Saturday, November 24, 2007

Bakaláři SQL vulnerability

A few weeks ago (precisely Nov 7 2007) I found a way to break into the Bakaláři Czech high-school system database. I used probably the best-known method, called SQL injection. In something under an hour (got up about 9:30, sent an email to the school at 10:08) I had the magic formula to execute SQL queries:
fuj order by cas desc'; select 1; -- '

OK, so I informed the school which I had attended for 6 years in the past about the security hole. But then I realized that it's not school specific; I found many schools which use the same system, so I didn't hesitate to drop a message to the people behind it. Their reaction was fast and they fixed the problem the next morning with a promise that they would post updates to all high schools. Nice.

Not so nice, because this hasn't happened so far; you can still find many schools which are still vulnerable to this attack. This pisses me off a little bit; I only hope they weren't involved in any grant for this sloppy work.

EDIT (Dec 8): they finally seem to either distribute the upgrade, or the school admins update the software.
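
The hole above, as an added example that is not from the post or from the Bakaláři product: a query built by string concatenation beside its allowlisted, parameterized replacement, fed the post's own string. The table name, columns, login format and sample rows are assumptions constructed for this example.

```python
import re
import sqlite3

# The exact value quoted in the post; everything else here is constructed.
PAYLOAD = "fuj order by cas desc'; select 1; -- '"

# Only plain login names are acceptable (assumed policy for this example).
LOGIN_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the school's grade table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE znamky (zak TEXT, predmet TEXT, znamka INTEGER, cas INTEGER)")
    conn.executemany("INSERT INTO znamky VALUES (?, ?, ?, ?)", [
        ("novak", "math", 1, 10), ("novak", "physics", 2, 20), ("fuj", "math", 3, 30)])
    return conn


def build_query_unsafe(zak: str) -> str:
    """The vulnerable pattern: user input pasted into the SQL text.
    With PAYLOAD the quote is closed early and a second statement follows,
    so a server that accepts stacked queries would run it.  Returned as a
    string only; nothing here executes it."""
    return ("SELECT predmet, znamka FROM znamky WHERE zak = '" + zak
            + "' ORDER BY cas DESC")


def is_valid_login(zak: str) -> bool:
    """Allowlist check: first line of defence, applied before any query."""
    return LOGIN_RE.match(zak) is not None


def grades_safe(conn: sqlite3.Connection, zak: str) -> list:
    """Hardened form: the value travels as a bound parameter, never as SQL.
    PAYLOAD simply becomes a login name nobody has and matches no row."""
    cur = conn.execute(
        "SELECT predmet, znamka FROM znamky WHERE zak = ? ORDER BY cas DESC",
        (zak,))
    return cur.fetchall()


if __name__ == "__main__":
    db = make_db()
    print("unsafe text :", build_query_unsafe(PAYLOAD))
    print("valid input?:", is_valid_login(PAYLOAD))
    print("safe result :", grades_safe(db, PAYLOAD))
    print("normal user :", grades_safe(db, "novak"))
```

The string returned by build_query_unsafe shows what the database would have been asked to run; grades_safe with the same input just returns no rows.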

Monday, October 29, 2007

fglrx and x1450

After many fights with this driver, it finally works!

I started using it around 8.38* and it never worked with X 7.2 from Fedora 7. I had to use 7.1 from F6. After upgrading to F8 with its changed glibc, 7.1 X didn't work anymore. I had to install the old X proto devel packages and recompile the whole of X from F6 and use it with fglrx up to 8.40. No hw acceleration, no video overlay. I couldn't use it with the F6 packages either, as the fglrx kernel module had broken suspend/resume (did you know that you can use the X driver without the kernel module?).

Now I have 8.42.3 with patches from livna package (to have compilable sources on 2.6.23) and lkml (to enable suspend stuff) running on X 7.3 from F8. Also I can have fglrx kernel module loaded, suspend seems to work, hw accel and video overlay enabled, so I'm happy.

Friday, October 26, 2007

gmail & imap

I love it!

Sunday, October 21, 2007

outb_p, outw_p, outl_p, inb_p, inw_p and inl_p in linux kernel

Do you want to know where the definitions of these macros for the i386 and x86_64 platforms are? Yes? Then you would try cscope as usual. But it shows nothing relevant. You might also try grepping the whole source tree, but with no reliable output. It's not that easy.

Try generating preprocessor output with the -E switch and it will show you that you should look into asm/io.h (i.e. include/asm-arch/io.h) and … what do you see? BUILDIO for i386 and the __OUT* macros for x86_64. Ugly. Sometimes preprocessor output can be useful :).

Sunday, June 03, 2007

IRQ handling

There are two common ways to learn that new data has arrived in the card.
1) asynchronously – whenever the device gets data, it asserts the interrupt line and you find out in your ISR. Smarter devices support irq mitigation, which more or less means deferring interrupts until more data arrive or a timeout elapses – this is especially common in network devices, where per-interrupt overhead would be large at high speeds.
2) "synchronously" by timer – you set up a timer and "poll" the device even when there are no data (you simply reschedule the timer). This is mostly useful for devices which generate interrupts at high rates but do not support irq mitigation. Besides that, you may use this approach when you don't want (or must not – e.g. netconsole, where data flow the opposite way) enable interrupts.

But when you enable interrupts, you must handle them, even if you don't want to do anything but return IRQ_HANDLED from the ISR (interrupt service routine – the function you register with request_irq).

Note that if you request a shared interrupt, you also need to check whether your device really raised the interrupt you are handling.

Comments are mostly a bad idea

As I have said before, comments are unneeded unless you write something that is not obvious, for example resetting a device in a place where nobody would expect it. Then yes, a comment is necessary to stop anyone from removing code that is required.

The other case for comments is documenting an API. Everybody wants to know what a function does without reading its whole body and studying the code.

But for God's sake, don't try to comment each line of code explaining what it does if it's obvious, or even worse how it does it. If it seems to you that the code is unclear about what it does, write it better and don't excuse it with long comments. This is usually a very bad idea and makes the code totally unreadable and ugly. Beginners often do this; I saw code that looked something like this:

function min(a, b)
    /* compute minimum by comparing both values and */
    /* store the one, which is less than the other into */
    /* result variable, which will be finally returned */
    if (a < b)
        result = a
    else
        result = b

    /* and now, return the computed value */
    return result

Please, don't do that ;), at least not where you are working in a team, where other people will work on the same code either in parallel with you or after you leave the project.

A final quotation from Martin Fowler about refactoring:
Comments are often a sign of unclear code... consider refactoring

Wednesday, April 04, 2007

Asus F2JE and defunct fn+brightness

While pressing the Fn+brightness buttons, this occurred in dmesg and nothing changed:
ACPI Error (psargs-0355): [\_SB_.PCI0.P0P2.VGA_.LCDD] Namespace lookup failure,
ACPI Error (psparse-0537): Method parse/execution failed
[\_SB_.PCI0.SBRG.EC0_._Q0F] (Node ffff81003ff07f70), AE_NOT_FOUND

I slightly changed the DSDT, compiled it and used the hex dump with the "include custom DSDT" kernel option.

Thursday, March 08, 2007

Sensable phantom driver

The good news to write is that Sensable has shown people the source code for their 2.4 Linux PHANToM driver. That means everybody can work out how things work and use the know-how in their 2.6 driver.

This is exactly what I've done. I have a 2.6 driver built on a real basis, not the rtc hack, and ready to submit upstream :), whoooo, except for the fact that I'll probably rewrite it to the standard force feedback layer before submit #2, as Dmitry Torokhov suggests.

The world becomes nice.

RAID1 is recovering

This means everything went fine; RAID is now copying blocks to the spare device and user data stays intact :).

Thursday, March 01, 2007

RAID1 assembly

After a month or so of running a degraded RAID1 on the new disk to test it in our lab server (with almost daily backups on the old one), and since S.M.A.R.T. with its tests was silent, I've decided to finish the job of moving homes to the raid on the fly. The first step is done – repartitioning of the old one. Now I'm going to restart and move the old root to the end of the disk to have enough space for the raid partition. Keep your fingers crossed, please; I'll keep you informed.

Solaris, qemu and audio

After a proper load of the network driver, there is still one thing to do in Solaris + qemu – audio is defunct. According to the Solaris HCL, audio1371 is for es1370 hardware (pci1274,5000). You can obtain a copy of the audio drivers from the site. After bunzipping, you can pkgadd -d it. Note that you only need the TOOLSSbpro driver, so you may tell the installer not to install all the drivers from the package.

The next obvious thing is to add_drv -i '"pci1274,5000"' audio1371, touch /reconfigure and reboot. Enjoy the audio :).

Solaris, qemu and network

When I was playing with Solaris 9 under qemu, I needed to install a driver for the network adapter (the default ne2k_pci). Neither rtl8139 nor the other options seem to work, not even in Linux. lspci says nothing when -net nic,model=<anything but ne2k_pci> is used in Linux, and prtconf in Solaris gives the same result.

To get it right I tried the nei driver without success. The next thing I was told to test by Google (and maybe the Solaris HCL) was the ni driver from this page. And it works, despite being marked as beta. (You would probably need to add_drv -i '"pci10ec,8029"' ni to add the driver, touch /reconfigure to tell Solaris to recheck the hardware, and reboot.) Remember to create /etc/hostname.ni0 and /etc/dhcp.ni0 if you want to use the dhcp client on this adapter (as you want to on qemu).

Just a note: use ls more than I did. I installed gcc and make and after that I figured out that there is already a binary driver in the i386 (alias obj) dir. So you don't need to compile anything if you don't want to.

Friday, February 02, 2007

Nasty bug

I've been playing for six or so hours with one tiny bug. I was working on a NetBSD driver for a high speed network adapter and the underlying PowerPC didn't want to send a packet chain longer than one. Tons of messages in dmesg, many tries to debug the DMA S/G transfers without anything reliable in return.

Finally I found out how stupid I was. I always set the end of the queue as the transfer tail – sending from end to end instead of from this point to the end. Aaargh.

I'm just curious whether there is any way to solve such issues in fewer hours.

Monday, January 29, 2007

NetBSD network stack

I'm playing with the network stack in NetBSD and as a product I've released nettest – a test LKM to get familiarized with the stack. It's simple: it receives packets from userspace and sends them to another interface and to bpf listeners (tcpdump, for instance). Everything is on my homepage.

It also contains examples of list queue use and deferred work. Everything in one short file.

Saturday, January 20, 2007

Qemu is nice

Finally I have time to try it out. It works just fine, especially with kqemu – a kernel module for speedup.

I have tried 3 systems so far: Windows XP 32bit, NetBSD 3.1 and Solaris 9. No problem installing Solaris and Windows. NetBSD dislikes the kqemu module – it spits out a 'Warning: no /dev/console' and hangs when trying to boot the installation iso. The (simple) solution is to add -no-kqemu to the qemu command line (even for standard booting of the installed system, otherwise it won't boot, with no warning).

Going to test it all harder :). The first thing I noticed is the processor load; it's low, I expected it to be more demanding on the hardware.

Sunday, January 07, 2007

Parents push their children hard at sports and music, but consider mathematics torture.
-- Jaroslav Král (origin, probably not the author)

Set it in stone :).

Thursday, January 04, 2007

ALSA stoop

I finally got my 5.1 speakers working in Linux properly with this asoundrc file:

pcm.p6 {
    type route
    slave.pcm surround51
    slave.channels 6
    ttable.0.0 1
    ttable.1.1 1
    ttable.0.2 1
    ttable.1.3 1
    ttable.0.4 0.4
    ttable.1.4 0.4
    ttable.0.5 0.2
    ttable.1.5 0.2
}

And then, for example, aplay -D plug:p6 <soundfile> plays the sound in all speakers. In xine the default settings (I've set nothing) send the original AC3 sound to all speakers when available.

I had no idea how asoundrc files work; I needed to study it and went through the /etc/alsa stuff to understand it. Now life with ALSA is easier :). Let me note that I have an emu10k1 card (Creative SB Live!) with analog Genius speakers.