* [ltt-dev] [geissert@debian.org: Bug#598309: ust-bin: CVE-2010-3386: insecure library loading]
@ 2010-09-29 13:27 Jon Bernard
2010-09-29 13:32 ` David Goulet
` (2 more replies)
0 siblings, 3 replies; 15+ messages in thread
From: Jon Bernard @ 2010-09-29 13:27 UTC (permalink / raw)
I just received this bug report and wanted to forward it here to get any
thoughts and/or opinions.
--
Jon
----- Forwarded message from Raphael Geissert <geissert at debian.org> -----
Date: Tue, 28 Sep 2010 04:23:22 +0000
From: Raphael Geissert <geissert@debian.org>
To: submit at bugs.debian.org
Subject: Bug#598309: ust-bin: CVE-2010-3386: insecure library loading
Reply-To: Raphael Geissert <geissert at debian.org>, 598309 at bugs.debian.org
Package: ust-bin
Version: 0.7-1
Severity: grave
Tags: security
User: team at security.debian.org
Usertags: ldpath
Hello,
During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.
The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, and environment variable used by ld.so(8) to look for
libraries on a directory other than the standard paths.
Vulnerable code follows:
/usr/bin/usttrace line 136:
export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
/usr/bin/usttrace line 144:
export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.
This vulnerability has been assigned the CVE id CVE-2010-3386. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3386
[1] http://security-tracker.debian.org/tracker/CVE-2010-3386
Sincerely,
Raphael Geissert
----- End forwarded message -----
^ permalink raw reply [flat|nested] 15+ messages in thread
* [ltt-dev] [geissert@debian.org: Bug#598309: ust-bin: CVE-2010-3386: insecure library loading]
2010-09-29 13:27 [ltt-dev] [geissert@debian.org: Bug#598309: ust-bin: CVE-2010-3386: insecure library loading] Jon Bernard
@ 2010-09-29 13:32 ` David Goulet
2010-09-29 13:47 ` Mathieu Desnoyers
2010-09-29 15:06 ` [ltt-dev] [PATCH UST] Fix insecure library loading (Debian Bug #598309, CVE-2010-3386) Mathieu Desnoyers
2 siblings, 0 replies; 15+ messages in thread
From: David Goulet @ 2010-09-29 13:32 UTC (permalink / raw)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Nice thanks!!
We will address that immediately!
David
On 10-09-29 09:27 AM, Jon Bernard wrote:
> I just received this bug report and wanted to forward it here to get any
> thoughts and/or opinions.
>
- --
David Goulet
LTTng project, DORSAL Lab.
1024D/16BD8563
BE3C 672B 9331 9796 291A 14C6 4AF7 C14B 16BD 8563
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkyjP/oACgkQSvfBSxa9hWOhYgCfVhRKpRunXU7zuU+RKF6+ltOb
HZ0An2QH3JzquUama6kYP6pGvV7yaW9X
=1TXY
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 15+ messages in thread
* [ltt-dev] [geissert@debian.org: Bug#598309: ust-bin: CVE-2010-3386: insecure library loading]
2010-09-29 13:27 [ltt-dev] [geissert@debian.org: Bug#598309: ust-bin: CVE-2010-3386: insecure library loading] Jon Bernard
2010-09-29 13:32 ` David Goulet
@ 2010-09-29 13:47 ` Mathieu Desnoyers
2010-09-29 15:16 ` Alexandre Montplaisir
2010-09-29 15:06 ` [ltt-dev] [PATCH UST] Fix insecure library loading (Debian Bug #598309, CVE-2010-3386) Mathieu Desnoyers
2 siblings, 1 reply; 15+ messages in thread
From: Mathieu Desnoyers @ 2010-09-29 13:47 UTC (permalink / raw)
* Jon Bernard (jbernard at debian.org) wrote:
> I just received this bug report and wanted to forward it here to get any
> thoughts and/or opinions.
>
> --
> Jon
>
> ----- Forwarded message from Raphael Geissert <geissert at debian.org> -----
>
> Date: Tue, 28 Sep 2010 04:23:22 +0000
> From: Raphael Geissert <geissert@debian.org>
> To: submit at bugs.debian.org
> Subject: Bug#598309: ust-bin: CVE-2010-3386: insecure library loading
> Reply-To: Raphael Geissert <geissert at debian.org>, 598309 at bugs.debian.org
>
> Package: ust-bin
> Version: 0.7-1
> Severity: grave
> Tags: security
> User: team at security.debian.org
> Usertags: ldpath
>
> Hello,
>
> During a review of the Debian archive, I've found your package to
> contain a script that can be abused by an attacker to execute arbitrary
> code.
>
> The vulnerability is introduced by an insecure change to
> LD_LIBRARY_PATH, and environment variable used by ld.so(8) to look for
> libraries on a directory other than the standard paths.
>
> Vulnerable code follows:
>
> /usr/bin/usttrace line 136:
> export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
> /usr/bin/usttrace line 144:
> export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
Changing this for something like the following should do the trick:
if [ "x${LD_LIBRARY_PATH}" != "x" ]; then
export LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:${LIBUST_PATH%libust.so}"
else
export LD_LIBRARY_PATH="${LIBUST_PATH%libust.so}"
fi
(untested, but should do the trick)
Note that I added extra braces ( ${} ) to delimit the variable more
clearly.
Thanks,
Mathieu
>
> When there's an empty item on the colon-separated list of
> LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
> If the given script is executed from a directory where a potential,
> local, attacker can write files to, there's a chance to exploit this
> bug.
>
> This vulnerability has been assigned the CVE id CVE-2010-3386. Please make sure
> you mention it when forwarding this report to upstream and when fixing
> this bug (everywhere: upstream and here at Debian.)
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3386
> [1] http://security-tracker.debian.org/tracker/CVE-2010-3386
>
> Sincerely,
> Raphael Geissert
>
>
>
> ----- End forwarded message -----
>
> _______________________________________________
> ltt-dev mailing list
> ltt-dev at lists.casi.polymtl.ca
> http://lists.casi.polymtl.ca/cgi-bin/mailman/listinfo/ltt-dev
>
--
Mathieu Desnoyers
Operating System Efficiency R&D Consultant
EfficiOS Inc.
http://www.efficios.com
^ permalink raw reply [flat|nested] 15+ messages in thread
* [ltt-dev] [PATCH UST] Fix insecure library loading (Debian Bug #598309, CVE-2010-3386)
2010-09-29 13:27 [ltt-dev] [geissert@debian.org: Bug#598309: ust-bin: CVE-2010-3386: insecure library loading] Jon Bernard
2010-09-29 13:32 ` David Goulet
2010-09-29 13:47 ` Mathieu Desnoyers
@ 2010-09-29 15:06 ` Mathieu Desnoyers
2010-09-29 16:32 ` David Goulet
` (2 more replies)
2 siblings, 3 replies; 15+ messages in thread
From: Mathieu Desnoyers @ 2010-09-29 15:06 UTC (permalink / raw)
Thanks to Raphael Geissert for spotting this, and to Jon Bernard for forwarding
the information to us.
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers at efficios.com>
CC: Raphael Geissert <geissert at debian.org>
CC: Jon Bernard <jbernard at debian.org>
---
usttrace | 47 +++++++++++++++++++++++++++++++++++++----------
1 file changed, 37 insertions(+), 10 deletions(-)
Index: ust/usttrace
===================================================================
--- ust.orig/usttrace
+++ ust/usttrace
@@ -132,27 +132,54 @@ fi
if [ "$arg_preload_libust" = "1" ];
then
- if [ -n "${LIBUST_PATH%libust.so}" ] ; then
- export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
+ if [ -n "${LIBUST_PATH%libust.so}" ];
+ then
+ if [ -n "$LD_LIBRARY_PATH" ];
+ then
+ export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
+ else
+ export LD_LIBRARY_PATH="${LIBUST_PATH%libust.so}"
+ fi
+ fi
+ if [ -n "$LIBUST_PATH" ];
+ then
+ if [ -n "$LD_PRELOAD" ];
+ then
+ export LD_PRELOAD="$LD_PRELOAD:$LIBUST_PATH"
+ else
+ export LD_PRELOAD="$LIBUST_PATH"
+ fi
fi
- export LD_PRELOAD="$LD_PRELOAD:$LIBUST_PATH"
fi
- if [ "$arg_ld_std_ust" = "1" ];
+ if [ "$arg_ld_std_ust" = "1" ] && [ -n "${LIBUST_PATH%libust.so}" ];
then
- if [ -n "$${LIBUST_PATH%libust.so}" ] ; then
- export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
+ if [ -n "$LD_LIBRARY_PATH" ];
+ then
+ export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
+ else
+ export LD_LIBRARY_PATH="${LIBUST_PATH%libust.so}"
fi
fi
- if [ "$arg_preload_malloc" = "1" ];
+ if [ "$arg_preload_malloc" = "1" ] && [ -n $LIBMALLOCWRAP_PATH ];
then
- export LD_PRELOAD="$LD_PRELOAD:$LIBMALLOCWRAP_PATH"
+ if [ -n "$LD_PRELOAD" ];
+ then
+ export LD_PRELOAD="$LD_PRELOAD:$LIBMALLOCWRAP_PATH"
+ else
+ export LD_PRELOAD="$LIBMALLOCWRAP_PATH"
+ fi
fi
- if [ "$arg_preload_fork" = "1" ];
+ if [ "$arg_preload_fork" = "1" ] && [ -n $LIBINTERFORK_PATH ];
then
- export LD_PRELOAD="$LD_PRELOAD:$LIBINTERFORK_PATH"
+ if [ -n "$LD_PRELOAD" ];
+ then
+ export LD_PRELOAD="$LD_PRELOAD:$LIBINTERFORK_PATH"
+ else
+ export LD_PRELOAD="$LIBINTERFORK_PATH"
+ fi
fi
# Execute the command
--
Mathieu Desnoyers
Operating System Efficiency R&D Consultant
EfficiOS Inc.
http://www.efficios.com
^ permalink raw reply [flat|nested] 15+ messages in thread
* [ltt-dev] [geissert@debian.org: Bug#598309: ust-bin: CVE-2010-3386: insecure library loading]
2010-09-29 13:47 ` Mathieu Desnoyers
@ 2010-09-29 15:16 ` Alexandre Montplaisir
2010-09-29 15:47 ` Mathieu Desnoyers
0 siblings, 1 reply; 15+ messages in thread
From: Alexandre Montplaisir @ 2010-09-29 15:16 UTC (permalink / raw)
On 10-09-29 09:47 AM, Mathieu Desnoyers wrote:
> * Jon Bernard (jbernard at debian.org) wrote:
>> I just received this bug report and wanted to forward it here to get any
>> thoughts and/or opinions.
>>
>> --
>> Jon
>>
>> ----- Forwarded message from Raphael Geissert<geissert at debian.org> -----
>>
>> Date: Tue, 28 Sep 2010 04:23:22 +0000
>> From: Raphael Geissert<geissert@debian.org>
>> To: submit at bugs.debian.org
>> Subject: Bug#598309: ust-bin: CVE-2010-3386: insecure library loading
>> Reply-To: Raphael Geissert<geissert at debian.org>, 598309 at bugs.debian.org
>>
>> Package: ust-bin
>> Version: 0.7-1
>> Severity: grave
>> Tags: security
>> User: team at security.debian.org
>> Usertags: ldpath
>>
>> Hello,
>>
>> During a review of the Debian archive, I've found your package to
>> contain a script that can be abused by an attacker to execute arbitrary
>> code.
>>
>> The vulnerability is introduced by an insecure change to
>> LD_LIBRARY_PATH, and environment variable used by ld.so(8) to look for
>> libraries on a directory other than the standard paths.
>>
>> Vulnerable code follows:
>>
>> /usr/bin/usttrace line 136:
>> export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
>> /usr/bin/usttrace line 144:
>> export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
> Changing this for something like the following should do the trick:
>
> if [ "x${LD_LIBRARY_PATH}" != "x" ]; then
> export LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:${LIBUST_PATH%libust.so}"
> else
> export LD_LIBRARY_PATH="${LIBUST_PATH%libust.so}"
> fi
>
Don't we still have the same problem, that if LD_LIBRARY_PATH *already*
contains a " " in the list, it will still be there after we append
LIBUST_PATH?
libust.so gets installed in /usr/lib for those who install the package.
For the others, don't we add an entry in ld.so.cache?
Alexandre
> (untested, but should do the trick)
>
> Note that I added extra braces ( ${} ) to delimit the variable more
> clearly.
>
> Thanks,
>
> Mathieu
>
>
>> When there's an empty item on the colon-separated list of
>> LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
>> If the given script is executed from a directory where a potential,
>> local, attacker can write files to, there's a chance to exploit this
>> bug.
>>
>> This vulnerability has been assigned the CVE id CVE-2010-3386. Please make sure
>> you mention it when forwarding this report to upstream and when fixing
>> this bug (everywhere: upstream and here at Debian.)
>>
>> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3386
>> [1] http://security-tracker.debian.org/tracker/CVE-2010-3386
>>
>> Sincerely,
>> Raphael Geissert
>>
>>
>>
>> ----- End forwarded message -----
>>
>> _______________________________________________
>> ltt-dev mailing list
>> ltt-dev at lists.casi.polymtl.ca
>> http://lists.casi.polymtl.ca/cgi-bin/mailman/listinfo/ltt-dev
>>
^ permalink raw reply [flat|nested] 15+ messages in thread
* [ltt-dev] [geissert@debian.org: Bug#598309: ust-bin: CVE-2010-3386: insecure library loading]
2010-09-29 15:16 ` Alexandre Montplaisir
@ 2010-09-29 15:47 ` Mathieu Desnoyers
0 siblings, 0 replies; 15+ messages in thread
From: Mathieu Desnoyers @ 2010-09-29 15:47 UTC (permalink / raw)
* Alexandre Montplaisir (alexandre.montplaisir at polymtl.ca) wrote:
>
>
> On 10-09-29 09:47 AM, Mathieu Desnoyers wrote:
>> * Jon Bernard (jbernard at debian.org) wrote:
>>> I just received this bug report and wanted to forward it here to get any
>>> thoughts and/or opinions.
>>>
>>> --
>>> Jon
>>>
>>> ----- Forwarded message from Raphael Geissert<geissert at debian.org> -----
>>>
>>> Date: Tue, 28 Sep 2010 04:23:22 +0000
>>> From: Raphael Geissert<geissert@debian.org>
>>> To: submit at bugs.debian.org
>>> Subject: Bug#598309: ust-bin: CVE-2010-3386: insecure library loading
>>> Reply-To: Raphael Geissert<geissert at debian.org>, 598309 at bugs.debian.org
>>>
>>> Package: ust-bin
>>> Version: 0.7-1
>>> Severity: grave
>>> Tags: security
>>> User: team at security.debian.org
>>> Usertags: ldpath
>>>
>>> Hello,
>>>
>>> During a review of the Debian archive, I've found your package to
>>> contain a script that can be abused by an attacker to execute arbitrary
>>> code.
>>>
>>> The vulnerability is introduced by an insecure change to
>>> LD_LIBRARY_PATH, and environment variable used by ld.so(8) to look for
>>> libraries on a directory other than the standard paths.
>>>
>>> Vulnerable code follows:
>>>
>>> /usr/bin/usttrace line 136:
>>> export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
>>> /usr/bin/usttrace line 144:
>>> export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
>> Changing this for something like the following should do the trick:
>>
>> if [ "x${LD_LIBRARY_PATH}" != "x" ]; then
>> export LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:${LIBUST_PATH%libust.so}"
>> else
>> export LD_LIBRARY_PATH="${LIBUST_PATH%libust.so}"
>> fi
>>
>
> Don't we still have the same problem, that if LD_LIBRARY_PATH *already*
> contains a " " in the list, it will still be there after we append
> LIBUST_PATH?
I think these "constrained" shells will disallow setting LD_LIBRARY_PATH
altogether from the shell, so we should not have to deal with a
LD_LIBRARY_PATH=" "
The problem comes when LD_LIBRARY_PATH is unset: in this case, usttrace
sets the new variable to ":otherpath", where the ": part acts as if
the "./" path was in the path, which is the security issue.
> libust.so gets installed in /usr/lib for those who install the package.
> For the others, don't we add an entry in ld.so.cache?
Not sure, this will require more discussion involving other usttrace
developers. For now, my job of patching the security issue is done. ;)
Thanks,
Mathieu
>
> Alexandre
>
>
>> (untested, but should do the trick)
>>
>> Note that I added extra braces ( ${} ) to delimit the variable more
>> clearly.
>>
>> Thanks,
>>
>> Mathieu
>>
>>
>>> When there's an empty item on the colon-separated list of
>>> LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
>>> If the given script is executed from a directory where a potential,
>>> local, attacker can write files to, there's a chance to exploit this
>>> bug.
>>>
>>> This vulnerability has been assigned the CVE id CVE-2010-3386. Please make sure
>>> you mention it when forwarding this report to upstream and when fixing
>>> this bug (everywhere: upstream and here at Debian.)
>>>
>>> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3386
>>> [1] http://security-tracker.debian.org/tracker/CVE-2010-3386
>>>
>>> Sincerely,
>>> Raphael Geissert
>>>
>>>
>>>
>>> ----- End forwarded message -----
>>>
>>> _______________________________________________
>>> ltt-dev mailing list
>>> ltt-dev at lists.casi.polymtl.ca
>>> http://lists.casi.polymtl.ca/cgi-bin/mailman/listinfo/ltt-dev
>>>
>
--
Mathieu Desnoyers
Operating System Efficiency R&D Consultant
EfficiOS Inc.
http://www.efficios.com
^ permalink raw reply [flat|nested] 15+ messages in thread
* [ltt-dev] [PATCH UST] Fix insecure library loading (Debian Bug #598309, CVE-2010-3386)
2010-09-29 15:06 ` [ltt-dev] [PATCH UST] Fix insecure library loading (Debian Bug #598309, CVE-2010-3386) Mathieu Desnoyers
@ 2010-09-29 16:32 ` David Goulet
2010-09-29 17:25 ` Mathieu Desnoyers
2010-09-29 18:57 ` Nils Carlson
2010-09-30 10:18 ` Nils Carlson
2 siblings, 1 reply; 15+ messages in thread
From: David Goulet @ 2010-09-29 16:32 UTC (permalink / raw)
I think you should add the CVE code to the commit message :
CVE-2010-3386
David
On 10-09-29 11:06 AM, Mathieu Desnoyers wrote:
> Thanks to Raphael Geissert for spotting this, and to Jon Bernard for forwarding
> the information to us.
>
> Signed-off-by: Mathieu Desnoyers<mathieu.desnoyers at efficios.com>
> CC: Raphael Geissert<geissert at debian.org>
> CC: Jon Bernard<jbernard at debian.org>
> ---
> usttrace | 47 +++++++++++++++++++++++++++++++++++++----------
> 1 file changed, 37 insertions(+), 10 deletions(-)
>
> Index: ust/usttrace
> ===================================================================
> --- ust.orig/usttrace
> +++ ust/usttrace
> @@ -132,27 +132,54 @@ fi
>
> if [ "$arg_preload_libust" = "1" ];
> then
> - if [ -n "${LIBUST_PATH%libust.so}" ] ; then
> - export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
> + if [ -n "${LIBUST_PATH%libust.so}" ];
> + then
> + if [ -n "$LD_LIBRARY_PATH" ];
> + then
> + export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
> + else
> + export LD_LIBRARY_PATH="${LIBUST_PATH%libust.so}"
> + fi
> + fi
> + if [ -n "$LIBUST_PATH" ];
> + then
> + if [ -n "$LD_PRELOAD" ];
> + then
> + export LD_PRELOAD="$LD_PRELOAD:$LIBUST_PATH"
> + else
> + export LD_PRELOAD="$LIBUST_PATH"
> + fi
> fi
> - export LD_PRELOAD="$LD_PRELOAD:$LIBUST_PATH"
> fi
>
> - if [ "$arg_ld_std_ust" = "1" ];
> + if [ "$arg_ld_std_ust" = "1" ]&& [ -n "${LIBUST_PATH%libust.so}" ];
> then
> - if [ -n "$${LIBUST_PATH%libust.so}" ] ; then
> - export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
> + if [ -n "$LD_LIBRARY_PATH" ];
> + then
> + export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
> + else
> + export LD_LIBRARY_PATH="${LIBUST_PATH%libust.so}"
> fi
> fi
>
> - if [ "$arg_preload_malloc" = "1" ];
> + if [ "$arg_preload_malloc" = "1" ]&& [ -n $LIBMALLOCWRAP_PATH ];
> then
> - export LD_PRELOAD="$LD_PRELOAD:$LIBMALLOCWRAP_PATH"
> + if [ -n "$LD_PRELOAD" ];
> + then
> + export LD_PRELOAD="$LD_PRELOAD:$LIBMALLOCWRAP_PATH"
> + else
> + export LD_PRELOAD="$LIBMALLOCWRAP_PATH"
> + fi
> fi
>
> - if [ "$arg_preload_fork" = "1" ];
> + if [ "$arg_preload_fork" = "1" ]&& [ -n $LIBINTERFORK_PATH ];
> then
> - export LD_PRELOAD="$LD_PRELOAD:$LIBINTERFORK_PATH"
> + if [ -n "$LD_PRELOAD" ];
> + then
> + export LD_PRELOAD="$LD_PRELOAD:$LIBINTERFORK_PATH"
> + else
> + export LD_PRELOAD="$LIBINTERFORK_PATH"
> + fi
> fi
>
> # Execute the command
>
--
David Goulet
LTTng project, DORSAL Lab.
PGP/GPG : 1024D/16BD8563
BE3C 672B 9331 9796 291A 14C6 4AF7 C14B 16BD 8563
^ permalink raw reply [flat|nested] 15+ messages in thread
* [ltt-dev] [PATCH UST] Fix insecure library loading (Debian Bug #598309, CVE-2010-3386)
2010-09-29 16:32 ` David Goulet
@ 2010-09-29 17:25 ` Mathieu Desnoyers
0 siblings, 0 replies; 15+ messages in thread
From: Mathieu Desnoyers @ 2010-09-29 17:25 UTC (permalink / raw)
* David Goulet (david.goulet at polymtl.ca) wrote:
> I think you should add the CVE code to the commit message :
>
> CVE-2010-3386
It's in the patch subject already, but feel free to add it to the commit message
too.
Thanks,
Mathieu
>
> David
>
> On 10-09-29 11:06 AM, Mathieu Desnoyers wrote:
>> Thanks to Raphael Geissert for spotting this, and to Jon Bernard for forwarding
>> the information to us.
>>
>> Signed-off-by: Mathieu Desnoyers<mathieu.desnoyers at efficios.com>
>> CC: Raphael Geissert<geissert at debian.org>
>> CC: Jon Bernard<jbernard at debian.org>
>> ---
>> usttrace | 47 +++++++++++++++++++++++++++++++++++++----------
>> 1 file changed, 37 insertions(+), 10 deletions(-)
>>
>> Index: ust/usttrace
>> ===================================================================
>> --- ust.orig/usttrace
>> +++ ust/usttrace
>> @@ -132,27 +132,54 @@ fi
>>
>> if [ "$arg_preload_libust" = "1" ];
>> then
>> - if [ -n "${LIBUST_PATH%libust.so}" ] ; then
>> - export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
>> + if [ -n "${LIBUST_PATH%libust.so}" ];
>> + then
>> + if [ -n "$LD_LIBRARY_PATH" ];
>> + then
>> + export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
>> + else
>> + export LD_LIBRARY_PATH="${LIBUST_PATH%libust.so}"
>> + fi
>> + fi
>> + if [ -n "$LIBUST_PATH" ];
>> + then
>> + if [ -n "$LD_PRELOAD" ];
>> + then
>> + export LD_PRELOAD="$LD_PRELOAD:$LIBUST_PATH"
>> + else
>> + export LD_PRELOAD="$LIBUST_PATH"
>> + fi
>> fi
>> - export LD_PRELOAD="$LD_PRELOAD:$LIBUST_PATH"
>> fi
>>
>> - if [ "$arg_ld_std_ust" = "1" ];
>> + if [ "$arg_ld_std_ust" = "1" ]&& [ -n "${LIBUST_PATH%libust.so}" ];
>> then
>> - if [ -n "$${LIBUST_PATH%libust.so}" ] ; then
>> - export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
>> + if [ -n "$LD_LIBRARY_PATH" ];
>> + then
>> + export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
>> + else
>> + export LD_LIBRARY_PATH="${LIBUST_PATH%libust.so}"
>> fi
>> fi
>>
>> - if [ "$arg_preload_malloc" = "1" ];
>> + if [ "$arg_preload_malloc" = "1" ]&& [ -n $LIBMALLOCWRAP_PATH ];
>> then
>> - export LD_PRELOAD="$LD_PRELOAD:$LIBMALLOCWRAP_PATH"
>> + if [ -n "$LD_PRELOAD" ];
>> + then
>> + export LD_PRELOAD="$LD_PRELOAD:$LIBMALLOCWRAP_PATH"
>> + else
>> + export LD_PRELOAD="$LIBMALLOCWRAP_PATH"
>> + fi
>> fi
>>
>> - if [ "$arg_preload_fork" = "1" ];
>> + if [ "$arg_preload_fork" = "1" ]&& [ -n $LIBINTERFORK_PATH ];
>> then
>> - export LD_PRELOAD="$LD_PRELOAD:$LIBINTERFORK_PATH"
>> + if [ -n "$LD_PRELOAD" ];
>> + then
>> + export LD_PRELOAD="$LD_PRELOAD:$LIBINTERFORK_PATH"
>> + else
>> + export LD_PRELOAD="$LIBINTERFORK_PATH"
>> + fi
>> fi
>>
>> # Execute the command
>>
>
> --
> David Goulet
> LTTng project, DORSAL Lab.
>
> PGP/GPG : 1024D/16BD8563
> BE3C 672B 9331 9796 291A 14C6 4AF7 C14B 16BD 8563
--
Mathieu Desnoyers
Operating System Efficiency R&D Consultant
EfficiOS Inc.
http://www.efficios.com
^ permalink raw reply [flat|nested] 15+ messages in thread
* [ltt-dev] [PATCH UST] Fix insecure library loading (Debian Bug #598309, CVE-2010-3386)
2010-09-29 15:06 ` [ltt-dev] [PATCH UST] Fix insecure library loading (Debian Bug #598309, CVE-2010-3386) Mathieu Desnoyers
2010-09-29 16:32 ` David Goulet
@ 2010-09-29 18:57 ` Nils Carlson
2010-09-29 20:40 ` [ltt-dev] [UST] malloc error found by david Mathieu Desnoyers
2010-09-29 23:11 ` [ltt-dev] [PATCH UST] Fix insecure library loading (Debian Bug #598309, CVE-2010-3386) David Goulet
2010-09-30 10:18 ` Nils Carlson
2 siblings, 2 replies; 15+ messages in thread
From: Nils Carlson @ 2010-09-29 18:57 UTC (permalink / raw)
Looks good,
I will test it and integrate it tomorrow. Hopefully I can make a new
release by the end of the week.
/Nils
On Sep 29, 2010, at 5:06 PM, Mathieu Desnoyers wrote:
> Thanks to Raphael Geissert for spotting this, and to Jon Bernard for
> forwarding
> the information to us.
>
> Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers at efficios.com>
> CC: Raphael Geissert <geissert at debian.org>
> CC: Jon Bernard <jbernard at debian.org>
> ---
> usttrace | 47 +++++++++++++++++++++++++++++++++++++----------
> 1 file changed, 37 insertions(+), 10 deletions(-)
>
> Index: ust/usttrace
> ===================================================================
> --- ust.orig/usttrace
> +++ ust/usttrace
> @@ -132,27 +132,54 @@ fi
>
> if [ "$arg_preload_libust" = "1" ];
> then
> - if [ -n "${LIBUST_PATH%libust.so}" ] ; then
> - export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH
> %libust.so}"
> + if [ -n "${LIBUST_PATH%libust.so}" ];
> + then
> + if [ -n "$LD_LIBRARY_PATH" ];
> + then
> + export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
> + else
> + export LD_LIBRARY_PATH="${LIBUST_PATH%libust.so}"
> + fi
> + fi
> + if [ -n "$LIBUST_PATH" ];
> + then
> + if [ -n "$LD_PRELOAD" ];
> + then
> + export LD_PRELOAD="$LD_PRELOAD:$LIBUST_PATH"
> + else
> + export LD_PRELOAD="$LIBUST_PATH"
> + fi
> fi
> - export LD_PRELOAD="$LD_PRELOAD:$LIBUST_PATH"
> fi
>
> - if [ "$arg_ld_std_ust" = "1" ];
> + if [ "$arg_ld_std_ust" = "1" ] && [ -n "${LIBUST_PATH
> %libust.so}" ];
> then
> - if [ -n "$${LIBUST_PATH%libust.so}" ] ; then
> - export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH
> %libust.so}"
> + if [ -n "$LD_LIBRARY_PATH" ];
> + then
> + export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
> + else
> + export LD_LIBRARY_PATH="${LIBUST_PATH%libust.so}"
> fi
> fi
>
> - if [ "$arg_preload_malloc" = "1" ];
> + if [ "$arg_preload_malloc" = "1" ] && [ -n $LIBMALLOCWRAP_PATH ];
> then
> - export LD_PRELOAD="$LD_PRELOAD:$LIBMALLOCWRAP_PATH"
> + if [ -n "$LD_PRELOAD" ];
> + then
> + export LD_PRELOAD="$LD_PRELOAD:$LIBMALLOCWRAP_PATH"
> + else
> + export LD_PRELOAD="$LIBMALLOCWRAP_PATH"
> + fi
> fi
>
> - if [ "$arg_preload_fork" = "1" ];
> + if [ "$arg_preload_fork" = "1" ] && [ -n $LIBINTERFORK_PATH ];
> then
> - export LD_PRELOAD="$LD_PRELOAD:$LIBINTERFORK_PATH"
> + if [ -n "$LD_PRELOAD" ];
> + then
> + export LD_PRELOAD="$LD_PRELOAD:$LIBINTERFORK_PATH"
> + else
> + export LD_PRELOAD="$LIBINTERFORK_PATH"
> + fi
> fi
>
> # Execute the command
>
> --
> Mathieu Desnoyers
> Operating System Efficiency R&D Consultant
> EfficiOS Inc.
> http://www.efficios.com
>
> _______________________________________________
> ltt-dev mailing list
> ltt-dev at lists.casi.polymtl.ca
> http://lists.casi.polymtl.ca/cgi-bin/mailman/listinfo/ltt-dev
^ permalink raw reply [flat|nested] 15+ messages in thread
* [ltt-dev] [UST] malloc error found by david
2010-09-29 18:57 ` Nils Carlson
@ 2010-09-29 20:40 ` Mathieu Desnoyers
2010-09-29 23:01 ` David Goulet
2010-09-29 23:11 ` [ltt-dev] [PATCH UST] Fix insecure library loading (Debian Bug #598309, CVE-2010-3386) David Goulet
1 sibling, 1 reply; 15+ messages in thread
From: Mathieu Desnoyers @ 2010-09-29 20:40 UTC (permalink / raw)
Hi Nils,
Please double-check that you ported commit
38516ab59fbc5b3bb278cf5e1fe2867c70cff32e
tracing: Let tracepoints have data passed to tracepoint callbacks
correctly from mainline. There is at least a bug in
static inline void *allocate_probes(int count)
(sizeof(void *) should be changed for sizeof(struct tracepoint_func))
Hopefully no other bugs crept in.
Credits go to David Goulet, how just spent 2 days hunting this one down.
Thanks,
Mathieu
--
Mathieu Desnoyers
Operating System Efficiency R&D Consultant
EfficiOS Inc.
http://www.efficios.com
^ permalink raw reply [flat|nested] 15+ messages in thread
* [ltt-dev] [UST] malloc error found by david
2010-09-29 20:40 ` [ltt-dev] [UST] malloc error found by david Mathieu Desnoyers
@ 2010-09-29 23:01 ` David Goulet
2010-09-30 19:21 ` Nils Carlson
0 siblings, 1 reply; 15+ messages in thread
From: David Goulet @ 2010-09-29 23:01 UTC (permalink / raw)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 10-09-29 04:40 PM, Mathieu Desnoyers wrote:
> Hi Nils,
>
> Please double-check that you ported commit
>
> 38516ab59fbc5b3bb278cf5e1fe2867c70cff32e
>
> tracing: Let tracepoints have data passed to tracepoint callbacks
>
> correctly from mainline. There is at least a bug in
>
> static inline void *allocate_probes(int count)
>
> (sizeof(void *) should be changed for sizeof(struct tracepoint_func))
Yes, but for UST, it's sizeof(struct probe), actually almost the same but
different name :P
This was introduce in UST from commit (in libust/tracepoint.c)
1dba3e6c054da18f238d051da5b1839bd5e4e4dd
I really have NO idea how it came in because for that commit I only changed the
malloc to zmalloc. So I think, somekind of "merge" between patches went wrong
and git didn't notice. Shit happens ;)
Thanks
David
>
> Hopefully no other bugs crept in.
>
> Credits go to David Goulet, how just spent 2 days hunting this one down.
>
> Thanks,
>
> Mathieu
>
>
>
- --
David Goulet
LTTng project, DORSAL Lab.
1024D/16BD8563
BE3C 672B 9331 9796 291A 14C6 4AF7 C14B 16BD 8563
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkyjxWEACgkQSvfBSxa9hWPcUQCePVOAXil4Qi5L53XPY5sx1yH3
U+AAoLqnA+GDQz1BM3Cp6c1rMMgq+Lcp
=Uken
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 15+ messages in thread
* [ltt-dev] [PATCH UST] Fix insecure library loading (Debian Bug #598309, CVE-2010-3386)
2010-09-29 18:57 ` Nils Carlson
2010-09-29 20:40 ` [ltt-dev] [UST] malloc error found by david Mathieu Desnoyers
@ 2010-09-29 23:11 ` David Goulet
1 sibling, 0 replies; 15+ messages in thread
From: David Goulet @ 2010-09-29 23:11 UTC (permalink / raw)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hey Nils,
Good thing for the release. Important side note. We *must* detail very carefully
in the changelog the change of the API for tracepoints that needs a data
pointer. The old tracepoints, on next release, will only dump warnings at
compile time and the tracepoints will *not* works. (There is an error at compile
if the register_trace_* is used at init() though).
Just a reminder
Thanks!
David
On 10-09-29 02:57 PM, Nils Carlson wrote:
> Looks good,
>
> I will test it and integrate it tomorrow. Hopefully I can make a new
> release by the end of the week.
>
> /Nils
> On Sep 29, 2010, at 5:06 PM, Mathieu Desnoyers wrote:
>
>> Thanks to Raphael Geissert for spotting this, and to Jon Bernard for
>> forwarding
>> the information to us.
>>
>> Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers at efficios.com>
>> CC: Raphael Geissert <geissert at debian.org>
>> CC: Jon Bernard <jbernard at debian.org>
>> ---
>> usttrace | 47 +++++++++++++++++++++++++++++++++++++----------
>> 1 file changed, 37 insertions(+), 10 deletions(-)
>>
>> Index: ust/usttrace
>> ===================================================================
>> --- ust.orig/usttrace
>> +++ ust/usttrace
>> @@ -132,27 +132,54 @@ fi
>>
>> if [ "$arg_preload_libust" = "1" ];
>> then
>> - if [ -n "${LIBUST_PATH%libust.so}" ] ; then
>> - export
>> LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
>> + if [ -n "${LIBUST_PATH%libust.so}" ];
>> + then
>> + if [ -n "$LD_LIBRARY_PATH" ];
>> + then
>> + export
>> LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
>> + else
>> + export LD_LIBRARY_PATH="${LIBUST_PATH%libust.so}"
>> + fi
>> + fi
>> + if [ -n "$LIBUST_PATH" ];
>> + then
>> + if [ -n "$LD_PRELOAD" ];
>> + then
>> + export LD_PRELOAD="$LD_PRELOAD:$LIBUST_PATH"
>> + else
>> + export LD_PRELOAD="$LIBUST_PATH"
>> + fi
>> fi
>> - export LD_PRELOAD="$LD_PRELOAD:$LIBUST_PATH"
>> fi
>>
>> - if [ "$arg_ld_std_ust" = "1" ];
>> + if [ "$arg_ld_std_ust" = "1" ] && [ -n "${LIBUST_PATH%libust.so}" ];
>> then
>> - if [ -n "$${LIBUST_PATH%libust.so}" ] ; then
>> - export
>> LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
>> + if [ -n "$LD_LIBRARY_PATH" ];
>> + then
>> + export
>> LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
>> + else
>> + export LD_LIBRARY_PATH="${LIBUST_PATH%libust.so}"
>> fi
>> fi
>>
>> - if [ "$arg_preload_malloc" = "1" ];
>> + if [ "$arg_preload_malloc" = "1" ] && [ -n $LIBMALLOCWRAP_PATH ];
>> then
>> - export LD_PRELOAD="$LD_PRELOAD:$LIBMALLOCWRAP_PATH"
>> + if [ -n "$LD_PRELOAD" ];
>> + then
>> + export LD_PRELOAD="$LD_PRELOAD:$LIBMALLOCWRAP_PATH"
>> + else
>> + export LD_PRELOAD="$LIBMALLOCWRAP_PATH"
>> + fi
>> fi
>>
>> - if [ "$arg_preload_fork" = "1" ];
>> + if [ "$arg_preload_fork" = "1" ] && [ -n $LIBINTERFORK_PATH ];
>> then
>> - export LD_PRELOAD="$LD_PRELOAD:$LIBINTERFORK_PATH"
>> + if [ -n "$LD_PRELOAD" ];
>> + then
>> + export LD_PRELOAD="$LD_PRELOAD:$LIBINTERFORK_PATH"
>> + else
>> + export LD_PRELOAD="$LIBINTERFORK_PATH"
>> + fi
>> fi
>>
>> # Execute the command
>>
>> --
>> Mathieu Desnoyers
>> Operating System Efficiency R&D Consultant
>> EfficiOS Inc.
>> http://www.efficios.com
>>
>> _______________________________________________
>> ltt-dev mailing list
>> ltt-dev at lists.casi.polymtl.ca
>> http://lists.casi.polymtl.ca/cgi-bin/mailman/listinfo/ltt-dev
>
>
> _______________________________________________
> ltt-dev mailing list
> ltt-dev at lists.casi.polymtl.ca
> http://lists.casi.polymtl.ca/cgi-bin/mailman/listinfo/ltt-dev
- --
David Goulet
LTTng project, DORSAL Lab.
1024D/16BD8563
BE3C 672B 9331 9796 291A 14C6 4AF7 C14B 16BD 8563
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkyjx5UACgkQSvfBSxa9hWOgPwCfVnk6+akGcVZk9KTYe8Gr9evo
lbIAoKzRP2TIpgR6wEkEYXQjHU7tbIcA
=Mv+g
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 15+ messages in thread
* [ltt-dev] [PATCH UST] Fix insecure library loading (Debian Bug #598309, CVE-2010-3386)
2010-09-29 15:06 ` [ltt-dev] [PATCH UST] Fix insecure library loading (Debian Bug #598309, CVE-2010-3386) Mathieu Desnoyers
2010-09-29 16:32 ` David Goulet
2010-09-29 18:57 ` Nils Carlson
@ 2010-09-30 10:18 ` Nils Carlson
2010-09-30 14:49 ` [ltt-dev] [PATCH UST] Fix insecure library loading (Debian Bug #598309, CVE-2010-3386) (v2) Mathieu Desnoyers
2 siblings, 1 reply; 15+ messages in thread
From: Nils Carlson @ 2010-09-30 10:18 UTC (permalink / raw)
Comments below.
On Wed, 29 Sep 2010, Mathieu Desnoyers wrote:
> Thanks to Raphael Geissert for spotting this, and to Jon Bernard for forwarding
> the information to us.
>
> Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers at efficios.com>
> CC: Raphael Geissert <geissert at debian.org>
> CC: Jon Bernard <jbernard at debian.org>
> ---
> usttrace | 47 +++++++++++++++++++++++++++++++++++++----------
> 1 file changed, 37 insertions(+), 10 deletions(-)
>
> Index: ust/usttrace
> ===================================================================
> --- ust.orig/usttrace
> +++ ust/usttrace
> @@ -132,27 +132,54 @@ fi
>
> if [ "$arg_preload_libust" = "1" ];
> then
> - if [ -n "${LIBUST_PATH%libust.so}" ] ; then
> - export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
> + if [ -n "${LIBUST_PATH%libust.so}" ];
> + then
> + if [ -n "$LD_LIBRARY_PATH" ];
> + then
> + export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
> + else
> + export LD_LIBRARY_PATH="${LIBUST_PATH%libust.so}"
> + fi
> + fi
> + if [ -n "$LIBUST_PATH" ];
> + then
> + if [ -n "$LD_PRELOAD" ];
> + then
> + export LD_PRELOAD="$LD_PRELOAD:$LIBUST_PATH"
> + else
> + export LD_PRELOAD="$LIBUST_PATH"
> + fi
> fi
> - export LD_PRELOAD="$LD_PRELOAD:$LIBUST_PATH"
> fi
>
> - if [ "$arg_ld_std_ust" = "1" ];
> + if [ "$arg_ld_std_ust" = "1" ] && [ -n "${LIBUST_PATH%libust.so}" ];
> then
> - if [ -n "$${LIBUST_PATH%libust.so}" ] ; then
> - export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
> + if [ -n "$LD_LIBRARY_PATH" ];
> + then
> + export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
> + else
> + export LD_LIBRARY_PATH="${LIBUST_PATH%libust.so}"
> fi
> fi
>
> - if [ "$arg_preload_malloc" = "1" ];
> + if [ "$arg_preload_malloc" = "1" ] && [ -n $LIBMALLOCWRAP_PATH ];
All -n tests have to be in "", otherwise they will pass even though the
string is empty.
> then
> - export LD_PRELOAD="$LD_PRELOAD:$LIBMALLOCWRAP_PATH"
> + if [ -n "$LD_PRELOAD" ];
> + then
> + export LD_PRELOAD="$LD_PRELOAD:$LIBMALLOCWRAP_PATH"
> + else
> + export LD_PRELOAD="$LIBMALLOCWRAP_PATH"
> + fi
> fi
>
> - if [ "$arg_preload_fork" = "1" ];
> + if [ "$arg_preload_fork" = "1" ] && [ -n $LIBINTERFORK_PATH ];
Same here.
> then
> - export LD_PRELOAD="$LD_PRELOAD:$LIBINTERFORK_PATH"
> + if [ -n "$LD_PRELOAD" ];
> + then
> + export LD_PRELOAD="$LD_PRELOAD:$LIBINTERFORK_PATH"
> + else
> + export LD_PRELOAD="$LIBINTERFORK_PATH"
> + fi
> fi
>
Looks good otherwise!
/Nils
> # Execute the command
>
> --
> Mathieu Desnoyers
> Operating System Efficiency R&D Consultant
> EfficiOS Inc.
> http://www.efficios.com
>
> _______________________________________________
> ltt-dev mailing list
> ltt-dev at lists.casi.polymtl.ca
> http://lists.casi.polymtl.ca/cgi-bin/mailman/listinfo/ltt-dev
>
^ permalink raw reply [flat|nested] 15+ messages in thread
* [ltt-dev] [PATCH UST] Fix insecure library loading (Debian Bug #598309, CVE-2010-3386) (v2)
2010-09-30 10:18 ` Nils Carlson
@ 2010-09-30 14:49 ` Mathieu Desnoyers
0 siblings, 0 replies; 15+ messages in thread
From: Mathieu Desnoyers @ 2010-09-30 14:49 UTC (permalink / raw)
Thanks to Raphael Geissert for spotting this, and to Jon Bernard for forwarding
the information to us.
Changelog since v1:
Apply comments from Nils.
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers at efficios.com>
Reviewed-by: Nils Carlson <nils.carlson at ericsson.com>
CC: Raphael Geissert <geissert at debian.org>
CC: Jon Bernard <jbernard at debian.org>
---
usttrace | 47 +++++++++++++++++++++++++++++++++++++----------
1 file changed, 37 insertions(+), 10 deletions(-)
Index: ust/usttrace
===================================================================
--- ust.orig/usttrace
+++ ust/usttrace
@@ -132,27 +132,54 @@ fi
if [ "$arg_preload_libust" = "1" ];
then
- if [ -n "${LIBUST_PATH%libust.so}" ] ; then
- export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
+ if [ -n "${LIBUST_PATH%libust.so}" ];
+ then
+ if [ -n "$LD_LIBRARY_PATH" ];
+ then
+ export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
+ else
+ export LD_LIBRARY_PATH="${LIBUST_PATH%libust.so}"
+ fi
+ fi
+ if [ -n "$LIBUST_PATH" ];
+ then
+ if [ -n "$LD_PRELOAD" ];
+ then
+ export LD_PRELOAD="$LD_PRELOAD:$LIBUST_PATH"
+ else
+ export LD_PRELOAD="$LIBUST_PATH"
+ fi
fi
- export LD_PRELOAD="$LD_PRELOAD:$LIBUST_PATH"
fi
- if [ "$arg_ld_std_ust" = "1" ];
+ if [ "$arg_ld_std_ust" = "1" ] && [ -n "${LIBUST_PATH%libust.so}" ];
then
- if [ -n "$${LIBUST_PATH%libust.so}" ] ; then
- export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
+ if [ -n "$LD_LIBRARY_PATH" ];
+ then
+ export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
+ else
+ export LD_LIBRARY_PATH="${LIBUST_PATH%libust.so}"
fi
fi
- if [ "$arg_preload_malloc" = "1" ];
+ if [ "$arg_preload_malloc" = "1" ] && [ -n "$LIBMALLOCWRAP_PATH" ];
then
- export LD_PRELOAD="$LD_PRELOAD:$LIBMALLOCWRAP_PATH"
+ if [ -n "$LD_PRELOAD" ];
+ then
+ export LD_PRELOAD="$LD_PRELOAD:$LIBMALLOCWRAP_PATH"
+ else
+ export LD_PRELOAD="$LIBMALLOCWRAP_PATH"
+ fi
fi
- if [ "$arg_preload_fork" = "1" ];
+ if [ "$arg_preload_fork" = "1" ] && [ -n "$LIBINTERFORK_PATH" ];
then
- export LD_PRELOAD="$LD_PRELOAD:$LIBINTERFORK_PATH"
+ if [ -n "$LD_PRELOAD" ];
+ then
+ export LD_PRELOAD="$LD_PRELOAD:$LIBINTERFORK_PATH"
+ else
+ export LD_PRELOAD="$LIBINTERFORK_PATH"
+ fi
fi
# Execute the command
--
Mathieu Desnoyers
Operating System Efficiency R&D Consultant
EfficiOS Inc.
http://www.efficios.com
^ permalink raw reply [flat|nested] 15+ messages in thread
* [ltt-dev] [UST] malloc error found by david
2010-09-29 23:01 ` David Goulet
@ 2010-09-30 19:21 ` Nils Carlson
0 siblings, 0 replies; 15+ messages in thread
From: Nils Carlson @ 2010-09-30 19:21 UTC (permalink / raw)
On Sep 30, 2010, at 1:01 AM, David Goulet wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> On 10-09-29 04:40 PM, Mathieu Desnoyers wrote:
>> Hi Nils,
>>
>> Please double-check that you ported commit
>>
>> 38516ab59fbc5b3bb278cf5e1fe2867c70cff32e
>>
>> tracing: Let tracepoints have data passed to tracepoint callbacks
>>
>> correctly from mainline. There is at least a bug in
>>
>> static inline void *allocate_probes(int count)
>>
>> (sizeof(void *) should be changed for sizeof(struct tracepoint_func))
>
> Yes, but for UST, it's sizeof(struct probe), actually almost the
> same but
> different name :P
>
> This was introduce in UST from commit (in libust/tracepoint.c)
>
> 1dba3e6c054da18f238d051da5b1839bd5e4e4dd
>
> I really have NO idea how it came in because for that commit I only
> changed the
> malloc to zmalloc. So I think, somekind of "merge" between patches
> went wrong
> and git didn't notice. Shit happens ;)
>
Yepp. Applied fix, haven't done any digging in how it got in there.
/Nils
> Thanks
> David
>
>>
>> Hopefully no other bugs crept in.
>>
>> Credits go to David Goulet, how just spent 2 days hunting this one
>> down.
>>
>> Thanks,
>>
>> Mathieu
>>
>>
>>
>
> - --
> David Goulet
> LTTng project, DORSAL Lab.
>
> 1024D/16BD8563
> BE3C 672B 9331 9796 291A 14C6 4AF7 C14B 16BD 8563
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iEYEARECAAYFAkyjxWEACgkQSvfBSxa9hWPcUQCePVOAXil4Qi5L53XPY5sx1yH3
> U+AAoLqnA+GDQz1BM3Cp6c1rMMgq+Lcp
> =Uken
> -----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2010-09-30 19:21 UTC | newest]
Thread overview: 15+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2010-09-29 13:27 [ltt-dev] [geissert@debian.org: Bug#598309: ust-bin: CVE-2010-3386: insecure library loading] Jon Bernard
2010-09-29 13:32 ` David Goulet
2010-09-29 13:47 ` Mathieu Desnoyers
2010-09-29 15:16 ` Alexandre Montplaisir
2010-09-29 15:47 ` Mathieu Desnoyers
2010-09-29 15:06 ` [ltt-dev] [PATCH UST] Fix insecure library loading (Debian Bug #598309, CVE-2010-3386) Mathieu Desnoyers
2010-09-29 16:32 ` David Goulet
2010-09-29 17:25 ` Mathieu Desnoyers
2010-09-29 18:57 ` Nils Carlson
2010-09-29 20:40 ` [ltt-dev] [UST] malloc error found by david Mathieu Desnoyers
2010-09-29 23:01 ` David Goulet
2010-09-30 19:21 ` Nils Carlson
2010-09-29 23:11 ` [ltt-dev] [PATCH UST] Fix insecure library loading (Debian Bug #598309, CVE-2010-3386) David Goulet
2010-09-30 10:18 ` Nils Carlson
2010-09-30 14:49 ` [ltt-dev] [PATCH UST] Fix insecure library loading (Debian Bug #598309, CVE-2010-3386) (v2) Mathieu Desnoyers
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox