August 27, 2008 23:48 · August 27, 2008 23:54 · March 31, 2009 02:18 · April 9, 2009 21:21 · April 9, 2009 23:41 · April 10, 2009 07:13
 diff --git a/ext/mysql.c b/ext/mysql.c
 index 765cfde..1e12557 100644
 --- a/ext/mysql.c
 +++ b/ext/mysql.c
 @@ -1064,14 +1064,37 @@ static VALUE fetch_row(VALUE obj)
     return ary;
 }
 
 -/*	fetch_hash2 (internal)	*/
 -static VALUE fetch_hash2(VALUE obj, VALUE with_table)
 diff --git a/ext/mysql.c b/ext/mysql.c
 index 765cfde..0e169e7 100644
 --- a/ext/mysql.c
 +++ b/ext/mysql.c
 @@ -1064,51 +1064,70 @@ static VALUE fetch_row(VALUE obj)
     return ary;
 }
 
 -/*	fetch_hash2 (internal)	*/
 -static VALUE fetch_hash2(VALUE obj, VALUE with_table)
 Index: eval.c
 ===================================================================
 --- eval.c	(revision 23100)
 +++ eval.c	(working copy)
 @@ -1038,6 +1038,7 @@
 #define PROT_LOOP   INT2FIX(1)	/* 3 */
 #define PROT_LAMBDA INT2FIX(2)	/* 5 */
 #define PROT_YIELD  INT2FIX(3)	/* 7 */
 +#define PROT_FIBER  INT2FIX(4)	/* 9 */
 
 def write_file
  begin
    File.open("/test", "w+") do |f|
      f.write("hello!\n")
      f.close
    end
    puts "wrote test file"
  rescue Errno::EACCES
    puts  "could not write test file"
  end
 diff --git a/lib/starling/server_runner.rb b/lib/starling/server_runner.rb
 index 535bac3..7531115 100644
 --- a/lib/starling/server_runner.rb
 +++ b/lib/starling/server_runner.rb
 @@ -182,8 +182,8 @@ module StarlingServer
     end
 
     def drop_privileges
 -      Process.egid = options[:group] if options[:group]
 -      Process.euid = options[:user] if options[:user]
 ##  
 ##  sneak peak at a potential future blog post @ http://timetobleed.com
 ##
 ##  this demos how using Process.euid= isn't strong enough for dropping privs
 ##  in linux. you need to use Process::Sys.setres[uid|gid] instead.
 ## 
 ##  execute this file as root, it will drop privs to nobody, then call an evil
 ##  ruby function that has a buffer overflow/double free/format string/etc vuln.
 ##  
 ##  (in this demo case i wrote BadGem which just does a blind strcpy, but you can
 diff --git a/main.c b/main.c
 index a93d8cb..72b7331 100644
 --- a/main.c
 +++ b/main.c
 @@ -42,7 +42,8 @@ main(argc, argv, envp)
 #endif
 
     {
 -        RUBY_INIT_STACK
 +        asm ("pushf; orl $(1 << 18), (%esp); popf;");
 /*
 *  is this cool enough that it warrants a blog post?
 *
 *  trigger breakpoint in GDB, from code.
 */

 #include <stdio.h>

 int main(int argc, char *argv[]) {
 #if 0
 In these examples, let's assume that passing more than 2 args to the program is 
 *not* the case we are optimizing this for.

 With that in mind, lets build a sample program with
 and without __builtin_expect and compare assembly output. 
 #endif

 /*
   no predictor:
 ;
 ;  branch predictor on with -O2
 ;


 0000000000000000 <st_lookup>:
   0:   48 89 5c 24 d8          mov    %rbx,-0x28(%rsp)
   5:   48 89 6c 24 e0          mov    %rbp,-0x20(%rsp)
   a:   48 89 fd                mov    %rdi,%rbp
   d:   4c 89 64 24 e8          mov    %r12,-0x18(%rsp)
	diff --git a/ext/mysql.c b/ext/mysql.c
	index 765cfde..1e12557 100644
	--- a/ext/mysql.c
	+++ b/ext/mysql.c
	@@ -1064,14 +1064,37 @@ static VALUE fetch_row(VALUE obj)
	return ary;
	}

	-/* fetch_hash2 (internal) */
	-static VALUE fetch_hash2(VALUE obj, VALUE with_table)
	diff --git a/ext/mysql.c b/ext/mysql.c
	index 765cfde..0e169e7 100644
	--- a/ext/mysql.c
	+++ b/ext/mysql.c
	@@ -1064,51 +1064,70 @@ static VALUE fetch_row(VALUE obj)
	return ary;
	}

	-/* fetch_hash2 (internal) */
	-static VALUE fetch_hash2(VALUE obj, VALUE with_table)
	Index: eval.c
	===================================================================
	--- eval.c (revision 23100)
	+++ eval.c (working copy)
	@@ -1038,6 +1038,7 @@
	#define PROT_LOOP INT2FIX(1) /* 3 */
	#define PROT_LAMBDA INT2FIX(2) /* 5 */
	#define PROT_YIELD INT2FIX(3) /* 7 */
	+#define PROT_FIBER INT2FIX(4) /* 9 */
	def write_file
	begin
	File.open("/test", "w+") do \|f\|
	f.write("hello!\n")
	f.close
	end
	puts "wrote test file"
	rescue Errno::EACCES
	puts "could not write test file"
	end
	diff --git a/lib/starling/server_runner.rb b/lib/starling/server_runner.rb
	index 535bac3..7531115 100644
	--- a/lib/starling/server_runner.rb
	+++ b/lib/starling/server_runner.rb
	@@ -182,8 +182,8 @@ module StarlingServer
	end

	def drop_privileges
	- Process.egid = options[:group] if options[:group]
	- Process.euid = options[:user] if options[:user]
	##
	## sneak peak at a potential future blog post @ http://timetobleed.com
	##
	## this demos how using Process.euid= isn't strong enough for dropping privs
	## in linux. you need to use Process::Sys.setres[uid\|gid] instead.
	##
	## execute this file as root, it will drop privs to nobody, then call an evil
	## ruby function that has a buffer overflow/double free/format string/etc vuln.
	##
	## (in this demo case i wrote BadGem which just does a blind strcpy, but you can
	diff --git a/main.c b/main.c
	index a93d8cb..72b7331 100644
	--- a/main.c
	+++ b/main.c
	@@ -42,7 +42,8 @@ main(argc, argv, envp)
	#endif

	{
	- RUBY_INIT_STACK
	+ asm ("pushf; orl $(1 << 18), (%esp); popf;");
	/*
	* is this cool enough that it warrants a blog post?
	*
	* trigger breakpoint in GDB, from code.
	*/

	#include <stdio.h>

	int main(int argc, char *argv[]) {
	#if 0
	In these examples, let's assume that passing more than 2 args to the program is
	not the case we are optimizing this for.

	With that in mind, lets build a sample program with
	and without __builtin_expect and compare assembly output.
	#endif

	/*
	no predictor:
	;
	; branch predictor on with -O2
	;


	0000000000000000 <st_lookup>:
	0: 48 89 5c 24 d8 mov %rbx,-0x28(%rsp)
	5: 48 89 6c 24 e0 mov %rbp,-0x20(%rsp)
	a: 48 89 fd mov %rdi,%rbp
	d: 4c 89 64 24 e8 mov %r12,-0x18(%rsp)