extension injection detection

One of the unexpected but very interesting side effects of the brutalist html quine is that anything added to the page suddenly becomes visible as well. In the common case, this might be browser extensions adding custom stylesheets, but it might also be stylesheet or script injection by a network interloper.

What if every web page had a little something like this embedded in it?

<style>head { display: block; }
link[rel=stylesheet], style, script { display: block; font-family: monospace; white-space: pre-wrap; }
link:not([href^="/style.css"])::before { content:attr(href) }</style>

That’s an actual style. It should be the only one visible on this page. If there’s anything else visible, it’s not coming from me.

Posted 05 Jun 2019 10:12 by tedu Updated: 05 Jun 2019 10:12
Tagged: web

honking for fun and profit

It’s been a little while, so a few more notes about ActivityPub implementation, federation, and other odds and ends. There’s no real order to these notes, just things that have come up in the past two months.

more...

Posted 03 Jun 2019 09:03 by tedu Updated: 03 Jun 2019 09:03
Tagged: project web

hello android

I’ve had an iPhone for many years, and an iPad for not quite as long. People would tell me I should switch to Android. I thought they were crazy. I recently got some Android devices. Now I know they are crazy. Some notes on recent experiences with a Moto G6 and Samsung Tab S5e.

more...

Posted 01 Jun 2019 18:21 by tedu Updated: 01 Jun 2019 18:21
Tagged: gadget review

ssh in https

The wifi network at BSDcan, really the UOttawa network, blocks a bunch of ports. This makes it difficult to connect to outside machines using “exotic” protocols, basically anything except http or https. There are many ways to resolve this; here’s what I did.

Pick a port that’s allowed, such as 443. Unfortunately I’m already using port 443 for some very serious https business. But it’s possible to run two protocols over the same port with some smarts in the endpoint.

ssh connections start by having both client and server exchange version strings. You can observe this by running netcat.

> nc localhost 22
SSH-2.0-OpenSSH_8.0

Or start a server and observe the client by running ssh -p 20002 localhost.

> nc -l localhost 20002
SSH-2.0-OpenSSH_8.0

This is convenient because in many other protocols only one party speaks first. You can’t tell you’re talking to a web server, for instance, because the server doesn’t respond until it receives a request. The upside, for ssh, is that since the client announces itself immediately you can probably inject it into almost anything, given some control over the software.

In my case, I’m running a web server. My request loop used to look like this:

        _, err := rw.Reader.Peek(1)
        if err != nil {
            return
        }
        req, err := http.ReadRequest(rw.Reader)

It’s reading one byte to check for timeouts and disconnects. If we read a little more, we can spot ssh connections.

        sneak, err := rw.Reader.Peek(4)
        if err != nil {
            return
        }
        if conn.sshproxy && string(sneak) == "SSH-" {
            sshconn, err := net.Dial("tcp", "127.0.0.1:22")
            if err != nil {
                // sshd unreachable; don't write to a nil conn
                return
            }
            // replay whatever the buffered reader already pulled off the socket
            sneak, _ = rw.Reader.Peek(rw.Reader.Buffered())
            sshconn.Write(sneak)
            c := make(chan net.Conn)
            go copyuntildone(netconn, sshconn, c)
            go copyuntildone(sshconn, netconn, c)
            closewhendone(c)
            return
        }
        req, err := http.ReadRequest(rw.Reader)

From there, it’s a simple matter of copying data from one socket to the other.
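The whole server-side demux described above, written out as an added example rather than the page's own request loop: one accepted connection is peeked, spliced to sshd if it opens with "SSH-", and otherwise answered as a single http request. It assumes TLS has already been terminated (in deployment the listener would be a tls.Listener on 443) and that sshd's address is passed in; the http reply is framed with httptest's recorder instead of the server's own response code.

```go
package main

import (
	"bufio"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
)

// isSSHPrefix reports whether a connection's first bytes are an ssh version
// string. The ssh client speaks first, so its banner is waiting before we reply.
func isSSHPrefix(b []byte) bool { return len(b) >= 4 && string(b[:4]) == "SSH-" }

// serveConn handles one accepted connection (a tls.Listener's in deployment):
// splice it to sshd if it opened with "SSH-", otherwise answer one http request.
func serveConn(client net.Conn, sshAddr string, handler http.Handler) {
	defer client.Close()
	br := bufio.NewReader(client)
	sneak, err := br.Peek(4)
	if err != nil {
		return // disconnect, timeout, or a client that never sent 4 bytes
	}
	if isSSHPrefix(sneak) {
		proxySSH(client, br, sshAddr)
		return
	}
	req, err := http.ReadRequest(br)
	if err != nil {
		return
	}
	rec := httptest.NewRecorder() // buffer the handler's output, then frame it
	handler.ServeHTTP(rec, req)
	res := rec.Result()
	res.ContentLength = int64(rec.Body.Len())
	res.Write(client)
}

// proxySSH dials the real sshd and copies both directions until one side hangs
// up. Reading from br rather than client replays the peeked banner bytes first.
func proxySSH(client net.Conn, br *bufio.Reader, sshAddr string) {
	sshd, err := net.Dial("tcp", sshAddr)
	if err != nil {
		return // sshd unreachable: never write to a nil conn
	}
	defer sshd.Close()
	go func() { io.Copy(sshd, br); sshd.Close() }()
	io.Copy(client, sshd)
}
```

The accept loop is the usual one: for each connection from the (TLS) listener, `go serveConn(c, "127.0.0.1:22", handler)`.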

On the client side, this requires a simple proxy command to connect via TLS first.

ProxyCommand nc -c %h 443

Posted 17 May 2019 17:32 by tedu Updated: 17 May 2019 17:32
Tagged: openbsd software web

syzkaller found a bug

A common problem for operating system fuzzers is breaking the system they’re running on. Some forms of damage are expected, some are not, and sometimes it’s difficult to tell which is which.

A few days ago, a stack leak bug was fixed in FreeBSD. A similar fix for OpenBSD was committed. And then syzkaller came kalling just a few days later.

panic: bad dir

There are a few possible causes for this, but inspection revealed that the most likely one might be a directory entry missing the nul terminator. The timing certainly seemed suspicious. Could there be an off by one?

memset(newdirp->d_name + (cnp->cn_namelen & ~(DIR_ROUNDUP-1)), 0, DIR_ROUNDUP);

Actually no. syzkaller had found a way to create filesystem corruption through one of the “expected” damage paths, but the test case was a little obfuscated. More study revealed it was calling mknod to create a new device that happened to be equal to /dev/sd0c and opening it, and then calling pwrite to write some garbage to a random spot.

mknod("banana", 0777, 0x0402);
open("banana", O_RDWR);
pwrite(3, "oops", 4, 0x9000);

Not recommended.

Further complicating the matter was that syzkaller didn’t know that pwrite is one of the magic syscalls that takes a padding argument before off_t. This didn’t affect the test, per se, but makes it harder to interpret because syzkaller calls things directly. (The actual syscall in use was the iovec variant, pwritev.)

syscall(SYS_pwritev, r[0], 0x200002c0, 1, 0);

If you read the man page for pwritev that looks correct. But inspecting src/sys/kern/syscalls.master reveals that the fourth argument is actually a pad argument, and the offset is the fifth argument. So the call above was writing to an offset that was not zero.

Not the first fuzzer to encounter this oddity. More details here.

In the end, it was just coincidence that syzkaller found a new way to corrupt its filesystem a few days after a filesystem commit.

Posted 10 May 2019 16:02 by tedu Updated: 10 May 2019 16:02
Tagged: openbsd

viewport and iphone reflow

Something that’s annoyed me for some years is that all the web sites I build don’t work quite right with my iphone. Scroll down a page, visit a link, go back, and safari jumps back to the top of the page. Very annoying. Pretty much no other site I visit seems to have this problem, yet I couldn’t figure out what I was doing wrong since I’m barely doing anything at all. There are some support forum complaints about similar bugs, but mostly from several years ago, and mostly “solved: it works now” without explanation.

Finally, I figured out what seems to be the problem. The iphone introduces its own viewport meta tag, to define the screen dimensions and control whether the user can zoom or not. A lot of sites abuse this to the point of unusability, so I very determinedly stayed clear. But without a viewport tag, safari is really dumb.

Without a viewport setting, safari picks some defaults and renders the page to fit. They seem fine to me. The problem is that after leaving a page and coming back, safari has forgotten what size it picked, picks again, and then has to reflow all the page content, even though it has picked exactly the same dimensions as the previous render. The result is that it forgets its scroll position and resets to the top of the page. Sigh. At least that’s what I’ve determined is going on.

So I finally broke down and added a viewport tag to the header. This required futzing with the CSS some more because now it rendered to a much smaller virtual canvas, but generally solvable.

Anyway, this frustrated me for a long time, I couldn’t find any useful information about it, and now it seems to work.

Posted 19 Apr 2019 17:27 by tedu Updated: 22 Apr 2019 18:55
Tagged: web

the png that squished really big

I posted a tiny png, a mastodon stepped on it, and... it got really big.

more...

Posted 16 Apr 2019 17:33 by tedu Updated: 16 Apr 2019 17:34
Tagged: software web

removing array duplicates

I had an array with some duplicates. I wanted to remove them. I know how to do this, but I searched for solutions anyway to make sure I wasn’t missing some trick. The results were disappointing, very language specific, and rarely discussed run time. And if we’re working with an unsorted array, the provided answers are even worse. Just sort the array first. Well, duh; any problem with unsorted data can be transformed into a problem with sorted data by sorting first. That’s not very interesting, though, and maybe there’s a reason the data is unsorted. Here’s a few solutions I worked through, but no stunning algorithmic breakthroughs.

more...

Posted 11 Apr 2019 19:30 by tedu Updated: 11 Apr 2019 19:53
Tagged: programming

honk 0.1

honk is my take on a federated status updater. One might say it’s opinionated software. Since my opinions are correct, this makes honk the world’s first provably correct social media application. Here’s a formerly brief rundown of things that work, things that don’t work, and things that won’t work. Plus some complaints about how other people do things. The version number, 0.1, indicates your expected level of satisfaction.

more...

Posted 09 Apr 2019 12:36 by tedu Updated: 04 Jun 2019 18:36
Tagged: project software web

battery consuming battery software

This is a little tour of some software I took today. One of the topics that consistently comes up when people discuss what operating system to run on their laptop is how much battery life to expect, and the answers are all over the map. The focus always seems to be on the kernel and how advanced its scheduler algorithm is, and the minutia of interrupt controllers. We throw around terms like race to sleep. But rarely do I see anyone mention the impact that the software they choose to run spending millions of CPU cycles on trivial tasks might have on battery life. Especially ironic if that software ends up being the software we’re running to monitor how much battery is left.

more...

Posted 08 Apr 2019 17:12 by tedu Updated: 08 Apr 2019 17:12
Tagged: software