c888d4e1d8
Copy from home:jones_tony:Factory/systemtap via accept of submit request 25952 revision 3. Request was accepted with message: OBS-URL: https://build.opensuse.org/request/show/25952 OBS-URL: https://build.opensuse.org/package/show/devel:tools/systemtap?expand=0&rev=7
From: Jan Lieskovsky <jlieskov@redhat.com>
|
|
Subject: Three SystemTap-1.0 denial of service issues
|
|
References: CVE-2009-2911, BNC#548361
|
|
Upstream: yes
|
|
|
|
Three denial of service flaws were found in the SystemTap
|
|
instrumentation system of version 1.0, when the --unprivileged mode was
|
|
activated:
|
|
|
|
a, Kernel stack overflow allows local attackers to cause denial of service or
|
|
execute arbitrary code via a large number of parameters provided to the print*
|
|
call.
|
|
|
|
diff --git a/buildrun.cxx b/buildrun.cxx
|
|
index 100cbc4..c86a442 100644
|
|
--- a/buildrun.cxx
|
|
+++ b/buildrun.cxx
|
|
@@ -200,6 +200,9 @@ compile_pass (systemtap_session& s)
|
|
|
|
// o << "CFLAGS += -fno-unit-at-a-time" << endl;
|
|
|
|
+ // 512 bytes should be enough for anybody
|
|
+ o << "EXTRA_CFLAGS += $(call cc-option,-Wframe-larger-than=512)" << endl;
|
|
+
|
|
// Assumes linux 2.6 kbuild
|
|
o << "EXTRA_CFLAGS += -Wno-unused -Werror" << endl;
|
|
#if CHECK_POINTER_ARITH_PR5947
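Review bot: The frame-size bound added at `o << "EXTRA_CFLAGS += $(call cc-option,-Wframe-larger-than=512)"` is only enforced on toolchains whose compiler accepts that option, because `cc-option` silently drops it otherwise; on such toolchains the 32-argument cap in translate.cxx is the only remaining protection, and the comment should say so. The comment `// 512 bytes should be enough for anybody` also does not record why the option is there or that the `-Werror` two lines below turns the warning into a build failure. Suggest replacing it with `// Bound the stack frame of generated probe code; with -Werror (below) any frame over 512 bytes fails the build. Only effective where cc-option accepts -Wframe-larger-than.` compile_pass begins before this hunk.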
|
|
diff --git a/testsuite/transko/varargs.stp b/testsuite/transko/varargs.stp
|
|
new file mode 100755
|
|
index 0000000..f38309a
|
|
--- /dev/null
|
|
+++ b/testsuite/transko/varargs.stp
|
|
@@ -0,0 +1,10 @@
|
|
+#! stap -p3
|
|
+
|
|
+probe begin {
|
|
+ // PR10750 enforces at most 32 print args
|
|
+ println(1, 2, 3, 4, 5, 6, 7, 8,
|
|
+ 9, 10, 11, 12, 13, 14, 15, 16,
|
|
+ 17, 18, 19, 20, 21, 22, 23, 24,
|
|
+ 25, 26, 27, 28, 29, 30, 31, 32,
|
|
+ 33)
|
|
+}
|
|
diff --git a/testsuite/transok/varargs.stp b/testsuite/transok/varargs.stp
|
|
new file mode 100755
|
|
index 0000000..216166f
|
|
--- /dev/null
|
|
+++ b/testsuite/transok/varargs.stp
|
|
@@ -0,0 +1,9 @@
|
|
+#! stap -p3
|
|
+
|
|
+probe begin {
|
|
+ // PR10750 enforces at most 32 print args
|
|
+ println(1, 2, 3, 4, 5, 6, 7, 8,
|
|
+ 9, 10, 11, 12, 13, 14, 15, 16,
|
|
+ 17, 18, 19, 20, 21, 22, 23, 24,
|
|
+ 25, 26, 27, 28, 29, 30, 31, 32)
|
|
+}
|
|
diff --git a/translate.cxx b/translate.cxx
|
|
index 04a9247..c73a5bd 100644
|
|
--- a/translate.cxx
|
|
+++ b/translate.cxx
|
|
@@ -4151,6 +4151,11 @@ c_unparser::visit_print_format (print_format* e)
|
|
{
|
|
stmt_expr block(*this);
|
|
|
|
+ // PR10750: Enforce a reasonable limit on # of varargs
|
|
+ // 32 varargs leads to max 256 bytes on the stack
|
|
+ if (e->args.size() > 32)
|
|
+ throw semantic_error("too many arguments to print", e->tok);
|
|
+
|
|
// Compute actual arguments
|
|
vector<tmpvar> tmp;
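Review bot: The limit in `if (e->args.size() > 32)` is a bare magic number that the comment above it, both new testsuite scripts and the 512-byte frame bound in buildrun.cxx all depend on, with nothing tying them together if it is ever tuned. Suggest naming it and surfacing it in the diagnostic: `static const size_t max_print_args = 32; // PR10750: bounds stack use of the generated print call`, `if (e->args.size() > max_print_args)`, `throw semantic_error("too many arguments to print (max 32)", e->tok);`. The comment's "256 bytes" figure presumably assumes 8 bytes per argument; stating that assumption explicitly would make the relation to the 512-byte frame limit checkable. The signature of visit_print_format sits just above this hunk and its body continues beyond it.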
|
|
|
|
|