
Re: DSO-style FFI

From: Stephen J. Turnbull
Subject: Re: DSO-style FFI
Date: Sun, 13 Oct 2013 08:36:20 +0900

Michael Welsh Duggan writes:

 > As an example, it would be possible to use a raw libffi binding to call
 > memset with appropriate arguments to tromp right over any memory that
 > emacs has access to.

Sure.  But this requires a bit of knowledge of C APIs.  With a tiny
bit more knowledge of C and a dollop of cargo cult, one can use
Stefan's interface to do the same thing, compile it, load it, and
crash or corrupt Emacs.  One could even write Lisp that writes most of
such a program.

 > This isn't to say that something that is not libffi itself could
 > use libffi to create something safer.

No, you can't, in practice.  That would require all libraries to be
safely coded (in the sense that memset is not).  You would need to
exclude linkage to unsafe APIs, but that would be very hard to do (how
about calling PNG editing facilities on an uninitialized piece of
memory that happens to already contain Emacs code or data?)

As for RMS's freedom concern, he's already stated what would be
acceptable: create an Emacs-side API requirement in its FFI
implementation that the DSO declare its GPL compatibility (including
version, I assume).  If the API isn't present, dlopen() will fail,
AIUI.  If the API doesn't declare a compatible set of versions, the
FFI implementation will refuse to bind Lisp to the DSO and unload it.
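The check described above, as an added C example that is not code from the thread or from Emacs: the loader dlopen()s the DSO, looks up a declaration symbol, and unloads the DSO unless the declared GPL versions intersect the set the host accepts. The symbol name `emacs_gpl_compatibility`, the struct layout and the version bitmask are assumptions made for this example.

```c
/* Added example, not Emacs's real module API: refuse to bind a DSO that
   does not declare a GPL version the host accepts. */
#include <dlfcn.h>
#include <stdio.h>

/* Bitmask of GPL versions (assumed encoding for this example). */
enum { GPL_V2 = 1u << 0, GPL_V3 = 1u << 1, GPL_LATER = 1u << 2 };

/* Versions the host accepts: GPLv3, or "v3 or later". */
static const unsigned HOST_ACCEPTS = GPL_V3 | GPL_LATER;

/* Declaration a DSO is expected to export (assumed name and layout). */
struct gpl_decl { unsigned versions; };

/* Policy: the declaration exists and covers at least one accepted version.
   Kept separate from dlopen() so the rule can be tested on its own. */
int gpl_decl_compatible(const struct gpl_decl *decl) {
    if (decl == NULL)
        return 0;                       /* symbol absent: refuse */
    return (decl->versions & HOST_ACCEPTS) != 0;
}

/* Mechanism: open, look up the declaration, and unload on refusal.
   Returns the dlopen() handle on success, NULL otherwise. */
void *ffi_load_checked(const char *path) {
    void *h = dlopen(path, RTLD_NOW | RTLD_LOCAL);
    if (h == NULL) {
        fprintf(stderr, "dlopen(%s): %s\n", path, dlerror());
        return NULL;
    }
    /* dlopen() itself succeeds without the symbol; the lookup is what fails. */
    const struct gpl_decl *decl = dlsym(h, "emacs_gpl_compatibility");
    if (!gpl_decl_compatible(decl)) {
        fprintf(stderr, "%s: no compatible GPL declaration, refusing to bind\n",
                path);
        dlclose(h);                     /* unload before any Lisp binding */
        return NULL;
    }
    return h;
}
```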

Note that this is actually quite effective as far as I can see.  If a
DSO is being commercially distributed under false pretenses at the API
level, that's not just a copyright violation, it's fraud.  This means
that there's a good chance that not only the FSF (as owner of the
copyright to Emacs), but also the customer (victim of fraud) and the
relevant government authorities (since fraud is a crime) have standing
to take action against the perpetrator.  (Copyright violation in
general is a tort, not a crime, so the FSF as owner needs to take
action.)  IANAL, etc., but if RMS and the FSF's legal staff are in
agreement that this is good enough, I'm willing to bet it is. :-)
