Opened 3 years ago

Last modified 16 months ago

#20322 new defect

SafeSEH support for mingw-w64 for Tor Browser on Windows

Reported by: bugzilla
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-security, TorBrowserTeam201711, GeorgKoppen201711
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor: Sponsor4

Description

Not only SEH, because of www.fuzzysecurity.com/tutorials/expDev/3.html
Even YASM can do it https://www.tortall.net/projects/yasm/manual/html/objfmt-win32-safeseh.html

Change History (8)

comment:1 Changed 3 years ago by gk

Parent ID: #16010

comment:2 Changed 2 years ago by cypherpunks

As there is no activity on this problem, should we proceed with the public disclosure?

comment:4 Changed 21 months ago by gk

Keywords: TorBrowserTeam201711 GeorgKoppen201711 added
Sponsor: Sponsor4

comment:5 Changed 21 months ago by gk

Priority: Medium → Very High

Changing prio to reflect sponsor deadline

comment:6 Changed 20 months ago by gk

Parent ID: #21777
Priority: Very High → Medium

I did some digging and with our GCC-based toolchain this is tricky right now. However, we probably need a clang-based toolchain for ESR 59 anyway due to https://bugzilla.mozilla.org/show_bug.cgi?id=1390583 and it seems we'd get SafeSEH when switching. Thus, it makes no sense to fix this bug right now for the current toolchain. We should get SafeSEH with #21777 being fixed.

comment:7 in reply to: 6 Changed 20 months ago by cypherpunks

Replying to gk:

I did some digging and with our GCC-based toolchain this is tricky right now.

Read comment:3. There is nothing tricky in adding one flag.

Thus, it makes no sense to fix this bug right now for the current toolchain.

Quite the opposite.

There is a very real security benefit to this, mainly because it's so easy for malware to corrupt the SEH chain. Once the SEH chain is corrupted, it's typically very easy to cause an exception, at which point the exception handling machinery will go and dispatch execution to the handlers indicated in the chain. If a handler points into a DLL which doesn't have NO-SEH or SAFESEH, execution will transfer to that address without trouble.
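
The dispatch rule described in the comment above can be audited per shipped module by reading the two PE fields the 32-bit SEH dispatcher consults: the NO_SEH bit in the optional header's DllCharacteristics and the SEHandlerTable/SEHandlerCount pair in the load-config directory. The Python below is an added example, not code from this ticket or from Tor Browser; it assumes only the PE32 header layout from the PE/COFF specification, and it builds three constructed toy images (not real binaries) to exercise the check offline.

```python
import struct
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400  # DllCharacteristics bit: "image does not use SEH"
LOAD_CONFIG_DIR_INDEX = 10                # data directory slot of IMAGE_LOAD_CONFIG_DIRECTORY

def rva_to_offset(data, sections, nsec, rva):
    # Map an RVA to a file offset through the 40-byte section headers (VA, raw size, raw offset at +12)
    for i in range(nsec):
        va, raw_size, raw_off = struct.unpack_from("<III", data, sections + 40 * i + 12)
        if va <= rva < va + raw_size:
            return rva - va + raw_off
    return None

def seh_status(data: bytes) -> dict:
    # Report what the 32-bit SEH dispatcher sees: NO_SEH bit, SafeSEH table registration, handler count
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 24  # optional header follows the 4-byte signature and the 20-byte COFF header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("PE32 image required (SafeSEH is 32-bit only; x64 uses table-based unwinding)")
    nsec, _, _, _, opt_size = struct.unpack_from("<HIIIH", data, e_lfanew + 6)
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    lc_rva = struct.unpack_from("<I", data, opt + 96 + 8 * LOAD_CONFIG_DIR_INDEX)[0]
    off = rva_to_offset(data, opt + opt_size, nsec, lc_rva) if lc_rva else None
    # SEHandlerTable/SEHandlerCount live at +64/+68 and count only if the struct's own Size covers them
    valid = off is not None and struct.unpack_from("<I", data, off)[0] >= 72
    table, handlers = struct.unpack_from("<II", data, off + 64) if valid else (0, 0)
    return {"no_seh": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NO_SEH), "safeseh": table != 0, "handlers": handlers}

def load_config32(handler_table_rva: int, handler_count: int) -> bytes:
    # Constructed 72-byte IMAGE_LOAD_CONFIG_DIRECTORY32 that registers a SafeSEH handler table
    lc = bytearray(72)
    struct.pack_into("<I", lc, 0, 72)
    struct.pack_into("<II", lc, 64, handler_table_rva, handler_count)
    return bytes(lc)

def build_pe32(dllchars: int, load_config: bytes) -> bytes:
    # Constructed minimal PE32 (not a real, loadable binary): one section at RVA 0x1000 holding load_config
    sec_rva, sec_off = 0x1000, 0x200
    dirs = bytearray(16 * 8)
    if load_config:
        struct.pack_into("<II", dirs, 8 * LOAD_CONFIG_DIR_INDEX, sec_rva, len(load_config))
    opt = struct.pack("<H", 0x10B) + bytes(68) + struct.pack("<H", dllchars) + bytes(20) + struct.pack("<I", 16) + bytes(dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
    section = b".rdata\0\0" + struct.pack("<IIII", sec_off, sec_rva, sec_off, sec_off) + bytes(16)
    hdr = bytearray(sec_off)
    hdr[0:2], hdr[0x3C:0x40] = b"MZ", struct.pack("<I", 0x40)
    hdr[0x40:0x40 + 4 + len(coff) + len(opt) + len(section)] = b"PE\0\0" + coff + opt + section
    return bytes(hdr) + load_config.ljust(sec_off, b"\0")

# Constructed samples: an image with neither mitigation, a NO_SEH-only image, and a SafeSEH image
SAMPLES = {"plain": build_pe32(0, b""), "no_seh": build_pe32(IMAGE_DLLCHARACTERISTICS_NO_SEH, b""),
           "safeseh": build_pe32(0, load_config32(0x1100, 3))}
```

For a real build, run seh_status(open(path, "rb").read()) over each 32-bit DLL and EXE in the bundle; a module reporting neither no_seh nor safeseh is one the dispatcher will transfer control into for any handler address an overwritten SEH record names.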

comment:8 Changed 16 months ago by gk

Parent ID: #21777