stack protector guard value does not lead with a NULL byte
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
GLibC | Fix Released | Medium | |
eglibc (Ubuntu) | Fix Released | Medium | Kees Cook |
Jaunty | Invalid | Medium | Unassigned |
Karmic | Fix Released | Medium | Kees Cook |
glibc (Ubuntu) | Invalid | Undecided | Unassigned |
Jaunty | Fix Released | Medium | Kees Cook |
Karmic | Invalid | Undecided | Unassigned |
Bug Description
IMPACT: stack protections are weakened because the strcpy function is able to write over the stack guard (since the guard does not start with a zero byte).
ADDRESSED: correctly implement leading zero, as done in Karmic.
DISCUSSION: regression potential is low, since the patch is isolated and well tested.
TEST CASE:
$ bzr branch lp:~ubuntu-bugcontrol/qa-regression-testing/master qa-regression-
$ cd qa-regression-
$ ./test-
Build helper tools ... (9.10) ok
glibc heap protection ... ok
sprintf not pre-truncated with -D_FORTIFY_SOURCE=2 ... ok
glibc pointer obfuscation ... ok
Password hashes ... (sha512) ok
Stack guard exists ... ok
Stack guard leads with zero byte ... FAIL
Stack guard is randomized ... ok
=======
FAIL: Stack guard leads with zero byte
-------
Traceback (most recent call last):
File "./test-
self.
AssertionError: 62 55 59 69 cd 20 39 80
-------
Ran 8 tests in 0.145s
FAILED (failures=1)
expected outcome: 0 failures.
ProblemType: Bug
Architecture: amd64
Date: Thu Aug 13 13:59:02 2009
Dependencies:
findutils 4.4.2-1
gcc-4.4-base 4.4.1-1ubuntu3
libc6 2.10.1-0ubuntu6
libgcc1 1:4.4.1-1ubuntu3
DistroRelease: Ubuntu 9.10
Package: libc6 2.10.1-0ubuntu6
ProcEnviron:
LANGUAGE=
PATH=(custom, user)
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcVersionSign
SourcePackage: eglibc
Uname: Linux 2.6.31-5-generic x86_64
Changed in | Field | Change
---|---|---
eglibc (Ubuntu Karmic) | assignee | nobody → Kees Cook (kees)
eglibc (Ubuntu Karmic) | importance | Undecided → Medium
eglibc (Ubuntu Karmic) | milestone | none → karmic-alpha-5
eglibc (Ubuntu Jaunty) | assignee | nobody → Kees Cook (kees)
eglibc (Ubuntu Jaunty) | importance | Undecided → Medium
eglibc (Ubuntu Jaunty) | status | New → Invalid
glibc (Ubuntu Karmic) | status | New → Invalid
eglibc (Ubuntu Jaunty) | assignee | Kees Cook (kees) → nobody
glibc (Ubuntu Jaunty) | assignee | nobody → Kees Cook (kees)
glibc (Ubuntu Jaunty) | importance | Undecided → Medium
glibc | status | Unknown → Confirmed
glibc | importance | Unknown → Medium
glibc | status | Confirmed → Fix Released
When building the stack guard, it has been traditionally important to have the
value start (in memory) with a zero byte to protect the guard value (and the
rest of the stack past it) from being read via strcpy, etc.
This patch reduces the number of random bytes by one, leaving the leading zero byte.
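The following is an added example, not code from the bug report, from glibc or from the Ubuntu patch. It models what the IMPACT line and the patch explanation above describe: a guard is built from constructed random input (the eight bytes printed by the failing assertion in the test case, reused here as stand-in entropy), the byte at the lowest address is zeroed as the fixed loader does, and the same "leads with zero byte" check the regression test performs is run against both versions. Two small helpers then show why that NUL matters for NUL-terminated string functions on both the read and the write side. All function names are invented for this example; the live read of `%fs:0x28` assumes an x86_64 Linux process under glibc or musl and is compiled out elsewhere.

```c
/*
 * Added example (not glibc's or the bug's own code): models the guard
 * construction the report describes and performs the same "leads with zero
 * byte" check the regression test runs.  All helper names are invented here.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the eight bytes printed by the failing assertion in the
 * report, used as stand-in random input.  None of them is zero. */
const unsigned char sample_random[8] =
    { 0x62, 0x55, 0x59, 0x69, 0xcd, 0x20, 0x39, 0x80 };

typedef union {
    uintptr_t num;
    unsigned char bytes[sizeof(uintptr_t)];
} guard_t;

/* Pre-fix behaviour: every guard byte is random. */
uintptr_t raw_guard(const unsigned char *random_bytes)
{
    guard_t g;
    memcpy(g.bytes, random_bytes, sizeof g.bytes);
    return g.num;
}

/* Fixed behaviour: give up one byte of randomness and make the byte at the
 * lowest address a NUL.  Working on bytes[0] rather than on the integer value
 * keeps this endianness-independent: it is always the first byte in memory,
 * which is the byte a string function walking upward reaches first. */
uintptr_t make_guard(const unsigned char *random_bytes)
{
    guard_t g;
    memcpy(g.bytes, random_bytes, sizeof g.bytes);
    g.bytes[0] = 0;
    return g.num;
}

/* The regression test's check: does the guard, as laid out in memory, begin
 * with a zero byte? */
int guard_leads_with_zero(uintptr_t guard)
{
    guard_t g;
    g.num = guard;
    return g.bytes[0] == 0;
}

/* Read side: an unterminated buffer sits directly below the guard.  A
 * strlen()/strcpy()-style walk stops at the first NUL, so this returns how
 * many guard bytes such a walk would still traverse (and could disclose). */
size_t guard_bytes_readable_past(uintptr_t guard)
{
    struct {
        unsigned char buf[8];   /* filled with 'A', never NUL-terminated */
        uintptr_t guard;        /* immediately above the buffer */
    } frame;
    memset(frame.buf, 'A', sizeof frame.buf);
    frame.guard = guard;

    const unsigned char *start = (const unsigned char *)&frame;
    const unsigned char *nul = memchr(start, 0, sizeof frame);
    size_t walked = nul ? (size_t)(nul - start) : sizeof frame;
    return walked - sizeof frame.buf;
}

/* Write side: a NUL-terminated copy can only lay down a value that contains
 * no interior zero, so a guard holding a NUL cannot be reproduced by one
 * strcpy() that then continues past it; the overwrite is detected instead. */
int nul_copy_can_cover_guard(uintptr_t guard)
{
    return memchr(&guard, 0, sizeof guard) == NULL;
}

/* Where available, read the guard the dynamic loader installed for this very
 * process (x86_64 TLS header slot used by glibc and musl). */
#if defined(__x86_64__) && defined(__linux__)
int live_guard_available(void) { return 1; }
uintptr_t read_live_guard(void)
{
    uintptr_t g;
    __asm__ ("mov %%fs:0x28, %0" : "=r"(g));
    return g;
}
#else
int live_guard_available(void) { return 0; }
uintptr_t read_live_guard(void) { return 0; }
#endif

int main(void)
{
    uintptr_t before = raw_guard(sample_random);
    uintptr_t after = make_guard(sample_random);

    printf("pre-fix guard leads with zero byte: %s\n",
           guard_leads_with_zero(before) ? "ok" : "FAIL");
    printf("fixed   guard leads with zero byte: %s\n",
           guard_leads_with_zero(after) ? "ok" : "FAIL");
    printf("guard bytes readable through an unterminated buffer: %zu -> %zu\n",
           guard_bytes_readable_past(before), guard_bytes_readable_past(after));
    printf("one strcpy() can reproduce the guard and keep going: %s -> %s\n",
           nul_copy_can_cover_guard(before) ? "yes" : "no",
           nul_copy_can_cover_guard(after) ? "yes" : "no");
    if (live_guard_available())
        printf("this process's own guard leads with zero byte: %s\n",
               guard_leads_with_zero(read_live_guard()) ? "ok" : "FAIL");
    return 0;
}
```

Run on the sample bytes, the pre-fix guard fails the check and is fully traversable by a NUL-terminated walk, while the fixed guard passes and stops the walk at its first byte. The last line of output is the same check the QRT test applies, here run against the guard of the process itself.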