[Bug 176582] Review Request: freedt -- Reimplementation of Dan Bernstein's daemontools under the GNU GPL
bugzilla at redhat.com
bugzilla at redhat.com
Sun Feb 26 18:00:21 UTC 2006
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
Summary: Review Request: freedt -- Reimplementation of Dan Bernstein's daemontools under the GNU GPL
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=176582
------- Additional Comments From enrico.scholz at informatik.tu-chemnitz.de 2006-02-26 13:00 EST -------
1. linking dynamically creates significantly larger binaries (>50%);
e.g. building with default settings and with '--without dietlibc'
creates binaries with the following sizes (bytes):
diet glibc glibc/diet
anonidentd 6732 11572 171%
argv0 6580 10304 156%
dumblog 8636 11784 136%
envdir 7448 11288 151%
envuidgid 8624 10752 124%
mkservice 1286 1286 100%
ratelimit 8400 13288 158%
recordio 34 34 100%
setlock 7112 11372 159%
setuidgid 8852 11160 126%
softlimit 7440 11696 157%
supervise 8628 14436 167%
svc 6828 11572 169%
svok 5964 10432 174%
svscan 8632 13200 152%
svstat 6356 11248 176%
--------------------------------------------
107552 165424 153%
2. linking dynamically slows down some programs significantly. To
measure the time, I used
http://ensc.de/freedt/rep.c
http://ensc.de/freedt/nop.S
and executed sequences like
| for i in `seq 0 4`; do
| for F in diet glibc; do
| echo $F/$i;
| ( time ~/tmp/rep 100000 @@@CMD@@@ ) &>res.argv0.$F.$i;
| done;
| done
which starts '@@@CMD@@@' 100000 times. This resulted into the
following times:
argv0 (@@@CMD@@@ = 'argv0.$F /tmp/nop foo')
diet glibc glibc/diet
real: 15.964s 52.879s 331%
user: 0.136s 3.557s 2615%
sys: 5.396s 14.604s 270%
envuid (@@@CMD@@@ = 'envuid.$F bin /tmp/nop')
diet glibc glibc/diet
real: 25.500s 83.016s 325%
user: 1.722s 6.920s 401%
sys: 6.965s 20.451s 293%
3. the security aspects of dynamic linking are not interesting for the
freedt programs:
* argv0, envdir, envuidgid, setuidgid, softlimit
are pure command wrappers; they are not suid and you can not gain
additional rights with an exploit
* anonidentd: this server imports the following symbols from the
libc:
- getpid, write, setgroups, setgid, chdir, fcntl, exit, setuid,
read, chroot
these are pure syscall wrappers which are implemented correctly
and can not be exploited
- sleep
simple wrapper around nanosleep(2); can not be exploited
- strchr, strncmp, strcat, strcpy, memcpy, memchr, memmove
trivial memory operations which are implemented correctly by
dietlibc and can not be exploited
- getenv
* lib/getenv.c implementation is correct
* optimized i386/getenv.S implementation is correct
* read environment will be set by calling process and can not
be influenced by client-input
- malloc, free, realloc
* code (incl. comments) is 202 lines and reviewable; it takes
care about integer-overflows, and the handling of internal
hunk lists is correct. Underlying algorithms are simple,
possible inputs are limited so based upon my review these
functions are unexploitable
- getopt
* complicated, unreviewed code. But input can not be influenced
by client-input so its usage within anonidentd is unexploitable
* dumplog: input reading is the only, potential exploitable code;
there only the following functions will be used from libc
- read, malloc, free, realloc, memcpy: see above; these functions
are implemented correctly
* ratelimit: ditto to 'dumplog'
* setlock: just an 'fcntl' wrapper; not suid and you could not gain
additionals rights with an exploit
* supervise: only user input is coming from a fifo which reads a
single char. This is evaluated in a 'switch {}' statement without
using a libc function
* svc, svok, svstat: not suid, you can not gain additional rights
with it
* svscan:
- uses opendir, readdir, closedir: <20 lines of code; could not
detect something suspicious while reviewing them; only assumption
is that MAP_ANON zeros the mmap'ed memory which is true on linux
platforms
4. this statement is not proved with numbers for this case, but memory
consumption of dietlibc programs is significantly lower than with
traditional glibc
SUMMARY: linking 'freedt' against dietlibc generates significantly
smaller and faster binaries without lowering security. Therefore,
it would be an error to use glibc in this case.
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
More information about the fedora-extras-list
mailing list