From 74a28a8af21977ebbc2945beb879f1b9b6ff13ba Mon Sep 17 00:00:00 2001 From: jvoisin Date: Mon, 13 Dec 2021 21:05:19 +0100 Subject: protect stack canary from leak via read-as-string by zeroing second byte This reduces entropy of the canary from 64-bit to 56-bit in exchange for mitigating non-terminated C string overflows by setting the second byte of the canary to nul, so that off-by-one write overflow with a nul byte can still be detected. Idea from GrapheneOS bionic commit 7024d880b51f03a796ff8832f1298f2f1531fd7b --- src/env/__stack_chk_fail.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/env/__stack_chk_fail.c b/src/env/__stack_chk_fail.c index bf5a280a..e5352602 100644 --- a/src/env/__stack_chk_fail.c +++ b/src/env/__stack_chk_fail.c @@ -9,6 +9,15 @@ void __init_ssp(void *entropy) if (entropy) memcpy(&__stack_chk_guard, entropy, sizeof(uintptr_t)); else __stack_chk_guard = (uintptr_t)&__stack_chk_guard * 1103515245; +#if UINTPTR_MAX >= 0xffffffffffffffff + /* Sacrifice 8 bits of entropy on 64bit to prevent leaking/ + * overwriting the canary via string-manipulation functions. + * The NULL byte is on the second byte so that off-by-ones can + * still be detected. Endianness is taken care of + * automatically. */ + ((char *)&__stack_chk_guard)[1] = 0; +#endif + __pthread_self()->canary = __stack_chk_guard; } -- cgit v1.2.1