Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 13 Dec 2021 21:05:19 +0100
From: jvoisin <>
Cc: jvoisin <>
Subject: [PATCH] Zero the leading stack canary byte

This reduces entropy of the canary from 64-bit to 56-bit in exchange for
mitigating non-terminated C string overflows by setting the second byte
of the canary to NULL, so that off-by-one can still be detected.

This is taken from
 src/env/__stack_chk_fail.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/env/__stack_chk_fail.c b/src/env/__stack_chk_fail.c
index bf5a280a..be31a88a 100644
--- a/src/env/__stack_chk_fail.c
+++ b/src/env/__stack_chk_fail.c
@@ -9,6 +9,14 @@ void __init_ssp(void *entropy)
 	if (entropy) memcpy(&__stack_chk_guard, entropy, sizeof(uintptr_t));
 	else __stack_chk_guard = (uintptr_t)&__stack_chk_guard * 1103515245;
+#if UINTPTR_MAX >= 0xffffffffffffffff
+	/* Sacrifice 8 bits of entropy on 64bit to prevent leaking/overwriting the
+	 * canary via string-manipulation functions. The NULL byte is on the second
+	 * byte so that off-by-ones can still be detected. Endianness is taken care
+	 * of automatically. */
+	((char *)&__stack_chk_guard)[1] = 0;
 	__pthread_self()->canary = __stack_chk_guard;

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.