From: Daniel Micay <danielmicay@gmail.com>
To: linux-arm-kernel@lists.infradead.org
Subject: Re: stackprotector: ascii armor the stack canary
Date: Fri, 19 May 2017 23:57:07 +0000 [thread overview]
Message-ID: <1495238227.1190.1.camel@gmail.com> (raw)
In-Reply-To: <20170519212636.30440-1-riel@redhat.com>
On Fri, 2017-05-19 at 17:26 -0400, riel@redhat.com wrote:
> Zero out the first byte of the stack canary value on 64 bit systems,
> in order to prevent unterminated C string overflows from being able
> to successfully overwrite the canary, even if an attacker somehow
> guessed or obtained the canary value.
>
> Inspired by execshield ascii-armor and PaX/grsecurity.
>
> Thanks to Daniel Micay for extracting code of similar functionality
> from PaX/grsecurity and making it easy to find in his linux-hardened
> git tree on https://github.com/thestinger/linux-hardened/
To clarify something this part isn't from PaX / grsecurity. I marked the
commits from PaX / grsecurity as such in their commit messages and these
are among the ones that aren't from there.
This is from a set of changes that I did for CopperheadOS and forward
ported to mainline recently to start linux-hardened. It was only arm64
for CopperheadOS. The overlap with PaX is that when adding the leading
zero byte for x86, I needed to first fix get_random_int being used for
the per-task canary value. I didn't know PaX fixed it way back in 2007.
I implemented heap canaries for our userspace malloc implementation and
then later did the same thing for slub in the kernel. I added a leading
zero byte to both of those heap canaries later on and then did the SSP
implementation in Bionic and the kernel's arm64 code. I took the idea
from glibc but limited it to 64-bit where there's entropy to spare. The
glibc leading zero might have come from execshield, but I don't know.
WARNING: multiple messages have this Message-ID (diff)
From: danielmicay@gmail.com (Daniel Micay)
To: linux-arm-kernel@lists.infradead.org
Subject: stackprotector: ascii armor the stack canary
Date: Fri, 19 May 2017 19:57:07 -0400 [thread overview]
Message-ID: <1495238227.1190.1.camel@gmail.com> (raw)
In-Reply-To: <20170519212636.30440-1-riel@redhat.com>
On Fri, 2017-05-19 at 17:26 -0400, riel at redhat.com wrote:
> Zero out the first byte of the stack canary value on 64 bit systems,
> in order to prevent unterminated C string overflows from being able
> to successfully overwrite the canary, even if an attacker somehow
> guessed or obtained the canary value.
>
> Inspired by execshield ascii-armor and PaX/grsecurity.
>
> Thanks to Daniel Micay for extracting code of similar functionality
> from PaX/grsecurity and making it easy to find in his linux-hardened
> git tree on https://github.com/thestinger/linux-hardened/
To clarify something this part isn't from PaX / grsecurity. I marked the
commits from PaX / grsecurity as such in their commit messages and these
are among the ones that aren't from there.
This is from a set of changes that I did for CopperheadOS and forward
ported to mainline recently to start linux-hardened. It was only arm64
for CopperheadOS. The overlap with PaX is that when adding the leading
zero byte for x86, I needed to first fix get_random_int being used for
the per-task canary value. I didn't know PaX fixed it way back in 2007.
I implemented heap canaries for our userspace malloc implementation and
then later did the same thing for slub in the kernel. I added a leading
zero byte to both of those heap canaries later on and then did the SSP
implementation in Bionic and the kernel's arm64 code. I took the idea
from glibc but limited it to 64-bit where there's entropy to spare. The
glibc leading zero might have come from execshield, but I don't know.
WARNING: multiple messages have this Message-ID (diff)
From: Daniel Micay <danielmicay@gmail.com>
To: riel@redhat.com, linux-kernel@vger.kernel.org
Cc: tytso@mit.edu, keescook@chromium.org, hpa@zytor.com,
luto@amacapital.net, mingo@kernel.org, x86@kernel.org,
linux-arm-kernel@lists.infradead.org, catalin.marinas@arm.com,
linux-sh@vger.kernel.org, ysato@users.sourceforge.jp
Subject: Re: stackprotector: ascii armor the stack canary
Date: Fri, 19 May 2017 19:57:07 -0400 [thread overview]
Message-ID: <1495238227.1190.1.camel@gmail.com> (raw)
In-Reply-To: <20170519212636.30440-1-riel@redhat.com>
On Fri, 2017-05-19 at 17:26 -0400, riel@redhat.com wrote:
> Zero out the first byte of the stack canary value on 64 bit systems,
> in order to prevent unterminated C string overflows from being able
> to successfully overwrite the canary, even if an attacker somehow
> guessed or obtained the canary value.
>
> Inspired by execshield ascii-armor and PaX/grsecurity.
>
> Thanks to Daniel Micay for extracting code of similar functionality
> from PaX/grsecurity and making it easy to find in his linux-hardened
> git tree on https://github.com/thestinger/linux-hardened/
To clarify something this part isn't from PaX / grsecurity. I marked the
commits from PaX / grsecurity as such in their commit messages and these
are among the ones that aren't from there.
This is from a set of changes that I did for CopperheadOS and forward
ported to mainline recently to start linux-hardened. It was only arm64
for CopperheadOS. The overlap with PaX is that when adding the leading
zero byte for x86, I needed to first fix get_random_int being used for
the per-task canary value. I didn't know PaX fixed it way back in 2007.
I implemented heap canaries for our userspace malloc implementation and
then later did the same thing for slub in the kernel. I added a leading
zero byte to both of those heap canaries later on and then did the SSP
implementation in Bionic and the kernel's arm64 code. I took the idea
from glibc but limited it to 64-bit where there's entropy to spare. The
glibc leading zero might have come from execshield, but I don't know.
next prev parent reply other threads:[~2017-05-19 23:57 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-19 21:26 stackprotector: ascii armor the stack canary riel
2017-05-19 21:26 ` riel
2017-05-19 21:26 ` riel at redhat.com
2017-05-19 21:26 ` [PATCH 1/5] random,stackprotect: introduce get_random_canary function riel
2017-05-19 21:26 ` riel
2017-05-19 21:26 ` [PATCH 1/5] random, stackprotect: " riel at redhat.com
2017-05-24 8:30 ` [PATCH 1/5] random,stackprotect: " Ingo Molnar
2017-05-24 8:30 ` Ingo Molnar
2017-05-24 8:30 ` Ingo Molnar
2017-05-19 21:26 ` [PATCH 2/5] fork,random: use get_random_canary to set tsk->stack_canary riel
2017-05-19 21:26 ` riel
2017-05-19 21:26 ` [PATCH 2/5] fork, random: " riel at redhat.com
2017-05-19 21:26 ` [PATCH 3/5] x86: ascii armor the x86_64 boot init stack canary riel
2017-05-19 21:26 ` riel
2017-05-19 21:26 ` riel at redhat.com
2017-05-19 21:26 ` [PATCH 4/5] arm64: ascii armor the arm64 " riel
2017-05-19 21:26 ` riel
2017-05-19 21:26 ` riel at redhat.com
2017-05-19 21:26 ` [PATCH 5/5] sh64: ascii armor the sh64 " riel
2017-05-19 21:26 ` riel
2017-05-19 21:26 ` riel at redhat.com
2017-05-19 21:32 ` stackprotector: ascii armor the " Kees Cook
2017-05-19 21:32 ` Kees Cook
2017-05-19 21:32 ` Kees Cook
2017-05-24 11:57 ` Geert Uytterhoeven
2017-05-24 11:57 ` Geert Uytterhoeven
2017-05-24 11:57 ` Geert Uytterhoeven
2017-05-19 23:57 ` Daniel Micay [this message]
2017-05-19 23:57 ` Daniel Micay
2017-05-19 23:57 ` Daniel Micay
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1495238227.1190.1.camel@gmail.com \
--to=danielmicay@gmail.com \
--cc=linux-arm-kernel@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.