diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog index 8e9581bc9..497c55571 100644 --- a/winsup/cygwin/ChangeLog +++ b/winsup/cygwin/ChangeLog @@ -1,3 +1,10 @@ +2012-02-27 Corinna Vinschen + + * cygtls.cc (dll_cmp): New comparison function for bsearch. + (well_known_dlls): New array containing well-known DLLs. + (_cygtls::call2): Add code for BLODA detection. + * net.cc (fdsock): Ditto. + 2012-02-26 Corinna Vinschen * environ.cc (enum settings): Add setbool. Rename justset to setdword diff --git a/winsup/cygwin/cygtls.cc b/winsup/cygwin/cygtls.cc index f45cfaa52..7b9c2a827 100644 --- a/winsup/cygwin/cygtls.cc +++ b/winsup/cygwin/cygtls.cc @@ -1,6 +1,7 @@ /* cygtls.cc - Copyright 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Red Hat, Inc. + Copyright 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, + 2012 Red Hat, Inc. This software is a copyrighted work licensed under the terms of the Cygwin license. Please consult the file "CYGWIN_LICENSE" for @@ -62,10 +63,68 @@ _cygtls::call (DWORD (*func) (void *, void *), void *arg) _my_tls.call2 (func, arg, buf); } +static int +dll_cmp (const void *a, const void *b) +{ + return wcscasecmp ((const wchar_t *) a, *(const wchar_t **) b); +} + +/* Keep sorted! + This is a list of well-known core system DLLs which contain code + whiuch is started in its own thread by the system. Kernel32.dll, + for instance, contains the thread called on every Ctrl-C keypress + in a console window. The DLLs in this list are not recognized as + BLODAs. */ +const wchar_t *well_known_dlls[] = +{ + L"kernel32.dll", + L"mswsock.dll", + L"ntdll.dll", + L"ws2_32.dll", +}; + void _cygtls::call2 (DWORD (*func) (void *, void *), void *arg, void *buf) { init_thread (buf, func); + + /* Optional BLODA detection. The idea is that the function address is + supposed to be within Cygwin itself. This is also true for pthreads, + since pthreads are always calling thread_wrapper in miscfuncs.cc. + Therefore, every function call to a function outside of the Cygwin DLL + is potentially a thread injected into the Cygwin process by some BLODA. + + But that's a bit too simple. Assuming the application itself calls + CreateThread, then this is a bad idea, but not really invalid. So we + shouldn't print a BLODA message if the address is within the loaded + image of the application. Also, ntdll.dll starts threads into the + application which */ + if (detect_bloda) + { + PIMAGE_DOS_HEADER img_start = (PIMAGE_DOS_HEADER) GetModuleHandle (NULL); + PIMAGE_NT_HEADERS32 ntheader = (PIMAGE_NT_HEADERS32) + ((PBYTE) img_start + img_start->e_lfanew); + void *img_end = (void *) ((PBYTE) img_start + + ntheader->OptionalHeader.SizeOfImage); + if (((void *) func < (void *) cygwin_hmodule + || (void *) func > (void *) cygheap) + && ((void *) func < (void *) img_start || (void *) func >= img_end)) + { + MEMORY_BASIC_INFORMATION mbi; + wchar_t modname[PATH_MAX]; + + VirtualQuery ((PVOID) func, &mbi, sizeof mbi); + GetModuleFileNameW ((HMODULE) mbi.AllocationBase, modname, PATH_MAX); + /* Fetch basename and check against list of above system DLLs. */ + const wchar_t *modbasename = wcsrchr (modname, L'\\') + 1; + if (!bsearch (modbasename, well_known_dlls, + sizeof well_known_dlls / sizeof well_known_dlls[0], + sizeof well_known_dlls[0], dll_cmp)) + small_printf ("\n\nPotential BLODA detected! Thread function " + "called outside of Cygwin DLL:\n %W\n\n", modname); + } + } + DWORD res = func (arg, buf); remove (INFINITE); /* Don't call ExitThread on the main thread since we may have been diff --git a/winsup/cygwin/net.cc b/winsup/cygwin/net.cc index 2115debab..40ab47bf3 100644 --- a/winsup/cygwin/net.cc +++ b/winsup/cygwin/net.cc @@ -1,7 +1,7 @@ /* net.cc: network-related routines. Copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, - 2005, 2006, 2007, 2008, 2009, 2010, 2011 Red Hat, Inc. + 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012 Red Hat, Inc. This file is part of Cygwin. @@ -532,19 +532,33 @@ fdsock (cygheap_fdmanip& fd, const device *dev, SOCKET soc) sizeof (base_soc), &bret, NULL, NULL); if (ret) debug_printf ("WSAIoctl: %lu", WSAGetLastError ()); - else if (base_soc != soc - && GetHandleInformation ((HANDLE) base_soc, &flags) - && (flags & HANDLE_FLAG_INHERIT)) + else if (base_soc != soc) { - if (!DuplicateHandle (GetCurrentProcess (), (HANDLE) base_soc, - GetCurrentProcess (), (PHANDLE) &base_soc, - 0, TRUE, DUPLICATE_SAME_ACCESS)) - debug_printf ("DuplicateHandle failed, %E"); - else + /* LSPs are often BLODAs as well. So we print an info about + detecting an LSP if BLODA detection is desired. */ + if (detect_bloda) { - closesocket (soc); - soc = base_soc; - fixup = false; + WSAPROTOCOL_INFO prot; + + memset (&prot, 0, sizeof prot); + ::getsockopt (soc, SOL_SOCKET, SO_PROTOCOL_INFO, (char *) &prot, + (size = sizeof prot, &size)); + small_printf ("\n\nPotential BLODA detected! Layered Socket " + "Service Provider:\n %s\n\n", prot.szProtocol); + } + if (GetHandleInformation ((HANDLE) base_soc, &flags) + && (flags & HANDLE_FLAG_INHERIT)) + { + if (!DuplicateHandle (GetCurrentProcess (), (HANDLE) base_soc, + GetCurrentProcess (), (PHANDLE) &base_soc, + 0, TRUE, DUPLICATE_SAME_ACCESS)) + debug_printf ("DuplicateHandle failed, %E"); + else + { + closesocket (soc); + soc = base_soc; + fixup = false; + } } } }