Closed gfelber closed 4 weeks ago
@microsoft-github-policy-service agree
Everything outside this pull request is considered "Not a Submission".
Thank you so much for the PR -- good idea. I implemented it directly as the free.c
needs to check the same canary so I'll close this PR. Thanks again!
Thx for implementing this fix.
Problem
Currently it's possible to trivially leak the heap canary if the allocated buffer is fully filled and interpreted as a string. This is a common programming mistake, especially when using POSIX functions that don't enforce null-terminated strings (e.g. `strncpy`). This potential implementation resolves #951.
Change
This pull request implements a simple bit mask that enforces that the LSB (least significant byte) of the canary is a null byte.
Notes
Sadly this implementation removes one potential byte of entropy from our canary, reducing it from 32-bit to 24-bit, but it still allows the detection of common one-null-byte overflows, something that would be lost if the first/last character of the padding was turned into a null byte.
This implementation only considers little-endian byte order.
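The following is an added example written for this page; it is not code from this pull request or from the allocator it targets. It models a heap block as a user region followed by fill padding and a 4-byte canary stored least-significant-byte first (the little-endian case the PR considers), and shows two things: how a `strlen`-style scan of a fully filled buffer reads right through the padding into the canary unless the canary's LSB is zero, and that a one-null-byte overflow landing in the fill padding is still caught when the LSB mask is applied. The block layout, the `0xDE` fill pattern, the `delta` padding width and the sample canary values are all assumptions of this example.

```c
/* Added example (not the PR's code): toy model of a block with
 * user region | delta bytes of fill padding | 4-byte canary (LSB first). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CANARY_BYTES 4
#define FILL_BYTE    0xDE      /* assumed padding fill pattern */
#define USER_SIZE    8         /* assumed user region size for the demo */
#define BLOCK_MAX    64

/* The PR's idea: clear the least significant byte of the canary. */
static uint32_t mask_canary(uint32_t canary) {
    return canary & 0xFFFFFF00u;
}

/* Fill the user region completely (no NUL), then padding, then the canary
 * in little-endian memory order. Returns the total block length. */
static size_t layout_block(uint8_t *block, size_t delta, uint32_t canary) {
    memset(block, 'A', USER_SIZE);
    memset(block + USER_SIZE, FILL_BYTE, delta);
    for (size_t i = 0; i < CANARY_BYTES; i++)
        block[USER_SIZE + delta + i] = (uint8_t)(canary >> (8 * i));
    return USER_SIZE + delta + CANARY_BYTES;
}

/* Integrity check as done at free time: padding intact, canary unchanged. */
static int block_ok(const uint8_t *block, size_t delta, uint32_t expected) {
    for (size_t i = 0; i < delta; i++)
        if (block[USER_SIZE + i] != FILL_BYTE) return 0;
    uint32_t got = 0;
    for (size_t i = 0; i < CANARY_BYTES; i++)
        got |= (uint32_t)block[USER_SIZE + delta + i] << (8 * i);
    return got == expected;
}

/* Number of canary bytes a NUL-terminated string read starting at block[0]
 * would expose: scan like strlen() until the first zero byte, bounded by
 * the end of the canary so the model itself never overreads. */
static size_t canary_leak_for(uint32_t canary, size_t delta) {
    uint8_t block[BLOCK_MAX];
    size_t end = layout_block(block, delta, canary);
    size_t canary_off = USER_SIZE + delta;
    size_t i = 0;
    while (i < end && block[i] != 0) i++;
    return i > canary_off ? i - canary_off : 0;
}

/* Simulate an off-by-one NUL write just past the user region and report
 * whether the free-time check catches it (1 = detected). */
static int null_overflow_detected(size_t delta, uint32_t canary) {
    uint8_t block[BLOCK_MAX];
    layout_block(block, delta, canary);
    block[USER_SIZE] = 0;            /* the overflow byte */
    return block_ok(block, delta, canary) ? 0 : 1;
}

int main(void) {
    uint32_t raw = 0x11223344u;      /* constructed canary with no zero bytes */
    printf("unmasked canary: %zu bytes leaked by a string read\n",
           canary_leak_for(raw, 2));
    printf("masked canary:   %zu bytes leaked by a string read\n",
           canary_leak_for(mask_canary(raw), 2));
    printf("1-NUL overflow into padding (masked): detected=%d\n",
           null_overflow_detected(1, mask_canary(raw)));
    printf("1-NUL overflow with no padding (masked): detected=%d\n",
           null_overflow_detected(0, mask_canary(raw)));
    return 0;
}
```

The last line of output illustrates the caveat behind the PR's note about padding: with the LSB already zero, a one-null-byte overflow is only caught when it lands on a non-zero fill byte before the canary, so the mask and the fill padding work together rather than independently.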