Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 30 Dec 2007 13:50:10 +0100
From:      Anders Hanssen <anders@rethink.no>
To:        Mike Silbersack <silby@silby.com>
Cc:        Gunther Mayer <gunther.mayer@googlemail.com>, freebsd-security@freebsd.org
Subject:   Re: ProPolice/SSP in 7.0
Message-ID:  <47779402.7060105@rethink.no>
In-Reply-To: <20071228200428.J6052@odysseus.silby.com>
References:  <477277FF.30504@googlemail.com> <86myrvhht9.fsf@ds4.des.no> <20071227195833.154b41ae@kan.dnsalias.net> <4774EB0F.90103@googlemail.com> <20071228200428.J6052@odysseus.silby.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
Hi!

Mike Silbersack wrote:
> Since the subject came up, I just tried using it, and it's not giving
> me the results I expected.

> But if I compile it like so:
>> cc -g -fstack-protector overrun.c
> 
> The overrun is not caught.
>> ./a.out
> hi>
> 
> Either I'm doing something wrong, or we have gcc misconfigured and 
> it's not detecting that strcpy is a function which needs to be 
> watched closedly.

My first guess would be that gcc knew the length of "ABCDE" and decided
it would fit in the stack buffer without overwriting anything used by
the program (because of alignment and the ideal stack layout).

But, anyway, I changed your program to strcpy() from argv instead,
hoping it would turn on ssp for overrun(). Still no protection.

# ./test AAAAAAAAAAAAAAAA
Segmentation fault: 11 (core dumped)

# gdb ./test test.core
[...]
#0  0x41414141 in ?? ()

A look at the generated code confirms it does not use ssp for overrun()

void
overrun(const char *str)
{
     int x;
     char a[4];
     int y;

     strcpy(a, str);
     printf("hi");
}

# gcc -S -fstack-protector test.c

overrun:
     pushl   %ebp
     movl    %esp, %ebp
     subl    $24, %esp
     movl    8(%ebp), %eax
     movl    %eax, 4(%esp)
     leal    -8(%ebp), %eax
     movl    %eax, (%esp)
     call    strcpy
     movl    $.LC1, (%esp)
     call    printf
     leave
     ret

# gcc -S -fstack-protector-all test.c

overrun:
     pushl   %ebp
     movl    %esp, %ebp
     subl    $40, %esp
     movl    8(%ebp), %eax
     movl    %eax, -20(%ebp)
     movl    __stack_chk_guard, %eax ; put stack cookie in eax
     movl    %eax, -4(%ebp)          ; store it on the stack
     xorl    %eax, %eax
     movl    -20(%ebp), %eax
     movl    %eax, 4(%esp)
     leal    -8(%ebp), %eax
     movl    %eax, (%esp)
     call    strcpy
     movl    $.LC1, (%esp)
     call    printf
     movl    -4(%ebp), %eax          ; read cookie
     xorl    __stack_chk_guard, %eax ; if cookie is not changed,
     je      .L8                     ; return
     call    __stack_chk_fail        ; else abort
.L8:
     leave
     ret

Anyway, I don't know why gcc fail to see that overrun() needs protection.

-- 
Anders

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?47779402.7060105>