| Summary: | stack smash protection possibly evadable | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | John Richard Moser <nigelenki> |
| Component: | Hardened | Assignee: | Hardened Gentoo <hardened> |
| Status: | RESOLVED UPSTREAM | | |
| Severity: | major | | |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | x86 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | vuln.c | | |
Description
John Richard Moser
2004-03-17 23:44:43 UTC
Created attachment 27540
vuln.c
vuln.c, the almighty vuln tester!
Because I updated vuln.c but didn't update the steps to reproduce, Line 13 and Line 14 in the Steps to Reproduce should be Line 17 and Line 18. Sorry.

More testing shows that declaring char a[10] in the vuln_cpystr() function and copying a large buffer to a with strcpy() WILL terminate the program. Unfortunately, using a malloc()'d 10 byte buffer, stack smash protection does nothing:

with char *a = malloc(10) in vuln_cpystr(), strcpy(a,from):

```
bluefox@icebox bluefox $ gcc -O0 vuln.c -o vuln -fstack-protector-all
bluefox@icebox bluefox $ ./vuln 1234567890123456028965901635021649021904665123056
Copying input buffer of length 52 to internal buffer of length 10
Success.
```

with char a[10] in vuln_cpystr(), strcpy(a,from):

```
bluefox@icebox bluefox $ gcc -O0 vuln.c -o vuln -fstack-protector-all
bluefox@icebox bluefox $ ./vuln 1234567890123456028965901635021649021904665123056
Copying input buffer of length 52 to internal buffer of length 10
vuln: stack smashing attack in function vuln_cpystr()
Segmentation fault
```

Stack smash protection has a long way to go. We need:

- Protection of passed pointers
- Protection of malloc()ed buffers

Is there anything that Gentoo can do to address this bug?

I think if you have something to prove about defeating ssp you should take it UPSTREAM
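The report's two runs show the limit of `-fstack-protector-all`: the canary sits in the stack frame, so it catches the overflow of `char a[10]` but cannot see a `malloc(10)` buffer at all. The practical mitigation for the heap case is a bounds check before the copy. The following is an added example, not the attached vuln.c (which is not reproduced on this page); `bounded_copy()` and `vuln_cpystr_checked()` are hypothetical names, and the buffer length of 10 and the sample input are taken from the report.

```c
/* Added example: bounds-checked replacement for the heap variant of
 * vuln_cpystr() described in the report. Names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INTERNAL_LEN 10   /* same 10-byte internal buffer as in the report */

/* Copy src into dst, which holds dstlen bytes. Returns 0 on success and
 * -1 when src plus its NUL terminator would not fit; nothing is written
 * in the failure case, so the heap object is never overrun. */
int bounded_copy(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (dstlen == 0 || n >= dstlen)
        return -1;                 /* reject instead of overflowing */
    memcpy(dst, src, n + 1);       /* n + 1 copies the terminator too */
    return 0;
}

/* Heap version of the report's function: same malloc(10), but the copy
 * is explicitly checked because the stack protector does not cover
 * heap allocations. Returns 0 on success, -1 on oversize input. */
int vuln_cpystr_checked(const char *from)
{
    char *a = malloc(INTERNAL_LEN);
    if (a == NULL)
        return -1;
    printf("Copying input buffer of length %zu to internal buffer of length %d\n",
           strlen(from), INTERNAL_LEN);
    int rc = bounded_copy(a, INTERNAL_LEN, from);
    free(a);
    return rc;
}

int main(int argc, char **argv)
{
    /* Default to the long input from the report when no argument is given. */
    const char *input = argc > 1 ? argv[1]
        : "1234567890123456028965901635021649021904665123056";
    if (vuln_cpystr_checked(input) != 0) {
        fprintf(stderr, "input too long for internal buffer, refusing to copy\n");
        return 1;
    }
    puts("Success.");
    return 0;
}
```

Built with the same `gcc -O0 -fstack-protector-all` line as the report, this version prints the refusal message for the long input instead of "Success.", which is the behaviour the canary alone cannot provide for heap memory.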