Older blog entries for wingo (starting at number 115)

I still can’t figure out whether Ulrich Drepper’s DSO optimization paper is just picking nits, showing the young whippersnappers their (our) place, or whether he really has a point.

In any case, he makes the case that text relocations, caused by non-PIC code in shared libraries, are bad, because they prevent those memory pages from being shared. Fine. But he goes on to mention some other aspects of text relocations as well:

Generating DSOs so that text relocations are necessary (see section 2) means that the dynamic linker has to make memory pages, which are otherwise read-only, temporarily writable. The period in which the pages are writable is usually brief, only until all non-lazy relocations for the object are handled. But even this brief period could be exploited by an attacker. In a malicious attack code regions could be overwritten with code of the attacker’s choice and the program will execute the code blindly if it reaches those addresses.

During the program startup period this is not possible since there is no other thread available which could perform the attack while the pages are writable. The same is not true if later, when the program already executes normal code and might have started threads, some DSOs are loaded dynamically with dlopen. For this reason creating DSOs with text relocation means unnecessarily increasing the security problems of the system.

A quick look to see what libraries generate text relocations on my system:

$ for i in /usr/lib/*.so; do
    readelf -d "$i" 2>/dev/null | sed -e "s,^,$i: ," | grep TEXTREL
  done
/usr/lib/libdv.so:  0x00000016 (TEXTREL)            0x0
/usr/lib/libfftw3f.so:  0x00000016 (TEXTREL)        0x0
/usr/lib/libglide3.so:  0x00000016 (TEXTREL)        0x0
/usr/lib/libglide3x.so:  0x00000016 (TEXTREL)       0x0
/usr/lib/libHermes.so:  0x00000016 (TEXTREL)        0x0
/usr/lib/libmpeg2convert.so:  0x00000016 (TEXTREL)  0x0
/usr/lib/libmpeg2.so:  0x00000016 (TEXTREL)         0x0

Sounds like exactly the situation with GStreamer (or other media processors): take an untrusted data source, run it through your code, based on the type load up some dynamic libraries, then run. And it just so happens that most of the libraries that have textrels are the kinds that would be dynamically loaded to process untrusted data. Multiple beers for the first one to make an exploit on this, I’d like to see it. A bit trickier than a simple stack smashing.
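As an added example (not code from the post), the same audit the shell loop above performs, done by reading each library's dynamic section directly: it flags a text relocation whether the linker recorded it as a DT_TEXTREL tag or as the DF_TEXTREL bit inside DT_FLAGS, the two forms that readelf's TEXTREL output collapses together. The names has_textrel, scan_dir and make_fake_elf are mine; make_fake_elf builds a constructed, non-loadable ELF64 image so the check can run offline without real libraries.

```python
import os
import struct

# ELF constants from the System V gABI used by the check below
PT_DYNAMIC = 2
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30
DF_TEXTREL = 0x4  # newer linkers set this bit in DT_FLAGS instead of emitting DT_TEXTREL

def has_textrel(elf: bytes) -> bool:
    """True if this ELF64 LSB image carries DT_TEXTREL or DF_TEXTREL in DT_FLAGS."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only ELF64 little-endian files are handled")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type != PT_DYNAMIC:
            continue
        # walk the Elf64_Dyn (d_tag, d_val) pairs of the dynamic table until DT_NULL
        for pos in range(p_offset, p_offset + p_filesz - 15, 16):
            d_tag, d_val = struct.unpack_from("<qQ", elf, pos)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
                return True
    return False

def scan_dir(path: str) -> list:
    """Same job as the shell loop above: *.so files under path that need text relocations."""
    hits = []
    for name in sorted(os.listdir(path)):
        if ".so" not in name:
            continue
        full = os.path.join(path, name)
        try:
            with open(full, "rb") as f:
                if has_textrel(f.read()):
                    hits.append(full)
        except (OSError, ValueError, struct.error):  # unreadable, not ELF64, or truncated: skip
            pass
    return hits

def make_fake_elf(dyn_entries) -> bytes:
    """Constructed, non-loadable ELF64 image: header + one PT_DYNAMIC phdr + dynamic table."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries) + struct.pack("<qQ", DT_NULL, 0)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # e_ident: ELF64, LSB, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)  # phdr at 64
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 0, 0, len(dyn), len(dyn), 8)  # dyn at 120
    return ehdr + phdr + dyn
```

scan_dir("/usr/lib") gives the same listing as the shell loop on a real system, minus the readelf dependency.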

with apologies to mr. guthrie

They got a building down New York City, it’s called Whitehall Street, where you walk in, you get injected, inspected, detected, infected, neglected and selected. I went down to get my physical examination one day, and I walked in, I sat down, got good and drunk the night before, so I looked and felt my best when I went in that morning. ’Cause I wanted to look like the all-American kid from New York City, man I wanted, I wanted to feel like the all-, I wanted to be the all American kid from New York, and I walked in, sat down, I was hung down, brung down, hung up, and all kinds o’ mean nasty ugly things. And I walked in and sat down and they gave me a piece of paper, said, “Kid, see the psychiatrist, room 604.”

Criminal record check, check. Medical check, check. Two 3″ by 2″ color glossy photos, sans circles and arrows, check. Watch out Spanish embassy, here I come.


27 Apr 2005 (updated 27 Apr 2005 at 21:05 UTC) »

Interesting explanation of continuations in a comment on a weblog entry on continuations and parrot, by Autrijus:

Just today I tried to explain continuations to two fellow Perl programmers, and I came up with the notion that it’s just:

$continuation = \&return;

They grokked it instantly.

Update: Interesting, posting this on my site works, and it crossposts to advo, but viewing the site itself doesn’t work. It’s surprising that *anything* works, considering the drive hosting / is totally borked and sitting in a colo somewhere.


It seems it’s drink-before-work day. At least that’s my conclusion from going to the bar this morning for a breakfast sandwich.


20 Apr 2005 (updated 20 Apr 2005 at 22:57 UTC) »

happenings

Went to Madrid last weekend to see my sister Ellen and friend Erinn. Good folks, pleasant town. Hadn’t been there for five years, but it’s more the same than different.

And, El made me banana bread and gumbo. Taste-o-home in a foreign city.

By star-alignment I met up with some friends from Namibia there in Madrid. They had been travelling four months through west Africa, and had loads of crazy stories to tell. We came back to Barcelona Sunday night, and they flew back to the states this morning. We had a great time listening to all my music from there, our memories of being crunched in bush taxis growing somehow fonder in the distance.

The hardest part of the trip is stopping, though. Two and a half years is a lot of momentum.

code

Ran across this article on intentional types in dynamic languages the other day. Seems relevant to the D-BUS bindings discussion going on p.g.o, especially the part at the end about input and output. Old is new again.

advo

Fixed a couple bugs in the crossposter, added some regexps to deal with the images.


20 Apr 2005 (updated 20 Apr 2005 at 22:53 UTC) »

(ignore)

20 Apr 2005 (updated 20 Apr 2005 at 22:39 UTC) »

(i hate php)

20 Apr 2005 (updated 20 Apr 2005 at 22:53 UTC) »

(ignore)

20 Apr 2005 (updated 20 Apr 2005 at 22:35 UTC) »

(ignore me :-/)

10 Apr 2005 (updated 10 Apr 2005 at 20:41 UTC) »

I updated my advogato plugin for wordpress to work with wordpress 1.5.

Besides that, I added a piece of meta-data on the wordpress posts so that when you edit a post in wordpress, it will edit the proper post on advogato. Also, there are fun elanthis-style permalinks at the bottom ;)

See also the advogato importer for wordpress.
