[hardening-discuss] Bug#771056: Bug#771056: ICC stack protection false negative

Kees Cook kees at debian.org
Wed Nov 26 16:04:33 UTC 2014


Tags: moreinfo

Hi,

On Wed, Nov 26, 2014 at 11:30:42AM +0000, Cornea, Alexandru wrote:
> The script hardening-check can give a false negative result if the binary analyzed was compiled with ICC (with stack protection).
> Hardening-check looks for __stack_chk_fail, but in ICC compiled binaries the correct functions to be searched for should be __intel_security_cookie or __intel_security_check_cookie.

Thanks for the report! Can you point me to documentation on ICC's
stack protection implementation? If the ICC-compiled binaries are using
something other than __stack_chk_fail, then they may not be using glibc's
canary, which I would view as a regression. (As in, I would like to be
convinced that this is actually a false negative -- this may be reporting
a weak stack protector scheme instead.)

> Below is a naive patch:
> 
> diff --git a/usr/bin/hardening-check b/hardening-check-intel
> index 799943c..f40eda7 100755
> --- a/usr/bin/hardening-check
> +++ b/hardening-check-intel
> @@ -302,6 +302,7 @@ foreach my $file (@ARGV) {
>      # Stack-protected
>      $name = " Stack protected";
>      if (defined($functions->{'__stack_chk_fail'}) ||
> +      defined($functions->{'__intel_security_cookie'}) ||

You mentioned __intel_security_check_cookie as well. I assume this is
the canary? How is it chosen, what is its value?

>          (!$elf && defined($functions->{'__stack_chk_fail_local'}))) {
>          good($name, "yes")
>      }
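
Review bot: The added condition tests only __intel_security_cookie, while the report above also names __intel_security_check_cookie, so a binary that references only the latter would still not match; test both symbols or say why one is enough. The new line is also indented two columns less than the (!$elf && ... continuation that follows it. Because the Intel symbol falls into the same good($name, "yes") branch as __stack_chk_fail, the output cannot show which scheme was detected; a separate result string for the ICC case would keep that distinction visible.
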
> 
> Regards,
>    Alex

Thanks!

-Kees

-- 
Kees Cook                                            @debian.org


