From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Daniel Micay Date: Sun, 12 Mar 2017 17:49:13 -0400 Subject: [PATCH] on 64-bit, zero the leading stack canary byte This reduces entropy of the canary from 64-bit to 56-bit in exchange for mitigating non-terminated C string overflows. Signed-off-by: anupritaisno1 --- libc/bionic/__libc_init_main_thread.cpp | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libc/bionic/__libc_init_main_thread.cpp b/libc/bionic/__libc_init_main_thread.cpp index 7c8256cd6..554477674 100644 --- a/libc/bionic/__libc_init_main_thread.cpp +++ b/libc/bionic/__libc_init_main_thread.cpp @@ -49,8 +49,11 @@ uintptr_t __stack_chk_guard[PAGE_SIZE / sizeof(uintptr_t)] = {0}; static pthread_internal_t main_thread; -void __libc_init_global_stack_chk_guard(KernelArgumentBlock& args) { -} +#if __LP64__ +static const uintptr_t canary_mask = __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ ? + 0xffffffffffffff00UL : + 0x00ffffffffffffffUL; +#endif // Setup for the main thread. For dynamic executables, this is called by the // linker _before_ libc is mapped in memory. This means that all writes to @@ -129,6 +132,10 @@ extern "C" void __libc_init_main_thread_late() { // before we initialize the TLS. Dynamic executables will initialize their copy of the global // stack protector from the one in the main thread's TLS. __libc_safe_arc4random_buf(&__stack_chk_guard[0], sizeof(__stack_chk_guard[0])); +#if __LP64__ + // Sacrifice 8 bits of entropy on 64-bit to mitigate non-terminated C string overflows + __stack_chk_guard[0] &= canary_mask; +#endif if (mprotect(__stack_chk_guard, sizeof(__stack_chk_guard), PROT_READ) == -1) { async_safe_fatal("mprotect __stack_chk_guard: %s", strerror(errno)); }