From: Glenn Washburn <development@efficientek.com>
To: The development of GNU GRUB <grub-devel@gnu.org>,
	Daniel Kiper <dkiper@net-space.pl>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>,
	Dimitri John Ledkov <dimitri.ledkov@canonical.com>,
	Glenn Washburn <development@efficientek.com>
Subject: [PATCH v3 2/3] efi: Generate stack protector canary at build time if urandom is available
Date: Tue, 19 Dec 2023 00:00:00 -0600
Message-ID: <01a56aed2f263ec96b9f54faf0a4745bb086bc6f.1702965318.git.development@efficientek.com>
In-Reply-To: <cover.1702965318.git.development@efficientek.com>

Generating the canary at build time allows the canary to be different for
every build which could limit the effectiveness of certain exploits.
Fall back to the statically generated random bytes if /dev/urandom is not
readable (e.g. Windows).

On 32-bit architectures, which use a 32-bit canary, reduce the canary to 4
bytes with one byte being NUL to filter out string buffer overflow attacks.

Signed-off-by: Glenn Washburn <development@efficientek.com>
---
 config.h.in               |  2 ++
 configure.ac              | 20 ++++++++++++++++++++
 grub-core/kern/efi/init.c |  2 +-
 3 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/config.h.in b/config.h.in
index 4d1e50eba79c..9b1d39971858 100644
--- a/config.h.in
+++ b/config.h.in
@@ -64,6 +64,8 @@
 #  define GRUB_TARGET_CPU "@GRUB_TARGET_CPU@"
 #  define GRUB_PLATFORM "@GRUB_PLATFORM@"
 
+#  define GRUB_STACK_PROTECTOR_INIT @GRUB_STACK_PROTECTOR_INIT@
+
 #  define RE_ENABLE_I18N 1
 
 #  define _GNU_SOURCE 1
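Review bot: the `@GRUB_STACK_PROTECTOR_INIT@` substitution here is unconditional, but the matching `AC_SUBST([GRUB_STACK_PROTECTOR_INIT])` in the configure.ac hunk sits inside the `--enable-stack-protector` branch, so a build without the stack protector leaves the literal `@GRUB_STACK_PROTECTOR_INIT@` text in config.h and `GRUB_STACK_PROTECTOR_INIT` expands to a syntax error at any use. That is only safe while every user of the macro stays under `#ifdef GRUB_STACK_PROTECTOR`; either guard the define the same way or substitute a value (the static fallback) unconditionally. A one-line comment saying the value is generated by configure would also help, since nothing in this file explains where it comes from.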
diff --git a/configure.ac b/configure.ac
index c19779c14d08..f15d31ec4c0e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1438,6 +1438,26 @@ else
     AC_MSG_ERROR([invalid value $enable_stack_protector for --enable-stack-protector])
   fi
   TARGET_CPPFLAGS="$TARGET_CPPFLAGS -DGRUB_STACK_PROTECTOR=1"
+
+  if test -r /dev/urandom; then
+     # Generate the 8 byte stack protector canary at build time if /dev/urandom
+     # is able to be read. The first byte should be NUL to filter out string
+     # buffer overflow attacks.
+     GRUB_STACK_PROTECTOR_INIT="$($PYTHON -c 'import codecs; rf=open("/dev/urandom", "rb"); print("0x00"+codecs.encode(rf.read(7), "hex").decode("ascii"))')"
+  else
+    # Some hosts may not have a urandom (eg. Windows), so use statically
+    # generated random bytes
+    GRUB_STACK_PROTECTOR_INIT="0x00f2b7e2f193b25c"
+  fi
+
+  if test x"$target_m32" = x1 ; then
+    # Make sure that the canary default value is 24-bits by only using the
+    # lower 3 bytes on 32 bit systems. This allows the upper byte to be NUL
+    # to filter out string buffer overflow attacks.
+    GRUB_STACK_PROTECTOR_INIT="0x00$(echo "$GRUB_STACK_PROTECTOR_INIT" | sed 's/.*\(......\)$/\1/')"
+  fi
+
+  AC_SUBST([GRUB_STACK_PROTECTOR_INIT])
 fi
 
 CFLAGS="$TARGET_CFLAGS"
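Review bot: nothing checks that the `$PYTHON` command actually produced a value, so if `$PYTHON` is unset, Python is missing on the host, or the read fails, `GRUB_STACK_PROTECTOR_INIT` ends up empty, config.h gets a bare `#define GRUB_STACK_PROTECTOR_INIT`, and the failure only surfaces later as a confusing compile error. Suggest validating the result and reusing the static fallback, e.g.
  if test -z "$GRUB_STACK_PROTECTOR_INIT"; then
    GRUB_STACK_PROTECTOR_INIT="0x00f2b7e2f193b25c"
  fi
(or drop the Python dependency entirely with `od -An -N7 -tx1 /dev/urandom | tr -d ' \n'`, which any host with a readable /dev/urandom will have). Two smaller points: `rf.read(7)` can in principle return fewer than 7 bytes, which would silently yield a shorter canary, so the length is worth asserting; and the `sed` in the `$target_m32` branch assumes at least six trailing hex digits, which holds for both the generated and the static value but deserves a comment. Since every build now embeds a different constant, reproducible-build users will also need a way to pin or override this variable. Finally, it is worth stating in a comment that the static fallback is the same constant the source previously hard-coded, so the non-urandom path is behaviour-preserving.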
diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
index 08e24d46fad9..6c54af6e79e5 100644
--- a/grub-core/kern/efi/init.c
+++ b/grub-core/kern/efi/init.c
@@ -46,7 +46,7 @@ static grub_guid_t rng_protocol_guid = GRUB_EFI_RNG_PROTOCOL_GUID;
 static grub_efi_uint8_t stack_chk_guard_buf[32];
 
 /* Initialize canary in case there is no RNG protocol. */
-grub_addr_t __stack_chk_guard = (grub_addr_t) 0x00f2b7e2f193b25c;
+grub_addr_t __stack_chk_guard = (grub_addr_t) GRUB_STACK_PROTECTOR_INIT;
 
 void __attribute__ ((noreturn))
 __stack_chk_fail (void)
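Review bot: the comment `/* Initialize canary in case there is no RNG protocol. */` should be updated to say the value is now the configure-generated `GRUB_STACK_PROTECTOR_INIT` (per-build random when /dev/urandom is readable on the build host, static otherwise), since a reader of this file can no longer see where the constant comes from. Worth noting as well that the old 64-bit literal was silently truncated by the `(grub_addr_t)` cast on 32-bit targets, so the canary there was `0xf193b25c` with no NUL byte; together with the `$target_m32` handling in configure.ac this hunk is therefore also a correctness fix for 32-bit builds, and the commit message would benefit from saying so.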
-- 
2.34.1

