Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 07 Nov 2014 07:16:54 -0500
From: "Anthony G. Basile" <>
Subject: Re: Re: fixing -fPIE + -fstack-protector-all

On 11/06/14 21:10, Andy Lutomirski wrote:
> On 11/06/2014 03:45 AM, Anthony G. Basile wrote:
>> On 11/05/14 10:43, Rich Felker wrote:
>>> On Wed, Nov 05, 2014 at 04:25:03PM +0100, John Spencer wrote:
>>>> using -fPIE + -fstack-protector-all is currently broken for a number
>>>> of architectures (most notably i386) in the default gcc setup
>>>> (including the musl-cross patches), as it depends on a
>>>> libssp_nonshared.a which provides __stack_chk_fail_local().
>>> As discussed on IRC, I would _like_ to be able to simply add the
>>> following to crt/i386/crti.s:
>>> __stack_chk_fail_local: hlt
>>> and equivalent for other archs. This has the added benefit of
>>> effecting a crash without going through the PLT (whereas
>>> libssp_nonshared.a's __stack_chk_fail_local calls __stack_chk_fail via
>>> the PLT) so it's not vulnerable to attacks that have overwritten the
>>> GOT with malicious pointers.
>> For what its worth, hardening in gentoo (PaX kernel + userland hardening
>> with relro and bindnow) tries to prevent this kind of attack by making
>> the GOT read only after initial linking.
> What does the PaX kernel have to do with this?
> --Andy

Overspoke.  The userland stuff is sufficient to freeze the GOT.  I was 
just tangentially thinking of PaX's enhanced aslr.

Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.