rpms/systemtap
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

removed obsolete/unused patches

Browse Source
This commit is contained in:
Frank Ch. Eigler 2011-07-28 12:48:23 -04:00
parent 03c3a473bf
commit 6f0d3e4c3f
5 changed files with 0 additions and 428 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
cve-2011-2502.patch
View File

@ -1,60 +0,0 @@
commit e75e70e736ea53078eaa9fd36a5f7186e3e2235c
Author: Josh Stone <jistone@redhat.com>
Date: Fri Jun 24 14:21:26 2011 -0700
rhbz716476: Don't allow path-based auth for uprobes
For users that are only members of stapusr, and not stapdev, we only
allow loading modules that are either signed with a trusted certificate
or located in controlled paths. For the script itself, that path is
/lib/modules/.../systemtap/, and for uprobes it is the runtime. When
this policy was first written, uprobes only ever came from the runtime
path, so the path check just returned 1 always.
Later, commit 474d17ad added an optional argument to staprun -u, to
allow the user to specify their own signed copy of uprobes to load.
Unfortunately, if presented with an unsigned module, that would still
fall back to the path check, which blissfully approved it anyway.
Our policy is now that stapusr can only load a signed uprobes.ko, so the
path check for uprobes now unconditionally returns 0.
diff --git a/runtime/staprun/staprun_funcs.c b/runtime/staprun/staprun_funcs.c
index 74eef9c..82754d4 100644
--- a/runtime/staprun/staprun_funcs.c
+++ b/runtime/staprun/staprun_funcs.c
@@ -387,8 +387,10 @@ check_stap_module_path(const char *module_path, int module_fd)
}
/*
- * Members of the 'stapusr' group can load the uprobes module freely,
- * since it is loaded from a fixed path in the installed runtime.
+ * Don't allow path-based authorization for the uprobes module at all.
+ * Members of the 'stapusr' group can load a signed uprobes module, but
+ * nothing else. Later we could consider allowing specific paths, like
+ * the installed runtime or /lib/modules/...
*
* Returns: -1 on errors, 0 on failure, 1 on success.
*/
@@ -398,7 +400,7 @@ check_uprobes_module_path (
int module_fd __attribute__ ((unused))
)
{
- return 1;
+ return 0;
}
/*
@@ -596,10 +598,8 @@ void assert_uprobes_module_permissions(
if (check_signature_rc == MODULE_ALTERED)
exit(-1);
#else
- /* If we don't have NSS, then the uprobes module is considered trusted.
- Otherwise a member of the group 'stapusr' will not be able to load it.
- */
- check_signature_rc = MODULE_OK;
+ /* If we don't have NSS, the uprobes module is considered untrusted. */
+ check_signature_rc = MODULE_UNTRUSTED;
#endif
/* root can still load this module. */

88
cve-2011-2503.patch
View File

@ -1,88 +0,0 @@
commit fa6b56faaa56c98203dcc3fbdda5eab3d91ec62d
Author: Josh Stone <jistone@redhat.com>
Date: Fri Jun 24 15:00:41 2011 -0700
rhbz716489: read instead of mmap to load modules
As staprun is preparing to load a kernel module, we first mmap the whole
module as MAP_PRIVATE. Then we proceed with our security checks,
including a trusted-signature validation on the mapped region, and if
all checks out, we'll call init_module() with that same mapped region.
However, MMAP(2) says of MAP_PRIVATE, "It is unspecified whether changes
made to the file after the mmap() call are visible in the mapped
region." From my testing, it appears that file changes do indeed show
up in our mapped memory. This means we have a TOCTOU race between
verifying the signature of that memory and then calling init_module().
By using read() instead of mmap(), we ensure that we have a fully
private copy of the module to verify and load, without fear of change.
diff --git a/runtime/staprun/staprun_funcs.c b/runtime/staprun/staprun_funcs.c
index 74eef9c..e0a5a46 100644
--- a/runtime/staprun/staprun_funcs.c
+++ b/runtime/staprun/staprun_funcs.c
@@ -49,7 +49,7 @@ int insert_module(
assert_permissions_func assert_permissions
) {
int i;
- long ret;
+ long ret, module_read;
void *module_file;
char *opts;
int saved_errno;
@@ -109,17 +109,39 @@ int insert_module(
return -1;
}
- /* mmap in the entire module. Work with the memory mapped data from this
- point on to avoid a TOCTOU race between path and signature checking
- below and module loading. */
- module_file = mmap(NULL, sbuf.st_size, PROT_READ, MAP_PRIVATE, module_fd, 0);
- if (module_file == MAP_FAILED) {
- _perr("Error mapping '%s'", module_realpath);
+ /* Allocate memory for the entire module. */
+ module_file = calloc(1, sbuf.st_size);
+ if (module_file == NULL) {
+ _perr("Error allocating memory to read '%s'", module_realpath);
close(module_fd);
free(opts);
return -1;
}
+ /* read in the entire module. Work with this copy of the data from this
+ point on to avoid a TOCTOU race between path and signature checking
+ below and module loading. */
+ module_read = 0;
+ while (module_read < sbuf.st_size) {
+ ret = read(module_fd, module_file + module_read,
+ sbuf.st_size - module_read);
+ if (ret > 0)
+ module_read += ret;
+ else if (ret == 0) {
+ _err("Unexpected EOF reading '%s'", module_realpath);
+ free(module_file);
+ close(module_fd);
+ free(opts);
+ return -1;
+ } else if (errno != EINTR) {
+ _perr("Error reading '%s'", module_realpath);
+ free(module_file);
+ close(module_fd);
+ free(opts);
+ return -1;
+ }
+ }
+
/* Check whether this module can be loaded by the current user.
* check_permissions will exit(-1) if permissions are insufficient*/
assert_permissions (module_realpath, module_fd, module_file, sbuf.st_size);
@@ -131,7 +153,7 @@ int insert_module(
/* Cleanup. */
free(opts);
- munmap(module_file, sbuf.st_size);
+ free(module_file);
close(module_fd);
if (ret != 0) {

178
swbz12899.patch
View File

@ -1,178 +0,0 @@
commit b571f9347c4a54facadb5e948e1430bd2b89158a
Author: Stan Cox <scox@redhat.com>
Date: Fri Jun 10 09:42:43 2011 -0400
Don't process the dtrace -o FILENAME.
dtrace.in (main): Use suffix for both -h and -G. Check gcc return code.
dtrace.exp: Massage results accordingly.
commit f6b267eb5f999ce380f1169ba4aa81945b8b8fd2
Author: Stan Cox <scox@redhat.com>
Date: Tue Jun 14 16:16:59 2011 -0400
Improve dtrace handling of CC environment variable.
* dtrace.in (main): Split CC to allow for application Makefile abuse.
commit 4c353c3a6d5a7b75c3e897f1605ae6a98b0b1951
Author: Stan Cox <scox@redhat.com>
Date: Tue Jun 14 17:36:23 2011 -0400
Split command line pieces with shlex
dtrace.in (main): Use shlex.split for CPP, CC, and CFLAGS
commit 12aad6f0ee85529fa29d6b0790f7afc6f075a808
Author: Stan Cox <scox@redhat.com>
Date: Wed Jun 15 15:52:38 2011 -0400
Do status setting and exit at the top level.
* dtrace.in (main): Use return instead of sys.exit; move sys.exit to top.
diff --git a/dtrace.in b/dtrace.in
index a64d110..c1ea1fe 100755
--- a/dtrace.in
+++ b/dtrace.in
@@ -17,6 +17,7 @@ import os
import posix
import string
import sys
+import shlex
from subprocess import call
from tempfile import mkstemp
@@ -179,7 +180,7 @@ def help ():
def main():
if (len(sys.argv) < 2):
usage()
- sys.exit(1)
+ return 1
i = 1
build_header = False
@@ -187,7 +188,7 @@ def main():
add_typedefs = False
keep_temps = False
use_cpp = False
- h_ext = '.h'
+ suffix = ""
filename = ""
s_filename = ""
includes = []
@@ -205,10 +206,12 @@ def main():
defines.append(sys.argv[i])
elif (sys.argv[i] == "-h"):
build_header = True
+ suffix = ".h"
elif (sys.argv[i].startswith("-I")):
includes.append(sys.argv[i])
elif (sys.argv[i] == "-G"):
build_source = True
+ suffix = ".o"
elif (sys.argv[i] == "-k"):
keep_temps = True
elif (sys.argv[i] == "--types"):
@@ -218,17 +221,16 @@ def main():
i += 1
if (build_header == False and build_source == False):
usage()
- sys.exit(1)
+ return 1
if (s_filename != "" and use_cpp):
(d,fn) = mkstemp(suffix=".d")
CPP = os.environ.get("CPP", "cpp")
- args = [CPP] + includes + defines + [s_filename, fn]
- retcode = call(args)
+ retcode = call(shlex.split(CPP) + includes + defines + [s_filename, fn])
if (retcode != 0):
print "\"cpp includes s_filename\" failed"
usage()
- sys.exit(1)
+ return 1
s_filename = fn
if (filename == ""):
if (s_filename != ""):
@@ -236,15 +238,12 @@ def main():
filename = os.path.basename(filename)
else:
usage()
- sys.exit(1)
+ return 1
else:
- if (build_header):
- h_ext = ""
- else:
- (filename,ext) = os.path.splitext(filename)
+ suffix = ""
if (build_header):
providers = _provider()
- providers.generate(s_filename, filename + h_ext, add_typedefs)
+ providers.generate(s_filename, filename + suffix, add_typedefs)
elif (build_source):
(basename,ext) = os.path.splitext(s_filename)
@@ -265,9 +264,13 @@ def main():
f.close()
CC = os.environ.get("CC", "gcc")
CFLAGS = "-g " + os.environ.get("CFLAGS", "")
- call([CC, "-fPIC"] + defines + includes + CFLAGS.split() +
- ["-I.", "-I@prefix@/include", "-c", fn, "-o",
- filename + ".o"], shell=False)
+ retcode = call(shlex.split(CC) + defines + includes + shlex.split(CFLAGS) +
+ ["-fPIC", "-I.", "-I@prefix@/include", "-c", fn, "-o",
+ filename + suffix], shell=False)
+ if (retcode != 0):
+ print "\"gcc " + fn + "\" failed"
+ usage()
+ return 1
if (not keep_temps):
os.remove(fn)
else:
@@ -277,6 +280,7 @@ def main():
os.remove(s_filename)
else:
print "cpp: " + s_filename
+ return 0
if __name__ == "__main__":
- main()
+ sys.exit(main())
diff --git a/testsuite/systemtap.base/dtrace.exp b/testsuite/systemtap.base/dtrace.exp
index b301793..cd97c79 100644
--- a/testsuite/systemtap.base/dtrace.exp
+++ b/testsuite/systemtap.base/dtrace.exp
@@ -60,12 +60,12 @@ exec rm -f XXX.o
verbose -log "$dtrace -G -s $dpath -o XXX"
catch {exec $dtrace -G -s $dpath -o XXX}
-if {[file exists XXX.o]} then {
+if {[file exists XXX]} then {
pass "dtrace -G -o XXX"
} else {
fail "dtrace -G -o XXX"
}
-exec rm -f XXX.o
+exec rm -f XXX
verbose -log "$dtrace -h -s $dpath -o XXX.h"
catch {exec $dtrace -h -s $dpath -o XXX.h}
@@ -96,12 +96,12 @@ exec rm -f /tmp/XXX.o
verbose -log "$dtrace -G -s $dpath -o /tmp/XXX"
catch {exec $dtrace -G -s $dpath -o /tmp/XXX}
-if {[file exists /tmp/XXX.o]} then {
- pass "dtrace -G -o /tmp/XXX.o"
+if {[file exists /tmp/XXX]} then {
+ pass "dtrace -G -o /tmp/XXX"
} else {
- fail "dtrace -G -o /tmp/XXX.o"
+ fail "dtrace -G -o /tmp/XXX"
}
-exec rm -f /tmp/XXX.o
+exec rm -f /tmp/XXX
verbose -log "$dtrace -h -s $dpath -o /tmp/XXX.h"
catch {exec $dtrace -h -s $dpath -o /tmp/XXX.h}

72
swbz12927.patch
View File

@ -1,72 +0,0 @@
commit 0bbb80098decc9c4c43a1800538007d86b600bba
Author: Josh Stone <jistone@redhat.com>
Date: Tue Jun 7 11:23:13 2011 -0700
stapconf: Conditionalize stacktrace_ops.warning{,_symbol}
Kernel commit 449a66f removed these fields.
* buildrun.cxx: Include the new test.
* runtime/autoconf-stacktrace_ops-warning.c: Check the warning field.
* runtime/stack.c: Conditionalize the warning initialization.
diff --git a/buildrun.cxx b/buildrun.cxx
index 0bebc35..79f8818 100644
--- a/buildrun.cxx
+++ b/buildrun.cxx
@@ -215,6 +215,8 @@ compile_pass (systemtap_session& s)
output_autoconf(s, o, "autoconf-ring_buffer-flags.c", "STAPCONF_RING_BUFFER_FLAGS", NULL);
output_autoconf(s, o, "autoconf-kallsyms-on-each-symbol.c", "STAPCONF_KALLSYMS_ON_EACH_SYMBOL", NULL);
output_autoconf(s, o, "autoconf-walk-stack.c", "STAPCONF_WALK_STACK", NULL);
+ output_autoconf(s, o, "autoconf-stacktrace_ops-warning.c",
+ "STAPCONF_STACKTRACE_OPS_WARNING", NULL);
output_autoconf(s, o, "autoconf-mm-context-vdso.c", "STAPCONF_MM_CONTEXT_VDSO", NULL);
output_autoconf(s, o, "autoconf-blk-types.c", "STAPCONF_BLK_TYPES", NULL);
output_autoconf(s, o, "autoconf-perf-structpid.c", "STAPCONF_PERF_STRUCTPID", NULL);
diff --git a/runtime/autoconf-stacktrace_ops-warning.c b/runtime/autoconf-stacktrace_ops-warning.c
new file mode 100644
index 0000000..9c00f05
--- /dev/null
+++ b/runtime/autoconf-stacktrace_ops-warning.c
@@ -0,0 +1,10 @@
+/* Some kernels have warning fields in stacktrace_ops. */
+#include <linux/sched.h>
+#include <asm/stacktrace.h>
+
+void foo (void)
+{
+ struct stacktrace_ops t;
+ t.warning = 0;
+ (void) t;
+}
diff --git a/runtime/stack.c b/runtime/stack.c
index 68a7e4f..b2d5d1d 100644
--- a/runtime/stack.c
+++ b/runtime/stack.c
@@ -73,6 +73,7 @@ struct print_stack_data
int level;
};
+#if defined(STAPCONF_STACKTRACE_OPS_WARNING)
static void print_stack_warning(void *data, char *msg)
{
}
@@ -81,6 +82,7 @@ static void
print_stack_warning_symbol(void *data, char *msg, unsigned long symbol)
{
}
+#endif
static int print_stack_stack(void *data, char *name)
{
@@ -95,8 +97,10 @@ static void print_stack_address(void *data, unsigned long addr, int reliable)
}
static const struct stacktrace_ops print_stack_ops = {
+#if defined(STAPCONF_STACKTRACE_OPS_WARNING)
.warning = print_stack_warning,
.warning_symbol = print_stack_warning_symbol,
+#endif
.stack = print_stack_stack,
.address = print_stack_address,
#if defined(STAPCONF_WALK_STACK)

30
systemtap-sdt.patch
View File

@ -1,30 +0,0 @@
From c02332052959e4213a59ce0ff40354f51506103a Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mjw@redhat.com>
Date: Wed, 6 Jul 2011 23:07:51 +0200
Subject: [PATCH] Silence sys/sdt.h comparison of unsigned expression < 0 is always false.
Some arm g++ setups would complain about the wchar_t "signedness detection":
sys/sdt.h:102: error: comparison of unsigned expression < 0 is always false
jistone said: "((T)(-1) < 1)" would still get the right boolean value,
and shouldn't trigger range errors like "unsigned is never < 0".
---
includes/sys/sdt.h | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/includes/sys/sdt.h b/includes/sys/sdt.h
index f7e1360..0a9fd40 100644
--- a/includes/sys/sdt.h
+++ b/includes/sys/sdt.h
@@ -77,7 +77,7 @@ struct __sdt_type
#define __SDT_ALWAYS_SIGNED(T) \
template<> struct __sdt_type<T> { static const bool __sdt_signed = true; };
#define __SDT_COND_SIGNED(T) \
-template<> struct __sdt_type<T> { static const bool __sdt_signed = ((T)(-1) < 0); };
+template<> struct __sdt_type<T> { static const bool __sdt_signed = ((T)(-1) < 1); };
__SDT_ALWAYS_SIGNED(signed char)
__SDT_ALWAYS_SIGNED(short)
__SDT_ALWAYS_SIGNED(int)
--
1.7.3.4