From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp1 ([2001:41d0:8:6d80::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id ji+aCpgPbWB5HAEAgWs5BA (envelope-from ) for ; Wed, 07 Apr 2021 03:49:12 +0200 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp1 with LMTPS id gTmLA5gPbWBQQwAAbx9fmQ (envelope-from ) for ; Wed, 07 Apr 2021 01:49:12 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 3BE8F14635 for ; Wed, 7 Apr 2021 03:49:11 +0200 (CEST) Received: from localhost ([::1]:36778 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lTxJd-0004sH-CF for larch@yhetil.org; Tue, 06 Apr 2021 21:49:09 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:45740) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lTxJW-0004s7-IP for bug-guix@gnu.org; Tue, 06 Apr 2021 21:49:02 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:59332) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1lTxJW-0006NI-B5 for bug-guix@gnu.org; Tue, 06 Apr 2021 21:49:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1lTxJW-0007tF-9e for bug-guix@gnu.org; Tue, 06 Apr 2021 21:49:02 -0400 X-Loop: help-debbugs@gnu.org Subject: bug#47614: [security] Chunked store references in .zo files in Racket 8 #47614 Resent-From: Philip McGrath Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Wed, 07 Apr 2021 01:49:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 47614 X-GNU-PR-Package: guix X-GNU-PR-Keywords: security To: 47614@debbugs.gnu.org Received: via spool by 47614-submit@debbugs.gnu.org id=B47614.161776012430301 (code B ref 47614); Wed, 07 Apr 2021 01:49:02 +0000 Received: (at 47614) by debbugs.gnu.org; 7 Apr 2021 01:48:44 +0000 Received: from localhost ([127.0.0.1]:42645 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lTxJE-0007se-GC for submit@debbugs.gnu.org; Tue, 06 Apr 2021 21:48:44 -0400 Received: from mail-qk1-f176.google.com ([209.85.222.176]:36466) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lTxJC-0007sS-Bo for 47614@debbugs.gnu.org; Tue, 06 Apr 2021 21:48:43 -0400 Received: by mail-qk1-f176.google.com with SMTP id c4so17215249qkg.3 for <47614@debbugs.gnu.org>; Tue, 06 Apr 2021 18:48:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=philipmcgrath.com; s=google; h=subject:references:to:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=TC9M1/7KxaFEkPgP1zYLPFVVOmqewfiUKZvJNvU5xk8=; b=KewtNXDXmmQOD1dLHvRCPgFM6Ruw/eHxHr48sWLHbosHCuey5hJQVvMCkd/w5BlkiY z4ZOKQwyHUhu+Q7kz23IwOEWUofVuJHmhKdVVuza8BJ40We0TvdzGVqq4pPu4qLZ8l/p n3e8RO+DBUZ1AzBUnIK7DaF49XMomAm73fd5ryoGC+j+h+IPeX4NdQIKaLWyRK5cW1y3 0ERqQrUtRDfdhBuVhv+IKyggeixB/lsDKjMoppdoTq43Uq15eiivu6VrZeil+24/5ZA6 fuDLiSfy2R79JAGnAvJFHC09PXIrzqXFSDgOSBVY3yn4D4RC9phW2xyjR0MbT0CAoQwu Sr+Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:references:to:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=TC9M1/7KxaFEkPgP1zYLPFVVOmqewfiUKZvJNvU5xk8=; b=qSJ4SCd2sw7U7OM4Qh6YQFnsoCEZmnPpcfhK0Hsp4udG6Dj57jgVL8f90boPtFpGhT Xg+K5kZObJybpCRsu0pZVKNGKZBZSmgVAUGc1jyQOvg2L05z48Sz1q9n3vDR8KxNB9NA oBbpui0fnOQjt7FPuEXMYnag3Zc+XL8UPrmXLmuJRu285gRntVWwjPH8shAo8oYKs2i9 1NR64qxDBK5i0at4M54xevuCbv5VYHCK6r0D9BYMbblr1rTsHo3VsqH6RDLC7SzVAF8q 7nC3OFVn5uFCJhn1DdgIsL6VBDPPrWlEUzlynqhrhMX8ZCmR4aMB/lrVxBa3WsfKsfbx 1yfA== X-Gm-Message-State: AOAM5334ezcdhcbnSWLuqzsOZNDyzqnAYLsuYh/fHWnNAyr2c3IZ+VBU ySQqjJ/C+TVAoEa0XrdgXIuSOC3OLWZNEgt6PYg= X-Google-Smtp-Source: ABdhPJxqTuvBXKFGDmMChF2k7KApDmwVWwUwQU/xtlaG7TBywYbe5KxmpcFZB1gCHANkoIxm2ljrRQ== X-Received: by 2002:a37:a281:: with SMTP id l123mr904503qke.218.1617760116458; Tue, 06 Apr 2021 18:48:36 -0700 (PDT) Received: from Sapientia.local (c-73-125-89-242.hsd1.fl.comcast.net. [73.125.89.242]) by smtp.gmail.com with ESMTPSA id g3sm15981128qth.66.2021.04.06.18.48.35 for <47614@debbugs.gnu.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 06 Apr 2021 18:48:35 -0700 (PDT) References: <7eaf8b95-5550-66e1-fda2-d691255b49d7@philipmcgrath.com> From: Philip McGrath X-Forwarded-Message-Id: <7eaf8b95-5550-66e1-fda2-d691255b49d7@philipmcgrath.com> Message-ID: <2abc59d0-905e-ab0c-ae25-bf572f34fcd5@philipmcgrath.com> Date: Tue, 6 Apr 2021 21:48:34 -0400 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:78.0) Gecko/20100101 Thunderbird/78.9.0 MIME-Version: 1.0 In-Reply-To: <7eaf8b95-5550-66e1-fda2-d691255b49d7@philipmcgrath.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-guix@gnu.org List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org Sender: "bug-Guix" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1617760151; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=TC9M1/7KxaFEkPgP1zYLPFVVOmqewfiUKZvJNvU5xk8=; b=D+FDn3GDiK9JRmStnmV6QzGukytJk5Sof41e6lyf6FzxoGUgbpYSLGVwaf9jX6PhmcHPBz d2a0zlPV/RH+/ZYUrWLfosVB+n+v6tC+5OZVdGQtf03VPrnuEefzhHgCVUg14SeMYqhmbb DZTpAjW58qGsGOYXUFm8SIdxhcsivZcwV4xHezwbmMz00w+4EdpNDMhbGdvaMcNeP0ei/b EsLXhLny57MH70EgvT+RFcNrbIqk9B6AcSjUcvQkZhjgQUitJIKWO2E9XpcGr0/Re79+T5 XmJbnUmBDsq+4ah3qoWStKHqjvO9H/eWxIK+m7C99BTCV8U8GTYvrEVPjb2cVg== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1617760151; a=rsa-sha256; cv=none; b=a1I1eqYZzlacudzwYqlci1TxL7u4sIUaYiWqfIutAoR+Ur6rWFS6BcVWTg4Sfvv1pwRGn0 URBfw5IWYja73AQ7bBNIVbiAZYuATFtjtOLonHA5pVS2sxPZt/Y1DlIZak2UmbfLOuTpnT xQs/vzxyf9tCcbp8NYlYnGgACsUr9akQwAhzfvJauN4FyOGUeE1guvgxWDIIT16S3tRlaK 0C7QWZ6OMuHNMkRzwVcDyBSPMV79cUrtBn9+0PrFIfiTZm8x8NkEZoq9voyNgTjbHgzo4R Y6Nc95Jf/7TON2T0demzzPv3sVwDX1ZEUESpdj+zSA7+l27dnIQJ8Wq8wP7t6Q== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=philipmcgrath.com header.s=google header.b=KewtNXDX; dmarc=none; spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Migadu-Spam-Score: -1.44 Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=philipmcgrath.com header.s=google header.b=KewtNXDX; dmarc=none; spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Migadu-Queue-Id: 3BE8F14635 X-Spam-Score: -1.44 X-Migadu-Scanner: scn0.migadu.com X-TUID: yK1pvXQ7i76S Ah, I see the thread for https://issues.guix.gnu.org/47614 wasn't cc'ed here: -------- Forwarded Message -------- Subject: Re: Racket 8 and store references (was [security] Chunked store references in .zo files in Racket 8 #47614) Date: Tue, 6 Apr 2021 21:38:57 -0400 From: Philip McGrath To: Jack Hill , Mark H Weaver CC: guix-devel@gnu.org Indeed, I expect this is a more precise diagnosis of the same problem. My patch in https://issues.guix.gnu.org/47180 solves it by putting the store references (search paths for foreign libraries) in a configuration data file that isn't compiled, so they don't end up in .zo files in the first place. The .zo format is intentionally undocumented and subject to breaking change, including from different compilation options. At a minimum, a change to the Racket version number signals a breaking change to compiled code (e.g. Git is now at 8.0.0.13, so 13 breaking changes since the release). Internally, I don't know all the details, but the normal 8.0 .zo format has a Racket layer around the Chez Scheme object format, which seems to be very complex: it looks like it supports user-configurable compression at the granularity of the individual object within an object file. So it seems much better to avoid rewriting .zo files altogether. -Philip On 4/6/21 9:20 PM, Jack Hill wrote: > On Tue, 6 Apr 2021, Mark H Weaver wrote: > >> Anyway, I doubt that imposing such a limitation would adequately solve >> the problem here of chunked references in Racket 8, because I suspect >> that Racket 8 could split store references at arbitrary points in the >> string.  I doubt that we can safely assume that the hash component of >> store references will be stored contiguously in *.zo files. > > Mark and everyone, > > I wanted to spin off a subthread on guix-devel, to make you aware of > another problem that we've run into with reference in .zo getting > mangled: https://issues.guix.gnu.org/47180 > > Best, > Jack >