Hi Kyle,

On Wed, Jan 27, 2010 at 03:23:34PM -0800, Kyle Bader wrote:
> ii libc6 2.7-18
> ...
> ~# gcc -fstack-protector-all -pie -fPIE -z relro -o buggy buggy.c
> ...
> Partial RELRO Canary found NX enabled PIE enabled buggy

I would add "-Wl,-z,now" to gain better RELRO support. Also, "-z relro" is more correctly expressed as "-Wl,-z,relro". And, for even more fun, add "-O2" (or higher) and "-D_FORTIFY_SOURCE=2". For more details, see:

http://wiki.debian.org/Hardening
https://wiki.ubuntu.com/CompilerFlags

> ~# ./buggy `perl -e 'print "X"x2048'`
> Copied argument
> Segmentation fault (core dumped)

This is probably crashing in the stack protector backtrace unwinder (you can check under gdb), and is not vulnerable. With a smaller overflow you can see that it is being caught:

$ ./buggy `perl -e 'print "X"x1025'`
Copied argument
*** stack smashing detected ***: ./buggy terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x4b)[0xf76b058b]
/lib/libc.so.6(__fortify_fail+0x0)[0xf76b0540]
...

If I remember correctly, earlier glibc did not attempt a stack unwinding on stack check failures.

> ~# ./print-canary buggy
> canary value: ff0a000000000000

This is expected on older kernel/glibc combinations. Debian's glibc does not include the RedHat randomization patch for the canary. See:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=563637
https://bugs.edge.launchpad.net/ubuntu/+source/glibc/+bug/275493

Newer kernels (and glibc) will handle this more correctly via AT_RANDOM:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=f06295b44c296c8fb08823a3118468ae343b60f2

> The other problem is that the Lenny libc6 doesn't appear to be
> compiled with --enable-stackguard-randomization, this causes the canary
> to always be a predictable "ff0a000000000000".

This option causes libc to open /dev/urandom on every exec, which ends up being rather expensive. AT_RANDOM is the better solution and should happen automatically if the kernel supports it.

The up-shot of the static canary is that usually it's string operations that overflow the stack, and it's not possible to overflow past a canary with \x00 in it using the str* functions.
-Kees

-- 
Kees Cook @debian.org
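Kees' last point, that a canary containing a \x00 byte cannot be overrun intact by a str* copy, can be shown in a small simulation. The C below is an added example written for this page, not code from the thread or from buggy.c: it lays out a pretend frame (a 16-byte buffer, the 8-byte canary, then an 8-byte stand-in for the saved return address), performs the same unbounded strcpy the "Copied argument" program does, and then runs the check that __stack_chk_fail's caller performs. The canary value is the ff0a000000000000 from the post; the 16-byte buffer size, the saved-word value, and the little-endian in-memory order (low byte 0x00 sits immediately after the buffer, as on x86) are assumptions of the example.

```c
#include <stdint.h>
#include <string.h>

/* Simulated frame layout (assumed for this example, not glibc's real layout):
 * [ buffer: 16 bytes ][ canary: 8 bytes ][ saved word: 8 bytes ] */
#define BUF_LEN   16
#define WORD_LEN  8
#define FRAME_LEN (BUF_LEN + 2 * WORD_LEN)

/* The static canary printed by print-canary in the post. Stored little-endian,
 * its in-memory bytes are 00 00 00 00 00 00 0a ff, so the byte right after the
 * buffer is a NUL (assumes a little-endian host, as in the post). */
#define STATIC_CANARY 0xff0a000000000000ULL
/* Constructed stand-in for the saved return address. */
#define SAVED_WORD    0x4000000000001234ULL

struct frame {
    unsigned char bytes[FRAME_LEN];
};

static void frame_init(struct frame *f) {
    uint64_t canary = STATIC_CANARY, saved = SAVED_WORD;
    memset(f->bytes, 0, FRAME_LEN);
    memcpy(f->bytes + BUF_LEN, &canary, WORD_LEN);
    memcpy(f->bytes + BUF_LEN + WORD_LEN, &saved, WORD_LEN);
}

/* The bug: an unbounded strcpy into the 16-byte buffer, as in "Copied argument".
 * The destination array is FRAME_LEN bytes, so the simulation itself stays in bounds. */
static void buggy_copy(struct frame *f, const char *arg) {
    strcpy((char *)f->bytes, arg);
}

/* The epilogue check: compare the canary slot against the expected value. */
static int canary_intact(const struct frame *f) {
    uint64_t canary = STATIC_CANARY;
    return memcmp(f->bytes + BUF_LEN, &canary, WORD_LEN) == 0;
}

static int saved_word_intact(const struct frame *f) {
    uint64_t saved = SAVED_WORD;
    return memcmp(f->bytes + BUF_LEN + WORD_LEN, &saved, WORD_LEN) == 0;
}

/* Case 1: the "X"x1025 situation scaled down. One 'X' past the buffer lands on
 * the canary's low byte (0x00), so the check fires. Returns 1 if detected. */
int long_string_is_detected(void) {
    struct frame f;
    char arg[BUF_LEN + 2];
    memset(arg, 'X', BUF_LEN + 1);
    arg[BUF_LEN + 1] = '\0';
    frame_init(&f);
    buggy_copy(&f, arg);
    return !canary_intact(&f);
}

/* Case 2: an argument that carries the canary's own bytes after the filler,
 * followed by more data. strcpy stops at the first 0x00, which is the canary's
 * first in-memory byte, so neither the canary nor the saved word is reached.
 * Returns 1 if both are untouched, i.e. the copy was cut short. */
int null_byte_terminates_copy(void) {
    struct frame f;
    unsigned char arg[FRAME_LEN + 1];
    uint64_t canary = STATIC_CANARY;
    memset(arg, 'X', BUF_LEN);
    memcpy(arg + BUF_LEN, &canary, WORD_LEN);         /* arg[16] is 0x00 */
    memset(arg + BUF_LEN + WORD_LEN, 'Y', WORD_LEN);
    arg[FRAME_LEN] = '\0';
    frame_init(&f);
    buggy_copy(&f, (const char *)arg);
    return canary_intact(&f) && saved_word_intact(&f);
}
```

Case 1 is why "X"x1025 trips the detector: the first byte past the buffer turns the canary's NUL into 0x58. Case 2 is the terminator property: any string that tries to preserve the canary must contain its 0x00 byte, and the str* family stops copying there. This is exactly why a truly random canary still wants a zero byte in the position nearest the buffer; the randomization only matters against copies that are not NUL-terminated (memcpy, read, and friends).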

