Closed Bug 1520308 Opened 1 year ago Closed 1 year ago

mingw-clang builds do not have ASLR

Categories

(Firefox Build System :: General: Unsupported Platforms, enhancement, P5)

Tracking

(firefox-esr60 fixed, firefox66 fixed)

RESOLVED FIXED
mozilla66

People

(Reporter: tjr, Assigned: tjr)

References

(Blocks 1 open bug)

Details

(Whiteboard: [tor])

Attachments

(2 files)

mingw requires ASLR to be specified manually.

There seem to be two potential issues with this:

  1. A problem I don't really know/understand that prevents it being enabled by default
  2. An issue with relocations being stripped (as described here): https://insights.sei.cmu.edu/cert/2018/08/when-aslr-is-not-really-aslr---the-case-of-incorrect-assumptions-and-bad-defaults.html

We don't seem to be affected by (2) - I confirmed with Process Explorer that both the x86 and x64 opt builds[0] have ASLR on all modules and spot-checked several with winchecksec which checks for relocations.

I don't think we're affected by (1) either... the problem IIRC is with gcc/binutils and lld merely mirrors the default there.

[0] https://treeherder.mozilla.org/#/jobs?repo=try&revision=18c6aa91dd32be03d9f3f071ab63dcee4283b7b4 for reference
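The check described in the comment above (the ASLR flag plus relocations that have not been stripped), as an added example that is not part of this bug, the patch, or winchecksec: a Python parser that reads the PE headers and reports `DYNAMIC_BASE` alongside whether a base relocation table survives. The names `aslr_status` and `sample_pe` are hypothetical, and the sample headers are constructed.

```python
import struct
import sys

RELOCS_STRIPPED = 0x0001  # IMAGE_FILE_RELOCS_STRIPPED (COFF Characteristics)
HIGH_ENTROPY_VA = 0x0020  # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
DYNAMIC_BASE = 0x0040     # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

def aslr_status(image: bytes) -> dict:
    """Report the ASLR flag and whether the image can still be relocated."""
    if image[:2] != b"MZ" or len(image) < 0x40:
        raise ValueError("not a PE image")
    (pe,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, characteristics = struct.unpack_from("<HH", image, pe + 20)
    opt = pe + 24  # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    dirs = opt + (96 if magic == 0x10B else 112)  # data directory array
    (count,) = struct.unpack_from("<I", image, dirs - 4)
    rva = size = 0
    if count > 5:  # entry 5 is the base relocation table
        rva, size = struct.unpack_from("<II", image, dirs + 5 * 8)
    relocs = not (characteristics & RELOCS_STRIPPED) and rva != 0 and size != 0
    flagged = bool(dll_chars & DYNAMIC_BASE)
    # The flag alone is not enough: without relocations the loader cannot rebase.
    return {"dynamic_base": flagged,
            "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
            "relocations": relocs,
            "effective_aslr": flagged and relocs}

def sample_pe(dll_chars: int, characteristics: int, reloc_size: int) -> bytes:
    """Constructed PE32+ headers (no sections) used only as demo input."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x80 + 20, 240, characteristics)
    opt = 0x80 + 24
    struct.pack_into("<H", img, opt, 0x20B)
    struct.pack_into("<H", img, opt + 70, dll_chars)
    struct.pack_into("<I", img, opt + 108, 16)  # NumberOfRvaAndSizes
    rva = 0x3000 if reloc_size else 0
    struct.pack_into("<II", img, opt + 112 + 5 * 8, rva, reloc_size)
    return bytes(img)

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. the .exe and .dll files of a build
        with open(path, "rb") as f:
            print(path, aslr_status(f.read()))
```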

Is there a reason that this needs to go under hardening flags, as opposed to just some general location?

(In reply to David Major [:dmajor] from comment #2)

> Is there a reason that this needs to go under hardening flags, as opposed to just some general location?

No; it just seemed the most appropriate place. (I figured the fewer things that go in old-configure.in the better; and wasn't sure of a better place in a foo.configure.py)

I'm on the fence so I'll leave it in the queue and see if anyone else has a strong opinion.

Attachment #9036712 - Flags: review?(core-build-config-reviews) → review+

Pushed by nbeleuzu@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/326b73629e37
Enable ASLR for mingw-clang builds. r=froydnj

Keywords: checkin-needed
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66

[ESR Uplift Approval Request]

If this is not a sec:{high,crit} bug, please state case for ESR consideration: Needed by Tor; brings central and esr60 in sync

User impact if declined: Tor will need to carry another patch

Fix Landed on Version: 66.0a1 / 20190119095933

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): mingw-clang build change only

((Note that this can wait until 60.6 just like Bug 1520310))

Attachment #9038261 - Flags: approval-mozilla-esr60?
Comment on attachment 9038261
Bug 1520308 - Enable ASLR for mingw-clang builds. r=froydnj (esr60)

aslr for mingwclang, approved for 60.5esr build2.
Attachment #9038261 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+
Priority: -- → P5