Opened 11 years ago

Closed 4 years ago

Last modified 4 years ago

#325 closed Bug / Defect (fixed)

Windows: Lacking ASLR and DEP support

Reported by: Ghamela Owned by: Samuli Seppänen
Priority: major Milestone: release 2.4
Component: Building / Compiling Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: windows volunteer
Cc: steffan@…

Description

All exe's and dll's from OpenVPN Windows client 2.3.2 64 bit lack ASLR and DEP support, I haven't checked other versions.

Change History (16)

comment:1 Changed 11 years ago by Ghamela

Update: In addition to the files in Program Files\OpenVPN, neither do the files including the TAP driver in Program Files\TAP-Windows

comment:2 Changed 11 years ago by Samuli Seppänen

Component: Generic / unclassifiedBuilding / Compiling
Milestone: release 2.4
Owner: set to Samuli Seppänen
Status: newassigned
Version: 2.3.2git master branch

There is no ASLR/DEP support in the Windows binaries yet. It seems that mingw_w64 does have the support, so adding it should be fairly straightforward. I will look into this before the 2.4 release (which is still some months away).

comment:3 Changed 10 years ago by David Sommerseth

Keywords: windows added
Summary: Lacking ASLR and DEP supportWindows: Lacking ASLR and DEP support

comment:4 Changed 10 years ago by Samuli Seppänen

It seems that this ticket should be split into two, one for aslr and one for dep.

Anecdotal evidence suggests that the aslr support in mingw_w64 is a bit buggy, but this has not been verified. As for dep there is a strong chance that openvpn will require some modifications to work with it enabled.

comment:6 Changed 10 years ago by Samuli Seppänen

Keywords: volunteer added

My plate is full enough even without this task. If somebody knows mingw_w64 / cross-compiling well, we could definitely use some help with creating a proof of concept.

comment:7 Changed 10 years ago by Samuli Seppänen

Owner: Samuli Seppänen deleted

comment:8 Changed 9 years ago by Samuli Seppänen

Owner: set to Samuli Seppänen
Status: assignedaccepted

Steffan knew the incantations for enabling ASLR/DEP:

Just for reference: those are supported by mingw/gcc too:
-fstack-protector for canaries, -Wl,--nxcompat for DEP,
-Wl,--dynamicbase for ASLR.

I will try these and see what happens.

comment:9 Changed 8 years ago by Samuli Seppänen

Cc: steffan@… added

Where should the flags be added exactly? By aping this pull request I tried modifying generic/build in openvpn-build:

 if [ -n "${BUILD_FOR_WINDOWS}" ]; then
    CONFIGOPTS=" \
        ${CONFIGOPTS} \ 
        --sbindir=/bin \
    "
    export LDFLAGS="$LDFLAGS -Wl,--dynamicbase -Wl,--nxcompat"
    export PKG_CONFIG="true"
fi

This did change did not seem to have the desired effect. Is this basically the correct approach? Or should the linker flags be added to OpenVPN's Makefile?

comment:10 Changed 8 years ago by Steffan Karger

I have CFLAGS="${CFLAGS} -Wl,--dynamicbase,--nxcompat" in my build wrappers. That seems to work.

Last edited 8 years ago by Steffan Karger (previous) (diff)

comment:11 Changed 8 years ago by Samuli Seppänen

I'll test that, thanks!

comment:12 Changed 8 years ago by Samuli Seppänen

And finally here is a test installer with ASLR/DEP support. It was a trivial change:

--- a/generic/build.vars
+++ b/generic/build.vars
@@ -41,4 +41,6 @@ EXTRA_OPENSSL_CONFIG="${EXTRA_OPENSSL_CONFIG:--static-libgcc}" # uncomment if op
 #EXTRA_PKCS11_HELPER_CONFIG
 #EXTRA_OPENVPN_CONFIG

+EXTRA_TARGET_CFLAGS="-Wl,--dynamicbase,--nxcompat"
+

comment:13 Changed 8 years ago by Samuli Seppänen

According to PEStudio all the executables and libraries bundled in the above installer have ASLR and DEP enabled. The official 2.4.0-I601 installer lack those features, so the build flags actually seem to work.

comment:15 Changed 4 years ago by Gert Döring

Resolution: fixed
Status: acceptedclosed

Since /79 is merged to openvpn-build, it seems this one can be closed, no?

comment:16 Changed 4 years ago by Samuli Seppänen

I think so, yes, according to the comments.

Note: See TracTickets for help on using tickets.