about summary refs log tree commit diff
diff options
context:
space:
mode:
authorjvoisin <julien.voisin@dustri.org>2021-12-13 21:05:19 +0100
committerRich Felker <dalias@aerifal.cx>2022-03-08 16:52:25 -0500
commit74a28a8af21977ebbc2945beb879f1b9b6ff13ba (patch)
treebdd571f09e938573bae3a579dc2f0e817b0c805a
parent7c0c7a75ec8ecf3eedefc40bb4dae5aaa76d7108 (diff)
downloadmusl-74a28a8af21977ebbc2945beb879f1b9b6ff13ba.tar.gz
musl-74a28a8af21977ebbc2945beb879f1b9b6ff13ba.tar.xz
musl-74a28a8af21977ebbc2945beb879f1b9b6ff13ba.zip
protect stack canary from leak via read-as-string by zeroing second byte
This reduces entropy of the canary from 64-bit to 56-bit in exchange
for mitigating non-terminated C string overflows by setting the second
byte of the canary to nul, so that off-by-one write overflow with a
nul byte can still be detected.

Idea from GrapheneOS bionic commit 7024d880b51f03a796ff8832f1298f2f1531fd7b
-rw-r--r--src/env/__stack_chk_fail.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/src/env/__stack_chk_fail.c b/src/env/__stack_chk_fail.c
index bf5a280a..e5352602 100644
--- a/src/env/__stack_chk_fail.c
+++ b/src/env/__stack_chk_fail.c
@@ -9,6 +9,15 @@ void __init_ssp(void *entropy)
 	if (entropy) memcpy(&__stack_chk_guard, entropy, sizeof(uintptr_t));
 	else __stack_chk_guard = (uintptr_t)&__stack_chk_guard * 1103515245;
 
+#if UINTPTR_MAX >= 0xffffffffffffffff
+	/* Sacrifice 8 bits of entropy on 64bit to prevent leaking/
+	 * overwriting the canary via string-manipulation functions.
+	 * The NULL byte is on the second byte so that off-by-ones can
+	 * still be detected. Endianness is taken care of
+	 * automatically. */
+	((char *)&__stack_chk_guard)[1] = 0;
+#endif
+
 	__pthread_self()->canary = __stack_chk_guard;
 }