This is the mail archive of the gdb-patches@sourceware.org mailing list for the GDB project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: RFC: Longjmp vs LD_POINTER_GUARD revisited

From: Paul Pluzhnikov <ppluzhnikov at google dot com>
To: Paul Pluzhnikov <ppluzhnikov at google dot com>, gdb-patches at sourceware dot org, Pedro Alves <pedro at codesourcery dot com>, Ulrich Weigand <uweigand at de dot ibm dot com>
Date: Sun, 15 Nov 2009 15:05:33 -0800
Subject: Re: RFC: Longjmp vs LD_POINTER_GUARD revisited
References: <20091115173429.GB23483@caradoc.them.org> <8ac60eac0911151029i60ae1713m8ee2de5c05103d9d@mail.gmail.com> <20091115223539.GA23336@caradoc.them.org>

On Sun, Nov 15, 2009 at 2:35 PM, Daniel Jacobowitz <drow@false.org> wrote:

> There's a rotate and an xor involved; I don't believe this would work
> as written... sure, we could "discover" it from disassembling key
> functions automatically...

Oh, right. There was "plain XOR" in FC6, and shift-by-9 added in FC7.
Still it's trivial to discover the canary without disassembling
anything (disassembling requires symbols, which may be stripped):
there are only 3 different algorithms I've seen (no canary, XOR,
XOR+shift-by-9). Hmm, looks like x86_64 has XOR+shift-by-17 now, but
ia64, SPARC and PPC all have just "plain XOR".

Still I think this may be a more robust then requiring debuginfo or
non-stripped glibc.

-- 
Paul Pluzhnikov

Follow-Ups:
- Re: RFC: Longjmp vs LD_POINTER_GUARD revisited
  - From: Daniel Jacobowitz

References:
- RFC: Longjmp vs LD_POINTER_GUARD revisited
  - From: Daniel Jacobowitz
- Re: RFC: Longjmp vs LD_POINTER_GUARD revisited
  - From: Paul Pluzhnikov
- Re: RFC: Longjmp vs LD_POINTER_GUARD revisited
  - From: Daniel Jacobowitz

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]