CVE-2010-4170 and CVE-2010-4171 fix.

This commit is contained in:
David Smith 2010-11-16 14:28:25 -06:00
parent 3031bf90d6
commit f55661b0d7
2 changed files with 126 additions and 4 deletions

115
rhbz653606,653604.patch Normal file
View File

@ -0,0 +1,115 @@
diff --git a/runtime/staprun/staprun.c b/runtime/staprun/staprun.c
index d72e335..ca245e3 100644
--- a/runtime/staprun/staprun.c
+++ b/runtime/staprun/staprun.c
@@ -119,19 +119,7 @@ static int enable_uprobes(void)
if (run_as(0, uid, gid, argv[0], argv) == 0)
return 0;
- /*
- * TODO: If user can't setresuid to root here, staprun will exit.
- * Is there a situation where that would fail but the subsequent
- * attempt to insert_module() would succeed?
- */
- dbug(2, "Inserting uprobes module from /lib/modules, if any.\n");
- i = 0;
- argv[i++] = "/sbin/modprobe";
- argv[i++] = "-q";
- argv[i++] = "uprobes";
- argv[i] = NULL;
- if (run_as(0, 0, 0, argv[0], argv) == 0)
- return 0;
+ /* NB: don't use /sbin/modprobe, without more env. sanitation. */
/* This module may be signed, so use insert_module to load it. */
snprintf (runtimeko, sizeof(runtimeko), "%s/uprobes/uprobes.ko",
@@ -190,9 +178,16 @@ static int remove_module(const char *name, int verb)
return 0;
}
- /* We could call init_ctl_channel / close_ctl_channel here, as a heuristic
- to determine whether the module is being used by some other stapio process.
- However, delete_module() does basically the same thing. */
+ /* We call init_ctl_channel/close_ctl_channel to check whether
+ the module is a systemtap-built one (having the right files),
+ and that it's already unattached (because otherwise it'd EBUSY
+ the opens. */
+ ret = init_ctl_channel (name, 0);
+ if (ret < 0) {
+ err("Error, '%s' is not a zombie systemtap module.\n", name);
+ return ret;
+ }
+ close_ctl_channel ();
dbug(2, "removing module %s\n", name);
STAP_PROBE1(staprun, remove__module, name);
@@ -227,7 +222,7 @@ int init_staprun(void)
without first removing the kernel module. This would block
a subsequent rerun attempt. So here we gingerly try to
unload it first. */
- int ret = delete_module (modname, O_NONBLOCK);
+ int ret = remove_module (modname, 0);
err("Retrying, after attempted removal of module %s (rc %d)\n", modname, ret);
/* Then we try an insert a second time. */
if (insert_stap_module() < 0)
diff --git a/README.security b/README.security
index 124ad8d..998bf3d 100644
--- a/README.security
+++ b/README.security
@@ -15,7 +15,7 @@ following:
* the root user;
- * a member of the 'stapdev' group; or
+ * a member of both 'stapdev' and 'stapusr' groups; or
* a member of the 'stapusr' group. Members of the stapusr group can
only use modules located in the /lib/modules/VERSION/systemtap
@@ -23,8 +23,8 @@ following:
directory must be owned by root and not be world writable.
So, there are two classes of users: systemtap developers (the root user
-and members of the stapdev group) and systemtap users (members of the
-stapusr group). Systemtap developers can compile and run any
+and members of the stapdev/stapusr groups) and systemtap users (members of
+only the stapusr group). Systemtap developers can compile and run any
systemtap script. Systemtap users can only run "approved"
pre-compiled modules located in /lib/modules/VERSION/systemtap.
diff --git a/staprun.8 b/staprun.8
index f4a5a08..7523031 100644
--- a/staprun.8
+++ b/staprun.8
@@ -205,14 +205,14 @@ structures and potentially private user information. See the
.IR stap (1)
manual page for additional information on safety and security.
.PP
-To increase system security, only the root user and members of the
-.I stapdev
-group can use
+To increase system security, only the root user and members of both
+.I stapdev " and " staprun
+groups can use
.I staprun
to insert systemtap modules (or attach to existing ones).
Members of the
.I stapusr
-group can use
+group only can use
.I staprun
to insert or remove systemtap modules (or attach to existing systemtap modules)
under the following conditions:
diff --git a/runtime/staprun/ctl.c b/runtime/staprun/ctl.c
index 335006e..8baf0db 100644
--- a/runtime/staprun/ctl.c
+++ b/runtime/staprun/ctl.c
@@ -27,6 +27,9 @@ int init_ctl_channel(const char *name, int verb)
return -2;
}
+ if (access(buf, R_OK|W_OK) != 0)
+ return -5;
+
control_channel = open(buf, O_RDWR);
dbug(2, "Opened %s (%d)\n", buf, control_channel);
if (control_channel < 0) {

View File

@ -16,7 +16,7 @@
Name: systemtap Name: systemtap
Version: 1.3 Version: 1.3
Release: 2%{?dist} Release: 3%{?dist}
# for version, see also configure.ac # for version, see also configure.ac
Summary: Instrumentation System Summary: Instrumentation System
Group: Development/System Group: Development/System
@ -24,6 +24,8 @@ License: GPLv2+
URL: http://sourceware.org/systemtap/ URL: http://sourceware.org/systemtap/
Source: ftp://sourceware.org/pub/%{name}/releases/%{name}-%{version}.tar.gz Source: ftp://sourceware.org/pub/%{name}/releases/%{name}-%{version}.tar.gz
#Patch1 is elfutils-portability.patch below
Patch2: rhbz653606,653604.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: kernel >= 2.6.9-11 Requires: kernel >= 2.6.9-11
@ -189,6 +191,7 @@ sleep 1
find . \( -name configure -o -name config.h.in \) -print | xargs touch find . \( -name configure -o -name config.h.in \) -print | xargs touch
cd .. cd ..
%endif %endif
%patch2 -p1
%build %build
@ -270,10 +273,10 @@ mv $RPM_BUILD_ROOT%{_datadir}/doc/systemtap/examples examples
# Fix paths in the example & testsuite scripts # Fix paths in the example & testsuite scripts
find examples testsuite -type f -name '*.stp' -print0 | xargs -0 sed -i -r -e '1s@^#!.+stap@#!%{_bindir}/stap@' find examples testsuite -type f -name '*.stp' -print0 | xargs -0 sed -i -r -e '1s@^#!.+stap@#!%{_bindir}/stap@'
# Because "make install" may install staprun with mode 04111, the # Because "make install" may install staprun with whatever mode, the
# post-processing programs rpmbuild runs won't be able to read it. # post-processing programs rpmbuild runs won't be able to read it.
# So, we change permissions so that they can read it. We'll set the # So, we change permissions so that they can read it. We'll set the
# permissions back to 04111 in the %files section below. # permissions back to 04110 in the %files section below.
chmod 755 $RPM_BUILD_ROOT%{_bindir}/staprun chmod 755 $RPM_BUILD_ROOT%{_bindir}/staprun
#install the useful stap-prep script #install the useful stap-prep script
@ -432,7 +435,7 @@ exit 0
%files runtime %files runtime
%defattr(-,root,root) %defattr(-,root,root)
%attr(4111,root,root) %{_bindir}/staprun %attr(4110,root,stapusr) %{_bindir}/staprun
%{_bindir}/stap-report %{_bindir}/stap-report
%{_bindir}/stap-authorize-signing-cert %{_bindir}/stap-authorize-signing-cert
%{_libexecdir}/%{name}/stapio %{_libexecdir}/%{name}/stapio
@ -511,6 +514,10 @@ exit 0
%changelog %changelog
* Tue Nov 16 2010 David Smith <dsmith@redhat.com> - 1.3-3
- CVE-2010-4170
- CVE-2010-4171
* Wed Jul 21 2010 Josh Stone <jistone@redhat.com> - 1.3-2 * Wed Jul 21 2010 Josh Stone <jistone@redhat.com> - 1.3-2
- Disable crash on ppc. - Disable crash on ppc.