On Saturday, April 13, 2013 08:36:53 PM Kevin Kofler wrote:
(1) -fstack-protector{,-all} doesn't implement full bounds checking for every C object.
But it prevents (with probability (256^n-1)/256^n, where n is the size of the canary in bytes, which for n=4 is approximately .99999999976717) exploiting the overflows to change the return address of any C function.
There is the off chance that an attacker correctly guesses the canary value. :-)
One thing that I found in doing a recent study was that there is a build system, scons, where our defaults are not getting used during compile. For example, the zfs-fuse package uses the scons build system. It did not have PIE, RELRO, stack protector, or FORTIFY_SOURCE anywhere. Anything else that uses scons should be inspected for similar problems.
-Steve