2017-12-15 21:15:13 +08:00
|
|
|
#undef _GNU_SOURCE
|
|
|
|
#define _GNU_SOURCE
|
|
|
|
#undef _POSIX_C_SOURCE
|
|
|
|
#define _POSIX_C_SOURCE 200809L
|
2017-12-22 00:30:17 +08:00
|
|
|
#define _DARWIN_C_SOURCE
|
2018-01-08 16:28:43 +08:00
|
|
|
#define _XOPEN_SOURCE 600
|
2017-12-15 21:15:13 +08:00
|
|
|
#include <limits.h>
|
2012-11-07 23:49:14 +08:00
|
|
|
#include <pthread.h>
|
|
|
|
#include <unistd.h>
|
|
|
|
#include <fcntl.h>
|
|
|
|
#include <stdlib.h>
|
|
|
|
#include <stdio.h>
|
|
|
|
#include <sys/select.h>
|
|
|
|
#include <assert.h>
|
2012-11-08 03:11:14 +08:00
|
|
|
#include <string.h>
|
|
|
|
#include <stdint.h>
|
2012-11-08 04:11:03 +08:00
|
|
|
#include <stddef.h>
|
2013-01-21 08:54:45 +08:00
|
|
|
#include <errno.h>
|
allocator_thread: fix segfault with weechat 2.0
it was reported that weechat 2.0 on ubuntu 16.04 LTS x86_64 segfaulted like this:
4 0x00007f6bf0e7e0c0 in __stack_chk_fail () at stack_chk_fail.c:28
5 0x00007f6bf2536bce in at_get_ip_for_host (host=0x339c4d0 "abcdefghijklmnop.onion", len=22) at src/allocator_thread.c:290
readbuf = {octet = "irc.", as_int = 778269289} msg = {msgtype = ATM_GETNAME, datalen = 13}
what happened was that weechat forked, thus got its own private copy of the VM
and thus a private copy of the mutex which should prevent parallel use of
at_get_ip_for_host() & friends. therefore the following race was possible:
- process A writes a message of type ATM_GETIP into the server pipe
- process B writes a message of type ATM_GETNAME into the server pipe
- process A write transaction is finished, and goes into receive mode
- server thread reads process B's message and responds with a ATM_GETNAME msg
- process A reads the response which was intended for process B into the 4 byte
ip address buffer, but ATM_GETNAME are much larger than ATM_GETIP responses,
resulting in stack corruption.
to prevent this issue, the storage of the mutex must reside in shared memory,
which we achieve via mmap. alternatively, shm_open() or sysvipc shm stuff could
be used. the former requires the mmap call to happen before the fork, the latter
not, however the shm would require a named object in /dev/shm (which requires
generating a unique name per proxychains instance, and subsequent cleanup).
so in the end, the mmap is easier to deal with, and we can be reasonably
certain that our constructor is being run before the hooked application forks.
2017-12-19 08:10:13 +08:00
|
|
|
#include <sys/mman.h>
|
2012-11-08 03:11:14 +08:00
|
|
|
#include "allocator_thread.h"
|
2012-11-07 23:49:14 +08:00
|
|
|
#include "debug.h"
|
2012-11-08 03:11:14 +08:00
|
|
|
#include "ip_type.h"
|
|
|
|
#include "mutex.h"
|
2012-11-08 08:18:19 +08:00
|
|
|
#include "hash.h"
|
2012-11-08 03:11:14 +08:00
|
|
|
|
|
|
|
/* stuff for our internal translation table */
|
|
|
|
|
|
|
|
typedef struct {
|
|
|
|
uint32_t hash;
|
|
|
|
char* string;
|
|
|
|
} string_hash_tuple;
|
|
|
|
|
|
|
|
typedef struct {
|
|
|
|
uint32_t counter;
|
|
|
|
uint32_t capa;
|
|
|
|
string_hash_tuple** list;
|
|
|
|
} internal_ip_lookup_table;
|
|
|
|
|
2015-06-06 18:41:36 +08:00
|
|
|
static void *dumpstring(char* s, size_t len) {
|
|
|
|
char* p = malloc(len);
|
|
|
|
if(p) memcpy(p, s, len);
|
|
|
|
return p;
|
|
|
|
}
|
|
|
|
|
allocator_thread: fix segfault with weechat 2.0
it was reported that weechat 2.0 on ubuntu 16.04 LTS x86_64 segfaulted like this:
4 0x00007f6bf0e7e0c0 in __stack_chk_fail () at stack_chk_fail.c:28
5 0x00007f6bf2536bce in at_get_ip_for_host (host=0x339c4d0 "abcdefghijklmnop.onion", len=22) at src/allocator_thread.c:290
readbuf = {octet = "irc.", as_int = 778269289} msg = {msgtype = ATM_GETNAME, datalen = 13}
what happened was that weechat forked, thus got its own private copy of the VM
and thus a private copy of the mutex which should prevent parallel use of
at_get_ip_for_host() & friends. therefore the following race was possible:
- process A writes a message of type ATM_GETIP into the server pipe
- process B writes a message of type ATM_GETNAME into the server pipe
- process A write transaction is finished, and goes into receive mode
- server thread reads process B's message and responds with a ATM_GETNAME msg
- process A reads the response which was intended for process B into the 4 byte
ip address buffer, but ATM_GETNAME are much larger than ATM_GETIP responses,
resulting in stack corruption.
to prevent this issue, the storage of the mutex must reside in shared memory,
which we achieve via mmap. alternatively, shm_open() or sysvipc shm stuff could
be used. the former requires the mmap call to happen before the fork, the latter
not, however the shm would require a named object in /dev/shm (which requires
generating a unique name per proxychains instance, and subsequent cleanup).
so in the end, the mmap is easier to deal with, and we can be reasonably
certain that our constructor is being run before the hooked application forks.
2017-12-19 08:10:13 +08:00
|
|
|
static pthread_mutex_t *internal_ips_lock;
|
|
|
|
static internal_ip_lookup_table *internal_ips;
|
2012-11-08 03:11:14 +08:00
|
|
|
|
2015-08-10 23:59:31 +08:00
|
|
|
uint32_t index_from_internal_ip(ip_type4 internalip) {
|
2012-11-08 03:11:14 +08:00
|
|
|
PFUNC();
|
2015-08-10 23:59:31 +08:00
|
|
|
ip_type4 tmp = internalip;
|
2012-11-08 03:11:14 +08:00
|
|
|
uint32_t ret;
|
|
|
|
ret = tmp.octet[3] + (tmp.octet[2] << 8) + (tmp.octet[1] << 16);
|
|
|
|
ret -= 1;
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2015-08-10 23:59:31 +08:00
|
|
|
char *string_from_internal_ip(ip_type4 internalip) {
|
2012-11-08 03:11:14 +08:00
|
|
|
PFUNC();
|
|
|
|
char *res = NULL;
|
|
|
|
uint32_t index = index_from_internal_ip(internalip);
|
|
|
|
if(index < internal_ips->counter)
|
|
|
|
res = internal_ips->list[index]->string;
|
|
|
|
return res;
|
|
|
|
}
|
|
|
|
|
|
|
|
extern unsigned int remote_dns_subnet;
|
2015-08-10 23:59:31 +08:00
|
|
|
ip_type4 make_internal_ip(uint32_t index) {
|
|
|
|
ip_type4 ret;
|
2012-11-08 03:11:14 +08:00
|
|
|
index++; // so we can start at .0.0.1
|
|
|
|
if(index > 0xFFFFFF)
|
2015-08-10 23:59:31 +08:00
|
|
|
return ip_type_invalid.addr.v4;
|
2012-11-08 03:11:14 +08:00
|
|
|
ret.octet[0] = remote_dns_subnet & 0xFF;
|
|
|
|
ret.octet[1] = (index & 0xFF0000) >> 16;
|
|
|
|
ret.octet[2] = (index & 0xFF00) >> 8;
|
|
|
|
ret.octet[3] = index & 0xFF;
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2015-08-10 23:59:31 +08:00
|
|
|
static ip_type4 ip_from_internal_list(char* name, size_t len) {
|
2012-11-08 03:11:14 +08:00
|
|
|
uint32_t hash = dalias_hash((char *) name);
|
|
|
|
size_t i;
|
2015-08-10 23:59:31 +08:00
|
|
|
ip_type4 res;
|
2012-11-08 03:11:14 +08:00
|
|
|
void* new_mem;
|
|
|
|
// see if we already have this dns entry saved.
|
|
|
|
if(internal_ips->counter) {
|
|
|
|
for(i = 0; i < internal_ips->counter; i++) {
|
|
|
|
if(internal_ips->list[i]->hash == hash && !strcmp(name, internal_ips->list[i]->string)) {
|
|
|
|
res = make_internal_ip(i);
|
|
|
|
PDEBUG("got cached ip for %s\n", name);
|
|
|
|
goto have_ip;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
// grow list if needed.
|
|
|
|
if(internal_ips->capa < internal_ips->counter + 1) {
|
|
|
|
PDEBUG("realloc\n");
|
|
|
|
new_mem = realloc(internal_ips->list, (internal_ips->capa + 16) * sizeof(void *));
|
|
|
|
if(new_mem) {
|
|
|
|
internal_ips->capa += 16;
|
|
|
|
internal_ips->list = new_mem;
|
|
|
|
} else {
|
|
|
|
oom:
|
|
|
|
PDEBUG("out of mem\n");
|
|
|
|
goto err_plus_unlock;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
res = make_internal_ip(internal_ips->counter);
|
2015-08-10 23:59:31 +08:00
|
|
|
if(res.as_int == ip_type_invalid.addr.v4.as_int)
|
2012-11-08 03:11:14 +08:00
|
|
|
goto err_plus_unlock;
|
|
|
|
|
|
|
|
string_hash_tuple tmp = { 0 };
|
2012-11-08 08:18:19 +08:00
|
|
|
new_mem = dumpstring((char*) &tmp, sizeof(string_hash_tuple));
|
2012-11-08 03:11:14 +08:00
|
|
|
if(!new_mem)
|
|
|
|
goto oom;
|
|
|
|
|
|
|
|
PDEBUG("creating new entry %d for ip of %s\n", (int) internal_ips->counter, name);
|
|
|
|
|
|
|
|
internal_ips->list[internal_ips->counter] = new_mem;
|
|
|
|
internal_ips->list[internal_ips->counter]->hash = hash;
|
|
|
|
|
2012-11-08 08:18:19 +08:00
|
|
|
new_mem = dumpstring((char*) name, len + 1);
|
2012-11-08 03:11:14 +08:00
|
|
|
|
|
|
|
if(!new_mem) {
|
|
|
|
internal_ips->list[internal_ips->counter] = 0;
|
|
|
|
goto oom;
|
|
|
|
}
|
|
|
|
internal_ips->list[internal_ips->counter]->string = new_mem;
|
|
|
|
|
|
|
|
internal_ips->counter += 1;
|
|
|
|
|
|
|
|
have_ip:
|
|
|
|
|
|
|
|
return res;
|
|
|
|
err_plus_unlock:
|
|
|
|
|
|
|
|
PDEBUG("return err\n");
|
2015-08-10 23:59:31 +08:00
|
|
|
return ip_type_invalid.addr.v4;
|
2012-11-08 03:11:14 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/* stuff for communication with the allocator thread */
|
2012-11-07 23:49:14 +08:00
|
|
|
|
|
|
|
enum at_msgtype {
|
2012-11-08 03:11:14 +08:00
|
|
|
ATM_GETIP,
|
|
|
|
ATM_GETNAME,
|
2012-11-07 23:49:14 +08:00
|
|
|
ATM_EXIT,
|
|
|
|
};
|
|
|
|
|
2012-11-08 03:11:14 +08:00
|
|
|
enum at_direction {
|
|
|
|
ATD_SERVER = 0,
|
|
|
|
ATD_CLIENT,
|
|
|
|
ATD_MAX,
|
|
|
|
};
|
|
|
|
|
|
|
|
struct at_msghdr {
|
|
|
|
enum at_msgtype msgtype;
|
|
|
|
size_t datalen;
|
|
|
|
};
|
|
|
|
|
2012-11-07 23:49:14 +08:00
|
|
|
static pthread_t allocator_thread;
|
2013-01-21 08:54:45 +08:00
|
|
|
int req_pipefd[2];
|
|
|
|
int resp_pipefd[2];
|
2012-11-07 23:49:14 +08:00
|
|
|
|
2012-11-08 03:11:14 +08:00
|
|
|
static int wait_data(int readfd) {
|
|
|
|
PFUNC();
|
2012-11-07 23:49:14 +08:00
|
|
|
fd_set fds;
|
|
|
|
FD_ZERO(&fds);
|
|
|
|
FD_SET(readfd, &fds);
|
|
|
|
int ret;
|
2012-11-08 03:11:14 +08:00
|
|
|
while((ret = select(readfd+1, &fds, NULL, NULL, NULL)) <= 0) {
|
|
|
|
if(ret < 0) {
|
2013-01-21 08:54:45 +08:00
|
|
|
int e = errno;
|
|
|
|
if(e == EINTR) continue;
|
|
|
|
#ifdef __GLIBC__
|
|
|
|
char emsg[1024];
|
|
|
|
char* x = strerror_r(errno, emsg, sizeof emsg);
|
|
|
|
dprintf(2, "select2: %s\n", x);
|
|
|
|
#endif
|
2012-11-08 03:11:14 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2017-02-23 09:08:03 +08:00
|
|
|
static int trywrite(int fd, void* buf, size_t bytes) {
|
|
|
|
ssize_t ret;
|
|
|
|
unsigned char *out = buf;
|
|
|
|
again:
|
|
|
|
ret = write(fd, out, bytes);
|
|
|
|
switch(ret) {
|
|
|
|
case -1:
|
|
|
|
if(errno == EINTR) goto again;
|
|
|
|
case 0:
|
|
|
|
return 0;
|
|
|
|
default:
|
|
|
|
if(ret == bytes || !bytes) return 1;
|
|
|
|
out += ret;
|
|
|
|
bytes -= ret;
|
|
|
|
goto again;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2012-11-08 03:11:14 +08:00
|
|
|
static int sendmessage(enum at_direction dir, struct at_msghdr *hdr, void* data) {
|
|
|
|
static int* destfd[ATD_MAX] = { [ATD_SERVER] = &req_pipefd[1], [ATD_CLIENT] = &resp_pipefd[1] };
|
2017-02-23 09:08:03 +08:00
|
|
|
int ret = trywrite(*destfd[dir], hdr, sizeof *hdr);
|
2012-11-08 03:11:14 +08:00
|
|
|
if(ret && hdr->datalen) {
|
|
|
|
assert(hdr->datalen <= MSG_LEN_MAX);
|
2017-02-23 09:08:03 +08:00
|
|
|
ret = trywrite(*destfd[dir], data, hdr->datalen);
|
2012-11-08 03:11:14 +08:00
|
|
|
}
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2017-02-23 09:08:03 +08:00
|
|
|
static int tryread(int fd, void* buf, size_t bytes) {
|
|
|
|
ssize_t ret;
|
|
|
|
unsigned char *out = buf;
|
|
|
|
again:
|
|
|
|
ret = read(fd, out, bytes);
|
|
|
|
switch(ret) {
|
|
|
|
case -1:
|
|
|
|
if(errno == EINTR) goto again;
|
|
|
|
case 0:
|
|
|
|
return 0;
|
|
|
|
default:
|
|
|
|
if(ret == bytes || !bytes) return 1;
|
|
|
|
out += ret;
|
|
|
|
bytes -= ret;
|
|
|
|
goto again;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2012-11-08 03:11:14 +08:00
|
|
|
static int getmessage(enum at_direction dir, struct at_msghdr *hdr, void* data) {
|
|
|
|
static int* readfd[ATD_MAX] = { [ATD_SERVER] = &req_pipefd[0], [ATD_CLIENT] = &resp_pipefd[0] };
|
2017-02-23 09:08:03 +08:00
|
|
|
ssize_t ret;
|
2012-11-08 03:11:14 +08:00
|
|
|
if((ret = wait_data(*readfd[dir]))) {
|
2017-02-23 09:08:03 +08:00
|
|
|
if(!tryread(*readfd[dir], hdr, sizeof *hdr))
|
|
|
|
return 0;
|
2012-11-08 03:11:14 +08:00
|
|
|
assert(hdr->datalen <= MSG_LEN_MAX);
|
2017-02-23 09:08:03 +08:00
|
|
|
if(hdr->datalen) {
|
|
|
|
ret = tryread(*readfd[dir], data, hdr->datalen);
|
2012-11-08 03:11:14 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void* threadfunc(void* x) {
|
|
|
|
(void) x;
|
|
|
|
int ret;
|
|
|
|
struct at_msghdr msg;
|
|
|
|
union {
|
|
|
|
char host[MSG_LEN_MAX];
|
2015-08-10 23:59:31 +08:00
|
|
|
ip_type4 ip;
|
2012-11-08 03:11:14 +08:00
|
|
|
} readbuf;
|
|
|
|
while((ret = getmessage(ATD_SERVER, &msg, &readbuf))) {
|
|
|
|
switch(msg.msgtype) {
|
|
|
|
case ATM_GETIP:
|
|
|
|
/* client wants an ip for a DNS name. iterate our list and check if we have an existing entry.
|
|
|
|
* if not, create a new one. */
|
|
|
|
readbuf.ip = ip_from_internal_list(readbuf.host, msg.datalen - 1);
|
2015-08-10 23:59:31 +08:00
|
|
|
msg.datalen = sizeof(ip_type4);
|
2012-11-08 03:11:14 +08:00
|
|
|
break;
|
|
|
|
case ATM_GETNAME: {
|
|
|
|
char *host = string_from_internal_ip(readbuf.ip);
|
|
|
|
if(host) {
|
|
|
|
size_t l = strlen(host);
|
|
|
|
assert(l < MSG_LEN_MAX);
|
|
|
|
memcpy(readbuf.host, host, l + 1);
|
|
|
|
msg.datalen = l + 1;
|
|
|
|
}
|
|
|
|
break;
|
2012-11-07 23:49:14 +08:00
|
|
|
}
|
2012-11-08 03:11:14 +08:00
|
|
|
case ATM_EXIT:
|
|
|
|
return 0;
|
|
|
|
default:
|
|
|
|
abort();
|
2012-11-07 23:49:14 +08:00
|
|
|
}
|
2012-11-08 03:11:14 +08:00
|
|
|
ret = sendmessage(ATD_CLIENT, &msg, &readbuf);
|
2012-11-07 23:49:14 +08:00
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2012-11-08 04:11:03 +08:00
|
|
|
/* API to access the internal ip mapping */
|
|
|
|
|
2015-08-10 23:59:31 +08:00
|
|
|
ip_type4 at_get_ip_for_host(char* host, size_t len) {
|
|
|
|
ip_type4 readbuf;
|
allocator_thread: fix segfault with weechat 2.0
it was reported that weechat 2.0 on ubuntu 16.04 LTS x86_64 segfaulted like this:
4 0x00007f6bf0e7e0c0 in __stack_chk_fail () at stack_chk_fail.c:28
5 0x00007f6bf2536bce in at_get_ip_for_host (host=0x339c4d0 "abcdefghijklmnop.onion", len=22) at src/allocator_thread.c:290
readbuf = {octet = "irc.", as_int = 778269289} msg = {msgtype = ATM_GETNAME, datalen = 13}
what happened was that weechat forked, thus got its own private copy of the VM
and thus a private copy of the mutex which should prevent parallel use of
at_get_ip_for_host() & friends. therefore the following race was possible:
- process A writes a message of type ATM_GETIP into the server pipe
- process B writes a message of type ATM_GETNAME into the server pipe
- process A write transaction is finished, and goes into receive mode
- server thread reads process B's message and responds with a ATM_GETNAME msg
- process A reads the response which was intended for process B into the 4 byte
ip address buffer, but ATM_GETNAME are much larger than ATM_GETIP responses,
resulting in stack corruption.
to prevent this issue, the storage of the mutex must reside in shared memory,
which we achieve via mmap. alternatively, shm_open() or sysvipc shm stuff could
be used. the former requires the mmap call to happen before the fork, the latter
not, however the shm would require a named object in /dev/shm (which requires
generating a unique name per proxychains instance, and subsequent cleanup).
so in the end, the mmap is easier to deal with, and we can be reasonably
certain that our constructor is being run before the hooked application forks.
2017-12-19 08:10:13 +08:00
|
|
|
MUTEX_LOCK(internal_ips_lock);
|
2012-11-08 03:11:14 +08:00
|
|
|
if(len > MSG_LEN_MAX) goto inv;
|
|
|
|
struct at_msghdr msg = {.msgtype = ATM_GETIP, .datalen = len + 1 };
|
|
|
|
if(sendmessage(ATD_SERVER, &msg, host) &&
|
2012-11-08 04:11:03 +08:00
|
|
|
getmessage(ATD_CLIENT, &msg, &readbuf));
|
|
|
|
else {
|
|
|
|
inv:
|
2015-08-10 23:59:31 +08:00
|
|
|
readbuf = ip_type_invalid.addr.v4;
|
2012-11-08 04:11:03 +08:00
|
|
|
}
|
2017-12-19 08:32:45 +08:00
|
|
|
assert(msg.msgtype == ATM_GETIP);
|
allocator_thread: fix segfault with weechat 2.0
it was reported that weechat 2.0 on ubuntu 16.04 LTS x86_64 segfaulted like this:
4 0x00007f6bf0e7e0c0 in __stack_chk_fail () at stack_chk_fail.c:28
5 0x00007f6bf2536bce in at_get_ip_for_host (host=0x339c4d0 "abcdefghijklmnop.onion", len=22) at src/allocator_thread.c:290
readbuf = {octet = "irc.", as_int = 778269289} msg = {msgtype = ATM_GETNAME, datalen = 13}
what happened was that weechat forked, thus got its own private copy of the VM
and thus a private copy of the mutex which should prevent parallel use of
at_get_ip_for_host() & friends. therefore the following race was possible:
- process A writes a message of type ATM_GETIP into the server pipe
- process B writes a message of type ATM_GETNAME into the server pipe
- process A write transaction is finished, and goes into receive mode
- server thread reads process B's message and responds with a ATM_GETNAME msg
- process A reads the response which was intended for process B into the 4 byte
ip address buffer, but ATM_GETNAME are much larger than ATM_GETIP responses,
resulting in stack corruption.
to prevent this issue, the storage of the mutex must reside in shared memory,
which we achieve via mmap. alternatively, shm_open() or sysvipc shm stuff could
be used. the former requires the mmap call to happen before the fork, the latter
not, however the shm would require a named object in /dev/shm (which requires
generating a unique name per proxychains instance, and subsequent cleanup).
so in the end, the mmap is easier to deal with, and we can be reasonably
certain that our constructor is being run before the hooked application forks.
2017-12-19 08:10:13 +08:00
|
|
|
MUTEX_UNLOCK(internal_ips_lock);
|
2012-11-08 04:11:03 +08:00
|
|
|
return readbuf;
|
2012-11-08 03:11:14 +08:00
|
|
|
}
|
|
|
|
|
2015-08-10 23:59:31 +08:00
|
|
|
size_t at_get_host_for_ip(ip_type4 ip, char* readbuf) {
|
|
|
|
struct at_msghdr msg = {.msgtype = ATM_GETNAME, .datalen = sizeof(ip_type4) };
|
2012-11-08 04:11:03 +08:00
|
|
|
size_t res = 0;
|
allocator_thread: fix segfault with weechat 2.0
it was reported that weechat 2.0 on ubuntu 16.04 LTS x86_64 segfaulted like this:
4 0x00007f6bf0e7e0c0 in __stack_chk_fail () at stack_chk_fail.c:28
5 0x00007f6bf2536bce in at_get_ip_for_host (host=0x339c4d0 "abcdefghijklmnop.onion", len=22) at src/allocator_thread.c:290
readbuf = {octet = "irc.", as_int = 778269289} msg = {msgtype = ATM_GETNAME, datalen = 13}
what happened was that weechat forked, thus got its own private copy of the VM
and thus a private copy of the mutex which should prevent parallel use of
at_get_ip_for_host() & friends. therefore the following race was possible:
- process A writes a message of type ATM_GETIP into the server pipe
- process B writes a message of type ATM_GETNAME into the server pipe
- process A write transaction is finished, and goes into receive mode
- server thread reads process B's message and responds with a ATM_GETNAME msg
- process A reads the response which was intended for process B into the 4 byte
ip address buffer, but ATM_GETNAME are much larger than ATM_GETIP responses,
resulting in stack corruption.
to prevent this issue, the storage of the mutex must reside in shared memory,
which we achieve via mmap. alternatively, shm_open() or sysvipc shm stuff could
be used. the former requires the mmap call to happen before the fork, the latter
not, however the shm would require a named object in /dev/shm (which requires
generating a unique name per proxychains instance, and subsequent cleanup).
so in the end, the mmap is easier to deal with, and we can be reasonably
certain that our constructor is being run before the hooked application forks.
2017-12-19 08:10:13 +08:00
|
|
|
MUTEX_LOCK(internal_ips_lock);
|
2012-11-08 04:11:03 +08:00
|
|
|
if(sendmessage(ATD_SERVER, &msg, &ip) && getmessage(ATD_CLIENT, &msg, readbuf)) {
|
|
|
|
if((ptrdiff_t) msg.datalen <= 0) res = 0;
|
|
|
|
else res = msg.datalen - 1;
|
|
|
|
}
|
2017-12-19 08:32:45 +08:00
|
|
|
assert(msg.msgtype == ATM_GETNAME);
|
allocator_thread: fix segfault with weechat 2.0
it was reported that weechat 2.0 on ubuntu 16.04 LTS x86_64 segfaulted like this:
4 0x00007f6bf0e7e0c0 in __stack_chk_fail () at stack_chk_fail.c:28
5 0x00007f6bf2536bce in at_get_ip_for_host (host=0x339c4d0 "abcdefghijklmnop.onion", len=22) at src/allocator_thread.c:290
readbuf = {octet = "irc.", as_int = 778269289} msg = {msgtype = ATM_GETNAME, datalen = 13}
what happened was that weechat forked, thus got its own private copy of the VM
and thus a private copy of the mutex which should prevent parallel use of
at_get_ip_for_host() & friends. therefore the following race was possible:
- process A writes a message of type ATM_GETIP into the server pipe
- process B writes a message of type ATM_GETNAME into the server pipe
- process A write transaction is finished, and goes into receive mode
- server thread reads process B's message and responds with a ATM_GETNAME msg
- process A reads the response which was intended for process B into the 4 byte
ip address buffer, but ATM_GETNAME are much larger than ATM_GETIP responses,
resulting in stack corruption.
to prevent this issue, the storage of the mutex must reside in shared memory,
which we achieve via mmap. alternatively, shm_open() or sysvipc shm stuff could
be used. the former requires the mmap call to happen before the fork, the latter
not, however the shm would require a named object in /dev/shm (which requires
generating a unique name per proxychains instance, and subsequent cleanup).
so in the end, the mmap is easier to deal with, and we can be reasonably
certain that our constructor is being run before the hooked application forks.
2017-12-19 08:10:13 +08:00
|
|
|
MUTEX_UNLOCK(internal_ips_lock);
|
2012-11-08 04:11:03 +08:00
|
|
|
return res;
|
2012-11-08 03:11:14 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2012-11-07 23:49:14 +08:00
|
|
|
static void initpipe(int* fds) {
|
2012-11-08 04:13:41 +08:00
|
|
|
if(pipe(fds) == -1) {
|
2012-11-07 23:49:14 +08:00
|
|
|
perror("pipe");
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-12-15 21:15:13 +08:00
|
|
|
#ifndef MAX
|
|
|
|
#define MAX(x, y) ((x) > (y) ? (x) : (y))
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#if !defined(PTHREAD_STACK_MIN) || defined(__APPLE__)
|
|
|
|
/* MAC says its min is 8KB, but then crashes in our face. thx hunkOLard */
|
|
|
|
#define PTHREAD_STACK_MIN 64*1024
|
|
|
|
#endif
|
|
|
|
|
2012-11-07 23:49:14 +08:00
|
|
|
/* initialize with pointers to shared memory. these will
|
|
|
|
* be used to place responses and arguments */
|
2012-11-08 03:11:14 +08:00
|
|
|
void at_init(void) {
|
2012-11-07 23:49:14 +08:00
|
|
|
PFUNC();
|
allocator_thread: fix segfault with weechat 2.0
it was reported that weechat 2.0 on ubuntu 16.04 LTS x86_64 segfaulted like this:
4 0x00007f6bf0e7e0c0 in __stack_chk_fail () at stack_chk_fail.c:28
5 0x00007f6bf2536bce in at_get_ip_for_host (host=0x339c4d0 "abcdefghijklmnop.onion", len=22) at src/allocator_thread.c:290
readbuf = {octet = "irc.", as_int = 778269289} msg = {msgtype = ATM_GETNAME, datalen = 13}
what happened was that weechat forked, thus got its own private copy of the VM
and thus a private copy of the mutex which should prevent parallel use of
at_get_ip_for_host() & friends. therefore the following race was possible:
- process A writes a message of type ATM_GETIP into the server pipe
- process B writes a message of type ATM_GETNAME into the server pipe
- process A write transaction is finished, and goes into receive mode
- server thread reads process B's message and responds with a ATM_GETNAME msg
- process A reads the response which was intended for process B into the 4 byte
ip address buffer, but ATM_GETNAME are much larger than ATM_GETIP responses,
resulting in stack corruption.
to prevent this issue, the storage of the mutex must reside in shared memory,
which we achieve via mmap. alternatively, shm_open() or sysvipc shm stuff could
be used. the former requires the mmap call to happen before the fork, the latter
not, however the shm would require a named object in /dev/shm (which requires
generating a unique name per proxychains instance, and subsequent cleanup).
so in the end, the mmap is easier to deal with, and we can be reasonably
certain that our constructor is being run before the hooked application forks.
2017-12-19 08:10:13 +08:00
|
|
|
void *shm = mmap(0, 4096, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED, -1, 0);
|
|
|
|
assert(shm);
|
|
|
|
internal_ips_lock = shm;
|
|
|
|
internal_ips = (void*)((char*)shm + 2048);
|
|
|
|
|
|
|
|
MUTEX_INIT(internal_ips_lock);
|
2012-11-08 03:11:14 +08:00
|
|
|
memset(internal_ips, 0, sizeof *internal_ips);
|
2012-11-07 23:49:14 +08:00
|
|
|
initpipe(req_pipefd);
|
|
|
|
initpipe(resp_pipefd);
|
2017-12-15 21:15:13 +08:00
|
|
|
pthread_attr_t allocator_thread_attr;
|
2012-11-07 23:49:14 +08:00
|
|
|
pthread_attr_init(&allocator_thread_attr);
|
2017-12-15 21:15:13 +08:00
|
|
|
pthread_attr_setstacksize(&allocator_thread_attr, MAX(16 * 1024, PTHREAD_STACK_MIN));
|
2012-11-07 23:49:14 +08:00
|
|
|
pthread_create(&allocator_thread, &allocator_thread_attr, threadfunc, 0);
|
2017-12-15 21:15:13 +08:00
|
|
|
pthread_attr_destroy(&allocator_thread_attr);
|
2012-11-07 23:49:14 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
void at_close(void) {
|
|
|
|
PFUNC();
|
|
|
|
const int msg = ATM_EXIT;
|
|
|
|
write(req_pipefd[1], &msg, sizeof(int));
|
|
|
|
pthread_join(allocator_thread, NULL);
|
|
|
|
close(req_pipefd[0]);
|
|
|
|
close(req_pipefd[1]);
|
|
|
|
close(resp_pipefd[0]);
|
|
|
|
close(resp_pipefd[1]);
|
allocator_thread: fix segfault with weechat 2.0
it was reported that weechat 2.0 on ubuntu 16.04 LTS x86_64 segfaulted like this:
4 0x00007f6bf0e7e0c0 in __stack_chk_fail () at stack_chk_fail.c:28
5 0x00007f6bf2536bce in at_get_ip_for_host (host=0x339c4d0 "abcdefghijklmnop.onion", len=22) at src/allocator_thread.c:290
readbuf = {octet = "irc.", as_int = 778269289} msg = {msgtype = ATM_GETNAME, datalen = 13}
what happened was that weechat forked, thus got its own private copy of the VM
and thus a private copy of the mutex which should prevent parallel use of
at_get_ip_for_host() & friends. therefore the following race was possible:
- process A writes a message of type ATM_GETIP into the server pipe
- process B writes a message of type ATM_GETNAME into the server pipe
- process A write transaction is finished, and goes into receive mode
- server thread reads process B's message and responds with a ATM_GETNAME msg
- process A reads the response which was intended for process B into the 4 byte
ip address buffer, but ATM_GETNAME are much larger than ATM_GETIP responses,
resulting in stack corruption.
to prevent this issue, the storage of the mutex must reside in shared memory,
which we achieve via mmap. alternatively, shm_open() or sysvipc shm stuff could
be used. the former requires the mmap call to happen before the fork, the latter
not, however the shm would require a named object in /dev/shm (which requires
generating a unique name per proxychains instance, and subsequent cleanup).
so in the end, the mmap is easier to deal with, and we can be reasonably
certain that our constructor is being run before the hooked application forks.
2017-12-19 08:10:13 +08:00
|
|
|
MUTEX_DESTROY(internal_ips_lock);
|
2012-11-07 23:49:14 +08:00
|
|
|
}
|