https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81400
--- Comment #4 from Martin Liška <marxin at gcc dot gnu.org> ---
(In reply to Chris Severance from comment #3)
> Unless there's a security reason, 0 should never be used as a canary value.
> Errant \0 should be caught 100% of the time. When I built malloc canaries
> for NPPTextFX I expressly avoided \0.

Agreed, it's not a good constant.

>
> data[SMASH_ALIGN]='f' should be caught by bounds checking or a shadow stack,
> not ssp.

What do you mean by a shadow stack? If AddressSanitizer, then yes, it's doable:

$ gcc -fsanitize=address smashme.c -g && ./a.out
=================================================================
==527==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdd2b7aeb6 at pc 0x2b13549d69e7 bp 0x7ffdd2b7ad80 sp 0x7ffdd2b7a530
WRITE of size 7 at 0x7ffdd2b7aeb6 thread T0
    #0 0x2b13549d69e6 in __interceptor_vsprintf ../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1345
    #1 0x2b13549d6d46 in __interceptor_sprintf ../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1376
    #2 0x40093b in smashme /home/marxin/Programming/testcases/PR81021/smashme.c:21
    #3 0x4009f7 in main /home/marxin/Programming/testcases/PR81021/smashme.c:28
    #4 0x2b13558ff469 in __libc_start_main (/lib64/libc.so.6+0x20469)
    #5 0x4007e9 in _start (/home/marxin/Programming/testcases/PR81021/a.out+0x4007e9)

And by bounds checking you probably mean:

$ gcc -D_FORTIFY_SOURCE=2 smashme.c -O && ./a.out
*** buffer overflow detected ***: ./a.out terminated
======= Backtrace: =========
...

> It doesn't overwrite any canaries. It only writes to icanary which
> is my canary, not a gcc canary. The only time it should be caught by ssp is
> when icanary is disabled and it overwrites CNRY at the top of the stack.

Currently we generate the canary in between stack variables and the return value.
That explains why one can overwrite both icanary and also the SSP canary.

>
> For debug builds canaries should be placed between every stack variable and
> in the unused space of aligned but undersized variables. Is there such an
> option?

AFAICK not, but it can be an interesting enhancement.
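The manual between-variable canary discussed in this comment, as an added example that is not code from the bug report or from GCC: it models the buffer / icanary / next-variable layout with a struct (names and layout are constructed here, not taken from smashme.c) and shows that a canary containing a zero byte misses the classic off-by-one NUL overrun that a canary with no zero bytes catches.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical frame layout (constructed for this example): an 8-byte
 * buffer, then a user-level canary ("icanary" in the thread's terms)
 * sitting between the buffer and the next variable it protects. */
struct guarded {
    char     data[8];
    uint32_t icanary;
    uint32_t next_var;
};

/* Model a strcpy() of a 'len'-character string into data[]: the copy,
 * including the terminating NUL, is done with memcpy and clamped to the
 * struct object, so it is well-defined C while still reproducing how a
 * string overrun spills into whatever follows the buffer.
 * Returns 1 if the canary check would catch it, 0 if it goes unnoticed. */
int strcpy_overflow_detected(uint32_t canary, size_t len)
{
    struct guarded g;
    char src[sizeof g + 1];
    size_t n;

    if (len > sizeof g)
        len = sizeof g;            /* never write past the object */
    memset(src, 'A', len);
    src[len] = '\0';

    memset(g.data, 0, sizeof g.data);
    g.icanary = canary;
    g.next_var = 0x12345678u;

    n = len + 1 > sizeof g ? sizeof g : len + 1;   /* bytes strcpy would copy */
    memcpy((unsigned char *)&g, src, n);

    return g.icanary != canary;    /* 1: clobbered (detected), 0: intact */
}

int main(void)
{
    /* Off-by-one: 8 chars + NUL puts the NUL on the canary's first byte. */
    printf("zero canary, 8-char string:     %d\n", strcpy_overflow_detected(0u, 8));          /* 0 */
    printf("non-zero canary, 8-char string: %d\n", strcpy_overflow_detected(0xA5C3E7F1u, 8)); /* 1 */
    printf("zero canary, 11-char string:    %d\n", strcpy_overflow_detected(0u, 11));         /* 1 */
    return 0;
}
```

A canary whose first in-memory byte is zero cannot distinguish an errant terminator from an intact guard, which is exactly the case the quoted remark about \0 is making.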