This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug nptl/22850] New: Stack protector easy to bypass
- From: "blackzert at gmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Fri, 16 Feb 2018 12:09:04 +0000
- Subject: [Bug nptl/22850] New: Stack protector easy to bypass
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=22850
Bug ID: 22850
Summary: Stack protector easy to bypass
Product: glibc
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: nptl
Assignee: unassigned at sourceware dot org
Reporter: blackzert at gmail dot com
CC: drepper.fsp at gmail dot com
Target Milestone: ---
Created attachment 10825
--> https://sourceware.org/bugzilla/attachment.cgi?id=10825&action=edit
Proof Of Concept
The stack protector ("canary") should protect an application from being exploited by
stack-based buffer overflows. It is placed on the stack frame in the function prologue
and checked against a trusted value in the function epilogue.
For the x86 and x86-64 architectures the canary value is located in the structure
'tcbhead_t', field 'stack_guard'. A special register ('gs' for i386 and 'fs' for
x86-64) keeps a pointer to this structure. tcbhead_t.stack_guard is compared with the
one on the stack to detect stack smashing.
If an application creates a new thread with the pthread_create() function, the tcbhead_t
structure will be placed at the top of the thread's stack, so stack canary
protection could be easily bypassed - an attacker just needs to overflow enough
bytes to overwrite tcbhead_t.stack_guard with a controllable value. tcbhead_t
should be removed from the stack and allocated in a separate region.
Another good improvement here would be to generate a new canary value for each
thread. For now the stack canary is the same as the main thread's and is never changed.
--
You are receiving this mail because:
You are on the CC list for the bug.
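As an added example (not part of the bug report or of the attached proof of concept), the following C program checks the two layout facts the report relies on, from an inspection-only standpoint: that with glibc on Linux the thread descriptor returned by pthread_self() (which begins with tcbhead_t) lies inside the mapping of a pthread_create() thread's own stack, above the thread's frames, whereas the main thread's descriptor does not live on the main stack; and that on x86-64 the value at %fs:0x28 (tcbhead_t.stack_guard) read in the new thread equals the one read in the main thread. The %fs:0x28 offset is the x86-64 glibc layout the report describes; on other architectures the read is stubbed to 0. The struct and function names are this example's own, and it assumes glibc (pthread_getattr_np is a GNU extension).

```c
#define _GNU_SOURCE
#include <pthread.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Facts gathered about one thread (names are this example's own). */
struct thread_probe {
    uintptr_t tcb;        /* pthread_self(): struct pthread, starts with tcbhead_t */
    uintptr_t stack_lo;   /* lowest usable address of the thread's stack mapping */
    size_t    stack_size; /* usable size of that mapping (guard page excluded) */
    uintptr_t local_addr; /* address of a local in this thread's frame */
    uintptr_t guard;      /* tcbhead_t.stack_guard on x86-64 glibc, else 0 */
};

/* Read the canary the prologue/epilogue compare against on x86-64 glibc.
   0x28 is the offset of stack_guard inside tcbhead_t; other targets return 0. */
static uintptr_t read_stack_guard(void)
{
#if defined(__x86_64__) && defined(__linux__) && defined(__GLIBC__)
    uintptr_t g;
    __asm__ volatile ("mov %%fs:0x28, %0" : "=r"(g));
    return g;
#else
    return 0;
#endif
}

/* Fill a probe for the calling thread. Returns 0 on success. */
static int probe_current_thread(struct thread_probe *p)
{
    volatile char marker = 0;   /* lives in this thread's stack frame */
    pthread_attr_t attr;
    void *addr = NULL;
    size_t size = 0;

    memset(p, 0, sizeof *p);
    p->tcb = (uintptr_t) pthread_self();
    p->local_addr = (uintptr_t) &marker;
    p->guard = read_stack_guard();

    /* For the main thread glibc derives this from /proc and RLIMIT_STACK;
       for other threads it comes from the descriptor itself. */
    if (pthread_getattr_np(pthread_self(), &attr) != 0)
        return -1;
    pthread_attr_getstack(&attr, &addr, &size);
    pthread_attr_destroy(&attr);
    p->stack_lo = (uintptr_t) addr;
    p->stack_size = size;
    return 0;
}

static void *thread_main(void *arg)
{
    probe_current_thread((struct thread_probe *) arg);
    return NULL;
}

/* 1 if the descriptor (and so tcbhead_t.stack_guard) sits inside the
   thread's stack mapping and above the thread's own frames, else 0. */
int tcb_is_on_thread_stack(const struct thread_probe *p)
{
    return p->stack_size != 0
        && p->tcb >= p->stack_lo
        && p->tcb <  p->stack_lo + p->stack_size
        && p->tcb >  p->local_addr;
}

/* 1 if both threads see the same stack_guard value, else 0. */
int canary_is_shared(const struct thread_probe *a, const struct thread_probe *b)
{
    return a->guard == b->guard;
}

/* Probe the main thread and one freshly created thread. Returns 0 on success. */
int run_probe(struct thread_probe *main_p, struct thread_probe *thread_p)
{
    pthread_t t;
    probe_current_thread(main_p);   /* may fail without /proc; fields stay 0 */
    if (pthread_create(&t, NULL, thread_main, thread_p) != 0)
        return -1;
    pthread_join(t, NULL);
    return 0;
}

int main(void)
{
    struct thread_probe m, w;
    if (run_probe(&m, &w) != 0)
        return 1;
    printf("main  : tcb=%#lx stack=[%#lx,%#lx) on-stack=%d\n",
           (unsigned long) m.tcb, (unsigned long) m.stack_lo,
           (unsigned long) (m.stack_lo + m.stack_size), tcb_is_on_thread_stack(&m));
    printf("thread: tcb=%#lx stack=[%#lx,%#lx) on-stack=%d\n",
           (unsigned long) w.tcb, (unsigned long) w.stack_lo,
           (unsigned long) (w.stack_lo + w.stack_size), tcb_is_on_thread_stack(&w));
    printf("stack_guard shared between threads: %d\n", canary_is_shared(&m, &w));
    return 0;
}
```

The print-out shows the new thread's descriptor address falling a short distance below the top of its stack mapping while the main thread's descriptor lies elsewhere, which is the layout difference the report is about; the shared-guard line confirms the second observation, that pthread_create() copies the parent's canary rather than drawing a fresh one.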