rpms/systemtap/devel systemtap-1.1-get_argv.patch, NONE, 1.1 systemtap.spec, 1.58, 1.59

Mark Wielaard mjw at fedoraproject.org
Mon Feb 15 15:22:27 UTC 2010


Author: mjw

Update of /cvs/pkgs/rpms/systemtap/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv31947

Modified Files:
	systemtap.spec 
Added Files:
	systemtap-1.1-get_argv.patch 
Log Message:
- Add systemtap-1.1-get_argv.patch
  - Resolves CVE-2010-0411


systemtap-1.1-get_argv.patch:
 aux_syscalls.stp |  159 +++++++++++++++----------------------------------------
 1 file changed, 44 insertions(+), 115 deletions(-)

--- NEW FILE systemtap-1.1-get_argv.patch ---
commit a2d399c87a642190f08ede63dc6fc434a5a8363a
Author: Josh Stone <jistone at redhat.com>
Date:   Thu Feb 4 17:47:31 2010 -0800

    PR11234: Rewrite __get_argv without embedded-C
    
    We now implement __get_argv's string building in pure stap script.
    Also, every argument is now quoted, which differs from the previous
    behavior, but it is much more robust when handling special characters.

diff --git a/tapset/aux_syscalls.stp b/tapset/aux_syscalls.stp
index bab0f64..e762b37 100644
--- a/tapset/aux_syscalls.stp
+++ b/tapset/aux_syscalls.stp
@@ -399,124 +399,53 @@ function __sem_flags:string(semflg:long)
 
 
 /* This function copies an argv from userspace. */
-function __get_argv:string(a:long, first:long)
-%{ /* pure */
-  	char __user *__user *argv = (char __user *__user *)(long)THIS->a;
-	char __user *vstr;
-	int space, rc, len = MAXSTRINGLEN;
-	char *str = THIS->__retvalue;
-	char buf[80];
-	char *ptr = buf;
-
-	
-	if (THIS->first && argv)
-		argv++;
-
-	while (argv != NULL) {
-		if (__stp_get_user (vstr, argv))
-      			break;
-
-		if (vstr == NULL)
-			break;
-
-		rc = _stp_strncpy_from_user(buf, vstr, 79);
-		if (rc <= 0)
-			break;
-
-		/* check for whitespace in string */
-		buf[rc] = 0;
-		ptr = buf;
-		space = 0;
-		while (*ptr && rc--) {
-			if (isspace(*ptr++)) {
-				space = 1;
-				break;
-			}
-		}
-
-		if (len != MAXSTRINGLEN && len) {
-			*str++=' ';
-			len--;
-		}
-
-		if (space && len) {
-			*str++='\"';
-			len--;
-		}
-	
-		rc = strlcpy (str, buf, len); 
-		str += rc;
-		len -= rc;
-
-		if (space && len) {
-			*str++='\"';
-			len--;
-		}
-
-		argv++;
+function __get_argv:string(argv:long, first:long)
+{
+%( CONFIG_64BIT == "y" %?
+	if (first && argv)
+		argv += 8
+	while (argv) {
+		vstr = user_long(argv)
+		if (!vstr)
+			break
+		if (len)
+			str .= " "
+		str .= user_string_quoted(vstr)
+
+		newlen = strlen(str)
+		if (newlen == len)
+			break
+		len = newlen
+		argv += 8
 	}
-	*str = 0;
-%}
-/* This function copies an argv from userspace. */
-function __get_compat_argv:string(a:long, first:long)
-%{ /* pure */
-#ifdef CONFIG_COMPAT
-  	compat_uptr_t __user *__user *argv = (compat_uptr_t __user *__user *)(long)THIS->a;
-	compat_uptr_t __user *vstr;
-	int space, rc, len = MAXSTRINGLEN;
-	char *str = THIS->__retvalue;
-	char buf[80];
-	char *ptr = buf;
-
-	if (THIS->first && argv)
-		argv++;
-
-	while (argv != NULL) {
-		if (__stp_get_user (vstr, argv))
-      			break;
-
-		if (vstr == NULL)
-			break;
-
-		rc = _stp_strncpy_from_user(buf, (char *)vstr, 79);
-		if (rc <= 0)
-			break;
-
-		/* check for whitespace in string */
-		buf[rc] = 0;
-		ptr = buf;
-		space = 0;
-		while (*ptr && rc--) {
-			if (isspace(*ptr++)) {
-				space = 1;
-				break;
-			}
-		}
-
-		if (len != MAXSTRINGLEN && len) {
-			*str++=' ';
-			len--;
-		}
-
-		if (space && len) {
-			*str++='\"';
-			len--;
-		}
-	
-		rc = strlcpy (str, buf, len); 
-		str += rc;
-		len -= rc;
-
-		if (space && len) {
-			*str++='\"';
-			len--;
-		}
 
-		argv++;
+	return str
+%:
+	return __get_compat_argv(argv, first)
+%)
+}
+/* This function copies an argv from userspace. */
+function __get_compat_argv:string(argv:long, first:long)
+{
+	if (first && argv)
+		argv += 4
+	while (argv) {
+		vstr = user_int(argv) & 0xffffffff
+		if (!vstr)
+			break
+		if (len)
+			str .= " "
+		str .= user_string_quoted(vstr)
+
+		newlen = strlen(str)
+		if (newlen == len)
+			break
+		len = newlen
+		argv += 4
 	}
-	*str = 0;
-#endif
-%}
+
+	return str
+}
 
 /*
  * Return the  symbolic string  representation
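Review bot: The only exit from the `while (argv)` walk besides a NULL slot is `if (newlen == len) break`, and nothing in the hunk says why, so it reads like a dead check; it is what stops the loop once `str` has been truncated at MAXSTRINGLEN (including when a malformed vector never yields a NULL), and it deserves a comment such as `# stop once appending no longer grows str: it has hit MAXSTRINGLEN` above `newlen = strlen(str)` in both `__get_argv` and `__get_compat_argv`. A fault on the pointer slot itself is also handled differently from the removed C: there a failing `__stp_get_user` broke out of the loop and returned the arguments collected so far, whereas `user_long(argv)` / `user_int(argv)` in this tapset version appear to raise a runtime error on an unreadable address, so the probe handler aborts instead — if that is intended, the header comment should say so, and it could also note that each argument is now emitted through `user_string_quoted`, as the commit message states. `str` and `len` are never initialized and rely on stap's implicit `""` / `0` defaults for script locals, which is correct but worth one short comment for readers coming from the C version.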


Index: systemtap.spec
===================================================================
RCS file: /cvs/pkgs/rpms/systemtap/devel/systemtap.spec,v
retrieving revision 1.58
retrieving revision 1.59
diff -u -p -r1.58 -r1.59
--- systemtap.spec	15 Feb 2010 15:12:10 -0000	1.58
+++ systemtap.spec	15 Feb 2010 15:22:27 -0000	1.59
@@ -57,6 +57,7 @@ Requires: crash
 %endif
 
 Patch10: systemtap-1.1-cfi-cfa_ops-fixes.patch
+Patch11: systemtap-1.1-get_argv.patch
 
 %if %{with_docs}
 BuildRequires: /usr/bin/latex /usr/bin/dvips /usr/bin/ps2pdf latex2html
@@ -192,6 +193,7 @@ cd ..
 %endif
 
 %patch10 -p1
+%patch11 -p1
 
 %build
 
@@ -498,7 +500,9 @@ exit 0
 %changelog
 * Mon Feb 15 2010 Mark Wielaard <mjw at redhat.com> - 1.1-2
 - Add systemtap-1.1-cfi-cfa_ops-fixes.patch
-- Resolves RHBZ #564429
+  - Resolves RHBZ #564429
+- Add systemtap-1.1-get_argv.patch
+  - Resolves CVE-2010-0411
 
 * Mon Dec 21 2009 David Smith <dsmith at redhat.com> - 1.1-1
 - Upstream release.


