- Add systemtap-1.1-tighten-server-params.patch (excluding testsuite)

- Resolves CVE-2010-0412, CVE-2009-4273
This commit is contained in:
Mark Wielaard 2010-02-15 15:36:37 +00:00
parent 319a435d51
commit ee4919ba12
2 changed files with 266 additions and 0 deletions

View File

@ -0,0 +1,262 @@
Note: Not including testsuite part.
commit c0d1b5a004b9949bb455b7dbe17b335b7cab9ead
Author: Frank Ch. Eigler <fche@elastic.org>
Date: Fri Feb 12 10:25:43 2010 -0500
PR11105 part 2: tighten constraints on stap-server parameters passed to make
* util.h, util.cxx (assert_match_regexp): New function.
* main.cxx (main): Constrain -R, -r, -a, -D, -S, -q, -B flags.
* stap-serverd (listen): Harden stap-server-connect with ulimit/loop.
diff --git a/main.cxx b/main.cxx
index 8f5ee72..2dba179 100644
--- a/main.cxx
+++ b/main.cxx
@@ -57,7 +57,7 @@ version ()
<< "SystemTap translator/driver "
<< "(version " << VERSION << "/" << dwfl_version (NULL)
<< " " << GIT_MESSAGE << ")" << endl
- << "Copyright (C) 2005-2009 Red Hat, Inc. and others" << endl
+ << "Copyright (C) 2005-2010 Red Hat, Inc. and others" << endl
<< "This is free software; see the source for copying conditions." << endl;
}
@@ -708,12 +708,12 @@ main (int argc, char * const argv [])
break;
case 'o':
+ // NB: client_options not a problem, since pass 1-4 does not use output_file.
s.output_file = string (optarg);
break;
case 'R':
- if (client_options)
- client_options_disallowed += client_options_disallowed.empty () ? "-R" : ", -R";
+ if (client_options) { cerr << "ERROR: -R invalid with --client-options" << endl; usage(s,1); }
s.runtime_path = string (optarg);
break;
@@ -722,6 +722,7 @@ main (int argc, char * const argv [])
client_options_disallowed += client_options_disallowed.empty () ? "-m" : ", -m";
s.module_name = string (optarg);
save_module = true;
+ // XXX: convert to assert_regexp_match()
{
string::size_type len = s.module_name.length();
@@ -766,15 +767,14 @@ main (int argc, char * const argv [])
break;
case 'r':
- if (client_options)
- client_options_disallowed += client_options_disallowed.empty () ? "-r" : ", -r";
+ if (client_options) // NB: no paths!
+ assert_regexp_match("-r parameter from client", optarg, "^[a-z0-9_\\.-]+$");
setup_kernel_release(s, optarg);
break;
case 'a':
- if (client_options)
- client_options_disallowed += client_options_disallowed.empty () ? "-a" : ", -a";
- s.architecture = string(optarg);
+ assert_regexp_match("-a parameter", optarg, "^[a-z0-9_-]+$");
+ s.architecture = string(optarg);
break;
case 'k':
@@ -821,16 +821,19 @@ main (int argc, char * const argv [])
break;
case 'D':
+ assert_regexp_match ("-D parameter", optarg, "^[a-z_][a-z_0-9]*(=[a-z_0-9]+)?$");
if (client_options)
client_options_disallowed += client_options_disallowed.empty () ? "-D" : ", -D";
s.macros.push_back (string (optarg));
break;
case 'S':
+ assert_regexp_match ("-S parameter", optarg, "^[0-9]+(,[0-9]+)?$");
s.size_option = string (optarg);
break;
case 'q':
+ if (client_options) { cerr << "ERROR: -q invalid with --client-options" << endl; usage(s,1); }
s.tapset_compile_coverage = true;
break;
@@ -861,9 +864,8 @@ main (int argc, char * const argv [])
break;
case 'B':
- if (client_options)
- client_options_disallowed += client_options_disallowed.empty () ? "-B" : ", -B";
- s.kbuildflags.push_back (string (optarg));
+ if (client_options) { cerr << "ERROR: -B invalid with --client-options" << endl; usage(s,1); }
+ s.kbuildflags.push_back (string (optarg));
break;
case 0:
diff --git a/stap-serverd b/stap-serverd
index eda9711..5820286 100755
--- a/stap-serverd
+++ b/stap-serverd
@@ -360,11 +360,19 @@ function advertise_presence {
function listen {
# The stap-server-connect program will listen forever
# accepting requests.
- ${stap_pkglibexecdir}stap-server-connect \
- -p $port -n $nss_cert -d $ssl_db -w $nss_pw \
- -s "$stap_options" \
- >> $logfile 2>&1 &
- wait '%${stap_pkglibexecdir}stap-server-connect' >> $logfile 2>&1
+ # CVE-2009-4273 ... or at least, until resource limits fire
+ while true; do # NB: loop to avoid DoS by deliberate rlimit-induced halt
+ # NB: impose resource limits in case of mischevious data inducing
+ # too much / long computation
+ (ulimit -f 50000 -s 1000 -t 60 -u 20 -v 500000;
+ exec ${stap_pkglibexecdir}stap-server-connect \
+ -p $port -n $nss_cert -d $ssl_db -w $nss_pw \
+ -s "$stap_options") &
+ stap_server_connect_pid=$!
+ wait
+ # NB: avoid superfast spinning in case of a ulimit or other failure
+ sleep 1
+ done >> $logfile 2>&1
}
# function: warning [ MESSAGE ]
@@ -396,8 +404,8 @@ function terminate {
wait '%avahi-publish-service' >> $logfile 2>&1
# Kill any running 'stap-server-connect' job.
- kill -s SIGTERM '%${stap_pkglibexecdir}stap-server-connect' >> $logfile 2>&1
- wait '%${stap_pkglibexecdir}stap-server-connect' >> $logfile 2>&1
+ kill -s SIGTERM $stap_server_connect_pid >> $logfile 2>&1
+ wait $stap_server_connect_pid >> $logfile 2>&1
exit
}
diff --git a/util.cxx b/util.cxx
index 736e5a3..73ba167 100644
--- a/util.cxx
+++ b/util.cxx
@@ -1,5 +1,5 @@
// Copyright (C) Andrew Tridgell 2002 (original file)
-// Copyright (C) 2006, 2009 Red Hat Inc. (systemtap changes)
+// Copyright (C) 2006-2010 Red Hat Inc. (systemtap changes)
//
// This program is free software; you can redistribute it and/or
// modify it under the terms of the GNU General Public License as
@@ -19,6 +19,8 @@
#include "sys/sdt.h"
#include <stdexcept>
#include <cerrno>
+#include <map>
+#include <string>
extern "C" {
#include <fcntl.h>
@@ -31,6 +33,7 @@ extern "C" {
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
+#include <regex.h>
}
using namespace std;
@@ -413,4 +416,35 @@ kill_stap_spawn(int sig)
return spawned_pid ? kill(spawned_pid, sig) : 0;
}
+
+void assert_regexp_match (const string& name, const string& value, const string& re)
+{
+ typedef map<string,regex_t*> cache;
+ static cache compiled;
+ cache::iterator it = compiled.find (re);
+ regex_t* r = 0;
+ if (it == compiled.end())
+ {
+ r = new regex_t;
+ int rc = regcomp (r, re.c_str(), REG_ICASE|REG_NOSUB|REG_EXTENDED);
+ if (rc) {
+ cerr << "regcomp " << re << " (" << name << ") error rc=" << rc << endl;
+ exit(1);
+ }
+ compiled[re] = r;
+ }
+ else
+ r = it->second;
+
+ // run regexec
+ int rc = regexec (r, value.c_str(), 0, 0, 0);
+ if (rc)
+ {
+ cerr << "ERROR: Safety pattern mismatch for " << name
+ << " ('" << value << "' vs. '" << re << "') rc=" << rc << endl;
+ exit(1);
+ }
+}
+
+
/* vim: set sw=2 ts=8 cino=>4,n-2,{2,^-2,t0,(0,u0,w1,M1 : */
diff --git a/util.h b/util.h
index 8fc64cb..75e198c 100644
--- a/util.h
+++ b/util.h
@@ -21,7 +21,7 @@ const std::string cmdstr_quoted(const std::string& cmd);
std::string git_revision(const std::string& path);
int stap_system(int verbose, const std::string& command);
int kill_stap_spawn(int sig);
-
+void assert_regexp_match (const std::string& name, const std::string& value, const std::string& re);
// stringification generics
commit cc9e5488d82b728e568bca1f8d6094856fc8e641
Author: Frank Ch. Eigler <fche@elastic.org>
Date: Fri Feb 12 10:39:58 2010 -0500
PR11105 part 2a, fix buggy \\. in -r option regexp
diff --git a/main.cxx b/main.cxx
index 2dba179..b5fdbc0 100644
--- a/main.cxx
+++ b/main.cxx
@@ -768,7 +768,7 @@ main (int argc, char * const argv [])
case 'r':
if (client_options) // NB: no paths!
- assert_regexp_match("-r parameter from client", optarg, "^[a-z0-9_\\.-]+$");
+ assert_regexp_match("-r parameter from client", optarg, "^[a-z0-9_.-]+$");
setup_kernel_release(s, optarg);
break;
commit c8408b459b88a5aa5f4325e690aef95b5da7c2eb
Author: Mark Wielaard <mjw@redhat.com>
Date: Sun Feb 14 21:42:06 2010 +0100
PR11281 Allow negative values for -D argument.
Change regexp match to "^[a-z_][a-z_0-9]*(=-?[a-z_0-9]+)?$".
* main.cxx (main): case 'D' allow optional single minus sign after equal
in assert_regexp_match().
diff --git a/main.cxx b/main.cxx
index b5fdbc0..faac7f8 100644
--- a/main.cxx
+++ b/main.cxx
@@ -821,7 +821,7 @@ main (int argc, char * const argv [])
break;
case 'D':
- assert_regexp_match ("-D parameter", optarg, "^[a-z_][a-z_0-9]*(=[a-z_0-9]+)?$");
+ assert_regexp_match ("-D parameter", optarg, "^[a-z_][a-z_0-9]*(=-?[a-z_0-9]+)?$");
if (client_options)
client_options_disallowed += client_options_disallowed.empty () ? "-D" : ", -D";
s.macros.push_back (string (optarg));

View File

@ -58,6 +58,7 @@ Requires: crash
Patch10: systemtap-1.1-cfi-cfa_ops-fixes.patch
Patch11: systemtap-1.1-get_argv.patch
Patch12: systemtap-1.1-tighten-server-params.patch
%if %{with_docs}
BuildRequires: /usr/bin/latex /usr/bin/dvips /usr/bin/ps2pdf latex2html
@ -194,6 +195,7 @@ cd ..
%patch10 -p1
%patch11 -p1
%patch12 -p1
%build
@ -503,6 +505,8 @@ exit 0
- Resolves RHBZ #564429
- Add systemtap-1.1-get_argv.patch
- Resolves CVE-2010-0411
- Add systemtap-1.1-tighten-server-params.patch (excluding testsuite)
- Resolves CVE-2010-0412, CVE-2009-4273
* Mon Dec 21 2009 David Smith <dsmith@redhat.com> - 1.1-1
- Upstream release.