mailing list of musl libc
 help / color / mirror / code / Atom feed
From: Rich Felker <dalias@libc.org>
To: jvoisin <julien.voisin@dustri.org>
Cc: musl@lists.openwall.com
Subject: Re: [musl] [PATCH] Zero the leading stack canary byte
Date: Sun, 12 Dec 2021 14:35:02 -0500	[thread overview]
Message-ID: <20211212193502.GF7074@brightrain.aerifal.cx> (raw)
In-Reply-To: <20211212183440.43118-1-julien.voisin@dustri.org>

On Sun, Dec 12, 2021 at 07:34:40PM +0100, jvoisin wrote:
> This reduces entropy of the canary from 64-bit to 56-bit in exchange for
> mitigating non-terminated C string overflows.
> 
> Checking the byte order should be "good enough", since I think that the stacks
> on all architectures supported by musl are growing downwards. Worse case, this
> can always be improved later if needed.
> 
> This is taken from https://github.com/GrapheneOS/platform_bionic/commit/7024d880b51f03a796ff8832f1298f2f1531fd7b
> ---
>  src/env/__stack_chk_fail.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/src/env/__stack_chk_fail.c b/src/env/__stack_chk_fail.c
> index bf5a280a..45f948fe 100644
> --- a/src/env/__stack_chk_fail.c
> +++ b/src/env/__stack_chk_fail.c
> @@ -2,6 +2,11 @@
>  #include <stdint.h>
>  #include "pthread_impl.h"
>  
> +// Sacrifice 8 bits of entropy to mitigate non-terminated C string overflows
> +static const uintptr_t canary_mask = __BYTE_ORDER == __BIG_ENDIAN ?
> +  0x00ffffffffffffffUL :
> +  0xffffffffffffff00UL ;
> +
>  uintptr_t __stack_chk_guard;
>  
>  void __init_ssp(void *entropy)
> @@ -9,7 +14,7 @@ void __init_ssp(void *entropy)
>  	if (entropy) memcpy(&__stack_chk_guard, entropy, sizeof(uintptr_t));
>  	else __stack_chk_guard = (uintptr_t)&__stack_chk_guard * 1103515245;
>  
> -	__pthread_self()->canary = __stack_chk_guard;
> +	__pthread_self()->canary = __stack_chk_guard & canary_mask;
>  }
>  
>  void __stack_chk_fail(void)
> -- 
> 2.30.2

As written this patch assumes a 64-bit uintptr_t, which isn't ok.
Indeed 56 bits should be fine on a 64-bit arch, but dropping from 32
to 24 on a 32-bit arch severely weakens the protection. So it probably
needs to be conditional on 64-bit.

Also, zeroing the first byte means we can no longer catch buffer
overflows of the form "off-by-one string length". This seems
unfortunate. Putting the 0 byte at the end would solve that at the
expense of allowing the canary value to be leaked via missing
termination bugs, and overall I would lean towards catching actual
buffer overflow bugs vs stopping canary leaks.

Rich

  reply	other threads:[~2021-12-12 19:35 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-12-12 18:34 jvoisin
2021-12-12 19:35 ` Rich Felker [this message]
2021-12-13 12:24   ` jvoisin
2021-12-13 14:23     ` Rich Felker
2021-12-13 20:05       ` jvoisin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20211212193502.GF7074@brightrain.aerifal.cx \
    --to=dalias@libc.org \
    --cc=julien.voisin@dustri.org \
    --cc=musl@lists.openwall.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.vuxu.org/mirror/musl/

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).