grub-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH v3 2/3] efi: Generate stack protector canary at build time if ura

From: Glenn Washburn
Subject: [PATCH v3 2/3] efi: Generate stack protector canary at build time if urandom is available
Date: Tue, 19 Dec 2023 00:00:00 -0600 
Generating the canary at build time allows the canary to be different for
every build which could limit the effectiveness of certain exploits.
Fallback to the statically generated random bytes if /dev/urandom is not
readable (eg. Windows).

On 32-bit architectures, which use a 32-bit canary, reduce the canary to 4
bytes with one byte being NUL to filter out string buffer overflow attacks.

Signed-off-by: Glenn Washburn <development@efficientek.com>
---
 config.h.in               |  2 ++
 configure.ac              | 20 ++++++++++++++++++++
 grub-core/kern/efi/init.c |  2 +-
 3 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/config.h.in b/config.h.in
index 4d1e50eba79c..9b1d39971858 100644
--- a/config.h.in
+++ b/config.h.in
@@ -64,6 +64,8 @@
 #  define GRUB_TARGET_CPU "@GRUB_TARGET_CPU@"
 #  define GRUB_PLATFORM "@GRUB_PLATFORM@"
 
+#  define GRUB_STACK_PROTECTOR_INIT @GRUB_STACK_PROTECTOR_INIT@
+
 #  define RE_ENABLE_I18N 1
 
 #  define _GNU_SOURCE 1
diff --git a/configure.ac b/configure.ac
index c19779c14d08..f15d31ec4c0e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1438,6 +1438,26 @@ else
     AC_MSG_ERROR([invalid value $enable_stack_protector for 
--enable-stack-protector])
   fi
   TARGET_CPPFLAGS="$TARGET_CPPFLAGS -DGRUB_STACK_PROTECTOR=1"
+
+  if test -r /dev/urandom; then
+     # Generate the 8 byte stack protector canary at build time if /dev/urandom
+     # is able to be read. The first byte should be NUL to filter out string
+     # buffer overflow attacks.
+     GRUB_STACK_PROTECTOR_INIT="$($PYTHON -c 'import codecs; 
rf=open("/dev/urandom", "rb"); print("0x00"+codecs.encode(rf.read(7), 
"hex").decode("ascii"))')"
+  else
+    # Some hosts may not have a urandom (eg. Windows), so use statically
+    # generated random bytes
+    GRUB_STACK_PROTECTOR_INIT="0x00f2b7e2f193b25c"
+  fi
+
+  if test x"$target_m32" = x1 ; then
+    # Make sure that the canary default value is 24-bits by only using the
+    # lower 3 bytes on 32 bit systems. This allows the upper byte to be NUL
+    # to filter out string buffer overflow attacks.
+    GRUB_STACK_PROTECTOR_INIT="0x00$(echo "$GRUB_STACK_PROTECTOR_INIT" | sed 
's/.*\(......\)$/\1/')"
+  fi
+
+  AC_SUBST([GRUB_STACK_PROTECTOR_INIT])
 fi
 
 CFLAGS="$TARGET_CFLAGS"
diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
index 08e24d46fad9..6c54af6e79e5 100644
--- a/grub-core/kern/efi/init.c
+++ b/grub-core/kern/efi/init.c
@@ -46,7 +46,7 @@ static grub_guid_t rng_protocol_guid = 
GRUB_EFI_RNG_PROTOCOL_GUID;
 static grub_efi_uint8_t stack_chk_guard_buf[32];
 
 /* Initialize canary in case there is no RNG protocol. */
-grub_addr_t __stack_chk_guard = (grub_addr_t) 0x00f2b7e2f193b25c;
+grub_addr_t __stack_chk_guard = (grub_addr_t) GRUB_STACK_PROTECTOR_INIT;
 
 void __attribute__ ((noreturn))
 __stack_chk_fail (void)
-- 
2.34.1
reply via email to
[Prev in Thread] Current Thread [Next in Thread]