!71 FIX CVE-2024-2314

From: @zhang-mingyi66 
Reviewed-by: @bitcoffee 
Signed-off-by: @bitcoffee

backport-CVE-2024-2314-clang-check-header-owners.patch

@@ -0,0 +1,65 @@
+From 008ea09e891194c072f2a9305a3c872a241dc342 Mon Sep 17 00:00:00 2001
+From: Brendan Gregg <brendan@intel.com>
+Date: Thu, 7 Mar 2024 05:27:14 +1100
+Subject: [PATCH] clang: check header ownership (#4928)
+
+Example testing with a brendan-owned /tmp/kheaders file (note the "ERROR:" message):
+
+~/bcc/build$ sudo /usr/share/bcc/tools/biosnoop
+ERROR: header file ownership unexpected: /tmp/kheaders-5.15.47-internal
+<built-in>:1:10: fatal error: './include/linux/kconfig.h' file not found
+#include "./include/linux/kconfig.h"
+         ^~~~~~~~~~~~~~~~~~~~~~~~~~~
+1 error generated.
+Traceback (most recent call last):
+  File "/usr/share/bcc/tools/biosnoop", line 335, in <module>
+    b = BPF(text=bpf_text)
+  File "/usr/lib/python3/dist-packages/bcc-0.1.5+6cd27218-py3.10.egg/bcc/__init__.py", line 479, in __init__
+Exception: Failed to compile BPF module <text>
+~/bcc/build$ ls -lhd /tmp/kheaders-5.15.47-internal
+drwxrwxr-x 2 brendan dev 4.0K Mar  6 02:50 /tmp/kheaders-5.15.47-internal
+
+No error when chown'd back to root.
+---
+ src/cc/frontends/clang/kbuild_helper.cc | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/src/cc/frontends/clang/kbuild_helper.cc b/src/cc/frontends/clang/kbuild_helper.cc
+index 50e2da9a7bc..d4b9d3e61c7 100644
+--- a/src/cc/frontends/clang/kbuild_helper.cc
++++ b/src/cc/frontends/clang/kbuild_helper.cc
+@@ -140,15 +140,22 @@ int KBuildHelper::get_flags(const char *uname_machine, vector<string> *cflags) {
+   return 0;
+ }
+ 
+-static inline int file_exists(const char *f)
++static inline int file_exists_and_ownedby(const char *f, uid_t uid)
+ {
+   struct stat buffer;
+-  return (stat(f, &buffer) == 0);
++  int ret;
++  if ((ret = stat(f, &buffer)) == 0) {
++    if (buffer.st_uid != uid) {
++      std::cout << "ERROR: header file ownership unexpected: " << std::string(f) << "\n";
++      return -1;
++    }
++  }
++  return ret;
+ }
+ 
+ static inline int proc_kheaders_exists(void)
+ {
+-  return file_exists(PROC_KHEADERS_PATH);
++  return file_exists_and_ownedby(PROC_KHEADERS_PATH, 0);
+ }
+ 
+ static inline const char *get_tmp_dir() {
+@@ -224,7 +231,7 @@ int get_proc_kheaders(std::string &dirpath)
+            uname_data.release);
+   dirpath = std::string(dirpath_tmp);
+ 
+-  if (file_exists(dirpath_tmp))
++  if (file_exists_and_ownedby(dirpath_tmp, 0))
+     return 0;
+ 
+   // First time so extract it

backport-Fix-ttysnoop.py-with-newer-kernels-4888.patch

@@ -0,0 +1,132 @@
+From ce5c8938c494eb03f0784c6e4ae81507139ca779 Mon Sep 17 00:00:00 2001
+From: yonghong-song <ys114321@gmail.com>
+Date: Tue, 30 Jan 2024 09:13:04 -0800
+Subject: [PATCH 1/1] Fix ttysnoop.py with newer kernels (#4888)
+
+Jerome Marchand reported that ttysnoop.py won't work properly
+with newer kernels (#4884). I did some investigation and found
+that some kernel data structure change caused verification failure.
+The failure is caused by the following:
+  ; kvec  = from->kvec;
+  // R1=ptr_iov_iter()
+  15: (79) r1 = *(u64 *)(r1 +16)        ; R1_w=scalar()
+  ; count = kvec->iov_len;
+  16: (bf) r2 = r1                      ; R1_w=scalar(id=1) R2_w=scalar(id=1)
+  17: (07) r2 += 8                      ; R2_w=scalar()
+  18: (05) goto pc+3
+  ;
+  22: (79) r2 = *(u64 *)(r2 +0)
+  R2 invalid mem access 'scalar'
+
+So basically, loading 'iov_iter + 16' returns a scalar but verifier
+expects it to be a pointer.
+
+In v6.4, we have
+    struct iovec
+    {
+        void __user *iov_base;  /* BSD uses caddr_t (1003.1g requires void *) */
+        __kernel_size_t iov_len; /* Must be size_t (1003.1g) */
+    };
+    struct iov_iter {
+        u8 iter_type;
+        bool copy_mc;
+        bool nofault;
+        bool data_source;
+        bool user_backed;
+        union {
+                size_t iov_offset;
+                int last_offset;
+        };
+        union {
+                struct iovec __ubuf_iovec;
+                struct {
+                        union {
+                                const struct iovec *__iov;
+                                const struct kvec *kvec;
+                                const struct bio_vec *bvec;
+                                struct xarray *xarray;
+                                struct pipe_inode_info *pipe;
+                                void __user *ubuf;
+                        };
+                        size_t count;
+                };
+        };
+        union {
+                unsigned long nr_segs;
+                struct {
+                        unsigned int head;
+                        unsigned int start_head;
+                };
+                loff_t xarray_start;
+        };
+    };
+
+The kernel traversal chain will be
+   "struct iov_iter" -> "struct iovec __ubuf_iovec" -> "void __user *iov_base".
+Since the "iov_base" type is a ptr to void, the kernel considers the
+loaded value as a scalar which caused verification failure.
+
+But for old kernel like 5.19, we do not have this issue.
+    struct iovec
+    {
+        void __user *iov_base;  /* BSD uses caddr_t (1003.1g requires void *) */
+        __kernel_size_t iov_len; /* Must be size_t (1003.1g) */
+    };
+    struct iov_iter {
+        u8 iter_type;
+        bool nofault;
+        bool data_source;
+        bool user_backed;
+        size_t iov_offset;
+        size_t count;
+        union {
+                const struct iovec *iov;
+                const struct kvec *kvec;
+                const struct bio_vec *bvec;
+                struct xarray *xarray;
+                struct pipe_inode_info *pipe;
+                void __user *ubuf;
+        };
+        union {
+                unsigned long nr_segs;
+                struct {
+                        unsigned int head;
+                        unsigned int start_head;
+                };
+                loff_t xarray_start;
+        };
+    };
+
+The kernel traversal chain will be
+    "struct iov_iter" -> "const struct iovec *iov"
+Note that "const struct iovec *iov" is used since it is the *first* member
+inside the union. The traversal stops once we hit a pointer.
+So the kernel verifier returns a 'struct iovec' object (untrusted, cannot
+be used as a parameter to a call) and verifier can proceed.
+
+To fix the problem, let us use bpf_probe_read_kernel() instead
+so ttysnoop.py can continue to work with newer kernel.
+
+Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
+---
+ tools/ttysnoop.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/ttysnoop.py b/tools/ttysnoop.py
+index 77f97b7c..aca09db4 100755
+--- a/tools/ttysnoop.py
++++ b/tools/ttysnoop.py
+@@ -162,8 +162,8 @@ PROBE_TTY_WRITE
+      */
+     case CASE_ITER_IOVEC_NAME:
+         kvec  = from->kvec;
+-        buf   = kvec->iov_base;
+-        count = kvec->iov_len;
++        bpf_probe_read_kernel(&buf, sizeof(buf), &kvec->iov_base);
++        bpf_probe_read_kernel(&count, sizeof(count), &kvec->iov_len);
+         break;
+     CASE_ITER_UBUF_TEXT
+     /* TODO: Support more type */
+-- 
+2.27.0
+

bcc.spec

@@ -1,19 +1,23 @@
 %bcond_without llvm_shared
 
 Name:           bcc
-Version:        0.26.0
-Release:        1
+Version:        0.29.1
+Release:        3
 Summary:        BPF Compiler Collection (BCC)
 License:        ASL 2.0
 URL:            https://github.com/iovisor/bcc
 # Upstream now provides a release with the git submodule embedded in it
 Source0:        %{url}/releases/download/v%{version}/%{name}-src-with-submodule.tar.gz
 
+Patch0001:	backport-Fix-ttysnoop.py-with-newer-kernels-4888.patch
+Patch0002:	backport-CVE-2024-2314-clang-check-header-owners.patch
+
 # Arches will be included as upstream support is added and dependencies are
 # satisfied in the respective arches
 
+BuildRequires:  gcc gcc-c++
 BuildRequires:  bison cmake >= 2.8.7 flex libxml2-devel python3-devel
-BuildRequires:  elfutils-libelf-devel llvm-devel clang-devel
+BuildRequires:  elfutils-libelf-devel llvm-devel clang-devel llvm-test
 BuildRequires:  llvm-static ncurses-devel pkgconfig(luajit)
 BuildRequires:  libbpf-devel >= 0.8.0-1, libbpf-static >= 0.8.0-1
 # Additional dependency on util-linux for 'rename'
@@ -161,6 +165,22 @@ rm -rf %{buildroot}%{_datadir}/%{name}/tools/old/
 
 
 %changelog
+* Tue Dec 03 2024 zhangmingyi <zhangmingyi5@huawei.com> - 0.29.1-3
+- Fix CVE-2024-2314
+
+* Thu May 09 2024 jinzhiguang <jinzhiguang@kylinos.cn> - 0.29.1-2
+- backport patch from upstream
+  backport-Fix-ttysnoop.py-with-newer-kernels-4888.patch
+
+* Mon Feb 19 2024 liweigang <izmirvii@gmail.com> - 0.29.1-1
+- update to version 0.29.1
+
+* Wed Dec 6 2023 zhoujing <zhoujing106@huawei.com> - 0.26.0-3
+- Fix build error with llvm17.
+
+* Sat Jul 15 2023 cf-zhao <zhaochuanfeng@huawei.com> - 0.26.0-2
+- Fix issue after clang and llvm upgrade.
+
 * Thu Feb 2 2023 JofDiamonds <kwb0523@163..com> - 0.26.0-1
 - upgrade bcc from 0.23.0 to 0.26.0