Closed Bug 741258 Opened 10 years ago Closed 9 years ago

ASAN: unresolved symbols in libnssutil3.dylib

Categories

(Core :: Security, defect)

x86_64
macOS
defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla15

People

(Reporter: posidron, Assigned: decoder)

Details

(Whiteboard: [asan][asan-build-blocker])

Attachments

(1 file)

As discussed in IRC one possible solution would be to add the flag -undefined dynamic_lookup to DSO_LDOPTS in security/coreconf/Darwin.mk

Example:

DSO_LDOPTS = -dynamiclib $(DARWIN_DYLIB_VERSIONS) -install_name @executable_path/$(notdir $@) -headerpad_max_install_names -undefined dynamic_lookup
I reached out to the ASan developers to first ensure that -undefined dynamic_lookup is the right way to do it. Once we are sure about that, I'll take a look where exactly we can add it with best (preferably outside NSS).
According to the ASan developers, we are not supposed to pass -undefined dynamic_lookup ourselves, but instead it's likely that for the linker call here -faddress-sanitizer is not passed (which it should). I'm currently investigating why this flag is dropped at some point in NSS and how to force it.
Attached patch PatchSplinter Review
The proper solution here is to ensure that NSS builds dylibs with -faddress-sanitizer, i.e. that LDFLAGS are correctly passed to NSS dylibs when MOZ_CFLAGS_NSS is set.

I haven't found a good solution to do this without touching NSS itself, but overriding DARWIN_DYLIB_VERSIONS seemed the least intrusive way and it works :)

These changes are only active when building with the --enable-address-sanitizer build option.
Attachment #613682 - Flags: review?(khuey)
Comment on attachment 613682 [details] [diff] [review]
Patch

Review of attachment 613682 [details] [diff] [review]:
-----------------------------------------------------------------

Not a mac person.
Attachment #613682 - Flags: review?(khuey) → review?(ted.mielczarek)
Comment on attachment 613682 [details] [diff] [review]
Patch

Review of attachment 613682 [details] [diff] [review]:
-----------------------------------------------------------------

This feels like the wrong way to fix this. Can you patch NSS instead? I know that's more of a hassle, but I don't like wedging things in where they don't belong.
Attachment #613682 - Flags: review?(ted.mielczarek) → review-
Comment on attachment 613682 [details] [diff] [review]
Patch

In light of the fact that this code is only hit in a non-default configuration, I'll r+ this. However, I want you to file an NSS bug on adding a way to pass this info down in a more correct way, and mention the bug number in a comment here.
Attachment #613682 - Flags: review- → review+
Filed follow-up bug 748423 to discuss and resolve the situation more properly in NSS. I also emailed wtc to ask about the right solution here.
Attachment #613682 - Flags: checkin?(gary)
Target Milestone: --- → mozilla15
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: [asan] → [asan][asan-build-blocker]
You need to log in before you can comment on or make changes to this bug.