dev-util/systemtap/files/systemtap-1.0-CVE-2009-2911-unwind.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183

https://bugzilla.redhat.com/show_bug.cgi?id=529175
https://bugzilla.redhat.com/attachment.cgi?id=365413

diff --git a/runtime/unwind.c b/runtime/unwind.c
index 00108a3..7607770 100644
--- a/runtime/unwind.c
+++ b/runtime/unwind.c
@@ -88,7 +88,7 @@ static sleb128_t get_sleb128(const u8 **pcur, const u8 *end)
 
 /* given an FDE, find its CIE */
 static const u32 *cie_for_fde(const u32 *fde, void *unwind_data,
-			      int is_ehframe)
+			      uint32_t table_len, int is_ehframe)
 {
 	const u32 *cie;
 
@@ -118,6 +118,11 @@ static const u32 *cie_for_fde(const u32 *fde, void *unwind_data,
 	else
 		cie = unwind_data + fde[1];
 
+	/* Make sure address falls in the table */
+	if (((void *)cie) < ((void*)unwind_data)
+	    || ((void*)cie) > ((void*)(unwind_data + table_len)))
+	  return NULL;
+
 	if (*cie <= sizeof(*cie) + 4 || *cie >= fde[1] - sizeof(*fde)
 	    || (*cie & (sizeof(*cie) - 1))
 	    || (cie[1] != 0xffffffff && cie[1] != 0)) {
@@ -200,7 +205,8 @@ static unsigned long read_pointer(const u8 **pLoc, const void *end, signed ptrTy
 	return value;
 }
 
-static signed fde_pointer_type(const u32 *cie)
+static signed fde_pointer_type(const u32 *cie, void *unwind_data,
+			       uint32_t table_len)
 {
 	const u8 *ptr = (const u8 *)(cie + 2);
 	unsigned version = *ptr;
@@ -212,11 +218,16 @@ static signed fde_pointer_type(const u32 *cie)
 		const u8 *end = (const u8 *)(cie + 1) + *cie;
 		uleb128_t len;
 
+		/* end of cie should fall within unwind table. */
+		if (((void*)end) < ((void *)unwind_data)
+		    || ((void *)end) > ((void *)(unwind_data + table_len)))
+		  return -1;
+
 		/* check if augmentation size is first (and thus present) */
 		if (*ptr != 'z')
 			return -1;
 		/* check if augmentation string is nul-terminated */
-		if ((ptr = memchr(aug = (const void *)ptr, 0, end - ptr)) == NULL)
+		if ((ptr = memchr(aug = (const void *)ptr, 0, end - ptr)) == NULL) 
 			return -1;
 		++ptr;		/* skip terminator */
 		get_uleb128(&ptr, end);	/* skip code alignment */
@@ -267,6 +278,10 @@ static void set_rule(uleb128_t reg, enum item_location where, uleb128_t value, s
 	}
 }
 
+/* Limit the number of instructions we process. Arbitrary limit.
+   512 should be enough for anybody... */
+#define MAX_CFI 512
+
 static int processCFI(const u8 *start, const u8 *end, unsigned long targetLoc, signed ptrType, struct unwind_state *state)
 {
 	union {
@@ -276,6 +291,9 @@ static int processCFI(const u8 *start, const u8 *end, unsigned long targetLoc, s
 	} ptr;
 	int result = 1;
 
+	if (end - start > MAX_CFI)
+	  return 0;
+
 	dbug_unwind(1, "targetLoc=%lx state->loc=%lx\n", targetLoc, state->loc);
 	if (start != state->cieStart) {
 		state->loc = state->org;
@@ -606,10 +624,10 @@ static int unwind_frame(struct unwind_frame_info *frame,
 
 	/* found the fde, now set startLoc and endLoc */
 	if (fde != NULL) {
-		cie = cie_for_fde(fde, table, is_ehframe);
+		cie = cie_for_fde(fde, table, table_len, is_ehframe);
 		if (likely(cie != NULL && cie != &bad_cie && cie != &not_fde)) {
 			ptr = (const u8 *)(fde + 2);
-			ptrType = fde_pointer_type(cie);
+			ptrType = fde_pointer_type(cie, table, table_len);
 			startLoc = read_pointer(&ptr, (const u8 *)(fde + 1) + *fde, ptrType);
 			startLoc = adjustStartLoc(startLoc, m, s, ptrType, is_ehframe);
 
@@ -632,12 +650,12 @@ static int unwind_frame(struct unwind_frame_info *frame,
 	    for (fde = table, tableSize = table_len; cie = NULL, tableSize > sizeof(*fde)
 		 && tableSize - sizeof(*fde) >= *fde; tableSize -= sizeof(*fde) + *fde, fde += 1 + *fde / sizeof(*fde)) {
 			dbug_unwind(3, "fde=%lx tableSize=%d\n", (long)*fde, (int)tableSize);
-			cie = cie_for_fde(fde, table, is_ehframe);
+			cie = cie_for_fde(fde, table, table_len, is_ehframe);
 			if (cie == &bad_cie) {
 				cie = NULL;
 				break;
 			}
-			if (cie == NULL || cie == &not_fde || (ptrType = fde_pointer_type(cie)) < 0)
+			if (cie == NULL || cie == &not_fde || (ptrType = fde_pointer_type(cie, table, table_len)) < 0)
 				continue;
 
 			ptr = (const u8 *)(fde + 2);
@@ -666,6 +684,12 @@ static int unwind_frame(struct unwind_frame_info *frame,
 	state.cieEnd = ptr;	/* keep here temporarily */
 	ptr = (const u8 *)(cie + 2);
 	end = (const u8 *)(cie + 1) + *cie;
+
+	/* end should fall within unwind table. */
+	if (((void *)end) < table
+	    || ((void *)end) > ((void *)(table + table_len)))
+	  goto err;
+
 	frame->call_frame = 1;
 	if ((state.version = *ptr) != 1) {
 		dbug_unwind(1, "CIE version number is %d.  1 is supported.\n", state.version);
@@ -723,6 +747,11 @@ static int unwind_frame(struct unwind_frame_info *frame,
 	state.cieEnd = end;
 	end = (const u8 *)(fde + 1) + *fde;
 
+	/* end should fall within unwind table. */
+	if (((void*)end) < table
+	    || ((void *)end) > ((void *)(table + table_len)))
+	  goto err;
+
 	/* skip augmentation */
 	if (((const char *)(cie + 2))[1] == 'z') {
 		uleb128_t augSize = get_uleb128(&ptr, end);
diff --git a/runtime/unwind/unwind.h b/runtime/unwind/unwind.h
index 285a3a3..023ea60 100644
--- a/runtime/unwind/unwind.h
+++ b/runtime/unwind/unwind.h
@@ -143,8 +143,10 @@ static unsigned long read_pointer(const u8 **pLoc,
                                   const void *end,
                                   signed ptrType);
 static const u32 bad_cie, not_fde;
-static const u32 *cie_for_fde(const u32 *fde, void *table, int is_ehframe);
-static signed fde_pointer_type(const u32 *cie);
+static const u32 *cie_for_fde(const u32 *fde, void *table,
+			      uint32_t table_len, int is_ehframe);
+static signed fde_pointer_type(const u32 *cie,
+			       void *table, uint32_t table_len);
 
 
 #endif /* STP_USE_DWARF_UNWINDER */
diff --git a/translate.cxx b/translate.cxx
index bc5d615..9d456bc 100644
--- a/translate.cxx
+++ b/translate.cxx
@@ -29,6 +29,11 @@ extern "C" {
 #include <elfutils/libdwfl.h>
 }
 
+// Max unwind table size (debug or eh) per module. Somewhat arbitrary
+// limit (a bit more than twice the .debug_frame size of my local
+// vmlinux for 2.6.31.4-83.fc12.x86_64)
+#define MAX_UNWIND_TABLE_SIZE (3 * 1024 * 1024)
+
 using namespace std;
 
 struct var;
@@ -4785,6 +4790,9 @@ dump_unwindsyms (Dwfl_Module *m,
   get_unwind_data (m, &debug_frame, &eh_frame, &debug_len, &eh_len, &eh_addr);
   if (debug_frame != NULL && debug_len > 0)
     {
+      if (debug_len > MAX_UNWIND_TABLE_SIZE)
+	throw semantic_error ("module debug unwind table size too big");
+
       c->output << "#if defined(STP_USE_DWARF_UNWINDER) && defined(STP_NEED_UNWIND_DATA)\n";
       c->output << "static uint8_t _stp_module_" << stpmod_idx
 		<< "_debug_frame[] = \n";
@@ -4802,6 +4810,9 @@ dump_unwindsyms (Dwfl_Module *m,
 
   if (eh_frame != NULL && eh_len > 0)
     {
+      if (eh_len > MAX_UNWIND_TABLE_SIZE)
+	throw semantic_error ("module eh unwind table size too big");
+
       c->output << "#if defined(STP_USE_DWARF_UNWINDER) && defined(STP_NEED_UNWIND_DATA)\n";
       c->output << "static uint8_t _stp_module_" << stpmod_idx
 		<< "_eh_frame[] = \n";