Re: [LAD] jack1 unsafe with accidentally (?) internal exported functions

From: Tito Latini <tito.01beta@email-addr-hidden>
Date: Tue Mar 17 2015 - 00:29:10 EET

On Mon, Mar 16, 2015 at 01:22:56PM -0500, Paul Davis wrote:
> Although their export is a mistake, I really don't see this as of any
> particular importance.
>
> JACK is almost always a per-user system. JACK also allows clients to
> scribble all over each other ports. The fact that someone can write an
> application which does this is really not much of an issue compared to that.

Live coding over the net is trendy and there are tools linked to libjack,
often with the possibility of calling foreign functions. In this context,
a user without particular privileges could cause a crash as root.

Regardless, to complete the report, the hidden functions are:

cleanup_mlock default_jack_error_callback
default_jack_info_callback jack_attach_port_segment
jack_attach_shm jack_call_sync_client
jack_call_timebase_master jack_cleanup_shm
jack_client_alloc jack_client_alloc_internal
jack_client_deliver_request jack_client_fix_port_buffers
jack_client_handle_latency_callback jack_client_handle_port_connection
jack_client_handle_session_callback jack_client_open_aux
jack_clock_source_name jack_default_server_name
jack_destroy_shm jack_event_type_name
jack_generate_unique_id jack_get_all_descriptions
jack_get_description jack_get_free_shm_info
jack_get_mhz jack_get_microseconds_from_cycles
jack_get_microseconds_from_system jack_get_port_functions
jack_get_process_done_fd jack_hpet_init
jack_init_time jack_initialize_shm
jack_internal_client_load_aux jack_messagebuffer_add
jack_messagebuffer_exit jack_messagebuffer_init
jack_messagebuffer_thread_init jack_midi_internal_event_size
jack_pool_alloc jack_pool_release
jack_port_by_id_int jack_port_by_name_int
jack_port_name_equals jack_port_new
jack_port_type_buffer_size jack_register_server
jack_release_shm jack_release_shm_info
jack_resize_shm jack_server_dir
jack_set_clock_source jack_shmalloc
jack_start_freewheel jack_stop_freewheel
jack_transport_copy_position jack_unregister_server
jack_user_dir silent_jack_error_callback
start_server

(obtained with the following imperfect script, also useful to discover
exported internal functions in other non-stripped libraries)

#!/bin/bash
# Discover JACK's hidden functions: global function symbols ("T" in nm
# output) that no public header mentions.
#
# example:
# ./jack_hidden_functions /usr/lib64/libjack.so /usr/include/jack/*
#

find_headers()
{
        local fname="$1"
        shift
        # Print header lines that mention ${fname} as a whole identifier
        # (not as a substring of a longer name), skipping lines that are
        # only comments ("/*", "*" continuation lines, or "//").
        sed -n '\_^[ \t]*/\?\*_d; \_^[ \t]*//_d; /\(^\|[^A-Za-z0-9_]\)'"${fname}"'\([^A-Za-z0-9_]\|$\)/p' "$@"
}

globl_without_header()
{
        local sym
        # One symbol name per line on stdin; print those no header declares.
        while read -r sym; do
                if [ -z "$(find_headers "${sym}" "$@" | head -n 1)" ]; then
                        echo "${sym}"
                fi
        done
}

main()
{
        if [ ! -f "$1" ] || [ ! -f "$2" ]; then
                echo "Usage: $(basename "$0") <libfile> <hfile> [hfile...]" >&2
                exit 2
        fi

        local libpath="$1"
        shift
        # Global, defined function symbols ("T") from the library's symbol
        # table; the library must not be stripped for plain nm to see them.
        nm "${libpath}" | awk '$2 == "T" {print $3}' | globl_without_header "$@"
}

main "$@"
_______________________________________________
Linux-audio-dev mailing list
Linux-audio-dev@email-addr-hidden
http://lists.linuxaudio.org/listinfo/linux-audio-dev
Received on Tue Mar 17 04:15:02 2015

This archive was generated by hypermail 2.1.8 : Tue Mar 17 2015 - 04:15:02 EET
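A Python variant of the same check, added here as an example and not the script from the post above or any JACK project code. It generalises the shell approach in two places the sed filter does not cover: C comments are stripped as a whole (so a function named inside a multi-line block comment whose lines do not start with `*` is not counted as declared), and symbols are read from the dynamic symbol table with `nm -D --defined-only` (GNU nm options) with any `name@VERSION` suffix removed, so it also works on stripped libraries. The sample `nm` output and header below are constructed for the self-check, not taken from a real libjack build.

```python
#!/usr/bin/env python3
"""Report functions a shared library exports but no given header declares.

Added example (not the mailing-list script): reads `nm -D --defined-only`
output, strips C comments from the headers, and matches whole identifiers.
"""
import re
import subprocess
import sys
from pathlib import Path

IDENT = r"[A-Za-z_][A-Za-z0-9_]*"
# Block comments, line comments, and (captured, so they are kept) string
# literals; the literal alternative stops "//" inside a string being eaten.
_COMMENT_RE = re.compile(r'/\*.*?\*/|//[^\n]*|("(?:\\.|[^"\\])*")', re.DOTALL)


def strip_c_comments(src: str) -> str:
    """Remove /* */ and // comments, leaving string literals untouched."""
    return _COMMENT_RE.sub(lambda m: m.group(1) or " ", src)


def declared_identifiers(header_src: str) -> set:
    """Every identifier token in a header, comments removed."""
    return set(re.findall(IDENT, strip_c_comments(header_src)))


def exported_functions(nm_output: str) -> list:
    """Global function symbols ("T") from `nm -D --defined-only` output.

    Symbol versions (name@VER or name@@VER) are dropped so the bare name
    is what gets compared against the headers.
    """
    names = []
    for line in nm_output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "T":
            names.append(parts[2].split("@", 1)[0])
    return names


def undeclared_exports(nm_output: str, headers) -> list:
    """Exported functions no header mentions, in nm order, without repeats."""
    declared = set()
    for src in headers:
        declared |= declared_identifiers(src)
    seen, out = set(), []
    for name in exported_functions(nm_output):
        if name not in declared and name not in seen:
            seen.add(name)
            out.append(name)
    return out


# Constructed sample input for a self-check (not real nm or header output).
SAMPLE_NM = """\
0000000000001130 T jack_port_new
0000000000001200 T jack_shmalloc@@JACK_1
0000000000001300 t jack_static_helper
                 U malloc
0000000000001400 T jack_client_open
"""
SAMPLE_HEADER = """\
/* jack_shmalloc is internal and appears only
   inside this block comment. */
// jack_port_new is internal too
jack_client_t *jack_client_open(const char *name, int options, int *status);
"""


def main(argv):
    if len(argv) < 3:
        sys.exit(f"Usage: {argv[0]} <libfile> <hfile> [hfile...]")
    nm_out = subprocess.run(["nm", "-D", "--defined-only", argv[1]],
                            check=True, capture_output=True, text=True).stdout
    headers = [Path(h).read_text(errors="replace") for h in argv[2:]]
    for name in undeclared_exports(nm_out, headers):
        print(name)


if __name__ == "__main__":
    main(sys.argv)
```

Run as `./undeclared_exports.py /usr/lib64/libjack.so /usr/include/jack/*.h`. Like the shell script, it treats any occurrence of the name in a header as a declaration, so a function that is only mentioned in a macro or a typedef still counts as declared; the self-check data shows the comment case, where `jack_shmalloc` and `jack_port_new` are reported because they occur only inside comments.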