*** This bug is a security vulnerability ***
You have been subscribed to a public security bug by Seth Arnold (seth-arnold):
The lower 8 bits of the stack guard value are always zero, which means the
stack protector cannot detect the following stack smashing:
```
#include <string.h>

int get_input(char *data)
{
    /* Copies 8 characters plus the terminating NUL: 9 bytes into the caller's 8-byte buffer. */
    strcpy(data, "01234567");
    return 0;
}

// main.c
#include <stdio.h>
#include <stdlib.h>

void *__stack_chk_guard = (void *)0xdeadbeef;

void __stack_chk_fail(void)
{
    fprintf(stderr, "Stack smashing detected.\n");
    exit(1);
}

int get_input(char *data);   /* return type matches the definition above */

int main(void)
{
    char buffer[8] = { 0 };
    get_input(buffer);
    return buffer[0];
}
```
When I look into the problem with gdb, the lower 8 bits of fs:0x28 (the stack
guard value) are always zero, like this:
```
0x007fffffffe190│+0x0000: 0x0000000000000d ("\r"?) ← $rsp
0x007fffffffe198│+0x0008: 0x3fd2300ef2282e00 <-
0x007fffffffe1a0│+0x0010: 0x0000000000000001 ← $rbp
0x007fffffffe1a8│+0x0018: 0x007ffff7db6fd0 → <__libc_start_call_main+128> mov edi, eax
0x007fffffffe1b0│+0x0020: 0x00555555554040 → (bad)
0x007fffffffe1b8│+0x0028: 0x0055555555519e → <main+0> endbr64
0x007fffffffe1c0│+0x0030: 0x0000000100000000
0x007fffffffe1c8│+0x0038: 0x007fffffffe2c8 → 0x007fffffffe577 → "/home/sukbeom/Workspace/arm/stack_protector/sp"
```
I don't know much about the stack protector, but I think this should be
fixed. So I am reporting this as a bug related to the stack protector to get
more information. Please let me know if there is anything wrong with my
report.
I attach my system information:
```
$ lsb_release -rd
Description: Ubuntu 21.10
Release: 21.10
$ gcc -v
➜ linux git:(study) gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/11/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none:amdgcn-amdhsa
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu 11.2.0-7ubuntu2'
--with-bugurl=file:///usr/share/doc/gcc-11/README.Bugs
--enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++,m2 --prefix=/usr
--with-gcc-major-version-only --program-suffix=-11
--program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id
--libexecdir=/usr/lib --without-included-gettext --enable-threads=posix
--libdir=/usr/lib --enable-nls --enable-bootstrap --enable-clocale=gnu
--enable-libstdcxx-debug --enable-libstdcxx-time=yes
--with-default-libstdcxx-abi=new --enable-gnu-unique-object
--disable-vtable-verify --enable-plugin --enable-default-pie --with-system-zlib
--enable-libphobos-checking=release --with-target-system-zlib=auto
--enable-objc-gc=auto --enable-multiarch --disable-werror --enable-cet
--with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32
--enable-multilib --with-tune=generic
--enable-offload-targets=nvptx-none=/build/gcc-11-ZPT0kp/gcc-11-11.2.0/debian/tmp-nvptx/usr,amdgcn-amdhsa=/build/gcc-11-ZPT0kp/gcc-11-11.2.0/debian/tmp-gcn/usr
--without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu
--host=x86_64-linux-gnu --target=x86_64-linux-gnu
--with-build-config=bootstrap-lto-lean --enable-link-serialization=2
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 11.2.0 (Ubuntu 11.2.0-7ubuntu2)
```
Thank you.
** Affects: gcc-defaults (Ubuntu)
Importance: Undecided
Status: New
--
Lower 8 bits are always zero in stackguard value
https://bugs.launchpad.net/bugs/1959841
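
The following is an added example, not code from the report or from gcc or glibc: a model of the reported frame showing that the 9-byte copy only rewrites the guard's low byte with the zero it already holds, and that a string read of an unterminated buffer stops at that same zero byte. The frame layout, the function names and the 0x5a variant are assumptions made for the illustration; the guard value 0x3fd2300ef2282e00 is the one in the gdb dump.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the report's frame: char buffer[8] directly below the
 * guard slot, little-endian as on x86_64. Zeroed slack after the guard keeps
 * every write inside the array, so the real stack is never touched. */
enum { BUF_LEN = 8, GUARD_OFF = 8, FRAME_LEN = 32 };

/* Prologue: clear the frame and store the guard byte by byte, low byte first. */
static void frame_enter(unsigned char *f, uint64_t guard)
{
    memset(f, 0, FRAME_LEN);
    for (int i = 0; i < 8; i++)
        f[GUARD_OFF + i] = (unsigned char)(guard >> (8 * i));
}

/* Unbounded copy like the report's get_input(), then the epilogue compare:
 * 1 = guard changed (detected), 0 = unchanged, -1 = input too long for the model. */
static int copy_and_check(uint64_t guard, const char *input)
{
    unsigned char f[FRAME_LEN], ref[FRAME_LEN];
    size_t n = strlen(input) + 1;          /* strcpy also writes the NUL */
    if (n > FRAME_LEN) return -1;
    frame_enter(f, guard);
    frame_enter(ref, guard);
    memcpy(f, input, n);
    return memcmp(f + GUARD_OFF, ref + GUARD_OFF, 8) != 0;
}

/* Bytes a string read such as strlen() sees when the buffer holds 8 non-NUL
 * bytes and no terminator: it stops at the first zero byte it meets. */
static size_t string_read_len(uint64_t guard)
{
    unsigned char f[FRAME_LEN];
    frame_enter(f, guard);
    memset(f, 'A', BUF_LEN);
    return strlen((const char *)f);
}

int main(void)
{
    uint64_t seen = 0x3fd2300ef2282e00ULL;  /* guard value from the gdb dump */
    uint64_t full = seen | 0x5a;            /* constructed: low byte not zero */
    printf("9-byte copy, low byte 00: detected=%d\n", copy_and_check(seen, "01234567"));
    printf("9-byte copy, low byte 5a: detected=%d\n", copy_and_check(full, "01234567"));
    printf("string read: %zu vs %zu bytes\n", string_read_len(seen), string_read_len(full));
    return 0;
}
```

glibc clears this byte on purpose on little-endian targets (a terminator canary), trading detection of a single-NUL overrun for the string-read stop that `string_read_len` shows.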