2024-04-28 15:53:40

by Sam James

[permalink] [raw]
Subject: [oss-security] Suspicious hook-loading mechanism in hyprland

Hi!

Someone passed along https://blog.vaxry.net/articles/2024-own-malloc to
me, and I noticed some curious bits.

hyprland seems to have committed an interesting homebrew malloc
implementation (which is fine in theory), but the reasons for it
existing & how it works are not so fine.

Fisrt, it relies on writing an object file at a predictable
path in /tmp and reading it back later.

It was needed to facilitate a trampoline which looks.. unsound. The
whole hook system looks terrifying.

Initial reading:
* https://github.com/hyprwm/Hyprland/blob/965a2e5b213eee595808bc7bff28e7df59442720/src/plugins/HookSystem.cpp#L138
* https://github.com/hyprwm/Hyprland/blob/965a2e5b213eee595808bc7bff28e7df59442720/src/plugins/HookSystem.cpp#L188

There are some primitives that may be useful even once the hook setup is
done too.

I have charitably termed the mechanism "not robust". I haven't reported
it upstream because of their hostility on other matters. I don't feel
too guilty about not having reported it given it fell out so immediately
upon inspection.

I don't plan on spending more time on this, sorry, but I felt like I had
to share it.

thanks,
sam


Attachments:
signature.asc (385.00 B)