protect stack canary from leak via read-as-string by zeroing second byte

This reduces entropy of the canary from 64-bit to 56-bit in exchange
for mitigating non-terminated C string overflows by setting the second
byte of the canary to nul, so that off-by-one write overflow with a
nul byte can still be detected.

Idea from GrapheneOS bionic commit 7024d880b51f03a796ff8832f1298f2f1531fd7b

diff --git a/src/env/__stack_chk_fail.c b/src/env/__stack_chk_fail.c
index bf5a280..e535260 100644 (file)
--- a/src/env/__stack_chk_fail.c
+++ b/src/env/__stack_chk_fail.c
@@ -9,6 +9,15 @@ void __init_ssp(void *entropy)
        if (entropy) memcpy(&__stack_chk_guard, entropy, sizeof(uintptr_t));
        else __stack_chk_guard = (uintptr_t)&__stack_chk_guard * 1103515245;
 
+#if UINTPTR_MAX >= 0xffffffffffffffff
+       /* Sacrifice 8 bits of entropy on 64bit to prevent leaking/
+        * overwriting the canary via string-manipulation functions.
+        * The NULL byte is on the second byte so that off-by-ones can
+        * still be detected. Endianness is taken care of
+        * automatically. */
+       ((char *)&__stack_chk_guard)[1] = 0;
+#endif
+
        __pthread_self()->canary = __stack_chk_guard;
 }