[tor-bugs] #12968 [Applications/Tor Browser]: Specify HEASLR (High Entropy Address Space Layout Randomization) in MinGW-w64
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Jun 27 17:38:24 UTC 2018
#12968: Specify HEASLR (High Entropy Address Space Layout Randomization) in MinGW-w64
---------------------------------------------------------------------------
Reporter: mikeperry
Owner: tbb-team
Type: enhancement
Status: needs_revision
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Resolution:
Keywords: tbb-security, tbb-rbm, ff60-esr, TorBrowserTeam201806, boklm201806
Actual Points:
Parent ID: #24631
Points:
Reviewer:
Sponsor:
---------------------------------------------------------------------------
Comment (by sukhbir):
As an update, I have been trying to build and find a solution for this
with boklm's changes above, and it fails with a similar error to the one
boklm had.

As per the `ffmpeg` commit, they apply `--image-base,0x140000000` to get a
higher entropy for HEASLR. Since that is not working for us, how about we
just go with `-Wl,--high-entropy-va` for now till we find a solution?

There are other "solutions", that use `-Wl,--image-base,0x10000000`
instead (and rebase the address later?) and that seems to work, for the
build and for the final EXE as well. However, this comes with its own set
of caveats: https://www.cygwin.com/ml/cygwin-apps/2013-05/msg00134.html is
the thread that talks about this.

For inspecting the binary, as per
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836365, I inspected both
with `-Wl,--image-base,0x10000000` and `-Wl,--high-entropy-va`:
{{{
$ readpe firefox.exe | grep DLL
DLL characteristics: 0x160
}}}
Indicates that HEASLR was applied in both cases, so if anything, we lose
out on the extra entropy?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12968#comment:24>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
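
Added example, not part of the ticket comment or of the Tor Browser build scripts: a small PE header check that decodes the `DLL characteristics` word shown by `readpe` and also reads ImageBase, the field the `--image-base` options set, since the flag word alone does not record it. The function names and the sample header bytes are constructed for illustration.

```python
import struct

# DllCharacteristics bits, from the PE/COFF specification.
FLAGS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT"}

def aslr_report(pe: bytes) -> dict:
    """Decode the ASLR-relevant optional-header fields of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip the signature and the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x20B:    # PE32+ (64-bit): 8-byte ImageBase at offset 24
        (image_base,) = struct.unpack_from("<Q", pe, opt + 24)
    elif magic == 0x10B:  # PE32 (32-bit): 4-byte ImageBase at offset 28
        (image_base,) = struct.unpack_from("<I", pe, opt + 28)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (dll_chars,) = struct.unpack_from("<H", pe, opt + 70)
    return {
        "pe32_plus": magic == 0x20B,
        "image_base": image_base,
        "above_4gib": image_base >= 1 << 32,
        "dll_characteristics": dll_chars,
        "flags": [name for bit, name in sorted(FLAGS.items()) if dll_chars & bit],
    }

def constructed_pe(image_base: int, dll_chars: int) -> bytes:
    """Constructed sample: just enough PE32+ header for aslr_report()."""
    buf = bytearray(0x40 + 4 + 20 + 240)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)   # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 4 + 20
    struct.pack_into("<H", buf, opt, 0x20B)
    struct.pack_into("<Q", buf, opt + 24, image_base)
    struct.pack_into("<H", buf, opt + 70, dll_chars)
    return bytes(buf)

if __name__ == "__main__":
    # The two image bases mentioned in the comment, both with flags 0x160.
    for base in (0x10000000, 0x140000000):
        r = aslr_report(constructed_pe(base, 0x160))
        print(f"{base:#x}: {r['flags']} above_4gib={r['above_4gib']}")
```

To check a real build, pass the file's bytes, for example `aslr_report(open("firefox.exe", "rb").read())`.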