October, 2020 | Nan Xiao's Blog

Gcc’s “-fstack-protector-strong” option

Gcc‘s “-fstack-protector-strong” helped me catch an array overflow bug recently. The “-fstack-protector-strong” option will add “canary” in the function stack, when function returns, it would check whether the guard is corrupted or not. If corrupted, __stack_chk_fail() will be invoked:

    0x00007ffff5138674 <+52>:   mov    -0x38(%rbp),%rax
    0x00007ffff5138678 <+56>:   xor    %fs:0x28,%rax
    0x00007ffff5138681 <+65>:   jne    0x7ffff5138ff3 <function+2483>
    ......
    0x00007ffff5138ff3 <+2483>: callq  0x7ffff50c2100 <__stack_chk_fail@plt>

And the program will crash:

*** stack smashing detected ***: program terminated
Segmentation fault

Use gdb to check:

(gdb) bt
#0  0x00007fffde26e0b8 in ?? () from /usr/lib64/libgcc_s.so.1
#1  0x00007fffde26efb9 in _Unwind_Backtrace () from /usr/lib64/libgcc_s.so.1
#2  0x00007fffde890aa6 in backtrace () from /usr/lib64/libc.so.6
#3  0x00007fffde7f4ef4 in __libc_message () from /usr/lib64/libc.so.6
#4  0x00007fffde894577 in __fortify_fail () from /usr/lib64/libc.so.6
#5  0x00007fffde894532 in __stack_chk_fail () from /usr/lib64/libc.so.6
#6  0x00007ffff5138ff8 in function () at src.c:685
#7  0x045b9fd4c77e2ff3 in ?? ()
#8  0x9a8ad8e7e2eb8ca8 in ?? ()
#9  0x0fa0e627193655f1 in ?? ()
#10 0xfc295178098bb96f in ?? ()
#11 0xa09a574a7780cd13 in ?? ()
......

The function frames and return addresses are overwritten, so the call stack can’t be recovered. Please be aware that the line which gdb prints:

#6  0x00007ffff5138ff8 in function () at src.c:685

may not be related to culprit!

“argument to variable-length array may be too large [-Wvla-larger-than=]” warning

I use gcc-9 from CentOS:

$ /opt/rh/devtoolset-9/root/usr/bin/gcc --version
gcc (GCC) 9.3.1 20200408 (Red Hat 9.3.1-2)
Copyright (C) 2019 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

And I found if using -O3 compile option, for some Variable-length array in C programming language, gcc will report following warning:

warning: argument to variable-length array may be too large [-Wvla-larger-than=]
  596 |  uint8_t header[header_size];
      |          ^~~~~~~~~~~~~~~~~~

If not using -O3 option, the warning won’t be generated.

Create IETF QUIC pcap file (continued)

My previous post introduces how to create QUIC pcap file, but it ignores the encryption part, so I create a new project to illustrate it. Furthermore, if you are curious about generating keys, my another article can be a good reference!

The caveat of using Chrome to test QUIC implementation

This document gives a detailed information about how to use Chrome to test QUIC implementation. But from my test:

$ /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
  --enable-quic \
  --quic-version=h3-T051 \
  --origin-to-force-quic-on=r2---sn-fxc25nn-nwje.googlevideo.com:443 \
  https://r2---sn-fxc25nn-nwje.googlevideo.com/

Opening in existing browser session.

If Chrome is already running, the above command will open tab in existing browser session, and it will use current existing Chrome process’s QUIC version, e.g, T050. So to test different QUIC versions, you should close current running Chrome processes.

Use Wireshark to decrypt TLS flows

TLS debugging is an awesome introduction of using Wireshark to debug TLS issues (The presentation material can be found here). I just summarise how to decrypt TLS flows here:

(1) Set the filter and capture only TLS flows:

(2) Open chromium and save session secrets in command line:

SSLKEYLOGFILE="$PWD/keys.txt" /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --user-data-dir=/tmp/cr

(3)After saving pcap file, Load key and decrypt TLS flows: