svn commit: r332940 - head/lib/libc/secure

Konstantin Belousov kib at FreeBSD.org
Tue Apr 24 15:59:40 UTC 2018 

Author: kib
Date: Tue Apr 24 15:59:39 2018
New Revision: 332940
URL: https://svnweb.freebsd.org/changeset/base/332940

Log:
  Carefully update stack guard bytes inside __guard_setup().
  
  This is necessary to make sure that functions that can have stack
  protection are not used to update the stack guard. If not, the stack
  guard check would fail when it shouldn't.
  
  guard_setup() calls elf_aux_info(), which, in turn, calls memcpy() to
  update stack_chk_guard.  If either elf_aux_info() or memcpy() have
  stack protection enabled, __stack_chk_guard will be modified before
  returning from them, causing the stack protection check to fail.
  
  This change uses a temporary buffer to delay changing
  __stack_chk_guard until elf_aux_info() returns.
  
  Submitted by:	Luis Pires
  MFC after:	1 week
  Differential revision:	https://reviews.freebsd.org/D15173

Modified:
  head/lib/libc/secure/stack_protector.c

Modified: head/lib/libc/secure/stack_protector.c
==============================================================================
--- head/lib/libc/secure/stack_protector.c	Tue Apr 24 15:04:07 2018	(r332939)
+++ head/lib/libc/secure/stack_protector.c	Tue Apr 24 15:59:39 2018	(r332940)
@@ -54,15 +54,27 @@ static void
 __guard_setup(void)
 {
 	static const int mib[2] = { CTL_KERN, KERN_ARND };
+	volatile long tmp_stack_chk_guard[nitems(__stack_chk_guard)];
 	size_t len;
-	int error;
+	int error, idx;
 
 	if (__stack_chk_guard[0] != 0)
 		return;
-	error = _elf_aux_info(AT_CANARY, __stack_chk_guard,
-	    sizeof(__stack_chk_guard));
-	if (error == 0 && __stack_chk_guard[0] != 0)
+	/*
+	 * Avoid using functions which might have stack protection
+	 * enabled, to update the __stack_chk_guard.  First fetch the
+	 * data into a temporal array, then do manual volatile copy to
+	 * not allow optimizer to call memcpy() behind us.
+	 */
+	error = _elf_aux_info(AT_CANARY, (void *)tmp_stack_chk_guard,
+	    sizeof(tmp_stack_chk_guard));
+	if (error == 0 && tmp_stack_chk_guard[0] != 0) {
+		for (idx = 0; idx < nitems(__stack_chk_guard); idx++) {
+			__stack_chk_guard[idx] = tmp_stack_chk_guard[idx];
+			tmp_stack_chk_guard[idx] = 0;
+		}
 		return;
+	}
 
 	len = sizeof(__stack_chk_guard);
 	if (__sysctl(mib, nitems(mib), __stack_chk_guard, &len, NULL, 0) ==

More information about the svn-src-all mailing list