[OpenWrt-Devel] [PATCH 0/6] buildsystem: Activate PIE ASLR for some packages
Hauke Mehrtens
hauke at hauke-m.de
Wed Jan 8 18:10:07 EST 2020
On 1/8/20 7:24 AM, Petr Štetiar wrote:
> Hauke Mehrtens <hauke at hauke-m.de> [2020-01-07 23:21:19]:
>
> Hi,
>
> thanks for your work.
>
>>> Hauke Mehrtens (6):
>>> buildsystem: Make PIE ASLR option tristate
>>> dnsmasq: Activate PIE by default
>>> dropbear: Activate PIE by default
>>> hostapd: Activate PIE by default
>>> uhttpd: Activate PIE by default
>>> lantiq: Allow PKG_ASLR_PIE for DSL and voice drivers
>
> just wondering, if there is any particular reason for leaving odhcp6c and
> odhcpd out as these are network exposed services and running in default
> install.
I just didn't think about them. We could just add an extra patch to
activate it for them too.
> Thinking about it now, we should probably consider ubus, procd, rpcd and
> cgi-io (perhaps missed something) which might possibly process malicious
> inputs as well.
Then we have more or less everything. ;-)
> BTW I'm wondering how does this work with the shared libraries, like musl
> libc, openssl, libubox? Don't they need PKG_ASLR_PIE_REGULAR enabled as well
> in order to get `TARGET_LDFLAGS += $(FPIC)
> -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs` ?
Shared libraries are always linked position independent and then the
kernel is already loading them to random address offsets.
>> I would like to apply these patches to master?
>
> I don't know if you've something newer in your tree, just looked at your aslr
> branch in your staging tree:
You can find the newest version here:
https://git.openwrt.org/?p=openwrt/staging/hauke.git;a=shortlog;h=refs/heads/aslr
> + default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
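Review bot: the `!SDK` term at the end of this `default PKG_ASLR_PIE_NONE if (...)` condition has no explanation in the visible line. A Kconfig comment or help text stating why SDK builds are excluded from the PIE-off default on SMALL_FLASH / LOW_MEMORY_FOOTPRINT targets would keep the intent from being lost.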
>
> Nice, that you've enabled this for !SMALL_FLASH devices. BTW what is the
> reason for !SDK? That way binary/library.
When something is built in the SDK I always want to use
PKG_ASLR_PIE_REGULAR by default. In our build infrastructure we build
packages common to multiple targets in the SDK and there I always want
to use PKG_ASLR_PIE_REGULAR as default option to activate ASLR when the
same package is used on a tiny and a normal target. I hope it will work
like this. I want to prevent that some tiny target is used to build the
additional packages and then this gets accidentally deactivated.
>> Are there any objections to this? I already activated LTO to reduce the
>> size for all these components and the lantiq patch is already applied.
>
> I don't have any objections, I welcome this additional hardening. Which branch
> can I use for runtime testing? I plan to test it and give you my Acked-by.
The disadvantage is that the size increases, otherwise I would activate
it for all binaries.
This is one example for dropbear:
------------------------------------------------------------------------
root@OpenWrt:/# cat /proc/1200/maps
5561e000-5564d000 r-xp 00000000 fe:00 1024 /usr/sbin/dropbear
5565d000-5565e000 r-xp 0002f000 fe:00 1024 /usr/sbin/dropbear
5565e000-5565f000 rwxp 00030000 fe:00 1024 /usr/sbin/dropbear
77e89000-77eab000 r-xp 00000000 fe:00 288 /lib/libgcc_s.so.1
77eab000-77eac000 r-xp 00012000 fe:00 288 /lib/libgcc_s.so.1
77eac000-77ead000 rwxp 00013000 fe:00 288 /lib/libgcc_s.so.1
77ead000-77f44000 r-xp 00000000 fe:00 286 /lib/libc.so
77f53000-77f55000 rwxp 00096000 fe:00 286 /lib/libc.so
77f55000-77f57000 rwxp 00000000 00:00 0
7fc95000-7fcb6000 rw-p 00000000 00:00 0 [stack]
7fefc000-7fefd000 r-xp 00000000 00:00 0
7ff70000-7ff72000 r--p 00000000 00:00 0 [vvar]
7ff72000-7ff73000 r-xp 00000000 00:00 0 [vdso]
root@OpenWrt:/# /etc/init.d/dropbear restart
root@OpenWrt:/# ps |grep dropbear
2299 root 1108 S /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p
2315 root 1212 S grep dropbear
root@OpenWrt:/# cat /proc/2299/maps
55557000-55586000 r-xp 00000000 fe:00 1024 /usr/sbin/dropbear
55596000-55597000 r-xp 0002f000 fe:00 1024 /usr/sbin/dropbear
55597000-55598000 rwxp 00030000 fe:00 1024 /usr/sbin/dropbear
77f12000-77f34000 r-xp 00000000 fe:00 288 /lib/libgcc_s.so.1
77f34000-77f35000 r-xp 00012000 fe:00 288 /lib/libgcc_s.so.1
77f35000-77f36000 rwxp 00013000 fe:00 288 /lib/libgcc_s.so.1
77f36000-77fcd000 r-xp 00000000 fe:00 286 /lib/libc.so
77fdc000-77fde000 rwxp 00096000 fe:00 286 /lib/libc.so
77fde000-77fe0000 rwxp 00000000 00:00 0
7fcbc000-7fcdd000 rw-p 00000000 00:00 0 [stack]
7fefc000-7fefd000 r-xp 00000000 00:00 0
7ff73000-7ff75000 r--p 00000000 00:00 0 [vvar]
7ff75000-7ff76000 r-xp 00000000 00:00 0 [vdso]
root@OpenWrt:/#
------------------------------------------------------------------------
All sections are loaded to different addresses the second time, except
7fefc000 ;-)
Hauke
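
An added example (not part of the original message and not OpenWrt code): a POSIX shell helper that pairs the mappings of two /proc/<pid>/maps snapshots and flags any whose start address did not change across a restart, run here on an excerpt of the dropbear dumps above. The function names maps_diff and fixed_mappings are illustrative, and paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example: pair up the mappings of two /proc/<pid>/maps snapshots
# (before and after a restart) and report whether each start address moved.

# maps_diff BEFORE AFTER -> lines of "<moved|FIXED> <name> <perms> <old> <new>"
maps_diff() {
    awk '
    FNR == 1 { nfile++ }                      # count input files
    NF >= 5 {
        split($1, range, "-")                 # range[1] = start address
        name = (NF >= 6) ? $6 : "[anon]"      # unnamed regions have 5 fields
        k = name " " $2 " " $3                # path + perms + file offset
        n = ++seen[nfile, k]                  # pair repeated regions in order
        k = k " #" n
        if (nfile == 1) { before[k] = range[1]; next }
        if (k in before) {
            state = (before[k] == range[1]) ? "FIXED" : "moved"
            print state, name, $2, before[k], range[1]
        }
    }' "$1" "$2"
}

# fixed_mappings BEFORE AFTER -> only the mappings that did not move
fixed_mappings() { maps_diff "$1" "$2" | awk '$1 == "FIXED"'; }

# Sample input: an excerpt of the two dropbear dumps quoted in the message.
sample_before() { cat <<'EOF'
5561e000-5564d000 r-xp 00000000 fe:00 1024 /usr/sbin/dropbear
77ead000-77f44000 r-xp 00000000 fe:00 286 /lib/libc.so
7fc95000-7fcb6000 rw-p 00000000 00:00 0 [stack]
7fefc000-7fefd000 r-xp 00000000 00:00 0
7ff72000-7ff73000 r-xp 00000000 00:00 0 [vdso]
EOF
}
sample_after() { cat <<'EOF'
55557000-55586000 r-xp 00000000 fe:00 1024 /usr/sbin/dropbear
77f36000-77fcd000 r-xp 00000000 fe:00 286 /lib/libc.so
7fcbc000-7fcdd000 rw-p 00000000 00:00 0 [stack]
7fefc000-7fefd000 r-xp 00000000 00:00 0
7ff75000-7ff76000 r-xp 00000000 00:00 0 [vdso]
EOF
}

tmp=$(mktemp -d)
sample_before > "$tmp/before"; sample_after > "$tmp/after"
maps_diff "$tmp/before" "$tmp/after"
rm -rf "$tmp"
```

On a device, save /proc/<pid>/maps to a file before and after restarting the service and pass both files to maps_diff; a FIXED line for the main executable means it was not built as PIE.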