Bug 10149

Summary:	stack guard should lead with zero byte to gain protections from str* writes
Product:	glibc	Reporter:	Kees Cook <kees>
Component:	libc	Assignee:	Ulrich Drepper <drepper.fsp>
Status:	RESOLVED FIXED
Severity:	normal	CC:	adhemerval.zanella, bap.fayol, bryanmcsp, glassmtech, glibc-bugs, gulsenenginar, kimolsun2020, mark, mehmetgelisin, progonsaytu
Priority:	P2	Flags:	fweimer: security-
Version:	unspecified
Target Milestone:	---
Host:		Target:
Build:		Last reconfirmed:
Project(s) to access:		ssh public key:
Attachments:	keep leading zero

Description Kees Cook 2009-05-12 18:05:34 UTC

When building the stack guard, it has been traditionally important to have the
value start (in memory) with a zero byte to protect the guard value (and the
rest of the stack past it) from being read via strcpy, etc.

This patch reduces the number of random bytes by one, leaving the leading zero byte.

Comment 1 Kees Cook 2009-05-12 18:05:58 UTC

Created attachment 3933 [details]
keep leading zero

Comment 2 Kees Cook 2009-05-14 21:48:40 UTC

I should clarify -- the read-blocking is nice, but the more common reason the
leading zero is important is to avoid the guard being written as part of a
larger overflow being written out by a str* function, if its value were leaked
to an attacker in some other way.

Comment 3 Ulrich Drepper 2011-05-15 15:00:37 UTC

I've applied a cleaner and more efficient patch.

Comment 4 Kim Olsun 2021-09-05 07:39:00 UTC Comment hidden (spam)

http://www.iu-bloomington.com/
https://komiya-dental.com/
http://steemfilter.space/
http://michielleunens.tech/
http://sleepypoetstuff.website/
http://biciclubvalencia.website/
http://reputation-management.site/
http://pitesti.online/
http://tobuweb.space/
http://ancientmariners.online/
http://betwsycoednet.online
http://kuzin.website
http://kundaliniyoga.tech
http://localpay.tech
http://my-iframe.online
http://getimov.xyz/
http://ooviv.xyz/
http://mirei.xyz
http://toblek.xyz/
http://sevenwonders.store
http://peralga.xyz/
https://texastourgear.live
http://freixenet.site/influencerprogramme/
http://timvanorden.store/
http://rhee.tech/
http://f3group.online/
https://www.hlungomare.store/
https://www.lungomarebikehotel.store
http://www.lvmaimai.xyz/
https://sozdanie.site/
http://www.tabletshop.xyz/
http://steroidslegit.xyz/
http://ruirui.store/
http://www.foamhands.store/
http://www.i-obchody.info/
http://naughtyrobot.digital/
https://www.webb-dev.co.uk/
https://waytowhatsnext.com/
http://troubadourtunes.online/
http://www.babygadgets.xyz/
http://agens128.site/
http://hydra-official.site/
http://www.gardensupplies.xyz/
http://www.learntosurf.xyz/
http://www.handmadecandle.xyz/
http://www.divingcourses.xyz/
http://www.vapingpro.xyz/
http://www.partypieces.xyz/
http://www.cookwareonline.xyz/
http://www.fencesuppliers.xyz/
http://alaskamysterypictures.website/
http://j70sanfranciscobay.website
http://vloerverwarming.xyz/
http://koffieautomaat.xyz/
http://motherlode.store/
http://yamaro-everyfish.store/
http://ipatovo.store/
http://tinguely.site/
http://wasillahomes.website/
http://www-look-4.com/

Comment 5 Mehmet gelisin 2021-09-10 19:36:44 UTC Comment hidden (spam)

gdb/dwarf: disable per-BFD resource sharing for -readnow objfiles

New in v2:

- Disable sharing only for -readnow objfiles, not all objfiles.

As described in PR 27541, we hit an internal error when loading a binary
the standard way and then loading it with the -readnow option:

$ ./gdb -nx -q --data-directory=data-directory ~/a.out -ex "set confirm off" -ex "file -readnow ~/a.out"
Reading symbols from /home/simark/a.out...
Reading symbols from ~/a.out...
/home/simark/src/binutils-gdb/gdb/dwarf2/read.c:8098: internal-error: void create_all_comp_units(dwarf2_per_objfile*): Assertion `per_objfile->per_bfd->all_comp_units.empty ()' failed.

This is a recurring problem that exposes a design issue in the DWARF
per-BFD sharing feature. Things work well when loading a binary with
the same method (with/without index, with/without readnow) twice in a
row. But they don't work so well when loading a binary with different
methods. See this previous fix, for example:

efb763a5ea35 ("gdb: check for partial symtab presence in dwarf2_initialize_objfile")

That one handled the case where the first load is normal (uses partial
symbols) and the second load uses an index.

I think the most sensible fix would be to not share a dwarf2_per_bfd
between two objfiles loaded with different methods. That means that two
objfiles sharing the same BFD and loaded the same way would share a
dwarf2_per_bfd. Two objfiles sharing the same BFD but loaded with
different methods would use two different dwarf2_per_bfd structures. http://www.iu-bloomington.com/

However, this isn't a trivial change. So to fix the known issue quickly
(including in the gdb 10 branch), this patch just disables all
dwarf2_per_bfd sharing for objfiles using READNOW.

Generalize the gdb.base/index-cache-load-twice.exp test to test all
the possible combinations of loading a file with partial symtabs, index
and readnow. Move it to gdb.dwarf2, since it really exercises features
of the DWARF
gdb/dwarf: disable per-BFD resource sharing for -readnow objfiles
https://www.webb-dev.co.uk/
New in v2:

- Disable sharing only for -readnow objfiles, not all objfiles.

As described in PR 27541, we hit an internal error when loading a binary
the standard way and then loading it with the -readnow option:
https://waytowhatsnext.com/
$ ./gdb -nx -q --data-directory=data-directory ~/a.out -ex "set confirm off" -ex "file -readnow ~/a.out"
Reading symbols from /home/simark/a.out...
Reading symbols from ~/a.out...
/home/simark/src/binutils-gdb/gdb/dwarf2/read.c:8098: internal-error: void create_all_comp_units(dwarf2_per_objfile*): Assertion `per_objfile->per_bfd->all_comp_units.empty ()' failed.
http://www.acpirateradio.co.uk/
This is a recurring problem that exposes a design issue in the DWARF
per-BFD sharing feature. Things work well when loading a binary with
the same method (with/without index, with/without readnow) twice in a
row. But they don't work so well when loading a binary with different
methods. See this previous fix, for example: http://www.logoarts.co.uk/

efb763a5ea35 ("gdb: check for partial symtab presence in dwarf2_initialize_objfile")

That one handled the case where the first load is normal (uses partial
symbols) and the second load uses an index. http://www.slipstone.co.uk/

I think the most sensible fix would be to not share a dwarf2_per_bfd
between two objfiles loaded with different methods. http://connstr.net/ That means that two
objfiles sharing the same BFD and loaded the same way would share a
dwarf2_per_bfd. Two objfiles http://joerg.li/ sharing the same BFD but loaded with
different methods would use two different dwarf2_per_bfd structures. http://www.jopspeech.com/

However, this isn't a trivial change. So to fix the known issue quickly
(including in the gdb 10 branch), this patch just disables all http://www.wearelondonmade.com/
dwarf2_per_bfd sharing for objfiles using READNOW.

Generalize the gdb.base/index-cache-load-twice.exp test to test all http://www.compilatori.com/
the possible combinations of loading a file with partial symtabs, index
and readnow. Move it to gdb.dwarf2, since it really exercises features
of the DWARF http://www-look-4.com/

Comment 6 Gulsen Engin 2021-10-09 11:00:05 UTC Comment hidden (spam)

$ ./gdb -nx -q --data-directory=data-directory ~/a.out -ex "set confirm off" -ex "file -readnow ~/a.out" http://www-look-4.com/category/technology/
Reading symbols from /home/simark/a.out...
Reading symbols from ~/a.out...
/home/simark/src/binutils-gdb/gdb/dwarf2/read.c:8098: https://komiya-dental.com/shopping/safety-for-online-shopping/ internal-error: void create_all_comp_units(dwarf2_per_objfile*): Assertion `per_objfile->per_bfd->all_comp_units.empty ()' failed.
http://www.iu-bloomington.com/health/health-and-cannabis/
This is a recurring problem that exposes a design issue in the DWARF
per-BFD sharing feature. Things work well when loading a binary with https://waytowhatsnext.com/crypto/bought-house-with-bitcoin/
the same method (with/without index, with/without readnow) twice in a
row. But they don't work so well when loading a binary with different
methods. See this previous fix, for example:
http://www.wearelondonmade.com/category/health/
efb763a5ea35 ("gdb: check for partial symtab presence in dwarf2_initialize_objfile")

That one handled the case where the first load is normal (uses partial
symbols) and the second load uses an index. http://www.jopspeech.com/category/services/

The problem is that when loading an objfile with a method A, we create a
dwarf2_per_bfd and some dwarf2_per_cu_data and initialize them with the
data belonging to that method. http://joerg.li/category/health/ When loading another obfile sharing the
same BFD but with a different method B, it's not clear how to re-use the
dwarf2_per_bfd/dwarf2_per_cu_data previously created, because they
contain the data specific to method A http://connstr.net/category/health/
$ ./gdb -nx -q --data-directory=data-directory ~/a.out -ex "set confirm off" -ex "file -readnow ~/a.out" http://embermanchester.uk/category/health/
Reading symbols from /home/simark/a.out...
Reading symbols from ~/a.out...
/home/simark/src/binutils-gdb/gdb/dwarf2/read.c:8098: internal-error: void create_all_comp_units(dwarf2_per_objfile*): Assertion http://www.slipstone.co.uk/category/health/ `per_objfile->per_bfd->all_comp_units.empty ()' failed.

This is a recurring problem that exposes a design issue in the DWARF http://www.logoarts.co.uk/category/services/
per-BFD sharing feature. Things work well when loading a binary with
the same method (with/without index, with/without readnow) twice in a
row. But they don't work so well when http://www.acpirateradio.co.uk/category/tech/ loading a binary with different
methods. See this previous fix, for example:

efb763a5ea35 ("gdb: check for partial symtab presence in dwarf2_initialize_objfile")
http://www.compilatori.com/category/health/
That one handled the case where the first load is normal (uses partial
symbols) and the second load uses an index.

The problem is that when loading an objfile with a method A, we create a
dwarf2_per_bfd and some dwarf2_per_cu_data and initialize them with the
data belonging to that method. When loading another obfile sharing the
same BFD but with a different method B, it's not clear how to re-use the
dwarf2_per_bfd/dwarf2_per_cu_data previously created, because they
contain the data specific to method A https://www.webb-dev.co.uk/health/health-and-cannabis/
$ ./gdb -nx -q --data-directory=data-directory ~/a.out -ex "set confirm off" -ex "file -readnow ~/a.out"
Reading symbols from /home/simark/a.out...
Reading symbols from ~/a.out...
/home/simark/src/binutils-gdb/gdb/dwarf2/read.c:8098: internal-error: void create_all_comp_units(dwarf2_per_objfile*): Assertion `per_objfile->per_bfd->all_comp_units.empty ()' failed.

efb763a5ea35 ("gdb: check for partial symtab presence in dwarf2_initialize_objfile"

Comment 7 progonsaytu 2021-10-19 07:15:04 UTC Comment hidden (spam)

https://www.ремонты-квартир.com/
https://www.дизайн-квартиры.com/
https://www.о-ремонте.com/
https://www.о-заборах.com/
https://www.bsegypt.com/
https://www.buyingrealty.net/
https://www.khersonnews.com/
https://www.kontrolstroy.info/
https://www.sama-mama.com/
https://www.secretovnet.org/
https://www.teleriko.com/
https://www.us-best-store.com/
https://www.віктор.com/
https://www.accord-hotel.ru/
https://releazer.ru/
https://www.a-n-e-k-d-o-t.ru/
https://www.adhan.ru/
http://www.al-aures.ru/
https://www.apriori-design.ru/
http://artdoski.ru/
https://www.bombusmod.net.ru/
https://www.canadianahealthandcaremallreviews.ru/
https://www.celestiaproject.ru/
https://www.cryptogu.ru/
https://www.downloadskypefree.ru/
https://www.encyclopedia-flowers.ru/
https://www.factura.net.ru/
http://freewizards.ru/
http://futurefactory.ru/
https://glina-med.ru/
http://google-dmoz.ru/
http://iix.su/
https://www.imperia51.ru/
https://www.info-tehnologii.ru/
https://www.kvartira-v-bolgarii.ru/
https://ljubi-i-pozdravljaj.ru/
https://www.majesticarticles.ru/
https://www.onlinecredit247.ru/
https://www.orfey.net.ru/
https://www.pgpk.net.ru/
https://www.rainbow.net.ru/
http://www.rainbowbaby.ru/
http://www.respublika-okon.ru/
https://ribku-lovim.ru/
http://rusorchestra.ru/
http://shmoscow.ru/
https://www.skifspb.ru/
https://www.spare.net.ru/
https://www.stranainform.ru/
https://www.taxi-smile.ru/
https://www.tkanishik.ru/
http://www.tremulous.net.ru/
https://trust-women.ru/
http://uralbel.ru/
https://www.yar-art-union.ru/
https://www.xn----7sbcngq4awkg0k.xn--p1ai/
https://www.xn----7sbbmgbytlh3a0ll.xn--p1ai/
https://www.xn--35-mlcuxidl.xn--p1ai/
https://www.xn--f1addf1alkk1d.xn--p1ai/
https://www.history-of-great-discoveries.com/
https://www.it-business-trends.com
https://www.interesting-history-of-art.com
https://www.interesting-news-about-cars.com
https://www.architecture-and-design-news.com
https://history-of-great-discoveries.blogspot.com/
https://it-business-trends.blogspot.com/
https://interesting-history-of-art.blogspot.com/
https://interesting-news-about-cars.blogspot.com/
https://architecture-and-design-news.blogspot.com/
https://www.secretovnet.org/archives/18806 
https://www.secretovnet.org/archives/17685 
https://www.secretovnet.org/archives/17683 
https://www.secretovnet.org/archives / 17681 
https://www.secretovnet.org/archives/13740 
https://www.secretovnet.org/archives/13737 
https://www.secretovnet.org/archives/13734 
https://www.secretovnet.org / archives / 13732 
https://www.secretovnet.org/archives/13729 
https://www.secretovnet.org/archives/17679 
https://www.secretovnet.org/archives/17677 
https://www.secretovnet .org / archives / 17675 
https://www.secretovnet.org/archives/17670 
https://www.secretovnet.org/archives/17667 
https://www.secretovnet.org/archives/18686
https://www.secretovnet.org/archives/18684 
https://www.secretovnet.org/archives/18682 
https://www.secretovnet.org/archives/17665 
https://www.secretovnet.org/archives / 17663 
https://www.secretovnet.org/archives/17661 
https://www.secretovnet.org/archives/17659 
https://www.secretovnet.org/archives/17657 
https://www.secretovnet.org / archives / 13723 
https://www.secretovnet.org/archives/13717 
https://www.secretovnet.org/archives/13714 
https://www.secretovnet.org/archives/13711 
https://www.secretovnet .org / archives / 13708 
https://www.secretovnet.org/archives/17655 
https://www.secretovnet.org/archives/13702 
https://www.secretovnet.org/archives/17647
https://www.secretovnet.org/archives/17645

Comment 8 yaoltreza 2021-10-21 06:45:25 UTC Comment hidden (spam)

thank you guys for sharing your tips. https://www.depannage-auto-dijon.com

Comment 9 glassmtech 2021-10-24 10:03:23 UTC Comment hidden (spam)

http://www.ремонты-квартир.com/
http://www.дизайн-квартиры.com/
http://www.о-ремонте.com/
http://www.о-заборах.com/
http://www.bsegypt.com/
http://www.buyingrealty.net/
http://www.khersonnews.com/
http://www.kontrolstroy.info/
http://www.sama-mama.com/
http://www.secretovnet.org/
http://www.teleriko.com/
http://www.us-best-store.com/
http://www.віктор.com/
http://www.accord-hotel.ru/
http://releazer.ru/
http://www.a-n-e-k-d-o-t.ru/
http://www.adhan.ru/
https://www.al-aures.ru/
http://www.apriori-design.ru/
https://artdoski.ru/
http://www.bombusmod.net.ru/
http://www.canadianahealthandcaremallreviews.ru/
http://www.celestiaproject.ru/
http://www.cryptogu.ru/
http://www.downloadskypefree.ru/
http://www.encyclopedia-flowers.ru/
http://www.factura.net.ru/
https://freewizards.ru/
https://futurefactory.ru/
http://glina-med.ru/
https://google-dmoz.ru/
https://iix.su/
http://www.imperia51.ru/
http://www.info-tehnologii.ru/
http://www.kvartira-v-bolgarii.ru/
http://ljubi-i-pozdravljaj.ru/
http://www.majesticarticles.ru/
http://www.onlinecredit247.ru/
http://www.orfey.net.ru/
http://www.pgpk.net.ru/
http://www.rainbow.net.ru/
https://www.rainbowbaby.ru/
https://www.respublika-okon.ru/
http://ribku-lovim.ru/
https://rusorchestra.ru/
https://shmoscow.ru/
http://www.skifspb.ru/
http://www.spare.net.ru/
http://www.stranainform.ru/
http://www.taxi-smile.ru/
http://www.tkanishik.ru/
https://www.tremulous.net.ru/
http://trust-women.ru/
https://uralbel.ru/
http://www.yar-art-union.ru/
http://www.xn----7sbcngq4awkg0k.xn--p1ai/
http://www.xn----7sbbmgbytlh3a0ll.xn--p1ai/
http://www.xn--35-mlcuxidl.xn--p1ai/
http://www.xn--f1addf1alkk1d.xn--p1ai/
http://www.history-of-great-discoveries.com/
http://www.it-business-trends.com
http://www.interesting-history-of-art.com
http://www.interesting-news-about-cars.com
http://www.architecture-and-design-news.com
https://ремонты-квартир.com/
https://дизайн-квартиры.com/
https://о-ремонте.com/
https://о-заборах.com/
https://bsegypt.com/
https://buyingrealty.net/
https://khersonnews.com/
https://kontrolstroy.info/
https://sama-mama.com/
https://secretovnet.org/
https://teleriko.com/
https://us-best-store.com/
https://віктор.com/
https://accord-hotel.ru/
https://www.releazer.ru/
https://a-n-e-k-d-o-t.ru/
https://adhan.ru/
http://al-aures.ru/
https://apriori-design.ru/
http://www.artdoski.ru/
https://bombusmod.net.ru/
https://canadianahealthandcaremallreviews.ru/
https://celestiaproject.ru/
https://cryptogu.ru/
https://downloadskypefree.ru/
https://encyclopedia-flowers.ru/
https://factura.net.ru/
http://www.freewizards.ru/
http://www.futurefactory.ru/
https://www.glina-med.ru/
http://www.google-dmoz.ru/
http://www.iix.su/
https://imperia51.ru/
https://info-tehnologii.ru/
https://kvartira-v-bolgarii.ru/
https://www.ljubi-i-pozdravljaj.ru/
https://majesticarticles.ru/
https://onlinecredit247.ru/
https://orfey.net.ru/
https://pgpk.net.ru/
https://rainbow.net.ru/
http://rainbowbaby.ru/
http://respublika-okon.ru/
https://www.ribku-lovim.ru/
http://www.rusorchestra.ru/
http://www.shmoscow.ru/
https://skifspb.ru/
https://spare.net.ru/
https://stranainform.ru/
https://taxi-smile.ru/
https://tkanishik.ru/
http://tremulous.net.ru/
https://www.trust-women.ru/
http://www.uralbel.ru/
https://yar-art-union.ru/
https://xn----7sbcngq4awkg0k.xn--p1ai/
https://xn----7sbbmgbytlh3a0ll.xn--p1ai/
https://xn--35-mlcuxidl.xn--p1ai/
https://xn--f1addf1alkk1d.xn--p1ai/
https://history-of-great-discoveries.com/
https://it-business-trends.com
https://interesting-history-of-art.com
https://interesting-news-about-cars.com
https://architecture-and-design-news.com

Comment 10 Takkelink 2021-11-10 14:12:36 UTC Comment hidden (spam)

When building the stack guard, it has been traditionally important to have the
value start (in memory) with a zero byte to protect the guard value (and the
rest of the stack past it) from being read via strcpy, etc.

This patch reduces the number of random bytes by one, leaving the leading zero byte. https://www.kildarehousebuilders.ie