forked from pool/systemtap
af8494b7bc
Copy from home:vuntz:branches:devel:tools/systemtap via accept of submit request 43603 revision 2. Request was accepted with message: Reviewed ok OBS-URL: https://build.opensuse.org/request/show/43603 OBS-URL: https://build.opensuse.org/package/show/devel:tools/systemtap?expand=0&rev=12
188 lines
3.6 KiB
Diff
188 lines
3.6 KiB
Diff
Subject: VUL-1: systemtap: DoS issue in __get_argv() function
|
|
References: bnc#577382
|
|
Signed-Off-By: Tony Jones <tonyj@suse.de>
|
|
|
|
commit a2d399c87a642190f08ede63dc6fc434a5a8363a
|
|
Author: Josh Stone <jistone@redhat.com>
|
|
Date: Thu Feb 4 17:47:31 2010 -0800
|
|
|
|
PR11234: Rewrite __get_argv without embedded-C
|
|
|
|
We now implement __get_argv's string building in pure stap script.
|
|
Also, every argument is now quoted, which is different than before, but
|
|
it's much more robust about handling special characters.
|
|
|
|
diff --git a/tapset/aux_syscalls.stp b/tapset/aux_syscalls.stp
|
|
index bab0f64..e762b37 100644
|
|
--- a/tapset/aux_syscalls.stp
|
|
+++ b/tapset/aux_syscalls.stp
|
|
@@ -399,124 +399,53 @@ function __sem_flags:string(semflg:long)
|
|
|
|
|
|
/* This function copies an argv from userspace. */
|
|
-function __get_argv:string(a:long, first:long)
|
|
-%{ /* pure */
|
|
- char __user *__user *argv = (char __user *__user *)(long)THIS->a;
|
|
- char __user *vstr;
|
|
- int space, rc, len = MAXSTRINGLEN;
|
|
- char *str = THIS->__retvalue;
|
|
- char buf[80];
|
|
- char *ptr = buf;
|
|
-
|
|
-
|
|
- if (THIS->first && argv)
|
|
- argv++;
|
|
-
|
|
- while (argv != NULL) {
|
|
- if (__stp_get_user (vstr, argv))
|
|
- break;
|
|
-
|
|
- if (vstr == NULL)
|
|
- break;
|
|
-
|
|
- rc = _stp_strncpy_from_user(buf, vstr, 79);
|
|
- if (rc <= 0)
|
|
- break;
|
|
-
|
|
- /* check for whitespace in string */
|
|
- buf[rc] = 0;
|
|
- ptr = buf;
|
|
- space = 0;
|
|
- while (*ptr && rc--) {
|
|
- if (isspace(*ptr++)) {
|
|
- space = 1;
|
|
- break;
|
|
- }
|
|
- }
|
|
-
|
|
- if (len != MAXSTRINGLEN && len) {
|
|
- *str++=' ';
|
|
- len--;
|
|
- }
|
|
-
|
|
- if (space && len) {
|
|
- *str++='\"';
|
|
- len--;
|
|
- }
|
|
-
|
|
- rc = strlcpy (str, buf, len);
|
|
- str += rc;
|
|
- len -= rc;
|
|
-
|
|
- if (space && len) {
|
|
- *str++='\"';
|
|
- len--;
|
|
- }
|
|
-
|
|
- argv++;
|
|
+function __get_argv:string(argv:long, first:long)
|
|
+{
|
|
+%( CONFIG_64BIT == "y" %?
|
|
+ if (first && argv)
|
|
+ argv += 8
|
|
+ while (argv) {
|
|
+ vstr = user_long(argv)
|
|
+ if (!vstr)
|
|
+ break
|
|
+ if (len)
|
|
+ str .= " "
|
|
+ str .= user_string_quoted(vstr)
|
|
+
|
|
+ newlen = strlen(str)
|
|
+ if (newlen == len)
|
|
+ break
|
|
+ len = newlen
|
|
+ argv += 8
|
|
}
|
|
- *str = 0;
|
|
-%}
|
|
-/* This function copies an argv from userspace. */
|
|
-function __get_compat_argv:string(a:long, first:long)
|
|
-%{ /* pure */
|
|
-#ifdef CONFIG_COMPAT
|
|
- compat_uptr_t __user *__user *argv = (compat_uptr_t __user *__user *)(long)THIS->a;
|
|
- compat_uptr_t __user *vstr;
|
|
- int space, rc, len = MAXSTRINGLEN;
|
|
- char *str = THIS->__retvalue;
|
|
- char buf[80];
|
|
- char *ptr = buf;
|
|
-
|
|
- if (THIS->first && argv)
|
|
- argv++;
|
|
-
|
|
- while (argv != NULL) {
|
|
- if (__stp_get_user (vstr, argv))
|
|
- break;
|
|
-
|
|
- if (vstr == NULL)
|
|
- break;
|
|
-
|
|
- rc = _stp_strncpy_from_user(buf, (char *)vstr, 79);
|
|
- if (rc <= 0)
|
|
- break;
|
|
-
|
|
- /* check for whitespace in string */
|
|
- buf[rc] = 0;
|
|
- ptr = buf;
|
|
- space = 0;
|
|
- while (*ptr && rc--) {
|
|
- if (isspace(*ptr++)) {
|
|
- space = 1;
|
|
- break;
|
|
- }
|
|
- }
|
|
-
|
|
- if (len != MAXSTRINGLEN && len) {
|
|
- *str++=' ';
|
|
- len--;
|
|
- }
|
|
-
|
|
- if (space && len) {
|
|
- *str++='\"';
|
|
- len--;
|
|
- }
|
|
-
|
|
- rc = strlcpy (str, buf, len);
|
|
- str += rc;
|
|
- len -= rc;
|
|
-
|
|
- if (space && len) {
|
|
- *str++='\"';
|
|
- len--;
|
|
- }
|
|
|
|
- argv++;
|
|
+ return str
|
|
+%:
|
|
+ return __get_compat_argv(argv, first)
|
|
+%)
|
|
+}
|
|
+/* This function copies an argv from userspace. */
|
|
+function __get_compat_argv:string(argv:long, first:long)
|
|
+{
|
|
+ if (first && argv)
|
|
+ argv += 4
|
|
+ while (argv) {
|
|
+ vstr = user_int(argv) & 0xffffffff
|
|
+ if (!vstr)
|
|
+ break
|
|
+ if (len)
|
|
+ str .= " "
|
|
+ str .= user_string_quoted(vstr)
|
|
+
|
|
+ newlen = strlen(str)
|
|
+ if (newlen == len)
|
|
+ break
|
|
+ len = newlen
|
|
+ argv += 4
|
|
}
|
|
- *str = 0;
|
|
-#endif
|
|
-%}
|
|
+
|
|
+ return str
|
|
+}
|
|
|
|
/*
|
|
* Return the symbolic string representation
|