Josh Stone [Tue, 16 Aug 2011 00:30:17 +0000 (17:30 -0700)]
Add a compat #define FIELD_SIZEOF
This was added in kernel 2.6.18. RHEL4 backported this definition, but
it was reported missing in another enterprise distro. It's an easy
one-line definition to add for compatibility though.
Mark Wielaard [Sun, 14 Aug 2011 21:07:46 +0000 (23:07 +0200)]
Implement and use select to wait for cmd channel data.
Add a poll implementation to runtime/transport/control.c
(_stp_ctl_poll_cmd) based on the _stp_ctl_ready_q wait queue.
Check whether select is supported in runtime/staprun/mainloop.c
(stp_main_loop) and use pselect with a sigmask that includes
SIGURG to get EINTR notifications whenever an interruptible
event occurred.
Mark Wielaard [Fri, 12 Aug 2011 17:34:20 +0000 (19:34 +0200)]
Remove _stp_ctl_work_timer from module transport layer.
The _stp_ctl_work_timer would trigger every 20ms to check whether
there were cmd messages queued, but not announced yet and to
check the _stp_exit_flag was set.
This commit makes all control messages announce themselves and
check the _stp_exit_flag in the _stp_ctl_read_cmd loop (delivery
is still possibly delayed since the messages are just pushed on
a wait queue).
Josh Stone [Thu, 11 Aug 2011 21:30:05 +0000 (14:30 -0700)]
Fix the uprobes.ko path when used with remotes
When uprobes.ko is sent through stapsh, it will go in a temp path that
only stapsh knows. However, we were sending -u/path/to/uprobes.ko with
a client side path, which would only work for --remote localhost. :/
Now the path is sanitized to ./ for the stapsh working directory.
* buildrun.cxx (make_run_command): Take a remotedir instead of a module
name. When set, use it to normalize both the uprobes and module path.
Also check that the version even supports a uprobes path (>=1.4).
* remote.cxx (stapsh::start): The remotedir is simply "." for stapsh.
(ssh_legacy_remote::start): The remotedir is the one known from the prior
mktemp -d. Also start sending the module signature across, add a note
why we unfortunately can't send uprobes in legacy mode, and specify
the staprun command without any path in case the remote is different.
Mark Wielaard [Thu, 11 Aug 2011 16:53:01 +0000 (18:53 +0200)]
Be more explicit about when the session needs symbol data. pragma:symbols.
Introduce /* pragma:symbols */ which is added to those tapset functions
that use print_addr or print_stack with symbol resolving. Now we no longer
have to output the symbol tables at translate time if unnecessary.
Although we could do even less work (see the new comment in translate.cxx).
Mark Wielaard [Thu, 11 Aug 2011 10:34:01 +0000 (12:34 +0200)]
Only collect and emit unwind data in translator if the session needs it.
When we hit the translator the session already knows whether or not it
will possibly need the unwind data. Only collect and emit it, if the
session does. This can save writing out tens of MB to stap-symbols.h
for simple scripts that never call any backtrace() function.
Chris Meek [Thu, 4 Aug 2011 14:11:38 +0000 (10:11 -0400)]
PR12773: Use abrt to download and install debuginfo
dwflpp.cxx
In setup_user(), pass the session to setup_dwfl_user().
setupdwfl.cxx
Added internal_find_debuginfo() and
execute_abrt_action_install_debuginfo_to_abrt_cache() to call
abrt to automatically download and install the needed debuginfo.
setupdwfl.h
Added function declarations.
util.h
Added hex_dump() to convert a binary string to a hex string.
Mark Wielaard [Mon, 8 Aug 2011 09:08:42 +0000 (11:08 +0200)]
sdt*exp: When the compiler doesn't recognize flag, mark test as UNTESTED.
Older gcc compilers don't recognize all the -std=[c|gnu]++0x flags we
throw at them. Instead of marking these compilations as FAIL, mark them
as UNTESTED now, so we only see real FAILures in the result (there are
still a couple left against -pedantic).
Mark Wielaard [Sun, 7 Aug 2011 13:44:58 +0000 (15:44 +0200)]
Add NULL context when creating perf event counter, remove nmi from handler.
More fallout of kernel commit 4dc0da "perf: Add context field to perf_event"
and commit a8b0ca "perf: Remove the nmi parameter from the swevent and
overflow interface". And new autoconf checks for both.
Mark Wielaard [Fri, 5 Aug 2011 12:13:21 +0000 (14:13 +0200)]
Check for hw_breakpoint context argument.
Kernel commit 4dc0da8 "perf: Add context field to perf_event" added
a new void *context field to the register_*_hw_breakpoint() functions.
Detect with a new runtime/autoconf-hw_breakpoint_context.c plus
STAPCONF_HW_BREAKPOINT_CONTEXT conditional.
Mark Wielaard [Thu, 4 Aug 2011 10:24:35 +0000 (12:24 +0200)]
Use $dfd not $mode in testsuite/transok/tval-opt.stp.
Kernel commit 47c805 "switch do_filp_open() to struct open_flags"
changed the arguments of do_filp_open. Use another int argument
that hasn't changed in testcase.
Mark Wielaard [Wed, 3 Aug 2011 22:26:49 +0000 (00:26 +0200)]
Check whether syscalls2.stp sigprocmask argument is set or nset.
Kernel commit b013c3 "signal: cleanup sys_sigprocmask()" renamed the set
parameter to nset. commit bb7efe "signal: cleanup sys_rt_sigprocmask()"
did the same. Check with @defined($set) to see if we want the old or
new definition.
Mark Wielaard [Wed, 3 Aug 2011 17:30:37 +0000 (19:30 +0200)]
testsuite warn_overflow be more precise and a bit more lenient.
Log exactly once for syscall probe hit and counter i == 256.
But do allow more than 3 overflow warning messages to occur
in case stap miraculously recovers and overflows immediately
afterwards.
Mark Wielaard [Wed, 3 Aug 2011 09:17:00 +0000 (11:17 +0200)]
common_probe_context.h: Put Individual Probe State (ips) into a union.
Various probe handlers have dedicated fields in the common probe context
struct. Since the handlers cannot be active at the same time (on the same
cpu) these can just be put into a union to save space. In runtime code
when there might be ambiguity about which probe handler is running, the
CONTEXT->probe_type field can be used to check which field has actual
live data.
Mark Wielaard [Tue, 2 Aug 2011 14:42:38 +0000 (16:42 +0200)]
Add probe_type to common probe context.
This exposes the type of probe handler for use in runtime functions,
so they can better anticipate which common probe context is valid at
runtime. Also introduces a new context tapset function probe_type()
that exposes a (informational) probe handler string to scripts. Mainly
useful for debugging, when the user wants to find out which kind of
low level probe handler a high-level probe translates to for a particular
kernel/systemtap version.
Josh Stone [Mon, 1 Aug 2011 18:58:36 +0000 (11:58 -0700)]
PR12135: Prefer subclass members if they mask the superclass
* dwflpp.cxx (dwflpp::find_struct_member): Use a breadth-first search
through inheritance trees, so masked members will be pulled from the
subclass rather than the superclass.
* testsuite/systemtap.base/inherit.*: New test for inheritance games.
Mark Wielaard [Mon, 1 Aug 2011 14:00:05 +0000 (16:00 +0200)]
Probe context data field is only used for procfs. Rename to procfs_data.
itrace and mark probes would also scribble (useless) data into this
context field, without ever using it, for no apparent reason, except
that they had "data" around. Renamed the field to procfs_data to make
clear it has a specific purpose.
Also add documentation for remaining undocumented common_probe_context fields.
Mark Wielaard [Mon, 1 Aug 2011 10:39:36 +0000 (12:39 +0200)]
Only add probe_name to the common probe context when really needed.
Guard probe_name with STP_NEED_PROBE_NAME. It is only needed when we include
the pn() tapset function. All this needed was moving the STP_NEED_PROBE_NAME
define from the tapset function to a top-level embedded C block (which are
included early, unlike the tapset functions themselves).
Also document common_probe_context.h busy, probe_point and probe_name fields.
Mark Wielaard [Fri, 29 Jul 2011 11:35:06 +0000 (13:35 +0200)]
Put common probe and session context state definitions in their own files.
translate.cxx contained code to produce the common probe and session
context state as C code snippets. Large parts were not dependent on the
session state at all, so they really were just static blobs of C code
wrapped in c++ io stream operators. These have been put in their own
C runtime header files (common_session_state.h, common_probe_context.h
and runtime_defines.h) to make it easier to edit and document.
Mark Wielaard [Thu, 28 Jul 2011 16:10:20 +0000 (18:10 +0200)]
Guard regparm in probe context with STAP_NEED_REGPARM.
regparm is only used on i386 (and x86_64 when probing 32bit) for
signaling what the parameter packing is for the probed function
as set in register.stp. So only include it in the probe context
struct when actually used in a stap script.
Also updated docs and fixed signature on other arches.
Mark Wielaard [Thu, 28 Jul 2011 12:02:09 +0000 (14:02 +0200)]
PR13037 Make lock blacklist more specific.
The dwflpp::build_blacklist() would also match things like _nolock,
block or clock. Be more specific that we want to only match things
like _lock, _unlock, _trylock or seq[un]lock.
David Smith [Wed, 27 Jul 2011 17:32:50 +0000 (12:32 -0500)]
Two task_finder cleanups.
* runtime/task_finder.c: Two cleanup fixes. Merged 2 different state
variables into 1. Reversed utrace compatibility fix. Instead of
making new utrace look like old utrace, made old utrace look like new
utrace (i.e. use 'utrace_engine' instead of 'utrace_attached_engine').
* runtime/utrace_compatibility.h: Reversed utrace compatibility fix (use
'utrace_engine' instead of 'utrace_attached_engine').
Mark Wielaard [Tue, 26 Jul 2011 21:31:01 +0000 (23:31 +0200)]
Allow gcc to optimize away uprobe_get_pc() calls in some situations.
If a call is made to the stack-x86.c __stp_stack_print() it might
try to call uprobe_get_pc(). If this is just a kernel backtrace
then uprobes might not be loaded. Add a hint by explicitly clearing
the struct uretprobe_instance *ri variable in that case in the
calling function _stp_stack_print() in stack.c, so that gcc
optimizes away the uprobe_get_pc() call, so that the symbol isn't
in the module anymore.
Would cause issues like:
WARNING: "uprobe_get_pc" [stap_d46895_3786.ko] undefined!
Error inserting module 'stap_d46895_3786.ko': Unknown symbol in module
Josh Stone [Tue, 26 Jul 2011 19:25:34 +0000 (12:25 -0700)]
PR12895: Use NOSTDINC_FLAGS in kernel stapconf checks
We should never be looking in /usr/include/ for headers when building
for the kernel. This particularly bit us in a case where RHEL6 gained
blk_types.h in newer kernels. So if the system had kernel-headers.rpm
with this new header in /usr/include/, but was still running an older
kernel that lacked it in /lib/modules/`uname -r`/build/, then we'd
misidentify that header's availability in stapconf.
* buildrun.cxx (compile_pass): Add NOSTDINC_FLAGS to CHECK_BUILD.
Mark Wielaard [Tue, 26 Jul 2011 13:10:30 +0000 (15:10 +0200)]
Push all stack logic into stack.c. tapset functions just pass flags.
Some of the logic determining what to print, which register sets to use
and whether the context was valid was repeated multiple times in the
[u]context-unwind.stp functions. Just do all the logic in one place
(_stp_print_stack) and make the tapset functions just push the context
and symbols/stack flags.
Josh Stone [Mon, 25 Jul 2011 15:48:31 +0000 (11:48 -0400)]
CVE-2011-2503: read instead of mmap to load modules
As staprun is preparing to load a kernel module, we first mmap the whole
module as MAP_PRIVATE. Then we proceed with our security checks,
including a trusted-signature validation on the mapped region, and if
all checks out, we'll call init_module() with that same mapped region.
However, MMAP(2) says of MAP_PRIVATE, "It is unspecified whether changes
made to the file after the mmap() call are visible in the mapped
region." From my testing, it appears that file changes do indeed show
up in our mapped memory. This means we have a TOCTOU race between
verifying the signature of that memory and then calling init_module().
By using read() instead of mmap(), we ensure that we have a fully
private copy of the module to verify and load, without fear of change.
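The read()-based private copy this commit describes, as an added example that is not staprun's own code: the file path and the "module" bytes are constructed for the demo, and the rewrite of the file after the copy stands in for the race window.

```c
/* Added example (not staprun's code): private read() copy of a file. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Read all of path into malloc'd memory (*len = bytes read); NULL on error.
 * Unlike a MAP_PRIVATE mapping, later writes to the file cannot reach it. */
unsigned char *read_whole_file(const char *path, size_t *len)
{
    int fd = open(path, O_RDONLY); struct stat st;
    if (fd < 0 || fstat(fd, &st) < 0) { if (fd >= 0) close(fd); return NULL; }
    size_t cap = (size_t)st.st_size, got = 0;
    unsigned char *buf = malloc(cap ? cap : 1);
    /* read() may return short counts or EINTR: loop until EOF. */
    while (buf && got < cap) {
        ssize_t n = read(fd, buf + got, cap - got);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) break;
        got += (size_t)n;
    }
    close(fd);
    *len = got;
    return buf;
}

/* Demo helper: overwrite path with a constructed string; 0 on success. */
int write_file(const char *path, const char *data)
{
    FILE *f = fopen(path, "w"); if (!f) return -1;
    int ok = fputs(data, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* Demo: copy a constructed "module", rewrite the file, check the copy. */
int private_copy_survives_rewrite(const char *path)
{
    const char *orig = "constructed-module-v1", *tamper = "TAMPERED-module-v1!!!";
    size_t len = 0;
    if (write_file(path, orig) < 0) return 0;
    unsigned char *buf = read_whole_file(path, &len);
    int ok = buf && len == strlen(orig) && memcmp(buf, orig, len) == 0;
    /* Simulate the race window: the file changes after the copy was taken. */
    ok = ok && write_file(path, tamper) == 0 && memcmp(buf, orig, len) == 0;
    free(buf); unlink(path);
    return ok;
}
```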
Josh Stone [Mon, 25 Jul 2011 13:54:28 +0000 (09:54 -0400)]
CVE-2011-2502: Don't allow path-based auth for uprobes
For users that are only members of stapusr, and not stapdev, we only
allow loading modules that are either signed with a trusted certificate
or located in controlled paths. For the script itself, that path is
/lib/modules/.../systemtap/, and for uprobes it is the runtime. When
this policy was first written, uprobes only ever came from the runtime
path, so the path check just returned 1 always.
Later, commit 474d17ad added an optional argument to staprun -u, to
allow the user to specify their own signed copy of uprobes to load.
Unfortunately, if presented with an unsigned module, that would still
fall back to the path check, which blissfully approved it anyway.
Our policy is now that stapusr can only load a signed uprobes.ko, so the
path check for uprobes now unconditionally returns 0.