
LibELF: Add stack guard hardening

Employ the same hardening that glibc and the Linux kernel use for
generating stack guards: zero the first byte of the guard such that
if C-style string functions read out of bounds on the stack, we do
not overwrite or potentially leak the stack guard.
Keegan Saunders 2022-11-27 15:46:17 -05:00 committed by Andreas Kling
parent 89b23c473a
commit e575339564
2 changed files with 10 additions and 1 deletions


@ -13,6 +13,7 @@
#include <AK/HashTable.h>
#include <AK/LexicalPath.h>
#include <AK/NonnullRefPtrVector.h>
#include <AK/Platform.h>
#include <AK/ScopeGuard.h>
#include <AK/Vector.h>
#include <LibC/bits/pthread_integration.h>
@ -258,7 +259,14 @@ static void initialize_libc(DynamicObject& libc)
// This is not done in __libc_init, as we definitely have to return from that, and it might affect Loader as well.
res = libc.lookup_symbol("__stack_chk_guard"sv);
VERIFY(res.has_value());
arc4random_buf(res.value().address.as_ptr(), sizeof(uintptr_t));
void* stack_guard = res.value().address.as_ptr();
arc4random_buf(stack_guard, sizeof(uintptr_t));
#ifdef AK_ARCH_64_BIT
// For 64-bit platforms we include an additional hardening: zero the first byte of the stack guard to avoid
// leaking or overwriting the stack guard with C-style string functions.
((char*)stack_guard)[0] = 0;
#endif
res = libc.lookup_symbol("__environ_is_malloced"sv);
VERIFY(res.has_value());
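Review bot: The `#ifdef AK_ARCH_64_BIT` guard around the zeroing fails open: if that macro is ever undefined in this translation unit (for example if the newly added `AK/Platform.h` include is dropped later), the hardening compiles out with no diagnostic. The random fill is already sized by `sizeof(uintptr_t)`, so tying the condition to that size, `if constexpr (sizeof(uintptr_t) == 8) static_cast<char*>(stack_guard)[0] = 0;`, keeps the check next to what it protects and also replaces the C-style cast. The comment should also say why 32-bit targets are excluded, presumably because giving up 8 of 32 random bits weakens the guard too much, e.g. `// Costs 8 bits of guard entropy, so only done where the guard is 64 bits wide.` The body of initialize_libc starts and ends outside this hunk.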