LibC: Don't change the stack canary across function boundaries

Author: https://github.com/timschumi Commit: https://github.com/SerenityOS/serenity/commit/a880457380 Pull-request: https://github.com/SerenityOS/serenity/pull/14189 Reviewed-by: https://github.com/ADKaster ✅ Reviewed-by: https://github.com/linusg
2022-06-07 15:59:05 +02:00 · 2022-06-07 15:59:05 +02:00 · a880457380 · 2024-07-17 11:30:05 +09:00
commit a880457380
parent 75e8b1305d
1 changed files with 8 additions and 3 deletions
--- a/Userland/Libraries/LibC/crt0.cpp
+++ b/Userland/Libraries/LibC/crt0.cpp
@ -33,10 +33,15 @@ NAKED void _start(int, char**, char**)
 int _entry(int argc, char** argv, char** env)
 {
    size_t original_stack_chk = __stack_chk_guard;
-    arc4random_buf(&__stack_chk_guard, sizeof(__stack_chk_guard));

-    if (__stack_chk_guard == 0)
-        __stack_chk_guard = original_stack_chk;
+    // We can't directly overwrite __stack_chk_guard using arc4random_buf,
+    // as it doesn't know that the stack canary changed and it would instantly
+    // cause a stack protector failure when returning.
+    size_t new_stack_chk = 0;
+    arc4random_buf(&new_stack_chk, sizeof(new_stack_chk));
+
+    if (new_stack_chk != 0)
+        __stack_chk_guard = new_stack_chk;

    environ = env;
    __environ_is_malloced = false;