[Bug 413278]

Bryanmcsp 413278 at bugs.launchpad.net
Wed Nov 10 14:12:36 UTC 2021


When building the stack guard, it has been traditionally important to have the
value start (in memory) with a zero byte to protect the guard value (and the
rest of the stack past it) from being read via strcpy, etc.

This patch reduces the number of random bytes by one, leaving the
leading zero byte. https://www.kildarehousebuilders.ie

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/413278

Title:
  stack protector guard value does not lead with a NULL byte

Status in GLibC:
  Fix Released
Status in eglibc package in Ubuntu:
  Fix Released
Status in glibc package in Ubuntu:
  Invalid
Status in eglibc source package in Jaunty:
  Invalid
Status in glibc source package in Jaunty:
  Fix Released
Status in eglibc source package in Karmic:
  Fix Released
Status in glibc source package in Karmic:
  Invalid

Bug description:
  IMPACT: stack protections are weakened due to strcpy function being able to write the stack guard (since it does not start with a zero byte).
  ADDRESSED: correctly implement leading zero, as done in Karmic.
  DISCUSSION: regression potential is low, since the patch is isolated and well tested.

  TEST CASE:
  $ bzr branch lp:~ubuntu-bugcontrol/qa-regression-testing/master qa-regression-testing
  $ cd qa-regression-testing/scripts
  $ ./test-glibc-security.py -v
  Build helper tools ... (9.10) ok
  glibc heap protection ... ok
  sprintf not pre-truncated with -D_FORTIFY_SOURCE=2 ... ok
  glibc pointer obfuscation ... ok
  Password hashes ...  (sha512) ok
  Stack guard exists ... ok
  Stack guard leads with zero byte ... FAIL
  Stack guard is randomized ... ok

  ======================================================================
  FAIL: Stack guard leads with zero byte
  ----------------------------------------------------------------------
  Traceback (most recent call last):
    File "./test-glibc-security.py", line 170, in test_81_stack_guard_leads_zero
      self.assertEqual(one.startswith('00 '), expected, one)
  AssertionError: 62 55 59 69 cd 20 39 80 

  ----------------------------------------------------------------------
  Ran 8 tests in 0.145s

  FAILED (failures=1)

  expected outcome: 0 failures.

  ProblemType: Bug
  Architecture: amd64
  Date: Thu Aug 13 13:59:02 2009
  Dependencies:
   findutils 4.4.2-1
   gcc-4.4-base 4.4.1-1ubuntu3
   libc6 2.10.1-0ubuntu6
   libgcc1 1:4.4.1-1ubuntu3
  DistroRelease: Ubuntu 9.10
  Package: libc6 2.10.1-0ubuntu6
  ProcEnviron:
   LANGUAGE=en_US.UTF-8
   PATH=(custom, user)
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  ProcVersionSignature: Ubuntu 2.6.31-5.24-generic
  SourcePackage: eglibc
  Uname: Linux 2.6.31-5-generic x86_64

To manage notifications about this bug go to:
https://bugs.launchpad.net/glibc/+bug/413278/+subscriptions
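The effect of the leading zero byte described in this report, as an added example (not code from glibc or from the qa-regression-testing suite): a simulated frame shows how many guard bytes a C-string read runs through when the buffer in front of the guard has no terminator. The frame layout and function names are hypothetical; the sample guard bytes are the ones printed by the failing test above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN   16
#define GUARD_LEN 8   /* amd64, as in the report */

/* Guard bytes printed by the failing test in the report (no leading zero). */
static const unsigned char sample_guard[GUARD_LEN] =
    { 0x62, 0x55, 0x59, 0x69, 0xcd, 0x20, 0x39, 0x80 };

/* Simulated frame (hypothetical layout): buffer, then guard, in memory order. */
struct frame {
    char buf[BUF_LEN];
    unsigned char guard[GUARD_LEN];
    char stop;  /* always 0 so the scan below never leaves the struct */
};

/* Copy random bytes into the guard; with leading_zero, the byte at the lowest
   address is forced to 0, leaving GUARD_LEN - 1 random bytes. */
void make_guard(unsigned char *g, const unsigned char *rnd, int leading_zero)
{
    memcpy(g, rnd, GUARD_LEN);
    if (leading_zero)
        g[0] = 0;
}

/* How many guard bytes a C-string read starting at buf would run through
   when buf has no terminator of its own. */
size_t guard_bytes_exposed(const unsigned char *rnd, int leading_zero)
{
    struct frame f;
    const char *base = (const char *)&f;

    memset(f.buf, 'A', sizeof f.buf);            /* unterminated buffer */
    make_guard(f.guard, rnd, leading_zero);
    f.stop = 0;
    const char *nul = memchr(base, 0, sizeof f); /* where str* functions stop */
    return (size_t)(nul - base) - sizeof f.buf;
}

int main(void)
{
    printf("8 random bytes : %zu guard bytes exposed\n",
           guard_bytes_exposed(sample_guard, 0));
    printf("leading zero   : %zu guard bytes exposed\n",
           guard_bytes_exposed(sample_guard, 1));
    return 0;
}
```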



