Home Explore Help
Sign In
hongwenjun
/
musl
mirror of https://git.musl-libc.org/git/musl
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

protect stack canary from leak via read-as-string by zeroing second byte

This reduces entropy of the canary from 64-bit to 56-bit in exchange
for mitigating non-terminated C string overflows by setting the second
byte of the canary to nul, so that off-by-one write overflow with a
nul byte can still be detected.

Idea from GrapheneOS bionic commit 7024d880b51f03a796ff8832f1298f2f1531fd7b
jvoisin 3 years ago
parent
7c0c7a75ec
commit
74a28a8af2
1 changed files with 9 additions and 0 deletions
Split View Show Diff Stats
  1. 9 0
      src/env/__stack_chk_fail.c

+ 9 - 0
src/env/__stack_chk_fail.c
View File 

@@ -9,6 +9,15 @@ void __init_ssp(void *entropy)
 
 	if (entropy) memcpy(&__stack_chk_guard, entropy, sizeof(uintptr_t));
 
 	else __stack_chk_guard = (uintptr_t)&__stack_chk_guard * 1103515245;
 
 
+#if UINTPTR_MAX >= 0xffffffffffffffff
 
+	/* Sacrifice 8 bits of entropy on 64bit to prevent leaking/
 
+	 * overwriting the canary via string-manipulation functions.
 
+	 * The NULL byte is on the second byte so that off-by-ones can
 
+	 * still be detected. Endianness is taken care of
 
+	 * automatically. */
 
+	((char *)&__stack_chk_guard)[1] = 0;
 
+#endif
 
+
 
 	__pthread_self()->canary = __stack_chk_guard;
 
 }