stack protector guard value uses a static sentinel

Bug #275493 reported by Kees Cook on 2008-09-28
262
Affects Status Importance Assigned to Milestone
glibc (Ubuntu)
High
Kees Cook
Dapper
Undecided
Unassigned
Hardy
Medium
Kees Cook

Bug Description

glibc's SSP implementation is using only the static 0xff0a0000 guard value. Fedora has been carrying an unupstreamed glibc patch for 3 years to make this relatively random.

(see _dl_setup_stack_chk_guard):
http://cvs.fedora.redhat.com/viewvc/devel/glibc/glibc-fedora.patch?revision=1.283&view=markup

statement explaining the impact: stack overflow attacks are easier to launch when the stack guard is a known value.
how the bug has been addressed: Fedora patch ported in Intrepid, Jaunty. Karmic uses AT_RANDOM.
regression potential: comparing build log output shows no differences -- all tests seem to pass:
 https://edge.launchpad.net/~kees/+archive/ppa/+build/1159081

TEST CASE:
 bzr branch lp:~ubuntu-bugcontrol/qa-regression-testing/master qa-regression-testing
 cd qa-regression-testing/scripts
 sudo apt-get install lsb-release build-essential
 ./test-glibc-security.py -v

EXPECTED:
 Build helper tools ... (8.04) ok
 glibc heap protection ... ok
 sprintf not pre-truncated with -D_FORTIFY_SOURCE=2 ... (skipped: Hardy known broken) ok
 glibc pointer obfuscation ... ok
 Password hashes ... (md5) ok
 Stack guard exists ... ok
 Stack guard leads with zero byte ... ok
 Stack guard is randomized ... ok

CURRENTLY:
Stack guard is randomized ... FAIL

======================================================================
FAIL: Stack guard is randomized
----------------------------------------------------------------------
Traceback (most recent call last):
  File "./test-glibc-security.py", line 199, in test_82_stack_guard_randomized
    self.assertEqual(one != two and one != three and two != three, expected, one + two + three)
AssertionError: 0xff0a0000
0xff0a0000
0xff0a0000

Kees Cook (kees) wrote :
Changed in glibc:
assignee: nobody → kees
importance: Undecided → High
milestone: none → ubuntu-8.10-beta
status: New → In Progress
Kees Cook (kees) wrote :
Changed in glibc:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package glibc - 2.8~20080505-0ubuntu7

---------------
glibc (2.8~20080505-0ubuntu7) intrepid; urgency=low

  * Add debian/patches/ubuntu/stack-guard-quick-randomization.diff: do
    light-weight randomization of the stack guard value instead of using
    a static sentinel (LP: #275493).

 -- Kees Cook <email address hidden> Sun, 28 Sep 2008 09:30:01 -0700

Changed in glibc:
status: Fix Committed → Fix Released
Kees Cook (kees) on 2009-07-29
Changed in glibc (Ubuntu Dapper):
status: New → Triaged
Changed in glibc (Ubuntu Hardy):
status: New → Triaged
Kees Cook (kees) on 2009-07-30
Changed in glibc (Ubuntu Dapper):
status: Triaged → Won't Fix
Kees Cook (kees) wrote :

This is test_82_stack_guard_randomized in test-glibc-security.py from the qa-regression-testing suite, which has been updated to expect Hardy to pass now.

Changed in glibc (Ubuntu Hardy):
status: Triaged → In Progress
Kees Cook (kees) wrote :

Test builds running for a -proposed upload and SRU.

Changed in glibc (Ubuntu Hardy):
assignee: nobody → Kees Cook (kees)
importance: Undecided → Medium
Kees Cook (kees) wrote :
Kees Cook (kees) on 2009-08-12
description: updated
description: updated
Steve Langasek (vorlon) wrote :

FWIW, I'm having difficulty reconciling this proposed SRU with the following statement in the SRU policy (https://wiki.ubuntu.com/StableReleaseUpdates):

  Stable release updates will, in general, only be issued in order to fix high-impact bugs.

Have there been DSAs issued for vulnerabilities in hardy that would have been mitigated by this patch, or other evidence to support treating this as a "high-impact bug"?

Yes, the recent dhclient stack buffer overflow[1][2] used memcpy, not
strcpy, making this an issue for Hardy. There is evidence that attacks
were built against Ubuntu Hardy that took into account the static guard
value, which would have been stopped if the value was correctly
randomized.

Given that similar issues may again happen, I feel it is best to make
sure this protection is fixed for Hardy.

[1] http://www.ubuntu.com/usn/usn-803-1
[2] http://www.debian.org/security/2009/dsa-1833
[3] http://lists.immunitysec.com/pipermail/dailydave/2009-July/005829.html

Steve Langasek (vorlon) wrote :

Accepted into hardy-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in glibc (Ubuntu Hardy):
status: In Progress → Fix Committed
tags: added: verification-needed
Brian Murray (brian-murray) wrote :

I tested this on Hardy using libc6 2.7-10ubuntu4 and observed the test case failing. I then upgraded to libc6 2.7-10ubuntu5 and observed the test case pass. Thanks for providing such a great test case!

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package glibc - 2.7-10ubuntu5

---------------
glibc (2.7-10ubuntu5) hardy-proposed; urgency=low

  * stack-guard-quick-randomization.diff: use stack guard randomimzation
    patch from Intrepid (along with Jaunty tests patch) to stop using static
    sentinel (LP: #275493).

 -- Kees Cook <email address hidden> Wed, 29 Jul 2009 23:45:51 -0700

Changed in glibc (Ubuntu Hardy):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers