[Bug middle-end/81400] Stack smashing not caught by stack protector strong and allowing me to stack smash
marxin at gcc dot gnu.org
gcc-bugzilla@gcc.gnu.org
Wed Jul 12 08:28:00 GMT 2017
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81400
Martin Liška <marxin at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |uros at gcc dot gnu.org
--- Comment #2 from Martin Liška <marxin at gcc dot gnu.org> ---
So there are 2 issues I can see:
1) Using -mstack-protector-guard=tls (which is default for recent glibc) causes
usage of %fs:40 as a canary value. However as it does not cooperate with
__guard_setup it has 0 as canary value. That's the reason why your buffer overflow
is not caught (and one needs to assign a non-zero value: data[SMASH_ALIGN]='f';).
I don't know who should be responsible for a set-up of the register as it's a
per thread value. Uros can you please help?
2) We have in gcc.c:
#ifndef LINK_SSP_SPEC
#ifdef TARGET_LIBC_PROVIDES_SSP
#define LINK_SSP_SPEC "%{fstack-protector|fstack-protector-all" \
"|fstack-protector-strong|fstack-protector-explicit:}"
#else
#define LINK_SSP_SPEC "%{fstack-protector|fstack-protector-all" \
"|fstack-protector-strong|fstack-protector-explicit" \
":-lssp_nonshared -lssp}"
#endif
#endif
That is wrong when one uses:
$ gcc smashme.c -fstack-protector-all -mstack-protector-guard=global
/tmp/ccq3aEcz.o: In function `smashme':
smashme.c:(.text+0xb): undefined reference to `__stack_chk_guard'
smashme.c:(.text+0x59): undefined reference to `__stack_chk_guard'
/tmp/ccq3aEcz.o: In function `main':
smashme.c:(.text+0x7b): undefined reference to `__stack_chk_guard'
smashme.c:(.text+0x94): undefined reference to `__stack_chk_guard'
collect2: error: ld returned 1 exit status
which should be fixed by:
diff --git a/gcc/gcc.c b/gcc/gcc.c
index e8e3d6687c3..0043f86d8d2 100644
--- a/gcc/gcc.c
+++ b/gcc/gcc.c
@@ -869,7 +869,8 @@ proper position among the other output files. */
#ifndef LINK_SSP_SPEC
#ifdef TARGET_LIBC_PROVIDES_SSP
#define LINK_SSP_SPEC "%{fstack-protector|fstack-protector-all" \
- "|fstack-protector-strong|fstack-protector-explicit:}"
+ "|fstack-protector-strong|fstack-protector-explicit:" \
+ "%{mstack-protector-guard=global:-lssp}}"
#else
#define LINK_SSP_SPEC "%{fstack-protector|fstack-protector-all" \
"|fstack-protector-strong|fstack-protector-explicit" \
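Review bot: the nested `%{mstack-protector-guard=global:-lssp}` fragment is placed only in the `TARGET_LIBC_PROVIDES_SSP` branch, which is the right place since the `#else` branch already links `-lssp_nonshared -lssp` unconditionally and so cannot produce the undefined `__stack_chk_guard` references shown above; however, the new branch adds `-lssp` alone while the `#else` branch adds `-lssp_nonshared -lssp`, so either add a short comment explaining why the static piece is not needed when the guard is global, or link the same pair in both places. A ChangeLog entry for gcc.c and a driver test that links the `smashme.c -fstack-protector-all -mstack-protector-guard=global` case from the report would also be expected with this change.

The two issues in the comment come down to what the runtime must supply for the global-guard model: a `__stack_chk_guard` symbol (otherwise the link fails as shown above) that holds a non-zero random value (otherwise, as with the uninitialised TLS word, an overflow that writes zeros over the canary is never caught). The block below is an added, self-contained illustration of such a minimal runtime and is not code from the bug report, from GCC or from libssp; it is the kind of thing a freestanding or bare-metal build provides when no libc/libssp is available. The names `make_guard`, `guard_is_usable` and `guard_setup` are this example's own, and it assumes a POSIX host with `/dev/urandom`. It is only exercised by the compiler when built with `-fstack-protector-strong -mstack-protector-guard=global`; without those flags it simply shows the guard value it would install.

```c
/* Added example: a minimal global-guard runtime for -fstack-protector with
 * -mstack-protector-guard=global. Not from the bug report, GCC or libssp. */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The symbol the compiler references in the global-guard model. Declared weak
 * so a libc that already provides it keeps working if this file is linked in.
 * It starts as 0, which is exactly the unusable state described in the report. */
uintptr_t __stack_chk_guard __attribute__((weak)) = 0;

/* A guard is usable only if it is non-zero: a zero canary is "preserved" by any
 * overflow that writes zeros, so the check in the epilogue never fires. */
int guard_is_usable(uintptr_t guard)
{
    return guard != 0;
}

/* Produce a fresh random guard from /dev/urandom. The lowest byte is cleared
 * (the convention glibc uses) so that string functions that stop at NUL cannot
 * copy the whole canary out of the stack. If no entropy source is available we
 * fall back to a fixed non-zero value rather than to 0, so the check still works. */
uintptr_t make_guard(void)
{
    uintptr_t guard = 0;
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd >= 0) {
        ssize_t got = read(fd, &guard, sizeof guard);
        close(fd);
        if (got != (ssize_t)sizeof guard)
            guard = 0;
    }
    if (guard == 0)
        guard = (uintptr_t)0x5a5a5a5a5a5a5a00ULL;   /* hypothetical fallback */
    guard &= ~(uintptr_t)0xff;                       /* clear the low byte */
    if (guard == 0)                                  /* all-zero after masking? */
        guard = (uintptr_t)0x0100;
    return guard;
}

/* Runs before main(), like libssp's __guard_setup, and installs the value. */
__attribute__((constructor)) static void guard_setup(void)
{
    __stack_chk_guard = make_guard();
}

/* Called by the epilogue check when the canary was modified; must not return. */
__attribute__((weak, noreturn)) void __stack_chk_fail(void)
{
    static const char msg[] = "*** stack smashing detected ***\n";
    (void)!write(STDERR_FILENO, msg, sizeof msg - 1);
    abort();
}

int main(void)
{
    printf("installed guard: %#lx (usable: %s)\n",
           (unsigned long)__stack_chk_guard,
           guard_is_usable(__stack_chk_guard) ? "yes" : "no");
    return 0;
}
```

Building this with `-fstack-protector-all -mstack-protector-guard=global` resolves the `__stack_chk_guard` references from the link error above without `-lssp`, and any function whose canary is overwritten ends in `__stack_chk_fail`; the `guard_is_usable` check is the property the TLS path in issue 1 currently violates.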