This is the mail archive of the mailing list for the GDB project.
Re: RFC: Longjmp vs LD_POINTER_GUARD revisited
On Sun, Nov 15, 2009 at 2:35 PM, Daniel Jacobowitz <email@example.com> wrote:
> There's a rotate and an xor involved; I don't believe this would work
> as written... sure, we could "discover" it from disassembling key
> functions automatically...
Oh, right. There was "plain XOR" in FC6, and shift-by-9 added in FC7.
Still it's trivial to discover the canary without disassembling
anything (disassembling requires symbols, which may be stripped):
there are only 3 different algorithms I've seen (no canary, XOR,
XOR+shift-by-9). Hmm, looks like x86_64 has XOR+shift-by-17 now, but
ia64, SPARC and PPC all have just "plain XOR".
Still I think this may be more robust than requiring debuginfo or
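The mangling under discussion, as an added example that is neither GDB's nor glibc's code: PTR_MANGLE xors a saved pointer with the per-process pointer guard and then rotates it, PTR_DEMANGLE undoes the two steps in reverse order, and a debugger that must follow a longjmp has to demangle the saved PC. Assumptions: 64-bit words throughout (glibc's i386 variant rotates 32-bit registers, and the "shift" in the thread is a rotate), rotate amounts of 9 and 17 as listed in the thread, and that a jmp_buf carries two slots (PC and SP) mangled with the same guard, which is what lets a second pair tell the candidate schemes apart; the guard value used in the test is constructed.

```c
#include <stdint.h>

/* The schemes listed in the thread: none, plain XOR, XOR plus rotate by 9 or 17. */
typedef enum { ALG_NONE = 0, ALG_XOR, ALG_XOR_ROL9, ALG_XOR_ROL17 } mangle_alg;

static uint64_t rol64(uint64_t v, unsigned n) { n &= 63; return n ? (v << n) | (v >> (64 - n)) : v; }
static uint64_t ror64(uint64_t v, unsigned n) { n &= 63; return n ? (v >> n) | (v << (64 - n)) : v; }

static unsigned rot_amount(mangle_alg alg) {
    return alg == ALG_XOR_ROL9 ? 9 : alg == ALG_XOR_ROL17 ? 17 : 0;
}

/* PTR_MANGLE: xor with the guard, then rotate left (rotate by 0 for plain XOR). */
uint64_t ptr_mangle(mangle_alg alg, uint64_t guard, uint64_t p) {
    if (alg == ALG_NONE) return p;
    return rol64(p ^ guard, rot_amount(alg));
}

/* PTR_DEMANGLE: rotate right first, then xor; this is what a debugger applies
   to the saved PC in a jmp_buf to find where longjmp will land. */
uint64_t ptr_demangle(mangle_alg alg, uint64_t guard, uint64_t m) {
    if (alg == ALG_NONE) return m;
    return ror64(m, rot_amount(alg)) ^ guard;
}

/* For a known (plain, mangled) pair every scheme yields some guard value,
   so one pair alone cannot say which scheme is in use. */
uint64_t recover_guard(mangle_alg alg, uint64_t plain, uint64_t mangled) {
    if (alg == ALG_NONE) return 0;
    return ror64(mangled, rot_amount(alg)) ^ plain;
}

/* A second slot mangled with the same guard (assumed: PC and SP of one jmp_buf)
   discriminates: derive the guard from pair 1 and require it to reproduce pair 2.
   Returns the scheme and stores the guard, or -1 if no scheme is consistent. */
int identify_scheme(uint64_t plain1, uint64_t m1, uint64_t plain2, uint64_t m2,
                    uint64_t *guard_out) {
    for (int alg = ALG_NONE; alg <= ALG_XOR_ROL17; alg++) {
        uint64_t g = recover_guard((mangle_alg)alg, plain1, m1);
        if (ptr_mangle((mangle_alg)alg, g, plain1) == m1 &&
            ptr_mangle((mangle_alg)alg, g, plain2) == m2) {
            *guard_out = g;
            return alg;
        }
    }
    return -1;
}
```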