On Saturday, April 13, 2013 08:44:44 PM Richard W.M. Jones wrote:
> On Sat, Apr 13, 2013 at 08:36:53PM +0200, Kevin Kofler wrote:
> > Richard W.M. Jones wrote:
> > > (1) -fstack-protector{,-all} doesn't implement full bounds checking
> > > for every C object.
> >
> > But it prevents (with probability (256^n-1)/256^n, where n is the size of
> > the canary in bytes, which for n=4 is approximately .99999999976717)
> > exploiting the overflows to change the return address of any C function.
>
> I said it "doesn't implement full bounds checking for every C object",
> and I stand by that.

It doesn't have to. It only places a canary on the stack without any notion of size. This technique is pretty effective and ruins most functions that could be used for ROP gadgets. If the C object is on the heap, then all you have protecting you from coding mistakes is FORTIFY_SOURCE. It requires size information at compile time and most of the time it's not available.

> It doesn't cover stack objects smaller than some
> cut-off size, -fstack-protector-all really is all.

The default in Fedora is 4 bytes, which would cover cases where ints and char[] are interposed as in some networking code. But more importantly, the default stack-protector only kicks in when the object is a char array. If it's an int array or something exotic like an array within a struct, it does not kick in. That is what the -fstack-protector-strong patch provides. It's been floating around the internet and is the default for Chrome OS. All the testing I've done shows it catches all stack overflows of all kinds. We really need it integrated with Fedora's gcc.

-Steve

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
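As an added illustration (not code from the thread, from gcc, or from Fedora), a small C emulation of the canary mechanism Steve describes: the guard word sits right after an int array, nothing checks the array's size during the copy, and the overrun is only noticed when the guard is compared at the epilogue. The `CANARY` constant and the `frame` layout are constructed for the demo; `detect_probability` carries the (256^n-1)/256^n figure from Kevin's message.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed emulation of what -fstack-protector does: a guard value is
 * written after the local array in the prologue and compared in the epilogue.
 * The guard has no notion of the array's size; it only notices that the bytes
 * just past the array changed. Real canaries are random per process; CANARY
 * here is a fixed constructed value so the demo is deterministic. */
#define CANARY 0x0A1B2C3Du

struct frame {
    int buf[4];          /* int array: not guarded by plain -fstack-protector */
    uint32_t canary;     /* guard word between buf and the saved frame state */
};

/* Copies n ints into buf without checking against buf's size (the kind of bug
 * the protector is meant to catch); the copy is clamped to the whole frame so
 * the demo stays inside its own object. Returns 1 if the guard is intact
 * afterwards, 0 if the copy ran past buf and clobbered it. */
int fill_frame(const int *src, size_t n) {
    struct frame f;
    f.canary = CANARY;                          /* prologue: place guard */
    size_t bytes = n * sizeof(int);
    if (bytes > sizeof f) bytes = sizeof f;
    memcpy(&f, src, bytes);                     /* may run past buf into canary */
    return f.canary == CANARY;                  /* epilogue: check guard */
}

/* Probability that an overflow which rewrites an n-byte canary with values
 * the overwriter cannot predict is caught: (256^n - 1) / 256^n. */
double detect_probability(int n) {
    double miss = 1.0;
    for (int i = 0; i < n; i++) miss /= 256.0; /* 256^-n */
    return 1.0 - miss;
}

int main(void) {
    int ok[4] = {1, 2, 3, 4};
    int overflow[5] = {1, 2, 3, 4, 99};        /* one int too many */
    printf("in-bounds copy: guard intact = %d\n", fill_frame(ok, 4));
    printf("overflow copy:  guard intact = %d\n", fill_frame(overflow, 5));
    printf("detection probability, n=4: %.14f\n", detect_probability(4));
    return 0;
}
```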