When building the stack guard, it has been traditionally important to have the value start (in memory) with a zero byte to protect the guard value (and the rest of the stack past it) from being read via strcpy, etc.
This patch reduces the number of random bytes by one, leaving the leading zero byte.

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to eglibc in Ubuntu.
https://bugs.launchpad.net/bugs/413278

Title:
  stack protector guard value does not lead with a NULL byte

Status in GLibC:
  Fix Released
Status in eglibc package in Ubuntu:
  Fix Released
Status in glibc package in Ubuntu:
  Invalid
Status in eglibc source package in Jaunty:
  Invalid
Status in glibc source package in Jaunty:
  Fix Released
Status in eglibc source package in Karmic:
  Fix Released
Status in glibc source package in Karmic:
  Invalid

Bug description:
  IMPACT: stack protections are weakened due to strcpy function being able to write the stack guard (since it does not start with a zero byte).

  ADDRESSED: correctly implement leading zero, as done in Karmic.

  DISCUSSION: regression potential is low, since the patch is isolated and well tested.

  TEST CASE:
  $ bzr branch lp:~ubuntu-bugcontrol/qa-regression-testing/master qa-regression-testing
  $ cd qa-regression-testing/scripts
  $ ./test-glibc-security.py -v
  Build helper tools ... (9.10) ok
  glibc heap protection ... ok
  sprintf not pre-truncated with -D_FORTIFY_SOURCE=2 ... ok
  glibc pointer obfuscation ... ok
  Password hashes ... (sha512) ok
  Stack guard exists ... ok
  Stack guard leads with zero byte ... FAIL
  Stack guard is randomized ... ok

  ======================================================================
  FAIL: Stack guard leads with zero byte
  ----------------------------------------------------------------------
  Traceback (most recent call last):
    File "./test-glibc-security.py", line 170, in test_81_stack_guard_leads_zero
      self.assertEqual(one.startswith('00 '), expected, one)
  AssertionError: 62 55 59 69 cd 20 39 80

  ----------------------------------------------------------------------
  Ran 8 tests in 0.145s

  FAILED (failures=1)

  expected outcome: 0 failures.

  ProblemType: Bug
  Architecture: amd64
  Date: Thu Aug 13 13:59:02 2009
  Dependencies:
   findutils 4.4.2-1
   gcc-4.4-base 4.4.1-1ubuntu3
   libc6 2.10.1-0ubuntu6
   libgcc1 1:4.4.1-1ubuntu3
  DistroRelease: Ubuntu 9.10
  Package: libc6 2.10.1-0ubuntu6
  ProcEnviron:
   LANGUAGE=en_US.UTF-8
   PATH=(custom, user)
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  ProcVersionSignature: Ubuntu 2.6.31-5.24-generic
  SourcePackage: eglibc
  Uname: Linux 2.6.31-5-generic x86_64

To manage notifications about this bug go to:
https://bugs.launchpad.net/glibc/+bug/413278/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
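As an added illustration (not code from the bug report, the patch or glibc): a small C model of why the leading zero byte matters. It lays an unterminated 8-byte buffer directly below a guard value, the way a local char array sits below the canary on the stack, and measures how far strlen() walks. The guard bytes are the ones the failing test printed above, reused here as constructed sample input; the 8-byte guard size, the memory-order layout and all function names are my assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define GUARD_LEN 8   /* assumed 64-bit guard, matching the amd64 report */

/* Constructed sample: the value the failing test printed, in memory order
 * (lowest address first). Not taken from any live system. */
static const unsigned char BUGGY_GUARD[GUARD_LEN] =
    { 0x62, 0x55, 0x59, 0x69, 0xcd, 0x20, 0x39, 0x80 };

/* The property the regression test checks: the lowest-address byte is 0. */
int guard_leads_with_zero(const unsigned char guard[GUARD_LEN])
{
    return guard[0] == 0x00;
}

/* Model of the fix described in the comment: keep the random bytes but
 * force the leading one to zero (one byte of entropy traded for protection
 * against NUL-terminated string functions). */
void zero_leading_byte(unsigned char guard[GUARD_LEN])
{
    guard[0] = 0x00;
}

/* Report how many bytes strlen() (and so strcpy()/puts()) walks before it
 * finds a NUL. A zero slot after the guard keeps the scan inside the array,
 * so the worst case here is "buffer + whole guard" rather than a crash. */
size_t bytes_reachable_by_strlen(const unsigned char guard[GUARD_LEN])
{
    enum { BUF_LEN = 8 };
    unsigned char frame[BUF_LEN + GUARD_LEN + 1];

    memset(frame, 'A', BUF_LEN);               /* buffer with no terminator */
    memcpy(frame + BUF_LEN, guard, GUARD_LEN); /* guard sits right above it */
    frame[BUF_LEN + GUARD_LEN] = 0x00;         /* bound the scan past the guard */

    return strlen((const char *)frame);
}

int main(void)
{
    unsigned char fixed[GUARD_LEN];
    memcpy(fixed, BUGGY_GUARD, GUARD_LEN);
    zero_leading_byte(fixed);

    printf("buggy guard: leads with zero=%d, strlen reaches %zu bytes\n",
           guard_leads_with_zero(BUGGY_GUARD), bytes_reachable_by_strlen(BUGGY_GUARD));
    printf("fixed guard: leads with zero=%d, strlen reaches %zu bytes (8 = buffer only)\n",
           guard_leads_with_zero(fixed), bytes_reachable_by_strlen(fixed));
    return 0;
}
```

With the reported value, strlen() reaches 16 bytes, i.e. the entire guard is readable through the unterminated buffer; once the leading byte is zero it stops at 8.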

