From 7da32b384eb34ea25ce176b88e8907165c6a27a0 Mon Sep 17 00:00:00 2001
From: deraadt
Date: Sat, 28 Dec 2013 03:22:52 +0000
Subject: [PATCH] change the stack protector guard into a long word (removing the old legacy compat pointed out by miod), and place it inside the ELF .openbsd.randomdata segment. Inside main(), only re-initialize the guard if the bootblocks failed to initialize it for us.

---
 sys/kern/init_main.c | 20 ++++++--------------
 1 file changed, 6 insertions(+), 14 deletions(-)

diff --git a/sys/kern/init_main.c b/sys/kern/init_main.c
index c26b9d4acef..703727b6985 100644
--- a/sys/kern/init_main.c
+++ b/sys/kern/init_main.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: init_main.c,v 1.194 2013/12/28 03:12:56 deraadt Exp $ */
+/* $OpenBSD: init_main.c,v 1.195 2013/12/28 03:22:52 deraadt Exp $ */
 /* $NetBSD: init_main.c,v 1.84.4.1 1996/06/02 09:08:06 mrg Exp $ */
 
 /*
@@ -132,10 +132,7 @@ int ncpusfound = 1; /* number of cpus we find */
 __volatile int start_init_exec; /* semaphore for start_init() */
 
 #if !defined(NO_PROPOLICE)
-#ifdef __ELF__
-long __guard_local __dso_hidden;
-#endif
-long __guard[8];
+long __guard_local __attribute__((section(".openbsd.randomdata")));
 #endif
 
 /* XXX return int so gcc -Werror won't complain */
@@ -415,16 +412,11 @@ main(void *framep)
 #endif
 
 #if !defined(NO_PROPOLICE)
- {
- volatile long newguard[8];
-
- arc4random_buf((long *)newguard, sizeof(newguard));
+ if (__guard_local == 0) {
+ volatile long newguard;
 
-#ifdef __ELF__
- __guard_local = newguard[0];
-#endif
- for (i = nitems(__guard) - 1; i; i--)
- __guard[i] = newguard[i];
+ newguard = arc4random();
+ __guard_local = newguard;
 }
 #endif
 
-- 
2.20.1
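Review bot: The `__guard_local` declaration added in the `@@ -132,10 +132,7 @@` hunk has no comment saying who seeds it, so the contract is stated only in the commit message. A line above it such as `/* seeded by the bootblocks through .openbsd.randomdata; main() reseeds it if it is still 0 */` would keep that visible next to the variable. The diffstat shows only init_main.c changing, so whether every architecture's kernel link step places this section and every bootloader fills it cannot be confirmed from this patch and is worth checking.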
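Review bot: In the `@@ -415,16 +412,11 @@` hunk, `newguard = arc4random();` yields a 32-bit value, so where `long` is 64 bits the fallback leaves the upper half of `__guard_local` zero. The removed code filled whole longs with arc4random_buf(), so this path weakens the canary exactly when the bootblocks did not seed it. Filling the full word keeps the old width: `arc4random_buf((long *)&newguard, sizeof(newguard));` in place of the arc4random() assignment. The `== 0` test also cannot tell an unseeded guard from a seeded value of zero, and the reason for the volatile temporary is not stated; a short comment on both would help. The body of main() starts and ends outside this hunk.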