xref: /freebsd/lib/libc/secure/libc_stack_protector.c (revision e7a629c851d747772cc138efcb0418809ecdea55) 
1*e7a629c8SKyle Evans /* $NetBSD: stack_protector.c,v 1.4 2006/11/22 17:23:25 christos Exp $	*/
2*e7a629c8SKyle Evans /* $OpenBSD: stack_protector.c,v 1.10 2006/03/31 05:34:44 deraadt Exp $	*/
3*e7a629c8SKyle Evans /*
4*e7a629c8SKyle Evans  * Copyright (c) 2002 Hiroaki Etoh, Federico G. Schwindt, and Miodrag Vallat.
5*e7a629c8SKyle Evans  * All rights reserved.
6*e7a629c8SKyle Evans  *
7*e7a629c8SKyle Evans  * Redistribution and use in source and binary forms, with or without
8*e7a629c8SKyle Evans  * modification, are permitted provided that the following conditions
9*e7a629c8SKyle Evans  * are met:
10*e7a629c8SKyle Evans  * 1. Redistributions of source code must retain the above copyright
11*e7a629c8SKyle Evans  *    notice, this list of conditions and the following disclaimer.
12*e7a629c8SKyle Evans  * 2. Redistributions in binary form must reproduce the above copyright
13*e7a629c8SKyle Evans  *    notice, this list of conditions and the following disclaimer in the
14*e7a629c8SKyle Evans  *    documentation and/or other materials provided with the distribution.
15*e7a629c8SKyle Evans  *
16*e7a629c8SKyle Evans  * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY EXPRESS OR
17*e7a629c8SKyle Evans  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
18*e7a629c8SKyle Evans  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
19*e7a629c8SKyle Evans  * DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY DIRECT,
20*e7a629c8SKyle Evans  * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
21*e7a629c8SKyle Evans  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
22*e7a629c8SKyle Evans  * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23*e7a629c8SKyle Evans  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
24*e7a629c8SKyle Evans  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
25*e7a629c8SKyle Evans  * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26*e7a629c8SKyle Evans  * POSSIBILITY OF SUCH DAMAGE.
27*e7a629c8SKyle Evans  *
28*e7a629c8SKyle Evans  */
29*e7a629c8SKyle Evans 
30*e7a629c8SKyle Evans #include <sys/param.h>
31*e7a629c8SKyle Evans #include <sys/sysctl.h>
32*e7a629c8SKyle Evans #include <errno.h>
33*e7a629c8SKyle Evans #include <link.h>
34*e7a629c8SKyle Evans #include <signal.h>
35*e7a629c8SKyle Evans #include <string.h>
36*e7a629c8SKyle Evans #include <syslog.h>
37*e7a629c8SKyle Evans #include <unistd.h>
38*e7a629c8SKyle Evans #include "libc_private.h"
39*e7a629c8SKyle Evans 
40*e7a629c8SKyle Evans /*
41*e7a629c8SKyle Evans  * We give __guard_setup a defined priority early on so that statically linked
42*e7a629c8SKyle Evans  * applications have a defined priority at which __stack_chk_guard will be
43*e7a629c8SKyle Evans  * getting initialized.  This will not matter to most applications, because
44*e7a629c8SKyle Evans  * they're either not usually statically linked or they simply don't do things
45*e7a629c8SKyle Evans  * in constructors that would be adversely affected by their positioning with
46*e7a629c8SKyle Evans  * respect to this initialization.
47*e7a629c8SKyle Evans  */
48*e7a629c8SKyle Evans static void __guard_setup(void)
49*e7a629c8SKyle Evans     __attribute__((__constructor__ (200), __used__));
50*e7a629c8SKyle Evans 
51*e7a629c8SKyle Evans extern long __stack_chk_guard[8];
52*e7a629c8SKyle Evans extern int __sysctl(const int *name, u_int namelen, void *oldp,
53*e7a629c8SKyle Evans     size_t *oldlenp, void *newp, size_t newlen);
54*e7a629c8SKyle Evans 
55*e7a629c8SKyle Evans long __stack_chk_guard[8] = {0, 0, 0, 0, 0, 0, 0, 0};
56*e7a629c8SKyle Evans static void __fail(const char *) __dead2;
57*e7a629c8SKyle Evans void __stack_chk_fail(void) __dead2;
58*e7a629c8SKyle Evans void __chk_fail(void) __dead2;
59*e7a629c8SKyle Evans 
60*e7a629c8SKyle Evans /*LINTED used*/
61*e7a629c8SKyle Evans static void
__guard_setup(void)62*e7a629c8SKyle Evans __guard_setup(void)
63*e7a629c8SKyle Evans {
64*e7a629c8SKyle Evans 	static const int mib[2] = { CTL_KERN, KERN_ARND };
65*e7a629c8SKyle Evans 	volatile long tmp_stack_chk_guard[nitems(__stack_chk_guard)];
66*e7a629c8SKyle Evans 	size_t idx, len;
67*e7a629c8SKyle Evans 	int error;
68*e7a629c8SKyle Evans 
69*e7a629c8SKyle Evans 	if (__stack_chk_guard[0] != 0)
70*e7a629c8SKyle Evans 		return;
71*e7a629c8SKyle Evans 	/*
72*e7a629c8SKyle Evans 	 * Avoid using functions which might have stack protection
73*e7a629c8SKyle Evans 	 * enabled, to update the __stack_chk_guard.  First fetch the
74*e7a629c8SKyle Evans 	 * data into a temporal array, then do manual volatile copy to
75*e7a629c8SKyle Evans 	 * not allow optimizer to call memcpy() behind us.
76*e7a629c8SKyle Evans 	 */
77*e7a629c8SKyle Evans 	error = _elf_aux_info(AT_CANARY,
78*e7a629c8SKyle Evans 	    __DEQUALIFY(void *, tmp_stack_chk_guard),
79*e7a629c8SKyle Evans 	    sizeof(tmp_stack_chk_guard));
80*e7a629c8SKyle Evans 	if (error == 0 && tmp_stack_chk_guard[0] != 0) {
81*e7a629c8SKyle Evans 		for (idx = 0; idx < nitems(__stack_chk_guard); idx++) {
82*e7a629c8SKyle Evans 			__stack_chk_guard[idx] = tmp_stack_chk_guard[idx];
83*e7a629c8SKyle Evans 			tmp_stack_chk_guard[idx] = 0;
84*e7a629c8SKyle Evans 		}
85*e7a629c8SKyle Evans 		return;
86*e7a629c8SKyle Evans 	}
87*e7a629c8SKyle Evans 
88*e7a629c8SKyle Evans 	len = sizeof(__stack_chk_guard);
89*e7a629c8SKyle Evans 	if (__sysctl(mib, nitems(mib), __stack_chk_guard, &len, NULL, 0) ==
90*e7a629c8SKyle Evans 	    -1 || len != sizeof(__stack_chk_guard)) {
91*e7a629c8SKyle Evans 		/* If sysctl was unsuccessful, use the "terminator canary". */
92*e7a629c8SKyle Evans 		((unsigned char *)(void *)__stack_chk_guard)[0] = 0;
93*e7a629c8SKyle Evans 		((unsigned char *)(void *)__stack_chk_guard)[1] = 0;
94*e7a629c8SKyle Evans 		((unsigned char *)(void *)__stack_chk_guard)[2] = '\n';
95*e7a629c8SKyle Evans 		((unsigned char *)(void *)__stack_chk_guard)[3] = 255;
96*e7a629c8SKyle Evans 	}
97*e7a629c8SKyle Evans }
98*e7a629c8SKyle Evans 
99*e7a629c8SKyle Evans /*ARGSUSED*/
100*e7a629c8SKyle Evans static void
__fail(const char * msg)101*e7a629c8SKyle Evans __fail(const char *msg)
102*e7a629c8SKyle Evans {
103*e7a629c8SKyle Evans 	struct sigaction sa;
104*e7a629c8SKyle Evans 	sigset_t mask;
105*e7a629c8SKyle Evans 
106*e7a629c8SKyle Evans 	/* Immediately block all signal handlers from running code */
107*e7a629c8SKyle Evans 	(void)sigfillset(&mask);
108*e7a629c8SKyle Evans 	(void)sigdelset(&mask, SIGABRT);
109*e7a629c8SKyle Evans 	(void)sigprocmask(SIG_BLOCK, &mask, NULL);
110*e7a629c8SKyle Evans 
111*e7a629c8SKyle Evans 	/* This may fail on a chroot jail... */
112*e7a629c8SKyle Evans 	syslog(LOG_CRIT, "%s", msg);
113*e7a629c8SKyle Evans 
114*e7a629c8SKyle Evans 	(void)memset(&sa, 0, sizeof(sa));
115*e7a629c8SKyle Evans 	(void)sigemptyset(&sa.sa_mask);
116*e7a629c8SKyle Evans 	sa.sa_flags = 0;
117*e7a629c8SKyle Evans 	sa.sa_handler = SIG_DFL;
118*e7a629c8SKyle Evans 	(void)sigaction(SIGABRT, &sa, NULL);
119*e7a629c8SKyle Evans 	(void)kill(getpid(), SIGABRT);
120*e7a629c8SKyle Evans 	_exit(127);
121*e7a629c8SKyle Evans }
122*e7a629c8SKyle Evans 
123*e7a629c8SKyle Evans void
__stack_chk_fail(void)124*e7a629c8SKyle Evans __stack_chk_fail(void)
125*e7a629c8SKyle Evans {
126*e7a629c8SKyle Evans 	__fail("stack overflow detected; terminated");
127*e7a629c8SKyle Evans }
128*e7a629c8SKyle Evans 
129*e7a629c8SKyle Evans void
__chk_fail(void)130*e7a629c8SKyle Evans __chk_fail(void)
131*e7a629c8SKyle Evans {
132*e7a629c8SKyle Evans 	__fail("buffer overflow detected; terminated");
133*e7a629c8SKyle Evans }
134*e7a629c8SKyle Evans 
135*e7a629c8SKyle Evans #ifndef PIC
136*e7a629c8SKyle Evans __weak_reference(__stack_chk_fail, __stack_chk_fail_local);
137*e7a629c8SKyle Evans #endif
138