From: Ryan Johnson <ryan.johnson@cs.utoronto.ca>
To: cygwin@cygwin.com
Subject: Re: BLODA detection code in latest snapshot
Date: Wed, 29 Feb 2012 15:01:00 -0000 [thread overview]
Message-ID: <4F4E3B6C.1080607@cs.utoronto.ca> (raw)
In-Reply-To: <20120227122614.GB31025@calimero.vinschen.de>
On 27/02/2012 7:26 AM, Corinna Vinschen wrote:
> Hi folks,
>
>
> I've just uploaded a new snapshot "2012-02-27 12:04:23 UTC". It
> contains two code snippets which are supposed to help diagnosing BLODA
> problems.
>
> If you set the environment variable CYGWIN to "detect_bloda" and then
> start a Cygwin process (bash or so), then Cygwin will detect two types
> of anomalies:
>
> - Threads injected into the process from an unknown source.
>
> Every thread started in a process triggers a message to the DLLs
> in a process. When the Cygwin DLL gets this message, it tweaks
> the function pointer of the thread entry point so that it points to
> a Cygwin function. Usually Cygwin just performs some setup and
> then starts the original thread function.
>
> If CYGWIN=detect_bloda, then the original function address is
> evaluated and if the address is neither in the Cygwin DLL, nor in
> the application image, nor in one of a few filtered system DLLs,
> then Cygwin prints a message like this:
>
> Potential BLODA detected! Thread function called outside of Cygwin DLL:
> C:\foo\bar\baz.dll
>
> Of course this is not foolproof. The only filtered system DLLs so
> far are kernel32.dll, ntdll.dll, mswsock.dll, amd ws2_32.dll. If you
> playing around with this, and if you find that a core system DLL is
> reported (like, say, advapi32.dll), then please notify this list, too.
>
> - Some BLODAs affect the network. Winsock allows so-called "Layered
> Service Providers" (LSP). The socket handle returned by a socket(2)
> call is not a real socket, but a pseudo handle returned by the LSP.
> While Cygwin tries to workaround this, it's nevertheless interesting
> to learn that an LSP is installed.
>
> For instance, there's the "Bytemobile optimization client" on our
> BLODA list at http://cygwin.com/faq/faq.using.html#faq.using.bloda
> If this is installed on your machine, and if you have CYGWIN=detect_bloda
> set, it's existence will be recognized twice when you try to open a
> socket connection. First it injects a thread into the application, so
> you'll see something like this:
>
> Potential BLODA detected! Thread function called outside of Cygwin DLL:
> C:\Windows\System32\bmnet.dll
>
> And additionally you'll see this:
>
> Potential BLODA detected! Layered Socket Service Provider:
> BMA over MSAFD Tcpip [TCP/IP]
>
> Please note that this new CYGWIN=detect_bloda setting is just for
> diagnosing BLODA problems. It's no swiss army knife to fix the BLODA
> problems, but it might help to detect the cause for some of them.
>
> Of course I'd be interested in your experience with this and in any
> BLODA message you get by setting CYGWIN=detect_bloda.
Would it be a good idea to update the FAQ's bloda entry with this info?
Sure, it's probably going to give occasional false positives and/or
negatives, but it would definitely catch the obvious cases and give a
quick test for claims of bloda-free systems. You'd almost want a new
cygcheck -b option that could fork off a process or two with
detect_bloda active and capture any output that results.
Ryan
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
next prev parent reply other threads:[~2012-02-29 14:51 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-02-27 14:38 Corinna Vinschen
2012-02-27 15:23 ` Larry Hall (Cygwin)
2012-02-28 8:16 ` David Rothenberger
2012-02-28 8:17 ` David Rothenberger
2012-02-28 9:43 ` Corinna Vinschen
2012-02-28 23:20 ` Andrey Repin
2012-02-29 9:26 ` Corinna Vinschen
2012-02-29 12:46 ` Andrey Repin
2012-02-29 14:45 ` Ryan Johnson
2012-03-01 23:05 ` Andrey Repin
2012-02-28 9:40 ` Corinna Vinschen
2012-03-21 9:40 ` Denis Excoffier
2012-03-21 10:44 ` Corinna Vinschen
2012-03-21 11:05 ` Denis Excoffier
2012-03-21 11:44 ` Corinna Vinschen
2012-02-29 15:01 ` Ryan Johnson [this message]
2012-02-29 15:18 ` Corinna Vinschen
2012-02-29 16:35 ` Ryan Johnson
2012-03-01 9:54 ` Corinna Vinschen
2012-03-01 13:19 ` Ryan Johnson
2012-03-01 13:53 ` Corinna Vinschen
2012-03-30 20:51 ` Christian Franke
2012-03-30 21:15 ` David Rothenberger
2012-03-30 23:37 ` Yaakov (Cygwin/X)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4F4E3B6C.1080607@cs.utoronto.ca \
--to=ryan.johnson@cs.utoronto.ca \
--cc=cygwin@cygwin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).