RFC: Longjmp vs LD_POINTER_GUARD revisited

Daniel Jacobowitz drow@false.org
Mon Nov 16 14:37:00 GMT 2009


On Sun, Nov 15, 2009 at 03:05:33PM -0800, Paul Pluzhnikov wrote:
> Still it's trivial to discover the canary without disassembling
> anything (disassembling requires symbols, which may be stripped):
> there are only 3 different algorithms I've seen (no canary, XOR,
> XOR+shift-by-9). Hmm, looks like x86_64 has XOR+shift-by-17 now, but
> ia64, SPARC and PPC all have just "plain XOR".

I don't know about "trivial" - could you explain how you would do this
without disassembling?  I think that at the least we'd have to call
setjmp in the inferior, which has risks with signals / multiple
threads / etc.  I don't think we call functions in the inferior for
discovery otherwise.

(Also I'm not entirely comfortable having GDB call functions
silently.  We do this for malloc, yes - IMO there ought to be an
option to turn that off.  This is a nasty gotcha that folks using GDB
for software forensics may not consider...)

IMO the debug info is quite commonly available now, but I wonder what
other folks see.  Doesn't Red Hat's GDB suggest debuginfo RPMs that
you should install?

-- 
Daniel Jacobowitz
CodeSourcery
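As an added illustration of what the thread is arguing about (not code from this message or from glibc/GDB): the guard mangling Paul describes, modelled as XOR with the per-process pointer guard followed by a rotate, with the rotate count selecting the "plain XOR" (0), i386 (9) or x86_64 (17) variant. The pointer and guard values below are constructed; glibc's real macros are the assembly PTR_MANGLE/PTR_DEMANGLE, and i386 works on 32-bit words, whereas this model uses 64-bit words throughout.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Rotate helpers; a count of 0 is the "plain XOR" case and must not
   shift by 64, which would be undefined behaviour. */
static uint64_t rotl64(uint64_t x, unsigned n) {
    n &= 63;
    return n ? (x << n) | (x >> (64 - n)) : x;
}
static uint64_t rotr64(uint64_t x, unsigned n) {
    n &= 63;
    return n ? (x >> n) | (x << (64 - n)) : x;
}

/* PTR_MANGLE-style: (ptr ^ guard) rotated left by rot bits. */
uint64_t mangle_ptr(uint64_t ptr, uint64_t guard, unsigned rot) {
    return rotl64(ptr ^ guard, rot);
}

/* PTR_DEMANGLE-style inverse: rotate right, then XOR the guard back out. */
uint64_t demangle_ptr(uint64_t mangled, uint64_t guard, unsigned rot) {
    return rotr64(mangled, rot) ^ guard;
}

/* The point of the thread: the scheme is a fixed XOR, so a debugger that
   knows one (plain, mangled) pair and the rotate count can recover the
   guard directly, with no disassembly. The same is true for anyone else
   holding such a pair, which is the limit of what the guard protects. */
uint64_t recover_guard(uint64_t plain, uint64_t mangled, unsigned rot) {
    return rotr64(mangled, rot) ^ plain;
}

int main(void) {
    /* Constructed sample values, not a real guard or address. */
    const uint64_t guard = 0x1122334455667788ULL;
    const uint64_t ptr   = 0x00007f1234567890ULL;
    const unsigned rots[] = { 0, 9, 17 };  /* plain XOR, i386, x86_64 */
    for (size_t i = 0; i < sizeof rots / sizeof rots[0]; i++) {
        uint64_t m = mangle_ptr(ptr, guard, rots[i]);
        assert(demangle_ptr(m, guard, rots[i]) == ptr);
        assert(recover_guard(ptr, m, rots[i]) == guard);
        printf("rot %2u: mangled 0x%016llx\n", rots[i],
               (unsigned long long)m);
    }
    return 0;
}
```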
