Since BaseStackCheckLib is a static library that gets included by each individual UEFI module that uses it, we can improve the quality of the stack canaries by replacing the fixed value with a value that is subject to relocation, so that each module will use a different value that depends on the module's load address.
So initialize the __stack_chk_guard variable by taking its own address.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
Note that this is almost exactly what was there already in the code but commented out.

 MdePkg/Library/BaseStackCheckLib/BaseStackCheckGcc.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/MdePkg/Library/BaseStackCheckLib/BaseStackCheckGcc.c b/MdePkg/Library/BaseStackCheckLib/BaseStackCheckGcc.c index 4cd0d4ce30f8..ecaf43b13099 100644 --- a/MdePkg/Library/BaseStackCheckLib/BaseStackCheckGcc.c +++ b/MdePkg/Library/BaseStackCheckLib/BaseStackCheckGcc.c @@ -23,10 +23,7 @@ #include <Library/PcdLib.h> /// "canary" value that is inserted by the compiler into the stack frame. -VOID *__stack_chk_guard = (VOID*)0x0AFF; - -// If ASLR was enabled we could use -//void (*__stack_chk_guard)(void) = __stack_chk_fail; +VOID *__stack_chk_guard = &__stack_chk_guard; /** Error path for compiler generated stack "canary" value check code. If the -- 2.1.4

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
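Review bot: the new initializer `+VOID *__stack_chk_guard = &__stack_chk_guard;` only varies as much as the module's load address does, so a module that is not relocated when loaded (run in place at its link address) ends up with the same guard on every boot, and in any module the guard is the address of a known writable global, so an image-base leak (or a deterministic load address) reveals it outright; that trade-off should be documented, because the hunk drops the only explanatory text (`-// If ASLR was enabled we could use` / `-//void (*__stack_chk_guard)(void) = __stack_chk_fail;`) while leaving `/// "canary" value that is inserted by the compiler into the stack frame.` untouched. Suggest extending that comment to say the value is deliberately its own address so that the loader's relocation fix-up turns a build-time constant into a per-load-address value, and what it does not protect against.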
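The following is an added illustration, not edk2 code and not part of the patch above: it mimics what the compiler-emitted canary code does with a guard that is initialised to its own address, and shows the limit the reviewer note points at, namely that the guard is only as secret as the load address it is derived from. The names (mStackGuard, FRAME, VulnerableCopy, the Demo* functions, the return-address stand-in values) are assumptions made for the example; the real variable is __stack_chk_guard and the real check is generated by the compiler, not written by hand.

```c
/*
 * Added example, not edk2 or the patch author's code. Hand-written model of
 * the -fstack-protector prologue/epilogue with a guard whose initial value
 * is its own address, as in the patch. All names below are ours.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Guard initialised to its own address. In a relocated PE/COFF image the
 * loader's relocation fix-up makes this follow the load address; the name
 * is deliberately not __stack_chk_guard so as not to collide with libc. */
static void *mStackGuard = &mStackGuard;

/* Frame laid out the way the compiler does it: the canary sits between the
 * local buffer and the saved return address, so a linear overflow must
 * cross the canary before it can reach the return address. */
typedef struct {
  char      Buffer[16];
  uintptr_t Canary;
  uintptr_t SavedReturn;
} FRAME;

#define LEGIT_RETURN  ((uintptr_t)0x1000)  /* stand-in for the real return address */
#define HIJACK_RETURN ((uintptr_t)0xBAD0)  /* where the attacker wants to return */

enum {
  FRAME_OK = 0,             /* canary intact, return address untouched */
  FRAME_OVERFLOW_DETECTED,  /* canary changed: __stack_chk_fail would be called */
  FRAME_RETURN_HIJACKED     /* canary intact but return address changed */
};

/* Prologue: copy the guard into the frame. */
static void FramePrologue(FRAME *Frame) {
  Frame->Canary      = (uintptr_t)mStackGuard;
  Frame->SavedReturn = LEGIT_RETURN;
}

/* Epilogue: compare the frame's canary against the guard before returning. */
static int FrameEpilogue(const FRAME *Frame) {
  if (Frame->Canary != (uintptr_t)mStackGuard) {
    return FRAME_OVERFLOW_DETECTED;
  }
  return Frame->SavedReturn == LEGIT_RETURN ? FRAME_OK : FRAME_RETURN_HIJACKED;
}

/* The vulnerable function: copies Len attacker-controlled bytes into a
 * 16-byte buffer with no bounds check. The frame is written through a byte
 * pointer so the overflow stays inside the struct and the program itself
 * remains well-defined. */
static int VulnerableCopy(const uint8_t *Input, size_t Len) {
  FRAME Frame;
  FramePrologue(&Frame);
  if (Len > sizeof(Frame)) {
    Len = sizeof(Frame);
  }
  memcpy((uint8_t *)&Frame, Input, Len);
  return FrameEpilogue(&Frame);
}

/* Input that fits: the check passes. */
int DemoBenign(void) {
  const uint8_t Input[] = "hello";  /* constructed sample input */
  return VulnerableCopy(Input, sizeof(Input));
}

/* Blind overflow: the attacker does not know the guard and fills the frame
 * with 'A'. The canary becomes 0x4141..., and the epilogue catches it. */
int DemoBlindOverflow(void) {
  uint8_t Input[sizeof(FRAME)];
  memset(Input, 'A', sizeof(Input));
  return VulnerableCopy(Input, sizeof(Input));
}

/* Informed overflow: the attacker knows the module's load address (the guard
 * is just the address of a global, so an image-base leak or a fixed load
 * address reveals it), writes the correct canary back and replaces the
 * return address. The check passes and control flow is hijacked. */
int DemoInformedOverflow(void) {
  uint8_t   Input[sizeof(FRAME)];
  uintptr_t KnownGuard = (uintptr_t)&mStackGuard;  /* what the leak yields */
  uintptr_t Target     = HIJACK_RETURN;
  memset(Input, 'A', sizeof(Input));
  memcpy(Input + offsetof(FRAME, Canary), &KnownGuard, sizeof(KnownGuard));
  memcpy(Input + offsetof(FRAME, SavedReturn), &Target, sizeof(Target));
  return VulnerableCopy(Input, sizeof(Input));
}

/* The initialiser from the patch: the guard's value is its own address. */
int GuardIsOwnAddress(void) {
  return mStackGuard == (void *)&mStackGuard;
}

int main(void) {
  printf("guard = %p (is own address: %s)\n", mStackGuard, GuardIsOwnAddress() ? "yes" : "no");
  printf("benign input      -> %d\n", DemoBenign());
  printf("blind overflow    -> %d\n", DemoBlindOverflow());
  printf("informed overflow -> %d\n", DemoInformedOverflow());
  return 0;
}
```

Compared with the constant 0x0AFF that the patch removes, the address-based guard changes whenever the module lands somewhere else, which is what defeats the blind overflow across different images and load addresses; the informed case shows what it does not buy: once the attacker knows where the image is, the guard is known too, so the check is a defence against blind linear overwrites, not against an attacker with a read primitive.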