dtrace: add missing dtrace_*canload() for copyout() and copyoutstr().
authorNick Alcock <nick.alcock@oracle.com>
Tue, 6 Oct 2015 21:06:28 +0000 (22:06 +0100)
committerKris Van Hees <kris.van.hees@oracle.com>
Wed, 18 Nov 2015 00:54:07 +0000 (19:54 -0500)
On Solaris, where unprivileged tracing is permitted and zone tracing is
implemented, the missing load checks are a security hole: a script can have
copyout()/copyoutstr() read from a kernel address it is not entitled to load,
breaking through both the zone and the unprivileged-dtrace boundaries.  Linux
does not implement either of these, so the fix is currently unobservable here.

Originally reported as a Solaris DTrace bug, it seems worth fixing here
too, against the day when we implement unprivileged tracing.

Signed-off-by: Nick Alcock <nick.alcock@oracle.com>
Acked-by: Kris Van Hees <kris.van.hees@oracle.com>
dtrace/dtrace_dif.c

index d09e17d8b78d4a9bab6e98c2d2d8edb825038475..9f830e15a06a725e77339579aaa7d17e5db7d19e 100644 (file)
@@ -2679,7 +2679,8 @@ static void dtrace_dif_subr(uint_t subr, uint_t rd, uint64_t *regs,
 
                if (!dtrace_destructive_disallow &&
                    dtrace_priv_proc_control(state) &&
-                   !dtrace_istoxic(kaddr, size)) {
+                   !dtrace_istoxic(kaddr, size) &&
+                   dtrace_canload(kaddr, size, mstate, vstate)) {
                        DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
                        dtrace_copyout(kaddr, uaddr, size, flags);
                        DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT);
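Review bot: The new `dtrace_canload(kaddr, size, mstate, vstate)` clause carries the security rationale for this gate, but nothing in the code says so, and since the commit message notes the effect is unobservable on Linux today a later cleanup could mistake it for redundant with `dtrace_istoxic()`. I would add above the `if`: `/* kaddr must be loadable by this consumer: otherwise a script could copy out kernel memory it may not read, crossing zone/unprivileged-tracing boundaries. */`. The clause ordering is sound as written, since dtrace_canload() is only reached after the destructive-action and privilege checks pass. If dtrace_canload() does not itself record the refusal (for example via a CPU_DTRACE_* fault flag) the copyout is skipped silently from this hunk's point of view, which is worth confirming against its definition. The enclosing dtrace_dif_subr() switch arm starts and ends outside the hunk.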
@@ -2694,7 +2695,8 @@ static void dtrace_dif_subr(uint_t subr, uint_t rd, uint64_t *regs,
 
                if (!dtrace_destructive_disallow &&
                    dtrace_priv_proc_control(state) &&
-                   !dtrace_istoxic(kaddr, size)) {
+                   !dtrace_istoxic(kaddr, size) &&
+                   dtrace_strcanload(kaddr, size, mstate, vstate)) {
                        DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
                        dtrace_copyoutstr(kaddr, uaddr, size, flags);
                        DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT);
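Review bot: `dtrace_strcanload(kaddr, size, mstate, vstate)` is the appropriate predicate for copyoutstr(), but how it treats `size` decides whether the check is exact or over-strict: if it validates only the NUL-terminated string (bounded by `size`) it matches what dtrace_copyoutstr() reads, whereas if it demands all `size` bytes be loadable, a short string ending near the edge of a loadable region would be refused. That depends on dtrace_strcanload()'s definition, which is outside this hunk and should be confirmed. A short comment would also help readers see why this arm differs from the copyout() arm above: `/* Source string must be loadable by this consumer before it is copied out. */`. The enclosing switch arm continues outside the hunk.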