|
Date: Sun, 12 Dec 2021 14:35:02 -0500 From: Rich Felker <dalias@...c.org> To: jvoisin <julien.voisin@...tri.org> Cc: musl@...ts.openwall.com Subject: Re: [PATCH] Zero the leading stack canary byte On Sun, Dec 12, 2021 at 07:34:40PM +0100, jvoisin wrote: > This reduces entropy of the canary from 64-bit to 56-bit in exchange for > mitigating non-terminated C string overflows. > > Checking the byte order should be "good enough", since I think that the stacks > on all architectures supported by musl are growing downwards. Worse case, this > can always be improved later if needed. > > This is taken from https://github.com/GrapheneOS/platform_bionic/commit/7024d880b51f03a796ff8832f1298f2f1531fd7b > --- > src/env/__stack_chk_fail.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/src/env/__stack_chk_fail.c b/src/env/__stack_chk_fail.c > index bf5a280a..45f948fe 100644 > --- a/src/env/__stack_chk_fail.c > +++ b/src/env/__stack_chk_fail.c > @@ -2,6 +2,11 @@ > #include <stdint.h> > #include "pthread_impl.h" > > +// Sacrifice 8 bits of entropy to mitigate non-terminated C string overflows > +static const uintptr_t canary_mask = __BYTE_ORDER == __BIG_ENDIAN ? > + 0x00ffffffffffffffUL : > + 0xffffffffffffff00UL ; > + > uintptr_t __stack_chk_guard; > > void __init_ssp(void *entropy) > @@ -9,7 +14,7 @@ void __init_ssp(void *entropy) > if (entropy) memcpy(&__stack_chk_guard, entropy, sizeof(uintptr_t)); > else __stack_chk_guard = (uintptr_t)&__stack_chk_guard * 1103515245; > > - __pthread_self()->canary = __stack_chk_guard; > + __pthread_self()->canary = __stack_chk_guard & canary_mask; > } > > void __stack_chk_fail(void) > -- > 2.30.2 As written this patch assumes a 64-bit uintptr_t, which isn't ok. Indeed 56 bits should be fine on a 64-bit arch, but dropping from 32 to 24 on a 32-bit arch severely weakens the protection. So it probably needs to be conditional on 64-bit. Also, zeroing the first byte means we can no longer catch buffer overflows of the form "off-by-one string length". This seems unfortunate. Putting the 0 byte at the end would solve that at the expense of allowing the canary value to be leaked via missing termination bugs, and overall I would lean towards catching actual buffer overflow bugs vs stopping canary leaks. Rich
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.