[LAD] jack1 unsafe with accidentally (?) internal exported functions

Paul Davis paul at linuxaudiosystems.com
Mon Mar 16 22:42:57 UTC 2015


using a word like "root" is disingenuous. almost all JACK instances belong
to a user who is the only one to run processes that access the server. and
every single one of those processes can stomp on memory used by the others.

symbol visibility in unix libraries has been a historical weak spot. gcc
makes all symbols visible by default (opposite of MS-based compilers).

i'm happy to accept a patch that fixes visibility, but i'm not interested
in continuing discussion of the scope or details about it.

On Mon, Mar 16, 2015 at 5:29 PM, Tito Latini <tito.01beta at gmail.com> wrote:

> On Mon, Mar 16, 2015 at 01:22:56PM -0500, Paul Davis wrote:
> > Although their export is a mistake, I really don't see this as of any
> > particular importance.
> >
> > JACK is almost always a per-user system. JACK also allows clients to
> > scribble all over each other ports. The fact that someone can write an
> > application which does this is really not much of an issue compared to
> that.
>
> live coding over the net is trendy and there are tools linked to libjack,
> often with the possibility to call foreign functions. In this context,
> a user without particular privileges could cause a crash to the root.
>
> Regardless, to complete the report, the hidden functions are:
>
> cleanup_mlock                        default_jack_error_callback
> default_jack_info_callback           jack_attach_port_segment
> jack_attach_shm                      jack_call_sync_client
> jack_call_timebase_master            jack_cleanup_shm
> jack_client_alloc                    jack_client_alloc_internal
> jack_client_deliver_request          jack_client_fix_port_buffers
> jack_client_handle_latency_callback  jack_client_handle_port_connection
> jack_client_handle_session_callback  jack_client_open_aux
> jack_clock_source_name               jack_default_server_name
> jack_destroy_shm                     jack_event_type_name
> jack_generate_unique_id              jack_get_all_descriptions
> jack_get_description                 jack_get_free_shm_info
> jack_get_mhz                         jack_get_microseconds_from_cycles
> jack_get_microseconds_from_system    jack_get_port_functions
> jack_get_process_done_fd             jack_hpet_init
> jack_init_time                       jack_initialize_shm
> jack_internal_client_load_aux        jack_messagebuffer_add
> jack_messagebuffer_exit              jack_messagebuffer_init
> jack_messagebuffer_thread_init       jack_midi_internal_event_size
> jack_pool_alloc                      jack_pool_release
> jack_port_by_id_int                  jack_port_by_name_int
> jack_port_name_equals                jack_port_new
> jack_port_type_buffer_size           jack_register_server
> jack_release_shm                     jack_release_shm_info
> jack_resize_shm                      jack_server_dir
> jack_set_clock_source                jack_shmalloc
> jack_start_freewheel                 jack_stop_freewheel
> jack_transport_copy_position         jack_unregister_server
> jack_user_dir                        silent_jack_error_callback
> start_server
>
>
> (obtained with the following imperfect script, which is also useful for
> discovering exported internal functions in other non-stripped libraries)
>
>
> #!/bin/bash
> # Discover JACK's hidden functions.
> #
> # example:
> # ./jack_hidden_functions /usr/lib64/libjack.so /usr/include/jack/*
> #
>
> # Print the header lines that mention the function name, skipping lines
> # that start a C or C++ comment; an empty result means the symbol is not
> # declared in any of the given headers.
> find_headers()
> {
>         local fname="$1"
>         shift
>         sed -n '/[^A-Za-z0-9_]*'"${fname}"'[^A-Za-z0-9_]/{\_^[ \t]*/\?\*_d;\_^[ \t]*//_d;p}' "$@"
> }
>
> # Read symbol names from stdin and echo those with no header declaration.
> globl_without_header()
> {
>         while read -r lib; do
>                 [ -z "$(find_headers "${lib}" "$@" | head -1)" ] && echo "${lib}"
>         done
> }
>
> main()
> {
>         if [ ! -f "$1" -o ! -f "$2" ]; then
>                 echo "Usage: $(basename $0) <libfile> <hfile> [hfile...]"
>                 exit 2
>         fi
>
>         local libpath="$1"
>         shift
>         # "T": defined symbols in the text (code) section, i.e. functions.
>         nm "${libpath}" | awk '$2 == "T" {print $3}' | globl_without_header "$@"
> }
>
> main "$@"
>