[tor-bugs] #12427 [Tor bundles/installation]: Investigate Virtual Table Verification (VTV) hardening for Tor Browser on Windows

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jul 31 09:43:29 UTC 2014


#12427: Investigate Virtual Table Verification (VTV) hardening for Tor Browser on
Windows
-------------------------------------+-------------------------------------
     Reporter:  gk                   |      Owner:  erinn
         Type:  task                 |     Status:  new
     Priority:  normal               |  Milestone:
    Component:  Tor                  |    Version:
  bundles/installation               |   Keywords:  tbb-security,
   Resolution:                       |  TorbrowserTeam201407
Actual Points:                       |  Parent ID:
       Points:                       |
-------------------------------------+-------------------------------------

Comment (by gk):

 Okay. I tried to debug the VTV issues with Firefox in order to get enough
 information to file a Mozilla bug. Here is the short story: With the
 invaluable help of Caroline Tice (thanks again!) I managed to get/do the
 following:

 1) Compile a GCC 4.9.0 with the option to debug VTV issues (see:
 https://docs.google.com/document/d/1wN-uygC0hicLe1dyAGCvtn_tJhnwFer0Nsy56b84doY/pub).
 This means using something like:
 {{{
 make -j4 CFLAGS_FOR_TARGET="-g -O0" CXXFLAGS_FOR_TARGET="-g -O0" all
 }}}
 when compiling GCC.
 2) Compile a Firefox with VTV support. That means atm adding
 {{{
 export CXXFLAGS="-fvtable-verify=std -rdynamic -Wl,-z,relro -m64 -Wl,-R,/path/to/your/debug_gcc/lib64"
 }}}
 to the .mozconfig file
 3) Go to /dist/bin in your objdir and start gdb with
 {{{
 gdb firefox
 }}}
 NOTE: The GDB in Ubuntu Precise is buggy and won't help you (which took us
 quite a while to realize). Not sure which version is good, 7.7.1 worked
 for me at least.
 4) Set a breakpoint
 {{{
 (gdb) b __vtv_verify_fail

 Function "__vtv_verify_fail" not defined.

 Make breakpoint pending on future shared library load? (y or [n]) y

 Breakpoint 1 (__vtv_verify_fail) pending.

 (gdb)
 }}}
 5) Run firefox
 {{{
 (gdb) run --help
 }}}
 6) Try to find out what's wrong and you'll get something like
 {{{
 (gdb) up
 #1  0x00007ffff7ff1f2c in __VLTVerifyVtablePointer (
     set_handle_ptr=0x7ffff6bcd6e8 <_VTV<xpcIJSGetFactory>::__vtable_map>,
     vtable_ptr=0x7ffff68d06d0 <vtable for nsXPTCStubBase+16>)
     at ../../../libvtv/vtv_rts.cc:1351
 1351          __vtv_verify_fail ((void **) handle_ptr, vtable_ptr);
 (gdb) x/x vtable_ptr
 0x7ffff68d06d0 <_ZTV14nsXPTCStubBase+16>:       0xf18eca8c
 (gdb) x/x set_handle_ptr
 0x7ffff6bcd6e8 <_ZN4_VTVI16xpcIJSGetFactoryE12__vtable_mapE>:   0x00000000
 }}}
 7) Make a backtrace which should give you something like
 {{{
 #0  0x00007ffff7ff0380 in __vtv_verify_fail(void**, void const*)@plt ()
    from /home/gk/asan/gcc-4.9.0debug/usr/local/lib64/libvtv.so.0
 #1  0x00007ffff7ff1f2c in __VLTVerifyVtablePointer (
     set_handle_ptr=0x7ffff58c2c50 <_VTV<xpcIJSGetFactory>::__vtable_map>,
     vtable_ptr=0x7ffff52fa890 <vtable for nsXPTCStubBase+16>)
     at ../../../libvtv/vtv_rts.cc:1351
 #2  0x00007fffeea019a6 in mozJSComponentLoader::ModuleEntry::GetFactory (
     module=..., entry=...)
     at /home/gk/asan/mozilla-central/js/xpconnect/loader/mozJSComponentLoader.cpp:1440
 #3  0x00007fffee101e4d in nsFactoryEntry::GetFactory (this=0x7fffe5d77340)
     at /home/gk/asan/mozilla-central/xpcom/components/nsComponentManager.cpp:1786
 #4  0x00007fffee100362 in nsComponentManagerImpl::CreateInstanceByContractID (
     this=0x7ffff6e9a360,
     aContractID=0x7fffe2dfe760 "@mozilla.org/browser/webide-clh;1", aDelegate=0x0,
     aIID=..., aResult=0x7fffffffcb20)
     at /home/gk/asan/mozilla-central/xpcom/components/nsComponentManager.cpp:1080
 #5  0x00007fffee100e46 in nsComponentManagerImpl::GetServiceByContractID (
     this=0x7ffff6e9a360,
     aContractID=0x7fffe2dfe760 "@mozilla.org/browser/webide-clh;1", aIID=...,
     result=0x7fffffffcc58)
     at /home/gk/asan/mozilla-central/xpcom/components/nsComponentManager.cpp:1440
 #6  0x00007fffee1438e0 in CallGetService (
     aContractID=0x7fffe2dfe760 "@mozilla.org/browser/webide-clh;1", aIID=...,
     aResult=0x7fffffffcc58)
     at /home/gk/asan/mozilla-central/xpcom/glue/nsComponentManagerUtils.cpp:69
 }}}
 8) Check what vtable and class were verified after exiting gdb and you'll
 get something like
 {{{
 c++filt _ZTV14nsXPTCStubBase
 vtable for nsXPTCStubBase

 c++filt _ZN4_VTVI16xpcIJSGetFactoryE12__vtable_mapE
 _VTV<xpcIJSGetFactory>::__vtable_map
 }}}
 9) Start glaring at mozJSComponentLoader.cpp and friends.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12427#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
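Added example (not part of the ticket, and not libvtv, Firefox or Tor Browser code): a small C++ program that emulates by hand the check the -fvtable-verify instrumentation performs at every virtual call, so that the failing frame above (__VLTVerifyVtablePointer(set_handle_ptr, vtable_ptr) calling __vtv_verify_fail) can be read against a concrete model. The class names, the per-type vtable set and the three scenarios are made up for illustration; the analogues to __vtable_map, __VLTRegisterPair and __VLTVerifyVtablePointer are labelled as analogues in the comments. It assumes the Itanium C++ ABI (GCC and Clang on x86-64), where the vptr is the object's first word and points 16 bytes into the vtable symbol, which is why the gdb output above reads "vtable for nsXPTCStubBase+16". Because the verification is done by hand, it builds with any current g++ or clang++ without -fvtable-verify.

```cpp
// Added example (not libvtv, not Firefox or Tor Browser code): a hand-written
// emulation of the check GCC's -fvtable-verify inserts before every virtual
// call. Class names, the registry and the three scenarios are made up here.
#include <cstdio>
#include <cstring>
#include <unordered_set>

namespace vtv_demo {

// Stand-ins for a real interface and an implementation of it.
struct Base {
    virtual ~Base() {}
    virtual int op() const { return 1; }
};
struct Derived : Base {
    int op() const override { return 2; }
};
// An unrelated polymorphic type: whatever vtable a type-confusion bug (or an
// attacker who overwrote the vptr) can make a Base* point at.
struct Unrelated {
    virtual ~Unrelated() {}
    virtual int spray() const { return 0x41414141; }
};

// Read the vtable pointer stored in the object's first word. Assumes the
// Itanium C++ ABI (GCC/Clang, x86-64): the word points 16 bytes into the
// vtable symbol, past offset-to-top and the RTTI pointer, which is why the
// gdb output in the ticket shows "vtable for nsXPTCStubBase+16".
static const void* read_vptr(const void* obj) {
    const void* vptr;
    std::memcpy(&vptr, obj, sizeof vptr);
    return vptr;
}

// One set per static type, the analogue of _VTV<T>::__vtable_map: the
// vtables that a T* may legitimately carry (T and all its subclasses).
using VtableSet = std::unordered_set<const void*>;

// Analogue of the registration libvtv runs from constructors before main()
// (__VLTRegisterPair): Base's set gets the vtables of Base and Derived.
static VtableSet register_base_hierarchy() {
    VtableSet set;
    Base b;
    Derived d;
    set.insert(read_vptr(&b));
    set.insert(read_vptr(&d));
    return set;
}

// Analogue of __VLTVerifyVtablePointer(set_handle_ptr, vtable_ptr). The real
// runtime calls __vtv_verify_fail (which aborts by default) instead of
// returning false; returning a bool keeps this example runnable.
static bool verify_vtable_pointer(const VtableSet& set, const void* vptr) {
    return set.count(vptr) != 0;
}

// A virtual call site as VTV instruments it: verify the vptr, then dispatch.
// Returns -1 and skips the call when verification fails.
static int checked_op(const VtableSet& set, const Base* p) {
    const void* vptr = read_vptr(p);
    if (!verify_vtable_pointer(set, vptr)) {
        std::fprintf(stderr, "vtable %p is not registered for Base\n", vptr);
        return -1;
    }
    return p->op();
}

// 1) Legitimate use: a Derived reached through Base* passes and dispatches.
static int call_derived_through_base() {
    VtableSet set = register_base_hierarchy();
    Derived d;
    return checked_op(set, &d);
}

// 2) Type confusion (constructed here on purpose): an Unrelated object viewed
// as a Base*. Its vptr is not in Base's set, so the call is refused instead
// of running Unrelated::spray() through Base::op()'s vtable slot.
static int call_type_confused() {
    VtableSet set = register_base_hierarchy();
    Unrelated u;
    const Base* p = reinterpret_cast<const Base*>(&u);
    return checked_op(set, p);
}

// 3) A set that was never populated: every pointer fails, even a valid
// Derived. Shape-wise this is what a __vtable_map that still reads 0 would
// do; whether that is the actual Firefox cause is not established here.
static int call_with_empty_set() {
    VtableSet empty;
    Derived d;
    return checked_op(empty, &d);
}

} // namespace vtv_demo

int main() {
    std::printf("derived through Base*: %d\n", vtv_demo::call_derived_through_base());
    std::printf("type-confused object:  %d\n", vtv_demo::call_type_confused());
    std::printf("unpopulated set:       %d\n", vtv_demo::call_with_empty_set());
    return 0;
}
```

Scenario 1 returns 2, scenarios 2 and 3 return -1 without dispatching. With a GCC that was built with libvtv enabled, the same source compiled with -fvtable-verify=std exercises the real runtime instead of the hand-written set, and scenarios 2 and 3 then end in __vtv_verify_fail rather than a -1. Steps 4 to 8 of the procedure above can be scripted for that case with gdb -batch -ex 'set breakpoint pending on' -ex 'break __vtv_verify_fail' -ex run -ex bt -ex 'frame 1' -ex 'info symbol vtable_ptr' --args ./firefox --help; info symbol prints the vtable name already demangled, so the separate c++filt step is not needed.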

