[Bug 413278] Re: stack protector guard value does not lead with a NULL byte
Bug Watch Updater
413278 at bugs.launchpad.net
Thu May 26 11:35:25 UTC 2011
Launchpad has imported 4 comments from the remote bug at
http://sourceware.org/bugzilla/show_bug.cgi?id=10149.
If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.
------------------------------------------------------------------------
On 2009-05-12T18:05:34+00:00 Kees Cook wrote:
When building the stack guard, it has been traditionally important to have the
value start (in memory) with a zero byte to protect the guard value (and the
rest of the stack past it) from being read via strcpy, etc.
This patch reduces the number of random bytes by one, leaving the
leading zero byte.
Reply at: https://bugs.launchpad.net/glibc/+bug/413278/comments/0
------------------------------------------------------------------------
On 2009-05-12T18:05:58+00:00 Kees Cook wrote:
Created attachment 3933
keep leading zero
Reply at: https://bugs.launchpad.net/glibc/+bug/413278/comments/1
------------------------------------------------------------------------
On 2009-05-14T21:48:40+00:00 Kees Cook wrote:
I should clarify -- the read-blocking is nice, but the more common reason the
leading zero is important is to avoid the guard being written as part of a
larger overflow being written out by a str* function, if its value were leaked
to an attacker in some other way.
Reply at: https://bugs.launchpad.net/glibc/+bug/413278/comments/2
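An added example, not glibc's code nor the QRT test's, that models the two properties Kees describes in comments 0 and 2: a frame holding a 16-byte buffer, the guard in memory order and the saved return address, a str*-style copy that stops at the first NUL, and the fix (zeroing the guard byte that comes first in memory) applied to the guard value from the failing test output below; the filler bytes and the replacement return address are constructed.

```c
#include <stddef.h>
#include <string.h>
/* Constructed frame layout: local buffer, the guard in memory order, the
 * saved return address, then room for a copy's terminating NUL. */
enum { BUF_LEN = 16, GUARD_LEN = 8, RET_LEN = 8 };
struct frame { unsigned char buf[BUF_LEN], guard[GUARD_LEN], ret[RET_LEN], beyond[8]; };
/* The guard the failing QRT test below reported, in memory order. */
const unsigned char FAILING_GUARD[GUARD_LEN] = {0x62,0x55,0x59,0x69,0xcd,0x20,0x39,0x80};

/* strcpy semantics on raw bytes: copy up to and including the first NUL. */
static void model_strcpy(unsigned char *dst, const unsigned char *src)
{
    while ((*dst++ = *src++) != 0) ;
}
/* The fix, modelled portably (not glibc's code): force the guard byte that
 * comes first in memory to zero. Returns a static copy. */
const unsigned char *with_leading_zero(const unsigned char guard[GUARD_LEN])
{
    static unsigned char fixed[GUARD_LEN];
    memcpy(fixed, guard, GUARD_LEN);
    fixed[0] = 0;
    return fixed;
}
/* Comment 2's scenario: the guard value is already known, and a str* copy of
 * filler + guard + new return address overflows the buffer. Returns 1 when the
 * guard still verifies but the return address changed, i.e. guard defeated. */
int str_overflow_bypasses_guard(const unsigned char guard[GUARD_LEN])
{
    static const unsigned char new_ret[RET_LEN] = {0x42,0x42,0x42,0x42,0x42,0x42,0x42,0x42};
    unsigned char src[BUF_LEN + GUARD_LEN + RET_LEN + 1];  /* constructed overflow */
    struct frame f;
    memset(&f, 0, sizeof f);
    memcpy(f.guard, guard, GUARD_LEN);
    memset(src, 'A', BUF_LEN);
    memcpy(src + BUF_LEN, guard, GUARD_LEN);
    memcpy(src + BUF_LEN + GUARD_LEN, new_ret, RET_LEN);
    src[sizeof src - 1] = 0;
    model_strcpy((unsigned char *)&f, src);   /* stops at the first 0x00 in src */
    return memcmp(f.guard, guard, GUARD_LEN) == 0 && memcmp(f.ret, new_ret, RET_LEN) == 0;
}
/* Comment 0's read-blocking property: a %s-style read of an unterminated buffer
 * runs to the first zero byte. Returns how many bytes past the buffer it exposes. */
size_t bytes_exposed_past_buffer(const unsigned char guard[GUARD_LEN])
{
    struct frame f;
    memset(&f, 0, sizeof f);          /* ret and beyond are zero: the read ends there */
    memset(f.buf, 'A', BUF_LEN);      /* no terminator inside the buffer */
    memcpy(f.guard, guard, GUARD_LEN);
    return strlen((const char *)&f) - BUF_LEN;
}
```

With the reported guard the copy carries the whole 32 bytes and the guard still verifies; once its first byte is zero the copy halts there and the read leaks nothing past the buffer.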
------------------------------------------------------------------------
On 2011-05-15T15:00:37+00:00 Drepper-fsp wrote:
I've applied a cleaner and more efficient patch.
Reply at: https://bugs.launchpad.net/glibc/+bug/413278/comments/11
** Changed in: glibc
Status: Confirmed => Fix Released
** Changed in: glibc
Importance: Unknown => Medium
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to eglibc in Ubuntu.
https://bugs.launchpad.net/bugs/413278
Title:
stack protector guard value does not lead with a NULL byte
Status in The GNU C Library:
Fix Released
Status in “eglibc” package in Ubuntu:
Fix Released
Status in “glibc” package in Ubuntu:
Invalid
Status in “eglibc” source package in Jaunty:
Invalid
Status in “glibc” source package in Jaunty:
Fix Released
Status in “eglibc” source package in Karmic:
Fix Released
Status in “glibc” source package in Karmic:
Invalid
Bug description:
IMPACT: stack protections are weakened due to the strcpy function being able to write the stack guard (since it does not start with a zero byte).
ADDRESSED: correctly implement leading zero, as done in Karmic.
DISCUSSION: regression potential is low, since the patch is isolated and well tested.
TEST CASE:
$ bzr branch lp:~ubuntu-bugcontrol/qa-regression-testing/master qa-regression-testing
$ cd qa-regression-testing/scripts
$ ./test-glibc-security.py -v
Build helper tools ... (9.10) ok
glibc heap protection ... ok
sprintf not pre-truncated with -D_FORTIFY_SOURCE=2 ... ok
glibc pointer obfuscation ... ok
Password hashes ... (sha512) ok
Stack guard exists ... ok
Stack guard leads with zero byte ... FAIL
Stack guard is randomized ... ok
======================================================================
FAIL: Stack guard leads with zero byte
----------------------------------------------------------------------
Traceback (most recent call last):
File "./test-glibc-security.py", line 170, in test_81_stack_guard_leads_zero
self.assertEqual(one.startswith('00 '), expected, one)
AssertionError: 62 55 59 69 cd 20 39 80
----------------------------------------------------------------------
Ran 8 tests in 0.145s
FAILED (failures=1)
expected outcome: 0 failures.
ProblemType: Bug
Architecture: amd64
Date: Thu Aug 13 13:59:02 2009
Dependencies:
findutils 4.4.2-1
gcc-4.4-base 4.4.1-1ubuntu3
libc6 2.10.1-0ubuntu6
libgcc1 1:4.4.1-1ubuntu3
DistroRelease: Ubuntu 9.10
Package: libc6 2.10.1-0ubuntu6
ProcEnviron:
LANGUAGE=en_US.UTF-8
PATH=(custom, user)
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-5.24-generic
SourcePackage: eglibc
Uname: Linux 2.6.31-5-generic x86_64