Ubuntu
eglibc package

stack protector guard value does not lead with a NULL byte

Bug #413278 reported by Kees Cook
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
GLibC
Fix Released
Medium
eglibc (Ubuntu)
Fix Released
Medium
Kees Cook
Ubuntu karmic-alpha-5
Jaunty
Invalid
Medium
Unassigned
Karmic
Fix Released
Medium
Kees Cook
Ubuntu karmic-alpha-5
glibc (Ubuntu)
Invalid
Undecided
Unassigned
Jaunty
Fix Released
Medium
Kees Cook
Karmic
Invalid
Undecided
Unassigned

Bug Description

IMPACT: stack protections are weakened due to strcpy function being able to write the stack guard (since it does not start with a zero byte).
ADDRESSED: correctly implement leading zero, as done in Karmic.
DISCUSSION: regression potential is low, since the patch is isolated and well tested.

TEST CASE:
$ bzr branch lp:~ubuntu-bugcontrol/qa-regression-testing/master qa-regression-testing
$ cd qa-regression-testing/scripts
$ ./test-glibc-security.py -v
Build helper tools ... (9.10) ok
glibc heap protection ... ok
sprintf not pre-truncated with -D_FORTIFY_SOURCE=2 ... ok
glibc pointer obfuscation ... ok
Password hashes ... (sha512) ok
Stack guard exists ... ok
Stack guard leads with zero byte ... FAIL
Stack guard is randomized ... ok

======================================================================
FAIL: Stack guard leads with zero byte
----------------------------------------------------------------------
Traceback (most recent call last):
  File "./test-glibc-security.py", line 170, in test_81_stack_guard_leads_zero
    self.assertEqual(one.startswith('00 '), expected, one)
AssertionError: 62 55 59 69 cd 20 39 80

----------------------------------------------------------------------
Ran 8 tests in 0.145s

FAILED (failures=1)

expected outcome: 0 failures.

ProblemType: Bug
Architecture: amd64
Date: Thu Aug 13 13:59:02 2009
Dependencies:
 findutils 4.4.2-1
 gcc-4.4-base 4.4.1-1ubuntu3
 libc6 2.10.1-0ubuntu6
 libgcc1 1:4.4.1-1ubuntu3
DistroRelease: Ubuntu 9.10
Package: libc6 2.10.1-0ubuntu6
ProcEnviron:
 LANGUAGE=en_US.UTF-8
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-5.24-generic
SourcePackage: eglibc
Uname: Linux 2.6.31-5-generic x86_64

See original description
Revision history for this message
In , Kees Cook (kees) wrote :

When building the stack guard, it has been traditionally important to have the
value start (in memory) with a zero byte to protect the guard value (and the
rest of the stack past it) from being read via strcpy, etc.

This patch reduces the number of random bytes by one, leaving the leading zero byte.

Revision history for this message
In , Kees Cook (kees) wrote :

Created attachment 3933
keep leading zero

Revision history for this message
In , Kees Cook (kees) wrote :

I should clarify -- the read-blocking is nice, but the more common reason the
leading zero is important is to avoid the guard being written as part of a
larger overflow being written out by a str* function, if its value were leaked
to an attacker in some other way.

Kees Cook (kees)
Changed in eglibc (Ubuntu Karmic):
assignee: nobody → Kees Cook (kees)
importance: Undecided → Medium
milestone: none → karmic-alpha-5
Changed in eglibc (Ubuntu Jaunty):
assignee: nobody → Kees Cook (kees)
importance: Undecided → Medium
status: New → Invalid
Changed in glibc (Ubuntu Karmic):
status: New → Invalid
Changed in eglibc (Ubuntu Jaunty):
assignee: Kees Cook (kees) → nobody
Kees Cook (kees)
Changed in glibc (Ubuntu Jaunty):
assignee: nobody → Kees Cook (kees)
importance: Undecided → Medium
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package eglibc - 2.10.1-0ubuntu7

---------------
eglibc (2.10.1-0ubuntu7) karmic; urgency=low

  * patches/ubuntu/submitted-leading-zero-stack-guard.diff: require that
    the stack guard start with a zero-byte to protect against str*
    function more completely (LP: #413278).

 -- Kees Cook <email address hidden> Wed, 12 Aug 2009 16:35:43 -0700

Changed in eglibc (Ubuntu Karmic):
status: New → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in glibc:
status: Unknown → Confirmed
Revision history for this message
Kees Cook (kees) wrote :

Uploaded to -proposed...

description: updated
Revision history for this message
Martin Pitt (pitti) wrote :

Is that a regression from intrepid, or cause serious bugs? In particular, would this have helped to mitigate vulnerabilities which were discovered/fixed in jaunty?

This does not match the SRU criteria at first sight, so please elaborate about the impact a bit. The regression potential on this one seems to be excessively high to me, since it could potentially affect all programs (and some might do weird tricks with the stack, and got fixed later on for karmic).

Changed in glibc (Ubuntu Jaunty):
status: New → Incomplete
Revision history for this message
Kees Cook (kees) wrote :

This is a regression from Intrepid, yes. Upstream glibc changed how they constructed the random value, losing this protection from strcpy-style overflows. While I do not have any active examples of exploits that have read-access to stack memory and also a strcpy, I do feel the regression potential is low given that this patch does not change the locations of the stack protector, it just limits the first byte to 0.

Changed in glibc (Ubuntu Jaunty):
status: Incomplete → New
Revision history for this message
Martin Pitt (pitti) wrote :

Accepted glibc into jaunty-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

tags: added: regression-release
Changed in glibc (Ubuntu Jaunty):
status: New → Fix Committed
tags: added: verification-needed
Revision history for this message
Steve Beattie (sbeattie) wrote :

I have reproduced the issue with glibc from jaunty, 2.9-4ubuntu6, and can confirm that the version of glibc in jaunty-proposed, 2.9-4ubuntu6.1, has a stack canary value that contains a leading NULL byte. I've verified that the the glibc-security regression tests all pass on both i386 and amd64 with the version of glibc in proposed, as well ensuring that i386, amd64, and lpia systems successfully reboot and bring up a gnome desktop sessions, and have also ran through a few of the other qa-regression-tests to verify that the libc update didn't break anything with them.

The one downside to using a leading NULL byte is this reduces the search space that an attacker would to go through to brute-force an attempted overflow while guessing at the canary value; for 64 bit platforms, this only reduces the space to 56 bits which is tolerable, but on a 32 bit platform, the possible canary value space is reduced to 24 bits, which makes it possibly easier to successfully brute-force before the attack is noticed. (Note that one of the published weaknesses against ASLR is that on 32 bit platforms, the effective randomness is around 20-21 bits,and thus easily brute-forcible.) OTOH, given that a large percentage of such vulnerabilities are due to poor C string handling, this fix is a reasonable tradeoff given that it makes exploitation harder for those vulnerabilities. In an ideal world, the stack canary would be 64 or 128 bits wide on all platforms, but that has the potential to introduce noticable performance issues.

Marking verification-done.

tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package glibc - 2.9-4ubuntu6.1

---------------
glibc (2.9-4ubuntu6.1) jaunty-proposed; urgency=low

  * patches/ubuntu/submitted-leading-zero-stack-guard.diff: require that
    the stack guard start with a zero-byte to protect against str*
    function more completely (LP: #413278).

 -- Kees Cook <email address hidden> Tue, 25 Aug 2009 00:06:51 -0700

Changed in glibc (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Revision history for this message
In , Drepper-fsp (drepper-fsp) wrote :

I've applied a cleaner and more efficient patch.

Bug Watch Updater (bug-watch-updater)
Changed in glibc:
importance: Unknown → Medium
status: Confirmed → Fix Released
Revision history for this message
In , Kimolsun2020 (kimolsun2020) wrote :

http://www.iu-bloomington.com/
https://komiya-dental.com/
http://steemfilter.space/
http://michielleunens.tech/
http://sleepypoetstuff.website/
http://biciclubvalencia.website/
http://reputation-management.site/
http://pitesti.online/
http://tobuweb.space/
http://ancientmariners.online/
http://betwsycoednet.online
http://kuzin.website
http://kundaliniyoga.tech
http://localpay.tech
http://my-iframe.online
http://getimov.xyz/
http://ooviv.xyz/
http://mirei.xyz
http://toblek.xyz/
http://sevenwonders.store
http://peralga.xyz/
https://texastourgear.live
http://freixenet.site/influencerprogramme/
http://timvanorden.store/
http://rhee.tech/
http://f3group.online/
https://www.hlungomare.store/
https://www.lungomarebikehotel.store
http://www.lvmaimai.xyz/
https://sozdanie.site/
http://www.tabletshop.xyz/
http://steroidslegit.xyz/
http://ruirui.store/
http://www.foamhands.store/
http://www.i-obchody.info/
http://naughtyrobot.digital/
https://www.webb-dev.co.uk/
https://waytowhatsnext.com/
http://troubadourtunes.online/
http://www.babygadgets.xyz/
http://agens128.site/
http://hydra-official.site/
http://www.gardensupplies.xyz/
http://www.learntosurf.xyz/
http://www.handmadecandle.xyz/
http://www.divingcourses.xyz/
http://www.vapingpro.xyz/
http://www.partypieces.xyz/
http://www.cookwareonline.xyz/
http://www.fencesuppliers.xyz/
http://alaskamysterypictures.website/
http://j70sanfranciscobay.website
http://vloerverwarming.xyz/
http://koffieautomaat.xyz/
http://motherlode.store/
http://yamaro-everyfish.store/
http://ipatovo.store/
http://tinguely.site/
http://wasillahomes.website/
http://www-look-4.com/

Revision history for this message
In , Mehmetgelisin (mehmetgelisin) wrote :
Download full text (5.3 KiB)

gdb/dwarf: disable per-BFD resource sharing for -readnow objfiles

    New in v2:

      - Disable sharing only for -readnow objfiles, not all objfiles.

    As described in PR 27541, we hit an internal error when loading a binary
    the standard way and then loading it with the -readnow option:

        $ ./gdb -nx -q --data-directory=data-directory ~/a.out -ex "set confirm off" -ex "file -readnow ~/a.out"
        Reading symbols from /home/simark/a.out...
        Reading symbols from ~/a.out...
        /home/simark/src/binutils-gdb/gdb/dwarf2/read.c:8098: internal-error: void create_all_comp_units(dwarf2_per_objfile*): Assertion `per_objfile->per_bfd->all_comp_units.empty ()' failed.

    This is a recurring problem that exposes a design issue in the DWARF
    per-BFD sharing feature. Things work well when loading a binary with
    the same method (with/without index, with/without readnow) twice in a
    row. But they don't work so well when loading a binary with different
    methods. See this previous fix, for example:

        efb763a5ea35 ("gdb: check for partial symtab presence in dwarf2_initialize_objfile")

    That one handled the case where the first load is normal (uses partial
    symbols) and the second load uses an index.

    The problem is that when loading an objfile with a method A, we create a
    dwarf2_per_bfd and some dwarf2_per_cu_data and initialize them with the
    data belonging to that method. When loading another obfile sharing the
    same BFD but with a different method B, it's not clear how to re-use the
    dwarf2_per_bfd/dwarf2_per_cu_data previously created, because they
    contain the data specific to method A. https://komiya-dental.com/

    I think the most sensible fix would be to not share a dwarf2_per_bfd
    between two objfiles loaded with different methods. That means that two
    objfiles sharing the same BFD and loaded the same way would share a
    dwarf2_per_bfd. Two objfiles sharing the same BFD but loaded with
    different methods would use two different dwarf2_per_bfd structures. http://www.iu-bloomington.com/

    However, this isn't a trivial change. So to fix the known issue quickly
    (including in the gdb 10 branch), this patch just disables all
    dwarf2_per_bfd sharing for objfiles using READNOW.

    Generalize the gdb.base/index-cache-load-twice.exp test to test all
    the possible combinations of loading a file with partial symtabs, index
    and readnow. Move it to gdb.dwarf2, since it really exercises features
    of the DWARF
gdb/dwarf: disable per-BFD resource sharing for -readnow objfiles
     https://www.webb-dev.co.uk/
    New in v2:

      - Disable sharing only for -readnow objfiles, not all objfiles.

    As described in PR 27541, we hit an internal error when loading a binary
    the standard way and then loading it with the -readnow option:
    https://waytowhatsnext.com/
        $ ./gdb -nx -q --data-directory=data-directory ~/a.out -ex "set confirm off" -ex "file -readnow ~/a.out"
        Reading symbols from /home/simark/a.out...
        Reading symbols from ~/a.out...
        /home/simark/src/binut...

Read more...

Revision history for this message
In , Gulsenenginar (gulsenenginar) wrote :
Download full text (4.2 KiB)

$ ./gdb -nx -q --data-directory=data-directory ~/a.out -ex "set confirm off" -ex "file -readnow ~/a.out" http://www-look-4.com/category/technology/
        Reading symbols from /home/simark/a.out...
        Reading symbols from ~/a.out...
        /home/simark/src/binutils-gdb/gdb/dwarf2/read.c:8098: https://komiya-dental.com/shopping/safety-for-online-shopping/ internal-error: void create_all_comp_units(dwarf2_per_objfile*): Assertion `per_objfile->per_bfd->all_comp_units.empty ()' failed.
    http://www.iu-bloomington.com/health/health-and-cannabis/
    This is a recurring problem that exposes a design issue in the DWARF
    per-BFD sharing feature. Things work well when loading a binary with https://waytowhatsnext.com/crypto/bought-house-with-bitcoin/
    the same method (with/without index, with/without readnow) twice in a
    row. But they don't work so well when loading a binary with different
    methods. See this previous fix, for example:
    http://www.wearelondonmade.com/category/health/
        efb763a5ea35 ("gdb: check for partial symtab presence in dwarf2_initialize_objfile")

    That one handled the case where the first load is normal (uses partial
    symbols) and the second load uses an index. http://www.jopspeech.com/category/services/

    The problem is that when loading an objfile with a method A, we create a
    dwarf2_per_bfd and some dwarf2_per_cu_data and initialize them with the
    data belonging to that method. http://joerg.li/category/health/ When loading another obfile sharing the
    same BFD but with a different method B, it's not clear how to re-use the
    dwarf2_per_bfd/dwarf2_per_cu_data previously created, because they
    contain the data specific to method A http://connstr.net/category/health/
$ ./gdb -nx -q --data-directory=data-directory ~/a.out -ex "set confirm off" -ex "file -readnow ~/a.out" http://embermanchester.uk/category/health/
        Reading symbols from /home/simark/a.out...
        Reading symbols from ~/a.out...
        /home/simark/src/binutils-gdb/gdb/dwarf2/read.c:8098: internal-error: void create_all_comp_units(dwarf2_per_objfile*): Assertion http://www.slipstone.co.uk/category/health/ `per_objfile->per_bfd->all_comp_units.empty ()' failed.

    This is a recurring problem that exposes a design issue in the DWARF http://www.logoarts.co.uk/category/services/
    per-BFD sharing feature. Things work well when loading a binary with
    the same method (with/without index, with/without readnow) twice in a
    row. But they don't work so well when http://www.acpirateradio.co.uk/category/tech/ loading a binary with different
    methods. See this previous fix, for example:

        efb763a5ea35 ("gdb: check for partial symtab presence in dwarf2_initialize_objfile")
     http://www.compilatori.com/category/health/
    That one handled the case where the first load is normal (uses partial
    symbols) and the second load uses an index.

    The problem is that when loading an objfile with a method A, we create a
    dwarf2_per_bfd and some dwarf2_per_cu_data and initialize them with the
    data belonging to that method. When loading another obfile sharing the
...

Read more...

Revision history for this message
In , Glassmtech (glassmtech) wrote :
Download full text (3.5 KiB)

http://www.ремонты-квартир.com/
http://www.дизайн-квартиры.com/
http://www.о-ремонте.com/
http://www.о-заборах.com/
http://www.bsegypt.com/
http://www.buyingrealty.net/
http://www.khersonnews.com/
http://www.kontrolstroy.info/
http://www.sama-mama.com/
http://www.secretovnet.org/
http://www.teleriko.com/
http://www.us-best-store.com/
http://www.віктор.com/
http://www.accord-hotel.ru/
http://releazer.ru/
http://www.a-n-e-k-d-o-t.ru/
http://www.adhan.ru/
https://www.al-aures.ru/
http://www.apriori-design.ru/
https://artdoski.ru/
http://www.bombusmod.net.ru/
http://www.canadianahealthandcaremallreviews.ru/
http://www.celestiaproject.ru/
http://www.cryptogu.ru/
http://www.downloadskypefree.ru/
http://www.encyclopedia-flowers.ru/
http://www.factura.net.ru/
https://freewizards.ru/
https://futurefactory.ru/
http://glina-med.ru/
https://google-dmoz.ru/
https://iix.su/
http://www.imperia51.ru/
http://www.info-tehnologii.ru/
http://www.kvartira-v-bolgarii.ru/
http://ljubi-i-pozdravljaj.ru/
http://www.majesticarticles.ru/
http://www.onlinecredit247.ru/
http://www.orfey.net.ru/
http://www.pgpk.net.ru/
http://www.rainbow.net.ru/
https://www.rainbowbaby.ru/
https://www.respublika-okon.ru/
http://ribku-lovim.ru/
https://rusorchestra.ru/
https://shmoscow.ru/
http://www.skifspb.ru/
http://www.spare.net.ru/
http://www.stranainform.ru/
http://www.taxi-smile.ru/
http://www.tkanishik.ru/
https://www.tremulous.net.ru/
http://trust-women.ru/
https://uralbel.ru/
http://www.yar-art-union.ru/
http://www.xn----7sbcngq4awkg0k.xn--p1ai/
http://www.xn----7sbbmgbytlh3a0ll.xn--p1ai/
http://www.xn--35-mlcuxidl.xn--p1ai/
http://www.xn--f1addf1alkk1d.xn--p1ai/
http://www.history-of-great-discoveries.com/
http://www.it-business-trends.com
http://www.interesting-history-of-art.com
http://www.interesting-news-about-cars.com
http://www.architecture-and-design-news.com
https://ремонты-квартир.com/
https://дизайн-квартиры.com/
https://о-ремонте.com/
https://о-заборах.com/
https://bsegypt.com/
https://buyingrealty.net/
https://khersonnews.com/
https://kontrolstroy.info/
https://sama-mama.com/
https://secretovnet.org/
https://teleriko.com/
https://us-best-store.com/
https://віктор.com/
https://accord-hotel.ru/
https://www.releazer.ru/
https://a-n-e-k-d-o-t.ru/
https://adhan.ru/
http://al-aures.ru/
https://apriori-design.ru/
http://www.artdoski.ru/
https://bombusmod.net.ru/
https://canadianahealthandcaremallreviews.ru/
https://celestiaproject.ru/
https://cryptogu.ru/
https://downloadskypefree.ru/
https://encyclopedia-flowers.ru/
https://factura.net.ru/
http://www.freewizards.ru/
http://www.futurefactory.ru/
https://www.glina-med.ru/
http://www.google-dmoz.ru/
http://www.iix.su/
https://imperia51.ru/
https://info-tehnologii.ru/
https://kvartira-v-bolgarii.ru/
https://www.ljubi-i-pozdravljaj.ru/
https://majesticarticles.ru/
https://onlinecredit247.ru/
https://orfey.net.ru/
https://pgpk.net.ru/
https://rainbow.net.ru/
http://rainbowbaby.ru/
http://respublika-okon.ru/
https://www.ribku-lovim.ru/
http://www.rusorchestra.ru/
http://www.shmoscow.ru/
https://skifspb.ru/
https://spare.net.ru/
https://stranainform.ru/
https://taxi-smile.ru/
https://tkanishik.ru/
http://tremulous.net.ru/
https://...

Read more...

Revision history for this message
In , Bryanmcsp (bryanmcsp) wrote :

When building the stack guard, it has been traditionally important to have the
value start (in memory) with a zero byte to protect the guard value (and the
rest of the stack past it) from being read via strcpy, etc.

This patch reduces the number of random bytes by one, leaving the leading zero byte. https://www.kildarehousebuilders.ie

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.