Stack smashing protection (ssp, ProPolice)

RESOLVED DUPLICATE of bug 620058

Status

enhancement
15 years ago
9 months ago

People

(Reporter: ahziem1, Unassigned)

Tracking

(Blocks 1 bug)

Trunk

Firefox Tracking Flags

(Not tracked)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041111 Firefox/1.0
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041111 Firefox/1.0

History has shown that buffer overflows in web clients are dangerous; however, it is
possible to mitigate this risk using stack smashing protection.

I suggest making Firefox (and any libraries) compatible with this SSP, so that
Firefox compiles and runs properly.  Then I suggest Firefox downloads are
compiled with SSP enabled.

Reproducible: Didn't try
Steps to Reproduce:
I could not find any information that shows that SSP is enabled or works for
Firefox.

According to other peoples' experiences, Firefox does not work with stack
protection: 
     http://archives.neohapsis.com/archives/linux/debian/2004-q3/0146.html
Actual Results:  
It appears SSP does not work with Firefox.

Expected Results:  
Firefox download should have SSP by default.

IBM: GCC extension for protecting applications from stack-smashing attacks
http://www.trl.ibm.com/projects/security/ssp/
Status: UNCONFIRMED → NEW
Component: General → Build Config
Ever confirmed: true
This would be a Mozilla-wide issue, would it not?
Earlier versions of Mozilla, Firefox, and Thunderbird had problems with
ProPolice on certain OpenBSD platforms.  However, OpenBSD now enables ProPolice
for the current versions of all these packages.  It's possible that it works on
Debian now too.
I managed to build Firefox with ProPolice on Mandrake.
Firefox seems to run fine, though it was not tested very hard.

Did it this way:
patched gcc/g++ with the ProPolice patch and installed them in ~/local/bin;
set CC=~/local/bin/gcc (and likewise for g++) and built Firefox.
The only problem was a hardcoded "gcc" somewhere in crypto, but it was overcome
by doing the compile with the local gcc.
Then all that was needed was adding a gcc shared library to LD_LIBRARY_PATH.

Even easier would be: ln -s ~/local/bin/gcc /usr/bin/gcc && the same for g++, and
then distributing the libgcc*.so in dist/bin.

The risk of breaking something is very low IMHO.

Why not distribute some ProPolice nightlies and see if users cry?
The patched gcc was configured with --enable-stack-protector, so there is no need for CFLAGS.
The last time we tried to play with gcc libraries we ran afoul of licensing;
that may or may not have changed (it might have been related to problems w/ 296,
which were fixed later).
Assignee: firefox → bryner
According to
http://gcc.gnu.org/gcc-4.1/changes.html

GCC can now emit code for protecting applications from stack-smashing attacks. The protection is realized by buffer overflow detection and reordering of stack variables to avoid pointer corruption.

When building with shared libraries, a gcc library seems to be needed.
Regarding Comment #6, previous versions of GCC could do the same with a patch (mentioned in comment #1), but the trick, from what I understand, is making sure that the application runs correctly with the modification.  Since Fedora Core 5 includes both GCC 4.1 (with the stack smashing feature enabled) and Firefox, it will be a good test.  However, it would still be good for Mozilla to distribute official binaries (for Windows, Linux, etc.) with the stack smashing protection.
I have successfully built Mozilla with the ProPolice patch and it worked with (almost) no performance penalty.

Now mainstream gcc supports some stack protection.

Probably
export CFLAGS=-fstack-protector
make build
should be enough
IIRC Hardened Gentoo, OpenBSD and Adamantix "build world" with the ProPolice patch (not quite sure about Adamantix).
QA Contact: general → build.config
Assignee: bryner → nobody
Version: unspecified → Trunk
Building with gcc 4.1 and
CFLAGS="-fstack-protector -static-libgcc"
CXXFLAGS="-fstack-protector -static-libgcc"
(not sure if -static-libgcc is needed) works - the archive works on another distro.

Probably making this on winblows is just a matter of compiler/linker switches.

What is the problem with not distributing such builds?
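The flags discussed in this bug (-fstack-protector, -fstack-protector-strong, MSVC's /GS) all install the same mechanism: a guard value placed between the local char arrays and the rest of the frame, checked in the function epilogue, with arrays reordered so a linear overflow hits the guard first. As an added illustration (not code from this bug, from the ProPolice patch, or from Mozilla's tree), the following C models that mechanism by hand so the detection can be observed without a crash. The guard value, the struct layout and the copy_with_guard helper are assumptions of the demo; a real build uses a random per-process guard and aborts via __stack_chk_fail.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed guard value so the demo is reproducible (assumption for illustration).
 * A real -fstack-protector build uses a random per-process guard (glibc keeps
 * it in TLS), so an attacker cannot simply write the expected value back. */
#define DEMO_GUARD UINT64_C(0x5a5a1234c0ffee00)

/* Model of a protected frame: the char array sits immediately below the
 * guard, so a linear overflow must trample the guard before it can reach
 * anything past it (other locals, saved frame pointer, return address).
 * ProPolice's variable reordering arranges real frames this way. */
struct guarded_frame {
    char     buf[16];
    uint64_t guard;
};

/* Copy n bytes into the 16-byte buffer without a bounds check (the bug being
 * mitigated), then perform the epilogue check the compiler would emit.
 * Returns 0 if the guard is intact, 1 if a smash was detected, -1 if n is
 * larger than the whole frame (the demo refuses to write outside the struct
 * so that it stays defined behaviour). */
int copy_with_guard(const char *src, size_t n)
{
    struct guarded_frame f;

    if (n > sizeof f)
        return -1;

    f.guard = DEMO_GUARD;                 /* prologue: plant the canary */

    /* Unchecked copy through a byte pointer to the frame: bytes 0..15 land
     * in buf, anything beyond overwrites the guard. */
    memcpy((unsigned char *)&f, src, n);

    if (f.guard != DEMO_GUARD)            /* epilogue: verify the canary */
        return 1;                         /* real code: __stack_chk_fail() aborts */
    return 0;
}

int main(void)
{
    /* Constructed inputs: one that fits and one 24-byte run that overflows. */
    static const char ok[]    = "hello";
    static const char smash[] = "AAAAAAAAAAAAAAAAAAAAAAAA";

    printf("short copy (expect 0): %d\n", copy_with_guard(ok, sizeof ok - 1));
    printf("overflow   (expect 1): %d\n", copy_with_guard(smash, sizeof smash - 1));
    return 0;
}
```

Two practical caveats when turning this on for a tree like Firefox: gcc 4.1's -fstack-protector only instruments functions that have a char array of at least 8 bytes (the ssp-buffer-size parameter), so many functions stay unprotected; -fstack-protector-all instruments every function at a higher cost, and -fstack-protector-strong (GCC 4.9 and later) is the usual middle ground, also covering arrays of other types and locals whose address is taken. To confirm a finished binary or shared object actually carries the check, look for a reference to __stack_chk_fail in its dynamic symbols (for example with nm -D or readelf --dyn-syms); an object with no such reference was not instrumented, whatever CFLAGS were intended.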

chofmann, can something be done for this bug?

It is a matter of compiler flags and the ROI is good, though not perfect.
pav & vlad,  any thoughts?
gcc can do this now, it's true. And perhaps as or more significantly, so can modern MSVC releases (/GS and whatnot); they have been able to for a while. I believe they've spent quite some effort tuning it to be cheap, even.
We do use /GS on Windows, see bug 222471.
Warms my heart to hear, thanks :)
> gcc can do this now

FYI, vanilla gcc has been able to do this for at least several years, and even longer with a patch.
Looks like this can be used on all platforms …
OS: Linux → All
Hardware: x86 → All
Per comment 14 we already have this on Windows.
Yeah, that leaves Linux + OS X.
Bug 620058 added |--enable-hardening| which sets |-fstack-protector-strong|, so I believe this can be closed.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 620058
Component: Build Config → General
Product: Firefox → Firefox Build System