[HN Gopher] A memory leak in Apple's Network Extension framework
___________________________________________________________________
A memory leak in Apple's Network Extension framework
Author : chmaynard
Score : 144 points
Date : 2024-11-14 13:53 UTC (9 hours ago)
(HTM) web link (obdev.at)
(TXT) w3m dump (obdev.at)
| lapcat wrote:
| See also yesterday's "Apple's built-in macOS firewall breaks
| third-party firewalls" https://obdev.at/blog/apples-built-in-
| macos-firewall-breaks-...
| hrdwdmrbl wrote:
| I think this is the one that broke Time Machine for everyone
| with a third-party firewall
| isodev wrote:
| > For the time being, until Apple fixes this serious bug in
| macOS, we therefore highly recommend to turn off the built-in
| firewall of macOS when also using Little Snitch or Little
| Snitch Mini.
|
| I remember back in the day when installing two firewalls or two
| antivirus programs on Windows would break it, so it will have
| to be reinstalled. That was 20 years ago, though, one would
| think we're better at making an OS by now.
| hombre_fatal wrote:
| We like to wishfully think of human systems (software,
| government, anything) as immune systems that accumulate
| knowledge in the system itself over time so that it's
| increasingly resilient to the systemic problems it's
| encountered before.
|
| Instead, human systems require eternal vigilance from the
| humans inside it. Even governmental systems which can encode
| knowledge into laws rely on the eternal vigilance of judges,
| prosecutors, and defenders to utilize that knowledge.
|
| So GGz if you're writing a new subsystem in an OS and you're
| expected to learn from mistakes a team of two people made in
| some subsystem 20 years ago that someone quietly patched.
| isodev wrote:
| True, and having the benefit of hindsight, it's easy for us
| to judge.
|
| The trouble is, Apple's feedback process is so opaque that
| we can never know the details. All we have is the feeling
| of "a simple test of macOS with a third party firewall
| before unleashing it to the world would have shown the
| problem".
|
| For a piece of software on which countless people rely
| (which macOS and iOS are), the "beta" begins after
| exhausting all internal means of detecting regressions and
| unwanted behaviour. It's not cheap but they can't just dump
| something and expect unpaid, third party developers to
| report all the bugs (while never getting a reply on that
| feedback app).
| toast0 wrote:
| I mean... sounds like we are if you only have to turn off one
| of the firewalls and not reinstall. I think ancient windows
| firewalls would routinely replace the system networking
| driver files, and that's why things got really messy. At
| least we're beyond that.
| DavideNL wrote:
| = https://news.ycombinator.com/item?id=42135148
| jamil7 wrote:
| Apple's frameworks, especially in betas, often have memory leaks.
| isodev wrote:
| Apple's frameworks must be perpetually in beta.
| steve1977 wrote:
| Must be all that Swift goodness they impose on us... ;)
| KerrAvon wrote:
| turns out Swift is pretty difficult to use in frameworks
| compared to other executables
| glhaynes wrote:
| How so?
| johnnythunder wrote:
| base sudo leaks at.obdev.littlesnitch.networkextension | grep "total leaked bytes"
| Password:
| Process 310 is not debuggable. Due to security restrictions, leaks
| can only show or save contents of readonly memory of restricted
| processes.
|
| Process 310: 314990 leaks for 967643488 total leaked bytes.
|
| Ouch!
| sleepybrett wrote:
| brett@algol minikube / default ~/Documents/misc sudo leaks at.obdev.littlesnitch.networkextension | grep "total leaked bytes"
| Password:
| Process 43619 is not debuggable. Due to security restrictions,
| leaks can only show or save contents of readonly memory of
| restricted processes.
|
| Process 43619: 2194911 leaks for 6742615664 total leaked bytes.
|
| jesus.
| DavideNL wrote:
| Process 575 is not debuggable. Due to security restrictions,
| leaks can only show or save contents of readonly memory of
| restricted processes.
|
| Process 575: 747950 leaks for 2294465728 total leaked bytes.
| zackmorris wrote:
| I wish there was an independent unit test suite for operating
| systems and other proprietary software.
|
| The suite would run the most-used apps and utilities against
| updates and report regressions.
|
| So for example, the vast majority of apps on my Mac can't run,
| because they were written for early versions of OS X and OS 9,
| even all the way back to System 7 when apps were expected to
| still run on 4/5/6. The suite would reveal that Apple has a track
| record of de-prioritizing backwards compatibility or backporting
| bug fixes to previous OS versions.
|
| Edit: integration test suite
| wrs wrote:
| You don't need to do anything special to "reveal" that Apple
| doesn't prioritize backwards compatibility. That is very well
| known. For example, standard practice for audio professionals
| is to wait a year or more to upgrade MacOS, to give all the
| vendors a chance to fix what broke.
| troupo wrote:
| Even 15 years ago the common knowledge was to never upgrade
| to major versions of Apple software, and wait for a .2
| release, at least.
|
| However, these days it seems that even point releases only
| introduce new bugs in the rush to deliver late features, and
| rarely address any issues
| baq wrote:
| I have to disagree. Sequoia .0 was spectacularly broken and
| .1 is a very noticeable improvement.
|
| ...of course I'd rather stay on Sonoma if I could go back
| in time...
| brailsafe wrote:
| Eh, I agree in a sense, but I'm also ok without the same level
| of backwards compatibility that Windows is beleaguered by.
| Every new version of Windows is little more than a thin veneer
| of whatever they think is a popular choice for UI design that
| year, and with that comes a clumsy amalgamation of hugely
| varying settings dialogs, the classic registry, all the goop.
| Meanwhile on macos, I don't expect very complex software to
| maintain perfect compatibility, but I can reasonably expect
| most of the stuff I use to carry forward 5+ years. Parallels
| and Omnifocus were the exceptions, but 1password from 2012 is
| still kicking, Data Rescue 3 somehow still works, I'm sure even
| Adobe CS6 would even though it's from the Carbon era.
|
| Just as well, although I loathe some of the choices Apple's
| made over the years, such as its own Settings app, the overall
| UI would be pretty recognizable if me from 20 years ago found a
| time machine (pun intended). I recently bought a new mac, and
| it occurred to me that it feels basically like the E-Mac I used
| in middle school all those years ago, albeit with the
| occasional annoyance I wouldn't have been aware of then.
| louis771 wrote:
| Just checked, I have 6.5GB of memory leak, only running Little
| Snitch for two days. Ouch!
| dunham wrote:
| Yeah, I stopped using it because of that.
| gabeio wrote:
| Damn if only they told us yesterday before I restarted for the
| first time in a month. I wonder how big my memory leak would
| have been. I have only been online for about 11 hours (~9 of
| those were in hibernation) now and already at a 13MB leak.
| baq wrote:
| I've been restarting my MacBook weekly for 2 years now. It's
| way more than I've done this with Windows.
| danhon wrote:
| Eeesh.
|
| Process 665: 874477 leaks for 2686387600 total leaked bytes.
| herpdyderp wrote:
| This must be why my system becomes increasingly unstable over
| time ever since I upgraded to Sequoia. I've had to reboot quite
| regularly.
| blacksmith_tb wrote:
| I generally don't sleep my macOS machines these days, as
| hardware has gotten faster and faster, the pain of booting up
| is less and less. Unless I want to be able to wake on network
| etc., at least.
| switch007 wrote:
| Now we know they bumped Macs up to 16GB!
| userbinator wrote:
| Make it harder to use the original way, push developers to a
| suboptimal mechanism and deprecate the original way, then
| eventually deprecate and remove extensions entirely.
|
| "See? This is why extensions are bad!"
|
| It's 100% in Apple's culture to do so. They don't even need to do
| it deliberately --- just ignore the inevitable bugs that appear.
| SG- wrote:
| meanwhile my Lulu alternative to littlesnitch is barely leaking
| anything after running for weeks:
|
| sudo leaks com.objective-see.lulu.extension | grep "total leaked bytes"
| Password:
| Process 851 is not debuggable. Due to security restrictions, leaks
| can only show or save contents of readonly memory of restricted
| processes.
|
| Process 851: 1086 leaks for 108576 total leaked bytes.
___________________________________________________________________
(page generated 2024-11-14 23:00 UTC)