From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 23698 invoked by alias); 29 Feb 2012 14:51:45 -0000 Received: (qmail 23685 invoked by uid 22791); 29 Feb 2012 14:51:43 -0000 X-SWARE-Spam-Status: No, hits=-0.7 required=5.0 tests=AWL,BAYES_00,SPF_NEUTRAL,TW_YG X-Spam-Check-By: sourceware.org Received: from smtp4.epfl.ch (HELO smtp4.epfl.ch) (128.178.224.218) by sourceware.org (qpsmtpd/0.43rc1) with SMTP; Wed, 29 Feb 2012 14:51:28 +0000 Received: (qmail 29925 invoked by uid 107); 29 Feb 2012 14:51:25 -0000 Received: from dhcphost-ic245.utsc.utoronto.ca (HELO [142.1.102.245]) (142.1.102.245) (authenticated) by smtp4.epfl.ch (AngelmatoPhylax SMTP proxy) with ESMTPA; Wed, 29 Feb 2012 15:51:25 +0100 Message-ID: <4F4E3B6C.1080607@cs.utoronto.ca> Date: Wed, 29 Feb 2012 15:01:00 -0000 From: Ryan Johnson User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2 MIME-Version: 1.0 To: cygwin@cygwin.com Subject: Re: BLODA detection code in latest snapshot References: <20120227122614.GB31025@calimero.vinschen.de> In-Reply-To: <20120227122614.GB31025@calimero.vinschen.de> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-IsSubscribed: yes Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com X-SW-Source: 2012-02/txt/msg00902.txt.bz2 On 27/02/2012 7:26 AM, Corinna Vinschen wrote: > Hi folks, > > > I've just uploaded a new snapshot "2012-02-27 12:04:23 UTC". It > contains two code snippets which are supposed to help diagnosing BLODA > problems. > > If you set the environment variable CYGWIN to "detect_bloda" and then > start a Cygwin process (bash or so), then Cygwin will detect two types > of anomalies: > > - Threads injected into the process from an unknown source. > > Every thread started in a process triggers a message to the DLLs > in a process. When the Cygwin DLL gets this message, it tweaks > the function pointer of the thread entry point so that it points to > a Cygwin function. Usually Cygwin just performs some setup and > then starts the original thread function. > > If CYGWIN=detect_bloda, then the original function address is > evaluated and if the address is neither in the Cygwin DLL, nor in > the application image, nor in one of a few filtered system DLLs, > then Cygwin prints a message like this: > > Potential BLODA detected! Thread function called outside of Cygwin DLL: > C:\foo\bar\baz.dll > > Of course this is not foolproof. The only filtered system DLLs so > far are kernel32.dll, ntdll.dll, mswsock.dll, amd ws2_32.dll. If you > playing around with this, and if you find that a core system DLL is > reported (like, say, advapi32.dll), then please notify this list, too. > > - Some BLODAs affect the network. Winsock allows so-called "Layered > Service Providers" (LSP). The socket handle returned by a socket(2) > call is not a real socket, but a pseudo handle returned by the LSP. > While Cygwin tries to workaround this, it's nevertheless interesting > to learn that an LSP is installed. > > For instance, there's the "Bytemobile optimization client" on our > BLODA list at http://cygwin.com/faq/faq.using.html#faq.using.bloda > If this is installed on your machine, and if you have CYGWIN=detect_bloda > set, it's existence will be recognized twice when you try to open a > socket connection. First it injects a thread into the application, so > you'll see something like this: > > Potential BLODA detected! Thread function called outside of Cygwin DLL: > C:\Windows\System32\bmnet.dll > > And additionally you'll see this: > > Potential BLODA detected! Layered Socket Service Provider: > BMA over MSAFD Tcpip [TCP/IP] > > Please note that this new CYGWIN=detect_bloda setting is just for > diagnosing BLODA problems. It's no swiss army knife to fix the BLODA > problems, but it might help to detect the cause for some of them. > > Of course I'd be interested in your experience with this and in any > BLODA message you get by setting CYGWIN=detect_bloda. Would it be a good idea to update the FAQ's bloda entry with this info? Sure, it's probably going to give occasional false positives and/or negatives, but it would definitely catch the obvious cases and give a quick test for claims of bloda-free systems. You'd almost want a new cygcheck -b option that could fork off a process or two with detect_bloda active and capture any output that results. Ryan -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple