[OpenWrt-Devel] [PATCH 0/6] buildsystem: Activate PIE ASLR for some packages

Rosen Penev rosenp at gmail.com
Wed Jan 8 19:49:17 EST 2020


> On Jan 8, 2020, at 3:10 PM, Hauke Mehrtens <hauke at hauke-m.de> wrote:
> 
> On 1/8/20 7:24 AM, Petr Štetiar wrote:
>> Hauke Mehrtens <hauke at hauke-m.de> [2020-01-07 23:21:19]:
>> 
>> Hi,
>> 
>> thanks for your work.
>> 
>>>> Hauke Mehrtens (6):
>>>>  buildsystem: Make PIE ASLR option tristate
>>>>  dnsmasq: Activate PIE by default
>>>>  dropbear: Activate PIE by default
>>>>  hostapd: Activate PIE by default
>>>>  uhttpd: Activate PIE by default
>>>>  lantiq: Allow PKG_ASLR_PIE for DSL and voice drivers
>> 
>> just wondering, if there is any particular reason for leaving odhcp6c and
>> odhcpd out as this are network exposed services and running in default
>> install.
> 
> I just didn't think about them. We could just add an extra patch to
> activate it for them too.
> 
>> Thinking about it now, we should probably consider ubus, procd, rpcd and
>> cgi-io (perhaps missed something) which might possibly process malicious
>> inputs as well.
> 
> Then we have more or less everything. ;-)
> 
>> BTW I'm wondering how does this work with the shared libraries, like musl
>> libc, openssl, libubox? Don't they need PKG_ASLR_PIE_REGULAR enabled as well
>> in order to get `TARGET_LDFLAGS += $(FPIC)
>> -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs` ?
> 
> Shared libraries are always linked position independent and then the
> kernel is already loading them to random address offsets.
> 
>>> I would like to apply these patches to master?
>> 
>> I don't know if you've something newer in your tree, just looked at your aslr
>> branch in your staging tree:
> 
> You can find the newest version here:
> https://git.openwrt.org/?p=openwrt/staging/hauke.git;a=shortlog;h=refs/heads/aslr
> 
>> + default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
>> 
>> Nice, that you've enabled this for !SMALL_FLASH devices. BTW what is the
>> reason for !SDK? That way binary/library.
> 
> When something is built in the SDK I always want to use
> PKG_ASLR_PIE_REGULAR by default. In our build infrastructure we build
> packages common to multiple targets in the SDK and there I always want
> to use PKG_ASLR_PIE_REGULAR as default option to activate ASLR when the
> same package is used on a tiny and a normal target. I hope it will work
> like this. I want to prevent that some tiny target is used to build the
> additional packages and then this gets accidentally deactivated.
> 
>>> Are there any objections to this? I already activated LTO to reduce the
>>> size for all these components and the lantiq patch is already applied.
>> 
>> I don't have any objections, I welcome this additional hardening. Which branch
>> can I use for runtime testing? I plan to test it and give you my Acked-by.
> 
> The disadvantage is that the size increases, otherwise I would activate
> it for all binaries.
> 
> This is one example for dropbear:
> ------------------------------------------------------------------------
> root at OpenWrt:/# cat /proc/1200/maps
> 5561e000-5564d000 r-xp 00000000 fe:00 1024       /usr/sbin/dropbear
> 5565d000-5565e000 r-xp 0002f000 fe:00 1024       /usr/sbin/dropbear
> 5565e000-5565f000 rwxp 00030000 fe:00 1024       /usr/sbin/dropbear
> 77e89000-77eab000 r-xp 00000000 fe:00 288        /lib/libgcc_s.so.1
> 77eab000-77eac000 r-xp 00012000 fe:00 288        /lib/libgcc_s.so.1
> 77eac000-77ead000 rwxp 00013000 fe:00 288        /lib/libgcc_s.so.1
> 77ead000-77f44000 r-xp 00000000 fe:00 286        /lib/libc.so
> 77f53000-77f55000 rwxp 00096000 fe:00 286        /lib/libc.so
> 77f55000-77f57000 rwxp 00000000 00:00 0
> 7fc95000-7fcb6000 rw-p 00000000 00:00 0          [stack]
> 7fefc000-7fefd000 r-xp 00000000 00:00 0
> 7ff70000-7ff72000 r--p 00000000 00:00 0          [vvar]
> 7ff72000-7ff73000 r-xp 00000000 00:00 0          [vdso]
> root at OpenWrt:/# /etc/init.d/dropbear restart
> root at OpenWrt:/# ps |grep dropbear
> 2299 root      1108 S    /usr/sbin/dropbear -F -P
> /var/run/dropbear.1.pid -p
> 2315 root      1212 S    grep dropbear
> root at OpenWrt:/# cat /proc/2299/maps
> 55557000-55586000 r-xp 00000000 fe:00 1024       /usr/sbin/dropbear
> 55596000-55597000 r-xp 0002f000 fe:00 1024       /usr/sbin/dropbear
> 55597000-55598000 rwxp 00030000 fe:00 1024       /usr/sbin/dropbear
> 77f12000-77f34000 r-xp 00000000 fe:00 288        /lib/libgcc_s.so.1
> 77f34000-77f35000 r-xp 00012000 fe:00 288        /lib/libgcc_s.so.1
> 77f35000-77f36000 rwxp 00013000 fe:00 288        /lib/libgcc_s.so.1
> 77f36000-77fcd000 r-xp 00000000 fe:00 286        /lib/libc.so
> 77fdc000-77fde000 rwxp 00096000 fe:00 286        /lib/libc.so
> 77fde000-77fe0000 rwxp 00000000 00:00 0
> 7fcbc000-7fcdd000 rw-p 00000000 00:00 0          [stack]
> 7fefc000-7fefd000 r-xp 00000000 00:00 0
> 7ff73000-7ff75000 r--p 00000000 00:00 0          [vvar]
> 7ff75000-7ff76000 r-xp 00000000 00:00 0          [vdso]
> root at OpenWrt:/#
> ------------------------------------------------------------------------
> 
> All sections are loaded to different addresses the second time, except
> 7fefc000 ;-)
Yousong has a patch that gets rid of that. What happened to it?
> 
> Hauke
> 

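The maps comparison Hauke pasted, done programmatically, as an added example that is not part of the thread or of OpenWrt: a small Python parser for /proc/<pid>/maps captures that reports which mappings stayed at the same address between two runs, plus a check of the ELF e_type (ET_DYN) that tells a PIE binary from a classic executable before you even run it. The sample captures are constructed from a subset of the quoted dropbear output; MAPS_RE, parse_maps and unmoved_mappings are names chosen here.

```python
"""Checks for PIE + ASLR on a target: is the ELF linked as ET_DYN (PIE), and
did its mappings actually move between two runs, as compared by hand above?"""
import re
import struct

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$")
ET_DYN = 3  # ELF e_type shared by shared libraries and PIE executables

def elf_is_pie(header):
    """True if these ELF header bytes describe an ET_DYN object; a classic
    ET_EXEC binary cannot be relocated, so its text always lands at one address."""
    if len(header) < 18 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF header")
    endian = "<" if header[5] == 1 else ">"  # EI_DATA: 1 little, 2 big (MIPS BE)
    (e_type,) = struct.unpack_from(endian + "H", header, 16)
    return e_type == ET_DYN

def parse_maps(text):
    """Parse a maps capture into (label, file_offset, perms, start_address)."""
    out = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            start, _end, perms, off, path = m.groups()
            out.append((path.strip() or "[anon]", int(off, 16), perms, int(start, 16)))
    return out

def unmoved_mappings(maps_before, maps_after):
    """[(label, address)] for mappings at the same address in both captures;
    with PIE + ASLR the binary, its libraries and the stack must not be listed."""
    def index(entries):
        idx, seen = {}, {}
        for label, off, perms, start in entries:
            n = seen.get((label, off, perms), 0)  # disambiguate repeated anon maps
            seen[(label, off, perms)] = n + 1
            idx[(label, off, perms, n)] = start
        return idx
    a, b = index(parse_maps(maps_before)), index(parse_maps(maps_after))
    return sorted((k[0], a[k]) for k in a if k in b and a[k] == b[k])

# Constructed sample: a subset of the two dropbear captures quoted in the thread.
BEFORE = """5561e000-5564d000 r-xp 00000000 fe:00 1024       /usr/sbin/dropbear
77ead000-77f44000 r-xp 00000000 fe:00 286        /lib/libc.so
7fefc000-7fefd000 r-xp 00000000 00:00 0"""
AFTER = """55557000-55586000 r-xp 00000000 fe:00 1024       /usr/sbin/dropbear
77f36000-77fcd000 r-xp 00000000 fe:00 286        /lib/libc.so
7fefc000-7fefd000 r-xp 00000000 00:00 0"""
```

On the quoted data only the anonymous r-xp page at 7fefc000 is reported as unmoved, which is exactly the exception Hauke points out; the ELF check needs only the first 64 bytes of the file read from the device (for example `elf_is_pie(open(path, "rb").read(64))`).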
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel