playing with glibc-2.5-r3, kernel 2.6.21 and AT_ENTROPY
Everybody who has glibc-2.5-r3, please test the following program:
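#include <stdio.h>

/* The stack-protector canary that this glibc exports under this symbol
   name (presumably through its old-SSP compatibility code -- confirm
   against the libc build in use). */
extern unsigned long int __guard;

/* Print the canary value, then spin forever so the process stays alive
   for inspection (e.g. single-stepping in gdb).  Never returns normally;
   the trailing return only satisfies the signature. */
int main(void)
{
    /* %lx matches the unsigned long argument; %x with a long argument is a
       format/argument mismatch and undefined behaviour. */
    printf("__guard: [[0x%lx]]\n", __guard);
    while (1) {
        ;
    }
    return 0;
}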
Compiled with gcc -static and single-stepped with gdb, it should show that the guard is randomly initialized.
But compiled without -static, in my tests it shows that __guard is always 0x0... bad bad cow.
but there is good news too: the AT_ENTROPY patch
this is a stub in the 2.6.21 kernel source:
falcon linux # grep -A2 -B2 -ri "deadbeef" fs/binfmt_elf.c
NEW_AUX_ENT(AT_CLKTCK, CLOCKS_PER_SEC);
NEW_AUX_ENT(AT_ENTROPY, 0xdeadbeef);
NEW_AUX_ENT(AT_PHDR, load_addr + exec->e_phoff);
the glibc patch is "done" (leaving aside the 0x0 problem):
diff -Nru glibc-2.5.ORIG/csu/libc-start.c glibc-2.5/csu/libc-start.c
--- glibc-2.5.ORIG/csu/libc-start.c 2007-06-16 15:23:50.000000000 +0200
+++ glibc-2.5/csu/libc-start.c 2007-06-16 16:01:19.000000000 +0200
@@ -165,8 +165,16 @@
#endif
# ifndef SHARED
- /* Set up the stack checker's canary. */
- uintptr_t stack_chk_guard = _dl_setup_stack_chk_guard ();
+ /* Set up the stack checker's canary, optional kernel entropy */
+ uintptr_t stack_chk_guard;
+
+ if (GLRO(dl_entropy) != 0) {
+ stack_chk_guard = GLRO(dl_entropy);
+ }
+ else {
+ stack_chk_guard = _dl_setup_stack_chk_guard ();
+ }
+
#ifdef ENABLE_OLD_SSP_COMPAT
__guard_local = stack_chk_guard;
#endif
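Review bot: On the `stack_chk_guard = GLRO(dl_entropy);` line the auxv word becomes the canary unmodified, so it carries no guaranteed zero byte; a generated canary normally has one byte forced to zero so that a NUL-terminated string copy cannot overwrite it intact, and this branch should do the same, e.g. `stack_chk_guard = GLRO(dl_entropy) & ~(uintptr_t) 0xff;` (little-endian; confirm against what `_dl_setup_stack_chk_guard` does in this tree). Until the kernel side replaces the `0xdeadbeef` stub shown above, every process receives the identical canary, so the `_dl_setup_stack_chk_guard ()` fallback is currently the stronger path and the new branch should not be enabled in a deployed build. The same nine lines appear in the rtld.c hunk; moving the entropy check into `_dl_setup_stack_chk_guard` itself would keep both callers at their original single line and put the masking in one place. The brace placement also departs from the GNU style of the surrounding glibc code. The enclosing function (presumably `__libc_start_main`) starts and ends outside the hunk.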
diff -Nru glibc-2.5.ORIG/elf/dl-support.c glibc-2.5/elf/dl-support.c
--- glibc-2.5.ORIG/elf/dl-support.c 2005-05-11 19:27:22.000000000 +0200
+++ glibc-2.5/elf/dl-support.c 2007-06-16 16:13:33.000000000 +0200
@@ -155,6 +155,8 @@
#ifdef HAVE_AUX_VECTOR
int _dl_clktck;
+uintptr_t _dl_entropy;
+
void
internal_function
_dl_aux_init (ElfW(auxv_t) *av)
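Review bot: The new `uintptr_t _dl_entropy;` definition sits inside the `#ifdef HAVE_AUX_VECTOR` region next to `_dl_clktck`, whereas the libc-start.c hunk reads `GLRO(dl_entropy)` on the static path; unless that read is guarded the same way (its surrounding context is not on this page), a static build on a target without an aux vector would reference an undefined symbol. Documenting the zero sentinel on the definition, `/* AT_ENTROPY value from the kernel; 0 when none was supplied.  */`, would make the `!= 0` tests in the two callers self-explanatory. `_dl_aux_init` begins in this hunk and continues beyond it.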
@@ -172,6 +174,9 @@
case AT_CLKTCK:
GLRO(dl_clktck) = av->a_un.a_val;
break;
+ case AT_ENTROPY:
+ GLRO(dl_entropy) = av->a_un.a_val;
+ break;
case AT_PHDR:
GL(dl_phdr) = (void *) av->a_un.a_val;
break;
diff -Nru glibc-2.5.ORIG/elf/dl-sysdep.c glibc-2.5/elf/dl-sysdep.c
--- glibc-2.5.ORIG/elf/dl-sysdep.c 2005-12-14 09:36:14.000000000 +0100
+++ glibc-2.5/elf/dl-sysdep.c 2007-06-16 16:12:38.000000000 +0200
@@ -160,6 +160,9 @@
case AT_CLKTCK:
GLRO(dl_clktck) = av->a_un.a_val;
break;
+ case AT_ENTROPY:
+ GLRO(dl_entropy) = av->a_un.a_val;
+ break;
case AT_FPUCW:
GLRO(dl_fpu_control) = av->a_un.a_val;
break;
diff -Nru glibc-2.5.ORIG/elf/elf.h glibc-2.5/elf/elf.h
--- glibc-2.5.ORIG/elf/elf.h 2007-06-16 15:23:49.000000000 +0200
+++ glibc-2.5/elf/elf.h 2007-06-16 16:01:48.000000000 +0200
@@ -977,6 +977,8 @@
#define AT_SECURE 23 /* Boolean, was exec setuid-like? */
+#define AT_ENTROPY 24 /* kernel entropy */
+
/* Pointer to the global system page used for system calls and other
nice things. */
#define AT_SYSINFO 32
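Review bot: `#define AT_ENTROPY 24` has to agree with the kernel's definition, which this page does not show; a mismatch is silent, because `_dl_aux_init` simply never matches the entry and the canary falls back to `_dl_setup_stack_chk_guard ()`, so a comment naming the kernel header this value mirrors would help. The comment `/* kernel entropy */` also says less than its neighbours, which describe the payload; `/* Random word supplied by the kernel for the stack guard.  */` would match the surrounding style.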
diff -Nru glibc-2.5.ORIG/elf/rtld.c glibc-2.5/elf/rtld.c
--- glibc-2.5.ORIG/elf/rtld.c 2007-06-16 15:23:49.000000000 +0200
+++ glibc-2.5/elf/rtld.c 2007-06-16 16:01:28.000000000 +0200
@@ -1838,8 +1838,16 @@
tcbp = init_tls ();
#endif
- /* Set up the stack checker's canary. */
- uintptr_t stack_chk_guard = _dl_setup_stack_chk_guard ();
+ /* Set up the stack checker's canary, optional kernel entropy */
+ uintptr_t stack_chk_guard;
+
+ if (GLRO(dl_entropy) != 0) {
+ stack_chk_guard = GLRO(dl_entropy);
+ }
+ else {
+ stack_chk_guard = _dl_setup_stack_chk_guard ();
+ }
+
#ifdef ENABLE_OLD_SSP_COMPAT
__guard_local = stack_chk_guard;
#endif
diff -Nru glibc-2.5.ORIG/sysdeps/generic/ldsodefs.h glibc-2.5/sysdeps/generic/ldsodefs.h
--- glibc-2.5.ORIG/sysdeps/generic/ldsodefs.h 2006-08-24 22:27:05.000000000 +0200
+++ glibc-2.5/sysdeps/generic/ldsodefs.h 2007-06-16 16:04:02.000000000 +0200
@@ -558,6 +558,9 @@
/* CLK_TCK as reported by the kernel. */
EXTERN int _dl_clktck;
+ /* ENTROPY provided by kernel */
+ EXTERN uintptr_t _dl_entropy;
+
/* If nonzero print warnings messages. */
EXTERN int _dl_verbose;
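Review bot: The comment `/* ENTROPY provided by kernel */` does not tell a reader which auxv entry fills the field or that zero means absent, which is the contract both canary-setup hunks depend on; `/* Stack-guard seed from the AT_ENTROPY auxv entry, 0 if the kernel passed none.  */` would match the neighbouring `CLK_TCK as reported by the kernel.` comment. The enclosing declaration list starts and ends outside the hunk.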
cya,
Alex
all i need is a config option now for the PaX patch... volunteers?
-Alex