Load plugin libraries safely (openvinotoolkit#14034)

For security purposes load plugin libraries only by absolute path to prevent search from environment variables, working directory etc.
mryzhov · Nov 22, 2022 · 97878de · 97878de
1 parent 1910f42
commit 97878de
Show file tree

Hide file tree

Showing 5 changed files with 51 additions and 1 deletion.
diff --git a/src/common/util/CMakeLists.txt b/src/common/util/CMakeLists.txt
@@ -33,6 +33,9 @@ add_library(${TARGET_NAME} STATIC ${LIBRARY_SRC} ${PUBLIC_HEADERS})
 add_library(openvino::util ALIAS ${TARGET_NAME})
 
 target_link_libraries(${TARGET_NAME} PRIVATE ${CMAKE_DL_LIBS})
+if (WIN32)
+    target_link_libraries(${TARGET_NAME} PRIVATE Shlwapi)
+endif()
 target_include_directories(${TARGET_NAME} PUBLIC
     $<BUILD_INTERFACE:${UTIL_INCLUDE_DIR}>)
 

diff --git a/src/common/util/include/openvino/util/shared_object.hpp b/src/common/util/include/openvino/util/shared_object.hpp
@@ -23,13 +23,31 @@ namespace util {
  */
 std::shared_ptr<void> load_shared_object(const char* path);
 
+/**
+ * @brief Loads a library with absolute path specified.
+ * Prevents library search in working directory, environment
+ * variables etc.
+ * @param path Full path to the plugin library
+ * @return Reference to shared object
+ */
+std::shared_ptr<void> load_shared_object_safely(const char* path);
+
 #ifdef OPENVINO_ENABLE_UNICODE_PATH_SUPPORT
 /**
  * @brief Loads a library with the wide char name specified.
  * @param path Full or relative path to the plugin library
  * @return Reference to shared object
  */
 std::shared_ptr<void> load_shared_object(const wchar_t* path);
+
+/**
+ * @brief Loads a library with wide char absolute path specified.
+ * Prevents library search in working directory, environment
+ * variables etc.
+ * @param path Full path to the plugin library
+ * @return Reference to shared object
+ */
+std::shared_ptr<void> load_shared_object_safely(const wchar_t* path);
 #endif  // OPENVINO_ENABLE_UNICODE_PATH_SUPPORT
 /**
  * @brief Searches for a function symbol in the loaded module

diff --git a/src/common/util/src/os/lin/lin_shared_object_loader.cpp b/src/common/util/src/os/lin/lin_shared_object_loader.cpp
@@ -12,6 +12,14 @@
 
 namespace ov {
 namespace util {
+std::shared_ptr<void> load_shared_object_safely(const char* path) {
+    if (path == nullptr)
+        throw std::runtime_error("Cannot load library: path isn't specified.");
+    if (path[0] == '/')
+        return load_shared_object(path);
+    throw std::runtime_error("Cannot load library: path '" + static_cast<std::string>(path) + "' is not absolute.");
+}
+
 std::shared_ptr<void> load_shared_object(const char* path) {
     auto shared_object = std::shared_ptr<void>{dlopen(path, RTLD_NOW), [](void* shared_object) {
                                                    if (shared_object != nullptr) {
@@ -36,6 +44,10 @@ std::shared_ptr<void> load_shared_object(const char* path) {
 }
 
 #ifdef OPENVINO_ENABLE_UNICODE_PATH_SUPPORT
+std::shared_ptr<void> load_shared_object_safely(const wchar_t* path) {
+    return load_shared_object_safely(ov::util::wstring_to_string(path).c_str());
+}
+
 std::shared_ptr<void> load_shared_object(const wchar_t* path) {
     return load_shared_object(ov::util::wstring_to_string(path).c_str());
 }

diff --git a/src/common/util/src/os/win/win_shared_object_loader.cpp b/src/common/util/src/os/win/win_shared_object_loader.cpp
@@ -70,9 +70,18 @@
 #endif
 
 #include <windows.h>
+#include <Shlwapi.h>
 
 namespace ov {
 namespace util {
+std::shared_ptr<void> load_shared_object_safely(const char* path) {
+    if (path == nullptr)
+        throw std::runtime_error("Cannot load library: path isn't specified.");
+    if (!PathIsRelativeA(path))
+        return load_shared_object(path);
+    throw std::runtime_error("Cannot load library: path '" + static_cast<std::string>(path) + "' is not absolute.");
+}
+
 std::shared_ptr<void> load_shared_object(const char* path) {
     void* shared_object = nullptr;
     using GetDllDirectoryA_Fnc = DWORD (*)(DWORD, LPSTR);
@@ -124,6 +133,14 @@ std::shared_ptr<void> load_shared_object(const char* path) {
 }
 
 #ifdef OPENVINO_ENABLE_UNICODE_PATH_SUPPORT
+std::shared_ptr<void> load_shared_object_safely(const wchar_t* path) {
+    if (path == nullptr)
+        throw std::runtime_error("Cannot load library: path isn't specified.");
+    if (!PathIsRelativeW(path))
+        return load_shared_object(path);
+    throw std::runtime_error("Cannot load library: path '" + ov::util::wstring_to_string(std::wstring(path)) + "' is not absolute.");
+}
+
 std::shared_ptr<void> load_shared_object(const wchar_t* path) {
     void* shared_object = nullptr;
     using GetDllDirectoryW_Fnc = DWORD (*)(DWORD, LPWSTR);

diff --git a/src/inference/src/ie_core.cpp b/src/inference/src/ie_core.cpp
@@ -1161,7 +1161,7 @@ class CoreImpl : public ie::ICore, public std::enable_shared_from_this<ie::ICore
                 desc.pluginCreateFunc(plugin_impl);
                 plugin = InferencePlugin{plugin_impl, {}};
             } else {
-                so = ov::util::load_shared_object(desc.libraryLocation.c_str());
+                so = ov::util::load_shared_object_safely(desc.libraryLocation.c_str());
                 std::shared_ptr<ie::IInferencePlugin> plugin_impl;
                 reinterpret_cast<InferenceEngine::CreatePluginEngineFunc*>(
                     ov::util::get_symbol(so, InferenceEngine::create_plugin_function))(plugin_impl);