From 06da50afc71a5ab2bc63de54c66930a2dbe379cd Mon Sep 17 00:00:00 2001 From: Brian Gianforcaro Date: Fri, 1 Jan 2021 15:27:42 -0800 Subject: Build + LibC: Enable -fstack-protector-strong in user space Modify the user mode runtime to insert stack canaries to find stack corruptions. The `-fstack-protector-strong` variant was chosen because it catches more issues than vanilla `-fstack-protector`, but doesn't have substantial performance impact like `-fstack-protector-all`. Details: -fstack-protector enables stack protection for vulnerable functions that contain: * A character array larger than 8 bytes. * An 8-bit integer array larger than 8 bytes. * A call to alloca() with either a variable size or a constant size bigger than 8 bytes. -fstack-protector-strong enables stack protection for vulnerable functions that contain: * An array of any size and type. * A call to alloca(). * A local variable that has its address taken. Example of it catching corrupting in the `stack-smash` test: ``` courage ~ $ ./user/Tests/LibC/stack-smash [+] Starting the stack smash ... Error: Stack protector failure, stack smashing detected! Shell: Job 1 (/usr/Tests/LibC/stack-smash) Aborted ``` --- Userland/Tests/LibC/stack-smash.cpp | 54 +++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 Userland/Tests/LibC/stack-smash.cpp (limited to 'Userland/Tests/LibC/stack-smash.cpp') diff --git a/Userland/Tests/LibC/stack-smash.cpp b/Userland/Tests/LibC/stack-smash.cpp new file mode 100644 index 0000000000..00f6f44aa5 --- /dev/null +++ b/Userland/Tests/LibC/stack-smash.cpp @@ -0,0 +1,54 @@ +/* + * Copyright (c) 2021, Brian Gianforcaro + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, this + * list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include + +// Note: Needs to be 'noline' so stack canary isn't optimized out. +static void __attribute__((noinline)) smasher(char* string) +{ +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Warray-bounds" + for (int i = 0; i < 256; i++) { + string[i] = 'A'; + } +#pragma GCC diagnostic pop +} + +// Note: Needs to be 'noline' so stack canary isn't optimized out. +static void __attribute__((noinline)) stack_to_smash() +{ + char string[8] = {}; + smasher(string); +} + +int main() +{ + puts("[+] Starting the stack smash..."); + stack_to_smash(); + puts("[+] Stack smash wasn't detected!"); + + return 0; +} -- cgit v1.2.3