On 1/8/20 7:24 AM, Petr Štetiar wrote:
> Hauke Mehrtens <[email protected]> [2020-01-07 23:21:19]:
>
> Hi,
>
> thanks for your work.
>
>>> Hauke Mehrtens (6):
>>>   buildsystem: Make PIE ASLR option tristate
>>>   dnsmasq: Activate PIE by default
>>>   dropbear: Activate PIE by default
>>>   hostapd: Activate PIE by default
>>>   uhttpd: Activate PIE by default
>>>   lantiq: Allow PKG_ASLR_PIE for DSL and voice drivers
>
> just wondering, if there is any particular reason for leaving odhcp6c and
> odhcpd out as these are network exposed services and running in default
> install.

I just didn't think about them. We could just add an extra patch to
activate it for them too.

> Thinking about it now, we should probably consider ubus, procd, rpcd and
> cgi-io (perhaps missed something) which might possibly process malicious
> inputs as well.

Then we have more or less everything. ;-)

> BTW I'm wondering how does this work with the shared libraries, like musl
> libc, openssl, libubox? Don't they need PKG_ASLR_PIE_REGULAR enabled as well
> in order to get `TARGET_LDFLAGS += $(FPIC)
> -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs` ?

Shared libraries are always linked position independent and then the
kernel is already loading them to random address offsets.

>> I would like to apply these patches to master?
>
> I don't know if you've something newer in your tree, just looked at your aslr
> branch in your staging tree:

You can find the newest version here:
https://git.openwrt.org/?p=openwrt/staging/hauke.git;a=shortlog;h=refs/heads/aslr

> + default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) &&
> !SDK)
>
> Nice, that you've enabled this for !SMALL_FLASH devices. BTW what is the
> reason for !SDK? That way binary/library.

When something is built in the SDK I always want to use
PKG_ASLR_PIE_REGULAR by default. In our build infrastructure we build
packages common to multiple targets in the SDK and there I always want
to use PKG_ASLR_PIE_REGULAR as default option to activate ASLR when the
same package is used on a tiny and a normal target. I hope it will work
like this. I want to prevent that some tiny target is used to build the
additional packages and then this gets accidentally deactivated.

>> Are there any objections to this? I already activated LTO to reduce the
>> size for all these components and the lantiq patch is already applied.
>
> I don't have any objections, I welcome this additional hardening. Which branch
> can I use for runtime testing? I plan to test it and give you my Acked-by.

The disadvantage is that the size increases, otherwise I would activate
it for all binaries.

This is one example for dropbear:
------------------------------------------------------------------------
root@OpenWrt:/# cat /proc/1200/maps
5561e000-5564d000 r-xp 00000000 fe:00 1024 /usr/sbin/dropbear
5565d000-5565e000 r-xp 0002f000 fe:00 1024 /usr/sbin/dropbear
5565e000-5565f000 rwxp 00030000 fe:00 1024 /usr/sbin/dropbear
77e89000-77eab000 r-xp 00000000 fe:00 288 /lib/libgcc_s.so.1
77eab000-77eac000 r-xp 00012000 fe:00 288 /lib/libgcc_s.so.1
77eac000-77ead000 rwxp 00013000 fe:00 288 /lib/libgcc_s.so.1
77ead000-77f44000 r-xp 00000000 fe:00 286 /lib/libc.so
77f53000-77f55000 rwxp 00096000 fe:00 286 /lib/libc.so
77f55000-77f57000 rwxp 00000000 00:00 0
7fc95000-7fcb6000 rw-p 00000000 00:00 0 [stack]
7fefc000-7fefd000 r-xp 00000000 00:00 0
7ff70000-7ff72000 r--p 00000000 00:00 0 [vvar]
7ff72000-7ff73000 r-xp 00000000 00:00 0 [vdso]
root@OpenWrt:/# /etc/init.d/dropbear restart
root@OpenWrt:/# ps |grep dropbear
2299 root 1108 S /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p
2315 root 1212 S grep dropbear
root@OpenWrt:/# cat /proc/2299/maps
55557000-55586000 r-xp 00000000 fe:00 1024 /usr/sbin/dropbear
55596000-55597000 r-xp 0002f000 fe:00 1024 /usr/sbin/dropbear
55597000-55598000 rwxp 00030000 fe:00 1024 /usr/sbin/dropbear
77f12000-77f34000 r-xp 00000000 fe:00 288 /lib/libgcc_s.so.1
77f34000-77f35000 r-xp 00012000 fe:00 288 /lib/libgcc_s.so.1
77f35000-77f36000 rwxp 00013000 fe:00 288 /lib/libgcc_s.so.1
77f36000-77fcd000 r-xp 00000000 fe:00 286 /lib/libc.so
77fdc000-77fde000 rwxp 00096000 fe:00 286 /lib/libc.so
77fde000-77fe0000 rwxp 00000000 00:00 0
7fcbc000-7fcdd000 rw-p 00000000 00:00 0 [stack]
7fefc000-7fefd000 r-xp 00000000 00:00 0
7ff73000-7ff75000 r--p 00000000 00:00 0 [vvar]
7ff75000-7ff76000 r-xp 00000000 00:00 0 [vdso]
root@OpenWrt:/#
------------------------------------------------------------------------
All sections are loaded to different addresses the second time, except
7fefc000 ;-)

Hauke
_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
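
Added example (not part of the original message or the OpenWrt tree): the before/after comparison of /proc/<pid>/maps done by eye in the message above, as a Python script for saved snapshots. BEFORE and AFTER are excerpts of the dropbear output quoted above; the function names and the anon#N labels for unnamed mappings are assumptions of this example.

```python
# Excerpts of the two dropbear snapshots quoted in the message above
# (first segment of each mapped object only).
BEFORE = """\
5561e000-5564d000 r-xp 00000000 fe:00 1024 /usr/sbin/dropbear
77e89000-77eab000 r-xp 00000000 fe:00 288 /lib/libgcc_s.so.1
77ead000-77f44000 r-xp 00000000 fe:00 286 /lib/libc.so
77f55000-77f57000 rwxp 00000000 00:00 0
7fc95000-7fcb6000 rw-p 00000000 00:00 0 [stack]
7fefc000-7fefd000 r-xp 00000000 00:00 0
7ff72000-7ff73000 r-xp 00000000 00:00 0 [vdso]
"""
AFTER = """\
55557000-55586000 r-xp 00000000 fe:00 1024 /usr/sbin/dropbear
77f12000-77f34000 r-xp 00000000 fe:00 288 /lib/libgcc_s.so.1
77f36000-77fcd000 r-xp 00000000 fe:00 286 /lib/libc.so
77fde000-77fe0000 rwxp 00000000 00:00 0
7fcbc000-7fcdd000 rw-p 00000000 00:00 0 [stack]
7fefc000-7fefd000 r-xp 00000000 00:00 0
7ff75000-7ff76000 r-xp 00000000 00:00 0 [vdso]
"""


def base_addresses(maps_text):
    """Map each object name to its lowest start address."""
    bases, anon = {}, 0
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # range perms offset dev inode [path]
        if len(fields) < 5:
            continue  # not a maps line (prompt, blank line, ...)
        start = int(fields[0].split("-")[0], 16)
        if len(fields) == 6:
            name = fields[5].strip()
        else:
            # Assumption: unnamed mappings are paired by their order in the file.
            anon += 1
            name = f"anon#{anon}"
        bases[name] = min(start, bases.get(name, start))
    return bases


def compare(before, after):
    """Return {name: (old_base, new_base, moved)} for names in both snapshots."""
    old, new = base_addresses(before), base_addresses(after)
    return {n: (old[n], new[n], old[n] != new[n]) for n in old if n in new}


if __name__ == "__main__":
    for name, (old, new, moved) in compare(BEFORE, AFTER).items():
        print(f"{name:22} {old:08x} -> {new:08x}  {'moved' if moved else 'SAME'}")
```

An executable whose base is reported as SAME across restarts was not linked as PIE; on the excerpts above only the unnamed mapping at 7fefc000 is reported that way.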
