Bug#827073: marked as done (libc6: canary value should include null byte)
Your message dated Sun, 12 Jun 2016 00:34:52 +0200
with message-id <20160611223452.GA30615@aurel32.net>
and subject line Re: Bug#827073: libc6: canary value should include null byte
has caused the Debian Bug report #827073,
regarding libc6: canary value should include null byte
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
827073: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827073
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Subject: libc6: Canary value should include null byte
Package: libc6
Severity: normal
Dear Maintainer,
If it doesn't already, the canary value at the end of the stack should
include a null byte. strcpy() won't be able to copy over that without
corrupting it:
If it copies the null byte, it won't hit the stack pointer, because it
stops at the null byte. Program still crashes.
If it copies something else, the null byte will be corrupted, and the
program will crash before it does what the hacker wants.
If the canary value is 32 or 64 bits, it's still going to be quite
unpredictable.
That still leaves fun things like memcpy(), but it would make exploits
of sloppy strcpy() calls a no-go.
-- System Information:
Debian Release: 8.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
On 2016-06-11 16:55, Peter S wrote:
> Subject: libc6: Canary value should include null byte
> Package: libc6
> Severity: normal
>
> Dear Maintainer,
>
> If it doesn't already, the canary value at the end of the stack should
> include a null byte. strcpy() won't be able to copy over that without
> corrupting it:
> If it copies the null byte, it won't hit the stack pointer, because it
> stops at the null byte. Program still crashes.
> If it copies something else, the null byte will be corrupted, and the
> program will crash before it does what the hacker wants.
> If the canary value is 32 or 64 bits, it's still going to be quite
> unpredictable.
>
> That still leaves fun things like memcpy(), but it would make exploits
> of sloppy strcpy() calls a no-go.
The canary value has included a null byte for more than 5 years already.
Please see this commit for more details:
https://sourceware.org/git/?p=glibc.git;a=commit;h=15a856b1090669df0aec536edbdf240e71a470ca
Closing the bug.
--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurelien@aurel32.net http://www.aurel32.net
--- End Message ---
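The reasoning in the report, worked through as an added illustration that is not part of the bug report, the maintainer's reply, or glibc: a stack frame is simulated in a flat byte array (buffer, then an 8-byte canary whose lowest-address byte is 0x00, then a "saved return address"), and a strcpy()-style copy of a source string of every length is run over it. In glibc the zero byte likewise sits at the canary's lowest address, so it is the first canary byte an upward-running copy reaches; the frame layout, the canary bytes and the return-address bytes below are constructed for this demo, and the copy is bounded by the array so the simulation itself never writes out of bounds.

```c
/*
 * Added illustration (not code from the bug report or from glibc): a simulated
 * stack frame in a byte array, showing why a canary whose first byte is 0x00
 * cannot be passed by a strcpy()-style copy without being corrupted.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE    16                         /* vulnerable buffer            */
#define CANARY_OFF  BUF_SIZE                   /* canary directly after buffer */
#define CANARY_SIZE 8
#define RET_OFF     (CANARY_OFF + CANARY_SIZE) /* "saved return address"       */
#define FRAME_SIZE  (RET_OFF + 8)

/* Constructed canary: byte 0 (lowest address) is zero, the other seven are
 * arbitrary non-zero values standing in for the random bytes glibc uses. */
static const unsigned char CANARY[CANARY_SIZE] =
    { 0x00, 0x2a, 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a };

/* Constructed "saved return address" bytes (a fake little-endian pointer). */
static const unsigned char RET[8] =
    { 0x34, 0x12, 0x55, 0x55, 0x55, 0x55, 0x00, 0x00 };

struct result {
    int canary_intact;   /* 1 if every canary byte still matches */
    int ret_overwritten; /* 1 if any byte of the return address changed */
};

/* strcpy() semantics: copy bytes up to and including the terminating NUL.
 * Bounded by FRAME_SIZE only so this demo never writes outside the array. */
static void sim_strcpy(unsigned char *frame, const char *src)
{
    for (size_t i = 0; i < FRAME_SIZE; i++) {
        frame[i] = (unsigned char)src[i];
        if (src[i] == '\0')
            return;
    }
}

/* Build the frame, copy src into its buffer, report what survived. */
struct result overflow(const char *src)
{
    unsigned char frame[FRAME_SIZE];
    struct result r;

    memset(frame, 0, sizeof frame);
    memcpy(frame + CANARY_OFF, CANARY, CANARY_SIZE);
    memcpy(frame + RET_OFF, RET, sizeof RET);

    sim_strcpy(frame, src);

    r.canary_intact   = memcmp(frame + CANARY_OFF, CANARY, CANARY_SIZE) == 0;
    r.ret_overwritten = memcmp(frame + RET_OFF, RET, sizeof RET) != 0;
    return r;
}

/* Try 'A' strings of every length up to twice the frame. Returns 1 if no
 * length manages to touch the return address while leaving the canary intact:
 * the terminator can only land on the canary's zero byte (copy stops there),
 * and any longer string writes a non-zero byte over that zero. */
int invariant_holds(void)
{
    char src[2 * FRAME_SIZE + 1];
    for (size_t len = 0; len <= 2 * FRAME_SIZE; len++) {
        memset(src, 'A', len);
        src[len] = '\0';
        struct result r = overflow(src);
        if (r.ret_overwritten && r.canary_intact)
            return 0;
    }
    return 1;
}

int main(void)
{
    char src[2 * FRAME_SIZE + 1];
    printf("len  canary_intact  ret_overwritten\n");
    for (size_t len = 15; len <= 25; len++) {
        memset(src, 'A', len);
        src[len] = '\0';
        struct result r = overflow(src);
        printf("%3zu  %13d  %15d\n", len, r.canary_intact, r.ret_overwritten);
    }
    printf("invariant (ret touched => canary corrupted): %s\n",
           invariant_holds() ? "holds" : "VIOLATED");
    return 0;
}
```

A 16-byte string is the interesting boundary: its terminator lands exactly on the canary's zero byte, so the canary survives but nothing beyond it is reached; one byte more and the zero is overwritten with a non-zero character. As the report itself notes, this only helps against C-string copies (strcpy, strcat and friends); a length-driven memcpy() or read() can embed a zero byte at the right offset and is not stopped by it.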