protect stack canary from leak via read-as-string by zeroing second byte
This reduces the entropy of the canary from 64 bits to 56 bits in exchange for mitigating non-terminated C string overflows: the second byte of the canary is set to nul, so an off-by-one write overflow of a nul byte can still be detected. Idea from GrapheneOS bionic commit 7024d880b51f03a796ff8832f1298f2f1531fd7b
This commit is contained in:
parent
7c0c7a75ec
commit
74a28a8af2
1 changed files with 9 additions and 0 deletions
9
src/env/__stack_chk_fail.c
vendored
9
src/env/__stack_chk_fail.c
vendored
|
@ -9,6 +9,15 @@ void __init_ssp(void *entropy)
|
|||
if (entropy) memcpy(&__stack_chk_guard, entropy, sizeof(uintptr_t));
|
||||
else __stack_chk_guard = (uintptr_t)&__stack_chk_guard * 1103515245;
|
||||
|
||||
#if UINTPTR_MAX >= 0xffffffffffffffff
|
||||
/* Sacrifice 8 bits of entropy on 64bit to prevent leaking/
|
||||
* overwriting the canary via string-manipulation functions.
|
||||
* The NULL byte is on the second byte so that off-by-ones can
|
||||
* still be detected. Endianness is taken care of
|
||||
* automatically. */
|
||||
((char *)&__stack_chk_guard)[1] = 0;
|
||||
#endif
|
||||
|
||||
__pthread_self()->canary = __stack_chk_guard;
|
||||
}
|
||||
|
||||
|
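Review bot: The new comment above `((char *)&__stack_chk_guard)[1] = 0;` says "NULL byte", but NULL is the null pointer constant; the byte being zeroed is the NUL character, and the distinction matters here because the whole point of the change is interaction with '\0'-terminated string functions, so `* The NUL byte is on the second byte so that off-by-ones can` would be the accurate wording. The same comment's "Endianness is taken care of automatically" would be clearer if it stated why: the index is into the guard's in-memory byte order, which is also the order in which a string-function overflow writes, so byte 1 in memory is the second byte clobbered on either endianness and no byte-swapping is needed. It may also be worth noting in the comment that the 32-bit case is deliberately left untouched because dropping 8 of 32 bits would cost a quarter of the canary, and that the zeroing is done before the copy into `__pthread_self()->canary` so both copies of the guard agree. The enclosing function `__init_ssp` starts before this hunk.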
|