Joe Damato ice799

## gist:7612
diff --git a/ext/mysql.c b/ext/mysql.c
index 765cfde..1e12557 100644
--- a/ext/mysql.c
+++ b/ext/mysql.c
@@ -1064,14 +1064,37 @@ static VALUE fetch_row(VALUE obj)
     return ary;
 }

-/*	fetch_hash2 (internal)	*/
-static VALUE fetch_hash2(VALUE obj, VALUE with_table)

## gist:7614
diff --git a/ext/mysql.c b/ext/mysql.c
index 765cfde..0e169e7 100644
--- a/ext/mysql.c
+++ b/ext/mysql.c
@@ -1064,51 +1064,70 @@ static VALUE fetch_row(VALUE obj)
     return ary;
 }

-/*	fetch_hash2 (internal)	*/
-static VALUE fetch_hash2(VALUE obj, VALUE with_table)

## fibers_18_head.diff
Index: eval.c
===================================================================
--- eval.c	(revision 23100)
+++ eval.c	(working copy)
@@ -1038,6 +1038,7 @@
 #define PROT_LOOP   INT2FIX(1)	/* 3 */
 #define PROT_LAMBDA INT2FIX(2)	/* 5 */
 #define PROT_YIELD  INT2FIX(3)	/* 7 */
+#define PROT_FIBER  INT2FIX(4)	/* 9 */


## gist:92746
def write_file
  begin
    File.open("/test", "w+") do |f|
      f.write("hello!\n")
      f.close
    end
    puts "wrote test file"
  rescue Errno::EACCES
    puts  "could not write test file"
  end

## gist:92823
diff --git a/lib/starling/server_runner.rb b/lib/starling/server_runner.rb
index 535bac3..7531115 100644
--- a/lib/starling/server_runner.rb
+++ b/lib/starling/server_runner.rb
@@ -182,8 +182,8 @@ module StarlingServer
     end

     def drop_privileges
-      Process.egid = options[:group] if options[:group]
-      Process.euid = options[:user] if options[:user]

## gist:92980
##
##  sneak peak at a potential future blog post @ http://timetobleed.com
##
##  this demos how using Process.euid= isn't strong enough for dropping privs
##  in linux. you need to use Process::Sys.setres[uid|gid] instead.
##
##  execute this file as root, it will drop privs to nobody, then call an evil
##  ruby function that has a buffer overflow/double free/format string/etc vuln.
##
##  (in this demo case i wrote BadGem which just does a blind strcpy, but you can

## gist:96876
diff --git a/main.c b/main.c
index a93d8cb..72b7331 100644
--- a/main.c
+++ b/main.c
@@ -42,7 +42,8 @@ main(argc, argv, envp)
 #endif

     {
-        RUBY_INIT_STACK
+        asm ("pushf; orl $(1 << 18), (%esp); popf;");

## gdb_trigger.c
/*
 *  is this cool enough that it warrants a blog post?
 *
 *  trigger breakpoint in GDB, from code.
 */

#include <stdio.h>

int main(int argc, char *argv[]) {

## branch_predictor.c
#if 0
In these examples, let's assume that passing more than 2 args to the program is
*not* the case we are optimizing this for.

With that in mind, lets build a sample program with
 and without __builtin_expect and compare assembly output.
#endif

/*
   no predictor:

## branch predictor
;
;  branch predictor on with -O2
;


0000000000000000 <st_lookup>:
   0:   48 89 5c 24 d8          mov    %rbx,-0x28(%rsp)
   5:   48 89 6c 24 e0          mov    %rbp,-0x20(%rsp)
   a:   48 89 fd                mov    %rdi,%rbp
   d:   4c 89 64 24 e8          mov    %r12,-0x18(%rsp)
	diff --git a/ext/mysql.c b/ext/mysql.c
	index 765cfde..1e12557 100644
	--- a/ext/mysql.c
	+++ b/ext/mysql.c
	@@ -1064,14 +1064,37 @@ static VALUE fetch_row(VALUE obj)
	return ary;
	}

	-/* fetch_hash2 (internal) */
	-static VALUE fetch_hash2(VALUE obj, VALUE with_table)
	diff --git a/ext/mysql.c b/ext/mysql.c
	index 765cfde..0e169e7 100644
	--- a/ext/mysql.c
	+++ b/ext/mysql.c
	@@ -1064,51 +1064,70 @@ static VALUE fetch_row(VALUE obj)
	return ary;
	}

	-/* fetch_hash2 (internal) */
	-static VALUE fetch_hash2(VALUE obj, VALUE with_table)
	Index: eval.c
	===================================================================
	--- eval.c (revision 23100)
	+++ eval.c (working copy)
	@@ -1038,6 +1038,7 @@
	#define PROT_LOOP INT2FIX(1) /* 3 */
	#define PROT_LAMBDA INT2FIX(2) /* 5 */
	#define PROT_YIELD INT2FIX(3) /* 7 */
	+#define PROT_FIBER INT2FIX(4) /* 9 */
	def write_file
	begin
	File.open("/test", "w+") do \|f\|
	f.write("hello!\n")
	f.close
	end
	puts "wrote test file"
	rescue Errno::EACCES
	puts "could not write test file"
	end
	diff --git a/lib/starling/server_runner.rb b/lib/starling/server_runner.rb
	index 535bac3..7531115 100644
	--- a/lib/starling/server_runner.rb
	+++ b/lib/starling/server_runner.rb
	@@ -182,8 +182,8 @@ module StarlingServer
	end

	def drop_privileges
	- Process.egid = options[:group] if options[:group]
	- Process.euid = options[:user] if options[:user]
	##
	## sneak peak at a potential future blog post @ http://timetobleed.com
	##
	## this demos how using Process.euid= isn't strong enough for dropping privs
	## in linux. you need to use Process::Sys.setres[uid\|gid] instead.
	##
	## execute this file as root, it will drop privs to nobody, then call an evil
	## ruby function that has a buffer overflow/double free/format string/etc vuln.
	##
	## (in this demo case i wrote BadGem which just does a blind strcpy, but you can
	diff --git a/main.c b/main.c
	index a93d8cb..72b7331 100644
	--- a/main.c
	+++ b/main.c
	@@ -42,7 +42,8 @@ main(argc, argv, envp)
	#endif

	{
	- RUBY_INIT_STACK
	+ asm ("pushf; orl $(1 << 18), (%esp); popf;");
	/*
	* is this cool enough that it warrants a blog post?
	*
	* trigger breakpoint in GDB, from code.
	*/

	#include <stdio.h>

	int main(int argc, char *argv[]) {
	#if 0
	In these examples, let's assume that passing more than 2 args to the program is
	not the case we are optimizing this for.

	With that in mind, lets build a sample program with
	and without __builtin_expect and compare assembly output.
	#endif

	/*
	no predictor:
	;
	; branch predictor on with -O2
	;


	0000000000000000 <st_lookup>:
	0: 48 89 5c 24 d8 mov %rbx,-0x28(%rsp)
	5: 48 89 6c 24 e0 mov %rbp,-0x20(%rsp)
	a: 48 89 fd mov %rdi,%rbp
	d: 4c 89 64 24 e8 mov %r12,-0x18(%rsp)