Opened 2 years ago

Closed 2 years ago

#22361 closed defect (fixed)

Some binaries are missing RELRO in latest linux nightly builds

Reported by: boklm Owned by: boklm
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: TorBrowserTeam201706R
Cc: tbb-team Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

In the latest nightly builds, the following binaries are missing RELRO:

TorBrowser/Tor/libcrypto.so.1.0.0
TorBrowser/Tor/libevent-2.0.so.5
TorBrowser/Tor/libgmp.so.10
TorBrowser/Tor/libssl.so.1.0.0

When integrating Selfrando (#20683), we added our build of gcc and binutil to the PATH, to use them for building elfutils and selfrando. However, our gcc and binutils are now also used for the following builds that are done in gitian/descriptors/linux/gitian-utils.yml. This also means that the hardening wrappers are not used anymore.

To fix that, we can either:

  • reset the PATH and LD_LIBRARY_PATH to their previous value after building selfrando, to keep using the system compiler (and the hardened wrapper) for the other components
  • use our gcc build to build the other components, but copy hardened-cc to our gcc build directory, in the same way that we are doing in gitian/descriptors/linux/gitian-firefox.yml, to make sure we are using the hardening wrapper

Child Tickets

Change History (3)

comment:1 in reply to:  description Changed 2 years ago by gk

Replying to boklm:

  • use our gcc build to build the other components, but copy hardened-cc to our gcc build directory, in the same way that we are doing in gitian/descriptors/linux/gitian-firefox.yml, to make sure we are using the hardening wrapper

That sounds like the way to go here. Oh, and this bug is also responsible for missing stack canaries, right?

comment:2 Changed 2 years ago by boklm

Keywords: TorBrowserTeam201706R added; TorBrowserTeam201705 removed
Status: newneeds_review

I made a patch to fix that in branch bug_22361:
https://gitweb.torproject.org/user/boklm/tor-browser-bundle.git/commit/?h=bug_22361

I tried a build with this patch, which fixed the missing RELRO and stack canaries.

comment:3 Changed 2 years ago by gk

Keywords: tbb-7.0-must removed
Resolution: fixed
Status: needs_reviewclosed

Looks good to me. This won't make it into maint-7.0 as the selfrando commits are backed out on it. (Removing tbb-7.0-must for that reason) Applied to master as commit 095845a8bc96997b50c5208d831ae32272ca6f85.

Note: See TracTickets for help on using tickets.