[tor-commits] [tor-browser-build/master] Bug 22194/20683: Integrate Selfrando into alpha Linux builds
boklm at torproject.org
boklm at torproject.org
Wed May 17 22:31:02 UTC 2017
commit 16d87451179ed55fd6422cd09988a99f5ee886b7
Author: Nicolas Vigier <boklm at torproject.org>
Date: Thu May 18 00:10:16 2017 +0200
Bug 22194/20683: Integrate Selfrando into alpha Linux builds
Selfrando is a new defense against code reuse attacks developed by the
Readactor and Readactor++ people. We should give it a wider testing
audience by including it in the alpha series.
This is currently only available for 64bit Linux builds, though.
Supporting other platforms and architectures is work in progress.
tor-browser-bundle.git author: Georg Koppen <gk at torproject.org>
tor-browser-bundle.git commit: 332c5b6c16f1b0915f537a4ad5af48295f80c733
tor-browser-bundle.git commit: 8fe0e322b950efa2456502428bee66dde8b4948a
tor-browser-bundle.git commit: 3e752843dfa39beec844822c9f6c3dd1f80355ea
---
keyring/elfutils.gpg | Bin 0 -> 10483 bytes
keyring/selfrando.gpg | Bin 0 -> 2759 bytes
projects/binutils/binutils-224-gold.patch | 98 +++++++++++++++++++++
projects/binutils/build | 6 ++
projects/binutils/config | 2 +
projects/elfutils/build | 23 +++++
projects/elfutils/config | 22 +++++
projects/firefox/build | 9 ++
projects/firefox/config | 4 +
projects/selfrando/build | 25 ++++++
projects/selfrando/config | 23 +++++
.../tor-browser/RelativeLink/start-tor-browser | 1 +
12 files changed, 213 insertions(+)
diff --git a/keyring/elfutils.gpg b/keyring/elfutils.gpg
new file mode 100644
index 0000000..f1cd4b3
Binary files /dev/null and b/keyring/elfutils.gpg differ
diff --git a/keyring/selfrando.gpg b/keyring/selfrando.gpg
new file mode 100644
index 0000000..276955d
Binary files /dev/null and b/keyring/selfrando.gpg differ
diff --git a/projects/binutils/binutils-224-gold.patch b/projects/binutils/binutils-224-gold.patch
new file mode 100644
index 0000000..a45e49c
--- /dev/null
+++ b/projects/binutils/binutils-224-gold.patch
@@ -0,0 +1,98 @@
+From f984741df04cd68bb116073fdfa9405808810ab4 Mon Sep 17 00:00:00 2001
+From: Cary Coutant <ccoutant at google.com>
+Date: Wed, 5 Feb 2014 22:59:02 -0800
+Subject: [PATCH] Fix issues with gold undefined symbol diagnostics.
+
+PR binutils/15435 complains that gold issues a visibility error for an
+weak undefined symbol with hidden visibility. The message should be
+suppressed if the symbol is a weak undef.
+
+An earlier patch to add an extra note about key functions when a class's
+vtable symbol is undefined missed a case where the reference to the
+vtable came from a shared library. This patch moves the check to a
+lower-level routine that catches both cases.
+
+gold/
+
+2014-02-05 Cary Coutant <ccoutant at google.com>
+
+ * errors.cc (Errors::undefined_symbol): Move undef vtable symbol
+ check to here.
+ * target-reloc.h (is_strong_undefined): New function.
+ (relocate_section): Move undef vtable symbol check from here.
+ Check for is_strong_undefined.
+
+diff --git a/gold/ChangeLog b/gold/ChangeLog
+index dcf7ed41f8..dd7ef72980 100644
+--- a/gold/ChangeLog
++++ b/gold/ChangeLog
+@@ -1,3 +1,14 @@
++2014-02-05 Cary Coutant <ccoutant at google.com>
++
++ Fix issues with gold undefined symbol diagnostics.
++
++ PR binutils/15435
++ * errors.cc (Errors::undefined_symbol): Move undef vtable symbol
++ check to here.
++ * target-reloc.h (is_strong_undefined): New function.
++ (relocate_section): Move undef vtable symbol check from here.
++ Check for is_strong_undefined.
++
+ 2013-11-22 Cary Coutant <ccoutant at google.com>
+
+ * testsuite/Makefile.am (exception_x86_64_bnd_test): Use in-tree
+diff --git a/gold/errors.cc b/gold/errors.cc
+index b79764bd1d..98db0fdd86 100644
+--- a/gold/errors.cc
++++ b/gold/errors.cc
+@@ -193,6 +193,11 @@ Errors::undefined_symbol(const Symbol* sym, const std::string& location)
+ fprintf(stderr,
+ _("%s: %s: undefined reference to '%s', version '%s'\n"),
+ location.c_str(), zmsg, sym->demangled_name().c_str(), version);
++
++ if (sym->is_cxx_vtable())
++ gold_info(_("%s: the vtable symbol may be undefined because "
++ "the class is missing its key function"),
++ program_name);
+ }
+
+ // Issue a debugging message.
+diff --git a/gold/target-reloc.h b/gold/target-reloc.h
+index b544c78f37..d609bcbaa8 100644
+--- a/gold/target-reloc.h
++++ b/gold/target-reloc.h
+@@ -144,6 +144,12 @@ class Default_comdat_behavior
+ }
+ };
+
++inline bool
++is_strong_undefined(const Symbol* sym)
++{
++ return sym->is_undefined() && sym->binding() != elfcpp::STB_WEAK;
++}
++
+ // Give an error for a symbol with non-default visibility which is not
+ // defined locally.
+
+@@ -411,16 +417,10 @@ relocate_section(
+ }
+
+ if (issue_undefined_symbol_error(sym))
+- {
+- gold_undefined_symbol_at_location(sym, relinfo, i, offset);
+- if (sym->is_cxx_vtable())
+- gold_info(_("%s: the vtable symbol may be undefined because "
+- "the class is missing its key function"),
+- program_name);
+- }
++ gold_undefined_symbol_at_location(sym, relinfo, i, offset);
+ else if (sym != NULL
+ && sym->visibility() != elfcpp::STV_DEFAULT
+- && (sym->is_undefined() || sym->is_from_dynobj()))
++ && (is_strong_undefined(sym) || sym->is_from_dynobj()))
+ visibility_error(sym);
+
+ if (sym != NULL && sym->has_warning())
+--
+2.11.0
+
diff --git a/projects/binutils/build b/projects/binutils/build
index bd949a5..baef68f 100644
--- a/projects/binutils/build
+++ b/projects/binutils/build
@@ -26,6 +26,12 @@ cd [% project %]-[% c("version") %]
# Zeroing timestamps in PE headers reliably, see bug 12753.
patch -p1 < ../peXXigen.patch
[% END -%]
+[% IF c("var/linux-x86_64") -%]
+ # We need to work around a gold linker bug in 2.24 to get selfrando working,
+ # see bug 20683.
+ # XXX: 64bits only for now :(, see #20683.
+ patch -p1 < $rootdir/binutils-224-gold.patch
+[% END -%]
./configure --prefix=$distdir [% c('var/configure_opt') %]
make -j4
make install
diff --git a/projects/binutils/config b/projects/binutils/config
index 0cb2088..88640f8 100644
--- a/projects/binutils/config
+++ b/projects/binutils/config
@@ -21,3 +21,5 @@ input_files:
enable: '[% c("var/windows") %]'
- filename: peXXigen.patch
enable: '[% c("var/windows") %]'
+ - filename: binutils-224-gold.patch
+ enable: '[% c("var/linux-x86_64") %]'
diff --git a/projects/elfutils/build b/projects/elfutils/build
new file mode 100644
index 0000000..8fdd013
--- /dev/null
+++ b/projects/elfutils/build
@@ -0,0 +1,23 @@
+#!/bin/bash
+[% c("var/set_default_env") -%]
+distdir=/var/tmp/dist/[% project %]
+[% pc(c('var/compiler'), 'var/setup', { compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')) }) %]
+
+mkdir -p /var/tmp/dist
+
+tar -C /var/tmp/dist -xf $rootdir/[% c('input_files_by_name/binutils') %]
+export PATH="/var/tmp/dist/binutils/bin:$PATH"
+
+mkdir -p /var/tmp/build
+tar -C /var/tmp/build -xf $rootdir/[% c('input_files_by_name/elfutils') %]
+
+cd /var/tmp/build/[% project %]-[% c("version") %]
+./configure --prefix="$distdir"
+make -j4
+make install
+
+cd /var/tmp/dist
+[% c('tar', {
+ tar_src => [ project ],
+ tar_args => '-czf ' _ dest_dir _ '/' _ c('filename'),
+ }) %]
diff --git a/projects/elfutils/config b/projects/elfutils/config
new file mode 100644
index 0000000..2c21cf2
--- /dev/null
+++ b/projects/elfutils/config
@@ -0,0 +1,22 @@
+# vim: filetype=yaml sw=2
+version: '0.166'
+filename: 'elfutils-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
+tag_gpg_id: 1
+
+var:
+ container:
+ use_container: 1
+ arch_deps:
+ - zlib1g-dev
+
+input_files:
+ - project: container-image
+ - name: elfutils
+ URL: 'https://sourceware.org/elfutils/ftp/[% c("version") %]/elfutils-[% c("version") %].tar.bz2'
+ file_gpg_id: 1
+ gpg_keyring: elfutils.gpg
+ sig_ext: sig
+ - name: '[% c("var/compiler") %]'
+ project: '[% c("var/compiler") %]'
+ - project: binutils
+ name: binutils
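Review bot: `tag_gpg_id: 1` near the top of this config looks like a leftover, since the project declares no `git_url` or `git_hash` and its only source is the tarball under `input_files`. The verification that protects the build is the `file_gpg_id: 1` / `gpg_keyring: elfutils.gpg` / `sig_ext: sig` triple on the `elfutils` input. Keeping an unused tag option can make a reader believe a second signature check is taking place. I would drop the `tag_gpg_id: 1` line, or add a comment such as `# source is the signed tarball below; no git tag is involved`.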
diff --git a/projects/firefox/build b/projects/firefox/build
index f445454..afb11bb 100644
--- a/projects/firefox/build
+++ b/projects/firefox/build
@@ -27,6 +27,15 @@ mkdir -p /var/tmp/build
export PATH="/var/tmp/dist/binutils/bin:$PATH"
[% END -%]
+[% IF c("var/linux-x86_64") -%]
+ # XXX: 64bits only for now :(, see #20683.
+ tar -C /var/tmp/dist -xf $rootdir/[% c('input_files_by_name/selfrando') %]
+ # Selfrando wrapper
+ export PATH="/var/tmp/dist/selfrando/Tools/TorBrowser/tc-wrapper/:$PATH"
+ # We need to avoid the shuffling while building as this breaks compilation
+ export SELFRANDO_skip_shuffle=
+[% END -%]
+
tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.gz
[% IF c("var/osx") %]
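Review bot: Nothing in this hunk makes the build fail if the selfrando wrapper is not the tool that gets invoked, so a PATH ordering change or a toolchain that resolves its linker another way would ship an unhardened binary without any signal. The block only prepends `/var/tmp/dist/selfrando/Tools/TorBrowser/tc-wrapper/` to PATH and exports `SELFRANDO_skip_shuffle`. The rest of the script is outside the hunk, so a later check may already exist. If it does not, I would record the gap next to the export with `# TODO: fail the build if the linked firefox objects were not processed by the selfrando wrapper` and add a post-link assertion where the binaries are packaged.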
diff --git a/projects/firefox/config b/projects/firefox/config
index 9c807ad..1cd986f 100644
--- a/projects/firefox/config
+++ b/projects/firefox/config
@@ -71,6 +71,10 @@ input_files:
- project: binutils
name: binutils
enable: '[% c("var/linux") %]'
+ - project: selfrando
+ name: selfrando
+ # XXX: 64bits only for now :(, see #20683.
+ enable: '[% c("var/linux-x86_64") %]'
- filename: fix-info-plist.py
enable: '[% c("var/osx") %]'
- URL: https://people.torproject.org/~mikeperry/mirrors/sources/msvcr100.dll
diff --git a/projects/selfrando/build b/projects/selfrando/build
new file mode 100644
index 0000000..8bbd63e
--- /dev/null
+++ b/projects/selfrando/build
@@ -0,0 +1,25 @@
+#!/bin/bash
+[% c("var/set_default_env") -%]
+distdir=/var/tmp/dist/[% project %]
+[% pc(c('var/compiler'), 'var/setup', { compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')) }) %]
+
+mkdir -p /var/tmp/dist
+
+tar -C /var/tmp/dist -xf $rootdir/[% c('input_files_by_name/elfutils') %]
+tar -C /var/tmp/dist -xf $rootdir/[% c('input_files_by_name/binutils') %]
+export PATH="/var/tmp/dist/binutils/bin:$PATH"
+
+tar -C /var/tmp/dist -xf $rootdir/[% project %]-[% c("version") %].tar.gz
+
+cd /var/tmp/dist
+mv [% project %]-[% c("version") %] [% project %]
+cd [% project %]
+scons -Q arch=x86_64 LIBELF_PATH="/var/tmp/dist/elfutils" FORCE_INPLACE=1 DEBUG_LEVEL=env WRITE_LAYOUTS=env LOG=console
+# Fix the path where we install selfrando
+sed -i 's|^SR_PATH=.*|SR_PATH=/var/tmp/dist/selfrando/out/x86_64/bin|' Tools/TorBrowser/tc-wrapper/ld
+
+cd /var/tmp/dist
+[% c('tar', {
+ tar_src => [ project ],
+ tar_args => '-czf ' _ dest_dir _ '/' _ c('filename'),
+ }) %]
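Review bot: The `sed -i` that rewrites `SR_PATH` in `Tools/TorBrowser/tc-wrapper/ld` exits successfully even when no line matches `^SR_PATH=`, so an upstream change to the wrapper would leave it pointing at the wrong directory and the tarball would still be produced. A check right after it closes that gap: `grep -q '^SR_PATH=/var/tmp/dist/selfrando/out/x86_64/bin$' Tools/TorBrowser/tc-wrapper/ld || exit 1`. The `scons` line would also benefit from a comment on `DEBUG_LEVEL=env WRITE_LAYOUTS=env`, which presumably leave those behaviours selectable through the environment at run time. That choice affects what the shipped binary will honour and is worth stating explicitly.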
diff --git a/projects/selfrando/config b/projects/selfrando/config
new file mode 100644
index 0000000..8b73080
--- /dev/null
+++ b/projects/selfrando/config
@@ -0,0 +1,23 @@
+# vim: filetype=yaml sw=2
+filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
+version: 0.2
+git_hash: 'tb-v[% c("version") %]'
+git_url: https://github.com/immunant/selfrando.git
+gpg_keyring: selfrando.gpg
+tag_gpg_id: 1
+
+var:
+ container:
+ use_container: 1
+ arch_deps:
+ - scons
+ - zlib1g-dev
+
+input_files:
+ - project: container-image
+ - name: binutils
+ project: binutils
+ - name: elfutils
+ project: elfutils
+ - name: '[% c("var/compiler") %]'
+ project: '[% c("var/compiler") %]'
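Review bot: `version: 0.2` is unquoted, so a YAML loader reads it as a number, whereas `projects/elfutils/config` in the same commit quotes its version (`'0.166'`). Here the value feeds `git_hash: 'tb-v[% c("version") %]'`, which is the tag whose signature is checked through `tag_gpg_id` and `selfrando.gpg`. A later release such as 0.10 would therefore collapse to 0.1 and select a different tag. Writing `version: '0.2'` keeps the tag name exact.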
diff --git a/projects/tor-browser/RelativeLink/start-tor-browser b/projects/tor-browser/RelativeLink/start-tor-browser
index a78b367..2dd40fc 100755
--- a/projects/tor-browser/RelativeLink/start-tor-browser
+++ b/projects/tor-browser/RelativeLink/start-tor-browser
@@ -270,6 +270,7 @@ fi
LD_LIBRARY_PATH="${HOME}/TorBrowser/Tor/"
export LD_LIBRARY_PATH
+export SELFRANDO_write_layout_file=
function setControlPortPasswd() {
local ctrlPasswd=$1
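Review bot: The added `export SELFRANDO_write_layout_file=` has no comment, and the hunk does not show whether defining the variable with an empty value turns layout-file output on or off in the selfrando runtime. That distinction matters because a layout file would describe the randomized code layout the defence relies on keeping unknown, and the selfrando build in this commit uses `WRITE_LAYOUTS=env`. I would add a line above it such as `# Selfrando runtime option (built with WRITE_LAYOUTS=env), see #20683`, extended with the intended effect once confirmed. The export only applies to launches that go through this script, whose body continues outside the hunk.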