Re: [PATCH] efi: Initialize canary to non-zero value

grub-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] efi: Initialize canary to non-zero value

From:	Glenn Washburn
Subject:	Re: [PATCH] efi: Initialize canary to non-zero value
Date:	Sat, 18 Nov 2023 15:01:30 -0600

On Mon, 13 Nov 2023 17:18:50 +0100
Daniel Kiper <dkiper@net-space.pl> wrote:

> On Sun, Nov 12, 2023 at 08:22:42AM +0100, Heinrich Schuchardt wrote:
> > On 11/12/23 04:23, Glenn Washburn wrote:
> > > The canary, __stack_chk_guard, is in the BSS and so will get initialized 
> > > to
> > > zero if it is not explicitly initialized. If the UEFI firmware does not
> > > support the RNG protocol, then the canary will not be randomized and will
> > > be used as zero. This seems like a possibly easier value to write by an
> > > attacker. Initialize canary to static random bytes, so that it is still
> > > random when there is not RNG protocol.
> > >
> > > Signed-off-by: Glenn Washburn <development@efficientek.com>
> >
> > Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
> 
> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
> 
> > > ---
> > >   grub-core/kern/efi/init.c | 2 +-
> > >   1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
> > > index 0e28bea17a76..b85d98ca47fd 100644
> > > --- a/grub-core/kern/efi/init.c
> > > +++ b/grub-core/kern/efi/init.c
> > > @@ -41,7 +41,7 @@ static grub_guid_t rng_protocol_guid = 
> > > GRUB_EFI_RNG_PROTOCOL_GUID;
> > >
> > >   static grub_efi_uint8_t stack_chk_guard_buf[32];
> > >
> > > -grub_addr_t __stack_chk_guard;
> > > +grub_addr_t __stack_chk_guard = (grub_addr_t) 0x92f2b7e2f193b25c;

I've come across more information[1] on this subject that leads me to
believe that at least the byte with the lowest memory address should be
a NULL byte (eg. grub_cpu_to_be64_compile_time(0x00f2b7e2f193b25c)) to
make the common case of string buffer overflows non-bypassable. And in
the absence of random bytes at runtime, it might be a good idea to xor
with the current time and perhaps the EFI app base load address. So I
suggest not merging this yet and I'll have a v2 coming soon.

Glenn

[1]
https://www.sans.org/blog/stack-canaries-gingerly-sidestepping-the-cage/

> 
> I would add last sentence from the commit message before this line.
> I can do it for you before push...
> 
> > >
> > >   void __attribute__ ((noreturn))
> > >   __stack_chk_fail (void)
> 
> Daniel

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH] efi: Initialize canary to non-zero value, Glenn Washburn, 2023/11/11
- Re: [PATCH] efi: Initialize canary to non-zero value, Heinrich Schuchardt, 2023/11/12
  - Re: [PATCH] efi: Initialize canary to non-zero value, Daniel Kiper, 2023/11/13
    - Re: [PATCH] efi: Initialize canary to non-zero value, Glenn Washburn, 2023/11/13
    - Re: [PATCH] efi: Initialize canary to non-zero value, Dimitri John Ledkov, 2023/11/13
    - Re: [PATCH] efi: Initialize canary to non-zero value, Glenn Washburn, 2023/11/18
    - Re: [PATCH] efi: Initialize canary to non-zero value, Glenn Washburn <=

Prev by Date: [PATCH v3 2/3] bli: Add explicit dependency on the part_gpt module
Next by Date: Re: [PATCH] efi: Initialize canary to non-zero value
Previous by thread: Re: [PATCH] efi: Initialize canary to non-zero value
Next by thread: [PATCH 0/2] Bli: fix hidden module dependency
Index(es):
- Date
- Thread