public inbox for glibc-bugs@sourceware.org
From: "sstewartgallus00 at mylangara dot bc.ca" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug libc/12189] __stack_chk_fail should not attempt a backtrace
Date: Sun, 30 Mar 2014 00:42:00 -0000
Message-ID: <bug-12189-131-n9nw1DRtE8@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-12189-131@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=12189

Steven Stewart-Gallus <sstewartgallus00 at mylangara dot bc.ca> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sstewartgallus00@mylangara.bc.ca

--- Comment #12 from Steven Stewart-Gallus <sstewartgallus00 at mylangara dot bc.ca> ---
It might be possible to fork and execute a second uncorrupted process, but
simply aborting is safer and lazier. Something like the following might work:

#include <signal.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * In a real implementation this would be a real crash reporting
 * program. It would use /proc to examine debugging information such
 * as the command line. It could also do ptrace debugger stuff. It
 * could also be set by a command line option.
 */
#define CRASH_REPORTER "/bin/echo"

void stack_overflow(void);

int main(void)
{
    stack_overflow();
}

void stack_overflow(void)
{
    /*
     * As soon as possible give control over to a fresh crash reporter
     * instance. If any bad things happen abort immediately and don't
     * risk compromise due to an attack from an enemy.
     */

    /*
     * Fork a copy of the program to be debugged from the crash
     * reporter instance. The copy of the program must be the child
     * because certain systems are hardened to only allow parents of
     * the processes to do certain debugging tasks.
     */
    pid_t child = fork();
    if (-1 == child) {
        abort();
    }

    if (0 == child) {
        raise(SIGSTOP);
        /*
         * The child is the corrupted image. If anything resumes it, it
         * must not fall through into the execve below; abort instead.
         */
        abort();
    }

    /*
     * Don't bother with sprintf to minimize the chance of attacks:
     * format the pid as decimal digits by hand, filling the buffer
     * from the end. (Copying the raw pid bytes with memcpy would hand
     * the reporter a non-printable and possibly truncated argument.)
     * Three digits per byte plus the terminator is always enough.
     */
    char child_string[3 * sizeof child + 1];
    size_t pos = sizeof child_string - 1;
    child_string[pos] = '\0';
    pid_t n = child;
    do {
        child_string[--pos] = (char) ('0' + n % 10);
        n /= 10;
    } while (n > 0);

    /*
     * execve the crash reporter to use the thinnest possible wrapper
     * over the system call.
     */
    char * argv[] = {
        (char *) CRASH_REPORTER,
        child_string + pos,
        NULL
    };
    char * envp[] = { NULL };
    execve(CRASH_REPORTER, argv, envp);
    abort();
}

-- 
You are receiving this mail because:
You are on the CC list for the bug.
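
The reporter side of the sketch above, as an added example that is not part of the comment or of glibc: a minimal Linux crash reporter that takes the stopped child's pid from argv[1] (the argument the parent's execve passes), treats that argument as untrusted because it was produced by the corrupted process, waits until the child is really stopped, reads its /proc/<pid>/cmdline from a fresh, uncorrupted address space, and then kills the child rather than letting the corrupted image resume. The program name "crash-reporter", the usage text and the "ls -l" sample in the self-test are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * argv[1] came from the crashed, possibly attacker-influenced process,
 * so accept only a plain positive decimal number that fits a pid_t.
 * Returns the pid, or -1 for anything else.
 */
long parse_pid(const char *s)
{
    if (s == NULL || *s == '\0')
        return -1;
    long value = 0;
    for (; *s != '\0'; ++s) {
        if (*s < '0' || *s > '9')
            return -1;
        if (value > (INT_MAX - (*s - '0')) / 10)
            return -1;                      /* would not fit in a pid_t */
        value = value * 10 + (*s - '0');
    }
    return value > 0 ? value : -1;
}

/*
 * /proc/<pid>/cmdline stores the arguments NUL separated, the last one
 * NUL terminated as well.  Turn the separators into spaces in place so
 * the text prints as one line; returns the new length.
 */
size_t join_cmdline(char *buf, size_t len)
{
    if (len > 0 && buf[len - 1] == '\0')
        len--;                              /* drop the trailing terminator */
    for (size_t i = 0; i < len; ++i)
        if (buf[i] == '\0')
            buf[i] = ' ';
    buf[len] = '\0';
    return len;
}

/* Constructed sample: the bytes the kernel would return for "ls -l". */
int join_cmdline_selftest(void)
{
    char buf[8];
    memcpy(buf, "ls\0-l\0", 6);
    return join_cmdline(buf, 6) == 5 && strcmp(buf, "ls -l") == 0;
}

/* Read the child's command line with raw open/read; -1 on failure. */
ssize_t read_cmdline(pid_t pid, char *buf, size_t bufsize)
{
    char path[64];
    if (bufsize < 2 ||
        snprintf(path, sizeof path, "/proc/%ld/cmdline", (long) pid) >= (int) sizeof path)
        return -1;
    int fd = open(path, O_RDONLY);
    if (fd == -1)
        return -1;
    size_t total = 0;
    for (;;) {
        ssize_t n = read(fd, buf + total, bufsize - 1 - total);
        if (n == -1 && errno == EINTR)
            continue;
        if (n == -1) {
            close(fd);
            return -1;
        }
        if (n == 0)
            break;
        total += (size_t) n;
    }
    close(fd);
    return (ssize_t) join_cmdline(buf, total);
}

int main(int argc, char **argv)
{
    long pid = argc == 2 ? parse_pid(argv[1]) : -1;
    if (pid == -1) {
        static const char usage[] = "usage: crash-reporter <stopped-child-pid>\n";
        write(STDERR_FILENO, usage, sizeof usage - 1);
        return 2;
    }
    /*
     * raise(SIGSTOP) in the child and execve in the parent run
     * concurrently, so wait until the stop is actually reported.
     */
    int status;
    if (waitpid((pid_t) pid, &status, WUNTRACED) == -1 || !WIFSTOPPED(status)) {
        static const char msg[] = "child did not stop\n";
        write(STDERR_FILENO, msg, sizeof msg - 1);
        return 1;
    }
    char cmdline[4096];
    if (read_cmdline((pid_t) pid, cmdline, sizeof cmdline) >= 0)
        printf("*** stack smashing detected in pid %ld: %s\n", pid, cmdline);
    else
        printf("*** stack smashing detected in pid %ld (cmdline unavailable)\n", pid);
    /* The stopped child is the corrupted image; never let it resume. */
    kill((pid_t) pid, SIGKILL);
    waitpid((pid_t) pid, NULL, 0);
    return 0;
}
```

Built as crash-reporter, this is what CRASH_REPORTER in the sketch would point at instead of /bin/echo. Reading /proc/<pid>/cmdline from the reporter works because the reporter is the child's parent, which is what the sketch's comment about hardened systems (Yama-style ptrace scoping) is getting at; the waitpid(WUNTRACED) step is there because the reporter cannot assume the child's SIGSTOP has already taken effect when it starts.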



Thread overview: 19+ messages
2010-11-03 21:20 [Bug libc/12189] New: " kees at outflux dot net
2010-11-04  1:04 ` [Bug libc/12189] " drepper.fsp at gmail dot com
2010-11-04  9:52 ` pasky at suse dot cz
2010-11-04 11:25 ` drepper.fsp at gmail dot com
2013-08-29 21:46 ` kees at outflux dot net
2013-08-29 21:47 ` kees at outflux dot net
2013-08-29 21:53 ` kees at outflux dot net
2013-08-30 17:56 ` carlos at redhat dot com
2013-08-30 18:26 ` bugdal at aerifal dot cx
2013-08-30 19:12 ` carlos at redhat dot com
2013-08-30 20:52 ` joseph at codesourcery dot com
2013-08-30 21:02 ` joseph at codesourcery dot com
2013-09-03 20:43 ` carlos at redhat dot com
2014-03-30  0:42 ` sstewartgallus00 at mylangara dot bc.ca [this message]
2014-06-13 10:58 ` fweimer at redhat dot com
2014-06-13 12:18 ` fweimer at redhat dot com
2015-02-24 12:46 ` [Bug libc/12189] __stack_chk_fail should not attempt a backtrace (CVE-2010-3192) fweimer at redhat dot com
2015-02-24 12:48 ` fweimer at redhat dot com
2015-04-28 19:18 ` carlos at redhat dot com
