[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #23024 [Applications/Tor Browser]: Flags to increase hardening on Windows



#23024: Flags to increase hardening on Windows
--------------------------------------+--------------------------------
 Reporter:  arthuredelstein           |          Owner:  tbb-team
     Type:  defect                    |         Status:  needs_revision
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  TorBrowserTeam201707      |  Actual Points:
Parent ID:  #21448                    |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------------
Changes (by gk):

 * keywords:  TorBrowserTeam201707R => TorBrowserTeam201707
 * cc: boklm (added)
 * status:  needs_review => needs_revision


Comment:

 I tested `-fstack-protector-strong` on top of the latest `tor-browser-
 bundle` commit. And the compilation worked as expected. Is that a `tor-
 browser-build` issue? Or maybe the GCC version bump (tor 5.4.0) resolved
 this problem?

 Regarding fortify source: Have you checked whether the `_chk` part is
 actually there after compiling with `-D_FORTIFY_SOURCE=2`? Because it does
 not seem to be the case. Doing a
 {{{
 i686-w64-mingw32-nm -C firefox.exe | grep strcpy
 }}}
 after compiling with the flags in your patch does only give ma a
 {{{
 0041b3f4 I _imp__strcpy
 00413320 T strcpy
 }}}
 (Note: In order to check it the way I did you need to compile the browser
 part with `--disable-strip` and `--disable-install-strip`)

 Assuming I am not mistaken then the likely root cause of this problem is a
 GCC bug which the RedHat people are tracking in
 https://bugzilla.redhat.com/show_bug.cgi?id=1324759.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23024#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs