Bug 529175 - (CVE-2009-2911) CVE-2009-2911 SystemTap 1.0: Multiple denial of service flaws once --unprivileged mode is activated
CVE-2009-2911 SystemTap 1.0: Multiple denial of service flaws once --unprivil...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
http://sources.redhat.com/bugzilla/sh...
impact=low,source=redhat,public=20091...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-10-15 06:30 EDT by Jan Lieskovsky
Modified: 2009-10-27 05:26 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-10-27 05:26:54 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Limit printf arguments (1.82 KB, patch)
2009-10-19 21:55 EDT, Josh Stone
no flags Details | Diff
Limit DWARF expression stack size (4.05 KB, patch)
2009-10-19 22:01 EDT, Josh Stone
no flags Details | Diff
Unwind table size checks patch (6.72 KB, patch)
2009-10-20 15:26 EDT, Mark Wielaard
no flags Details | Diff

  None (edit)
Description Jan Lieskovsky 2009-10-15 06:30:15 EDT
Multiple denial of service flaws were found in the SystemTap
instrumentation system, when the --unprivileged mode was activated:

a, Kernel stack overflow allows local attackers to cause denial of service or execute arbitrary code via long number of parameters, provided to the print* call.

b, Kernel stack frame overflow allows local attackers to cause denial 
of service via specially-crafted user-provided DWARF information.

c, Absent check(s) for the upper bound of the size of the unwind table
   and for the upper bound of the size of each of the CIE/CFI records, could 
   allow an attacker to cause a denial of service (infinite loop).

References:
-----------
http://sources.redhat.com/bugzilla/show_bug.cgi?id=10750
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41633

Issue severity note:
--------------------
The --unprivileged mode needs to be activated by the privileged
user prior the unprivileged user could exploit these flaws.

SystemTap 1.0 in the default configuration is not shipped with
the --unprivileged mode activated, this is NOT vulnerable to 
these flaws.

Information about vulnerable versions:
--------------------------------------
These issues do NOT affect the versions of SystemTap instrumentation
system, as shipped with Red Hat Enterprise Linux 4 and 5.

These issues affect the versions of SystemTap instrumentation system,
as shipped with Fedora releases of 10 and 11. 
See also above severity note.
Comment 4 Josh Stone 2009-10-19 21:55:07 EDT
Created attachment 365293 [details]
Limit printf arguments

This patch for SystemTap enforces a limit on the number of arguments in a print call, and also forces a tighter -Wframe-larger-than constraint than the default kernel build.  This addresses all issues in sourceware #10750.
http://sourceware.org/bugzilla/show_bug.cgi?id=10750
Comment 5 Josh Stone 2009-10-19 22:01:27 EDT
Created attachment 365294 [details]
Limit DWARF expression stack size

This patch for SystemTap enforces a limit on how deep a stack can be used in the DWARF expressions that read probe variables.  It is a combination of upstream commit 85dfc5c8 which started reporting the stack size, and a new check to put an upper bound on that.
Comment 6 Mark Wielaard 2009-10-20 15:26:59 EDT
Created attachment 365413 [details]
Unwind table size checks patch

This patch adds a limit on the maximum size of the unwind tables we load this limits the amount of processing we do (scanning through the CIEs for an address in a module for which we want to backtrace). There are checks added for making sure the CIEs we find are actually inside the unwind table we are processing. And checks to make sure we only scan data until an end that falls within the same table. Finally a limit on the number of call frame instructions we process
(hardcoded at 512 atm).
Comment 8 Fedora Update System 2009-10-21 12:22:48 EDT
systemtap-1.0-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/systemtap-1.0-2.fc11
Comment 9 Fedora Update System 2009-10-21 12:22:56 EDT
systemtap-1.0-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/systemtap-1.0-2.fc10
Comment 10 Fedora Update System 2009-10-21 12:23:04 EDT
systemtap-1.0-2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/systemtap-1.0-2.fc12
Comment 11 Fedora Update System 2009-10-27 02:27:56 EDT
systemtap-1.0-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2009-10-27 03:19:58 EDT
systemtap-1.0-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.