https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95249

            Bug ID: 95249
           Summary: Stack protector runtime has to waste one byte on null
                    terminator
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: middle-end
          Assignee: unassigned at gcc dot gnu.org
          Reporter: bugdal at aerifal dot cx
  Target Milestone: ---

At least glibc presently stores a null byte in the first byte of the stack
protector canary value, so that string-based read overflows can't leak the
canary value. On 32-bit targets, this wastes a significant portion of the
randomness, making it possible that massive-scale attacks (e.g. against
millions of mobile or IoT devices) will have a decent chance of some success
bypassing stack protector. musl presently does not zero the first byte, but I
received a suggestion that we should do so, and got to thinking about the
tradeoffs involved.

If GCC would skip one byte below the canary, the full range of values could be
used by the stack protector runtime without the risk of string-read-based
disclosure. This should be inexpensive in terms of space and time to store a
single 0 byte on the stack.
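To make the tradeoff in the report concrete, here is an added C model (not code from the report, glibc, musl or GCC) of a 32-bit frame with an unterminated char buffer followed by the canary. It compares three constructed layouts: a full-entropy canary with no NUL, the glibc-style canary whose lowest-address byte is cleared, and the proposed layout with a separate 0 byte below a full-entropy canary. For each it computes how many canary bytes a string-style read of the buffer would expose and how many random bits the canary keeps. The canary bytes, buffer size and layout names are all assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a 32-bit stack frame: BUF_LEN bytes of buffer with no
 * terminator, optionally one guard byte, then a CANARY_LEN-byte canary. */
enum { BUF_LEN = 8, CANARY_LEN = 4, FRAME_LEN = BUF_LEN + 1 + CANARY_LEN };

typedef enum {
    LAYOUT_NAIVE,   /* full-entropy canary directly after the buffer, no NUL */
    LAYOUT_GLIBC,   /* first (lowest-address) canary byte forced to 0 */
    LAYOUT_PADDED   /* proposal: one 0 byte, then a full-entropy canary */
} layout_t;

/* Constructed "random" canary; every byte is nonzero so it models the worst
 * case for a string read (a real canary could contain a 0 by chance). */
static const unsigned char SAMPLE_CANARY[CANARY_LEN] = { 0x5a, 0xa3, 0x7e, 0xc1 };

/* Fills frame[] for the given layout and returns the canary's start offset. */
static size_t build_frame(layout_t layout, unsigned char frame[FRAME_LEN]) {
    memset(frame, 'A', FRAME_LEN);                  /* buffer left unterminated */
    size_t off = BUF_LEN;
    if (layout == LAYOUT_PADDED) frame[off++] = 0;  /* guard byte below canary */
    memcpy(frame + off, SAMPLE_CANARY, CANARY_LEN);
    if (layout == LAYOUT_GLIBC) frame[off] = 0;     /* lowest canary byte cleared */
    return off;
}

/* Length a NUL-terminated read (strlen/puts style) would scan, capped at max. */
static size_t string_read_length(const unsigned char *p, size_t max) {
    size_t n = 0;
    while (n < max && p[n] != 0) n++;
    return n;
}

/* Canary bytes disclosed by a string read that starts at the buffer. */
static size_t disclosed_canary_bytes(layout_t layout) {
    unsigned char frame[FRAME_LEN];
    size_t off = build_frame(layout, frame);
    size_t used = off + CANARY_LEN;               /* bytes this layout occupies */
    size_t n = string_read_length(frame, used);
    return n > off ? n - off : 0;                 /* never exceeds CANARY_LEN */
}

/* Random bits the canary value retains under each layout. */
static unsigned canary_entropy_bits(layout_t layout) {
    return layout == LAYOUT_GLIBC ? 8u * (CANARY_LEN - 1) : 8u * CANARY_LEN;
}

int main(void) {
    static const char *names[] = { "naive", "glibc-style", "padded (proposal)" };
    for (int l = LAYOUT_NAIVE; l <= LAYOUT_PADDED; l++) {
        printf("%-18s disclosed canary bytes: %zu  canary entropy: %u bits\n",
               names[l], disclosed_canary_bytes((layout_t)l),
               canary_entropy_bits((layout_t)l));
    }
    return 0;
}
```

Both NUL-bearing layouts stop the string read before any canary byte, but only the padded layout keeps all 32 random bits on a 32-bit target, which is the point the report makes about the one-byte cost versus the 8-bit entropy loss.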
