Stack Protector for critical packages in Factory
(Repost of an internal mail from yesterday; I have only removed the internal mailing addresses referenced.)

Hi folks,

We decided to offer and use an additional method of stack overflow protection for the next products.

We are currently using the "Fortify Source" lightweight buffer overflow checking (you will know the -D_FORTIFY_SOURCE=2 define that autobuild uses). I explained it in my previous mail.

With gcc 4.1 there is a new additional method of stack overflow detection. It was formerly called "ProPolice" or "Stack Smash Protection (SSP)" but is now usually referred to as "Stack Protector".

It protects against stack based buffer overflows using the following heuristics:

- On function entry a canary ("Kanarienvogel") is put onto the stack. (Canary in tribute to the canary birds that early coal miners took into the mines to detect poisonous gases: when the canaries died, the miners still had time to leave.)

  x86 generated code:

    mov %gs:0x14,%eax          (fetch random canary from TLS)
    mov %eax,0xffffffec(%ebp)  (store on stack)
    xor %eax,%eax              (clear value)

- On function exit the canary is compared with the value on the stack. If it is no longer the same, the program is aborted.

  x86 generated code:

    mov 0xffffffec(%ebp),%edx  (retrieve canary from stack)
    xor %gs:0x14,%edx          (xor against original value; if equal, the result is 0)
    jne ....aborting...        (if not equal, jump to abort)
    ... normal return assembler code ...

- The code will change the order of variables on the stack to put character arrays on top of the stack. This avoids overwrites of other function variables by stack overflows of character arrays, which might otherwise go undetected by this protector.

This checking code can be enabled in two modes:

- normal (-fstack-protector)
  In this mode it will use a heuristic to determine the functions that need the above wrapper. The current heuristic is "uses a character array at least 8 bytes long". This number of bytes can be changed by using this compiler option:
    --param ssp-buffer-size=8

- full (-fstack-protector-all)
  The wrapper will be generated for all functions.

Performance loss:
There will be some small performance loss (due to the approx. 6 instructions added). But the number of functions with character arrays is usually limited and not in the fast path.

I have two apps already compiled with -fstack-protector:
- gaim has 76 functions out of 2022 instrumented.
- ethereal has 141 functions out of 1973 instrumented.

What YOU need to do:

If you think your application or library might have stack buffer overflows, you can add it to your global optflags.

I have created a list of suggested RPMs to instrument, generated by the following criteria:
- Had security updates in the last years.
- Processes input got from the network, especially pdf, images, multimedia.
- Might be used for local privilege escalation.

Ciao, Marcus

Suggested RPMs to instrument:

dcraw mDNSResponder rrdtool webalizer libopensync libsyncml gaim-otr novell-openwbem-authenticator novell-openwbem-authorizer novell-provider-base openwbem id3v2 hal snort abiword avahi banshee beagle dia epiphany-extensions epiphany evince evolution f-spot gaim-galago gaim galeon gdk-pixbuf gedit gobby gpdf gtk2 inkscape libsoup libsvg-cairo libsvg liferea NetworkManager obby poppler xchat sim grip libvisual libvisual-plugins ppp pure-ftpd qpopper vsftpd xntp konversation hp2xx hplip hp-officeJet imlib2 kdegraphics3 kdegraphics kdenetwork3 kdenetwork3 kipi-plugins koffice-wordprocessing ktorrent libkexif libextractor openh323 pwlib sfftobmp cups-backends cups-drivers cups foomatic-filters lynx unace licq unarj unrar xli zoo pdftohtml libmng pam_krb5 libexif freetype2 freetype2 uim xine-lib gnokii kismet tcpdump openslp curl cron mutt pcre wget irssi net-snmp gd giflib id3lib ImageMagick ImageMagick jpeg libpng libpng libtiff libtiff libwmf mc netpbm netpbm sox xpdf xpdf novell-ldapext novell-smash cvs librpcsecgss subversion OpenOffice_org OpenOffice_org dhcpcd dhcp dhcp-server openssl openvpn ethereal exif exiftool imgvtopgm openssh ufraw easytag imlib zip cyrus-imapd cyrus-sasl pam_ldap mailman at libosip2 libsidplay arc exifprobe fetchmail gftp ghostpcl lha libsidplay1 gawk openmotif21-libs openmotif imap gpsdrive cabextract freeradius MozillaFirefox MozillaThunderbird seamonkey dbus-1 libid3tag libogg libvorbis bind postfix a2ps enscript filters ghostscript-library lpdfilter lpdfilter man procmail texinfo xv sylpheed-claws

Performance critical, perhaps: mysql postgresql apache2
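The following script is an added example, not part of Marcus's mail: it compiles a small constructed program with the flags discussed above and counts how many of its functions received the canary wrapper (i.e. reference __stack_chk_fail), which is my assumption of how the "N functions out of M instrumented" figures for gaim and ethereal were obtained. It assumes gcc and binutils objdump are installed; the counting helper itself works on any `objdump -dr` output.

```shell
#!/bin/sh
# Added example (not from the original mail). Assumes gcc and objdump.
# Counting functions that reference __stack_chk_fail is an assumption
# about how the gaim/ethereal instrumentation figures were produced.

# count_instrumented: read `objdump -dr` output on stdin and print
# "<instrumented> <total>": functions referencing __stack_chk_fail
# versus all functions found in the disassembly.
count_instrumented() {
    awk '
        /^[0-9a-f]+ <[^>]+>:$/ { total++; infunc = 1; hit = 0; next }
        infunc && /__stack_chk_fail/ && !hit { inst++; hit = 1 }
        END { printf "%d %d\n", inst + 0, total + 0 }
    '
}

# demo: copy_name has a 16-byte char array (above the default 8-byte
# ssp-buffer-size) and add_one has none, so -fstack-protector should
# report "1 2", raising ssp-buffer-size past 16 should report "0 2",
# and -fstack-protector-all should report "2 2".
demo() {
    tmp=$(mktemp -d) || return 0
    cat > "$tmp/t.c" <<'EOF'
#include <string.h>
int copy_name(const char *s) { char name[16]; strncpy(name, s, 15); name[15] = 0; return name[0]; }
int add_one(int x) { return x + 1; }
EOF
    for flags in "-fno-stack-protector" "-fstack-protector" \
                 "-fstack-protector --param ssp-buffer-size=32" \
                 "-fstack-protector-all"; do
        if gcc -O0 $flags -c "$tmp/t.c" -o "$tmp/t.o" 2>/dev/null; then
            printf '%-48s %s\n' "gcc $flags:" \
                "$(objdump -dr "$tmp/t.o" | count_instrumented)"
        else
            echo "gcc $flags: compile failed"
        fi
    done
    rm -rf "$tmp"
}

# The parser is usable on any binary; only run the demo with a toolchain.
if command -v gcc >/dev/null 2>&1 && command -v objdump >/dev/null 2>&1; then
    demo
fi
```

To measure a real package the way the mail does, run `objdump -dr /path/to/binary | count_instrumented`; the first number is instrumented functions, the second the total.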
Participants (1): Marcus Meissner