- Add systemtap-1.1-cfi-cfa_ops-fixes.patch
- Resolves RHBZ #564429 - Add systemtap-1.1-get_argv.patch - Resolves CVE-2010-0411 - Add systemtap-1.1-tighten-server-params.patch (excluding testsuite) - Resolves CVE-2010-0412, CVE-2009-4273
This commit is contained in:
parent
fbc37f47a1
commit
42cafcb7a1
283
systemtap-1.1-cfi-cfa_ops-fixes.patch
Normal file
283
systemtap-1.1-cfi-cfa_ops-fixes.patch
Normal file
@ -0,0 +1,283 @@
|
|||||||
|
commit 08d1d520616557f6ff7dd023e260ad6577e9e0e8
|
||||||
|
Author: Mark Wielaard <mjw@redhat.com>
|
||||||
|
Date: Mon Jan 18 09:13:30 2010 +0100
|
||||||
|
|
||||||
|
PR11173 Markers get a bad address in prelinked libraries.
|
||||||
|
|
||||||
|
Our literal_addr_to_sym_addr() function was just wrong. To compensate for
|
||||||
|
raw addresses read from elf (either given by the user or through a mark
|
||||||
|
transformation) we need to know what the elf_bias is (as returned by
|
||||||
|
dwfl_module_getelf) before feeding them to any libdwfl functions.
|
||||||
|
|
||||||
|
* tapsets.cxx (query_module_dwarf): Always add elf_bias to raw function or
|
||||||
|
statement addresses before calling query_addr().
|
||||||
|
(query_addr): Don't call literal_addr_to_sym_addr().
|
||||||
|
* dwflpp.h (literal_addr_to_sym_addr): Removed.
|
||||||
|
* dwflpp.cxx (literal_addr_to_sym_addr): Likewise.
|
||||||
|
|
||||||
|
diff --git a/dwflpp.cxx b/dwflpp.cxx
|
||||||
|
index 7dd31d0..e6fe017 100644
|
||||||
|
--- a/dwflpp.cxx
|
||||||
|
+++ b/dwflpp.cxx
|
||||||
|
@@ -2771,45 +2771,6 @@ dwflpp::relocate_address(Dwarf_Addr dw_addr, string& reloc_section)
|
||||||
|
return reloc_addr;
|
||||||
|
}
|
||||||
|
|
||||||
|
-/* Converts a "global" literal address to the module symbol address
|
||||||
|
- * space. If necessary (not for kernel and executables using absolute
|
||||||
|
- * addresses), this adjust the address for the current module symbol
|
||||||
|
- * bias. Literal addresses are provided by the user (or contained on
|
||||||
|
- * the .probes section) based on the "on disk" layout of the module.
|
||||||
|
- */
|
||||||
|
-Dwarf_Addr
|
||||||
|
-dwflpp::literal_addr_to_sym_addr(Dwarf_Addr lit_addr)
|
||||||
|
-{
|
||||||
|
- if (sess.verbose > 2)
|
||||||
|
- clog << "literal_addr_to_sym_addr 0x" << hex << lit_addr << dec << endl;
|
||||||
|
-
|
||||||
|
- // Assume the address came from the symbol list.
|
||||||
|
- // If we cannot get the symbol bias fall back on the dw bias.
|
||||||
|
- // The kernel (and other absolute executable modules) is special though.
|
||||||
|
- if (module_name != TOK_KERNEL
|
||||||
|
- && dwfl_module_relocations (module) > 0)
|
||||||
|
- {
|
||||||
|
- Dwarf_Addr symbias = ~0;
|
||||||
|
- if (dwfl_module_getsymtab (module) != -1)
|
||||||
|
- dwfl_module_info (module, NULL, NULL, NULL, NULL,
|
||||||
|
- &symbias, NULL, NULL);
|
||||||
|
-
|
||||||
|
- if (sess.verbose > 3)
|
||||||
|
- clog << "symbias 0x" << hex << symbias << dec
|
||||||
|
- << ", dwbias 0x" << hex << module_bias << dec << endl;
|
||||||
|
-
|
||||||
|
- if (symbias == (Dwarf_Addr) ~0)
|
||||||
|
- symbias = module_bias;
|
||||||
|
-
|
||||||
|
- lit_addr += symbias;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (sess.verbose > 2)
|
||||||
|
- clog << "literal_addr_to_sym_addr ret 0x" << hex << lit_addr << dec << endl;
|
||||||
|
-
|
||||||
|
- return lit_addr;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
/* Returns the call frame address operations for the given program counter
|
||||||
|
* in the libdw address space.
|
||||||
|
*/
|
||||||
|
diff --git a/dwflpp.h b/dwflpp.h
|
||||||
|
index cdc6ad9..523dd88 100644
|
||||||
|
--- a/dwflpp.h
|
||||||
|
+++ b/dwflpp.h
|
||||||
|
@@ -284,8 +284,6 @@ struct dwflpp
|
||||||
|
|
||||||
|
Dwarf_Addr relocate_address(Dwarf_Addr addr, std::string& reloc_section);
|
||||||
|
|
||||||
|
- Dwarf_Addr literal_addr_to_sym_addr(Dwarf_Addr lit_addr);
|
||||||
|
-
|
||||||
|
|
||||||
|
private:
|
||||||
|
DwflPtr dwfl_ptr;
|
||||||
|
diff --git a/tapsets.cxx b/tapsets.cxx
|
||||||
|
index 071f92d..d5c6b25 100644
|
||||||
|
--- a/tapsets.cxx
|
||||||
|
+++ b/tapsets.cxx
|
||||||
|
@@ -761,6 +761,13 @@ dwarf_query::query_module_dwarf()
|
||||||
|
// number plus the module's bias.
|
||||||
|
Dwarf_Addr addr = has_function_num ?
|
||||||
|
function_num_val : statement_num_val;
|
||||||
|
+
|
||||||
|
+ // These are raw addresses, we need to know what the elf_bias
|
||||||
|
+ // is to feed it to libdwfl based functions.
|
||||||
|
+ Dwarf_Addr elf_bias;
|
||||||
|
+ Elf *elf = dwfl_module_getelf (dw.module, &elf_bias);
|
||||||
|
+ assert(elf);
|
||||||
|
+ addr += elf_bias;
|
||||||
|
query_addr(addr, this);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
@@ -1168,8 +1175,8 @@ query_addr(Dwarf_Addr addr, dwarf_query *q)
|
||||||
|
{
|
||||||
|
dwflpp &dw = q->dw;
|
||||||
|
|
||||||
|
- // Translate to and actual sumbol address.
|
||||||
|
- addr = dw.literal_addr_to_sym_addr(addr);
|
||||||
|
+ if (q->sess.verbose > 2)
|
||||||
|
+ clog << "query_addr 0x" << hex << addr << dec << endl;
|
||||||
|
|
||||||
|
// First pick which CU contains this address
|
||||||
|
Dwarf_Die* cudie = dw.query_cu_containing_address(addr);
|
||||||
|
|
||||||
|
commit 87748e2b87e574d3c83866ccd0d83678c3c68d93
|
||||||
|
Author: Mark Wielaard <mjw@redhat.com>
|
||||||
|
Date: Tue Feb 2 13:47:19 2010 +0100
|
||||||
|
|
||||||
|
Make sure cfa_ops are always retrieved through dwfl global address.
|
||||||
|
|
||||||
|
dwflpp::translate_location() works on the dw address space, but
|
||||||
|
get_cfa_ops() starts out with dwfl calls (only dwarf_cfi_addrframe()
|
||||||
|
needs to be adjusted for bias).
|
||||||
|
|
||||||
|
* dwflpp.cxx (translate_location): Pass pc plus module bias through to
|
||||||
|
get_cfa_ops.
|
||||||
|
(get_cfa_ops): Adjust for bias when calling dwarf_cfi_addrframe(),
|
||||||
|
add frame start/end address when found if verbose logging.
|
||||||
|
* testsuite/systemtap.exelib/lib.stp: Add $foo and $bar variables to
|
||||||
|
process.function probes.
|
||||||
|
* testsuite/systemtap.exelib/libmarkunamestack.stp: Likewise.
|
||||||
|
* testsuite/systemtap.exelib/lib.tcl: Expect correct values for
|
||||||
|
process.function probe variables.
|
||||||
|
* testsuite/systemtap.exelib/libmarkunamestack.tcl: Likewise.
|
||||||
|
|
||||||
|
diff --git a/dwflpp.cxx b/dwflpp.cxx
|
||||||
|
index e6fe017..d16411c 100644
|
||||||
|
--- a/dwflpp.cxx
|
||||||
|
+++ b/dwflpp.cxx
|
||||||
|
@@ -1726,9 +1726,10 @@ dwflpp::translate_location(struct obstack *pool,
|
||||||
|
e->tok);
|
||||||
|
}
|
||||||
|
|
||||||
|
- // pc is relative to current module, which is what get_cfa_ops
|
||||||
|
- // and c_translate_location expects.
|
||||||
|
- Dwarf_Op *cfa_ops = get_cfa_ops (pc);
|
||||||
|
+ // pc is in the dw address space of the current module, which is what
|
||||||
|
+ // c_translate_location expects. get_cfa_ops wants the global dwfl address.
|
||||||
|
+ Dwarf_Addr addr = pc + module_bias;
|
||||||
|
+ Dwarf_Op *cfa_ops = get_cfa_ops (addr);
|
||||||
|
return c_translate_location (pool, &loc2c_error, this,
|
||||||
|
&loc2c_emit_address,
|
||||||
|
1, 0 /* PR9768 */,
|
||||||
|
@@ -2783,17 +2784,17 @@ dwflpp::get_cfa_ops (Dwarf_Addr pc)
|
||||||
|
clog << "get_cfa_ops @0x" << hex << pc << dec
|
||||||
|
<< ", module_start @0x" << hex << module_start << dec << endl;
|
||||||
|
|
||||||
|
-#if _ELFUTILS_PREREQ(0,142)
|
||||||
|
// Try debug_frame first, then fall back on eh_frame.
|
||||||
|
- size_t cfa_nops;
|
||||||
|
- Dwarf_Addr bias;
|
||||||
|
+ size_t cfa_nops = 0;
|
||||||
|
+ Dwarf_Addr bias = 0;
|
||||||
|
+ Dwarf_Frame *frame = NULL;
|
||||||
|
+#if _ELFUTILS_PREREQ(0,142)
|
||||||
|
Dwarf_CFI *cfi = dwfl_module_dwarf_cfi (module, &bias);
|
||||||
|
if (cfi != NULL)
|
||||||
|
{
|
||||||
|
if (sess.verbose > 3)
|
||||||
|
clog << "got dwarf cfi bias: 0x" << hex << bias << dec << endl;
|
||||||
|
- Dwarf_Frame *frame = NULL;
|
||||||
|
- if (dwarf_cfi_addrframe (cfi, pc, &frame) == 0)
|
||||||
|
+ if (dwarf_cfi_addrframe (cfi, pc - bias, &frame) == 0)
|
||||||
|
dwarf_frame_cfa (frame, &cfa_ops, &cfa_nops);
|
||||||
|
else if (sess.verbose > 3)
|
||||||
|
clog << "dwarf_cfi_addrframe failed: " << dwarf_errmsg(-1) << endl;
|
||||||
|
@@ -2809,7 +2810,7 @@ dwflpp::get_cfa_ops (Dwarf_Addr pc)
|
||||||
|
if (sess.verbose > 3)
|
||||||
|
clog << "got eh cfi bias: 0x" << hex << bias << dec << endl;
|
||||||
|
Dwarf_Frame *frame = NULL;
|
||||||
|
- if (dwarf_cfi_addrframe (cfi, pc, &frame) == 0)
|
||||||
|
+ if (dwarf_cfi_addrframe (cfi, pc - bias, &frame) == 0)
|
||||||
|
dwarf_frame_cfa (frame, &cfa_ops, &cfa_nops);
|
||||||
|
else if (sess.verbose > 3)
|
||||||
|
clog << "dwarf_cfi_addrframe failed: " << dwarf_errmsg(-1) << endl;
|
||||||
|
@@ -2821,7 +2822,20 @@ dwflpp::get_cfa_ops (Dwarf_Addr pc)
|
||||||
|
#endif
|
||||||
|
|
||||||
|
if (sess.verbose > 2)
|
||||||
|
- clog << (cfa_ops == NULL ? "not " : " ") << "found cfa" << endl;
|
||||||
|
+ {
|
||||||
|
+ if (cfa_ops == NULL)
|
||||||
|
+ clog << "not found cfa" << endl;
|
||||||
|
+ else
|
||||||
|
+ {
|
||||||
|
+ Dwarf_Addr frame_start, frame_end;
|
||||||
|
+ bool frame_signalp;
|
||||||
|
+ int info = dwarf_frame_info (frame, &frame_start, &frame_end,
|
||||||
|
+ &frame_signalp);
|
||||||
|
+ clog << "found cfa, info:" << info << " [start: 0x" << hex
|
||||||
|
+ << frame_start << dec << ", end: 0x" << hex << frame_end
|
||||||
|
+ << dec << "), nops: " << cfa_nops << endl;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
|
||||||
|
return cfa_ops;
|
||||||
|
}
|
||||||
|
diff --git a/testsuite/systemtap.exelib/lib.stp b/testsuite/systemtap.exelib/lib.stp
|
||||||
|
index 0151282..3fdc6db 100644
|
||||||
|
--- a/testsuite/systemtap.exelib/lib.stp
|
||||||
|
+++ b/testsuite/systemtap.exelib/lib.stp
|
||||||
|
@@ -6,7 +6,7 @@ probe process(@1).function("main") {
|
||||||
|
}
|
||||||
|
|
||||||
|
probe process(@1).function("main_func") {
|
||||||
|
- printf("main_func\n");
|
||||||
|
+ printf("main_func %d\n", $foo);
|
||||||
|
}
|
||||||
|
|
||||||
|
probe process(@2).function("lib_main") {
|
||||||
|
@@ -14,5 +14,5 @@ probe process(@2).function("lib_main") {
|
||||||
|
}
|
||||||
|
|
||||||
|
probe process(@2).function("lib_func") {
|
||||||
|
- printf("lib_func\n");
|
||||||
|
+ printf("lib_func %d\n", $bar);
|
||||||
|
}
|
||||||
|
diff --git a/testsuite/systemtap.exelib/lib.tcl b/testsuite/systemtap.exelib/lib.tcl
|
||||||
|
index c5b7402..a33290b 100644
|
||||||
|
--- a/testsuite/systemtap.exelib/lib.tcl
|
||||||
|
+++ b/testsuite/systemtap.exelib/lib.tcl
|
||||||
|
@@ -1,11 +1,11 @@
|
||||||
|
set ::result_string {main
|
||||||
|
-main_func
|
||||||
|
-main_func
|
||||||
|
-main_func
|
||||||
|
+main_func 3
|
||||||
|
+main_func 2
|
||||||
|
+main_func 1
|
||||||
|
lib_main
|
||||||
|
-lib_func
|
||||||
|
-lib_func
|
||||||
|
-lib_func}
|
||||||
|
+lib_func 3
|
||||||
|
+lib_func 2
|
||||||
|
+lib_func 1}
|
||||||
|
|
||||||
|
# Only run on make installcheck
|
||||||
|
if {! [installtest_p]} { untested "lib-$testname"; return }
|
||||||
|
diff --git a/testsuite/systemtap.exelib/libmarkunamestack.stp b/testsuite/systemtap.exelib/libmarkunamestack.stp
|
||||||
|
index 0efbae0..5ee229d 100644
|
||||||
|
--- a/testsuite/systemtap.exelib/libmarkunamestack.stp
|
||||||
|
+++ b/testsuite/systemtap.exelib/libmarkunamestack.stp
|
||||||
|
@@ -7,7 +7,7 @@ probe process(@1).function("main") {
|
||||||
|
}
|
||||||
|
|
||||||
|
probe process(@1).function("main_func") {
|
||||||
|
- printf("main_func\n");
|
||||||
|
+ printf("main_func: %d\n", $foo);
|
||||||
|
}
|
||||||
|
|
||||||
|
probe process(@2).function("lib_main") {
|
||||||
|
@@ -15,7 +15,7 @@ probe process(@2).function("lib_main") {
|
||||||
|
}
|
||||||
|
|
||||||
|
probe process(@2).function("lib_func") {
|
||||||
|
- printf("lib_func\n");
|
||||||
|
+ printf("lib_func: %d\n", $bar);
|
||||||
|
}
|
||||||
|
|
||||||
|
#mark
|
||||||
|
diff --git a/testsuite/systemtap.exelib/libmarkunamestack.tcl b/testsuite/systemtap.exelib/libmarkunamestack.tcl
|
||||||
|
index 55dc10e..20111b3 100644
|
||||||
|
--- a/testsuite/systemtap.exelib/libmarkunamestack.tcl
|
||||||
|
+++ b/testsuite/systemtap.exelib/libmarkunamestack.tcl
|
||||||
|
@@ -47,9 +47,9 @@ expect {
|
||||||
|
|
||||||
|
# lib
|
||||||
|
-re {^main\r\n} {incr lib; exp_continue}
|
||||||
|
- -re {^main_func\r\n} {incr lib; exp_continue}
|
||||||
|
+ -re {^main_func: [1-3]\r\n} {incr lib; exp_continue}
|
||||||
|
-re {^lib_main\r\n} {incr lib; exp_continue}
|
||||||
|
- -re {^lib_func\r\n} {incr lib; exp_continue}
|
||||||
|
+ -re {^lib_func: [1-3]\r\n} {incr lib; exp_continue}
|
||||||
|
|
||||||
|
# mark
|
||||||
|
-re {^main_count: [1-3]\r\n} {incr mark; exp_continue}
|
183
systemtap-1.1-get_argv.patch
Normal file
183
systemtap-1.1-get_argv.patch
Normal file
@ -0,0 +1,183 @@
|
|||||||
|
commit a2d399c87a642190f08ede63dc6fc434a5a8363a
|
||||||
|
Author: Josh Stone <jistone@redhat.com>
|
||||||
|
Date: Thu Feb 4 17:47:31 2010 -0800
|
||||||
|
|
||||||
|
PR11234: Rewrite __get_argv without embedded-C
|
||||||
|
|
||||||
|
We now implement __get_argv's string building in pure stap script.
|
||||||
|
Also, every argument is now quoted, which is different than before, but
|
||||||
|
it's much more robust about handling special characters.
|
||||||
|
|
||||||
|
diff --git a/tapset/aux_syscalls.stp b/tapset/aux_syscalls.stp
|
||||||
|
index bab0f64..e762b37 100644
|
||||||
|
--- a/tapset/aux_syscalls.stp
|
||||||
|
+++ b/tapset/aux_syscalls.stp
|
||||||
|
@@ -399,124 +399,53 @@ function __sem_flags:string(semflg:long)
|
||||||
|
|
||||||
|
|
||||||
|
/* This function copies an argv from userspace. */
|
||||||
|
-function __get_argv:string(a:long, first:long)
|
||||||
|
-%{ /* pure */
|
||||||
|
- char __user *__user *argv = (char __user *__user *)(long)THIS->a;
|
||||||
|
- char __user *vstr;
|
||||||
|
- int space, rc, len = MAXSTRINGLEN;
|
||||||
|
- char *str = THIS->__retvalue;
|
||||||
|
- char buf[80];
|
||||||
|
- char *ptr = buf;
|
||||||
|
-
|
||||||
|
-
|
||||||
|
- if (THIS->first && argv)
|
||||||
|
- argv++;
|
||||||
|
-
|
||||||
|
- while (argv != NULL) {
|
||||||
|
- if (__stp_get_user (vstr, argv))
|
||||||
|
- break;
|
||||||
|
-
|
||||||
|
- if (vstr == NULL)
|
||||||
|
- break;
|
||||||
|
-
|
||||||
|
- rc = _stp_strncpy_from_user(buf, vstr, 79);
|
||||||
|
- if (rc <= 0)
|
||||||
|
- break;
|
||||||
|
-
|
||||||
|
- /* check for whitespace in string */
|
||||||
|
- buf[rc] = 0;
|
||||||
|
- ptr = buf;
|
||||||
|
- space = 0;
|
||||||
|
- while (*ptr && rc--) {
|
||||||
|
- if (isspace(*ptr++)) {
|
||||||
|
- space = 1;
|
||||||
|
- break;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (len != MAXSTRINGLEN && len) {
|
||||||
|
- *str++=' ';
|
||||||
|
- len--;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (space && len) {
|
||||||
|
- *str++='\"';
|
||||||
|
- len--;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- rc = strlcpy (str, buf, len);
|
||||||
|
- str += rc;
|
||||||
|
- len -= rc;
|
||||||
|
-
|
||||||
|
- if (space && len) {
|
||||||
|
- *str++='\"';
|
||||||
|
- len--;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- argv++;
|
||||||
|
+function __get_argv:string(argv:long, first:long)
|
||||||
|
+{
|
||||||
|
+%( CONFIG_64BIT == "y" %?
|
||||||
|
+ if (first && argv)
|
||||||
|
+ argv += 8
|
||||||
|
+ while (argv) {
|
||||||
|
+ vstr = user_long(argv)
|
||||||
|
+ if (!vstr)
|
||||||
|
+ break
|
||||||
|
+ if (len)
|
||||||
|
+ str .= " "
|
||||||
|
+ str .= user_string_quoted(vstr)
|
||||||
|
+
|
||||||
|
+ newlen = strlen(str)
|
||||||
|
+ if (newlen == len)
|
||||||
|
+ break
|
||||||
|
+ len = newlen
|
||||||
|
+ argv += 8
|
||||||
|
}
|
||||||
|
- *str = 0;
|
||||||
|
-%}
|
||||||
|
-/* This function copies an argv from userspace. */
|
||||||
|
-function __get_compat_argv:string(a:long, first:long)
|
||||||
|
-%{ /* pure */
|
||||||
|
-#ifdef CONFIG_COMPAT
|
||||||
|
- compat_uptr_t __user *__user *argv = (compat_uptr_t __user *__user *)(long)THIS->a;
|
||||||
|
- compat_uptr_t __user *vstr;
|
||||||
|
- int space, rc, len = MAXSTRINGLEN;
|
||||||
|
- char *str = THIS->__retvalue;
|
||||||
|
- char buf[80];
|
||||||
|
- char *ptr = buf;
|
||||||
|
-
|
||||||
|
- if (THIS->first && argv)
|
||||||
|
- argv++;
|
||||||
|
-
|
||||||
|
- while (argv != NULL) {
|
||||||
|
- if (__stp_get_user (vstr, argv))
|
||||||
|
- break;
|
||||||
|
-
|
||||||
|
- if (vstr == NULL)
|
||||||
|
- break;
|
||||||
|
-
|
||||||
|
- rc = _stp_strncpy_from_user(buf, (char *)vstr, 79);
|
||||||
|
- if (rc <= 0)
|
||||||
|
- break;
|
||||||
|
-
|
||||||
|
- /* check for whitespace in string */
|
||||||
|
- buf[rc] = 0;
|
||||||
|
- ptr = buf;
|
||||||
|
- space = 0;
|
||||||
|
- while (*ptr && rc--) {
|
||||||
|
- if (isspace(*ptr++)) {
|
||||||
|
- space = 1;
|
||||||
|
- break;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (len != MAXSTRINGLEN && len) {
|
||||||
|
- *str++=' ';
|
||||||
|
- len--;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (space && len) {
|
||||||
|
- *str++='\"';
|
||||||
|
- len--;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- rc = strlcpy (str, buf, len);
|
||||||
|
- str += rc;
|
||||||
|
- len -= rc;
|
||||||
|
-
|
||||||
|
- if (space && len) {
|
||||||
|
- *str++='\"';
|
||||||
|
- len--;
|
||||||
|
- }
|
||||||
|
|
||||||
|
- argv++;
|
||||||
|
+ return str
|
||||||
|
+%:
|
||||||
|
+ return __get_compat_argv(argv, first)
|
||||||
|
+%)
|
||||||
|
+}
|
||||||
|
+/* This function copies an argv from userspace. */
|
||||||
|
+function __get_compat_argv:string(argv:long, first:long)
|
||||||
|
+{
|
||||||
|
+ if (first && argv)
|
||||||
|
+ argv += 4
|
||||||
|
+ while (argv) {
|
||||||
|
+ vstr = user_int(argv) & 0xffffffff
|
||||||
|
+ if (!vstr)
|
||||||
|
+ break
|
||||||
|
+ if (len)
|
||||||
|
+ str .= " "
|
||||||
|
+ str .= user_string_quoted(vstr)
|
||||||
|
+
|
||||||
|
+ newlen = strlen(str)
|
||||||
|
+ if (newlen == len)
|
||||||
|
+ break
|
||||||
|
+ len = newlen
|
||||||
|
+ argv += 4
|
||||||
|
}
|
||||||
|
- *str = 0;
|
||||||
|
-#endif
|
||||||
|
-%}
|
||||||
|
+
|
||||||
|
+ return str
|
||||||
|
+}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Return the symbolic string representation
|
262
systemtap-1.1-tighten-server-params.patch
Normal file
262
systemtap-1.1-tighten-server-params.patch
Normal file
@ -0,0 +1,262 @@
|
|||||||
|
Note: Not including testsuite part.
|
||||||
|
|
||||||
|
commit c0d1b5a004b9949bb455b7dbe17b335b7cab9ead
|
||||||
|
Author: Frank Ch. Eigler <fche@elastic.org>
|
||||||
|
Date: Fri Feb 12 10:25:43 2010 -0500
|
||||||
|
|
||||||
|
PR11105 part 2: tighten constraints on stap-server parameters passed to make
|
||||||
|
|
||||||
|
* util.h, util.cxx (assert_match_regexp): New function.
|
||||||
|
* main.cxx (main): Constrain -R, -r, -a, -D, -S, -q, -B flags.
|
||||||
|
* stap-serverd (listen): Harden stap-server-connect with ulimit/loop.
|
||||||
|
|
||||||
|
diff --git a/main.cxx b/main.cxx
|
||||||
|
index 8f5ee72..2dba179 100644
|
||||||
|
--- a/main.cxx
|
||||||
|
+++ b/main.cxx
|
||||||
|
@@ -57,7 +57,7 @@ version ()
|
||||||
|
<< "SystemTap translator/driver "
|
||||||
|
<< "(version " << VERSION << "/" << dwfl_version (NULL)
|
||||||
|
<< " " << GIT_MESSAGE << ")" << endl
|
||||||
|
- << "Copyright (C) 2005-2009 Red Hat, Inc. and others" << endl
|
||||||
|
+ << "Copyright (C) 2005-2010 Red Hat, Inc. and others" << endl
|
||||||
|
<< "This is free software; see the source for copying conditions." << endl;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -708,12 +708,12 @@ main (int argc, char * const argv [])
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 'o':
|
||||||
|
+ // NB: client_options not a problem, since pass 1-4 does not use output_file.
|
||||||
|
s.output_file = string (optarg);
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 'R':
|
||||||
|
- if (client_options)
|
||||||
|
- client_options_disallowed += client_options_disallowed.empty () ? "-R" : ", -R";
|
||||||
|
+ if (client_options) { cerr << "ERROR: -R invalid with --client-options" << endl; usage(s,1); }
|
||||||
|
s.runtime_path = string (optarg);
|
||||||
|
break;
|
||||||
|
|
||||||
|
@@ -722,6 +722,7 @@ main (int argc, char * const argv [])
|
||||||
|
client_options_disallowed += client_options_disallowed.empty () ? "-m" : ", -m";
|
||||||
|
s.module_name = string (optarg);
|
||||||
|
save_module = true;
|
||||||
|
+ // XXX: convert to assert_regexp_match()
|
||||||
|
{
|
||||||
|
string::size_type len = s.module_name.length();
|
||||||
|
|
||||||
|
@@ -766,15 +767,14 @@ main (int argc, char * const argv [])
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 'r':
|
||||||
|
- if (client_options)
|
||||||
|
- client_options_disallowed += client_options_disallowed.empty () ? "-r" : ", -r";
|
||||||
|
+ if (client_options) // NB: no paths!
|
||||||
|
+ assert_regexp_match("-r parameter from client", optarg, "^[a-z0-9_\\.-]+$");
|
||||||
|
setup_kernel_release(s, optarg);
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 'a':
|
||||||
|
- if (client_options)
|
||||||
|
- client_options_disallowed += client_options_disallowed.empty () ? "-a" : ", -a";
|
||||||
|
- s.architecture = string(optarg);
|
||||||
|
+ assert_regexp_match("-a parameter", optarg, "^[a-z0-9_-]+$");
|
||||||
|
+ s.architecture = string(optarg);
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 'k':
|
||||||
|
@@ -821,16 +821,19 @@ main (int argc, char * const argv [])
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 'D':
|
||||||
|
+ assert_regexp_match ("-D parameter", optarg, "^[a-z_][a-z_0-9]*(=[a-z_0-9]+)?$");
|
||||||
|
if (client_options)
|
||||||
|
client_options_disallowed += client_options_disallowed.empty () ? "-D" : ", -D";
|
||||||
|
s.macros.push_back (string (optarg));
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 'S':
|
||||||
|
+ assert_regexp_match ("-S parameter", optarg, "^[0-9]+(,[0-9]+)?$");
|
||||||
|
s.size_option = string (optarg);
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 'q':
|
||||||
|
+ if (client_options) { cerr << "ERROR: -q invalid with --client-options" << endl; usage(s,1); }
|
||||||
|
s.tapset_compile_coverage = true;
|
||||||
|
break;
|
||||||
|
|
||||||
|
@@ -861,9 +864,8 @@ main (int argc, char * const argv [])
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 'B':
|
||||||
|
- if (client_options)
|
||||||
|
- client_options_disallowed += client_options_disallowed.empty () ? "-B" : ", -B";
|
||||||
|
- s.kbuildflags.push_back (string (optarg));
|
||||||
|
+ if (client_options) { cerr << "ERROR: -B invalid with --client-options" << endl; usage(s,1); }
|
||||||
|
+ s.kbuildflags.push_back (string (optarg));
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 0:
|
||||||
|
diff --git a/stap-serverd b/stap-serverd
|
||||||
|
index eda9711..5820286 100755
|
||||||
|
--- a/stap-serverd
|
||||||
|
+++ b/stap-serverd
|
||||||
|
@@ -360,11 +360,19 @@ function advertise_presence {
|
||||||
|
function listen {
|
||||||
|
# The stap-server-connect program will listen forever
|
||||||
|
# accepting requests.
|
||||||
|
- ${stap_pkglibexecdir}stap-server-connect \
|
||||||
|
- -p $port -n $nss_cert -d $ssl_db -w $nss_pw \
|
||||||
|
- -s "$stap_options" \
|
||||||
|
- >> $logfile 2>&1 &
|
||||||
|
- wait '%${stap_pkglibexecdir}stap-server-connect' >> $logfile 2>&1
|
||||||
|
+ # CVE-2009-4273 ... or at least, until resource limits fire
|
||||||
|
+ while true; do # NB: loop to avoid DoS by deliberate rlimit-induced halt
|
||||||
|
+ # NB: impose resource limits in case of mischevious data inducing
|
||||||
|
+ # too much / long computation
|
||||||
|
+ (ulimit -f 50000 -s 1000 -t 60 -u 20 -v 500000;
|
||||||
|
+ exec ${stap_pkglibexecdir}stap-server-connect \
|
||||||
|
+ -p $port -n $nss_cert -d $ssl_db -w $nss_pw \
|
||||||
|
+ -s "$stap_options") &
|
||||||
|
+ stap_server_connect_pid=$!
|
||||||
|
+ wait
|
||||||
|
+ # NB: avoid superfast spinning in case of a ulimit or other failure
|
||||||
|
+ sleep 1
|
||||||
|
+ done >> $logfile 2>&1
|
||||||
|
}
|
||||||
|
|
||||||
|
# function: warning [ MESSAGE ]
|
||||||
|
@@ -396,8 +404,8 @@ function terminate {
|
||||||
|
wait '%avahi-publish-service' >> $logfile 2>&1
|
||||||
|
|
||||||
|
# Kill any running 'stap-server-connect' job.
|
||||||
|
- kill -s SIGTERM '%${stap_pkglibexecdir}stap-server-connect' >> $logfile 2>&1
|
||||||
|
- wait '%${stap_pkglibexecdir}stap-server-connect' >> $logfile 2>&1
|
||||||
|
+ kill -s SIGTERM $stap_server_connect_pid >> $logfile 2>&1
|
||||||
|
+ wait $stap_server_connect_pid >> $logfile 2>&1
|
||||||
|
|
||||||
|
exit
|
||||||
|
}
|
||||||
|
diff --git a/util.cxx b/util.cxx
|
||||||
|
index 736e5a3..73ba167 100644
|
||||||
|
--- a/util.cxx
|
||||||
|
+++ b/util.cxx
|
||||||
|
@@ -1,5 +1,5 @@
|
||||||
|
// Copyright (C) Andrew Tridgell 2002 (original file)
|
||||||
|
-// Copyright (C) 2006, 2009 Red Hat Inc. (systemtap changes)
|
||||||
|
+// Copyright (C) 2006-2010 Red Hat Inc. (systemtap changes)
|
||||||
|
//
|
||||||
|
// This program is free software; you can redistribute it and/or
|
||||||
|
// modify it under the terms of the GNU General Public License as
|
||||||
|
@@ -19,6 +19,8 @@
|
||||||
|
#include "sys/sdt.h"
|
||||||
|
#include <stdexcept>
|
||||||
|
#include <cerrno>
|
||||||
|
+#include <map>
|
||||||
|
+#include <string>
|
||||||
|
|
||||||
|
extern "C" {
|
||||||
|
#include <fcntl.h>
|
||||||
|
@@ -31,6 +33,7 @@ extern "C" {
|
||||||
|
#include <sys/types.h>
|
||||||
|
#include <sys/wait.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
+#include <regex.h>
|
||||||
|
}
|
||||||
|
|
||||||
|
using namespace std;
|
||||||
|
@@ -413,4 +416,35 @@ kill_stap_spawn(int sig)
|
||||||
|
return spawned_pid ? kill(spawned_pid, sig) : 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+
|
||||||
|
+void assert_regexp_match (const string& name, const string& value, const string& re)
|
||||||
|
+{
|
||||||
|
+ typedef map<string,regex_t*> cache;
|
||||||
|
+ static cache compiled;
|
||||||
|
+ cache::iterator it = compiled.find (re);
|
||||||
|
+ regex_t* r = 0;
|
||||||
|
+ if (it == compiled.end())
|
||||||
|
+ {
|
||||||
|
+ r = new regex_t;
|
||||||
|
+ int rc = regcomp (r, re.c_str(), REG_ICASE|REG_NOSUB|REG_EXTENDED);
|
||||||
|
+ if (rc) {
|
||||||
|
+ cerr << "regcomp " << re << " (" << name << ") error rc=" << rc << endl;
|
||||||
|
+ exit(1);
|
||||||
|
+ }
|
||||||
|
+ compiled[re] = r;
|
||||||
|
+ }
|
||||||
|
+ else
|
||||||
|
+ r = it->second;
|
||||||
|
+
|
||||||
|
+ // run regexec
|
||||||
|
+ int rc = regexec (r, value.c_str(), 0, 0, 0);
|
||||||
|
+ if (rc)
|
||||||
|
+ {
|
||||||
|
+ cerr << "ERROR: Safety pattern mismatch for " << name
|
||||||
|
+ << " ('" << value << "' vs. '" << re << "') rc=" << rc << endl;
|
||||||
|
+ exit(1);
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
/* vim: set sw=2 ts=8 cino=>4,n-2,{2,^-2,t0,(0,u0,w1,M1 : */
|
||||||
|
diff --git a/util.h b/util.h
|
||||||
|
index 8fc64cb..75e198c 100644
|
||||||
|
--- a/util.h
|
||||||
|
+++ b/util.h
|
||||||
|
@@ -21,7 +21,7 @@ const std::string cmdstr_quoted(const std::string& cmd);
|
||||||
|
std::string git_revision(const std::string& path);
|
||||||
|
int stap_system(int verbose, const std::string& command);
|
||||||
|
int kill_stap_spawn(int sig);
|
||||||
|
-
|
||||||
|
+void assert_regexp_match (const std::string& name, const std::string& value, const std::string& re);
|
||||||
|
|
||||||
|
// stringification generics
|
||||||
|
|
||||||
|
|
||||||
|
commit cc9e5488d82b728e568bca1f8d6094856fc8e641
|
||||||
|
Author: Frank Ch. Eigler <fche@elastic.org>
|
||||||
|
Date: Fri Feb 12 10:39:58 2010 -0500
|
||||||
|
|
||||||
|
PR11105 part 2a, fix buggy \\. in -r option regexp
|
||||||
|
|
||||||
|
diff --git a/main.cxx b/main.cxx
|
||||||
|
index 2dba179..b5fdbc0 100644
|
||||||
|
--- a/main.cxx
|
||||||
|
+++ b/main.cxx
|
||||||
|
@@ -768,7 +768,7 @@ main (int argc, char * const argv [])
|
||||||
|
|
||||||
|
case 'r':
|
||||||
|
if (client_options) // NB: no paths!
|
||||||
|
- assert_regexp_match("-r parameter from client", optarg, "^[a-z0-9_\\.-]+$");
|
||||||
|
+ assert_regexp_match("-r parameter from client", optarg, "^[a-z0-9_.-]+$");
|
||||||
|
setup_kernel_release(s, optarg);
|
||||||
|
break;
|
||||||
|
|
||||||
|
|
||||||
|
commit c8408b459b88a5aa5f4325e690aef95b5da7c2eb
|
||||||
|
Author: Mark Wielaard <mjw@redhat.com>
|
||||||
|
Date: Sun Feb 14 21:42:06 2010 +0100
|
||||||
|
|
||||||
|
PR11281 Allow negative values for -D argument.
|
||||||
|
|
||||||
|
Change regexp match to "^[a-z_][a-z_0-9]*(=-?[a-z_0-9]+)?$".
|
||||||
|
|
||||||
|
* main.cxx (main): case 'D' allow optional single minus sign after equal
|
||||||
|
in assert_regexp_match().
|
||||||
|
|
||||||
|
diff --git a/main.cxx b/main.cxx
|
||||||
|
index b5fdbc0..faac7f8 100644
|
||||||
|
--- a/main.cxx
|
||||||
|
+++ b/main.cxx
|
||||||
|
@@ -821,7 +821,7 @@ main (int argc, char * const argv [])
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 'D':
|
||||||
|
- assert_regexp_match ("-D parameter", optarg, "^[a-z_][a-z_0-9]*(=[a-z_0-9]+)?$");
|
||||||
|
+ assert_regexp_match ("-D parameter", optarg, "^[a-z_][a-z_0-9]*(=-?[a-z_0-9]+)?$");
|
||||||
|
if (client_options)
|
||||||
|
client_options_disallowed += client_options_disallowed.empty () ? "-D" : ", -D";
|
||||||
|
s.macros.push_back (string (optarg));
|
@ -12,7 +12,7 @@
|
|||||||
|
|
||||||
Name: systemtap
|
Name: systemtap
|
||||||
Version: 1.1
|
Version: 1.1
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
# for version, see also configure.ac
|
# for version, see also configure.ac
|
||||||
Summary: Instrumentation System
|
Summary: Instrumentation System
|
||||||
Group: Development/System
|
Group: Development/System
|
||||||
@ -56,6 +56,10 @@ BuildRequires: elfutils-devel >= %{elfutils_version}
|
|||||||
Requires: crash
|
Requires: crash
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
Patch10: systemtap-1.1-cfi-cfa_ops-fixes.patch
|
||||||
|
Patch11: systemtap-1.1-get_argv.patch
|
||||||
|
Patch12: systemtap-1.1-tighten-server-params.patch
|
||||||
|
|
||||||
%if %{with_docs}
|
%if %{with_docs}
|
||||||
BuildRequires: /usr/bin/latex /usr/bin/dvips /usr/bin/ps2pdf latex2html
|
BuildRequires: /usr/bin/latex /usr/bin/dvips /usr/bin/ps2pdf latex2html
|
||||||
# On F10, xmlto's pdf support was broken off into a sub-package,
|
# On F10, xmlto's pdf support was broken off into a sub-package,
|
||||||
@ -189,6 +193,10 @@ find . \( -name configure -o -name config.h.in \) -print | xargs touch
|
|||||||
cd ..
|
cd ..
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
%patch10 -p1
|
||||||
|
%patch11 -p1
|
||||||
|
%patch12 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
|
|
||||||
%if %{with_bundled_elfutils}
|
%if %{with_bundled_elfutils}
|
||||||
@ -492,6 +500,14 @@ exit 0
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Feb 15 2010 Mark Wielaard <mjw@redhat.com> - 1.1-2
|
||||||
|
- Add systemtap-1.1-cfi-cfa_ops-fixes.patch
|
||||||
|
- Resolves RHBZ #564429
|
||||||
|
- Add systemtap-1.1-get_argv.patch
|
||||||
|
- Resolves CVE-2010-0411
|
||||||
|
- Add systemtap-1.1-tighten-server-params.patch (excluding testsuite)
|
||||||
|
- Resolves CVE-2010-0412, CVE-2009-4273
|
||||||
|
|
||||||
* Mon Dec 21 2009 David Smith <dsmith@redhat.com> - 1.1-1
|
* Mon Dec 21 2009 David Smith <dsmith@redhat.com> - 1.1-1
|
||||||
- Upstream release.
|
- Upstream release.
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user