Fix for CVE-2009-0784: stapusr module-path checking race

* runtime/staprun/staprun_funcs.c (check_path): Save fully
  canonicalized and checked module path for later loading.

diff --git a/runtime/staprun/staprun_funcs.c b/runtime/staprun/staprun_funcs.c
index 5e7fa10256f2819b93fad57acfb75f62ca086674..e94e5d1337d0ea18cca7a0848d0c09cf1d15aff2 100644 (file)
--- a/runtime/staprun/staprun_funcs.c
+++ b/runtime/staprun/staprun_funcs.c
@@ -269,6 +269,15 @@ check_path(void)
                return -1;
        }
 
+        /* Overwrite the modpath with the canonicalized one, to defeat
+           a possible race between path checking below and somewhat later
+           module loading. */
+        modpath = strdup (module_realpath);
+        if (modpath == NULL) {
+               _perr("allocating memory failed");
+                exit (1);
+        }
+
        /* To make sure the user can't specify something like
         * /lib/modules/`uname -r`/systemtapmod.ko, put a '/' on the
         * end of staplib_dir_realpath. */