From f55661b0d7a5e0f0e2755138ed332620a00f7ec0 Mon Sep 17 00:00:00 2001
From: David Smith
Date: Tue, 16 Nov 2010 14:28:25 -0600
Subject: [PATCH] CVE-2010-4170 and CVE-2010-4171 fix.
---
 rhbz653606,653604.patch | 115 ++++++++++++++++++++++++++++++++++++++++
 systemtap.spec | 15 ++++--
 2 files changed, 126 insertions(+), 4 deletions(-)
 create mode 100644 rhbz653606,653604.patch
diff --git a/rhbz653606,653604.patch b/rhbz653606,653604.patch
new file mode 100644
index 0000000..dbd9690
--- /dev/null
+++ b/rhbz653606,653604.patch
@@ -0,0 +1,115 @@
+diff --git a/runtime/staprun/staprun.c b/runtime/staprun/staprun.c
+index d72e335..ca245e3 100644
+--- a/runtime/staprun/staprun.c
++++ b/runtime/staprun/staprun.c
+@@ -119,19 +119,7 @@ static int enable_uprobes(void)
+ if (run_as(0, uid, gid, argv[0], argv) == 0)
+ return 0;
+
+- /*
+- * TODO: If user can't setresuid to root here, staprun will exit.
+- * Is there a situation where that would fail but the subsequent
+- * attempt to insert_module() would succeed?
+- */
+- dbug(2, "Inserting uprobes module from /lib/modules, if any.\n");
+- i = 0;
+- argv[i++] = "/sbin/modprobe";
+- argv[i++] = "-q";
+- argv[i++] = "uprobes";
+- argv[i] = NULL;
+- if (run_as(0, 0, 0, argv[0], argv) == 0)
+- return 0;
++ /* NB: don't use /sbin/modprobe, without more env. sanitation. */
+
+ /* This module may be signed, so use insert_module to load it. */
+ snprintf (runtimeko, sizeof(runtimeko), "%s/uprobes/uprobes.ko",
+@@ -190,9 +178,16 @@ static int remove_module(const char *name, int verb)
+ return 0;
+ }
+
+- /* We could call init_ctl_channel / close_ctl_channel here, as a heuristic
+- to determine whether the module is being used by some other stapio process.
+- However, delete_module() does basically the same thing. */
++ /* We call init_ctl_channel/close_ctl_channel to check whether
++ the module is a systemtap-built one (having the right files),
++ and that it's already unattached (because otherwise it'd EBUSY
++ the opens. */
++ ret = init_ctl_channel (name, 0);
++ if (ret < 0) {
++ err("Error, '%s' is not a zombie systemtap module.\n", name);
++ return ret;
++ }
++ close_ctl_channel ();
+
+ dbug(2, "removing module %s\n", name);
+ STAP_PROBE1(staprun, remove__module, name);
+@@ -227,7 +222,7 @@ int init_staprun(void)
+ without first removing the kernel module. This would block
+ a subsequent rerun attempt. So here we gingerly try to
+ unload it first. */
+- int ret = delete_module (modname, O_NONBLOCK);
++ int ret = remove_module (modname, 0);
+ err("Retrying, after attempted removal of module %s (rc %d)\n", modname, ret);
+ /* Then we try an insert a second time. */
+ if (insert_stap_module() < 0)
+diff --git a/README.security b/README.security
+index 124ad8d..998bf3d 100644
+--- a/README.security
++++ b/README.security
+@@ -15,7 +15,7 @@ following:
+
+ * the root user;
+
+- * a member of the 'stapdev' group; or
++ * a member of both 'stapdev' and 'stapusr' groups; or
+
+ * a member of the 'stapusr' group. Members of the stapusr group can
+ only use modules located in the /lib/modules/VERSION/systemtap
+@@ -23,8 +23,8 @@ following:
+ directory must be owned by root and not be world writable.
+
+ So, there are two classes of users: systemtap developers (the root user
+-and members of the stapdev group) and systemtap users (members of the
+-stapusr group). Systemtap developers can compile and run any
++and members of the stapdev/stapusr groups) and systemtap users (members of
++only the stapusr group). Systemtap developers can compile and run any
+ systemtap script. Systemtap users can only run "approved"
+ pre-compiled modules located in /lib/modules/VERSION/systemtap.
+
+diff --git a/staprun.8 b/staprun.8
+index f4a5a08..7523031 100644
+--- a/staprun.8
++++ b/staprun.8
+@@ -205,14 +205,14 @@ structures and potentially private user information. See the
+ .IR stap (1)
+ manual page for additional information on safety and security.
+ .PP
+-To increase system security, only the root user and members of the
+-.I stapdev
+-group can use
++To increase system security, only the root user and members of both
++.I stapdev " and " staprun
++groups can use
+ .I staprun
+ to insert systemtap modules (or attach to existing ones).
+ Members of the
+ .I stapusr
+-group can use
++group only can use
+ .I staprun
+ to insert or remove systemtap modules (or attach to existing systemtap modules)
+ under the following conditions:
+diff --git a/runtime/staprun/ctl.c b/runtime/staprun/ctl.c
+index 335006e..8baf0db 100644
+--- a/runtime/staprun/ctl.c
++++ b/runtime/staprun/ctl.c
+@@ -27,6 +27,9 @@ int init_ctl_channel(const char *name, int verb)
+ return -2;
+ }
+
++ if (access(buf, R_OK|W_OK) != 0)
++ return -5;
++
+ control_channel = open(buf, O_RDWR);
+ dbug(2, "Opened %s (%d)\n", buf, control_channel);
+ if (control_channel < 0) {
diff --git a/systemtap.spec b/systemtap.spec
index 972068a..bc7f08f 100644
--- a/systemtap.spec
+++ b/systemtap.spec
@@ -16,7 +16,7 @@
 Name: systemtap
 Version: 1.3
-Release: 2%{?dist}
+Release: 3%{?dist}
 # for version, see also configure.ac
 Summary: Instrumentation System
 Group: Development/System
@@ -24,6 +24,8 @@
 License: GPLv2+
 URL: http://sourceware.org/systemtap/
 Source: ftp://sourceware.org/pub/%{name}/releases/%{name}-%{version}.tar.gz
+#Patch1 is elfutils-portability.patch below
+Patch2: rhbz653606,653604.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: kernel >= 2.6.9-11
@@ -189,6 +191,7 @@ sleep 1
 find . \( -name configure -o -name config.h.in \) -print | xargs touch
 cd ..
 %endif
+%patch2 -p1
 %build
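Review bot: `if (access(buf, R_OK|W_OK) != 0) return -5;` in init_ctl_channel evaluates the path against the caller's real uid/gid, but the `open(buf, O_RDWR)` two lines later still runs with staprun's effective privileges, so the permission decision and the actual open are two separate path lookups (a check-then-use window, CERT FIO45-C); buf is built outside the hunk, so whether an unprivileged user can influence that path cannot be judged from here. A tighter shape is to open first and validate the descriptor with fstat() (owner, mode, file type), or to perform the open with the effective uid temporarily switched to the real uid so the kernel applies the caller's permissions atomically; init_ctl_channel's body starts and ends outside the hunk. Separately, staprun.8 now reads `.I stapdev " and " staprun`, naming a "staprun" group, whereas README.security and the spec's `%attr(4110,root,stapusr)` in this same commit use the stapusr group, so the man page line should read `.I stapdev " and " stapusr`. The new remove_module comment also leaves a parenthesis unclosed, `(because otherwise it'd EBUSY the opens.`; a `)` before the final period fixes it.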
@@ -270,10 +273,10 @@ mv $RPM_BUILD_ROOT%{_datadir}/doc/systemtap/examples examples
 # Fix paths in the example & testsuite scripts
 find examples testsuite -type f -name '*.stp' -print0 | xargs -0 sed -i -r -e '1s@^#!.+stap@#!%{_bindir}/stap@'
-# Because "make install" may install staprun with mode 04111, the
+# Because "make install" may install staprun with whatever mode, the
 # post-processing programs rpmbuild runs won't be able to read it.
 # So, we change permissions so that they can read it. We'll set the
-# permissions back to 04111 in the %files section below.
+# permissions back to 04110 in the %files section below.
 chmod 755 $RPM_BUILD_ROOT%{_bindir}/staprun
 #install the useful stap-prep script
@@ -432,7 +435,7 @@ exit 0
 %files runtime
 %defattr(-,root,root)
-%attr(4111,root,root) %{_bindir}/staprun
+%attr(4110,root,stapusr) %{_bindir}/staprun
 %{_bindir}/stap-report
 %{_bindir}/stap-authorize-signing-cert
 %{_libexecdir}/%{name}/stapio
@@ -511,6 +514,10 @@ exit 0
 %changelog
+* Tue Nov 16 2010 David Smith - 1.3-3
+- CVE-2010-4170
+- CVE-2010-4171
+
 * Wed Jul 21 2010 Josh Stone - 1.3-2
 - Disable crash on ppc.
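Review bot: `%attr(4110,root,stapusr) %{_bindir}/staprun` relies on the stapusr group existing on the target system before the runtime package's files are laid down; when the named group is missing, rpm typically warns and falls back to root as the owner group, so the group-execute-only restriction this fix depends on silently degrades to a root-only binary. Whether a %pre scriptlet already creates the group is outside this hunk, so this may already be handled; if not, the package that owns staprun needs something like `getent group stapusr >/dev/null || groupadd -r stapusr` in its %pre. It would also help to state the intent next to the %attr line, e.g. `# 4110: setuid, execute-only, and only for members of stapusr (no read bit, no world access)`, since the rationale currently lives only in the %install comment in the hunk at line 273.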