From 2396d5ccc645ff1cc66e4c876225e88ee544bb7a Mon Sep 17 00:00:00 2001 From: Josh Stone Date: Oct 21 2009 15:51:01 +0000 Subject: Fixes for CVE-2009-2911 --- diff --git a/SystemTap-1.0-limit-dwarf-expression-stack-size.patch b/SystemTap-1.0-limit-dwarf-expression-stack-size.patch new file mode 100644 index 0000000..c6d1ea9 --- /dev/null +++ b/SystemTap-1.0-limit-dwarf-expression-stack-size.patch @@ -0,0 +1,123 @@ +diff --git a/dwflpp.cxx b/dwflpp.cxx +index 636cd38..c31548d 100644 +--- a/dwflpp.cxx ++++ b/dwflpp.cxx +@@ -2272,7 +2272,15 @@ dwflpp::express_as_string (string prelude, + + fprintf(memstream, "{\n"); + fprintf(memstream, "%s", prelude.c_str()); +- bool deref = c_emit_location (memstream, head, 1); ++ ++ unsigned int stack_depth; ++ bool deref = c_emit_location (memstream, head, 1, &stack_depth); ++ ++ // Ensure that DWARF keeps loc2c to a "reasonable" stack size ++ // 32 intptr_t leads to max 256 bytes on the stack ++ if (stack_depth > 32) ++ throw semantic_error("oversized DWARF stack"); ++ + fprintf(memstream, "%s", postlude.c_str()); + fprintf(memstream, " goto out;\n"); + +diff --git a/loc2c-test.c b/loc2c-test.c +index 495a95f..ed7aa4b 100644 +--- a/loc2c-test.c ++++ b/loc2c-test.c +@@ -329,11 +329,14 @@ handle_variable (Dwarf_Die *lscopes, int lnscopes, int out, + "{\n" + " intptr_t value;"); + +- bool deref = c_emit_location (stdout, head, 1); ++ unsigned int stack_depth; ++ bool deref = c_emit_location (stdout, head, 1, &stack_depth); + + obstack_free (&pool, NULL); + +- puts (store ? " return;" : ++ printf (" /* max expression stack depth %u */\n", stack_depth); ++ ++ puts (store ? " return;" : + " printk (\" ---> %ld\\n\", (unsigned long) value);\n" + " return;"); + +diff --git a/loc2c.c b/loc2c.c +index 5d6b549..0716c7d 100644 +--- a/loc2c.c ++++ b/loc2c.c +@@ -2071,7 +2071,8 @@ emit_loc_address (FILE *out, struct location *loc, unsigned int indent, + assign it to an address-sized value. */ + static void + emit_loc_value (FILE *out, struct location *loc, unsigned int indent, +- const char *target, bool declare) ++ const char *target, bool declare, ++ bool *used_deref, unsigned int *max_stack) + { + if (declare) + emit ("%*s%s %s;\n", indent * 2, "", STACK_TYPE, target); +@@ -2091,6 +2092,9 @@ emit_loc_value (FILE *out, struct location *loc, unsigned int indent, + case loc_address: + case loc_value: + emit_loc_address (out, loc, indent, target); ++ *used_deref = *used_deref || loc->address.used_deref; ++ if (loc->address.stack_depth > *max_stack) ++ *max_stack = loc->address.stack_depth; + break; + } + +@@ -2098,7 +2102,8 @@ emit_loc_value (FILE *out, struct location *loc, unsigned int indent, + } + + bool +-c_emit_location (FILE *out, struct location *loc, int indent) ++c_emit_location (FILE *out, struct location *loc, int indent, ++ unsigned int *max_stack) + { + emit ("%*s{\n", indent * 2, ""); + +@@ -2134,9 +2139,11 @@ c_emit_location (FILE *out, struct location *loc, int indent) + } + + bool deref = false; ++ *max_stack = 0; + + if (loc->frame_base != NULL) +- emit_loc_value (out, loc->frame_base, indent, "frame_base", true); ++ emit_loc_value (out, loc->frame_base, indent, "frame_base", true, ++ &deref, max_stack); + + for (; loc->next != NULL; loc = loc->next) + switch (loc->type) +@@ -2144,8 +2151,7 @@ c_emit_location (FILE *out, struct location *loc, int indent) + case loc_address: + case loc_value: + /* Emit the program fragment to calculate the address. */ +- emit_loc_value (out, loc, indent + 1, "addr", false); +- deref = deref || loc->address.used_deref; ++ emit_loc_value (out, loc, indent + 1, "addr", false, &deref, max_stack); + break; + + case loc_fragment: +@@ -2172,6 +2178,9 @@ c_emit_location (FILE *out, struct location *loc, int indent) + + emit ("%s%*s}\n", loc->address.program, indent * 2, ""); + ++ if (loc->address.stack_depth > *max_stack) ++ *max_stack = loc->address.stack_depth; ++ + return deref || loc->address.used_deref; + } + +diff --git a/loc2c.h b/loc2c.h +index becf2d8..45d9382 100644 +--- a/loc2c.h ++++ b/loc2c.h +@@ -112,6 +112,7 @@ struct location *c_translate_argument (struct obstack *, + + Writes complete lines of C99, code forming a complete C block, to STREAM. + Return value is true iff that code uses the `deref' runtime macros. */ +-bool c_emit_location (FILE *stream, struct location *loc, int indent); ++bool c_emit_location (FILE *stream, struct location *loc, int indent, ++ unsigned int *max_stack); + + /* vim: set sw=2 ts=8 cino=>4,n-2,{2,^-2,t0,(0,u0,w1,M1 : */ + diff --git a/SystemTap-1.0-limit-printf-arguments.patch b/SystemTap-1.0-limit-printf-arguments.patch new file mode 100644 index 0000000..85c1ad4 --- /dev/null +++ b/SystemTap-1.0-limit-printf-arguments.patch @@ -0,0 +1,62 @@ +diff --git a/buildrun.cxx b/buildrun.cxx +index 100cbc4..c86a442 100644 +--- a/buildrun.cxx ++++ b/buildrun.cxx +@@ -200,6 +200,9 @@ compile_pass (systemtap_session& s) + + // o << "CFLAGS += -fno-unit-at-a-time" << endl; + ++ // 600 bytes should be enough for anybody ++ o << "EXTRA_CFLAGS += $(call cc-option,-Wframe-larger-than=600)" << endl; ++ + // Assumes linux 2.6 kbuild + o << "EXTRA_CFLAGS += -Wno-unused -Werror" << endl; + #if CHECK_POINTER_ARITH_PR5947 +diff --git a/testsuite/transko/varargs.stp b/testsuite/transko/varargs.stp +new file mode 100755 +index 0000000..f38309a +--- /dev/null ++++ b/testsuite/transko/varargs.stp +@@ -0,0 +1,10 @@ ++#! stap -p3 ++ ++probe begin { ++ // PR10750 enforces at most 32 print args ++ println(1, 2, 3, 4, 5, 6, 7, 8, ++ 9, 10, 11, 12, 13, 14, 15, 16, ++ 17, 18, 19, 20, 21, 22, 23, 24, ++ 25, 26, 27, 28, 29, 30, 31, 32, ++ 33) ++} +diff --git a/testsuite/transok/varargs.stp b/testsuite/transok/varargs.stp +new file mode 100755 +index 0000000..216166f +--- /dev/null ++++ b/testsuite/transok/varargs.stp +@@ -0,0 +1,9 @@ ++#! stap -p3 ++ ++probe begin { ++ // PR10750 enforces at most 32 print args ++ println(1, 2, 3, 4, 5, 6, 7, 8, ++ 9, 10, 11, 12, 13, 14, 15, 16, ++ 17, 18, 19, 20, 21, 22, 23, 24, ++ 25, 26, 27, 28, 29, 30, 31, 32) ++} +diff --git a/translate.cxx b/translate.cxx +index 04a9247..c73a5bd 100644 +--- a/translate.cxx ++++ b/translate.cxx +@@ -4151,6 +4151,11 @@ c_unparser::visit_print_format (print_format* e) + { + stmt_expr block(*this); + ++ // PR10750: Enforce a reasonable limit on # of varargs ++ // 32 varargs leads to max 256 bytes on the stack ++ if (e->args.size() > 32) ++ throw semantic_error("too many arguments to print", e->tok); ++ + // Compute actual arguments + vector tmp; + + diff --git a/SystemTap-1.0-unwind-table-size-checks.patch b/SystemTap-1.0-unwind-table-size-checks.patch new file mode 100644 index 0000000..4ff1ad9 --- /dev/null +++ b/SystemTap-1.0-unwind-table-size-checks.patch @@ -0,0 +1,180 @@ +diff --git a/runtime/unwind.c b/runtime/unwind.c +index 00108a3..7607770 100644 +--- a/runtime/unwind.c ++++ b/runtime/unwind.c +@@ -88,7 +88,7 @@ static sleb128_t get_sleb128(const u8 **pcur, const u8 *end) + + /* given an FDE, find its CIE */ + static const u32 *cie_for_fde(const u32 *fde, void *unwind_data, +- int is_ehframe) ++ uint32_t table_len, int is_ehframe) + { + const u32 *cie; + +@@ -118,6 +118,11 @@ static const u32 *cie_for_fde(const u32 *fde, void *unwind_data, + else + cie = unwind_data + fde[1]; + ++ /* Make sure address falls in the table */ ++ if (((void *)cie) < ((void*)unwind_data) ++ || ((void*)cie) > ((void*)(unwind_data + table_len))) ++ return NULL; ++ + if (*cie <= sizeof(*cie) + 4 || *cie >= fde[1] - sizeof(*fde) + || (*cie & (sizeof(*cie) - 1)) + || (cie[1] != 0xffffffff && cie[1] != 0)) { +@@ -200,7 +205,8 @@ static unsigned long read_pointer(const u8 **pLoc, const void *end, signed ptrTy + return value; + } + +-static signed fde_pointer_type(const u32 *cie) ++static signed fde_pointer_type(const u32 *cie, void *unwind_data, ++ uint32_t table_len) + { + const u8 *ptr = (const u8 *)(cie + 2); + unsigned version = *ptr; +@@ -212,11 +218,16 @@ static signed fde_pointer_type(const u32 *cie) + const u8 *end = (const u8 *)(cie + 1) + *cie; + uleb128_t len; + ++ /* end of cie should fall within unwind table. */ ++ if (((void*)end) < ((void *)unwind_data) ++ || ((void *)end) > ((void *)(unwind_data + table_len))) ++ return -1; ++ + /* check if augmentation size is first (and thus present) */ + if (*ptr != 'z') + return -1; + /* check if augmentation string is nul-terminated */ +- if ((ptr = memchr(aug = (const void *)ptr, 0, end - ptr)) == NULL) ++ if ((ptr = memchr(aug = (const void *)ptr, 0, end - ptr)) == NULL) + return -1; + ++ptr; /* skip terminator */ + get_uleb128(&ptr, end); /* skip code alignment */ +@@ -267,6 +278,10 @@ static void set_rule(uleb128_t reg, enum item_location where, uleb128_t value, s + } + } + ++/* Limit the number of instructions we process. Arbitrary limit. ++ 512 should be enough for anybody... */ ++#define MAX_CFI 512 ++ + static int processCFI(const u8 *start, const u8 *end, unsigned long targetLoc, signed ptrType, struct unwind_state *state) + { + union { +@@ -276,6 +291,9 @@ static int processCFI(const u8 *start, const u8 *end, unsigned long targetLoc, s + } ptr; + int result = 1; + ++ if (end - start > MAX_CFI) ++ return 0; ++ + dbug_unwind(1, "targetLoc=%lx state->loc=%lx\n", targetLoc, state->loc); + if (start != state->cieStart) { + state->loc = state->org; +@@ -606,10 +624,10 @@ static int unwind_frame(struct unwind_frame_info *frame, + + /* found the fde, now set startLoc and endLoc */ + if (fde != NULL) { +- cie = cie_for_fde(fde, table, is_ehframe); ++ cie = cie_for_fde(fde, table, table_len, is_ehframe); + if (likely(cie != NULL && cie != &bad_cie && cie != ¬_fde)) { + ptr = (const u8 *)(fde + 2); +- ptrType = fde_pointer_type(cie); ++ ptrType = fde_pointer_type(cie, table, table_len); + startLoc = read_pointer(&ptr, (const u8 *)(fde + 1) + *fde, ptrType); + startLoc = adjustStartLoc(startLoc, m, s, ptrType, is_ehframe); + +@@ -632,12 +650,12 @@ static int unwind_frame(struct unwind_frame_info *frame, + for (fde = table, tableSize = table_len; cie = NULL, tableSize > sizeof(*fde) + && tableSize - sizeof(*fde) >= *fde; tableSize -= sizeof(*fde) + *fde, fde += 1 + *fde / sizeof(*fde)) { + dbug_unwind(3, "fde=%lx tableSize=%d\n", (long)*fde, (int)tableSize); +- cie = cie_for_fde(fde, table, is_ehframe); ++ cie = cie_for_fde(fde, table, table_len, is_ehframe); + if (cie == &bad_cie) { + cie = NULL; + break; + } +- if (cie == NULL || cie == ¬_fde || (ptrType = fde_pointer_type(cie)) < 0) ++ if (cie == NULL || cie == ¬_fde || (ptrType = fde_pointer_type(cie, table, table_len)) < 0) + continue; + + ptr = (const u8 *)(fde + 2); +@@ -666,6 +684,12 @@ static int unwind_frame(struct unwind_frame_info *frame, + state.cieEnd = ptr; /* keep here temporarily */ + ptr = (const u8 *)(cie + 2); + end = (const u8 *)(cie + 1) + *cie; ++ ++ /* end should fall within unwind table. */ ++ if (((void *)end) < table ++ || ((void *)end) > ((void *)(table + table_len))) ++ goto err; ++ + frame->call_frame = 1; + if ((state.version = *ptr) != 1) { + dbug_unwind(1, "CIE version number is %d. 1 is supported.\n", state.version); +@@ -723,6 +747,11 @@ static int unwind_frame(struct unwind_frame_info *frame, + state.cieEnd = end; + end = (const u8 *)(fde + 1) + *fde; + ++ /* end should fall within unwind table. */ ++ if (((void*)end) < table ++ || ((void *)end) > ((void *)(table + table_len))) ++ goto err; ++ + /* skip augmentation */ + if (((const char *)(cie + 2))[1] == 'z') { + uleb128_t augSize = get_uleb128(&ptr, end); +diff --git a/runtime/unwind/unwind.h b/runtime/unwind/unwind.h +index 285a3a3..023ea60 100644 +--- a/runtime/unwind/unwind.h ++++ b/runtime/unwind/unwind.h +@@ -143,8 +143,10 @@ static unsigned long read_pointer(const u8 **pLoc, + const void *end, + signed ptrType); + static const u32 bad_cie, not_fde; +-static const u32 *cie_for_fde(const u32 *fde, void *table, int is_ehframe); +-static signed fde_pointer_type(const u32 *cie); ++static const u32 *cie_for_fde(const u32 *fde, void *table, ++ uint32_t table_len, int is_ehframe); ++static signed fde_pointer_type(const u32 *cie, ++ void *table, uint32_t table_len); + + + #endif /* STP_USE_DWARF_UNWINDER */ +diff --git a/translate.cxx b/translate.cxx +index bc5d615..9d456bc 100644 +--- a/translate.cxx ++++ b/translate.cxx +@@ -29,6 +29,11 @@ extern "C" { + #include + } + ++// Max unwind table size (debug or eh) per module. Somewhat arbitrary ++// limit (a bit more than twice the .debug_frame size of my local ++// vmlinux for 2.6.31.4-83.fc12.x86_64) ++#define MAX_UNWIND_TABLE_SIZE (3 * 1024 * 1024) ++ + using namespace std; + + struct var; +@@ -4785,6 +4790,9 @@ dump_unwindsyms (Dwfl_Module *m, + get_unwind_data (m, &debug_frame, &eh_frame, &debug_len, &eh_len, &eh_addr); + if (debug_frame != NULL && debug_len > 0) + { ++ if (debug_len > MAX_UNWIND_TABLE_SIZE) ++ throw semantic_error ("module debug unwind table size too big"); ++ + c->output << "#if defined(STP_USE_DWARF_UNWINDER) && defined(STP_NEED_UNWIND_DATA)\n"; + c->output << "static uint8_t _stp_module_" << stpmod_idx + << "_debug_frame[] = \n"; +@@ -4802,6 +4810,9 @@ dump_unwindsyms (Dwfl_Module *m, + + if (eh_frame != NULL && eh_len > 0) + { ++ if (eh_len > MAX_UNWIND_TABLE_SIZE) ++ throw semantic_error ("module eh unwind table size too big"); ++ + c->output << "#if defined(STP_USE_DWARF_UNWINDER) && defined(STP_NEED_UNWIND_DATA)\n"; + c->output << "static uint8_t _stp_module_" << stpmod_idx + << "_eh_frame[] = \n"; diff --git a/systemtap.spec b/systemtap.spec index 960d2e1..557e7f1 100644 --- a/systemtap.spec +++ b/systemtap.spec @@ -9,7 +9,7 @@ Name: systemtap Version: 1.0 -Release: 1%{?dist} +Release: 2%{?dist} # for version, see also configure.ac Summary: Instrumentation System Group: Development/System @@ -61,6 +61,11 @@ BuildRequires: xmlto /usr/share/xmlto/format/fo/pdf BuildRequires: gtkmm24-devel >= 2.8 %endif +# Fix three --unprivileged DOS issues (CVE-2009-2911) +Patch10: SystemTap-1.0-limit-printf-arguments.patch +Patch11: SystemTap-1.0-limit-dwarf-expression-stack-size.patch +Patch12: SystemTap-1.0-unwind-table-size-checks.patch + %description SystemTap is an instrumentation system for systems running Linux 2.6. Developers can write instrumentation to collect data on the operation @@ -164,6 +169,11 @@ find . \( -name configure -o -name config.h.in \) -print | xargs touch cd .. %endif +# Fix three --unprivileged DOS issues (CVE-2009-2911) +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 + %build %if %{with_bundled_elfutils} @@ -387,6 +397,9 @@ exit 0 %changelog +* Wed Oct 21 2009 Josh Stone - 1.0-2 +- Fix three --unprivileged DOS issues (CVE-2009-2911) + * Tue Sep 22 2009 Josh Stone - 1.0-1 - Upstream release.