Opened 5 years ago

Last modified 7 days ago

#13056 new defect

Some stack canaries are still missing on Tor Browser binaries

Reported by: gk
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-security
Cc: arthuredelstein
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

It seems that the following binaries have missing stack canaries:

libmozalloc.so
libnssckbi.so
libplc4.so
libplds4.so
TorBrowser/Tor/libgmpxx.so
TorBrowser/Tor/libgmpxx.so.4
TorBrowser/Tor/libgmpxx.so.4.3.3
TorBrowser/Tor/PluggableTransports/Crypto/Cipher/_ARC4.so
TorBrowser/Tor/PluggableTransports/Crypto/Cipher/_XOR.so
TorBrowser/Tor/PluggableTransports/Crypto/Util/_counter.so
TorBrowser/Tor/PluggableTransports/meek-client-torbrowser
TorBrowser/Tor/PluggableTransports/twisted/python/_initgroups.so
TorBrowser/Tor/PluggableTransports/twisted/runner/portmap.so
TorBrowser/Tor/PluggableTransports/twisted/test/raiser.so
TorBrowser/Tor/PluggableTransports/zope/interface/_zope_interface_coptimizations.so

Child Tickets


Change History (27)

comment:1 Changed 5 years ago by cypherpunks

hardened-c++ adds '-fstack-protector' and '--param=ssp-buffer-size=4' to the compiler arguments only if neither -nostdlib nor -ffreestanding was passed to the compiler.

comment:2 Changed 5 years ago by cypherpunks

-nostdlib or -ffreestanding was passed to compiler.

Unlikely for any of those.
And the wrapper passes the needed arguments for Firefox's other libs, so there is no problem with the wrapper in the Firefox case.

comment:3 Changed 5 years ago by cypherpunks

TorBrowser/Tor/libgmpxx.so
TorBrowser/Tor/libgmpxx.so.4
TorBrowser/Tor/libgmpxx.so.4.3.3

This case is about '-nostdlib' being passed to g++ while libgmpxx was compiled. hardened-c++ then skips the SSP arguments.

comment:4 Changed 5 years ago by cypherpunks

TorBrowser/Tor/PluggableTransports/meek-client-torbrowser

Meek is compiled by the Go compiler, and hardening-wrapper wraps around GCC.


comment:5 Changed 5 years ago by gk

libgmpxx is no issue anymore since #13588 got fixed.

comment:6 Changed 5 years ago by gk

The libstdc++ we ship has no stack canaries either.

comment:8 Changed 5 years ago by cypherpunks

libmozalloc.so
libnssckbi.so
libplc4.so
libplds4.so

Were any of those reported as protected for any previous versions?
hardening-wrapper (1.25) as packaged for lucid uses -fstack-protector, which can't cover any functions from those libs (this needs proof, but a brief reading of the code shows that the functions are small enough to be protected). If no functions are protected, then no detection code is compiled and no canary support is reported.

comment:9 Changed 5 years ago by cypherpunks

hardening-wrapper (1.25)

Btw, it doesn't pass a reduced ssp-buffer-size value (which is 8 by default) to protect more functions, compared to the --param ssp-buffer-size=4 used for Windows builds.

comment:10 Changed 5 years ago by cypherpunks

Comparing the Windows and Linux builds of the mozalloc lib:
For the Windows build, one function is protected (exported as _ZN7mozilla14VolatileBuffer4InitEjj).
For the Linux build, no functions are protected.

comment:11 Changed 5 years ago by cypherpunks

_ZN7mozilla14VolatileBuffer4InitEjj
For Linux build, no functions protected.

Bad choice to compare; that code is too different between Linux and Windows.

comment:12 Changed 5 years ago by cypherpunks

nssckbi.dll
plc4.dll
plds4.dll

No SSP generated for any of these either.

comment:13 Changed 5 years ago by cypherpunks

Tested some DLLs from vanilla Firefox ESR (MSVC build) to compare with Tor Browser, checking whether any function is protected (Firefox codebase only):

freebl3.dll  yes
mozalloc.dll yes (the same one, like for TB)
nss3.dll     yes
nssckbi.dll  no
nssdbm3.dll  yes

comment:14 Changed 5 years ago by cypherpunks

The libstdc++ we ship has no stack canaries either.

System libstdc++ from Debian (wheezy, jessie, sid) wasn't built with SSP either. Does that excuse TB?

comment:15 Changed 4 years ago by boklm

The following 2 files are also missing a stack canary on linux32 (but not on linux64):

    TorBrowser/Tor/PluggableTransports/meek-client
    TorBrowser/Tor/PluggableTransports/obfs4proxy

comment:16 Changed 4 years ago by gk

Keywords: tbb-hardening added

comment:17 Changed 4 years ago by gk

Keywords: tbb-hardened added; tbb-hardening removed

comment:18 Changed 3 years ago by arthuredelstein

Cc: arthuredelstein added
Severity: Normal

comment:19 Changed 3 years ago by boklm

In ESR52 builds, libmozsandbox.so is also missing stack canaries.

comment:20 Changed 2 years ago by gk

Keywords: tbb-hardened removed

Remove tbb-hardened keyword.

comment:21 Changed 2 years ago by cypherpunks

Status: new → needs_information
Summary: Some stack canaries are still missing on Tor Browser binaries on Linux → Some stack canaries are still missing on Tor Browser binaries

Shouldn't you pass SSP flags to DLLFLAGS to get it working with NSS, like in https://gitweb.torproject.org/builders/tor-browser-build.git/tree/projects/firefox/build#n77?

comment:22 in reply to:  21 Changed 2 years ago by gk

Replying to cypherpunks:

Shouldn't you pass SSP flags to DLLFLAGS to get it working with NSS, like in https://gitweb.torproject.org/builders/tor-browser-build.git/tree/projects/firefox/build#n77?

This issue happens on Linux, so it seems that DLLFLAGS won't help us here. Or are you referring to comment:12?

comment:23 Changed 7 months ago by boklm

The current list of binaries that we skip in our readelf_stack_canary test is:

    abicheck
    gtk2/libmozgtk.so
    libmozalloc.so
    libmozgtk.so
    libnssckbi.so
    libplc4.so
    libplds4.so
    TorBrowser/Tor/libstdc++/libstdc++.so.6
    TorBrowser/Tor/PluggableTransports/Crypto/Cipher/_ARC4.so
    TorBrowser/Tor/PluggableTransports/Crypto/Cipher/_XOR.so
    TorBrowser/Tor/PluggableTransports/Crypto/Util/_counter.so
    TorBrowser/Tor/PluggableTransports/fte/cDFA.so
    TorBrowser/Tor/PluggableTransports/meek-client-torbrowser
    TorBrowser/Tor/PluggableTransports/twisted/python/_initgroups.so
    TorBrowser/Tor/PluggableTransports/twisted/runner/portmap.so
    TorBrowser/Tor/PluggableTransports/twisted/test/raiser.so
    TorBrowser/Tor/PluggableTransports/zope/interface/_zope_interface_coptimizations.so
    TorBrowser/Tor/PluggableTransports/meek-client
    TorBrowser/Tor/PluggableTransports/obfs4proxy

comment:24 Changed 7 months ago by boklm

From https://wiki.debian.org/HardeningWalkthrough:

Stack Protected: When an executable was built without any character arrays being allocated on the stack, this check will lead to false alarms (since there is no use of stack_chk_fail, even though it was compiled with the correct options).
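To make the test in comment:23 and the false-alarm caveat in comment:24 concrete, here is an added Python example written for this page (it is not tor-browser-build's own readelf_stack_canary test). It assumes binutils readelf is on PATH, reads the skip list as a constant copied from comment:23, and classifies each ELF file as protected, skipped or missing; the regex target is the `__stack_chk_fail` reference that only appears once at least one function actually received a canary.

```python
import os
import re
import subprocess

# Handler that -fstack-protector makes an object reference once at least one
# of its functions got a canary; some libcs emit __stack_chk_fail_local too.
CANARY_RE = re.compile(r"(?<!\w)__stack_chk_fail(?:_local)?\b")

# Skip list copied from comment:23 of this ticket.
PT = "TorBrowser/Tor/PluggableTransports/"
SKIP_LIST = frozenset({
    "abicheck", "gtk2/libmozgtk.so", "libmozalloc.so", "libmozgtk.so",
    "libnssckbi.so", "libplc4.so", "libplds4.so", "TorBrowser/Tor/libstdc++/libstdc++.so.6",
    PT + "Crypto/Cipher/_ARC4.so", PT + "Crypto/Cipher/_XOR.so",
    PT + "Crypto/Util/_counter.so", PT + "fte/cDFA.so",
    PT + "meek-client-torbrowser", PT + "meek-client", PT + "obfs4proxy",
    PT + "twisted/python/_initgroups.so", PT + "twisted/runner/portmap.so",
    PT + "twisted/test/raiser.so",
    PT + "zope/interface/_zope_interface_coptimizations.so",
})

def canary_symbol_present(readelf_output):
    """True if `readelf -s` text references a stack-protector handler.
    Caveat from comment:24: SSP-built code with no char array on the stack
    has no protected function and hence no reference, so a miss is not
    proof that the file was built without -fstack-protector."""
    return any(CANARY_RE.search(line) for line in readelf_output.splitlines())

def classify(rel_path, readelf_output, skip_list=SKIP_LIST):
    """Return 'protected', 'skipped' or 'missing' for one bundle file."""
    if canary_symbol_present(readelf_output):
        return "protected"   # a skip-listed file still counts when it passes
    return "skipped" if rel_path in skip_list else "missing"

def readelf_symbols(path):  # binutils readelf assumed to be on PATH
    return subprocess.run(["readelf", "-s", "--wide", path],
                          capture_output=True, text=True, check=True).stdout

def scan_bundle(root, skip_list=SKIP_LIST, reader=readelf_symbols):
    """Walk an unpacked Tor Browser tree and classify every ELF file in it."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                if fh.read(4) != b"\x7fELF":
                    continue   # scripts, data files and the like
            rel = os.path.relpath(full, root)
            results[rel] = classify(rel, reader(full), skip_list)
    return results
```

A "missing" result outside the skip list is a candidate for a new ticket, as comment:25 suggests; a "skipped" one still needs the manual check from comment:24 before it is called a false positive.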

comment:25 Changed 3 months ago by gk

Another one since esr68 is liblgpllibs.so. I guess part of this ticket is to first figure out which of the errors are actually false positives and which need to get addressed. We can then file new tickets for the latter and adapt our test tools accordingly.

comment:26 Changed 7 days ago by gk

Status: needs_information → new