Older blog entries for huagang (starting at number 9)

STATE support done

Although I thought I might release it before the state support, anyway, after I finished the lidstools part, the kernel part code seemed easy to do. The only problem that stopped me for a while was a new file/inode created in a privileged directory. Before, it was easy: just copy the current dir's inode->i_security. But now the default ACL and the current state's ACL need to be copied into the new one.

One problem I keep thinking about is the dynamic inode which has the same filename. For example, /etc/shadow will change inode after a new user has been added/deleted. For now it will just be the same as "/etc/" and can no longer be hidden.

inode, dentry, file, dir.

6 Mar 2004 (updated 7 Mar 2004 at 01:19 UTC) »
locking locking locking

I wish the world did not share, and locks would go away.

Rusty Russell's Unreliable Guide To Locking gives a very good introduction to locking in the Linux kernel. The most important thing is to identify the critical regions and then apply locks to them.

There are two main types of kernel locks. The fundamental type is the spinlock (include/asm/spinlock.h), which is a very simple single-holder lock: if you can't get the spinlock, you keep trying (spinning) until you can. Spinlocks are very small and fast, and can be used anywhere. The second type is a semaphore (include/asm/semaphore.h): it can have more than one holder at any time (the number decided at initialization time), although it is most commonly used as a single-holder lock (a mutex). If you can't get a semaphore, your task will put itself on the queue, and be woken up when the semaphore is released. This means the CPU will do something else while you are waiting, but there are many cases when you simply can't sleep (see Chapter 9), and so have to use a spinlock instead.

Sleep sleep sleep Zzzzzzzz

Yeah... if you cannot sleep, you cannot use a semaphore! If you hold a lock, you cannot sleep!! That is the rule. You cannot take something back home and sleep; you need to take care of someone else who is still running and needs your unlock to get something done.

LIDS with the lock and sleep

I have fought with sleeping while holding a lock a few times. This time, I learned not to use sleepable functions like kmalloc(GFP_KERNEL), getxattr, setxattr etc. while within a lock. Instead, just put what you want to process into a list, then unlock and process the list one by one to get what you want done.

Locking? Yeah... task->security needs to be locked each time you set it. inode->i_security needs spin_lock(&i_lock) as well. And for each subject ACL, yes, each task_acl has a t_lock and each inode_acl has an i_lock too. God bless these locks! I still remember in 2000 I forgot to init a spin_lock and a lot of problems came out that made no sense... :-((
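The "collect under the lock, process after unlock" pattern described above, as an added example; this is not LIDS code, it is a user-space model in which a C11 atomic_flag stands in for a kernel spinlock, and the names pending_t, queue_pending, process_pending and xattr_write_cb are invented for the illustration. The kernel analogues of the sleepable calls (kmalloc(GFP_KERNEL), setxattr) are named in the comments where they would go.

```c
/*
 * Added example (not LIDS code): queue work under a spinlock, then do the
 * sleepable part with the lock released. A C11 atomic_flag models the
 * kernel spinlock; all names here are invented for the illustration.
 */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct pending {
    struct pending *next;
    unsigned long ino;        /* inode whose ACL/xattr needs updating */
    char name[32];
} pending_t;

/* Toy spinlock: spin until we own the flag, like spin_lock()/spin_unlock(). */
static atomic_flag list_lock = ATOMIC_FLAG_INIT;
static bool lock_held;        /* debug aid so a callback can prove it runs unlocked */

static void list_spin_lock(void)
{
    while (atomic_flag_test_and_set_explicit(&list_lock, memory_order_acquire))
        ;                     /* spin */
    lock_held = true;
}

static void list_spin_unlock(void)
{
    lock_held = false;
    atomic_flag_clear_explicit(&list_lock, memory_order_release);
}

static pending_t *pending_head;   /* protected by list_lock */

/*
 * Enqueue an inode for later processing. The allocation (kernel analogue:
 * kmalloc(GFP_KERNEL), which may sleep) is done BEFORE taking the lock;
 * only the list splice happens inside the critical section. Returns 0 on success.
 */
int queue_pending(unsigned long ino, const char *name)
{
    pending_t *p = malloc(sizeof *p);
    if (!p)
        return -1;
    p->ino = ino;
    snprintf(p->name, sizeof p->name, "%s", name);

    list_spin_lock();
    p->next = pending_head;
    pending_head = p;
    list_spin_unlock();
    return 0;
}

/*
 * Drain the queue: detach the whole list in one short critical section, then
 * walk the private copy with no lock held, so the callback may do sleepable
 * work (setxattr/getxattr/kmalloc(GFP_KERNEL) in the kernel).
 * Returns the number of entries processed.
 */
size_t process_pending(void (*fn)(pending_t *, void *), void *ctx)
{
    list_spin_lock();
    pending_t *batch = pending_head;
    pending_head = NULL;
    list_spin_unlock();

    size_t n = 0;
    while (batch) {
        pending_t *next = batch->next;
        fn(batch, ctx);       /* runs with list_lock released */
        free(batch);
        batch = next;
        n++;
    }
    return n;
}

/* Sample callback standing in for the xattr write; it only counts the entry
 * if it really is running outside the lock (where sleeping would be safe). */
static size_t processed_unlocked;

void xattr_write_cb(pending_t *p, void *ctx)
{
    (void)ctx;
    if (!lock_held)
        processed_unlocked++;
    printf("would setxattr on inode %lu (%s)\n", p->ino, p->name);
}

size_t processed_outside_lock(void)
{
    return processed_unlocked;
}

int main(void)
{
    queue_pending(1234, "shadow");      /* constructed sample entries */
    queue_pending(5678, "passwd");
    printf("processed %zu entries\n", process_pending(xattr_write_cb, NULL));
    return 0;
}
```

The point of detaching the whole list rather than popping one entry at a time is that the lock is held for a constant, tiny window and is never held across the callback, so nothing that may sleep ever runs inside the spinlock.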

6 Mar 2004 (updated 6 Mar 2004 at 10:26 UTC) »
XATTR/EA support is coming out

After almost 2 weeks of hard work... XATTR/EA is working with LIDS now. The supporting lidstools also have support for "-A" and "-D"... but the code still needs to be cleaned up before release.

With XATTR support, LIDS will have better performance than the old way, because the ACL is now stored in the inode's xattr and the check no longer needs a big loop over all ACLs to find its own.

Kernel hacking/programming is more difficult than user-space programming because you need to know how the kernel implements things first. But the good thing is, the source is there; you can always check it yourself.

Thanks to Chris Wright of OSDL for the support.

LIDS 2.0.4pre1 for 2.6.2 is out

This version merges the fixes from Purna. Put it on www.lids.org.

23 Jan 2004 (updated 23 Jan 2004 at 22:17 UTC) »

LIDS new version

Purna just sent me a patch to fix some minor bugs in 2.0.3. Just tested it and it seems OK for me.

It seems kernel 2.6.2 will be out soon; maybe I will just test for a few days and wait to release a version for 2.6.2.

NT ROOTKIT

From a post on Bugtraq, I tracked down a rootkit website, http://www.rootkit.com . It contains a lot of useful downloads for various rootkits.

1. FU_rootkit.

This rootkit uses a device driver and a user-space application which can then hide processes, change the privileges of a process/thread, etc. It works on Windows NT/2k/XP. The technique seems the same as Linux rootkits, which need a kernel module to complete the job.

The interface between user space and kernel space is via IOCTL commands, which are defined specifically in the device driver code. It is easy to extend and make it do more.

2. Winlogon_injection.

This one uses the DLL injection technique to do the job. In most cases, DLL injection allocates memory in the target process, copies the code into that area, changes the protection of that area so it is executable, and finally redirects execution (the EIP) to the entry point of the injected code.

The most interesting part is where the code is injected and where the running path should be diverted to the injected function.

Some other interesting stuff is on the website. Go get your own.

16 Jan 2004 (updated 16 Jan 2004 at 22:14 UTC) »

Qmail crash bug??

http://www.guninski.com/qmailcrash.html shows code for an overly long SMTP message body (DATA) that will make qmail crash and possibly even execute code. The catch is that no one will send such a big message (> 0x80000000 bytes), so it may be safe for this kind of software to place a restriction on the amount of data it accepts; that would also make things easier.

Integer overflows are hard to find but easy to exploit. Some assertions on "int", "unsigned int" etc. could help, I guess.
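An added example of the two points above: a signed 32-bit byte counter that has no cap and goes negative once the body passes 0x80000000 bytes, next to an accumulator that uses size_t, carries an explicit limit, and checks for room before adding. This is not qmail's code and not Guninski's proof of concept; the functions weak_total_after, body_feed and safe_accepted_chunks are invented for the illustration, and chunk sizes are fed as numbers so the 2 GiB threshold is reached without allocating anything.

```c
/*
 * Added example (not qmail code): a signed 32-bit running total with no
 * limit versus a size_t accumulator that checks for room before adding.
 * All names are invented for this illustration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Weak counter: `int` running total and no cap. The addition is done in
 * uint32_t and converted back, which models what a two's-complement machine
 * does; in the C abstract machine signed overflow itself is undefined
 * behaviour, so real code of this shape may behave in any way at all.
 */
int32_t weak_total_after(uint32_t chunk, uint32_t nchunks)
{
    int32_t total = 0;
    for (uint32_t i = 0; i < nchunks; i++) {
        uint32_t sum = (uint32_t)total + chunk;   /* wraps mod 2^32 */
        total = (int32_t)sum;                     /* >= 0x80000000 now reads as negative */
    }
    return total;   /* a later "if (total > max)" check never fires once this is negative */
}

/* Hardened accumulator: size_t, explicit limit, room checked before the add. */
typedef struct {
    size_t total;
    size_t limit;
    bool rejected;
} body_counter;

bool body_feed(body_counter *c, size_t chunk)
{
    if (c->rejected)
        return false;
    /* limit >= total is an invariant, so limit - total cannot underflow. */
    if (chunk > c->limit - c->total) {
        c->rejected = true;   /* refuse the DATA before the total can wrap */
        return false;
    }
    c->total += chunk;
    return true;
}

/* Feed nchunks of `chunk` bytes under `limit`; returns how many were accepted. */
size_t safe_accepted_chunks(size_t chunk, size_t nchunks, size_t limit)
{
    body_counter c = { 0, limit, false };
    size_t accepted = 0;
    for (size_t i = 0; i < nchunks; i++) {
        if (!body_feed(&c, chunk))
            break;
        accepted++;
    }
    return accepted;
}

int main(void)
{
    /* Constructed scenario: 1 MiB chunks, 2048 of them = exactly 2 GiB. */
    printf("weak counter after 2047 MiB: %d\n", weak_total_after(1u << 20, 2047));
    printf("weak counter after 2048 MiB: %d\n", weak_total_after(1u << 20, 2048));
    printf("chunks accepted under a 64 MiB cap: %zu\n",
           safe_accepted_chunks(1u << 20, 4096, 64u << 20));
    return 0;
}
```

The hardened version checks `chunk > limit - total` rather than `total + chunk > limit`, because the second form performs the addition that can wrap before the comparison is ever made.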

16 Jan 2004 (updated 16 Jan 2004 at 22:16 UTC) »
Play with RSS

Seems to work perfectly.

RSS is pretty nice. Actually, a very useful mailing-list RSS is at http://www.djeaux.com/rss ; I also use the ISC's XML feed.

16 Jan 2004 (updated 16 Jan 2004 at 22:29 UTC) »
kernel mremap bug

An interesting bug. The people at isec.pl are real geniuses :-) They have already found and written up several critical bugs. http://isec.pl/vulnerabilities/isec-0013-mremap.txt

When I tried the code, kscand (a kernel thread) oopsed, and after a while no process could be forked. I just gave up.

The idea is to use a 0-size VMA to overwrite a child's VMA counter, making it 1, so that on exit the kernel puts it onto a free list and then reuses it for another purpose, while the parent still has access to this page and can then read/write the task structure.

My first log.
Trying to see if it works?
