From b0d3818ac1eba753f86a78a24aa95e293528632d Mon Sep 17 00:00:00 2001
From: Josh Stone
Date: Aug 02 2011 21:02:40 +0000
Subject: Merge branch 'master' into f14
---
diff --git a/.gitignore b/.gitignore
index dbafe51..3ab1bb9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 systemtap-1.3.tar.gz
 /systemtap-1.4.tar.gz
 /systemtap-1.5.tar.gz
+/systemtap-1.6.tar.gz
diff --git a/cve-2011-2502.patch b/cve-2011-2502.patch
deleted file mode 100644
index a681b62..0000000
--- a/cve-2011-2502.patch
+++ /dev/null
@@ -1,60 +0,0 @@ -commit e75e70e736ea53078eaa9fd36a5f7186e3e2235c -Author: Josh Stone -Date: Fri Jun 24 14:21:26 2011 -0700 - - rhbz716476: Don't allow path-based auth for uprobes - - For users that are only members of stapusr, and not stapdev, we only - allow loading modules that are either signed with a trusted certificate - or located in controlled paths. For the script itself, that path is - /lib/modules/.../systemtap/, and for uprobes it is the runtime. When - this policy was first written, uprobes only ever came from the runtime - path, so the path check just returned 1 always. - - Later, commit 474d17ad added an optional argument to staprun -u, to - allow the user to specify their own signed copy of uprobes to load. - Unfortunately, if presented with an unsigned module, that would still - fall back to the path check, which blissfully approved it anyway. - - Our policy is now that stapusr can only load a signed uprobes.ko, so the - path check for uprobes now unconditionally returns 0. - -diff --git a/runtime/staprun/staprun_funcs.c b/runtime/staprun/staprun_funcs.c -index 74eef9c..82754d4 100644 ---- a/runtime/staprun/staprun_funcs.c -+++ b/runtime/staprun/staprun_funcs.c -@@ -387,8 +387,10 @@ check_stap_module_path(const char *module_path, int module_fd) - } - - /* -- * Members of the 'stapusr' group can load the uprobes module freely, -- * since it is loaded from a fixed path in the installed runtime. -+ * Don't allow path-based authorization for the uprobes module at all. -+ * Members of the 'stapusr' group can load a signed uprobes module, but -+ * nothing else. Later we could consider allowing specific paths, like -+ * the installed runtime or /lib/modules/... - * - * Returns: -1 on errors, 0 on failure, 1 on success. 
- */ -@@ -398,7 +400,7 @@ check_uprobes_module_path ( - int module_fd __attribute__ ((unused)) - ) - { -- return 1; -+ return 0; - } - - /* -@@ -596,10 +598,8 @@ void assert_uprobes_module_permissions( - if (check_signature_rc == MODULE_ALTERED) - exit(-1); - #else -- /* If we don't have NSS, then the uprobes module is considered trusted. -- Otherwise a member of the group 'stapusr' will not be able to load it. -- */ -- check_signature_rc = MODULE_OK; -+ /* If we don't have NSS, the uprobes module is considered untrusted. */ -+ check_signature_rc = MODULE_UNTRUSTED; - #endif - - /* root can still load this module. */ diff --git a/cve-2011-2503.patch b/cve-2011-2503.patch deleted file mode 100644 index 652b61f..0000000 --- a/cve-2011-2503.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -commit fa6b56faaa56c98203dcc3fbdda5eab3d91ec62d -Author: Josh Stone -Date: Fri Jun 24 15:00:41 2011 -0700 - - rhbz716489: read instead of mmap to load modules - - As staprun is preparing to load a kernel module, we first mmap the whole - module as MAP_PRIVATE. Then we proceed with our security checks, - including a trusted-signature validation on the mapped region, and if - all checks out, we'll call init_module() with that same mapped region. - - However, MMAP(2) says of MAP_PRIVATE, "It is unspecified whether changes - made to the file after the mmap() call are visible in the mapped - region." From my testing, it appears that file changes do indeed show - up in our mapped memory. This means we have a TOCTOU race between - verifying the signature of that memory and then calling init_module(). - - By using read() instead of mmap(), we ensure that we have a fully - private copy of the module to verify and load, without fear of change. - -diff --git a/runtime/staprun/staprun_funcs.c b/runtime/staprun/staprun_funcs.c -index 74eef9c..e0a5a46 100644 ---- a/runtime/staprun/staprun_funcs.c -+++ b/runtime/staprun/staprun_funcs.c -@@ -49,7 +49,7 @@ int insert_module( - assert_permissions_func assert_permissions - ) { - int i; -- long ret; -+ long ret, module_read; - void *module_file; - char *opts; - int saved_errno; -@@ -109,17 +109,39 @@ int insert_module( - return -1; - } - -- /* mmap in the entire module. Work with the memory mapped data from this -- point on to avoid a TOCTOU race between path and signature checking -- below and module loading. */ -- module_file = mmap(NULL, sbuf.st_size, PROT_READ, MAP_PRIVATE, module_fd, 0); -- if (module_file == MAP_FAILED) { -- _perr("Error mapping '%s'", module_realpath); -+ /* Allocate memory for the entire module. 
*/ -+ module_file = calloc(1, sbuf.st_size); -+ if (module_file == NULL) { -+ _perr("Error allocating memory to read '%s'", module_realpath); - close(module_fd); - free(opts); - return -1; - } - -+ /* read in the entire module. Work with this copy of the data from this -+ point on to avoid a TOCTOU race between path and signature checking -+ below and module loading. */ -+ module_read = 0; -+ while (module_read < sbuf.st_size) { -+ ret = read(module_fd, module_file + module_read, -+ sbuf.st_size - module_read); -+ if (ret > 0) -+ module_read += ret; -+ else if (ret == 0) { -+ _err("Unexpected EOF reading '%s'", module_realpath); -+ free(module_file); -+ close(module_fd); -+ free(opts); -+ return -1; -+ } else if (errno != EINTR) { -+ _perr("Error reading '%s'", module_realpath); -+ free(module_file); -+ close(module_fd); -+ free(opts); -+ return -1; -+ } -+ } -+ - /* Check whether this module can be loaded by the current user. - * check_permissions will exit(-1) if permissions are insufficient*/ - assert_permissions (module_realpath, module_fd, module_file, sbuf.st_size); -@@ -131,7 +153,7 @@ int insert_module( - - /* Cleanup. */ - free(opts); -- munmap(module_file, sbuf.st_size); -+ free(module_file); - close(module_fd); - - if (ret != 0) { diff --git a/sources b/sources index 5c5ccb1..85f2b81 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -e85bb19b8c2b5fc627b065c04c8ca595 systemtap-1.5.tar.gz +b845ec58bc04cf4cad5c897f67de1308 systemtap-1.6.tar.gz diff --git a/systemtap-sdt.patch b/systemtap-sdt.patch deleted file mode 100644 index f933c85..0000000 --- a/systemtap-sdt.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From c02332052959e4213a59ce0ff40354f51506103a Mon Sep 17 00:00:00 2001 -From: Mark Wielaard -Date: Wed, 6 Jul 2011 23:07:51 +0200 -Subject: [PATCH] Silence sys/sdt.h comparison of unsigned expression < 0 is always false. - -Some arm g++ setups would complain about the wchar_t "signedness detection": -sys/sdt.h:102: error: comparison of unsigned expression < 0 is always false - -jistone said: "((T)(-1) < 1)" would still get the right boolean value, -and shouldn't trigger range errors like "unsigned is never < 0". ---- - includes/sys/sdt.h | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) - -diff --git a/includes/sys/sdt.h b/includes/sys/sdt.h -index f7e1360..0a9fd40 100644 ---- a/includes/sys/sdt.h -+++ b/includes/sys/sdt.h -@@ -77,7 +77,7 @@ struct __sdt_type - #define __SDT_ALWAYS_SIGNED(T) \ - template<> struct __sdt_type { static const bool __sdt_signed = true; }; - #define __SDT_COND_SIGNED(T) \ --template<> struct __sdt_type { static const bool __sdt_signed = ((T)(-1) < 0); }; -+template<> struct __sdt_type { static const bool __sdt_signed = ((T)(-1) < 1); }; - __SDT_ALWAYS_SIGNED(signed char) - __SDT_ALWAYS_SIGNED(short) - __SDT_ALWAYS_SIGNED(int) --- -1.7.3.4 - diff --git a/systemtap.spec b/systemtap.spec index 0018150..659ac44 100644 --- a/systemtap.spec +++ b/systemtap.spec @@ -1,5 +1,5 @@ %{!?with_sqlite: %global with_sqlite 1} -%{!?with_docs: %global with_docs 0} +%{!?with_docs: %global with_docs 1} %ifarch ppc %{sparc} %{arm} # crash is not available %{!?with_crash: %global with_crash 0} %else @@ -7,7 +7,7 @@ %endif %{!?with_rpm: %global with_rpm 1} %{!?with_bundled_elfutils: %global with_bundled_elfutils 0} -%{!?elfutils_version: %global elfutils_version 0.127} +%{!?elfutils_version: %global elfutils_version 0.142} %{!?pie_supported: %global pie_supported 1} %{!?with_grapher: %global with_grapher 1} %{!?with_boost: %global with_boost 0} 
@@ -15,8 +15,8 @@ %{!?publican_brand: %global publican_brand fedora} Name: systemtap -Version: 1.5 -Release: 8%{?dist} +Version: 1.6 +Release: 1%{?dist} # for version, see also configure.ac Summary: Instrumentation System Group: Development/System @@ -24,8 +24,6 @@ License: GPLv2+ URL: http://sourceware.org/systemtap/ Source: ftp://sourceware.org/pub/%{name}/releases/%{name}-%{version}.tar.gz -Patch25: systemtap-sdt.patch - Obsoletes: systemtap-client < 1.5 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -66,9 +64,6 @@ BuildRequires: m4 BuildRequires: elfutils-devel >= %{elfutils_version} %endif -Patch4: cve-2011-2502.patch -Patch5: cve-2011-2503.patch - %if %{with_docs} BuildRequires: /usr/bin/latex /usr/bin/dvips /usr/bin/ps2pdf latex2html # On F10, xmlto's pdf support was broken off into a sub-package, @@ -93,7 +88,7 @@ BuildRequires: boost-devel BuildRequires: gettext-devel %description -SystemTap is an instrumentation system for systems running Linux 2.6. +SystemTap is an instrumentation system for systems running Linux. Developers can write instrumentation to collect data on the operation of the system. @@ -107,7 +102,7 @@ Requires(pre): shadow-utils %description runtime SystemTap runtime is the runtime component of an instrumentation -system for systems running Linux 2.6. Developers can write +system for systems running Linux. Developers can write instrumentation to collect data on the operation of the system. %package testsuite @@ -115,7 +110,9 @@ Summary: Instrumentation System Testsuite Group: Development/System License: GPLv2+ URL: http://sourceware.org/systemtap/ -Requires: systemtap systemtap-sdt-devel dejagnu which prelink +Requires: systemtap = %{version}-%{release} +Requires: systemtap-sdt-devel = %{version}-%{release} +Requires: dejagnu which prelink %description testsuite The testsuite allows testing of the entire SystemTap toolchain 
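Review bot: Patch4 (cve-2011-2502.patch) and Patch5 (cve-2011-2503.patch) are removed in the `@@ -66,9 +64,6 @@` hunk, and their `%patch4 -p1` / `%patch5 -p1` lines are removed in the later `%prep` hunk, but nothing in the commit records that the 1.6 tarball carries both fixes. The new changelog entry reads only `- Upstream release.`, so someone auditing the package history against the 1.5-8 entry cannot tell whether the stapusr uprobes authorization fix and the module-loading TOCTOU fix are still present. Presumably both landed upstream before 1.6; this should be confirmed against `runtime/staprun/staprun_funcs.c` in the 1.6 source (the uprobes path check returning 0, and `insert_module` reading the module into a private buffer instead of mapping it). Once confirmed, the 1.6-1 entry should gain a line such as `- Drop CVE-2011-2502 and CVE-2011-2503 patches, included in upstream 1.6`. The dropped Patch25 (systemtap-sdt.patch) could be noted in the same entry.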
@@ -126,7 +123,7 @@ Summary: Instrumentation System Server Group: Development/System License: GPLv2+ URL: http://sourceware.org/systemtap/ -Requires: systemtap +Requires: systemtap = %{version}-%{release} Requires: avahi avahi-tools nss mktemp Requires: zip unzip Requires(post): chkconfig @@ -153,7 +150,7 @@ Summary: Systemtap Initscripts Group: Development/System License: GPLv2+ URL: http://sourceware.org/systemtap/ -Requires: systemtap-runtime +Requires: systemtap-runtime = %{version}-%{release} Requires(post): chkconfig Requires(preun): chkconfig Requires(preun): initscripts @@ -168,7 +165,7 @@ Summary: Instrumentation System Grapher Group: Development/System License: GPLv2+ URL: http://sourceware.org/systemtap/ -Requires: systemtap-runtime +Requires: systemtap-runtime = %{version}-%{release} %description grapher SystemTap grapher is a utility for real-time visualization of @@ -188,11 +185,6 @@ find . \( -name configure -o -name config.h.in \) -print | xargs touch cd .. %endif -%patch4 -p1 -%patch5 -p1 - -%patch25 -p1 - %build %if %{with_bundled_elfutils} @@ -410,7 +402,7 @@ exit 0 %files -f %{name}.lang %defattr(-,root,root) -%doc README AUTHORS NEWS COPYING examples +%doc README README.unprivileged AUTHORS NEWS COPYING examples %if %{with_docs} %doc docs.installed/*.pdf %doc docs.installed/tapsets @@ -423,7 +415,6 @@ exit 0 %{_bindir}/stap-prep %{_bindir}/stap-report %{_mandir}/man1/stap.1* -%{_mandir}/man1/stapgraph.1* %{_mandir}/man1/stap-merge.1* %{_mandir}/man3/* %{_mandir}/man7/stappaths.7* @@ -454,7 +445,7 @@ exit 0 %{_mandir}/man7/stappaths.7* %{_mandir}/man8/staprun.8* -%doc README AUTHORS NEWS COPYING +%doc README README.security AUTHORS NEWS COPYING %files testsuite %defattr(-,root,root) 
@@ -504,10 +495,14 @@ exit 0 %defattr(-,root,root) %{_bindir}/stapgraph %{_datadir}/%{name}/*.glade +%{_mandir}/man1/stapgraph.1* %endif %changelog +* Mon Jul 25 2011 Stan Cox - 1.6-1 +- Upstream release. + * Mon Jul 25 2011 Frank Ch. Eigler - 1.5-8 - CVE-2011-2502, CVE-2011-2503