belated ghostbusting with systemtap

The GLIBC "ghost" bug was published & fixed a few weeks ago. Just for completeness, here is a strictly unofficial systemtap-based band-aid for this security bug, tested on RHEL5/RHEL6 era glibc versions 2.5 and 2.12. Of course you should get a properly patched glibc, but this could tide one over for a while.

#! /usr/bin/stap -g

global added%
global trap = 1  /* stap -G trap=0 to only trace, not fix */

/* CVE-2015-0235 "ghostbuster" band-aid

Works by incrementing the size_needed variable set around line 86
of glibc nss/digits_dots.c, so as to account for the missing sizeof
(*h_alias_ptr).  This makes the subsequent comparisons work and
return error codes for buffer-overflow situations.

GLIBC DWARF debuginfo is needed, because we insert a statement
probe just after the initial assignment.  stap -g (guru mode)
is needed because we're modifying state. 

85
86   size_needed = (sizeof (*host_addr)
87                 + sizeof (*h_addr_ptrs) + strlen (name) + 1);
88
89   if (buffer_size == NULL)
90     {
91       if (buflen < size_needed)
92         {
93           if (h_errnop != NULL)
94           *h_errnop = TRY_AGAIN;
95           __set_errno (ERANGE);
96           goto done;
97         }
98     }
99   else if (buffer_size != NULL && *buffer_size < size_needed)
100    {
101      char *new_buf;
102      *buffer_size = size_needed;
103      new_buf = (char *) realloc (*buffer, *buffer_size);
*/


probe process("/lib*/libc.so.6") /* Adjust wildcard for your distro. */
      .statement("__nss_hostname_digits_dots@*:87-102")
      /* We use a range here because optimized glibc may only have
         a few clear-cut PC-ranges for statements.  This particular
         line range is unusually reliable, because the digits_dots.c
         file has seen very little change in glibc, up until the
         CVE bug fix.  We use the added[] array to make sure we only
         increment once per thread per function invocation. */
{
   if (! added[tid()])
     {
        added[tid()] = 1; # we only want to add once
        printf("%s[%d] BOO! size_needed=%d ", execname(), tid(), $size_needed)
        if (trap)
           {
              /* The &@cast() business is a fancy sizeof(uintptr_t),
                 which makes this script work for both 32- and 64-bit glibc's. */
              $size_needed = $size_needed + &@cast(0, "uintptr_t")[1]
              printf("ghostbusted to %d", $size_needed)
           }
        printf("\n")
     }
}

probe process("/lib*/libc.so.6").function("__nss_hostname_digits_dots").return
{
   delete added[tid()]
}