* [musl] [PATCH] Zero the leading stack canary byte
@ 2021-12-12 18:34 jvoisin
2021-12-12 19:35 ` Rich Felker
0 siblings, 1 reply; 5+ messages in thread
From: jvoisin @ 2021-12-12 18:34 UTC (permalink / raw)
To: musl; +Cc: jvoisin
This reduces entropy of the canary from 64-bit to 56-bit in exchange for
mitigating non-terminated C string overflows.
Checking the byte order should be "good enough", since I think that the stacks
on all architectures supported by musl are growing downwards. Worse case, this
can always be improved later if needed.
This is taken from https://github.com/GrapheneOS/platform_bionic/commit/7024d880b51f03a796ff8832f1298f2f1531fd7b
---
src/env/__stack_chk_fail.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/env/__stack_chk_fail.c b/src/env/__stack_chk_fail.c
index bf5a280a..45f948fe 100644
--- a/src/env/__stack_chk_fail.c
+++ b/src/env/__stack_chk_fail.c
@@ -2,6 +2,11 @@
#include <stdint.h>
#include "pthread_impl.h"
+// Sacrifice 8 bits of entropy to mitigate non-terminated C string overflows
+static const uintptr_t canary_mask = __BYTE_ORDER == __BIG_ENDIAN ?
+ 0x00ffffffffffffffUL :
+ 0xffffffffffffff00UL ;
+
uintptr_t __stack_chk_guard;
void __init_ssp(void *entropy)
@@ -9,7 +14,7 @@ void __init_ssp(void *entropy)
if (entropy) memcpy(&__stack_chk_guard, entropy, sizeof(uintptr_t));
else __stack_chk_guard = (uintptr_t)&__stack_chk_guard * 1103515245;
- __pthread_self()->canary = __stack_chk_guard;
+ __pthread_self()->canary = __stack_chk_guard & canary_mask;
}
void __stack_chk_fail(void)
--
2.30.2
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [musl] [PATCH] Zero the leading stack canary byte
2021-12-12 18:34 [musl] [PATCH] Zero the leading stack canary byte jvoisin
@ 2021-12-12 19:35 ` Rich Felker
2021-12-13 12:24 ` jvoisin
0 siblings, 1 reply; 5+ messages in thread
From: Rich Felker @ 2021-12-12 19:35 UTC (permalink / raw)
To: jvoisin; +Cc: musl
On Sun, Dec 12, 2021 at 07:34:40PM +0100, jvoisin wrote:
> This reduces entropy of the canary from 64-bit to 56-bit in exchange for
> mitigating non-terminated C string overflows.
>
> Checking the byte order should be "good enough", since I think that the stacks
> on all architectures supported by musl are growing downwards. Worse case, this
> can always be improved later if needed.
>
> This is taken from https://github.com/GrapheneOS/platform_bionic/commit/7024d880b51f03a796ff8832f1298f2f1531fd7b
> ---
> src/env/__stack_chk_fail.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/src/env/__stack_chk_fail.c b/src/env/__stack_chk_fail.c
> index bf5a280a..45f948fe 100644
> --- a/src/env/__stack_chk_fail.c
> +++ b/src/env/__stack_chk_fail.c
> @@ -2,6 +2,11 @@
> #include <stdint.h>
> #include "pthread_impl.h"
>
> +// Sacrifice 8 bits of entropy to mitigate non-terminated C string overflows
> +static const uintptr_t canary_mask = __BYTE_ORDER == __BIG_ENDIAN ?
> + 0x00ffffffffffffffUL :
> + 0xffffffffffffff00UL ;
> +
> uintptr_t __stack_chk_guard;
>
> void __init_ssp(void *entropy)
> @@ -9,7 +14,7 @@ void __init_ssp(void *entropy)
> if (entropy) memcpy(&__stack_chk_guard, entropy, sizeof(uintptr_t));
> else __stack_chk_guard = (uintptr_t)&__stack_chk_guard * 1103515245;
>
> - __pthread_self()->canary = __stack_chk_guard;
> + __pthread_self()->canary = __stack_chk_guard & canary_mask;
> }
>
> void __stack_chk_fail(void)
> --
> 2.30.2
As written this patch assumes a 64-bit uintptr_t, which isn't ok.
Indeed 56 bits should be fine on a 64-bit arch, but dropping from 32
to 24 on a 32-bit arch severely weakens the protection. So it probably
needs to be conditional on 64-bit.
Also, zeroing the first byte means we can no longer catch buffer
overflows of the form "off-by-one string length". This seems
unfortunate. Putting the 0 byte at the end would solve that at the
expense of allowing the canary value to be leaked via missing
termination bugs, and overall I would lean towards catching actual
buffer overflow bugs vs stopping canary leaks.
Rich
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [musl] [PATCH] Zero the leading stack canary byte
2021-12-12 19:35 ` Rich Felker
@ 2021-12-13 12:24 ` jvoisin
2021-12-13 14:23 ` Rich Felker
0 siblings, 1 reply; 5+ messages in thread
From: jvoisin @ 2021-12-13 12:24 UTC (permalink / raw)
To: musl; +Cc: jvoisin
> As written this patch assumes a 64-bit uintptr_t, which isn't ok.
> Indeed 56 bits should be fine on a 64-bit arch, but dropping from 32
> to 24 on a 32-bit arch severely weakens the protection. So it probably
> needs to be conditional on 64-bit.
Will do.
> Also, zeroing the first byte means we can no longer catch buffer
> overflows of the form "off-by-one string length". This seems
> unfortunate. Putting the 0 byte at the end would solve that at the
> expense of allowing the canary value to be leaked via missing
> termination bugs, and overall I would lean towards catching actual
> buffer overflow bugs vs stopping canary leaks.
As discussed on IRC, what about zero'ing the second byte instead? This
would allow to catch overflows, as well as preventing canary
leaks/overwrite via string-manipulating functions.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [musl] [PATCH] Zero the leading stack canary byte
2021-12-13 12:24 ` jvoisin
@ 2021-12-13 14:23 ` Rich Felker
2021-12-13 20:05 ` jvoisin
0 siblings, 1 reply; 5+ messages in thread
From: Rich Felker @ 2021-12-13 14:23 UTC (permalink / raw)
To: jvoisin; +Cc: musl
On Mon, Dec 13, 2021 at 01:24:38PM +0100, jvoisin wrote:
> > As written this patch assumes a 64-bit uintptr_t, which isn't ok.
> > Indeed 56 bits should be fine on a 64-bit arch, but dropping from 32
> > to 24 on a 32-bit arch severely weakens the protection. So it probably
> > needs to be conditional on 64-bit.
> Will do.
>
> > Also, zeroing the first byte means we can no longer catch buffer
> > overflows of the form "off-by-one string length". This seems
> > unfortunate. Putting the 0 byte at the end would solve that at the
> > expense of allowing the canary value to be leaked via missing
> > termination bugs, and overall I would lean towards catching actual
> > buffer overflow bugs vs stopping canary leaks.
> As discussed on IRC, what about zero'ing the second byte instead? This
> would allow to catch overflows, as well as preventing canary
> leaks/overwrite via string-manipulating functions.
That seems like a good idea too. Note that it can be done without
masking logic and large constants just with:
((char *)&__stack_chk_guard)[1] = 0;
And beginning or end could have been done just by reducing the memcpy
length by 1.
Rich
^ permalink raw reply [flat|nested] 5+ messages in thread
* [musl] [PATCH] Zero the leading stack canary byte
2021-12-13 14:23 ` Rich Felker
@ 2021-12-13 20:05 ` jvoisin
0 siblings, 0 replies; 5+ messages in thread
From: jvoisin @ 2021-12-13 20:05 UTC (permalink / raw)
To: musl; +Cc: jvoisin
This reduces entropy of the canary from 64-bit to 56-bit in exchange for
mitigating non-terminated C string overflows by setting the second byte
of the canary to NULL, so that off-by-one can still be detected.
This is taken from https://github.com/GrapheneOS/platform_bionic/commit/7024d880b51f03a796ff8832f1298f2f1531fd7b
---
src/env/__stack_chk_fail.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/env/__stack_chk_fail.c b/src/env/__stack_chk_fail.c
index bf5a280a..be31a88a 100644
--- a/src/env/__stack_chk_fail.c
+++ b/src/env/__stack_chk_fail.c
@@ -9,6 +9,14 @@ void __init_ssp(void *entropy)
if (entropy) memcpy(&__stack_chk_guard, entropy, sizeof(uintptr_t));
else __stack_chk_guard = (uintptr_t)&__stack_chk_guard * 1103515245;
+#if UINTPTR_MAX >= 0xffffffffffffffff
+ /* Sacrifice 8 bits of entropy on 64bit to prevent leaking/overwriting the
+ * canary via string-manipulation functions. The NULL byte is on the second
+ * byte so that off-by-ones can still be detected. Endianness is taken care
+ * of automatically. */
+ ((char *)&__stack_chk_guard)[1] = 0;
+#endif
+
__pthread_self()->canary = __stack_chk_guard;
}
--
2.30.2
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-12-13 20:06 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-12-12 18:34 [musl] [PATCH] Zero the leading stack canary byte jvoisin
2021-12-12 19:35 ` Rich Felker
2021-12-13 12:24 ` jvoisin
2021-12-13 14:23 ` Rich Felker
2021-12-13 20:05 ` jvoisin
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).