RFC: Longjmp vs LD_POINTER_GUARD revisited

Paul Pluzhnikov ppluzhnikov@google.com
Sun Nov 15 23:06:00 GMT 2009


On Sun, Nov 15, 2009 at 2:35 PM, Daniel Jacobowitz <drow@false.org> wrote:

> There's a rotate and an xor involved; I don't believe this would work
> as written... sure, we could "discover" it from disassembling key
> functions automatically...

Oh, right. There was "plain XOR" in FC6, and shift-by-9 added in FC7.
Still it's trivial to discover the canary without disassembling
anything (disassembling requires symbols, which may be stripped):
there are only 3 different algorithms I've seen (no canary, XOR,
XOR+shift-by-9). Hmm, looks like x86_64 has XOR+shift-by-17 now, but
ia64, SPARC and PPC all have just "plain XOR".

Still I think this may be more robust than requiring debuginfo or
non-stripped glibc.

-- 
Paul Pluzhnikov
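The three mangling schemes the message lists (no mangling, plain XOR, XOR plus rotate by 9 or 17), modelled as an added example that is not part of the thread or of glibc. The guard values used in the checks are made up, the constants and helper names are this example's own, and a real process keeps its guard in thread-local storage (%fs:POINTER_GUARD on x86_64):

```c
#include <stdint.h>

/* Constructed model of glibc's PTR_MANGLE / PTR_DEMANGLE for the three schemes
   the message lists. Not glibc's code; the guard is a parameter here. */
enum mangle_scheme { MANGLE_NONE, MANGLE_XOR, MANGLE_XOR_ROL };

struct mangle_cfg {
    enum mangle_scheme scheme;
    unsigned bits;  /* word width: 32 on i386, 64 on x86_64 */
    unsigned rot;   /* rotate count: 9 or 17 in the message; needs 0 < rot < bits */
};

static const struct mangle_cfg cfg_none   = { MANGLE_NONE,    32, 0  }; /* no canary */
static const struct mangle_cfg cfg_xor32  = { MANGLE_XOR,     32, 0  }; /* plain XOR */
static const struct mangle_cfg cfg_i386   = { MANGLE_XOR_ROL, 32, 9  }; /* XOR + rol 9 */
static const struct mangle_cfg cfg_x86_64 = { MANGLE_XOR_ROL, 64, 17 }; /* XOR + rol 17 */

static uint64_t wmask(unsigned bits) { return bits == 64 ? ~UINT64_C(0) : (UINT64_C(1) << bits) - 1; }

static uint64_t rol(uint64_t v, unsigned n, unsigned bits)
{
    v &= wmask(bits);
    return ((v << n) | (v >> (bits - n))) & wmask(bits);
}
static uint64_t ror(uint64_t v, unsigned n, unsigned bits) { return rol(v, bits - n, bits); }

/* PTR_MANGLE, applied before a pointer is saved in a jmp_buf: xor, then rotate left. */
uint64_t ptr_mangle(uint64_t p, uint64_t guard, const struct mangle_cfg *c)
{
    switch (c->scheme) {
    case MANGLE_NONE: return p & wmask(c->bits);
    case MANGLE_XOR:  return (p ^ guard) & wmask(c->bits);
    default:          return rol(p ^ guard, c->rot, c->bits);
    }
}

/* PTR_DEMANGLE undoes the steps in reverse order: rotate right, then xor. */
uint64_t ptr_demangle(uint64_t m, uint64_t guard, const struct mangle_cfg *c)
{
    switch (c->scheme) {
    case MANGLE_NONE: return m & wmask(c->bits);
    case MANGLE_XOR:  return (m ^ guard) & wmask(c->bits);
    default:          return (ror(m, c->rot, c->bits) ^ guard) & wmask(c->bits);
    }
}

/* Debugger side: given one pointer whose plain value the unwinder already knows and
   its mangled copy from the jmp_buf, the guard follows without debuginfo or symbols. */
uint64_t recover_guard(uint64_t plain, uint64_t mangled, const struct mangle_cfg *c)
{
    if (c->scheme == MANGLE_NONE) return 0;
    uint64_t pre_xor = c->scheme == MANGLE_XOR ? mangled : ror(mangled, c->rot, c->bits);
    return (pre_xor ^ plain) & wmask(c->bits);
}
```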