From: Glenn Washburn <development@efficientek.com>
To: The development of GNU GRUB <grub-devel@gnu.org>,
	Daniel Kiper <dkiper@net-space.pl>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>,
	Dimitri John Ledkov <dimitri.ledkov@canonical.com>,
	Glenn Washburn <development@efficientek.com>
Subject: [PATCH v3 0/3] efi: Initialize canary to non-zero value
Date: Mon, 18 Dec 2023 23:59:58 -0600	[thread overview]
Message-ID: <cover.1702965318.git.development@efficientek.com> (raw)

Updates from v2:
 * Change NULL to NUL
 * Describe more why it is desirable to have a NUL byte in the canary

Glenn

Glenn Washburn (3):
  efi: Initialize canary to non-zero value
  efi: Generate stack protector canary at build time if urandom is
    available
  efi: Add support for reproducible builds

 config.h.in               |  2 ++
 configure.ac              | 22 ++++++++++++++++++++++
 grub-core/kern/efi/init.c |  3 ++-
 3 files changed, 26 insertions(+), 1 deletion(-)

Range-diff against v2:
1:  a993f050ce89 ! 1:  c4d3769d2c26 efi: Initialize canary to non-zero value
    @@ Commit message
         support the RNG protocol, then the canary will not be randomized and will
         be zero. This seems like a possibly easier value to write by an attacker.
         Initialize canary to static random bytes, so that it is still random when
    -    there is no RNG protocol. Set at least one byte to NULL to protect against
    -    string buffer overflow attacks.
    +    there is no RNG protocol. Set at least one byte to NUL to protect against
    +    string buffer overflow attacks. Code that writes NUL terminated strings
    +    will terminate when a NUL is encountered in the input byte stream. So the
    +    attacker will not be able to forge the canary by including it in the input
    +    stream without terminating the string operation and thus limiting the
    +    stack corruption.
    +
    +    [1] https://www.sans.org/blog/stack-canaries-gingerly-sidestepping-the-cage/
     
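Review bot: the `[1]` footnote URL is added at the end of the message, but none of the visible commit-message lines carries a `[1]` marker; attach the citation to the sentence it supports (the claim that string-writing code stops at the first NUL) so it is clear what the SANS link backs up. The rationale also deserves a small qualification: the "static random bytes" are a build-time constant compiled into the image, so "it is still random when there is no RNG protocol" overstates it; the value is fixed for every boot of that build, and what the NUL byte buys in that case is specifically the protection against string-copy overflows described in the new paragraph, not unpredictability.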
      ## grub-core/kern/efi/init.c ##
     @@ grub-core/kern/efi/init.c: static grub_guid_t rng_protocol_guid = GRUB_EFI_RNG_PROTOCOL_GUID;
2:  177ae1cf1015 ! 2:  01a56aed2f26 efi: Generate stack protector canary at build time if urandom is available
    @@ Commit message
         Fallback to the statically generated random bytes if /dev/urandom is not
         readable (eg. Windows).
     
    -    Reduce the canary to 3 bytes with a NULL upper byte on 32-bit architectures,
    -    which use a 32-bit canary, to filter out string buffer overflow attacks.
    +    On 32-bit architectures, which use a 32-bit canary, reduce the canary to 4
    +    bytes with one byte being NUL to filter out string buffer overflow attacks.
     
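Review bot: "reduce the canary to 4 bytes" reads oddly, since a 32-bit canary is already 4 bytes; what the change does, per the configure.ac comment later in the series ("canary default value is 24-bits"), is keep three random bytes and fix the fourth to NUL. Say that directly in the commit message, including the resulting 24 bits of entropy, so the trade-off between the NUL-byte property and canary entropy on 32-bit targets is explicit.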
      ## config.h.in ##
     @@
    @@ configure.ac: else
     +
     +  if test -r /dev/urandom; then
     +     # Generate the 8 byte stack protector canary at build time if /dev/urandom
    -+     # is able to be read. The first byte should be NULL to filter out string
    ++     # is able to be read. The first byte should be NUL to filter out string
     +     # buffer overflow attacks.
     +     GRUB_STACK_PROTECTOR_INIT="$($PYTHON -c 'import codecs; rf=open("/dev/urandom", "rb"); print("0x00"+codecs.encode(rf.read(7), "hex").decode("ascii"))')"
     +  else
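Review bot: `test -r /dev/urandom` is the only condition guarding the `$PYTHON` one-liner, so if `$PYTHON` is unset, not executable, or the script fails, the command substitution leaves `GRUB_STACK_PROTECTOR_INIT` empty instead of falling through to the static bytes in the `else` branch. Check the result before accepting it, e.g. `test -n "$GRUB_STACK_PROTECTOR_INIT" || GRUB_STACK_PROTECTOR_INIT=<static fallback>`, or fold the python invocation into the condition. Minor: the one-liner opens `/dev/urandom` and never closes the handle; `os.urandom(7)` does the same job without managing a file object.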
    @@ configure.ac: else
     +
     +  if test x"$target_m32" = x1 ; then
     +    # Make sure that the canary default value is 24-bits by only using the
    -+    # lower 3 bytes on 32 bit systems. This allows the upper byte to be NULL
    ++    # lower 3 bytes on 32 bit systems. This allows the upper byte to be NUL
     +    # to filter out string buffer overflow attacks.
     +    GRUB_STACK_PROTECTOR_INIT="0x00$(echo "$GRUB_STACK_PROTECTOR_INIT" | sed 's/.*\(......\)$/\1/')"
     +  fi
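Review bot: the sed expression `s/.*\(......\)$/\1/` keeps the last six hex digits, which is correct for a well-formed 16-digit `0x00...` value, but if the preceding step produced a short or empty `GRUB_STACK_PROTECTOR_INIT` the pattern does not match and sed passes the input through unchanged. In the empty case the result is exactly `0x00`, a zero canary, which is the value this series exists to avoid. Guard the length here (or make the earlier assignment fail loudly) before truncating.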
3:  c38fa7791697 ! 3:  5989c0102154 efi: Add support for reproducible builds
    @@ configure.ac: else
     +     GRUB_STACK_PROTECTOR_INIT="0x00f2b7e2$(printf "%x" "$SOURCE_DATE_EPOCH" | sed 's/.*\(........\)$/\1/')"
     +  elif test -r /dev/urandom; then
           # Generate the 8 byte stack protector canary at build time if /dev/urandom
    -      # is able to be read. The first byte should be NULL to filter out string
    +      # is able to be read. The first byte should be NUL to filter out string
           # buffer overflow attacks.
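Review bot: with `SOURCE_DATE_EPOCH` set, the canary is the fixed prefix `0x00f2b7e2` followed by the low 32 bits of the epoch, so the whole build-time value is derivable from public build metadata. That is the inherent trade-off of a reproducible build and is fine to make, but the comment (and the commit message) should say so: in this mode the build-time canary provides only the NUL-byte property, and the RNG protocol at boot remains the sole source of unpredictability. Two smaller points: `printf "%x"` errors out if `SOURCE_DATE_EPOCH` is non-numeric, so validating it first would give a clearer failure, and the `sed` silently keeps only the last eight hex digits of epochs wider than 32 bits, which is acceptable but worth a comment.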
-- 
2.34.1


Thread overview: 5+ messages
2023-12-19  5:59 Glenn Washburn [this message]
2023-12-19  5:59 ` [PATCH v3 1/3] efi: Initialize canary to non-zero value Glenn Washburn
2023-12-19  6:00 ` [PATCH v3 2/3] efi: Generate stack protector canary at build time if urandom is available Glenn Washburn
2023-12-19  6:00 ` [PATCH v3 3/3] efi: Add support for reproducible builds Glenn Washburn
2023-12-20 13:09 ` [PATCH v3 0/3] efi: Initialize canary to non-zero value Daniel Kiper