ProPolice/SSP in 7.0
Anders Hanssen
anders at rethink.no
Sun Dec 30 05:50:36 PST 2007
Hi!
Mike Silbersack wrote:
> Since the subject came up, I just tried using it, and it's not giving
> me the results I expected.
> But if I compile it like so:
>> cc -g -fstack-protector overrun.c
>
> The overrun is not caught.
>> ./a.out
> hi>
>
> Either I'm doing something wrong, or we have gcc misconfigured and
> it's not detecting that strcpy is a function which needs to be
> watched closedly.
My first guess would be that gcc knew the length of "ABCDE" and decided
it would fit in the stack buffer without overwriting anything used by
the program (because of alignment and the ideal stack layout).
But, anyway, I changed your program to strcpy() from argv instead,
hoping it would turn on ssp for overrun(). Still no protection.
# ./test AAAAAAAAAAAAAAAA
Segmentation fault: 11 (core dumped)
# gdb ./test test.core
[...]
#0 0x41414141 in ?? ()
A look at the generated code confirms it does not use ssp for overrun()
void
overrun(const char *str)
{
int x;
char a[4];
int y;
strcpy(a, str);
printf("hi");
}
# gcc -S -fstack-protector test.c
overrun:
pushl %ebp
movl %esp, %ebp
subl $24, %esp
movl 8(%ebp), %eax
movl %eax, 4(%esp)
leal -8(%ebp), %eax
movl %eax, (%esp)
call strcpy
movl $.LC1, (%esp)
call printf
leave
ret
# gcc -S -fstack-protector-all test.c
overrun:
pushl %ebp
movl %esp, %ebp
subl $40, %esp
movl 8(%ebp), %eax
movl %eax, -20(%ebp)
movl __stack_chk_guard, %eax ; put stack cookie in eax
movl %eax, -4(%ebp) ; store it on the stack
xorl %eax, %eax
movl -20(%ebp), %eax
movl %eax, 4(%esp)
leal -8(%ebp), %eax
movl %eax, (%esp)
call strcpy
movl $.LC1, (%esp)
call printf
movl -4(%ebp), %eax ; read cookie
xorl __stack_chk_guard, %eax ; if cookie is not changed,
je .L8 ; return
call __stack_chk_fail ; else abort
.L8:
leave
ret
Anyway, I don't know why gcc fail to see that overrun() needs protection.
--
Anders
More information about the freebsd-security
mailing list