Hi Alex,

Yeah, I think I'll wind up with some ifdef code for the static init. In the case of arm (32-bit), there is actually a GCC bug that causes it to use the address of the canary value instead of the canary value itself. GCC upstream just fixed that a few days ago, but it may be a year or so before the appropriate GCC version is widely available.

I may eventually add an optional mechanism to allow the value to be changed (very carefully) at runtime. This has to be done early enough that we cannot wait for an RNG to be identified via DTB, but there are a few ways to keep arm and aarch64 from being too predictable, and some boards may have peripherals that can provide a sufficiently variable value.

-Joel

On Sun, Jan 10, 2021 at 2:40 PM Alex Sadovsky <nable.mainin...@googlemail.com> wrote:
> Hi,
>
> > +
> > +unsigned long __stack_chk_guard = 0xfeedf00ddeadbeef;
>
> sizeof(unsigned long) isn't always 8, even gcc issues a warning when it's
> invoked with proper options (e.g. 32-bit build):
>
> > warning: conversion from ‘long long unsigned int’ to ‘long unsigned int’
> > changes value from ‘18369602397475290863’ to ‘3735928559’ [-Woverflow]
>
> Maybe there's some better way to initialize this variable. E.g. with #if …
> #else … #endif or using some initialization function that is invoked early.
> I should also mention that a fixed canary value doesn't actually bring
> proper protection against exploits, thus run-time initialization with a
> random value is usually preferred.
>
> I'm not sure whether it's important at all in bootloader code, I just
> wanted to be sure that it isn't unnoticed.
>
> Cheers, Alex.
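One way to do the width-correct static initialisation Alex suggests, plus the early runtime refresh Joel describes, as an added C example that is not the patch's code or the project's. It assumes the canary symbol is renamed to a hypothetical `boot_stack_guard` so the file links on a host libc, that the entropy word is supplied by the caller from whatever the board has, and that the bit mixer is a constructed helper, not a CSPRNG.

```c
#include <stdint.h>
#include <limits.h>

/* Added example, not the patch's code. The real symbol is __stack_chk_guard;
 * it is renamed (hypothetical boot_stack_guard) so this file also links on a
 * host whose libc owns that name. */

/* Pick a constant that fits unsigned long, avoiding the -Woverflow truncation. */
#if ULONG_MAX > 0xffffffffUL
#define BOOT_GUARD_DEFAULT 0xfeedf00ddeadbeefUL
#else
#define BOOT_GUARD_DEFAULT 0xdeadbeefUL
#endif

unsigned long boot_stack_guard = BOOT_GUARD_DEFAULT;

/* Spread whatever a board can supply early (cycle counter, serial number,
 * a peripheral RNG) across the whole word. This is the SplitMix64
 * finaliser, used here as a constructed mixer; it is not a CSPRNG and
 * cannot add entropy the input lacks. */
static uint64_t mix64(uint64_t x)
{
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x;
}

/* Derive the runtime canary. The lowest byte is cleared, as glibc does on
 * little-endian targets, so a NUL terminator stops string copies before
 * they reach the canary; an all-zero result is never handed out. */
unsigned long boot_stack_guard_derive(uint64_t entropy)
{
    unsigned long g = (unsigned long)mix64(entropy ^ BOOT_GUARD_DEFAULT);
    g &= ~(unsigned long)0xff;
    if (g == 0)
        g = BOOT_GUARD_DEFAULT & ~(unsigned long)0xff;
    return g;
}

/* Must run before any stack-protected function that will later return has
 * been entered: such a frame saved the old value in its prologue and its
 * epilogue would compare against the new one and abort. */
void boot_stack_guard_init(uint64_t entropy)
{
    boot_stack_guard = boot_stack_guard_derive(entropy);
}
```

The static value covers the window before any entropy source is reachable; the init call is the "very careful" runtime change and must itself be reached only through frames that are not stack-protected.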