From: Jan Lieskovsky
Subject: Three SystemTap-1.0 denial of service issues
References: CVE-2009-2911, BNC#548361
Upstream: yes

Three denial of service flaws were found in the SystemTap instrumentation system of version 1.0, when the --unprivileged mode was activated:

a, Kernel stack overflow allows local attackers to cause denial of service or execute arbitrary code via long number of parameters, provided to the print* call.

diff --git a/buildrun.cxx b/buildrun.cxx
index 100cbc4..c86a442 100644
--- a/buildrun.cxx
+++ b/buildrun.cxx
@@ -200,6 +200,9 @@ compile_pass (systemtap_session& s)
  // o << "CFLAGS += -fno-unit-at-a-time" << endl;
 
+ // 512 bytes should be enough for anybody
+ o << "EXTRA_CFLAGS += $(call cc-option,-Wframe-larger-than=512)" << endl;
+
  // Assumes linux 2.6 kbuild
  o << "EXTRA_CFLAGS += -Wno-unused -Werror" << endl;
 #if CHECK_POINTER_ARITH_PR5947
diff --git a/testsuite/transko/varargs.stp b/testsuite/transko/varargs.stp
new file mode 100755
index 0000000..f38309a
--- /dev/null
+++ b/testsuite/transko/varargs.stp
@@ -0,0 +1,10 @@
+#! stap -p3
+
+probe begin {
+ // PR10750 enforces at most 32 print args
+ println(1, 2, 3, 4, 5, 6, 7, 8,
+ 9, 10, 11, 12, 13, 14, 15, 16,
+ 17, 18, 19, 20, 21, 22, 23, 24,
+ 25, 26, 27, 28, 29, 30, 31, 32,
+ 33)
+}
diff --git a/testsuite/transok/varargs.stp b/testsuite/transok/varargs.stp
new file mode 100755
index 0000000..216166f
--- /dev/null
+++ b/testsuite/transok/varargs.stp
@@ -0,0 +1,9 @@
+#! stap -p3
+
+probe begin {
+ // PR10750 enforces at most 32 print args
+ println(1, 2, 3, 4, 5, 6, 7, 8,
+ 9, 10, 11, 12, 13, 14, 15, 16,
+ 17, 18, 19, 20, 21, 22, 23, 24,
+ 25, 26, 27, 28, 29, 30, 31, 32)
+}
diff --git a/translate.cxx b/translate.cxx
index 04a9247..c73a5bd 100644
--- a/translate.cxx
+++ b/translate.cxx
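Review bot: The -Wframe-larger-than=512 flag added in compile_pass is wrapped in $(call cc-option,...), so on a compiler that does not recognise it the expansion is empty and this stack-size guard silently disappears; only the 32-argument cap added in translate.cxx (visit_print_format) is enforced unconditionally, so this hunk is a best-effort backstop rather than the fix itself. The flag also applies to every function in the generated module, not just the print-format code, so any other generated function with a frame above 512 bytes will now fail the build via the -Werror appended on the following line — whether the rest of the generated code stays under that bound is not visible here. The comment `// 512 bytes should be enough for anybody` does not say what the limit is for; I would replace it with `// PR10750: backstop for the 32-vararg cap in translate.cxx; -Werror below makes this fatal`. compile_pass continues outside the hunk.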
@@ -4151,6 +4151,11 @@ c_unparser::visit_print_format (print_format* e)
 {
 stmt_expr block(*this);
+ // PR10750: Enforce a reasonable limit on # of varargs
+ // 32 varargs leads to max 256 bytes on the stack
+ if (e->args.size() > 32)
+ throw semantic_error("too many arguments to print", e->tok);
+
 // Compute actual arguments
 vector tmp;