| Commit message | Author | Age |
| |
The return value from __errno_location() is an int*. My syntax had
erroneously specified that it returned an int. Nothing spotted this
bug because the expression is evaluated by gdb whose C interpreter is
very strange. In particular, gdb lets you dereference an int, even on
a platform where ints are 32-bit and pointers are 64-bit.
If you are on a 32-bit platform, this does not matter. Likewise if
you are on a 64-bit platform and the address of errno happens, by
luck, to be within the 32-bit addressable part of the space.
If you are mildly lucky the result of this is an error like this:
gdb.MemoryError: Cannot access memory at address 0x2f24ef10
buried in stack traces from fishdescriptor.
If you are unlucky, fishdescriptor will successfully access some wrong
location. This means it does not actually save and restore errno,
since it saves and restores somewhere else instead. So fishdescriptor
will corrupt the errno value of the thread that it happens to
be (ab)using, overwriting it with the errno from fishdescriptor's own
calls, possibly causing the target program to become confused about
the error(s) from system call(s) it is making.
If you are very unlucky, fishdescriptor will successfully access some
wrong location which is actively in use by something outside the
target process (eg, direct IO, shared memory). fishdescriptor will
save the value (a single int) and then restore it a bit later. This
might in principle cause any kind of arbitrary lossage.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
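Added example, not part of this log and not fishdescriptor's code: a ctypes reproduction of the declaration bug described above. It assumes glibc on Linux, where errno is thread-local and its address is returned by `int *__errno_location(void)`, and that the C library is reachable through `ctypes.CDLL(None)`. The function names are the example's own. The first prototype repeats the mistake (declaring the function as returning `int`), the second is the correct `int *`, and the last function shows the save/call/restore sequence a tool borrowing another thread's context has to do around its own libc calls.

```python
import ctypes
import errno

# Assumed: glibc on Linux. use_errno=False so our calls touch the real
# errno of this thread instead of ctypes' private copy.
libc = ctypes.CDLL(None, use_errno=False)

# Two views of the same symbol. The first repeats the bug from the log:
# the function declared as returning int, not int*.
_errno_location_as_int = ctypes.CFUNCTYPE(ctypes.c_int)(("__errno_location", libc))
_errno_location = ctypes.CFUNCTYPE(ctypes.POINTER(ctypes.c_int))(("__errno_location", libc))


def errno_address():
    """Correct int* view: the full address of this thread's errno."""
    return ctypes.cast(_errno_location(), ctypes.c_void_p).value


def errno_address_truncated():
    """Buggy int view: on an LP64 platform only the low 32 bits of the
    pointer survive. Dereferencing this is what produces a
    'Cannot access memory at address 0x........' style error, or, worse,
    silently hits some other mapping."""
    return _errno_location_as_int() & 0xFFFFFFFF


def truncation_keeps_only_low_bits():
    """The int view is the int* view with the high bits dropped."""
    return (errno_address() & 0xFFFFFFFF) == errno_address_truncated()


def address_needs_more_than_32_bits():
    """True in the 'unlucky' case: the truncated value is a different address."""
    return errno_address() != errno_address_truncated()


def save_restore_roundtrip():
    """Remember the target's errno, make our own failing call, put it back."""
    p = _errno_location()
    p.contents.value = errno.EAGAIN   # constructed: pretend the target's last syscall left EAGAIN
    saved = p.contents.value
    libc.close(-1)                    # our own call fails with EBADF and clobbers errno
    clobbered = p.contents.value
    p.contents.value = saved          # restore before handing the thread back
    return saved, clobbered, p.contents.value


def roundtrip_ok():
    saved, clobbered, restored = save_restore_roundtrip()
    return saved == errno.EAGAIN and clobbered == errno.EBADF and restored == saved


if __name__ == "__main__":
    print("errno at %#x, as int %#x, needs >32 bits: %s"
          % (errno_address(), errno_address_truncated(), address_needs_more_than_32_bits()))
    print("save/restore round trip ok:", roundtrip_ok())
```

On a 64-bit glibc system the two addresses normally differ, which is the failure mode the message calls unlucky; on a 32-bit system they are equal and the bug is invisible, exactly as the message says.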
| |
This is correct, since we are operating in our environment but we are
going to use the path in the target's root.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
| |
No functional change.
We are going to use this in a moment.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
| |
`our_sockname' contains something like
/proc/DONOR/root/run/user/UID/fishdescriptor/SOCKET
When I tested this I did it in a chroot where /proc was mounted. In
such a chroot /proc/DONOR/root -> /. So this works.
But if there is no /proc, it does not work.
Instead, we can and should assume that the path in the donor is
relative to its own root. Ie, we can just use `sockname'.
CC: George Dunlap <george.dunlap@citrix.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
| |
Otherwise we will probably try to move the now-defunct open-file
somewhere when we try to make the descriptor refer to the intended
open-file.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
We make a socket, normally in /var/run/user for the victim process,
which is therefore accessible only to the victim uid (and to root).
If we are running as root, the socket will typically not be writeable
by the user, and this will fail. We need to chmod it.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
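Added example, not part of this log and not fishdescriptor's code: the socket arrangement the message above describes, carried through to an actual descriptor donation. The collector creates an AF_UNIX socket in a directory, chmods the socket node so a process running as another uid can connect (the mode 0666 is an assumption; the log only says "chmod it"), and the donor then sends a descriptor over it with SCM_RIGHTS via sendmsg, the same mechanism the libxl__sendmsg_fds copy further down this log implements in C. The socket name and the pipe used as the donated open-file are constructed for the example.

```python
import array
import os
import socket
import stat
import tempfile

SOCK_MODE = 0o666   # assumed; the log says only that the socket must be chmod'ed


def make_donation_socket(sockdir, mode=SOCK_MODE):
    """Listening socket for the donor to connect to. bind() creates the
    node as 0777 & ~umask; run as root with a normal umask that is 0755,
    and connect() needs write permission on the node, so chmod it."""
    path = os.path.join(sockdir, "donate.sock")   # hypothetical name
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, mode)
    srv.listen(1)
    return srv, path


def send_fds(sock, fds):
    """Donor side: one byte of payload plus the fds as SCM_RIGHTS ancillary data."""
    return sock.sendmsg([b"F"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS,
                                  array.array("i", fds))])


def recv_fds(sock, maxfds):
    """Collector side: receive up to maxfds descriptors; they arrive at
    whatever numbers are free here, not at the donor's numbers."""
    fds = array.array("i")
    data, ancdata, _flags, _addr = sock.recvmsg(
        1, socket.CMSG_SPACE(maxfds * fds.itemsize))
    for level, ctype, payload in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            payload = payload[:len(payload) - (len(payload) % fds.itemsize)]
            fds.frombytes(payload)
    return data, list(fds)


def demo():
    """Donor and collector in one process, for a runnable demonstration."""
    with tempfile.TemporaryDirectory() as d:
        srv, path = make_donation_socket(d)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        donor = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        donor.connect(path)
        conn, _ = srv.accept()
        rfd, wfd = os.pipe()              # constructed: the open-file being donated
        send_fds(donor, [rfd])
        data, received = recv_fds(conn, 1)
        os.write(wfd, b"hello")
        payload = os.read(received[0], 5)  # readable through the received fd
        same_open_file = os.fstat(received[0]).st_ino == os.fstat(rfd).st_ino
        renumbered = received[0] != rfd    # why a later fd permutation step exists
        for fd in (rfd, wfd, received[0]):
            os.close(fd)
        for s in (donor, conn, srv):
            s.close()
        return mode, data, payload, same_open_file, renumbered


if __name__ == "__main__":
    print(demo())
```

The received descriptor refers to the same open-file (same inode via fstat) but has a different number, which is what the fd permutation in the later messages of this log exists to fix.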
| |
The fd permutation algorithm would fail in nontrivial cases because it
tries to update individual members of the tuples in the fdmap. That is
not permitted in Python. Make the tuples into lists.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
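Added example, not the fdmap code this message fixes and not fishdescriptor's own algorithm: a general descriptor permutation of the kind the message refers to. `want` maps each target fd number to the fd number that currently refers to the open-file the target should end up with; targets may also be sources, and sources may form cycles, so the work list is a mutable dict rather than tuples. The os-level primitives are injected so the same routine can be run against a simulated table as well as real descriptors; the simulated table and the pipes used in the real-fd check are constructed for the example.

```python
import fcntl
import os


def permute_fds(want, dup2, dup_above, close):
    """Make each target fd in `want` refer to what want[target] refers to now."""
    pending = {t: s for t, s in want.items() if t != s}
    temps = []
    # Temporaries go above every number involved, so a later dup2 onto a
    # target can never land on one of them.
    lo = max(set(want) | set(want.values()), default=-1) + 1
    while pending:
        needed_by = {}
        for t, s in pending.items():
            needed_by.setdefault(s, []).append(t)
        safe = [t for t in pending if t not in needed_by]
        if not safe:
            # Every pending target is still somebody's source: a cycle.
            # Park one of them on a fresh high fd and point its users there.
            t = min(pending)
            tmp = dup_above(t, lo)
            for user in needed_by[t]:
                pending[user] = tmp
            temps.append(tmp)
            continue
        for t in safe:
            dup2(pending.pop(t), t)
    for fd in temps:
        close(fd)
    # Numbers that were only stepping stones (where donated fds arrived).
    for fd in set(want.values()) - set(want):
        close(fd)


def dup_above(fd, lo):
    """os.dup() picks the lowest free number, which might be a target we
    have not filled yet; F_DUPFD asks for a number >= lo instead."""
    return fcntl.fcntl(fd, fcntl.F_DUPFD, lo)


class FdTable:
    """Simulated descriptor table: fd number -> open-file identity."""
    def __init__(self, entries):
        self.t = dict(entries)

    def dup2(self, src, dst):
        self.t[dst] = self.t[src]

    def dup_above(self, src, lo):
        n = lo
        while n in self.t:
            n += 1
        self.t[n] = self.t[src]
        return n

    def close(self, fd):
        del self.t[fd]


def permute_on_table(entries, want):
    tab = FdTable(entries)
    permute_fds(want, tab.dup2, tab.dup_above, tab.close)
    return tab.t


def demo_with_real_fds():
    """Rotate three real pipe read ends (a cycle of length 3) and check
    the result with fstat, as one would check a donated descriptor."""
    pipes = [os.pipe() for _ in range(3)]
    a, b, c = (p[0] for p in pipes)
    ident = {fd: os.fstat(fd).st_ino for fd in (a, b, c)}
    permute_fds({a: b, b: c, c: a}, os.dup2, dup_above, os.close)
    ok = (os.fstat(a).st_ino == ident[b] and os.fstat(b).st_ino == ident[c]
          and os.fstat(c).st_ino == ident[a])
    for p in pipes:
        os.close(p[0])
        os.close(p[1])
    return ok


if __name__ == "__main__":
    # constructed table: 3->A 4->B 5->C 7->D; want a 3-cycle plus a move from 7
    print(permute_on_table({3: "A", 4: "B", 5: "C", 7: "D"}, {3: 4, 4: 5, 5: 3, 6: 7}))
    print("real fds rotated:", demo_with_real_fds())
```

The cycle case is the nontrivial one the message mentions: with a 3-cycle no target can be written first, so one entry is parked on a high temporary and the entries that needed it are rewritten in place, which is only possible because the work list is mutable.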
| |
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
This reverts commit 33545a21597767a50443a717b015fc9e3c8dd553.
| |
Actually this works for reading errno but not for setting it.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
Suggestion by Colin Watson.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
This reverts commit 22677ae542431ce09a8de83fecc3a22163a8d490.
| |
Actually we don't want to do this. It is better to use the python dl
or os modules, so we will do that in a moment.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
Still very incomplete
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
(gdb) print (void*)dlopen("/u/iwj/things/chiark-utils.git/fishdescriptor/libfishdescriptor-donate.so.1.0",2)
$5 = (void *) 0x8f0d408
(gdb) print (void*)dlsym($5, "fishdescriptor_donate")
$6 = (void *) 0xf6953620 <fishdescriptor_donate>
(gdb) print (( int (*)(const char *, const int *) )$6)("/dev/enoent", (int[2]){0,-1})
$7 = 2
(gdb) print strerror(2)
$8 = 0xf74697e8 "No such file or directory"
(gdb)
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
See LGPL-2.1 s3. This is necessary to preserve the copyright and
licence status of chiark-utils as a whole.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
| |
Copy int libxl__sendmsg_fds from libxl so we can clone and hack it.
Source was:
xen.git#38ab259f559be5457f6866ba24185e013f27defb
tools/libxl/libxl_utils.c
libxl is LGPL2.1-only. We will upgrade this licence to be compatible
with the rest of chiark utils (GPL3+) in a moment. This is permitted
by LGPL-2.1 section 3.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>