From: Anders Hanssen <anders@rethink.no>
Date: Sun, 30 Dec 2007 13:50:10 +0100
To: Mike Silbersack
Cc: Gunther Mayer, freebsd-security@freebsd.org
Subject: Re: ProPolice/SSP in 7.0
In-reply-to: <20071228200428.J6052@odysseus.silby.com>
Message-id: <47779402.7060105@rethink.no>
Hi!

Mike Silbersack wrote:
> Since the subject came up, I just tried using it, and it's not giving
> me the results I expected.
> But if I compile it like so:
>> cc -g -fstack-protector overrun.c
>
> The overrun is not caught.
>> ./a.out
> hi>
>
> Either I'm doing something wrong, or we have gcc misconfigured and
> it's not detecting that strcpy is a function which needs to be
> watched closely.

My first guess would be that gcc knew the length of "ABCDE" and decided
it would fit in the stack buffer without overwriting anything used by the
program (because of alignment and the ideal stack layout). But, anyway,
I changed your program to strcpy() from argv instead, hoping it would
turn on ssp for overrun(). Still no protection.

# ./test AAAAAAAAAAAAAAAA
Segmentation fault: 11 (core dumped)
# gdb ./test test.core
[...]
#0  0x41414141 in ?? ()

A look at the generated code confirms it does not use ssp for overrun():

    #include <stdio.h>
    #include <string.h>

    void overrun(const char *str)
    {
        int x;
        char a[4];
        int y;

        strcpy(a, str);     /* deliberately unbounded: this is the overrun under test */
        printf("hi");
    }

    /* main() added so the snippet compiles on its own; as described above,
     * the string comes from argv rather than a constant. */
    int main(int argc, char **argv)
    {
        if (argc > 1)
            overrun(argv[1]);
        return 0;
    }

# gcc -S -fstack-protector test.c
overrun:
        pushl   %ebp
        movl    %esp, %ebp
        subl    $24, %esp
        movl    8(%ebp), %eax
        movl    %eax, 4(%esp)
        leal    -8(%ebp), %eax
        movl    %eax, (%esp)
        call    strcpy
        movl    $.LC1, (%esp)
        call    printf
        leave
        ret

# gcc -S -fstack-protector-all test.c
overrun:
        pushl   %ebp
        movl    %esp, %ebp
        subl    $40, %esp
        movl    8(%ebp), %eax
        movl    %eax, -20(%ebp)
        movl    __stack_chk_guard, %eax    ; put stack cookie in eax
        movl    %eax, -4(%ebp)             ; store it on the stack
        xorl    %eax, %eax
        movl    -20(%ebp), %eax
        movl    %eax, 4(%esp)
        leal    -8(%ebp), %eax
        movl    %eax, (%esp)
        call    strcpy
        movl    $.LC1, (%esp)
        call    printf
        movl    -4(%ebp), %eax             ; read cookie
        xorl    __stack_chk_guard, %eax    ; if cookie is not changed,
        je      .L8                        ; return
        call    __stack_chk_fail           ; else abort
.L8:
        leave
        ret

Anyway, I don't know why gcc fails to see that overrun() needs protection.

-- 
Anders
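Added example, not part of the thread: a small shell check that compiles the overrun() above to assembly and reports whether the function received a stack-protector prologue (the __stack_chk_* references visible in the second listing). It assumes a modern gcc or clang on PATH, where plain -fstack-protector only instruments functions holding a char array of at least 8 bytes (the ssp-buffer-size parameter), which is why a 4-byte buffer is skipped, while -fstack-protector-all (or -fstack-protector-strong) covers it.

```shell
#!/bin/sh
# Report "yes" / "no" depending on whether overrun() got SSP instrumentation
# under the given flags; prints "skip" if no C compiler is available.

# Locate a C compiler (assumption: cc, gcc or clang on PATH).
find_cc() {
    for c in cc gcc clang; do
        command -v "$c" >/dev/null 2>&1 && { echo "$c"; return 0; }
    done
    return 1
}

# Constructed test source: the thread's overrun() with a configurable
# buffer size. $1 = buffer size in bytes, $2 = output path.
write_source() {
    cat > "$2" <<EOF
#include <stdio.h>
#include <string.h>
void overrun(const char *str) { int x; char a[$1]; int y; strcpy(a, str); printf("hi"); }
int main(int argc, char **argv) { if (argc > 1) overrun(argv[1]); return 0; }
EOF
}

# ssp_instrumented FLAGS BUFSIZE  -> prints yes / no / skip
ssp_instrumented() {
    cc=$(find_cc) || { echo skip; return 0; }
    dir=$(mktemp -d) || return 1
    write_source "$2" "$dir/t.c"
    # $1 is intentionally unquoted so several flags can be passed as one string.
    if ! "$cc" -S $1 -o "$dir/t.s" "$dir/t.c" 2>/dev/null; then
        rm -rf "$dir"; echo skip; return 0
    fi
    # glibc-style guard symbols, plus OpenBSD's handler name for completeness.
    if grep -Eq '__stack_chk|__stack_smash_handler' "$dir/t.s"; then
        echo yes
    else
        echo no
    fi
    rm -rf "$dir"
}

# Reproduce the observation from the thread, then the two flags that fix it.
echo "-fstack-protector,        char a[4]:  $(ssp_instrumented -fstack-protector 4)"
echo "-fstack-protector,        char a[16]: $(ssp_instrumented -fstack-protector 16)"
echo "-fstack-protector-all,    char a[4]:  $(ssp_instrumented -fstack-protector-all 4)"
echo "-fstack-protector-strong, char a[4]:  $(ssp_instrumented -fstack-protector-strong 4)"
```

The same check is a cheap build-time test for any binary that is supposed to ship with SSP enabled: grep the assembly (or `nm` the object) for the guard symbols rather than trusting the flag alone.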