This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/12189] __stack_chk_fail should not attempt a backtrace
- From: "sstewartgallus00 at mylangara dot bc.ca" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Sun, 30 Mar 2014 00:42:50 +0000
- Subject: [Bug libc/12189] __stack_chk_fail should not attempt a backtrace
- Auto-submitted: auto-generated
- References: <bug-12189-131 at http dot sourceware dot org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=12189
Steven Stewart-Gallus <sstewartgallus00 at mylangara dot bc.ca> changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
CC      |                            |sstewartgallus00@mylangara.bc.ca
--- Comment #12 from Steven Stewart-Gallus <sstewartgallus00 at mylangara dot bc.ca> ---
It might be possible to fork and execute a second uncorrupted process but
simply aborting is safer and lazier. Something like the following might work:

#include <signal.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * In a real implementation this would be a real crash reporting
 * program. It would use /proc to examine debugging information such
 * as the command line. It could also do ptrace debugger stuff. It
 * could also be set by a command line option.
 */
#define CRASH_REPORTER "/bin/echo"

void stack_overflow(void);

int main(void)
{
    stack_overflow();
    return 0;
}

void stack_overflow(void)
{
    /*
     * As soon as possible give control over to a fresh crash reporter
     * instance. If any bad things happen abort immediately and don't
     * risk compromise due to an attack from an enemy.
     */

    /*
     * Fork a copy of the program to be debugged from the crash
     * reporter instance. The copy of the program must be the child
     * because certain systems are hardened to only allow parents of
     * the processes to do certain debugging tasks.
     */
    pid_t child = fork();
    if (-1 == child) {
        abort();
    }

    if (0 == child) {
        /* Stop so that the crash reporter can examine this copy. */
        raise(SIGSTOP);
        /* If resumed, never carry on running on the corrupted stack. */
        abort();
    }

    /*
     * Don't bother with sprintf to minimize the chance of attacks.
     * The PID is written out as decimal digits by hand: copying its
     * raw bytes would put NUL bytes into the argument and truncate it.
     */
    char child_string[3 * sizeof child + 1];
    char *digits = child_string + sizeof child_string - 1;
    pid_t remaining = child;
    *digits = '\0';
    do {
        *--digits = (char) ('0' + remaining % 10);
        remaining /= 10;
    } while (remaining != 0);

    /*
     * execve the crash reporter to use the thinnest possible wrapper
     * over the system call.
     */
    char * argv[] = {
        (char *) CRASH_REPORTER,
        digits,
        NULL
    };
    char * envp[] = { NULL };
    execve(CRASH_REPORTER, argv, envp);

    /* Only reached if execve failed. */
    abort();
}

--
You are receiving this mail because:
You are on the CC list for the bug.
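
The receiving side of the hand-off sketched in comment #12, as an added example that is not part of the original message or of glibc. It assumes the PID reaches the reporter as a decimal string in argv[1]; the names parse_pid, handle_crashed_child and demo_roundtrip are hypothetical.

```c
#include <errno.h>
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>

/* Parse argv[1] strictly as a positive decimal PID; -1 on anything else. */
pid_t parse_pid(const char *s)
{
    long v = 0;
    if (s == NULL)
        return -1;
    for (; *s != '\0'; ++s) {
        if (*s < '0' || *s > '9' || v > 100000000L)
            return -1;
        v = v * 10 + (*s - '0');
    }
    return v > 0 ? (pid_t) v : -1;   /* an empty string leaves v == 0 */
}

/* Returns 0 if the child was seen stopped by SIGSTOP, then killed and reaped. */
int handle_crashed_child(pid_t child)
{
    int status, stop_signal;
    pid_t r;
    while ((r = waitpid(child, &status, WUNTRACED)) == -1 && errno == EINTR)
        ;
    if (r != child || !WIFSTOPPED(status))
        return -1;      /* not our child, or it already terminated */
    stop_signal = WSTOPSIG(status);
    /* A real reporter would examine /proc/<pid> or ptrace the child here. */
    kill(child, SIGKILL);
    while (waitpid(child, &status, 0) == -1 && errno == EINTR)
        ;
    return stop_signal == SIGSTOP ? 0 : -1;
}

/* Constructed demo: a child stops itself, as the forked copy does above. */
int demo_roundtrip(void)
{
    pid_t child = fork();
    if (child == 0) { raise(SIGSTOP); _exit(1); }
    return child == -1 ? -1 : handle_crashed_child(child);
}

int main(int argc, char **argv)
{
    pid_t child = argc == 2 ? parse_pid(argv[1]) : -1;
    return (child != -1 && handle_crashed_child(child) == 0) ? 0 : 1;
}
```

Because execve keeps the process ID, the stopped copy is still a child of the reporter, which is why waitpid can be used on it.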