
Bug#827073: libc6: canary value should include null byte



Subject: libc6: Canary value should include null byte
Package: libc6
Severity: normal

Dear Maintainer,

If it doesn't already, the canary value at the end of the stack should
include a null byte.  strcpy() won't be able to copy over that without
corrupting it:
If it copies the null byte, it won't hit the stack pointer, because it
stops at the null byte.  Program still crashes.
If it copies something else, the null byte will be corrupted, and the
program will crash before it does what the hacker wants.
If the canary value is 32 or 64 bits, it's still going to be quite
unpredictable.

That still leaves fun things like memcpy(), but it would make exploits
of sloppy strcpy() calls a no-go.

-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
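The mechanism the report describes, as an added educational model that is not part of the bug report or of glibc: a flat byte array stands in for one little-endian stack frame (buffer, canary, then a saved word), a strcpy-style loop copies an input into it, and the epilogue check runs afterwards. It shows why a canary whose lowest-addressed byte is zero cannot be reproduced by a NUL-terminated string, while one with no zero byte can. The frame offsets, outcome names and sample values are constructed; glibc does in fact clear that byte of the stack guard on little-endian targets.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame layout (little-endian host assumed): 8-byte buffer,
 * 8-byte canary, then an 8-byte saved word standing in for the return address. */
#define BUF_OFF    0
#define CANARY_OFF 8
#define SAVED_OFF  16
#define FRAME_LEN  24

enum outcome { GUARD_OK = 0, GUARD_TRIPPED = 1, GUARD_BYPASSED = 2 };

/* Clear the byte stored at the canary's lowest address (the low byte on
 * little-endian), so no C string can contain the full canary value. */
uint64_t canary_with_null_byte(uint64_t random) {
    return random & ~(uint64_t)0xff;
}

/* Copy src into the buffer with strcpy semantics (stop only at NUL, no bound),
 * then perform the canary check a protected function's epilogue would do. */
enum outcome run_frame(uint64_t canary, const char *src) {
    unsigned char mem[FRAME_LEN], saved_before[8];
    memset(mem, 0, sizeof mem);
    memcpy(mem + CANARY_OFF, &canary, 8);
    memset(mem + SAVED_OFF, 0xAA, 8);              /* recognisable saved word */
    memcpy(saved_before, mem + SAVED_OFF, 8);

    for (size_t i = 0; i < FRAME_LEN; i++) {        /* bounded only by the model */
        mem[BUF_OFF + i] = (unsigned char)src[i];
        if (src[i] == '\0') break;                  /* strcpy stops at the first NUL */
    }

    if (memcmp(mem + CANARY_OFF, &canary, 8) != 0) return GUARD_TRIPPED;
    if (memcmp(mem + SAVED_OFF, saved_before, 8) != 0) return GUARD_BYPASSED;
    return GUARD_OK;
}

int main(void) {
    uint64_t weak = 0x8877665544332211ULL;          /* constructed: no zero byte */
    uint64_t good = canary_with_null_byte(weak);    /* 0x8877665544332200 */
    /* A string carrying the weak canary's own bytes passes over it unchanged. */
    const char *reproduce = "AAAAAAAA\x11\x22\x33\x44\x55\x66\x77\x88" "BBBBBBBB";
    /* With the zero byte, the string would have to contain NUL, where the copy
     * stops; leaving the zero out corrupts the canary instead. */
    const char *skip_null = "AAAAAAAA\x22\x33\x44\x55\x66\x77\x88" "BBBBBBBB";
    printf("weak canary, bytes in string:  %d\n", run_frame(weak, reproduce));  /* 2 */
    printf("null-byte canary, same idea:   %d\n", run_frame(good, skip_null));  /* 1 */
    printf("null-byte canary, 8 chars+NUL: %d\n", run_frame(good, "AAAAAAAA")); /* 0 */
    return 0;
}
```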
