystem.h"
	#include "lldb/Interpreter/OptionValueFileSpec.h"			#include "lldb/Interpreter/OptionValueFileSpec.h"
	#include "lldb/Interpreter/OptionValueFileSpecList.h"			#include "lldb/Interpreter/OptionValueFileSpecList.h"
	#include "lldb/Interpreter/OptionValueProperties.h"			#include "lldb/Interpreter/OptionValueProperties.h"
	#include "lldb/Interpreter/Property.h"			#include "lldb/Interpreter/Property.h"
	▲ Show 20 Lines • Show All 59 Lines • ▼ Show 20 Lines
	ModuleListProperties::ModuleListProperties() {			ModuleListProperties::ModuleListProperties() {
	m_collection_sp =			m_collection_sp =
	std::make_shared<OptionValueProperties>(ConstString("symbols"));			std::make_shared<OptionValueProperties>(ConstString("symbols"));
	m_collection_sp->Initialize(g_modulelist_properties);			m_collection_sp->Initialize(g_modulelist_properties);
	m_collection_sp->SetValueChangedCallback(ePropertySymLinkPaths,			m_collection_sp->SetValueChangedCallback(ePropertySymLinkPaths,
	[this] { UpdateSymlinkMappings(); });			[this] { UpdateSymlinkMappings(); });

	llvm::SmallString<128> path;			llvm::SmallString<128> path;
	clang::driver::Driver::getDefaultModuleCachePath(path);			if (clang::driver::Driver::getDefaultModuleCachePath(path))
	SetClangModulesCachePath(path);			SetClangModulesCachePath(path);
	}			}

	bool ModuleListProperties::GetEnableExternalLookup() const {			bool ModuleListProperties::GetEnableExternalLookup() const {
	const uint32_t idx = ePropertyEnableExternalLookup;			const uint32_t idx = ePropertyEnableExternalLookup;
	return m_collection_sp->GetPropertyAtIndexAsBoolean(			return m_collection_sp->GetPropertyAtIndexAsBoolean(
	nullptr, idx, g_modulelist_properties[idx].default_uint_value != 0);			nullptr, idx, g_modulelist_properties[idx].default_uint_value != 0);
	}			}

	▲ Show 20 Lines • Show All 932 Lines • Show Last 20 Lines

llvm/include/llvm/Support/FileSystem.h

	Show First 20 Lines • Show All 794 Lines • ▼ Show 20 Lines
	/// in your model to ensure this. Each '%' gives 4-bits of entropy so you can			/// in your model to ensure this. Each '%' gives 4-bits of entropy so you can
	/// use 32 of them to get 128 bits of entropy.			/// use 32 of them to get 128 bits of entropy.
	///			///
	/// Example: clang-%%-%%-%%-%%-%%.s => clang-a0-b1-c2-d3-e4.s			/// Example: clang-%%-%%-%%-%%-%%.s => clang-a0-b1-c2-d3-e4.s
	///			///
	/// @param Model Name to base unique path off of.			/// @param Model Name to base unique path off of.
	/// @param ResultPath Set to the file's path.			/// @param ResultPath Set to the file's path.
	/// @param MakeAbsolute Whether to use the system temp directory.			/// @param MakeAbsolute Whether to use the system temp directory.
				LLVM_ATTRIBUTE_DEPRECATED(
	void createUniquePath(const Twine &Model, SmallVectorImpl<char> &ResultPath,			void createUniquePath(const Twine &Model, SmallVectorImpl<char> &ResultPath,
	bool MakeAbsolute);			bool MakeAbsolute),
				"Use createUniqueFile() or createUniqueDirectory()");

	/// Create a uniquely named file.			/// Create a uniquely named file.
	///			///
	/// Generates a unique path suitable for a temporary file and then opens it as a			/// Generates a unique path suitable for a temporary file and then opens it as a
	/// file. The name is based on \a Model with '%' replaced by a random char in			/// file. The name is based on \a Model with '%' replaced by a random char in
	/// [0-9a-f]. If \a Model is not an absolute path, the temporary file will be			/// [0-9a-f]. If \a Model is not an absolute path, the temporary file will be
	/// created in the current directory.			/// created in the current directory.
	///			///
	▲ Show 20 Lines • Show All 632 Lines • Show Last 20 Lines

llvm/include/llvm/Support/Path.h

	Show First 20 Lines • Show All 357 Lines • ▼ Show 20 Lines
	/// "/var/tmp" or "C:/TEMP"			/// "/var/tmp" or "C:/TEMP"
	///			///
	/// @param erasedOnReboot Whether to favor a path that is erased on reboot			/// @param erasedOnReboot Whether to favor a path that is erased on reboot
	/// rather than one that potentially persists longer. This parameter will be			/// rather than one that potentially persists longer. This parameter will be
	/// ignored if the user or system has set the typical environment variable			/// ignored if the user or system has set the typical environment variable
	/// (e.g., TEMP on Windows, TMPDIR on *nix) to specify a temporary directory.			/// (e.g., TEMP on Windows, TMPDIR on *nix) to specify a temporary directory.
	///			///
	/// @param result Holds the resulting path name.			/// @param result Holds the resulting path name.
	void system_temp_directory(bool erasedOnReboot, SmallVectorImpl<char> &result);			LLVM_ATTRIBUTE_DEPRECATED(
				void system_temp_directory(bool erasedOnReboot,
				SmallVectorImpl<char> &result),
				"Only meant for debugging due to trivial security problems");

	/// Get the user's home directory.			/// Get the user's home directory.
	///			///
	/// @param result Holds the resulting path name.			/// @param result Holds the resulting path name.
	/// @result True if a home directory is set, false otherwise.			/// @result True if a home directory is set, false otherwise.
	bool home_directory(SmallVectorImpl<char> &result);			bool home_directory(SmallVectorImpl<char> &result);

	/// Get the directory where installed packages should put their			/// Get the directory where installed packages should put their
	▲ Show 20 Lines • Show All 102 Lines • Show Last 20 Lines

llvm/lib/Support/Path.cpp

Show First 20 Lines • Show All 158 Lines • ▼ Show 20 Lines
} // end unnamed namespace		} // end unnamed namespace

enum FSEntity {		enum FSEntity {
FS_Dir,		FS_Dir,
FS_File,		FS_File,
FS_Name		FS_Name
};		};

		// Avoid a deprecation warning by moving the createUniquePath body here.
		static void _createUniquePath(const Twine &Model,
		Lint: Pre-merge checks Inline Actions clang-tidy: warning: invalid case style for function '_createUniquePath' [readability-identifier-naming] not useful Lint: Pre-merge checks: clang-tidy: warning: invalid case style for function '_createUniquePath' [readability…
		SmallVectorImpl<char> &ResultPath,
		bool MakeAbsolute) {
		SmallString<128> ModelStorage;
		Model.toVector(ModelStorage);

		if (MakeAbsolute) {
		// Make model absolute by prepending a temp directory if it's not already.
		if (!sys::path::is_absolute(Twine(ModelStorage))) {
		SmallString<128> TDir;
		#ifdef __clang__
		#pragma clang diagnostic push
		#pragma clang diagnostic ignored "-Wdeprecated-declarations"
		#endif
		sys::path::system_temp_directory(true, TDir);
		#ifdef __clang__
		#pragma clang diagnostic pop
		#endif
		sys::path::append(TDir, Twine(ModelStorage));
		ModelStorage.swap(TDir);
		}
		}

		ResultPath = ModelStorage;
		ResultPath.push_back(0);
		ResultPath.pop_back();

		// Replace '%' with random chars.
		for (unsigned i = 0, e = ModelStorage.size(); i != e; ++i) {
		Lint: Pre-merge checks Inline Actions clang-tidy: warning: invalid case style for variable 'i' [readability-identifier-naming] not useful clang-tidy: warning: invalid case style for variable 'e' [readability-identifier-naming] not useful Lint: Pre-merge checks: clang-tidy: warning: invalid case style for variable 'i' [readability-identifier-naming]…
		if (ModelStorage[i] == '%')
		ResultPath[i] = "0123456789abcdef"[sys::Process::GetRandomNumber() & 15];
		}
		}

static std::error_code		static std::error_code
createUniqueEntity(const Twine &Model, int &ResultFD,		createUniqueEntity(const Twine &Model, int &ResultFD,
SmallVectorImpl<char> &ResultPath, bool MakeAbsolute,		SmallVectorImpl<char> &ResultPath, bool MakeAbsolute,
unsigned Mode, FSEntity Type,		unsigned Mode, FSEntity Type,
sys::fs::OpenFlags Flags = sys::fs::OF_None) {		sys::fs::OpenFlags Flags = sys::fs::OF_None) {

// Limit the number of attempts we make, so that we don't infinite loop. E.g.		// Limit the number of attempts we make, so that we don't infinite loop. E.g.
// "permission denied" could be for a specific file (so we retry with a		// "permission denied" could be for a specific file (so we retry with a
// different name) or for the whole directory (retry would always fail).		// different name) or for the whole directory (retry would always fail).
// Checking which is racy, so we try a number of times, then give up.		// Checking which is racy, so we try a number of times, then give up.
std::error_code EC;		std::error_code EC;
for (int Retries = 128; Retries > 0; --Retries) {		for (int Retries = 128; Retries > 0; --Retries) {
sys::fs::createUniquePath(Model, ResultPath, MakeAbsolute);		_createUniquePath(Model, ResultPath, MakeAbsolute);
// Try to open + create the file.		// Try to open + create the file.
switch (Type) {		switch (Type) {
case FS_File: {		case FS_File: {
EC = sys::fs::openFileForReadWrite(Twine(ResultPath.begin()), ResultFD,		EC = sys::fs::openFileForReadWrite(Twine(ResultPath.begin()), ResultFD,
sys::fs::CD_CreateNew, Flags, Mode);		sys::fs::CD_CreateNew, Flags, Mode);
if (EC) {		if (EC) {
// errc::permission_denied happens on Windows when we try to open a file		// errc::permission_denied happens on Windows when we try to open a file
// that has been marked for deletion.		// that has been marked for deletion.
▲ Show 20 Lines • Show All 585 Lines • ▼ Show 20 Lines	std::error_code getUniqueID(const Twine Path, UniqueID &Result) {
if (EC)		if (EC)
return EC;		return EC;
Result = Status.getUniqueID();		Result = Status.getUniqueID();
return std::error_code();		return std::error_code();
}		}

void createUniquePath(const Twine &Model, SmallVectorImpl<char> &ResultPath,		void createUniquePath(const Twine &Model, SmallVectorImpl<char> &ResultPath,
bool MakeAbsolute) {		bool MakeAbsolute) {
SmallString<128> ModelStorage;		return _createUniquePath(Model, ResultPath, MakeAbsolute);
Model.toVector(ModelStorage);

if (MakeAbsolute) {
// Make model absolute by prepending a temp directory if it's not already.
if (!sys::path::is_absolute(Twine(ModelStorage))) {
SmallString<128> TDir;
sys::path::system_temp_directory(true, TDir);
sys::path::append(TDir, Twine(ModelStorage));
ModelStorage.swap(TDir);
}
}

ResultPath = ModelStorage;
ResultPath.push_back(0);
ResultPath.pop_back();

// Replace '%' with random chars.
for (unsigned i = 0, e = ModelStorage.size(); i != e; ++i) {
if (ModelStorage[i] == '%')
ResultPath[i] = "0123456789abcdef"[sys::Process::GetRandomNumber() & 15];
}
}		}

std::error_code createUniqueFile(const Twine &Model, int &ResultFd,		std::error_code createUniqueFile(const Twine &Model, int &ResultFd,
SmallVectorImpl<char> &ResultPath,		SmallVectorImpl<char> &ResultPath,
unsigned Mode) {		unsigned Mode) {
return createUniqueEntity(Model, ResultFd, ResultPath, false, Mode, FS_File);		return createUniqueEntity(Model, ResultFd, ResultPath, false, Mode, FS_File);
}		}

▲ Show 20 Lines • Show All 477 Lines • Show Last 20 Lines