This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.



[Bug middle-end/81400] Stack smashing not caught by stack protector strong and allowing me to stack smash


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81400

--- Comment #3 from Chris Severance <gccbugzilla.severach at spamgourmet dot com> ---
Unless there's a security reason, 0 should never be used as a canary value.
Errant \0 should be caught 100% of the time. When I built malloc canaries for
NPPTextFX I expressly avoided \0.

data[SMASH_ALIGN]='f' should be caught by bounds checking or a shadow stack,
not ssp. It doesn't overwrite any canaries. It only writes to icanary which is
my canary, not a gcc canary. The only time it should be caught by ssp is when
icanary is disabled and it overwrites CNRY at the top of the stack.

For debug builds canaries should be placed between every stack variable and in
the unused space of aligned but undersized variables. Is there such an option?
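The following is an added illustration of the two points made in this comment (a \0 written one byte past a buffer is invisible to a canary whose value is 0, and a canary placed between stack variables catches an overflow that a single end-of-frame canary does not). It is not code from the bug report, from GCC, or from NPPTextFX. It uses a hypothetical `frame_t` struct to stand in for a stack frame; `local_canary` plays the role of the comment's `icanary` and `frame_canary` the role of the ssp canary. Names, values and layout are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical simulated frame (not GCC's real stack layout):
 * a buffer, a canary placed directly after it (like the comment's icanary),
 * a second variable, and an end-of-frame canary (standing in for ssp's). */
typedef struct {
    char data[8];
    uint64_t local_canary;   /* between variables: guards 'data' */
    char other[8];
    uint64_t frame_canary;   /* end of frame: what ssp would check */
} frame_t;

/* The demo assumes 'data' is immediately followed by local_canary. */
_Static_assert(offsetof(frame_t, local_canary) == sizeof(((frame_t *)0)->data),
               "demo assumes no padding between data and local_canary");

/* Constructed canary value: every byte is nonzero, so a stray \0 in any
 * byte position changes it regardless of endianness. */
#define NONZERO_CANARY 0x1122334455667788ULL

void frame_init(frame_t *f, uint64_t canary) {
    memset(f, 0, sizeof *f);
    f->local_canary = canary;
    f->frame_canary = canary;
}

/* Simulates a buggy copy: n bytes into 'data', then a terminating '\0' at
 * data[n]. With n == sizeof data the terminator lands one byte past the
 * buffer, i.e. in the first byte of local_canary. The write goes through an
 * unsigned char pointer inside the struct object so the demo itself stays
 * well-defined. */
void buggy_copy(frame_t *f, const char *src, size_t n) {
    unsigned char *base = (unsigned char *)f;
    memcpy(base + offsetof(frame_t, data), src, n);
    base[offsetof(frame_t, data) + n] = '\0';
}

int local_canary_intact(const frame_t *f, uint64_t expected) {
    return f->local_canary == expected;
}

int frame_canary_intact(const frame_t *f, uint64_t expected) {
    return f->frame_canary == expected;
}

/* 1 if the off-by-one \0 write is detected by the local canary, 0 if not. */
int nul_overflow_detected(uint64_t canary) {
    frame_t f;
    frame_init(&f, canary);
    buggy_copy(&f, "AAAAAAAA", sizeof f.data);   /* 8 bytes + '\0' at data[8] */
    return !local_canary_intact(&f, canary);
}

/* 1 if the end-of-frame canary is untouched by the same overflow. */
int frame_canary_survives(uint64_t canary) {
    frame_t f;
    frame_init(&f, canary);
    buggy_copy(&f, "AAAAAAAA", sizeof f.data);
    return frame_canary_intact(&f, canary);
}

int main(void) {
    printf("canary 0:       \\0 overflow detected by local canary? %d\n",
           nul_overflow_detected(0));
    printf("nonzero canary: \\0 overflow detected by local canary? %d\n",
           nul_overflow_detected(NONZERO_CANARY));
    printf("nonzero canary: end-of-frame canary still intact?       %d\n",
           frame_canary_survives(NONZERO_CANARY));
    return 0;
}
```

Run as-is: with canary value 0 the stray terminator overwrites a zero byte with zero and the check passes, so the corruption goes unnoticed; with a canary whose bytes are all nonzero the same write is detected. In both runs the end-of-frame canary is untouched, which is why a single ssp-style canary at the top of the frame would not flag this write, while a per-variable canary does.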
