SHA256
1
0
forked from pool/systemtap
systemtap/systemtap-CVE-2010-0411.diff
Tony Jones 5165295d2f Accepting request 34652 from home:jones_tony:Factory
Copy from home:jones_tony:Factory/systemtap via accept of submit request 34652 revision 6.
Request was accepted with message:

OBS-URL: https://build.opensuse.org/request/show/34652
OBS-URL: https://build.opensuse.org/package/show/devel:tools/systemtap?expand=0&rev=10
2010-03-12 00:04:39 +00:00

188 lines
3.6 KiB
Diff

Subject: VUL-1: systemtap: DoS issue in __get_argv() function
References: bnc#577382
Signed-Off-By: Tony Jones <tonyj@suse.de>
commit a2d399c87a642190f08ede63dc6fc434a5a8363a
Author: Josh Stone <jistone@redhat.com>
Date: Thu Feb 4 17:47:31 2010 -0800
PR11234: Rewrite __get_argv without embedded-C
We now implement __get_argv's string building in pure stap script.
Also, every argument is now quoted, which is different than before, but
it's much more robust about handling special characters.
diff --git a/tapset/aux_syscalls.stp b/tapset/aux_syscalls.stp
index bab0f64..e762b37 100644
--- a/tapset/aux_syscalls.stp
+++ b/tapset/aux_syscalls.stp
@@ -399,124 +399,53 @@ function __sem_flags:string(semflg:long)
/* This function copies an argv from userspace. */
-function __get_argv:string(a:long, first:long)
-%{ /* pure */
- char __user *__user *argv = (char __user *__user *)(long)THIS->a;
- char __user *vstr;
- int space, rc, len = MAXSTRINGLEN;
- char *str = THIS->__retvalue;
- char buf[80];
- char *ptr = buf;
-
-
- if (THIS->first && argv)
- argv++;
-
- while (argv != NULL) {
- if (__stp_get_user (vstr, argv))
- break;
-
- if (vstr == NULL)
- break;
-
- rc = _stp_strncpy_from_user(buf, vstr, 79);
- if (rc <= 0)
- break;
-
- /* check for whitespace in string */
- buf[rc] = 0;
- ptr = buf;
- space = 0;
- while (*ptr && rc--) {
- if (isspace(*ptr++)) {
- space = 1;
- break;
- }
- }
-
- if (len != MAXSTRINGLEN && len) {
- *str++=' ';
- len--;
- }
-
- if (space && len) {
- *str++='\"';
- len--;
- }
-
- rc = strlcpy (str, buf, len);
- str += rc;
- len -= rc;
-
- if (space && len) {
- *str++='\"';
- len--;
- }
-
- argv++;
+function __get_argv:string(argv:long, first:long)
+{
+%( CONFIG_64BIT == "y" %?
+ if (first && argv)
+ argv += 8
+ while (argv) {
+ vstr = user_long(argv)
+ if (!vstr)
+ break
+ if (len)
+ str .= " "
+ str .= user_string_quoted(vstr)
+
+ newlen = strlen(str)
+ if (newlen == len)
+ break
+ len = newlen
+ argv += 8
}
- *str = 0;
-%}
-/* This function copies an argv from userspace. */
-function __get_compat_argv:string(a:long, first:long)
-%{ /* pure */
-#ifdef CONFIG_COMPAT
- compat_uptr_t __user *__user *argv = (compat_uptr_t __user *__user *)(long)THIS->a;
- compat_uptr_t __user *vstr;
- int space, rc, len = MAXSTRINGLEN;
- char *str = THIS->__retvalue;
- char buf[80];
- char *ptr = buf;
-
- if (THIS->first && argv)
- argv++;
-
- while (argv != NULL) {
- if (__stp_get_user (vstr, argv))
- break;
-
- if (vstr == NULL)
- break;
-
- rc = _stp_strncpy_from_user(buf, (char *)vstr, 79);
- if (rc <= 0)
- break;
-
- /* check for whitespace in string */
- buf[rc] = 0;
- ptr = buf;
- space = 0;
- while (*ptr && rc--) {
- if (isspace(*ptr++)) {
- space = 1;
- break;
- }
- }
-
- if (len != MAXSTRINGLEN && len) {
- *str++=' ';
- len--;
- }
-
- if (space && len) {
- *str++='\"';
- len--;
- }
-
- rc = strlcpy (str, buf, len);
- str += rc;
- len -= rc;
-
- if (space && len) {
- *str++='\"';
- len--;
- }
- argv++;
+ return str
+%:
+ return __get_compat_argv(argv, first)
+%)
+}
+/* This function copies an argv from userspace. */
+function __get_compat_argv:string(argv:long, first:long)
+{
+ if (first && argv)
+ argv += 4
+ while (argv) {
+ vstr = user_int(argv) & 0xffffffff
+ if (!vstr)
+ break
+ if (len)
+ str .= " "
+ str .= user_string_quoted(vstr)
+
+ newlen = strlen(str)
+ if (newlen == len)
+ break
+ len = newlen
+ argv += 4
}
- *str = 0;
-#endif
-%}
+
+ return str
+}
/*
* Return the symbolic string representation