authorJosh Stone <jistone@redhat.com>2010-02-04 17:44:59 -0800
committerJosh Stone <jistone@redhat.com>2010-02-04 17:44:59 -0800
commit463d666cc53a2f9d2df0f68310d6575ccae42bfe (patch)
treee23c567c3b94aafd3eadeac8bbc8d43d309ba236
parent6462165c7a381c3eac8b097647122905f561e5a5 (diff)
Revert "PR11234: Ensure __get_argv doesn't overflow"
This reverts commit f75409719f120a3dbee66d761cf23a64092d1414.
-rw-r--r--tapset/aux_syscalls.stp26
-rw-r--r--testsuite/systemtap.base/overflow-get_argv.exp5
-rw-r--r--testsuite/systemtap.base/overflow-get_argv.stp62
3 files changed, 11 insertions, 82 deletions
diff --git a/tapset/aux_syscalls.stp b/tapset/aux_syscalls.stp
index 2d0ba210..bab0f640 100644
--- a/tapset/aux_syscalls.stp
+++ b/tapset/aux_syscalls.stp
@@ -401,20 +401,20 @@ function __sem_flags:string(semflg:long)
/* This function copies an argv from userspace. */
function __get_argv:string(a:long, first:long)
%{ /* pure */
- char __user *__user *argv = (char __user *__user *)(long)THIS->a;
+ char __user *__user *argv = (char __user *__user *)(long)THIS->a;
char __user *vstr;
int space, rc, len = MAXSTRINGLEN;
char *str = THIS->__retvalue;
char buf[80];
char *ptr = buf;
-
+
if (THIS->first && argv)
argv++;
- while (argv != NULL && len) {
+ while (argv != NULL) {
if (__stp_get_user (vstr, argv))
- break;
+ break;
if (vstr == NULL)
break;
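Review bot: Dropping `&& len` from `while (argv != NULL) {` removes the only stop on the copy loop, and together with the clamp on `rc` that the next hunk (-443) also drops (`rc = strlcpy (str, buf, len);` followed by `str += rc; len -= rc;`) the new side is the overflow PR11234 describes: strlcpy returns the full source length rather than the number of bytes it copied, so once `buf` holds more than the space left `str` moves past the end of the return buffer, `len` (an `int`) goes negative, the next iteration passes that negative value to strlcpy as a huge size_t, and `*str = 0` after the loop writes outside the buffer. The commit message does not say why the fix is being reverted; if the original change was wrong in some other way, that reason belongs in the message and a replacement bound should land with the revert rather than leaving the unbounded copy in place. Keeping `while (argv != NULL && len) {` here and `rc = min(len, (int) strlcpy (str, buf, len));` in the -443 hunk (with the `if (!len) --str;` guard before `*str = 0;` in the -455 hunk) would preserve the bound. The same three hunks recur for __get_compat_argv at -473, -504 and -516. __get_argv's body continues outside this hunk.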
@@ -443,8 +443,8 @@ function __get_argv:string(a:long, first:long)
*str++='\"';
len--;
}
-
- rc = min(len, (int) strlcpy (str, buf, len));
+
+ rc = strlcpy (str, buf, len);
str += rc;
len -= rc;
@@ -455,15 +455,13 @@ function __get_argv:string(a:long, first:long)
argv++;
}
- if (!len)
- --str;
*str = 0;
%}
/* This function copies an argv from userspace. */
function __get_compat_argv:string(a:long, first:long)
%{ /* pure */
#ifdef CONFIG_COMPAT
- compat_uptr_t __user *__user *argv = (compat_uptr_t __user *__user *)(long)THIS->a;
+ compat_uptr_t __user *__user *argv = (compat_uptr_t __user *__user *)(long)THIS->a;
compat_uptr_t __user *vstr;
int space, rc, len = MAXSTRINGLEN;
char *str = THIS->__retvalue;
@@ -473,9 +471,9 @@ function __get_compat_argv:string(a:long, first:long)
if (THIS->first && argv)
argv++;
- while (argv != NULL && len) {
+ while (argv != NULL) {
if (__stp_get_user (vstr, argv))
- break;
+ break;
if (vstr == NULL)
break;
@@ -504,8 +502,8 @@ function __get_compat_argv:string(a:long, first:long)
*str++='\"';
len--;
}
-
- rc = min(len, (int) strlcpy (str, buf, len));
+
+ rc = strlcpy (str, buf, len);
str += rc;
len -= rc;
@@ -516,8 +514,6 @@ function __get_compat_argv:string(a:long, first:long)
argv++;
}
- if (!len)
- --str;
*str = 0;
#endif
%}
diff --git a/testsuite/systemtap.base/overflow-get_argv.exp b/testsuite/systemtap.base/overflow-get_argv.exp
deleted file mode 100644
index ac7fddc5..00000000
--- a/testsuite/systemtap.base/overflow-get_argv.exp
+++ /dev/null
@@ -1,5 +0,0 @@
-# PR11234: __get_argv can overflow its return buffer
-
-set test "overflow-get_argv"
-
-stap_run $srcdir/$subdir/$test.stp no_load $all_pass_string -g -c "/bin/true /usr/bin/*"
diff --git a/testsuite/systemtap.base/overflow-get_argv.stp b/testsuite/systemtap.base/overflow-get_argv.stp
deleted file mode 100644
index 159ef4a8..00000000
--- a/testsuite/systemtap.base/overflow-get_argv.stp
+++ /dev/null
@@ -1,62 +0,0 @@
-// PR11234: __get_argv can overflow its return buffer
-
-// __get_argv has a signature like this:
-// struct function___get_argv_locals {
-// int64_t a;
-// int64_t first;
-// string_t __retvalue;
-// } function___get_argv;
-//
-// These functions are meant to have an overlap such that we can tell if
-// __get_argv overran its __retvalue.
-//
-// int64_t x;
-// int64_t y;
-// string_t z;
-// string_t __retvalue;
-//
-// NB: __retvalue[0] always gets cleared on call, but the rest should be
-// untouched, so we can use it as a sentinal.
-
-function clear:string(x:long, y:long, z:string) %{
- memset(THIS->__retvalue, 0, MAXSTRINGLEN);
-%}
-
-function check:string(x:long, y:long, z:string) %{
- int i, bad = 0;
- for (i=1; i<MAXSTRINGLEN; ++i)
- if (THIS->__retvalue[i])
- ++bad;
-
- if (bad)
- snprintf(THIS->__retvalue, MAXSTRINGLEN, "%d non-zero bytes", bad);
- else
- strlcpy(THIS->__retvalue, "ok", MAXSTRINGLEN);
-%}
-
-global result = "untested"
-
-probe syscall.execve {
- if (pid() != target())
- next
-
- clear(0, 0, "")
- foo = __get_argv($argv, 0)
- result = check(0, 0, "")
-
- // ensure that foo isn't optimized away
- if (foo == "foo")
- next
-}
-
-probe begin {
- println("systemtap starting probe")
-}
-
-probe end {
- println("systemtap ending probe")
- if (result == "ok")
- println("systemtap test success")
- else
- println("systemtap test failure: ", result)
-}