Opened 5 years ago

Last modified 18 months ago

#325 accepted Bug / Defect

Windows: Lacking ASLR and DEP support

Reported by: Ghamela Owned by: Samuli Seppänen
Priority: major Milestone: release 2.4
Component: Building / Compiling Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: windows volunteer
Cc: steffan@…

Description

All exe's and dll's from OpenVPN Windows client 2.3.2 64 bit lack ASLR and DEP support, I haven't checked other versions.

Change History (14)

comment:1 Changed 5 years ago by Ghamela

Update: In addition to the files in Program Files\OpenVPN, neither do the files including the TAP driver in Program Files\TAP-Windows

comment:2 Changed 5 years ago by Samuli Seppänen

Component: Generic / unclassifiedBuilding / Compiling
Milestone: release 2.4
Owner: set to Samuli Seppänen
Status: newassigned
Version: 2.3.2git master branch

There is no ASLR/DEP support in the Windows binaries yet. It seems that mingw_w64 does have the support, so adding it should be fairly straightforward. I will look into this before the 2.4 release (which is still some months away).

comment:3 Changed 4 years ago by David Sommerseth

Keywords: windows added
Summary: Lacking ASLR and DEP supportWindows: Lacking ASLR and DEP support

comment:4 Changed 4 years ago by Samuli Seppänen

It seems that this ticket should be split into two, one for aslr and one for dep.

Anecdotal evidence suggests that the aslr support in mingw_w64 is a bit buggy, but this has not been verified. As for dep there is a strong chance that openvpn will require some modifications to work with it enabled.

comment:6 Changed 3 years ago by Samuli Seppänen

Keywords: volunteer added

My plate is full enough even without this task. If somebody knows mingw_w64 / cross-compiling well, we could definitely use some help with creating a proof of concept.

comment:7 Changed 3 years ago by Samuli Seppänen

Owner: Samuli Seppänen deleted

comment:8 Changed 3 years ago by Samuli Seppänen

Owner: set to Samuli Seppänen
Status: assignedaccepted

Steffan knew the incantations for enabling ASLR/DEP:

Just for reference: those are supported by mingw/gcc too:
-fstack-protector for canaries, -Wl,--nxcompat for DEP,
-Wl,--dynamicbase for ASLR.

I will try these and see what happens.

comment:9 Changed 23 months ago by Samuli Seppänen

Cc: steffan@… added

Where should the flags be added exactly? By aping this pull request I tried modifying generic/build in openvpn-build:

 if [ -n "${BUILD_FOR_WINDOWS}" ]; then
    CONFIGOPTS=" \
        ${CONFIGOPTS} \ 
        --sbindir=/bin \
    "
    export LDFLAGS="$LDFLAGS -Wl,--dynamicbase -Wl,--nxcompat"
    export PKG_CONFIG="true"
fi

This did change did not seem to have the desired effect. Is this basically the correct approach? Or should the linker flags be added to OpenVPN's Makefile?

comment:10 Changed 23 months ago by Steffan Karger

I have CFLAGS="${CFLAGS} -Wl,--dynamicbase,--nxcompat" in my build wrappers. That seems to work.

Last edited 23 months ago by Steffan Karger (previous) (diff)

comment:11 Changed 23 months ago by Samuli Seppänen

I'll test that, thanks!

comment:12 Changed 18 months ago by Samuli Seppänen

And finally here is a test installer with ASLR/DEP support. It was a trivial change:

--- a/generic/build.vars
+++ b/generic/build.vars
@@ -41,4 +41,6 @@ EXTRA_OPENSSL_CONFIG="${EXTRA_OPENSSL_CONFIG:--static-libgcc}" # uncomment if op
 #EXTRA_PKCS11_HELPER_CONFIG
 #EXTRA_OPENVPN_CONFIG

+EXTRA_TARGET_CFLAGS="-Wl,--dynamicbase,--nxcompat"
+

comment:13 Changed 18 months ago by Samuli Seppänen

According to PEStudio all the executables and libraries bundled in the above installer have ASLR and DEP enabled. The official 2.4.0-I601 installer lack those features, so the build flags actually seem to work.

Note: See TracTickets for help on using tickets.