[5839] in bugtraq
Re: StackGuard: Automatic Protection From Stack-smashing Attacks
daemon@ATHENA.MIT.EDU (Theo de Raadt)
Fri Dec 19 17:54:08 1997
Date: Fri, 19 Dec 1997 15:01:35 -0700
Reply-To: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
From: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
X-To: Tim Newsham <newsham@LAVA.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Fri, 19 Dec 1997 08:55:31 -1000."
<m0xj7a8-00115dC@malasada.lava.net>
> int save_uid;
> char buf[10];
>
> save_uid = getuid();
> setuid(0);
> fp = fopen("input", "r");
> fscanf(fp, "%s", buf);
> setuid(save_uid);
For this particular example, in some levels of optimization (gcc -O2,
I believe, or via other future compiler hacks) your generated code
could place the objects on the stack in this order: return address,
buf[], save_uid. Coupled with the other approaches, that would solve
this particular case.
(But I don't believe in solving these special cases one by one).
> My personal feelings on the recent proposals for fixing
> "the overflow problem" are that I don't like them. They all
> seem hacky to me, and all claim to be a silver bullet to finally
> put an end to the problem. I would much rather see the original problems
> fixed, a solution that is much more aesthetically pleasing to
> me. On the other hand, the proposals do reduce the number of
> attacks, and buy time until attackers get more sophisticated
> in their exploits.
I don't even hope to see a magic solution coming down the line. I'll
just continue fixing the basic bugs. (But they are getting harder to
find; perhaps I should start using Purify or Insight..)
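The fragment Tim quoted, reworked as an added example that is not code from either post: the unbounded "%s" read sits beside a width-bounded one that rejects over-long tokens, so the fix is on the read itself rather than on where the compiler happens to place save_uid relative to buf. sscanf() over a constructed string stands in for fscanf() over the "input" file, and privileged_read() with a plain integer in place of setuid() is an assumption made so the code runs stand-alone.

```c
/* Added example, not from the thread: the quoted read with the unbounded
 * "%s" conversion kept for comparison, and a width-bounded version beside it
 * that rejects any token longer than buf can hold, so nothing spills into
 * neighbouring stack objects such as save_uid.  sscanf() over a constructed
 * string stands in for fscanf() over the "input" file so it runs offline. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define BUFSZ 10   /* same size as the quoted char buf[10] */

/* The shape from the thread: "%s" has no length bound, so a token of
 * BUFSZ or more characters writes past buf.  Only safe on trusted input. */
int read_token_unbounded(const char *input, char buf[BUFSZ])
{
    return sscanf(input, "%s", buf) == 1;
}

/* Hardened: "%9s" stops after BUFSZ-1 characters; the trailing %c shows
 * whether the token continued.  A truncated token is treated as an error
 * rather than silently shortened.  Returns 1 on success, 0 on failure. */
int read_token_bounded(const char *input, char buf[BUFSZ])
{
    char next = ' ';
    int n = sscanf(input, "%9s%c", buf, &next);
    if (n < 1)
        return 0;                               /* no token at all */
    if (n == 2 && !isspace((unsigned char)next))
        return 0;                               /* token too long: reject */
    return 1;
}

/* Mirrors the quoted privileged window with a plain integer in place of
 * setuid() (an assumption for this example), so the caller can observe
 * whether save_uid survived the read. */
int privileged_read(const char *input, int real_uid, char out[BUFSZ], int *uid_after)
{
    int save_uid = real_uid;                    /* value to restore afterwards */
    char buf[BUFSZ];
    int ok = read_token_bounded(input, buf);    /* bounded, unlike the original */
    if (ok)
        strcpy(out, buf);                       /* buf is NUL-terminated on success */
    *uid_after = save_uid;                      /* intact whatever the input held */
    return ok;
}
```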