[tor-commits] [tor-browser-bundle/master] Attempt to use MinGW hardening for Windows

mikeperry at torproject.org mikeperry at torproject.org
Wed Jun 19 18:25:14 UTC 2013


commit 509e91fb187b4e42672e677a0ec65afbb4b87f68
Author: Mike Perry <mikeperry-git at torproject.org>
Date:   Wed Jun 19 11:17:13 2013 -0700

    Attempt to use MinGW hardening for Windows
    
    Too bad it causes everything to insta-crash :/.
---
 gitian/build-helpers/i686-w64-mingw32-g++     |    4 ++++
 gitian/build-helpers/i686-w64-mingw32-gcc     |    4 ++++
 gitian/build-helpers/i686-w64-mingw32-ld      |    9 +++++++++
 gitian/descriptors/windows/gitian-firefox.yml |   27 +++++++++++++++----------
 gitian/descriptors/windows/gitian-tor.yml     |    3 +++
 5 files changed, 36 insertions(+), 11 deletions(-)

diff --git a/gitian/build-helpers/i686-w64-mingw32-g++ b/gitian/build-helpers/i686-w64-mingw32-g++
new file mode 100755
index 0000000..e3c13fd
--- /dev/null
+++ b/gitian/build-helpers/i686-w64-mingw32-g++
@@ -0,0 +1,4 @@
+#!/bin/sh
+# Hardened mingw gcc wrapper
+
+/usr/bin/i686-w64-mingw32-g++ -Wl,--dynamicbase -Wl,--nxcompat -fstack-protector-all -pie -fPIE --param ssp-buffer-size=4 -fno-strict-overflow "$@"
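Review bot: Unlike the ld wrapper later in this commit, this script (and the identical gcc wrapper in the next hunk) calls `/usr/bin/i686-w64-mingw32-g++` unconditionally, so if it were ever copied over the system binary the way the descriptor's commented-out steps do for ld, it would invoke itself until the process limit is hit; a guard before the call such as `[ "$0" -ef /usr/bin/i686-w64-mingw32-g++ ] && { echo "wrapper installed over the real compiler" >&2; exit 1; }` turns that into a loud failure, and `exec /usr/bin/i686-w64-mingw32-g++ …` avoids leaving the wrapper shell around. `-pie` is a link-time request that the PE backend of this binutils may ignore or reject (worth confirming), whereas `-Wl,--dynamicbase` is what actually marks the image as ASLR-capable here. The header comment also reads `# Hardened mingw gcc wrapper` in the g++ script; `# Hardened mingw g++ wrapper` would match the file.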
diff --git a/gitian/build-helpers/i686-w64-mingw32-gcc b/gitian/build-helpers/i686-w64-mingw32-gcc
new file mode 100755
index 0000000..830e11b
--- /dev/null
+++ b/gitian/build-helpers/i686-w64-mingw32-gcc
@@ -0,0 +1,4 @@
+#!/bin/sh
+# Hardened mingw gcc wrapper
+
+/usr/bin/i686-w64-mingw32-gcc -Wl,--dynamicbase -Wl,--nxcompat -fstack-protector-all -pie -fPIE --param ssp-buffer-size=4 -fno-strict-overflow "$@"
diff --git a/gitian/build-helpers/i686-w64-mingw32-ld b/gitian/build-helpers/i686-w64-mingw32-ld
new file mode 100755
index 0000000..e085bdd
--- /dev/null
+++ b/gitian/build-helpers/i686-w64-mingw32-ld
@@ -0,0 +1,9 @@
+#!/bin/sh
+# Hardened mingw gcc wrapper
+
+if [ -x /usr/bin/i686-w64-mingw32-ld.orig ];
+then
+  /usr/bin/i686-w64-mingw32-ld.orig --dynamicbase --nxcompat -lssp -L/usr/lib/gcc/i686-w64-mingw32/4.6/ "$@"
+else
+  /usr/bin/i686-w64-mingw32-ld --dynamicbase --nxcompat -lssp -L/usr/lib/gcc/i686-w64-mingw32/4.6/ "$@"
+fi
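Review bot: `-lssp` is placed before `"$@"` on both ld invocations, so it precedes every object file on the link line; with archive semantics nothing from libssp is pulled in because no undefined references exist yet when the archive is scanned, which may be why the stack-protector runtime is not behaving as expected. Moving it after the caller's arguments, `… -L/usr/lib/gcc/i686-w64-mingw32/4.6/ "$@" -lssp`, on both lines gives the intended order (gcc's own `-fstack-protector` link spec may already add it, in which case the explicit one is redundant). The `/usr/lib/gcc/i686-w64-mingw32/4.6/` path hard-codes the compiler version of the build VM; a comment stating that assumption would help whoever bumps the image. The `else` branch also calls `/usr/bin/i686-w64-mingw32-ld` directly, so if this script is installed at that path without the `.orig` rename it recurses on itself; a `$0 -ef` check like the one suggested for the gcc wrapper would make that explicit.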
diff --git a/gitian/descriptors/windows/gitian-firefox.yml b/gitian/descriptors/windows/gitian-firefox.yml
index cbf3976..a881440 100644
--- a/gitian/descriptors/windows/gitian-firefox.yml
+++ b/gitian/descriptors/windows/gitian-firefox.yml
@@ -10,9 +10,9 @@ packages:
 - "zip"
 - "autoconf"
 - "autoconf2.13"
-- "mingw-w64"
 - "faketime"
 - "yasm"
+- "mingw-w64"
 - "g++-mingw-w64-i686"
 - "mingw-w64-tools"
 reference_datetime: "2000-01-01 00:00:00"
@@ -25,6 +25,9 @@ files:
 - "torbrowser.version"
 - "re-dzip.sh"
 - "dzip.sh"
+- "i686-w64-mingw32-gcc"
+- "i686-w64-mingw32-g++"
+- "i686-w64-mingw32-ld"
 script: |
   INSTDIR="$HOME/install/FirefoxPortable/"
   export LD_PRELOAD=/usr/lib/faketime/libfaketime.so.1
@@ -39,7 +42,7 @@ script: |
   # If we ever find out that the 12.04 mingw is buggy/insufficient:
   #sudo bash -c 'echo "deb http://archive.ubuntu.com/ubuntu raring main restricted universe multiverse" >> /etc/apt/sources.list'
   #sudo apt-get update
-  #sudo apt-get install g++-mingw-w64-i686 mingw-w64-tools mingw-w64
+  #sudo apt-get install -y g++-mingw-w64-i686 mingw-w64-tools mingw-w64
   #
   # Build the latest MinGW-w64 headers and CRT
   # FIXME: We need sudo for all of this because otherwise
@@ -83,18 +86,20 @@ script: |
   make -f client.mk configure
   find -type f | xargs touch --date="$REFERENCE_DATETIME"
   #
-  # The build sometimes randomly fails (faketime issues?) Just restart it until success
+  # FIXME: MinGW doens't like being built with hardening, and Firefox doesn't
+  # like being configured with it
+  # XXX: These changes cause the exes to crash on launch.
+  #mkdir -p ~/build/bin/
+  #cp ~/build/i686* ~/build/bin/
+  #export PATH=~/build/bin:$PATH
+  # XXX: the path to ld is hardcoded in mingw.. This forces gcc's linking to
+  # use our flags:
+  #sudo mv /usr/bin/i686-w64-mingw32-ld /usr/bin/i686-w64-mingw32-ld.orig
+  #sudo cp ~/build/bin/i686-w64-mingw32-ld /usr/bin/
+  #
   make $MAKEOPTS -f client.mk build
-  while [ $? -ne 0 ];
-  do
-    make $MAKEOPTS -f client.mk build
-  done
   #
   make -C obj-* package INNER_MAKE_PACKAGE=true
-  while [ $? -ne 0 ];
-  do
-    make -C obj-* package INNER_MAKE_PACKAGE=true
-  done
   cp -a obj-*/dist/firefox/* $INSTDIR/App/Firefox/
   cp -a /usr/lib/gcc/i686-w64-mingw32/4.6/libgcc_s_sjlj-1.dll $INSTDIR/App/Firefox/
   cp -a /usr/lib/gcc/i686-w64-mingw32/4.6/libssp*.dll $INSTDIR/App/Firefox/
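Review bot: With the retry loops gone, `make $MAKEOPTS -f client.mk build` and `make -C obj-* package INNER_MAKE_PACKAGE=true` have no failure handling at all; unless gitian runs this script under `set -e` (not visible here), a failed build falls through to the `cp -a obj-*/dist/firefox/*` lines and packages whatever is on disk. `make $MAKEOPTS -f client.mk build || exit 1` on each of the two invocations makes the behaviour explicit either way. The new comment block is a useful record of what was tried, but `doens't` should read `doesn't`, and a one-line note on why the wrappers still get shipped in `files:` while every step that uses them is commented out would save the next reader a search.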
diff --git a/gitian/descriptors/windows/gitian-tor.yml b/gitian/descriptors/windows/gitian-tor.yml
index 4d7e36f..5fb0ef5 100644
--- a/gitian/descriptors/windows/gitian-tor.yml
+++ b/gitian/descriptors/windows/gitian-tor.yml
@@ -32,6 +32,9 @@ script: |
   export TZ=UTC
   export CFLAGS="-mwindows"
   export LDFLAGS="-mwindows"
+  # XXX: Hardening options cause the exe's to crash.. not sure why
+  #export CFLAGS="-mwindows -fstack-protector-all -fPIE -Wstack-protector --param ssp-buffer-size=4 -fno-strict-overflow -Wno-missing-field-initializers -Wformat-security"
+  #export LDFLAGS="-mwindows -Wl,--dynamicbase -Wl,--nxcompat -lssp -L/usr/lib/gcc/i686-w64-mingw32/4.6/"
   umask 0022
   # 
   mkdir -p $INSTDIR/bin/
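Review bot: The commented-out `LDFLAGS` puts `-lssp` in `LDFLAGS`, which an autoconf-generated link line expands before the object files, so the library would be scanned before any reference to it exists and contribute nothing; when this is re-enabled, `-lssp` belongs in `LIBS` (`export LIBS="-lssp"`) with only the `-L` and `-Wl,…` options left in `LDFLAGS`. The same hard-coded `/usr/lib/gcc/i686-w64-mingw32/4.6/` path appears here as in the ld wrapper, so a bump of the build image's compiler silently breaks both. In the new comment, `exe's` would read better as `exes`.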