From: Sam James
To: oss-security@lists.openwall.com
Organization: Gentoo
Date: Sun, 28 Apr 2024 16:34:01 +0100
Message-ID: <871q6p8psm.fsf@gentoo.org>
Subject: [oss-security] Suspicious hook-loading mechanism in hyprland

Hi!

Someone passed along https://blog.vaxry.net/articles/2024-own-malloc to me, and I noticed some curious bits.
hyprland seems to have committed an interesting homebrew malloc implementation (which is fine in theory), but the reasons for it existing & how it works are not so fine.

First, it relies on writing an object file at a predictable path in /tmp and reading it back later. It was needed to facilitate a trampoline which looks... unsound. The whole hook system looks terrifying.

Initial reading:
* https://github.com/hyprwm/Hyprland/blob/965a2e5b213eee595808bc7bff28e7df59442720/src/plugins/HookSystem.cpp#L138
* https://github.com/hyprwm/Hyprland/blob/965a2e5b213eee595808bc7bff28e7df59442720/src/plugins/HookSystem.cpp#L188

There are some primitives that may be useful even once the hook setup is done too. I have charitably termed the mechanism "not robust".

I haven't reported it upstream because of their hostility on other matters. I don't feel too guilty about not having reported it given it fell out so immediately upon inspection.

I don't plan on spending more time on this, sorry, but I felt like I had to share it.

thanks,
sam
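The report's first point is the classic insecure temporary-file pattern: a fixed, guessable name under the world-writable /tmp, written now and re-opened by path later. The C below is an added example written for this archive entry; it is not Hyprland's code and not Sam's, and it does not claim anything about how Hyprland's HookSystem actually creates its file. It shows the defensive counterpart: mkstemp() picks an unpredictable name and opens it with O_CREAT|O_EXCL, the descriptor is made owner-only and the name is unlinked straight away, the contents are verified with fstat() on the open descriptor rather than a second path lookup, and the read-back goes through the same descriptor with pread() instead of re-opening by name. The function names, the "scratch-XXXXXX" template and the sample blob are all constructed for the example.

```c
/* Added example, not Hyprland's code: a private scratch file in $TMPDIR or /tmp
 * that cannot be pre-placed or swapped by another local user, read back through
 * the same descriptor instead of by path. Names and template are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create the scratch file. mkstemp() generates an unpredictable name and opens
 * it with O_CREAT|O_EXCL (a pre-existing file or symlink at that name makes it
 * fail instead of being followed); fchmod() drops the mode to owner-only; the
 * immediate unlink() removes the name, so the open descriptor is the only
 * handle left. Returns the fd, or -1 on failure. */
int scratch_create_private(void) {
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || dir[0] != '/') dir = "/tmp";
    char tmpl[4096];
    int n = snprintf(tmpl, sizeof tmpl, "%s/scratch-XXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof tmpl) return -1;
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    if (unlink(tmpl) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Checks to run on a descriptor before trusting what it refers to: a regular
 * file (not a directory, FIFO or device), owned by the effective user, and not
 * group- or world-writable. fstat() inspects the already-open object, so there
 * is no window between a path check and a path open. Returns 1 if acceptable. */
int scratch_fd_is_trustworthy(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    if (!S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != geteuid()) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Write blob to a private scratch file and read it back through the same
 * descriptor with pread(), never by re-opening a path. Returns the number of
 * bytes read back (== len on success), or -1 on any failure or if out is too
 * small. */
ssize_t scratch_roundtrip(const void *blob, size_t len, void *out, size_t out_len) {
    int fd = scratch_create_private();
    if (fd < 0) return -1;
    ssize_t result = -1;
    if (!scratch_fd_is_trustworthy(fd) || out_len < len) goto done;

    size_t off = 0;
    while (off < len) {                      /* handle short writes */
        ssize_t w = write(fd, (const char *)blob + off, len - off);
        if (w <= 0) goto done;
        off += (size_t)w;
    }
    size_t got = 0;
    while (got < len) {                      /* handle short reads */
        ssize_t r = pread(fd, (char *)out + got, len - got, (off_t)got);
        if (r <= 0) goto done;
        got += (size_t)r;
    }
    result = (ssize_t)got;
done:
    close(fd);
    return result;
}

int main(void) {
    static const char blob[] = "constructed object-file bytes";  /* sample input */
    char out[64];
    ssize_t n = scratch_roundtrip(blob, sizeof blob, out, sizeof out);
    printf("round-trip: %zd bytes, %s\n", n,
           (n == (ssize_t)sizeof blob && memcmp(blob, out, sizeof blob) == 0) ? "match" : "MISMATCH");
    return n < 0;
}
```

If a later consumer genuinely needs a path (for example a loader that only takes file names), the safe shape is still to keep the original descriptor open, and when the name is re-opened, fstat() both descriptors and require identical st_dev and st_ino before using the new one; the name itself is never evidence that the file is the one you wrote.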