[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 13 Dec 2021 21:05:19 +0100
From: jvoisin <julien.voisin@...tri.org>
To: musl@...ts.openwall.com
Cc: jvoisin <julien.voisin@...tri.org>
Subject: [PATCH] Zero the leading stack canary byte
This reduces entropy of the canary from 64-bit to 56-bit in exchange for
mitigating non-terminated C string overflows by setting the second byte
of the canary to NULL, so that off-by-one can still be detected.
This is taken from https://github.com/GrapheneOS/platform_bionic/commit/7024d880b51f03a796ff8832f1298f2f1531fd7b
---
src/env/__stack_chk_fail.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/env/__stack_chk_fail.c b/src/env/__stack_chk_fail.c
index bf5a280a..be31a88a 100644
--- a/src/env/__stack_chk_fail.c
+++ b/src/env/__stack_chk_fail.c
@@ -9,6 +9,14 @@ void __init_ssp(void *entropy)
if (entropy) memcpy(&__stack_chk_guard, entropy, sizeof(uintptr_t));
else __stack_chk_guard = (uintptr_t)&__stack_chk_guard * 1103515245;
+#if UINTPTR_MAX >= 0xffffffffffffffff
+ /* Sacrifice 8 bits of entropy on 64bit to prevent leaking/overwriting the
+ * canary via string-manipulation functions. The NULL byte is on the second
+ * byte so that off-by-ones can still be detected. Endianness is taken care
+ * of automatically. */
+ ((char *)&__stack_chk_guard)[1] = 0;
+#endif
+
__pthread_self()->canary = __stack_chk_guard;
}
--
2.30.2
Powered by blists - more mailing lists
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
