On Mon, 13 Nov 2023 17:18:50 +0100 Daniel Kiper <dki...@net-space.pl> wrote:
> On Sun, Nov 12, 2023 at 08:22:42AM +0100, Heinrich Schuchardt wrote: > > On 11/12/23 04:23, Glenn Washburn wrote: > > > The canary, __stack_chk_guard, is in the BSS and so will get initialized > > > to > > > zero if it is not explicitly initialized. If the UEFI firmware does not > > > support the RNG protocol, then the canary will not be randomized and will > > > be used as zero. This seems like a possibly easier value to write by an > > > attacker. Initialize canary to static random bytes, so that it is still > > > random when there is not RNG protocol. > > > > > > Signed-off-by: Glenn Washburn <developm...@efficientek.com> > > > > Reviewed-by: Heinrich Schuchardt <xypron.g...@gmx.de> > > Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com> > > > > --- > > > grub-core/kern/efi/init.c | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c > > > index 0e28bea17a76..b85d98ca47fd 100644 > > > --- a/grub-core/kern/efi/init.c > > > +++ b/grub-core/kern/efi/init.c > > > @@ -41,7 +41,7 @@ static grub_guid_t rng_protocol_guid = > > > GRUB_EFI_RNG_PROTOCOL_GUID; > > > > > > static grub_efi_uint8_t stack_chk_guard_buf[32]; > > > > > > -grub_addr_t __stack_chk_guard; > > > +grub_addr_t __stack_chk_guard = (grub_addr_t) 0x92f2b7e2f193b25c; I've come across more information[1] on this subject that leads me to believe that at least the byte with the lowest memory address should be a NULL byte (eg. grub_cpu_to_be64_compile_time(0x00f2b7e2f193b25c)) to make the common case of string buffer overflows non-bypassable. And in the absence of random bytes at runtime, it might be a good idea to xor with the current time and perhaps the EFI app base load address. So I suggest not merging this yet and I'll have a v2 coming soon. Glenn [1] https://www.sans.org/blog/stack-canaries-gingerly-sidestepping-the-cage/ > > I would add last sentence from the commit message before this line. > I can do it for you before push... > > > > > > > void __attribute__ ((noreturn)) > > > __stack_chk_fail (void) > > Daniel _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
