Bug 10149

Summary: stack guard should lead with zero byte to gain protections from str* writes
Product: glibc Reporter: Kees Cook <kees>
Component: libcAssignee: Ulrich Drepper <drepper.fsp>
Status: RESOLVED FIXED    
Severity: normal CC: adhemerval.zanella, bap.fayol, glassmtech, glibc-bugs, gulsenenginar, kimolsun2020, mark, mehmetgelisin, progonsaytu
Priority: P2 Flags: fweimer: security-
Version: unspecified   
Target Milestone: ---   
Host: Target:
Build: Last reconfirmed:
Attachments: keep leading zero

Description Kees Cook 2009-05-12 18:05:34 UTC
When building the stack guard, it has been traditionally important to have the
value start (in memory) with a zero byte to protect the guard value (and the
rest of the stack past it) from being read via strcpy, etc.

This patch reduces the number of random bytes by one, leaving the leading zero byte.
Comment 1 Kees Cook 2009-05-12 18:05:58 UTC
Created attachment 3933 [details]
keep leading zero
Comment 2 Kees Cook 2009-05-14 21:48:40 UTC
I should clarify -- the read-blocking is nice, but the more common reason the
leading zero is important is to avoid the guard being written as part of a
larger overflow being written out by a str* function, if its value were leaked
to an attacker in some other way.
Comment 3 Ulrich Drepper 2011-05-15 15:00:37 UTC
I've applied a cleaner and more efficient patch.
Comment 4 Kim Olsun 2021-09-05 07:39:00 UTC Comment hidden (spam)
Comment 5 Mehmet gelisin 2021-09-10 19:36:44 UTC Comment hidden (spam)
Comment 6 Gulsen Engin 2021-10-09 11:00:05 UTC Comment hidden (spam)
Comment 7 progonsaytu 2021-10-19 07:15:04 UTC Comment hidden (spam)
Comment 8 yaoltreza 2021-10-21 06:45:25 UTC Comment hidden (spam)
Comment 9 glassmtech 2021-10-24 10:03:23 UTC Comment hidden (spam)