New glibc security things: Pointer obfuscation
glibc 2.4 (in SUSE Linux 10.1) introduces pointer obfuscation. On program startup a random value is read from /dev/urandom, and several pointers are XOR'ed with this value when they are stored into data structures and again when they are read back.
This goes for:
- jmp_bufs (setjmp/longjmp), which could be used by stack overflows to execute code. If you could overwrite the stack pointer or an instruction-related register stored in a jmp_buf (usually itself stored on the stack), you could exploit a stack overflow without triggering canaries.
- atexit() functions, in case an attacker overwrites the heap and those function pointers.
- iconv/gconv-related function pointers.
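As an added illustration (not glibc's own code), the XOR scheme described above in C: the guard is read from /dev/urandom, a function pointer is mangled before storage and demangled on use, and a slot that has been overwritten with a raw address no longer demangles to the intended target. The fallback constant used when /dev/urandom cannot be opened is a hypothetical choice for this demo only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Per-process secret, analogous to glibc's pointer guard. */
static uintptr_t pointer_guard;
static int guard_ready;

static void init_pointer_guard(void) {
    if (guard_ready) return;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL || fread(&pointer_guard, sizeof pointer_guard, 1, f) != 1)
        pointer_guard = (uintptr_t)0x5a5a5a5a5a5a5a5aULL; /* fallback, demo only */
    if (f) fclose(f);
    guard_ready = 1;
}

/* Mangle: XOR the pointer with the guard before storing it. */
static uintptr_t ptr_mangle(void (*fn)(void)) {
    init_pointer_guard();
    return (uintptr_t)fn ^ pointer_guard;
}

/* Demangle: XOR again when the stored value is read back. */
static void (*ptr_demangle(uintptr_t stored))(void) {
    init_pointer_guard();
    return (void (*)(void))(stored ^ pointer_guard);
}

static void exit_handler(void) { puts("handler ran"); }

/* Returns 1 if store-then-load restores the original pointer. */
int roundtrip_ok(void) {
    uintptr_t stored = ptr_mangle(exit_handler);
    return ptr_demangle(stored) == exit_handler;
}

/* Models a memory-corruption write that replaces the stored slot with a
   raw, unmangled address (constructed here). Because the loader XORs the
   slot with a secret the writer does not know, the result is a different
   pointer, so the program does not call the address that was written.
   Returns 1 if the demangled value differs from the written one. */
int overwrite_diverted(void) {
    uintptr_t stored = ptr_mangle(exit_handler);
    uintptr_t raw = (uintptr_t)exit_handler;
    memcpy(&stored, &raw, sizeof stored); /* the overwrite */
    return ptr_demangle(stored) != exit_handler;
}
```

The divergence holds for any nonzero guard; the point is that a correct-looking value in memory is useless without the per-process secret.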