libkern stack_protector

Matthew Dillon dillon at
Sat Jan 29 11:46:50 PST 2005

:On Fri, Jan 28, 2005 at 05:29:03PM -0500, Robert Connolly wrote:
:> Hello. In regards to your:
:> src/sys/libkern/stack_protector.c
:> You have:
:> int __guard = 0x00000aff;
:> #else
:> int __guard = 0xff0a0000;
:> #endif
:> Why do you check for endianness? 
:Because the order of the cookie bytes changes the meaning of
:how overflowing buffers are used.
:> robert

    Right.  The idea of the cookie is to catch an overflow.  Catching
    an overflow means emplacing the cookie such that a one-byte overflow
    is likely to be caught.  We'd rather have a non-zero byte for the first
    byte of the overflow area rather than a zero byte.  

    Why aren't all the bytes non-zero?  Because we also want the guard
    to provide at least one zero byte for string termination.  And there
    are a few other reasons too.  It's mostly inconsequential but there is
    a method behind the madness.

					Matthew Dillon 
					<dillon at xxxxxxxxxxxxx>
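As an added illustration of the two points above (not code from DragonFly's stack_protector.c): the snippet lays out each quoted constant the way the matching byte order stores it in memory and checks the two properties Matt describes. The helper names (`host_is_little_endian`, `layout_bytes`, `select_guard` and the two property checks) are my own.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constants quoted from the thread; one is selected per host endianness. */
#define GUARD_LE 0x00000affU
#define GUARD_BE 0xff0a0000U

/* Returns 1 when the host stores multi-byte integers little-endian. */
int host_is_little_endian(void)
{
    uint32_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/* Write the four bytes of v into out[] as the given byte order stores them,
 * out[0] being the lowest address (the byte adjacent to a preceding buffer). */
void layout_bytes(uint32_t v, int little_endian, unsigned char out[4])
{
    for (int i = 0; i < 4; i++) {
        int shift = little_endian ? 8 * i : 8 * (3 - i);
        out[i] = (unsigned char)(v >> shift);
    }
}

/* The constant the thread's #ifdef would pick for this host. */
uint32_t select_guard(int little_endian)
{
    return little_endian ? GUARD_LE : GUARD_BE;
}

/* Property 1: the lowest-addressed byte is non-zero, so a one-byte overrun
 * into the guard is likely to change it. */
int first_byte_nonzero(const unsigned char g[4]) { return g[0] != 0; }

/* Property 2: at least one zero byte is present for string termination. */
int has_zero_byte(const unsigned char g[4]) { return memchr(g, 0, 4) != NULL; }

int main(void)
{
    int le = host_is_little_endian();
    unsigned char g[4];
    layout_bytes(select_guard(le), le, g);
    printf("host is %s-endian; guard bytes in memory: %02x %02x %02x %02x\n",
           le ? "little" : "big", g[0], g[1], g[2], g[3]);
    return 0;
}
```

Whichever constant the host selects, the bytes land in memory as ff 0a 00 00, which is why the endianness check keeps the same byte pattern on both kinds of machine.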
