// CVE-2018-1000001 glibc realpath() buffer underflow
// getcwd(2) can return non-absolute paths, which glibc should reject
// from its getcwd(3) wrapper.
//
// Approach: intercept the
// getcwd INLINE_SYSCALL. If it returned a success but without a
// leading "/" in the path, overwrite the success with a failure rc.
// Statistics aggregates, reported once a minute by the timer probe:
//   hitcount  - getcwd calls that reported success with a non-absolute path
//   misscount - every other getcwd call seen at the probe point
global misscount, hitcount

// Policy switches. The defaults only report; nothing is killed or altered.
//   kill_p   - non-zero: raise signal 9 in the calling thread on a hit
//   fix_p    - non-zero: overwrite the syscall's return value with -2 on a hit
//   notify_p - non-zero: print one line per hit plus the periodic summary
// NOTE(review): kill_p and fix_p drive raise() and a write to $retval, both of
// which need guru mode (stap -g); confirm before enabling either in production.
global kill_p = 0, fix_p = 0, notify_p = 1
probe process("/lib64/libc.so.6").statement("__getcwd@../sysdeps/unix/sysv/linux/getcwd.c:82")
{
  // NOTE(review): the probe point is pinned to a library path and a source
  // line number, and it reads $retval/$path, so it presumably needs matching
  // glibc debuginfo. Re-check the line number after every glibc update; if it
  // no longer lands just after the getcwd syscall, this band-aid stops
  // protecting anything.

  // Unaffected call: the syscall failed, or the path begins with '/'.
  if ($retval < 0 || $path[0] == 47 /* '/' */) {
    misscount <<< 1;
    next;
  }

  // The syscall reported success but the path is not absolute.
  hitcount <<< 1;

  // Log the process name, thread id and the returned path for triage.
  if (notify_p) {
    printf("cve-2018-1000001 bandaid %s[%d] %s\n", execname(), tid(), $path$);
  }

  // Optional hard stop: signal 9 to the calling thread.
  if (kill_p) {
    raise(9);
  }

  // Optional soft fix: turn the syscall's success into a failure return code.
  // errno is not updated here (see the line below), so the caller may still
  // observe whatever errno held before the call.
  if (fix_p) {
    $retval = -2; /* ENOENT */
    // @var("errno") = 2; <<<<<< need systemtap PR14013 for errno access
  }
}
// Every 60 seconds, while notify_p is set, print the running miss/hit totals
// and the current kill/fix switches. A rising hit# means some process keeps
// receiving non-absolute paths from getcwd and is worth investigating.
probe timer.s(60) if (notify_p)
{
  misses = @count(misscount);
  hits = @count(hitcount);
  printf("cve-2018-1000001 bandaid miss#%d hit#%d kill?%d fix?%d\n",
         misses, hits, kill_p, fix_p);
}