This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/12189] __stack_chk_fail should not attempt a backtrace


https://sourceware.org/bugzilla/show_bug.cgi?id=12189

Steven Stewart-Gallus <sstewartgallus00 at mylangara dot bc.ca> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sstewartgallus00@mylangara.
                   |                            |bc.ca

--- Comment #12 from Steven Stewart-Gallus <sstewartgallus00 at mylangara dot bc.ca> ---
It might be possible to fork and execute a second uncorrupted process but
simply aborting is safer and lazier. Something like the following might work:

#include <signal.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * In a real implementation this would be a real crash reporting
 * program. It would use /proc to examine debugging information such
 * as the command line. It could also do ptrace debugger stuff. It
 * could also be set by a command line option.
 */
#define CRASH_REPORTER "/bin/echo"

void stack_overflow(void);

int main(void)
{
    stack_overflow();
    return 0;
}

void stack_overflow(void)
{
    /*
     * As soon as possible give control over to a fresh crash reporter
     * instance. If any bad things happen abort immediately and don't
     * risk compromise due to an attack from an enemy.
     */

    /*
     * Fork a copy of the program to be debugged from the crash
     * reporter instance. The copy of the program must be the child
     * because certain systems are hardened to only allow parents of
     * the processes to do certain debugging tasks.
     */
    pid_t child = fork();
    if (-1 == child) {
        abort();
    }

    if (0 == child) {
        /* Wait, stopped, for the reporter; if resumed, never run on. */
        raise(SIGSTOP);
        abort();
    }

    /*
     * Don't bother with sprintf to minimize the chance of attacks:
     * render the pid as decimal by hand, filling the buffer from the
     * right so the reporter receives a normal NUL-terminated string.
     */
    char child_string[3 * sizeof child + 2];
    char * child_str = child_string + sizeof child_string - 1;
    unsigned long n = (unsigned long) child;
    *child_str = '\0';
    do {
        *--child_str = (char) ('0' + n % 10);
        n /= 10;
    } while (n != 0);

    /*
     * execve the crash reporter to use the thinnest possible wrapper
     * over the system call.
     */
    char * argv[] = {
        (char *) CRASH_REPORTER,
        child_str,
        NULL
    };
    char * envp[] = { NULL };
    execve(CRASH_REPORTER, argv, envp);
    abort();
}

-- 
You are receiving this mail because:
You are on the CC list for the bug.
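The reporter side that the comment stands in for with /bin/echo, as an added example that is not from the bug report or from glibc: a minimal crash reporter that takes the child's pid as its only argument, reads /proc/<pid>/cmdline, prints one report line and then kills the stopped child instead of resuming it, so nothing runs in the corrupted image. It assumes Linux /proc and that it was execve'd by the child's parent, as in the sketch above; the function names are mine.

```c
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Rewrite the NUL-separated /proc/<pid>/cmdline bytes as one space-separated
 * C string in out; returns the number of characters written (before the NUL). */
size_t cmdline_to_line(const char *buf, size_t len, char *out, size_t outlen)
{
    size_t n = 0;
    if (len > 0 && buf[len - 1] == '\0')
        len--;                         /* /proc NUL-terminates the last argument too */
    for (size_t i = 0; i < len && n + 1 < outlen; i++)
        out[n++] = buf[i] ? buf[i] : ' ';
    if (outlen > 0)
        out[n] = '\0';
    return n;
}

/* Inspect the stopped child from this fresh process, report, then kill it.
 * The corrupted image is never resumed. Returns 0 on success, -1 on failure. */
int report_crash(pid_t child)
{
    char path[64], raw[4096], line[sizeof raw];
    snprintf(path, sizeof path, "/proc/%ld/cmdline", (long) child);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t got = read(fd, raw, sizeof raw);
    close(fd);
    if (got < 0)
        return -1;
    cmdline_to_line(raw, (size_t) got, line, sizeof line);
    printf("*** stack smashing detected in pid %ld: %s\n", (long) child, line);
    return kill(child, SIGKILL) == 0 ? 0 : -1;
}

/* argv[1] is the decimal pid handed over by the failing process. */
int main(int argc, char **argv)
{
    char *end;
    long pid = argc == 2 ? strtol(argv[1], &end, 10) : 0;
    if (pid <= 0 || *end != '\0') {
        fputs("usage: crash_reporter <pid>\n", stderr);
        return 2;
    }
    return report_crash((pid_t) pid) == 0 ? 0 : 1;
}
```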

