rpms/systemtap
7
0
Fork 0
Code Issues Pull Requests Releases Activity

CVE-2012-0875 rebuild

Browse Source
This commit is contained in:
Frank Ch. Eigler 2012-02-22 13:50:17 -05:00
parent 9da5ca9f79
commit 39b787b4c2
2 changed files with 95 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
CVE-2012-0875.patch Normal file
View File

@ -0,0 +1,87 @@
commit 64b0cff3bee6b00cb4193ed887439c66055f85b4
Author: Mark Wielaard <mjw@redhat.com>
Date: Tue Feb 21 15:08:58 2012 +0100
PR13714 - Make sure REG_STATE.cfa_is_expr is always set correctly.
runtime/unwind.c (processCFI): Always set REG_STATE.cfa_is_expr and
add new sanity checks to make sure the cfa definition rules are sane.
Since the cfa expr pointer and cfa register/offset rule shared a union
not setting REG_STATE.cfa_is_expr could result in compute_expr ()
wrongly being called and using the register/offset as expr pointer.
diff --git a/runtime/unwind.c b/runtime/unwind.c
index c0fc9c2..e440177 100644
--- a/runtime/unwind.c
+++ b/runtime/unwind.c
@@ -385,6 +385,7 @@ static void set_expr_rule(uleb128_t reg, enum item_location where,
uleb128_t len = get_uleb128(expr, end);
dbug_unwind(1, "reg=%lx, where=%d, expr=%lu@%p\n",
reg, where, len, *expr);
+ /* Sanity check that expr falls completely inside known data. */
if (end - *expr >= len && reg < ARRAY_SIZE(REG_STATE.regs)) {
REG_STATE.regs[reg].where = where;
REG_STATE.regs[reg].expr = start;
@@ -524,30 +525,46 @@ static int processCFI(const u8 *start, const u8 *end, unsigned long targetLoc,
case DW_CFA_def_cfa:
value = get_uleb128(&ptr.p8, end);
dbug_unwind(1, "map DW_CFA_def_cfa value %ld to reg_info idx %ld\n", value, DWARF_REG_MAP(value));
+ REG_STATE.cfa_is_expr = 0;
REG_STATE.cfa.reg = value;
dbug_unwind(1, "DW_CFA_def_cfa reg=%ld\n", REG_STATE.cfa.reg);
/*nobreak */
case DW_CFA_def_cfa_offset:
- REG_STATE.cfa.offs = get_uleb128(&ptr.p8, end);
- dbug_unwind(1, "DW_CFA_def_cfa_offset offs=%lx\n", REG_STATE.cfa.offs);
+ if (REG_STATE.cfa_is_expr != 0) {
+ _stp_warn("Unexpected DW_CFA_def_cfa_offset\n");
+ } else {
+ REG_STATE.cfa.offs = get_uleb128(&ptr.p8, end);
+ dbug_unwind(1, "DW_CFA_def_cfa_offset offs=%lx\n", REG_STATE.cfa.offs);
+ }
break;
case DW_CFA_def_cfa_sf:
value = get_uleb128(&ptr.p8, end);
dbug_unwind(1, "map DW_CFA_def_cfa_sf value %ld to reg_info idx %ld\n", value, DWARF_REG_MAP(value));
+ REG_STATE.cfa_is_expr = 0;
REG_STATE.cfa.reg = value;
/*nobreak */
case DW_CFA_def_cfa_offset_sf:
- REG_STATE.cfa.offs = get_sleb128(&ptr.p8, end) * state->dataAlign;
- dbug_unwind(1, "DW_CFA_def_cfa_offset_sf offs=%lx\n", REG_STATE.cfa.offs);
+ if (REG_STATE.cfa_is_expr != 0) {
+ _stp_warn("Unexpected DW_CFA_def_cfa_offset_sf\n");
+ } else {
+ REG_STATE.cfa.offs = get_sleb128(&ptr.p8, end) * state->dataAlign;
+ dbug_unwind(1, "DW_CFA_def_cfa_offset_sf offs=%lx\n", REG_STATE.cfa.offs);
+ }
break;
case DW_CFA_def_cfa_register:
- value = get_uleb128(&ptr.p8, end);
- dbug_unwind(1, "map DW_CFA_def_cfa_register value %ld to reg_info idx %ld\n", value, DWARF_REG_MAP(value));
- REG_STATE.cfa.reg = value;
+ if (REG_STATE.cfa_is_expr != 0) {
+ _stp_warn("Unexpected DW_CFA_def_cfa_register\n");
+ } else {
+ value = get_uleb128(&ptr.p8, end);
+ dbug_unwind(1, "map DW_CFA_def_cfa_register value %ld to reg_info idx %ld\n", value, DWARF_REG_MAP(value));
+ REG_STATE.cfa.reg = value;
+ }
break;
case DW_CFA_def_cfa_expression: {
const u8 *cfa_expr = ptr.p8;
value = get_uleb128(&ptr.p8, end);
+ /* Sanity check that cfa_expr falls completely
+ inside known data. */
if (ptr.p8 < end && end - ptr.p8 >= value) {
REG_STATE.cfa_is_expr = 1;
REG_STATE.cfa_expr = cfa_expr;
@@ -801,6 +818,7 @@ static int compute_expr(const u8 *expr, struct unwind_frame_info *frame,
{
/*
* We previously validated the length, so we won't read off the end.
+ * See sanity checks in set_expr() and for DW_CFA_def_cfa_expression.
*/
uleb128_t len = get_uleb128(&expr, (const u8 *) -1UL);
const u8 *const start = expr;

9
systemtap.spec
View File

@ -16,7 +16,7 @@
Name: systemtap Name: systemtap
Version: 1.7 Version: 1.7
Release: 1%{?dist} Release: 2%{?dist}
# for version, see also configure.ac # for version, see also configure.ac
@ -49,6 +49,8 @@ License: GPLv2+
URL: http://sourceware.org/systemtap/ URL: http://sourceware.org/systemtap/
Source: ftp://sourceware.org/pub/%{name}/releases/%{name}-%{version}.tar.gz Source: ftp://sourceware.org/pub/%{name}/releases/%{name}-%{version}.tar.gz
Patch10: CVE-2012-0875.patch
# Build* # Build*
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: gettext BuildRequires: gettext
@ -259,6 +261,8 @@ find . \( -name configure -o -name config.h.in \) -print | xargs touch
cd .. cd ..
%endif %endif
%patch10 -p1
%build %build
%if %{with_bundled_elfutils} %if %{with_bundled_elfutils}
@ -596,6 +600,9 @@ exit 0
# ------------------------------------------------------------------------ # ------------------------------------------------------------------------
%changelog %changelog
* Wed Feb 22 2012 Frank Ch. Eigler <fche@redhat.com> - 1.7-2
- CVE-2012-0875 (kernel panic when processing malformed DWARF unwind data)
* Wed Feb 01 2012 Frank Ch. Eigler <fche@redhat.com> - 1.7-1 * Wed Feb 01 2012 Frank Ch. Eigler <fche@redhat.com> - 1.7-1
- Upstream release. - Upstream release.
- Reorganize subpackages, new -client and -devel for subset installations. - Reorganize subpackages, new -client and -devel for subset installations.