Bug 6697 - need more access_ok() checks in runtime/tapsets
Summary: need more access_ok() checks in runtime/tapsets
Status: RESOLVED FIXED
Alias: None
Product: systemtap
Classification: Unclassified
Component: runtime
Version: unspecified
Importance: P2 critical
Target Milestone: ---
Assignee: Unassigned
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-06-25 18:27 UTC by Frank Ch. Eigler
Modified: 2013-01-17 16:15 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed:


Description Frank Ch. Eigler 2008-06-25 18:27:35 UTC
Each user_*() tapset call in conversions.stp should set_fs(USER_DS) and restore it;
each user/kernel_*() tapset or runtime type call should check the pointers with
access_ok(), redundantly if necessary.

See also bug #1288, which could be started upon with an access_ok()-based
address filtering function.

See also: https://bugzilla.redhat.com/show_bug.cgi?id=452759
Comment 1 Masami Hiramatsu 2008-06-25 20:04:15 UTC
On ia64, access_ok() is defined as below:

#define __access_ok(addr, size, segment)                                         \
({                                                                               \
        __chk_user_ptr(addr);                                                    \
        (likely((unsigned long) (addr) <= (segment).seg)                         \
         && ((segment).seg == KERNEL_DS.seg                                      \
             || likely(REGION_OFFSET((unsigned long) (addr)) < RGN_MAP_LIMIT))); \
})
#define access_ok(type, addr, size)     __access_ok((addr), (size), get_fs())

and KERNEL_DS.seg = 0xffffffffffffffff

This means that if we set segment=KERNEL_DS, access_ok() always returns 1. :-(
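The following is an added example, not code from the bug report, systemtap, or the Linux kernel. It is a user-space model of the ia64 __access_ok() macro quoted in comment 1, written to show why the set_fs(USER_DS) discipline asked for in the description matters: with the segment set to KERNEL_DS (seg = ~0), both halves of the macro are satisfied for any address, so an access_ok() check added at that point filters nothing, while the same check under USER_DS rejects kernel-region and over-limit addresses. The macro structure is transcribed from the comment; the USER_DS limit, RGN_MAP_LIMIT value and sample addresses are constructed for illustration and are not the kernel's real constants.

```c
/* Added example: user-space model of the ia64 __access_ok() macro quoted
 * above. Not systemtap or kernel code. Constants marked "assumed" are
 * illustrative and do not claim to be the kernel's real values. */
#include <stdint.h>
#include <stdio.h>

typedef struct { uint64_t seg; } mm_segment_t;

/* From the page: KERNEL_DS.seg = 0xffffffffffffffff. */
#define KERNEL_DS ((mm_segment_t){ UINT64_C(0xffffffffffffffff) })
/* Assumed: a user segment limit just below a TASK_SIZE-like boundary. */
#define USER_DS   ((mm_segment_t){ UINT64_C(0xa000000000000000) - 1 })

/* ia64 region number is the top 3 bits; REGION_OFFSET is the remaining 61. */
#define REGION_OFFSET(x) ((x) & ((UINT64_C(1) << 61) - 1))
/* Assumed: per-region mapped limit (illustrative value). */
#define RGN_MAP_LIMIT    (UINT64_C(1) << 52)

static mm_segment_t current_fs = USER_DS;
static mm_segment_t get_fs(void) { return current_fs; }
static void set_fs(mm_segment_t s) { current_fs = s; }

/* Transcription of the quoted __access_ok(): __chk_user_ptr() is a sparse
 * annotation with no runtime effect and likely() is only a branch hint,
 * so both are dropped. Note that size is never consulted. */
static int model_access_ok(uint64_t addr, mm_segment_t segment)
{
    return (addr <= segment.seg)
        && (segment.seg == KERNEL_DS.seg
            || REGION_OFFSET(addr) < RGN_MAP_LIMIT);
}

static int access_ok(uint64_t addr, uint64_t size)
{
    (void)size;
    return model_access_ok(addr, get_fs());
}

/* Count how many addresses pass access_ok() with fs set to KERNEL_DS.
 * Restores USER_DS afterwards, as the description asks the tapsets to do. */
static int count_accepted_kernel_ds(const uint64_t *addrs, int n)
{
    int accepted = 0;
    set_fs(KERNEL_DS);
    for (int i = 0; i < n; i++)
        accepted += access_ok(addrs[i], 1);
    set_fs(USER_DS);
    return accepted;
}

/* Same addresses, fs set to USER_DS. */
static int count_accepted_user_ds(const uint64_t *addrs, int n)
{
    int accepted = 0;
    set_fs(USER_DS);
    for (int i = 0; i < n; i++)
        accepted += access_ok(addrs[i], 1);
    return accepted;
}

/* Constructed sample addresses (not taken from any real system). */
static const uint64_t sample_addrs[] = {
    UINT64_C(0x2000000000010000),  /* region 1, small offset: ordinary user data */
    UINT64_C(0x3000000000000000),  /* region 1, offset (bit 60) beyond RGN_MAP_LIMIT */
    UINT64_C(0xe000000000000000),  /* region 7: kernel identity-mapped area */
    UINT64_C(0x0),                 /* NULL: in range, so access_ok() passes it */
};
#define N_SAMPLES ((int)(sizeof sample_addrs / sizeof sample_addrs[0]))

int main(void)
{
    printf("accepted under KERNEL_DS: %d of %d\n",
           count_accepted_kernel_ds(sample_addrs, N_SAMPLES), N_SAMPLES);
    printf("accepted under USER_DS:   %d of %d\n",
           count_accepted_user_ds(sample_addrs, N_SAMPLES), N_SAMPLES);
    return 0;
}
```

Under KERNEL_DS every sample is accepted, including the kernel-region address; under USER_DS only the two in-range, under-limit addresses pass. The NULL case is a reminder that access_ok() is a range check against the current segment, not a test that the page is mapped, so the fault-tolerant copy itself still has to handle an unmapped pointer.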
Comment 2 Frank Ch. Eigler 2013-01-17 16:15:43 UTC
Recent loc2c changes do this.