Lower 8 bits are always zero in stackguard value
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| gcc-defaults (Ubuntu) | Invalid | Undecided | Unassigned | |
Bug Description
The lower 8 bits are always zero in the stack guard value, which means the stack protector cannot detect the following stack smashing:
```
// get_input.c
#include <string.h>
int get_input(char *data)
{
    // as posted: the overwrite of `data` that smashes the stack is not included here
    return 0;
}
// main.c
#include <stdio.h>
#include <stdlib.h>
// custom guard value (GCC on x86_64/glibc reads the canary from %fs:0x28, not this symbol)
void *__stack_chk_guard = (void *)0xdeadbeef;
// called by the stack protector epilogue when the canary has changed
void __stack_chk_fail(void)
{
    fprintf(stderr, "Stack smashing detected.\n");
    exit(1);
}
int get_input(char *data);
int main(void)
{
    char buffer[8] = { 0 };
    get_input(buffer);
    return buffer[0];
}
```
When I look into the problem with gdb, fs:0x28 (the stack guard value) always has lower 8 bits like:
```
0x007fffffffe19
0x007fffffffe19
0x007fffffffe1a
0x007fffffffe1a
0x007fffffffe1b
0x007fffffffe1b
0x007fffffffe1c
0x007fffffffe1c
```
I don't know much about the stack protector, but I think this should be fixed. So I report this as a bug related to the stack protector to get more information. Please let me know if there is anything wrong with my report.
I attach my system information:
```
$ lsb_release -rd
Description: Ubuntu 21.10
Release: 21.10
$ gcc -v
➜ linux git:(study) gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_
OFFLOAD_
OFFLOAD_
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 11.2.0 (Ubuntu 11.2.0-7ubuntu2)
```
Thank you.
information type: Private Security → Public Security
I'd like to close this issue.
I found that there is code like the below in the Linux kernel (include/linux/random.h):
```
/*
 * On 64-bit architectures, protect against non-terminated C string overflows
 * by zeroing out the first byte of the canary; this leaves 56 bits of entropy.
 */
#ifdef CONFIG_64BIT
# ifdef __LITTLE_ENDIAN
#  define CANARY_MASK 0xffffffffffffff00UL
# else /* big endian, 64 bits: */
#  define CANARY_MASK 0x00ffffffffffffffUL
# endif
#else /* 32 bits: */
# define CANARY_MASK 0xffffffffUL
#endif
```
I found that stack overflow by a NULL character is already handled by the kernel code. This makes me confused.
Sorry for making noise to you.
Thank you,
Jason Kim
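As an added illustration of what that CANARY_MASK buys (this is not code from the report or from the kernel), here is a small C model of a little-endian frame laid out as buffer, canary, return slot (an assumed layout, not a real stack): a NUL-terminated string copied strcpy-style can reproduce an unmasked canary, but never one whose first byte in memory is 0x00, because the copy stops there.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 64-bit little-endian mask as in the kernel's random.h: low byte zeroed. */
#define CANARY_MASK 0xffffffffffffff00ULL

/* Toy frame model (assumption, not a real stack): buffer, canary, return slot. */
enum { BUF = 8, CANARY = 8, RET = 8, FRAME = BUF + CANARY + RET };

/* Apply the kernel mask; 56 bits of entropy remain. */
uint64_t mask_canary(uint64_t raw) { return raw & CANARY_MASK; }

static void put_le64(unsigned char *p, uint64_t v) {
    for (int i = 0; i < 8; i++) p[i] = (unsigned char)(v >> (8 * i));
}

/* A C string can reproduce a canary only if none of its 8 bytes is 0x00. */
int canary_forgeable_by_string(uint64_t canary) {
    for (int i = 0; i < 8; i++)
        if (((canary >> (8 * i)) & 0xff) == 0) return 0;
    return 1;
}

/* Copy `s` into the model frame exactly as strcpy would (byte by byte,
 * writing and then stopping at the first NUL), bounded by FRAME so the
 * model itself is memory-safe. Returns 1 only if the return slot changed
 * while the canary stayed intact: a corruption the protector would miss. */
int undetected_overwrite(uint64_t canary, const char *s) {
    unsigned char frame[FRAME], before[FRAME];
    memset(frame, 0, sizeof frame);
    put_le64(frame + BUF, canary);
    put_le64(frame + BUF + CANARY, 0x4141414141414141ULL); /* constructed value */
    memcpy(before, frame, sizeof frame);
    for (size_t i = 0; i < FRAME; i++) {
        frame[i] = (unsigned char)s[i];
        if (s[i] == '\0') break;
    }
    int canary_intact = memcmp(frame + BUF, before + BUF, CANARY) == 0;
    int ret_changed = memcmp(frame + BUF + CANARY, before + BUF + CANARY, RET) != 0;
    return canary_intact && ret_changed;
}

int main(void) {
    uint64_t raw = 0x1122334455667788ULL; /* constructed stand-in for a random canary */
    printf("raw canary forgeable by a C string:    %d\n", canary_forgeable_by_string(raw));
    printf("masked canary forgeable by a C string: %d\n", canary_forgeable_by_string(mask_canary(raw)));
    return 0;
}
```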