Tags: moreinfo

Hi,

On Wed, Nov 26, 2014 at 11:30:42AM +0000, Cornea, Alexandru wrote:
> The script hardening-check can give a false negative result if the binary
> analyzed was compiled with ICC (with stack protection).
> Hardening-check looks for __stack_chk_fail, but in ICC compiled binaries the
> correct functions to be searched for should be __intel_security_cookie or
> __intel_security_check_cookie.

Thanks for the report! Can you point me to documentation on ICC's stack
protection implementation? If the ICC-compiled binaries are using something
other than __stack_chk_fail, then they may not be using glibc's canary, which
I would view as a regression. (As in, I would like to be convinced that this
is actually a false negative -- this may be reporting a weak stack protector
scheme instead.)

> Below is a naive patch:
>
> diff --git a/usr/bin/hardening-check b/hardening-check-intel
> index 799943c..f40eda7 100755
> --- a/usr/bin/hardening-check
> +++ b/hardening-check-intel
> @@ -302,6 +302,7 @@ foreach my $file (@ARGV) {
> # Stack-protected
> $name = " Stack protected";
> if (defined($functions->{'__stack_chk_fail'}) ||
> + defined($functions->{'__intel_security_cookie'}) ||

You mentioned __intel_security_check_cookie as well. I assume this is the
canary? How is it chosen, what is its value?

> (!$elf && defined($functions->{'__stack_chk_fail_local'}))) {
> good($name, "yes")
> }
>
> Regards,
> Alex

Thanks!

-Kees

--
Kees Cook @debian.org
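
Review bot: the added condition in the `Stack protected` test checks only `__intel_security_cookie`, while the report names `__intel_security_check_cookie` as well, and the existing test keys on `__stack_chk_fail`, which is the failure handler rather than the canary itself. If `__intel_security_cookie` is the cookie value rather than a routine, it may not appear in `$functions` at all, so the check routine looks like the closer counterpart; consider testing for `__intel_security_check_cookie` too. Both schemes also end in the same `good($name, "yes")`, which hides which one was detected; a distinct result string for the ICC symbols would keep them apart until the strength of the ICC scheme is confirmed. The diff headers compare `a/usr/bin/hardening-check` with `b/hardening-check-intel`, so the patch needs regenerating against a single path before it can be applied.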