From cea402192274d90729e0b9befd3d735bf518b0e7 Mon Sep 17 00:00:00 2001
From: Nick Alcock
Date: Tue, 6 Oct 2015 22:06:28 +0100
Subject: [PATCH] dtrace: add missing dtrace_*canload() for copyout() and copyoutstr().

On Solaris, where unprivileged tracing is permitted and zone tracing is implemented, this is a security hole since it allows breaking through both zone and unprivileged-dtrace boundaries. Linux does not implement either of these, so this fix is currently unobservable here. Originally reported as a Solaris DTrace bug, it seems worth fixing here too, against the day when we implement unprivileged tracing.

Signed-off-by: Nick Alcock
Acked-by: Kris Van Hees
---
 dtrace/dtrace_dif.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/dtrace/dtrace_dif.c b/dtrace/dtrace_dif.c
index d09e17d8b78d..9f830e15a06a 100644
--- a/dtrace/dtrace_dif.c
+++ b/dtrace/dtrace_dif.c
@@ -2679,7 +2679,8 @@ static void dtrace_dif_subr(uint_t subr, uint_t rd, uint64_t *regs,
 		if (!dtrace_destructive_disallow &&
 		    dtrace_priv_proc_control(state) &&
-		    !dtrace_istoxic(kaddr, size)) {
+		    !dtrace_istoxic(kaddr, size) &&
+		    dtrace_canload(kaddr, size, mstate, vstate)) {
 			DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
 			dtrace_copyout(kaddr, uaddr, size, flags);
 			DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT);
@@ -2694,7 +2695,8 @@ static void dtrace_dif_subr(uint_t subr, uint_t rd, uint64_t *regs,
 		if (!dtrace_destructive_disallow &&
 		    dtrace_priv_proc_control(state) &&
-		    !dtrace_istoxic(kaddr, size)) {
+		    !dtrace_istoxic(kaddr, size) &&
+		    dtrace_strcanload(kaddr, size, mstate, vstate)) {
 			DTRACE_CPUFLAG_SET(CPU_DTRACE_NOFAULT);
 			dtrace_copyoutstr(kaddr, uaddr, size, flags);
 			DTRACE_CPUFLAG_CLEAR(CPU_DTRACE_NOFAULT);
-- 
2.50.1
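Review bot: The new `dtrace_canload(kaddr, size, mstate, vstate)` conjunct in the copyout hunk carries no comment saying what it guards, and since the commit message itself says the check is currently unobservable on Linux, a later reader has nothing in the code telling them it must not be dropped. I would put a two-line comment above the `if`: `/* kaddr is a probe-supplied source address; refuse ranges this consumer is not allowed to load, which matters once unprivileged or zone tracing exists. */`, and the same comment, naming `dtrace_strcanload()`, above the `if` in the copyoutstr hunk. The `mstate` and `vstate` arguments are presumably the parameters of `dtrace_dif_subr()` beyond the truncated `@@` signature, and the `case` block enclosing each `if` starts and ends outside the hunk, so I cannot confirm from here that a failed canload surfaces an error to the consumer rather than silently skipping the copy; worth stating in the comment either way. Both hunk headers count seven old lines while only six are visible, so one context line, probably blank, appears lost in this rendering.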