> On Jan 8, 2020, at 3:10 PM, Hauke Mehrtens <[email protected]> wrote:
>
> On 1/8/20 7:24 AM, Petr Štetiar wrote:
>> Hauke Mehrtens <[email protected]> [2020-01-07 23:21:19]:
>>
>> Hi,
>>
>> thanks for your work.
>>
>>>> Hauke Mehrtens (6):
>>>>   buildsystem: Make PIE ASLR option tristate
>>>>   dnsmasq: Activate PIE by default
>>>>   dropbear: Activate PIE by default
>>>>   hostapd: Activate PIE by default
>>>>   uhttpd: Activate PIE by default
>>>>   lantiq: Allow PKG_ASLR_PIE for DSL and voice drivers
>>
>> just wondering, if there is any particular reason for leaving odhcp6c and
>> odhcpd out as these are network-exposed services and running in default
>> install.
>
> I just didn't think about them. We could just add an extra patch to
> activate it for them too.
>
>> Thinking about it now, we should probably consider ubus, procd, rpcd and
>> cgi-io (perhaps missed something) which might possibly process malicious
>> inputs as well.
>
> Then we have more or less everything. ;-)
>
>> BTW I'm wondering how does this work with the shared libraries, like musl
>> libc, openssl, libubox? Don't they need PKG_ASLR_PIE_REGULAR enabled as well
>> in order to get `TARGET_LDFLAGS += $(FPIC)
>> -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs` ?
>
> Shared libraries are always linked position independent and then the
> kernel is already loading them to random address offsets.
>
>>> I would like to apply these patches to master?
>>
>> I don't know if you've something newer in your tree, just looked at your aslr
>> branch in your staging tree:
>
> You can find the newest version here:
> https://git.openwrt.org/?p=openwrt/staging/hauke.git;a=shortlog;h=refs/heads/aslr
>
>> + default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) &&
>> !SDK)
>>
>> Nice, that you've enabled this for !SMALL_FLASH devices. BTW what is the
>> reason for !SDK? That way binary/library.
>
> When something is built in the SDK I always want to use
> PKG_ASLR_PIE_REGULAR by default. In our build infrastructure we build
> packages common to multiple targets in the SDK and there I always want
> to use PKG_ASLR_PIE_REGULAR as default option to activate ASLR when the
> same package is used on a tiny and a normal target. I hope it will work
> like this. I want to prevent that some tiny target is used to build the
> additional packages and then this gets accidentally deactivated.
>
>>> Are there any objections to this? I already activated LTO to reduce the
>>> size for all these components and the lantiq patch is already applied.
>>
>> I don't have any objections, I welcome this additional hardening. Which
>> branch can I use for runtime testing? I plan to test it and give you my
>> Acked-by.
>
> The disadvantage is that the size increases, otherwise I would activate
> it for all binaries.
>
> This is one example for dropbear:
> ------------------------------------------------------------------------
> root@OpenWrt:/# cat /proc/1200/maps
> 5561e000-5564d000 r-xp 00000000 fe:00 1024 /usr/sbin/dropbear
> 5565d000-5565e000 r-xp 0002f000 fe:00 1024 /usr/sbin/dropbear
> 5565e000-5565f000 rwxp 00030000 fe:00 1024 /usr/sbin/dropbear
> 77e89000-77eab000 r-xp 00000000 fe:00 288 /lib/libgcc_s.so.1
> 77eab000-77eac000 r-xp 00012000 fe:00 288 /lib/libgcc_s.so.1
> 77eac000-77ead000 rwxp 00013000 fe:00 288 /lib/libgcc_s.so.1
> 77ead000-77f44000 r-xp 00000000 fe:00 286 /lib/libc.so
> 77f53000-77f55000 rwxp 00096000 fe:00 286 /lib/libc.so
> 77f55000-77f57000 rwxp 00000000 00:00 0
> 7fc95000-7fcb6000 rw-p 00000000 00:00 0 [stack]
> 7fefc000-7fefd000 r-xp 00000000 00:00 0
> 7ff70000-7ff72000 r--p 00000000 00:00 0 [vvar]
> 7ff72000-7ff73000 r-xp 00000000 00:00 0 [vdso]
> root@OpenWrt:/# /etc/init.d/dropbear restart
> root@OpenWrt:/# ps |grep dropbear
>  2299 root 1108 S /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p
>  2315 root 1212 S grep dropbear
> root@OpenWrt:/# cat /proc/2299/maps
> 55557000-55586000 r-xp 00000000 fe:00 1024 /usr/sbin/dropbear
> 55596000-55597000 r-xp 0002f000 fe:00 1024 /usr/sbin/dropbear
> 55597000-55598000 rwxp 00030000 fe:00 1024 /usr/sbin/dropbear
> 77f12000-77f34000 r-xp 00000000 fe:00 288 /lib/libgcc_s.so.1
> 77f34000-77f35000 r-xp 00012000 fe:00 288 /lib/libgcc_s.so.1
> 77f35000-77f36000 rwxp 00013000 fe:00 288 /lib/libgcc_s.so.1
> 77f36000-77fcd000 r-xp 00000000 fe:00 286 /lib/libc.so
> 77fdc000-77fde000 rwxp 00096000 fe:00 286 /lib/libc.so
> 77fde000-77fe0000 rwxp 00000000 00:00 0
> 7fcbc000-7fcdd000 rw-p 00000000 00:00 0 [stack]
> 7fefc000-7fefd000 r-xp 00000000 00:00 0
> 7ff73000-7ff75000 r--p 00000000 00:00 0 [vvar]
> 7ff75000-7ff76000 r-xp 00000000 00:00 0 [vdso]
> root@OpenWrt:/#
> ------------------------------------------------------------------------
>
> All sections are loaded to different addresses the second time, except
> 7fefc000 ;-)

Yousong has a patch that gets rid of that. What happened to it?

> Hauke
>
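The comparison Hauke did by eye on the two maps dumps can be scripted. This is an added example, not code from the thread: it parses two /proc/<pid>/maps snapshots of the same program, pairs regions by pathname, permissions and file offset, and reports the regions whose start address did not change between runs; the sample input is an excerpt of the dropbear dumps quoted above.

```python
# Added example, not code from the openwrt-devel thread: compare two
# /proc/<pid>/maps snapshots of one program and list the regions that
# landed at the same address both times, i.e. were not randomized.
import re
# Sample input: five lines excerpted from each dropbear maps dump quoted
# in the thread (first run PID 1200, second run PID 2299 after restart).
MAPS_RUN1 = """\
5561e000-5564d000 r-xp 00000000 fe:00 1024 /usr/sbin/dropbear
77ead000-77f44000 r-xp 00000000 fe:00 286 /lib/libc.so
7fc95000-7fcb6000 rw-p 00000000 00:00 0 [stack]
7fefc000-7fefd000 r-xp 00000000 00:00 0
7ff72000-7ff73000 r-xp 00000000 00:00 0 [vdso]
"""
MAPS_RUN2 = """\
55557000-55586000 r-xp 00000000 fe:00 1024 /usr/sbin/dropbear
77f36000-77fcd000 r-xp 00000000 fe:00 286 /lib/libc.so
7fcbc000-7fcdd000 rw-p 00000000 00:00 0 [stack]
7fefc000-7fefd000 r-xp 00000000 00:00 0
7ff75000-7ff76000 r-xp 00000000 00:00 0 [vdso]
"""

# One maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$")

def parse_maps(text):
    """Return a list of (start, end, perms, offset, name) tuples."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            raise ValueError("unexpected maps line: %r" % line)
        start, end, perms, offset, _dev, _inode, name = m.groups()
        regions.append((int(start, 16), int(end, 16), perms,
                        int(offset, 16), name or "[anon]"))
    return regions

def unrandomized_regions(run1, run2):
    """Pair regions of the two runs by (name, perms, offset) and return
    (name, start) for those whose start address is identical in both."""
    run2_start = {(r[4], r[2], r[3]): r[0] for r in parse_maps(run2)}
    same = []
    for start, _end, perms, offset, name in parse_maps(run1):
        if run2_start.get((name, perms, offset)) == start:
            same.append((name, start))
    return same

if __name__ == "__main__":
    for name, start in unrandomized_regions(MAPS_RUN1, MAPS_RUN2):
        print("not randomized: %s at %#x" % (name, start))  # [anon] at 0x7fefc000
```

On the excerpt this flags only the anonymous r-xp page at 7fefc000, which is exactly the one Hauke points out; running it against full dumps from a live box works the same way.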
_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
