#!/usr/bin/stap -g -m CVE_2018_6485
//
// Band-aid for CVE-2018-6485 / CVE-2018-6551: glibc's allocator could
// overflow when a request size sits very close to SIZE_MAX.  Every call
// into _int_malloc() and _int_memalign() is inspected, and a $bytes value
// inside that danger zone is handled by
//   (a) clamping it (cve_fix_p) to a value below the wrap-around range but
//       still far larger than anything that could be satisfied, so the
//       allocation fails the normal way, and/or
//   (b) killing the process (kill_p).
//
// cve_enabled_p, cve_notify_p, cve_fix_p, cve_count_metric() and
// cve_metrics[] are not defined in this file; presumably they come from
// the template this script is instantiated from (see the /proc note at
// the bottom).  Guru mode (-g) is required because $bytes is assigned.
//

global kill_p = 0   // 1 => send SIGKILL to the offending process when the guard fires

probe process("/lib*/libc.so.6").function("_int_malloc"),
      process("/lib*/libc.so.6").function("_int_memalign")
  if (cve_enabled_p)
{
  // Deliberately generous guesses for glibc's internal constants, so the
  // computed ceiling stays well inside the safe range whatever the build.
  align_guess = 65536
  minsize_guess = 64 + align_guess

  // SIZE_MAX for the target's word size.  Script integers are signed
  // 64-bit, so on a 64-bit target this literal (and any $bytes above
  // LLONG_MAX) shows up negative; the comparison below accounts for that.
  if (probing_32bit_app())
    size_max = 4294967295
  else
    size_max = 18446744073709551615
  max_ok = size_max - minsize_guess * 2

  // "Is $bytes > max_ok when both are read as unsigned?"  With a positive
  // ceiling (32-bit) only positive requests can exceed it; with a negative
  // ceiling (64-bit, i.e. above LLONG_MAX) only requests that are likewise
  // negative and numerically greater can.
  if (max_ok > 0)
    over_p = ($bytes > 0 && $bytes > max_ok)
  else if (max_ok < 0)
    over_p = ($bytes < 0 && max_ok < $bytes)
  else
    over_p = 0

  if (!over_p) {
    cve_count_metric("miss")
  } else {
    cve_count_metric("hit")
    if (cve_notify_p)
      printf("cve-2018-6485 bandaid %s[%d] %d>%d kill?%d fix?%d\n",
             execname(), tid(), $bytes, max_ok, kill_p, cve_fix_p)
    if (kill_p)
      raise(9)            // SIGKILL
    if (cve_fix_p)
      $bytes = max_ok     // clamp the request size; the allocation is still expected to fail
  }
}

// Once a minute, report how often the guard has fired so far.
probe timer.s(60) if (cve_enabled_p)
{
  if (cve_notify_p)
    printf("cve-2018-6485 bandaid miss#%d hit#%d kill?%d fix?%d\n",
           cve_metrics["miss"], cve_metrics["hit"], kill_p, cve_fix_p)
}

// Take a look at /proc/systemtap/CVE_2018_6485/* for parameters and prometheus metrics