Closed (moved)
Opened Jun 19, 2017 by teor@teor

Guard against stack smashing attacks in tor with additional compiler options.

If we build tor with -fstack-check (GCC only; it's a no-op in clang[0]), it will protect against stack smashing attacks that jump the stack guard page(s):

Recompile all userland code (ld.so, libraries, binaries) with GCC's
  "-fstack-check" option, which prevents the stack-pointer from moving
  into another memory region without accessing the stack guard-page (it
  writes one word to every 4KB page allocated on the stack).

(From section III, "Solutions", of https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt)

"-fstack-check: Generate code to verify that you do not go beyond the boundary of the stack. You should specify this flag if you are running in an environment with multiple threads, but only rarely need to specify it in a single-threaded environment since stack overflow is automatically detected on nearly all systems if there is only one stack. Note that this switch does not actually cause checking to be done; the operating system must do that. The switch causes generation of code to ensure that the operating system sees the stack being extended." (http://gcc.gnu.org/onlinedocs/gcc-4.3.6/gcc/Code-Gen-Options.html#Code-Gen-Options)

This protects against:

- a local-root exploit against ld.so and most SUID-root binaries
  (CVE-2017-1000366, CVE-2017-1000379) on amd64 Debian, Ubuntu, Fedora,
  CentOS;

There are remote attack possibilities mentioned in the paper as well.

We might also want to add:

-Wl,-z,noexecstack and -Wl,-z,noexecheap

https://www.owasp.org/index.php/C-Based_Toolchain_Hardening#GCC.2FBinutils

[0]: for clang, we could use -fsanitize=safe-stack instead, but that's more intrusive: https://blog.quarkslab.com/clang-hardening-cheat-sheet.html
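As an added example (not part of this ticket or of tor's build), the check below verifies what `-Wl,-z,noexecstack` is supposed to produce: it parses the ELF program headers and reports whether the `PT_GNU_STACK` segment is marked executable (or missing, which the Linux loader historically treats as an executable stack). The `make_elf64` helper builds a constructed, non-loadable ELF64 image purely so the parser can be exercised offline; on a real build you would pass the path of the `tor` binary on the command line.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551           # program-header type emitted for the stack segment
PF_X, PF_W, PF_R = 1, 2, 4          # segment permission bits


def gnu_stack_flags(elf):
    """Return p_flags of the PT_GNU_STACK segment, or None if no such segment exists."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = elf[4], elf[5]
    end = "<" if ei_data == 1 else ">"   # ELFDATA2LSB vs ELFDATA2MSB
    if ei_class == 2:                    # ELF64: e_phoff at 32, e_phentsize/e_phnum at 54
        (e_phoff,) = struct.unpack_from(end + "Q", elf, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 54)
        ph_fmt, flags_idx = end + "IIQQQQQQ", 1   # type, flags, offset, vaddr, ...
    elif ei_class == 1:                  # ELF32: e_phoff at 28, e_phentsize/e_phnum at 42
        (e_phoff,) = struct.unpack_from(end + "I", elf, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 42)
        ph_fmt, flags_idx = end + "IIIIIIII", 6   # type, offset, ..., flags, align
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    for i in range(e_phnum):
        fields = struct.unpack_from(ph_fmt, elf, e_phoff + i * e_phentsize)
        if fields[0] == PT_GNU_STACK:
            return fields[flags_idx]
    return None


def stack_is_executable(elf):
    """True if the loader would map the stack executable (PF_X set, or segment absent)."""
    flags = gnu_stack_flags(elf)
    return flags is None or bool(flags & PF_X)


def make_elf64(stack_flags):
    """Constructed minimal ELF64 image (header + one PT_GNU_STACK entry); not runnable code."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)          # 64-bit, little-endian, v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               2, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10)
    return ehdr + phdr


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        image = f.read()
    print("executable stack" if stack_is_executable(image) else "non-executable stack")
```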

Reference: legacy/trac#22660