Multiple denial of service flaws were found in the SystemTap instrumentation system, when the --unprivileged mode was activated: a, Kernel stack overflow allows local attackers to cause denial of service or execute arbitrary code via long number of parameters, provided to the print* call. b, Kernel stack frame overflow allows local attackers to cause denial of service via specially-crafted user-provided DWARF information. c, Absent check(s) for the upper bound of the size of the unwind table and for the upper bound of the size of each of the CIE/CFI records, could allow an attacker to cause a denial of service (infinite loop). References: ----------- http://sources.redhat.com/bugzilla/show_bug.cgi?id=10750 http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41633 Issue severity note: -------------------- The --unprivileged mode needs to be activated by the privileged user prior the unprivileged user could exploit these flaws. SystemTap 1.0 in the default configuration is not shipped with the --unprivileged mode activated, this is NOT vulnerable to these flaws. Information about vulnerable versions: -------------------------------------- These issues do NOT affect the versions of SystemTap instrumentation system, as shipped with Red Hat Enterprise Linux 4 and 5. These issues affect the versions of SystemTap instrumentation system, as shipped with Fedora releases of 10 and 11. See also above severity note.
Created attachment 365293 [details] Limit printf arguments This patch for SystemTap enforces a limit on the number of arguments in a print call, and also forces a tighter -Wframe-larger-than constraint than the default kernel build. This addresses all issues in sourceware #10750. http://sourceware.org/bugzilla/show_bug.cgi?id=10750
Created attachment 365294 [details] Limit DWARF expression stack size This patch for SystemTap enforces a limit on how deep a stack can be used in the DWARF expressions that read probe variables. It is a combination of upstream commit 85dfc5c8 which started reporting the stack size, and a new check to put an upper bound on that.
Created attachment 365413 [details] Unwind table size checks patch This patch adds a limit on the maximum size of the unwind tables we load this limits the amount of processing we do (scanning through the CIEs for an address in a module for which we want to backtrace). There are checks added for making sure the CIEs we find are actually inside the unwind table we are processing. And checks to make sure we only scan data until an end that falls within the same table. Finally a limit on the number of call frame instructions we process (hardcoded at 512 atm).
systemtap-1.0-2.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/systemtap-1.0-2.fc11
systemtap-1.0-2.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/systemtap-1.0-2.fc10
systemtap-1.0-2.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/systemtap-1.0-2.fc12
systemtap-1.0-2.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
systemtap-1.0-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.