Expanding the list of "Hardened Packages"

Steve Grubb sgrubb at redhat.com
Sun Apr 14 01:34:25 UTC 2013


On Saturday, April 13, 2013 08:44:44 PM Richard W.M. Jones wrote:
> On Sat, Apr 13, 2013 at 08:36:53PM +0200, Kevin Kofler wrote:
> > Richard W.M. Jones wrote:
> > > (1) -fstack-protector{,-all} doesn't implement full bounds checking
> > > for every C object.
> > 
> > But it prevents (with probability (256^n-1)/256^n, where n is the size of
> > the canary in bytes, which for n=4 is approximately .99999999976717)
> > exploiting the overflows to change the return address of any C function.
> 
> I said it "doesn't implement full bounds checking for every C object",
> and I stand by that.

It doesn't have to. It only places a canary on the stack without any notion of 
size. This technique is pretty effective and ruins most functions that could be 
used for ROP gadgets. If the C object is on the heap, then all you have 
protecting you from coding mistakes is FORTIFY_SOURCE. It requires size 
information at compile time and most of the time it's not available.

> It doesn't cover stack objects smaller than some
> cut-off size, 

-fstack-protector-all really is all. The default in Fedora is 4 bytes which 
would cover cases where ints and char[] are interposed as in some networking 
code. But more importantly, the default stack-protector only kicks in when the 
object is a char array. If it's an int array or something exotic like an array 
within a struct, it does not kick in. That is what the -fstack-protector-strong 
patch provides. It's been floating around the internet and is the default 
for Chrome OS. All the testing I've done shows it catches all stack overflows 
of all kinds. We really need it integrated with Fedora's gcc.

-Steve
