10149 – stack guard should lead with zero byte to gain protections from str* writes

Bug 10149 - stack guard should lead with zero byte to gain protections from str* writes

Summary: stack guard should lead with zero byte to gain protections from str* writes

Status:	RESOLVED FIXED

Alias:	None

Product:	glibc
Classification:	Unclassified
Component:	libc (show other bugs)
Version:	unspecified

Importance:	P2 normal
Target Milestone:	---
Assignee:	Ulrich Drepper

URL:
Keywords:

Depends on:
Blocks:

Reported:	2009-05-12 18:05 IST by Kees Cook
Modified:	2014-07-01 20:34 IST (History)
CC List:	1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:

Flags:	fweimer: security-

Attachments
keep leading zero (786 bytes, patch) 2009-05-12 18:05 IST, Kees Cook	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Kees Cook 2009-05-12 18:05:34 IST

When building the stack guard, it has been traditionally important to have the
value start (in memory) with a zero byte to protect the guard value (and the
rest of the stack past it) from being read via strcpy, etc.

This patch reduces the number of random bytes by one, leaving the leading zero byte.

Comment 1 Kees Cook 2009-05-12 18:05:58 IST

Created attachment 3933 [details]
keep leading zero

Comment 2 Kees Cook 2009-05-14 21:48:40 IST

I should clarify -- the read-blocking is nice, but the more common reason the
leading zero is important is to avoid the guard being written as part of a
larger overflow being written out by a str* function, if its value were leaked
to an attacker in some other way.

Comment 3 Ulrich Drepper 2011-05-15 15:00:37 IST

I've applied a cleaner and more efficient patch.