Fixed: Abort execve() with a debug error if argv[0] length is >= 128 on Android < 6 instead of letting process fail post execve() without an error

agnostic-apollo · agnostic-apollo · commit 3d7eecac5556 · 2025-03-22T02:22:42.000+05:00
For Android `< 6`, the length must not be `>= 128` for the `argv[0]` string of an `execve()` call or library path of a `dlopen()` call. The `soinfo_alloc()` function in `linker.cpp` of Android `/system/bin/linker*` that loaded the `soinfo` of a library/executable had a `SOINFO_NAME_LEN=128` limit on the path/name passed to it before aae859cc, after which it was increased to `PATH_MAX`. Earlier, if path passed was `>= 128`, then `library name "<library_name>" too long` error would occur. Before dcaef371, the `__linker_init_post_relocation()` function also passed `argv[0]` as executable path to `soinfo_alloc()` function to load its `soinfo`, instead of the actual absolute path of the executable. So before aae859cc, if either length was `>= 128`, then the process would abort with exit code `1`. Note that the `execve()` call itself will not fail, failure occurs before `main()` is called. The limit also applies to the interpreter defined in scripts, as interpreter is passed as `argv[0]` during execution. Both fixes are only available in Android `>= 6`. For earlier versions like Android 5, the path for executables and libraries must be kept below the limit. However, for executables, to allow execution, the `argv[0]` can be shortened even if executable path is longer, or by first changing current working directory to executable's parent directory and then executing it with a relative path. See also `TERMUX__PREFIX_DIR___MAX_LEN`, `TERMUX__PREFIX__BIN_FILE___SAFE_MAX_LEN`, `FILE_HEADER__BINPRM_BUF_SIZE` and `TERMUX__FILE_HEADER__BUFFER_SIZE`. ``` LD_DEBUG=3 /data/data/com.termux/files/usr/libexec/installed-tests/termux-exec/lib/termux-exec_nos_c_tre/scripts/termux/api/termux_exec/ld_preload/direct/exec/files/print-args-binary arg1; echo $? 1 linker W [ android linker & debugger ] linker D DEBUG: library name "/data/data/com.termux/files/usr/libexec/installed-tests/termux-exec/lib/termux-exec_nos_c_tre/scripts/termux/api/termux_exec/ld_preload/direct/exec/files/print-args-binary" too long ``` ``` (exec -a print-args-binary /data/data/com.termux/files/usr/libexec/installed-tests/termux-exec/lib/termux-exec_nos_c_tre/scripts/termux/api/termux_exec/ld_preload/direct/exec/files/print-args-binary arg1); echo $? arg1 0 ``` ``` (cd /data/data/com.termux/files/usr/libexec/installed-tests/termux-exec/lib/termux-exec_nos_c_tre/scripts/termux/api/termux_exec/ld_preload/direct/exec/files && ./print-args-binary arg1); echo $? arg1 0 ``` - https://cs.android.com/android/_/android/platform/bionic/+/dcaef371 - https://cs.android.com/android/_/android/platform/bionic/+/aae859cc - termux/termux-app#213 Credits to @Grimler91 for finding that it was path length that was causing execution failure for binaries.
diff --git a/Makefile b/Makefile
@@ -201,6 +201,11 @@ override LIBTERMUX_EXEC__NOS__C__CPPFLAGS := \
 override LIBTERMUX_EXEC__NOS__C__TESTS_BUILD_OUTPUT_DIR := $(TESTS_BUILD_OUTPUT_DIR)/lib/termux-exec_nos_c_tre
 
 
+ifneq ($(LIBTERMUX_EXEC__NOS__C__EXECVE_CALL__CHECK_ARGV0_BUFFER_OVERFLOW),1)
+	override LIBTERMUX_EXEC__NOS__C__EXECVE_CALL__CHECK_ARGV0_BUFFER_OVERFLOW := 0
+endif
+
+
 
 override TERMUX_EXEC__MAIN_APP__TESTS_BUILD_OUTPUT_DIR := $(TESTS_BUILD_OUTPUT_DIR)/app/main
 
@@ -284,6 +289,7 @@ build-libtermux-exec_nos_c_tre:
 		mkdir -p "$$(dirname "$(TMP_BUILD_OUTPUT_DIR)/$$source_file")" || exit $$?; \
 		$(CC) -c $(CFLAGS) $(LIBTERMUX_EXEC__NOS__C__CPPFLAGS) \
 			$(TERMUX__CONSTANTS__MACRO_FLAGS) \
+			-DLIBTERMUX_EXEC__NOS__C__EXECVE_CALL__CHECK_ARGV0_BUFFER_OVERFLOW=$(LIBTERMUX_EXEC__NOS__C__EXECVE_CALL__CHECK_ARGV0_BUFFER_OVERFLOW) \
 			-fPIC -fvisibility=default \
 			-o $(TMP_BUILD_OUTPUT_DIR)/"$$(echo "$$source_file" | sed -E "s/(.*)\.c$$/\1.o/")" \
 			"$$source_file" || exit $$?; \
diff --git a/lib/termux-exec_nos_c_tre/include/termux/termux_exec__nos__c/v1/termux/api/termux_exec/ld_preload/direct/exec/ExecIntercept.h b/lib/termux-exec_nos_c_tre/include/termux/termux_exec__nos__c/v1/termux/api/termux_exec/ld_preload/direct/exec/ExecIntercept.h
@@ -55,6 +55,65 @@ extern "C" {
  * - https://github.com/bminor/bash/blob/bash-5.2/execute_cmd.c#L5964
  * - https://github.com/bminor/bash/blob/bash-5.2/execute_cmd.c#L5988
  * - https://github.com/bminor/bash/blob/bash-5.2/execute_cmd.c#L6048
+ *
+ *
+ *
+ * For Android `< 6`, the length must not be `>= 128` for the `argv[0]`
+ * string of an `execve()` call or library path of a `dlopen()` call.
+ *
+ * The `soinfo_alloc()` function in `linker.cpp` of Android `/system/bin/linker*`
+ * that loaded the `soinfo` of a library/executable had a `SOINFO_NAME_LEN=128`
+ * limit on the path/name passed to it before aae859cc, after which it
+ * was increased to `PATH_MAX`. Earlier, if path passed was `>= 128`,
+ * then `library name "<library_name>" too long` error would occur.
+ *
+ * Before dcaef371, the `__linker_init_post_relocation()` function also
+ * passed `argv[0]` as executable path to `soinfo_alloc()` function to
+ * load its `soinfo`, instead of the actual absolute path of the
+ * executable. So before aae859cc, if either length was `>= 128`, then
+ * the process would abort with exit code `1`. Note that the `execve()`
+ * call itself will not fail, failure occurs before `main()` is called.
+ * The limit also applies to the interpreter defined in scripts, as
+ * interpreter is passed as `argv[0]` during execution.
+ *
+ * Both fixes are only available in Android `>= 6`. For earlier
+ * versions like Android 5, the path for executables and libraries
+ * must be kept below the limit. However, for executables, to allow
+ * execution, the `argv[0]` can be shortened even if executable path
+ * is longer, or by first changing current working directory to
+ * executable's parent directory and then executing it with a relative
+ * path.
+ *
+ * ```
+ * LD_DEBUG=3 /data/data/com.termux/files/usr/libexec/installed-tests/termux-exec/lib/termux-exec_nos_c_tre/scripts/termux/api/termux_exec/ld_preload/direct/exec/files/print-args-binary arg1; echo $?
+ * 1
+ *
+ * # Logcat
+ * linker W  [ android linker & debugger ]
+ * linker D  DEBUG: library name "/data/data/com.termux/files/usr/libexec/installed-tests/termux-exec/lib/termux-exec_nos_c_tre/scripts/termux/api/termux_exec/ld_preload/direct/exec/files/print-args-binary" too long
+ * ```
+ *
+ * ```
+ * (exec -a print-args-binary /data/data/com.termux/files/usr/libexec/installed-tests/termux-exec/lib/termux-exec_nos_c_tre/scripts/termux/api/termux_exec/ld_preload/direct/exec/files/print-args-binary arg1); echo $?
+ * arg1
+ * 0
+ * ```
+ *
+ * ```
+ * (cd /data/data/com.termux/files/usr/libexec/installed-tests/termux-exec/lib/termux-exec_nos_c_tre/scripts/termux/api/termux_exec/ld_preload/direct/exec/files && ./print-args-binary arg1); echo $?
+ * arg1
+ * 0
+ * ```
+ *
+ * - https://cs.android.com/android/_/android/platform/bionic/+/dcaef371
+ * - https://cs.android.com/android/_/android/platform/bionic/+/aae859cc
+ * - https://github.com/termux/termux-app/issues/213
+ *
+ * See also `TERMUX__PREFIX__BIN_FILE___SAFE_MAX_LEN` in
+ * https://github.com/termux/termux-core-package/blob/master/lib/termux-core_nos_c_tre/include/termux/termux_core__nos__c/v1/termux/file/TermuxFile.h
+ *
+ * **See Also:**
+ * - https://github.com/termux/termux-packages/wiki/Termux-file-system-layout#file-path-limits
  */
 
 /**
@@ -276,6 +335,31 @@ int modifyExecArgs(char *const *argv, const char ***newArgvPointer,
 
 
 
+/**
+ * Check if `argv[0]` length is `>= 128` on Android `< 6` as commands
+ * will fail with exit code 1 without any error on stderr,
+ * but with the `library name "<library_name>" too long` error in
+ * `logcat` if linker debugging is enabled.
+ *
+ * See comment at top of this file.
+ *
+ * @param argv The current arguments pointer.
+ * @param origExecutablePath The originnal executable path passed to
+ *                             `execve()`.
+ * @param executablePath The **normalized** executable or interpreter
+ *                        path that will actually be executed.
+ * @param processedExecutablePath The **normalized** executable path
+ *                        that was passed to `execve()`.
+ * @param interpreterSet Whether a interpreter is set in the executable
+ *                       file.
+ * @return Returns `0` `argv[0]` length is `< 128` or running on
+ * Android `>= 6`, otherwise `-1` with errno set to `ENAMETOOLONG` if
+ * buffer overflow would occur..
+ */
+int checkExecArg0BufferOverflow(char *const *argv,
+    const char *executablePath, const char *processedExecutablePath,
+    bool interpreterSet);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/lib/termux-exec_nos_c_tre/src/termux/api/termux_exec/ld_preload/direct/exec/ExecIntercept.c b/lib/termux-exec_nos_c_tre/src/termux/api/termux_exec/ld_preload/direct/exec/ExecIntercept.c
@@ -295,6 +295,14 @@ int execveInterceptInternal(const char *origExecutablePath, char *const argv[],
 
 
 
+    #if defined LIBTERMUX_EXEC__NOS__C__EXECVE_CALL__CHECK_ARGV0_BUFFER_OVERFLOW && LIBTERMUX_EXEC__NOS__C__EXECVE_CALL__CHECK_ARGV0_BUFFER_OVERFLOW == 1
+    if (checkExecArg0BufferOverflow(argv, executablePath, processedExecutablePath, interpreterSet) != 0) {
+        return -1;
+    }
+    #endif
+
+
+
     if (debugLoggingEnabled) {
         logErrorVerbose(LOG_TAG, "Calling syscall execve");
         logErrorVerbose(LOG_TAG, "executable = '%s'", executablePath);
@@ -654,3 +662,45 @@ int modifyExecArgs(char *const *argv, const char ***newArgvPointer,
 
     return 0;
 }
+
+
+
+int checkExecArg0BufferOverflow(char *const *argv,
+    const char *executablePath, const char *processedExecutablePath,
+    bool interpreterSet) {
+    logErrorVVerbose(LOG_TAG, "Checking argv[0] buffer overflow");
+
+    size_t argv0Length = strlen(argv[0]);
+    if (argv0Length >= 128) {
+        int androidBuildVersionSdk = android_buildVersionSdk_get();
+        if (androidBuildVersionSdk < 23) {
+            bool shouldAbort = false;
+            char* label = "";
+            if (interpreterSet) {
+                char interpreterHeader[TERMUX__FILE_HEADER__BUFFER_SIZE];
+                ssize_t interpreterHeaderLength = readFileHeader("interpreter", executablePath, interpreterHeader, sizeof(interpreterHeader));
+                if (interpreterHeaderLength < 0) {
+                    return interpreterHeaderLength;
+                }
+
+                if (isElfFile(interpreterHeader, interpreterHeaderLength)) {
+                    shouldAbort = true;
+                    label = "interpreted";
+                }
+            } else {
+                // Is elf.
+                shouldAbort = true;
+                label = "executable";
+            }
+
+            if (shouldAbort) {
+                logStrerrorDebug(LOG_TAG, "Cannot execute %s file '%s' as argv[0] '%s' length '%zu' is '>= 128' while running on Android SDK %d",
+                    label, processedExecutablePath, argv[0], argv0Length, androidBuildVersionSdk);
+                errno = ENAMETOOLONG;
+                return -1;
+            }
+        }
+    }
+
+    return 0;
+}
diff --git a/lib/termux-exec_nos_c_tre/tests/libtermux-exec_nos_c_tre_tests.in b/lib/termux-exec_nos_c_tre/tests/libtermux-exec_nos_c_tre_tests.in
@@ -70,11 +70,16 @@ libtermux_exec__nos__c__unit_binary_tests__run_command() {
     termux_exec__tests__log 1 "Running 'libtermux-exec_nos_c_tre_${unit_binary_tests_variant}'"
 
     output="$(
+        # cd first and execute with relative path to shorten `argv[0]`,
+        # otherwise command will fail with exit code `1` on Android `< 6`
+        # without any error if `argv[0]` length is `>= 128`.
+        # Check `checkExecArg0BufferOverflow()` function in `ExecIntercept.h`.
+        cd "$TERMUX_EXEC__TESTS__TESTS_PATH/lib/termux-exec_nos_c_tre/bin" || exit $?
         printf -v "$TERMUX_EXEC__TESTS__LOG_LEVEL___N" "%s" "$TERMUX_EXEC__TESTS__LOG_LEVEL" || exit $?
         export "${TERMUX_EXEC__TESTS__LOG_LEVEL___N?}" || exit $?
         export LD_PRELOAD="$TERMUX_EXEC__TESTS__PRIMARY_LD_PRELOAD_FILE_PATH" || exit $?
         ASAN_OPTIONS="fast_unwind_on_malloc=false:detect_leaks=$TERMUX_EXEC__TESTS__DETECT_LEAKS" LSAN_OPTIONS="report_objects=$TERMUX_EXEC__TESTS__DETECT_LEAKS" \
-            "$TERMUX_EXEC__TESTS__TESTS_PATH/lib/termux-exec_nos_c_tre/bin/libtermux-exec_nos_c_tre_${unit_binary_tests_variant}" 2>&1)"
+            "./libtermux-exec_nos_c_tre_${unit_binary_tests_variant}" 2>&1)"
     return_value=$?
     if [ $return_value -eq 0 ] ||
         { [ $return_value -eq 141 ] &&
@@ -144,10 +149,15 @@ libtermux_exec__nos__c__runtime_binary_tests__run_command() {
 
     termux_exec__tests__log 1 "Running 'libtermux-exec_nos_c_tre_${runtime_binary_tests_variant}'"
     (
+        # cd first and execute with relative path to shorten `argv[0]`,
+        # otherwise command will fail with exit code `1` on Android `< 6`
+        # without any error if `argv[0]` length is `>= 128`.
+        # Check `checkExecArg0BufferOverflow()` function in `ExecIntercept.h`.
+        cd "$TERMUX_EXEC__TESTS__TESTS_PATH/lib/termux-exec_nos_c_tre/bin" || exit $?
         printf -v "$TERMUX_EXEC__TESTS__LOG_LEVEL___N" "%s" "$TERMUX_EXEC__TESTS__LOG_LEVEL" || exit $?
         export "${TERMUX_EXEC__TESTS__LOG_LEVEL___N?}" || exit $?
         ASAN_OPTIONS="fast_unwind_on_malloc=false:detect_leaks=$TERMUX_EXEC__TESTS__DETECT_LEAKS" LSAN_OPTIONS="report_objects=$TERMUX_EXEC__TESTS__DETECT_LEAKS" \
-            "$TERMUX_EXEC__TESTS__TESTS_PATH/lib/termux-exec_nos_c_tre/bin/libtermux-exec_nos_c_tre_${runtime_binary_tests_variant}"
+            "./libtermux-exec_nos_c_tre_${runtime_binary_tests_variant}"
     )
     return_value=$?
     if [ $return_value -ne 0 ]; then
diff --git a/lib/termux-exec_nos_c_tre/tests/src/termux/api/termux_exec/ld_preload/direct/exec/ExecIntercept_RuntimeBinaryTests.c b/lib/termux-exec_nos_c_tre/tests/src/termux/api/termux_exec/ld_preload/direct/exec/ExecIntercept_RuntimeBinaryTests.c
