How to test for FORTIFY_SOURCE?

2020-03-17 Thread Jeffrey Walton
According to https://man.openbsd.org/NetBSD-8.1/security.7#FORTIFY_SOURCE
OpenBSD implements glibc bounds checking on certain functions. I am
trying to detect FORTIFY_SOURCE without looking up operating system
names and versions.

The following code works for Linux, but fails under OpenBSD (it is
part of an autoconf test):

#include <string.h>
int main(int argc, char** argv)
{
  char msg[16];
  /* commented-out alternative probe:
     strcpy(msg, argv[0]);
     return (int)(msg[0] & ~msg[1]); */
  memcpy(msg, argv[0], strlen(argv[0]));
  return msg[0] != msg[strlen(argv[0])-1];
}

I then compile it and scan for the fortified function call:

if $CC -D_FORTIFY_SOURCE=2 $CPPFLAGS -O2 $CFLAGS fortify_test.c -o fortify_test.exe;
then
  count=`readelf --relocs fortify_test.exe | grep -i -c '_chk'`
  if test "$count" -ne 0; then
    AC_MSG_RESULT([yes]); NSD_CPPFLAGS="$NSD_CPPFLAGS -D_FORTIFY_SOURCE=2"
  else
    AC_MSG_RESULT([no])
  fi
fi

The problem is, OpenBSD is not using the fortified function even
though the destination buffer size can be deduced:

$ readelf --relocs fortify_test.exe | grep -i -c '_chk'
0

And:

$ readelf --relocs fortify_test.exe

Relocation section '.rela.dyn' at offset 0x488 contains 2 entries:
  Offset  Info      Type               Sym. Value  Sym. Name + Addend
2168      0008      R_X86_64_RELATIVE              13e0
2160      00030006  R_X86_64_GLOB_DAT              _Jv_RegisterClasses + 0

Relocation section '.rela.plt' at offset 0x4b8 contains 7 entries:
  Offset  Info      Type               Sym. Value  Sym. Name + Addend
2188      00010007  R_X86_64_JUMP_SLO              _csu_finish + 0
2190      00020007  R_X86_64_JUMP_SLO              exit + 0
2198      00030007  R_X86_64_JUMP_SLO              _Jv_RegisterClasses + 0
21a0      00040007  R_X86_64_JUMP_SLO              atexit + 0
21a8      00050007  R_X86_64_JUMP_SLO              strlen + 0
21b0      00060007  R_X86_64_JUMP_SLO              memcpy + 0
21b8      00070007  R_X86_64_JUMP_SLO              __stack_smash_handler + 0

I expect to see memcpy_chk or strcpy_chk.

Do I have a misunderstanding of OpenBSD's implementation?

If someone could point out what is wrong I would greatly appreciate it.
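The scan step of the autoconf check above, as an added Go example that is not part of the thread or of any project's configure script. It parses the "Sym. Name" column of `readelf --relocs` output and reports only real fortified entry points (`__memcpy_chk`, `__strcpy_chk`, ...). The `grep -i -c '_chk'` line count is reproduced beside it to show its false positive: a glibc binary built with `-fstack-protector` but without `_FORTIFY_SOURCE` still imports `__stack_chk_fail`, so the count is non-zero and the test says "yes". A libc whose PLT carries no `__*_chk` symbols at all, as in the OpenBSD output in the post, comes out as "no" under both methods. The readelf excerpts are constructed for this example; the OpenBSD one re-lays out the seven `.rela.plt` entries from the post in readelf's full-width format, and the glibc ones (offsets, symbol versions) are assumed.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed `readelf --relocs` excerpts (.rela.plt only), laid out in readelf's
// 64-bit format. They were written for this example and are not output captured
// from a real build; the OpenBSD one reuses the symbols shown in the post.

// Assumed glibc build of the probe with -O2 -D_FORTIFY_SOURCE=2 -fstack-protector.
const linuxFortified = `
Relocation section '.rela.plt' at offset 0x4b8 contains 3 entries:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
0000000000004018  0000000100000007 R_X86_64_JUMP_SLO 0000000000000000 __memcpy_chk@GLIBC_2.3.4 + 0
0000000000004020  0000000200000007 R_X86_64_JUMP_SLO 0000000000000000 __stack_chk_fail@GLIBC_2.4 + 0
0000000000004028  0000000300000007 R_X86_64_JUMP_SLO 0000000000000000 strlen@GLIBC_2.2.5 + 0
`

// Same build without _FORTIFY_SOURCE: the stack protector alone still imports __stack_chk_fail.
const linuxUnfortified = `
Relocation section '.rela.plt' at offset 0x4b8 contains 3 entries:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
0000000000004018  0000000100000007 R_X86_64_JUMP_SLO 0000000000000000 memcpy@GLIBC_2.14 + 0
0000000000004020  0000000200000007 R_X86_64_JUMP_SLO 0000000000000000 __stack_chk_fail@GLIBC_2.4 + 0
0000000000004028  0000000300000007 R_X86_64_JUMP_SLO 0000000000000000 strlen@GLIBC_2.2.5 + 0
`

// The seven .rela.plt entries from the post's OpenBSD output.
const openbsdRelocs = `
Relocation section '.rela.plt' at offset 0x4b8 contains 7 entries:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
0000000000002188  0000000100000007 R_X86_64_JUMP_SLO 0000000000000000 _csu_finish + 0
0000000000002190  0000000200000007 R_X86_64_JUMP_SLO 0000000000000000 exit + 0
0000000000002198  0000000300000007 R_X86_64_JUMP_SLO 0000000000000000 _Jv_RegisterClasses + 0
00000000000021a0  0000000400000007 R_X86_64_JUMP_SLO 0000000000000000 atexit + 0
00000000000021a8  0000000500000007 R_X86_64_JUMP_SLO 0000000000000000 strlen + 0
00000000000021b0  0000000600000007 R_X86_64_JUMP_SLO 0000000000000000 memcpy + 0
00000000000021b8  0000000700000007 R_X86_64_JUMP_SLO 0000000000000000 __stack_smash_handler + 0
`

// symbolNames returns the "Sym. Name" column of every relocation entry that
// names a symbol. Section and column headers are skipped because their first
// field is not a hexadecimal offset; RELATIVE entries have no "name + addend".
func symbolNames(relocs string) []string {
	var names []string
	for _, line := range strings.Split(relocs, "\n") {
		f := strings.Fields(line)
		if len(f) < 6 || f[len(f)-2] != "+" {
			continue
		}
		if _, err := strconv.ParseUint(f[0], 16, 64); err != nil {
			continue
		}
		name := f[len(f)-3]
		if i := strings.IndexByte(name, '@'); i >= 0 {
			name = name[:i] // strip the @GLIBC_x.y symbol version
		}
		names = append(names, name)
	}
	return names
}

// fortifiedRe matches the _FORTIFY_SOURCE entry points (__memcpy_chk, __strcpy_chk,
// __printf_chk, ...). __stack_chk_fail ends in "_fail" and is excluded on purpose.
var fortifiedRe = regexp.MustCompile(`^__[a-z0-9_]+_chk$`)

// fortifiedCalls lists the fortified functions the binary actually imports.
func fortifiedCalls(relocs string) []string {
	var out []string
	for _, n := range symbolNames(relocs) {
		if fortifiedRe.MatchString(n) {
			out = append(out, n)
		}
	}
	return out
}

// naiveChkCount reproduces `readelf --relocs | grep -i -c '_chk'` from the
// autoconf snippet: a per-line count in which __stack_chk_fail also scores.
func naiveChkCount(relocs string) int {
	n := 0
	for _, line := range strings.Split(relocs, "\n") {
		if strings.Contains(strings.ToLower(line), "_chk") {
			n++
		}
	}
	return n
}

func main() {
	for _, s := range []struct{ label, relocs string }{
		{"glibc, fortified", linuxFortified},
		{"glibc, stack protector only", linuxUnfortified},
		{"OpenBSD (from the post)", openbsdRelocs},
	} {
		fmt.Printf("%-28s fortified=%v  grep -c '_chk' would say %d\n",
			s.label, fortifiedCalls(s.relocs), naiveChkCount(s.relocs))
	}
}
```

In a configure script the same tightening is a one-line change: match the symbol column against `^__.*_chk$` (or simply exclude `__stack_chk_fail`) instead of counting every line that contains `_chk`.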



Re: Hosting a CDN question

2020-03-17 Thread Aaron Mason
In that case, relayd would be the most likely port of call.

On Wed, Mar 18, 2020 at 10:06 AM Flipchan  wrote:
>
> Yeah, the point with a CDN is to lower the latency of it, so therefore what
> is needed is not only a fast http server but a traffic redirector
> depending on the end user's origin
>
> On March 17, 2020 3:44:27 AM GMT+01:00, Aaron Mason 
>  wrote:
>>
>> You can easily "write" one in Go with 9 lines of code.  And since Go
>> builds static binaries, you can chroot it for security.
>>
>> I just did a quick test between httpd and a web server written in Go
>> and on a simple text file with 20,000 requests from 10 threads I saw a
>> 2.3x improvement on a pair of tests.
>>
>> On Mon, Mar 16, 2020 at 9:28 PM Flipchan  wrote:
>>>
>>>
>>>  Hey all,
>>>
>>>  My company needs to put up a CDN for fast hosting of JavaScript, images
>>> and CSS for websites, and then I would need something faster than httpd.
>>>
>>>
>>>  Does anyone here run a CDN for static website content?
>>>
>>>  If so what software did you use to set it up?
>>>
>>>  have a good one
>>>  Sincerely
>>>  Filip
>>
>>
>>
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Hosting a CDN question

2020-03-17 Thread Flipchan
Yeah, the point with a CDN is to lower the latency of it, so therefore what is
needed is not only a fast http server but a traffic redirector depending
on the end user's origin

On March 17, 2020 3:44:27 AM GMT+01:00, Aaron Mason  
wrote:
>You can easily "write" one in Go with 9 lines of code.  And since Go
>builds static binaries, you can chroot it for security.
>
>I just did a quick test between httpd and a web server written in Go
>and on a simple text file with 20,000 requests from 10 threads I saw a
>2.3x improvement on a pair of tests.
>
>On Mon, Mar 16, 2020 at 9:28 PM Flipchan  wrote:
>>
>> Hey all,
>>
>> My company needs to put up a CDN for fast hosting of JavaScript,
>> images and CSS for websites, and then I would need something faster
>> than httpd.
>>
>>
>> Does anyone here run a CDN for static website content?
>>
>> If so what software did you use to set it up?
>>
>> have a good one
>> Sincerely
>> Filip
>
>
>
>-- 
>Aaron Mason - Programmer, open source addict
>I've taken my software vows - for beta or for worse

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: Help: System hang/Lockup using snapshots on Intel i5 NUC?

2020-03-17 Thread Why 42? The lists account.
On Thu, Mar 05, 2020 at 11:45:30PM +0100, Why 42? wrote:
> ...
> When this happens the mouse is frozen, the capslock LED on the (USB)
> keyboard doesn't light up and the system doesn't respond to ssh. To
> recover I have to hold down the power switch to shutoff the system, then
> turn it on again, reboot and examine the resulting fsck errors.
> ...

Just to follow up, since sysupgrading to the latest snapshot (on 15.3) I
cannot reproduce this problem. (All packages were updated too.)

Also my tentative test case, which resulted in the same symptoms, also
now functions without issue (fyi: run "vblank_mode=0 glxgears" and drag
the resulting window around wildly being sure to get it to go into/out of
fullscreen by hitting the edge of the desktop).

So now I just have to decide if I continue using Firefox or revert back to
Iridium (or Chrome). Decisions, decisions ... :)

Any ideas what I can or should do about my "dubious" kernel messages?
E.g. "0:31:5: mem address conflict 0xfe01/0x1000"
What does that "0:31:5:" indicate?

Or the "not configured" messages like these for example:
> "Intel Core GMM" rev 0x00 at pci0 dev 8 function 0 not configured
> "Intel 300 Series Thermal" rev 0x30 at pci0 dev 18 function 0 not configured
> xhci0 at pci0 dev 20 function 0 "Intel 300 Series xHCI" rev 0x30: msi, xHCI 
> 1.10
> usb0 at xhci0: USB revision 3.0
> uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00 
> addr 1
> "Intel 300 Series Shared SRAM" rev 0x30 at pci0 dev 20 function 2 not 
> configured
> "Intel 300 Series MEI" rev 0x30 at pci0 dev 22 function 0 not configured
> ahci0 at pci0 dev 23 function 0 "Intel 300 Series AHCI" rev 0x30: msi, AHCI 
> 1.3.1
> ahci0: port 2: 6.0Gb/s
It seems as if that Intel 300 chip is only partially supported. Maybe
that's not a significant problem? Though I worry a bit about the
"Thermal" message ... suggesting some temperature sensing may not be
working correctly.

The other good news is that the new (old) keyboard is working well :-)
> uhidev0 at uhub2 port 4 configuration 1 interface 0 "Fujitsu Component Sun 
> USB Keyboard" rev 2.00/1.05 addr 4

Cheers,
Robb.



Re: bridge, vether & dhcpd

2020-03-17 Thread Stefan Sperling
On Tue, Mar 17, 2020 at 12:14:21PM +0100, Salvatore Cuzzilla wrote:
> Nope, the L2 if(s) (including the bridge) are running only with option 'up'
> within the hostname.if files,
> and all the other L3 ifs have their IPs statically assigned.

Then you need to share a lot more details, such as your pf.conf,
and tcpdumps from all relevant interfaces including pflog0 which
show the facts about the actual vs. expected flow of packets.



Re: bridge, vether & dhcpd

2020-03-17 Thread Salvatore Cuzzilla
Nope, the L2 if(s) (including the bridge) are running only with option 'up' within
the hostname.if files,
and all the other L3 ifs have their IPs statically assigned.

> On 17 Mar 2020, at 09:44, Stefan Sperling  wrote:
> 
> On Tue, Mar 17, 2020 at 08:24:34AM +0100, Salvatore Cuzzilla wrote:
>> Dear all,
>> 
>> Is someone using a setup with multiple layer 2 interfaces & a single vether
>> IP interface (layer 3) bundled all together in a bridge?
>> Well, I'm using this setup too and almost everything is working as
>> expected.
>> 
>> However,
>> I have a couple of hosts connected to the L2 interfaces & I would like them
>> to dynamically get an IP (dhcpd instance already up & running);
>> atm this is not working. I thought about PF, but probably it's not the
>> issue ...
>> 
>> Any advice? Configuration examples I can go through?
>> 
>> 
> 
> Is dhclient also running? If so, try to stop dhclient and see if
> it works then.



Re: Hosting a CDN question

2020-03-17 Thread Kevin Chadwick
On 2020-03-17 02:48, Aaron Mason wrote:
> It's worth noting that httpd didn't go over ~30% in the test, whereas
> the Go web server absolutely slammed the system.

I wonder if this is linked to Go's concurrency.

Personally I would look into tweaking httpd defaults and relayd, as Go's net/http
runs everything as one user, and so I prefer to gain httpd's TLS key protection
with Go via fcgi, akin to GCP App Engine.

You also need to tweak timeouts etc. for Go, as its defaults are not ready for
production (easy DoS upon internet exposure) without being behind App
Engine/httpd etc.

I would also trust httpd's routing over gorilla/mux, though stdlib mux is
probably closer (no regex) but *maybe* not as powerful as httpd's.

Of course fcgi *may* slow it down further, if HW cost is paramount.
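The timeout point above, as an added Go example that is not from the thread or from any of the projects named in it. A zero-value `http.Server` has no read, write or idle timeouts, so one client that opens a connection and never finishes sending its headers keeps a server-side connection and goroutine alive for as long as it likes; the hardened variant sets `ReadHeaderTimeout` and the other limits, and the loopback probe shows the difference by stalling mid-header and checking whether the server hangs up. The timeout values, the in-memory asset map, the `/app.js` path and the `cdn.example` host are this example's assumptions.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"time"
)

// assetHandler serves a constructed in-memory asset map the way a static
// origin would, with long-lived cache headers. The map is this example's
// stand-in for the JavaScript/CSS/image files discussed in the thread.
func assetHandler(assets map[string][]byte) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, ok := assets[r.URL.Path]
		if !ok {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Cache-Control", "public, max-age=31536000, immutable")
		w.Header().Set("X-Content-Type-Options", "nosniff")
		http.ServeContent(w, r, r.URL.Path, time.Time{}, bytes.NewReader(body))
	})
}

// newStaticServer wraps the handler in an http.Server. hardened=false keeps the
// zero-value defaults (no timeouts at all); hardened=true sets the limits an
// internet-facing server needs. The numbers are assumptions for this example,
// not values from the thread.
func newStaticServer(h http.Handler, hardened bool) *http.Server {
	srv := &http.Server{Handler: h}
	if hardened {
		srv.ReadHeaderTimeout = 200 * time.Millisecond // finish the headers or go away
		srv.ReadTimeout = 2 * time.Second              // whole request, body included
		srv.WriteTimeout = 5 * time.Second             // response must be written by then
		srv.IdleTimeout = 30 * time.Second             // idle keep-alive connections
		srv.MaxHeaderBytes = 16 << 10                  // 16 KiB of headers is plenty for assets
	}
	return srv
}

// slowClientGetsDisconnected runs srv on a loopback port, connects once, sends a
// request line and one header but never the blank line that ends the header
// block, then waits up to `wait`. It returns true if the server hung up on the
// stalled client within that time and false if the connection was still open.
func slowClientGetsDisconnected(srv *http.Server, wait time.Duration) (bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	go srv.Serve(ln)
	defer srv.Close()

	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer conn.Close()
	if _, err := io.WriteString(conn, "GET /app.js HTTP/1.1\r\nHost: cdn.example\r\n"); err != nil {
		return false, err
	}
	if err := conn.SetReadDeadline(time.Now().Add(wait)); err != nil {
		return false, err
	}
	buf := make([]byte, 512)
	for {
		_, err := conn.Read(buf)
		if err == nil {
			continue // the server answered something; keep reading until it hangs up
		}
		var ne net.Error
		if errors.As(err, &ne) && ne.Timeout() {
			return false, nil // our deadline hit first: the server is still waiting
		}
		return true, nil // EOF or reset: the server dropped the stalled connection
	}
}

func main() {
	h := assetHandler(map[string][]byte{"/app.js": []byte("console.log('constructed asset')")})
	for _, hardened := range []bool{false, true} {
		closed, err := slowClientGetsDisconnected(newStaticServer(h, hardened), time.Second)
		fmt.Printf("hardened=%-5v stalled client disconnected=%-5v err=%v\n", hardened, closed, err)
	}
}
```

Run stand-alone it prints one line per variant: the default server is still holding the stalled connection when the one-second probe gives up, the hardened one has closed it after `ReadHeaderTimeout`. `MaxHeaderBytes` and `IdleTimeout` are not exercised by the probe but bound the other two ways a client can tie up resources, oversized headers and parked keep-alive connections.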



Re: bridge, vether & dhcpd

2020-03-17 Thread Stefan Sperling
On Tue, Mar 17, 2020 at 08:24:34AM +0100, Salvatore Cuzzilla wrote:
> Dear all,
> 
> Is someone using a setup with multiple layer 2 interfaces & a single vether
> IP interface (layer 3) bundled all together in a bridge?
> Well, I'm using this setup too and almost everything is working as
> expected.
> 
> However,
> I have a couple of hosts connected to the L2 interfaces & I would like them
> to dynamically get an IP (dhcpd instance already up & running);
> atm this is not working. I thought about PF, but probably it's not the
> issue ...
> 
> Any advice? Configuration examples I can go through?
> 
> 

Is dhclient also running? If so, try to stop dhclient and see if
it works then.



Re: Record with a device, playback with another with sndiod

2020-03-17 Thread David Demelier
On Mon, Mar 16, 2020 at 10:09:50PM +0100, David Demelier wrote:
> It has only one jack yes, but the logo on top of the jack is a headset
> with a microphone but I don't even know if combined output/microphone
> jacks are supported? I never experienced them at all, I don't have a
> headset that has microphone with a single jack to test anyway.

I finally realized that I actually have a combined headset (one
shipped with my phone) and yes the dock can record/playback at the same
time in this unique jack, awesome!

Case closed :).

Regards,

-- 
David



Re: Hosting a CDN question

2020-03-17 Thread infoomatic

varnish does not bring down the network latency if users are sitting on
the other end of the world...


On 17.03.20 08:48, Wayne Oliver wrote:
> On 2020/03/16 12:26, Flipchan wrote:
>> Hey all,
>>
>> My company needs to put up a CDN for fast hosting of JavaScript,
>> images and CSS for websites, and then I would need something faster
>> than httpd.
>>
>> Does anyone here run a CDN for static website content?
>>
>> If so what software did you use to set it up?
>>
>> have a good one
>> Sincerely
>> Filip
>
> What about sticking a caching server/s in front of your httpd instance/s,
> e.g. https://varnish-cache.org/





Re: Hosting a CDN question

2020-03-17 Thread Wayne Oliver

On 2020/03/16 12:26, Flipchan wrote:
> Hey all,
>
> My company needs to put up a CDN for fast hosting of JavaScript, images and CSS
> for websites, and then I would need something faster than httpd.
>
> Does anyone here run a CDN for static website content?
>
> If so what software did you use to set it up?
>
> have a good one
> Sincerely
> Filip

What about sticking a caching server/s in front of your httpd instance/s,
e.g. https://varnish-cache.org/



bridge, vether & dhcpd

2020-03-17 Thread Salvatore Cuzzilla
Dear all,

Is someone using a setup with multiple layer 2 interfaces & a single vether IP
interface (layer 3) bundled all together in a bridge?
Well, I'm using this setup too and almost everything is working as expected.

However,
I have a couple of hosts connected to the L2 interfaces & I would like them to
dynamically get an IP (dhcpd instance already up & running);
atm this is not working. I thought about PF, but probably it's not the issue ...

Any advice? Configuration examples I can go through?