Subject: libc6: Canary value should include null byte
Package: libc6
Severity: normal

Dear Maintainer,

If it doesn't already, the canary value at the end of the stack should include a null byte. strcpy() won't be able to copy over that without corrupting it: if it copies the null byte, it won't hit the stack pointer, because it stops at the null byte. The program still crashes. If it copies something else, the null byte will be corrupted, and the program will crash before it does what the hacker wants. If the canary value is 32 or 64 bits, it's still going to be quite unpredictable. That still leaves fun things like memcpy(), but it would make exploits of sloppy strcpy() calls a no-go.

-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
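The mechanism the report describes can be checked in a small simulation. The C program below is an added example, not part of the bug report and not glibc code: it models a frame as a plain byte array (buffer, 8-byte canary, saved return slot, a constructed layout), copies an overlong input into it with strcpy() semantics, and reports whether the epilogue canary check would still pass with the return slot changed. The input is deliberately the hardest case for the check, reproducing the canary's own bytes at the right offset, which is the only way a copy could leave the canary matching. The canary values are constructed; the result does not depend on endianness, because whichever end the zero byte sits at, the copy stops there before the return slot.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame layout for the simulation (a plain byte array, not a real stack):
 *   bytes  0..15  char buf[16]
 *   bytes 16..23  8-byte canary (on little-endian, byte 16 is its low byte)
 *   bytes 24..31  saved return address
 */
enum { BUF_LEN = 16, CANARY_OFF = 16, RET_OFF = 24, FRAME_LEN = 32 };

/* Does the canary contain a zero byte anywhere?  This is the property the report asks for. */
static int has_zero_byte(uint64_t canary) {
    for (int i = 0; i < 8; i++)
        if (((canary >> (8 * i)) & 0xff) == 0) return 1;
    return 0;
}

/* strcpy() semantics into the simulated frame: copy src bytes one at a time,
 * copy the first zero byte too, then stop.  Bounded by FRAME_LEN so the
 * simulation itself never writes outside the array. */
static size_t sim_strcpy(unsigned char *frame, const unsigned char *src) {
    size_t i;
    for (i = 0; i < FRAME_LEN; i++) {
        frame[i] = src[i];
        if (src[i] == 0) return i + 1;
    }
    return i;
}

/* Outcome of an overlong strcpy() into a frame guarded by `canary`, as the
 * function epilogue's canary check would see it:
 *   1 = canary still matches AND the return slot was overwritten (check bypassed)
 *   0 = canary corrupted (check fires) or return slot never reached
 * The input reproduces the canary's own bytes at the canary offset, the only
 * way a copy could leave the check satisfied. */
static int overlong_copy_bypasses_check(uint64_t canary) {
    unsigned char frame[FRAME_LEN], input[FRAME_LEN];
    const uint64_t saved_ret = 0x401000ULL;            /* constructed value */
    const uint64_t new_ret   = 0x4242424242424242ULL;  /* constructed value */

    memset(frame, 0, FRAME_LEN);
    memcpy(frame + CANARY_OFF, &canary, sizeof canary);
    memcpy(frame + RET_OFF, &saved_ret, sizeof saved_ret);

    memset(input, 'A', BUF_LEN);
    memcpy(input + CANARY_OFF, &canary, sizeof canary);
    memcpy(input + RET_OFF, &new_ret, sizeof new_ret);

    sim_strcpy(frame, input);

    int canary_ok   = memcmp(frame + CANARY_OFF, &canary, sizeof canary) == 0;
    int ret_changed = memcmp(frame + RET_OFF, &saved_ret, sizeof saved_ret) != 0;
    return canary_ok && ret_changed;
}

int main(void) {
    const uint64_t with_nul    = 0x1a2b3c4d5e6f7a00ULL;  /* constructed, low byte zero */
    const uint64_t without_nul = 0x1a2b3c4d5e6f7a11ULL;  /* constructed, no zero byte */
    printf("canary with NUL byte:    check bypassed=%d\n", overlong_copy_bypasses_check(with_nul));
    printf("canary without NUL byte: check bypassed=%d\n", overlong_copy_bypasses_check(without_nul));
    return 0;
}
```

With the zero byte present, the copy stops on the canary's zero byte and the return slot is never reached; any other input corrupts the canary and the check fires. Without it, the same copy runs straight through to the return slot with the canary matching, which is exactly the gap the report wants closed. memcpy() and other length-driven copies are unaffected either way, as the report notes.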