Red Hat Bugzilla – Bug 529175
CVE-2009-2911 SystemTap 1.0: Multiple denial of service flaws once --unprivileged mode is activated
Last modified: 2009-10-27 05:26:54 EDT
Multiple denial of service flaws were found in the SystemTap
instrumentation system, when the --unprivileged mode was activated:
a, Kernel stack overflow allows local attackers to cause denial of service or execute arbitrary code via long number of parameters, provided to the print* call.
b, Kernel stack frame overflow allows local attackers to cause denial
of service via specially-crafted user-provided DWARF information.
c, Absent check(s) for the upper bound of the size of the unwind table
and for the upper bound of the size of each of the CIE/CFI records, could
allow an attacker to cause a denial of service (infinite loop).
Issue severity note:
The --unprivileged mode needs to be activated by the privileged
user prior the unprivileged user could exploit these flaws.
SystemTap 1.0 in the default configuration is not shipped with
the --unprivileged mode activated, this is NOT vulnerable to
Information about vulnerable versions:
These issues do NOT affect the versions of SystemTap instrumentation
system, as shipped with Red Hat Enterprise Linux 4 and 5.
These issues affect the versions of SystemTap instrumentation system,
as shipped with Fedora releases of 10 and 11.
See also above severity note.
Created attachment 365293 [details]
Limit printf arguments
This patch for SystemTap enforces a limit on the number of arguments in a print call, and also forces a tighter -Wframe-larger-than constraint than the default kernel build. This addresses all issues in sourceware #10750.
Created attachment 365294 [details]
Limit DWARF expression stack size
This patch for SystemTap enforces a limit on how deep a stack can be used in the DWARF expressions that read probe variables. It is a combination of upstream commit 85dfc5c8 which started reporting the stack size, and a new check to put an upper bound on that.
Created attachment 365413 [details]
Unwind table size checks patch
This patch adds a limit on the maximum size of the unwind tables we load this limits the amount of processing we do (scanning through the CIEs for an address in a module for which we want to backtrace). There are checks added for making sure the CIEs we find are actually inside the unwind table we are processing. And checks to make sure we only scan data until an end that falls within the same table. Finally a limit on the number of call frame instructions we process
(hardcoded at 512 atm).
systemtap-1.0-2.fc11 has been submitted as an update for Fedora 11.
systemtap-1.0-2.fc10 has been submitted as an update for Fedora 10.
systemtap-1.0-2.fc12 has been submitted as an update for Fedora 12.
systemtap-1.0-2.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
systemtap-1.0-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.