Hi Stephen,
On 2021-06-30 21:18, Stephen Kitt wrote:
> On Wed, 30 Jun 2021 19:37:18 +0200, Tim Kosse
>> ~$ x86_64-w64-mingw32-objdump -p /usr/lib/gcc/x86_64-w64-mingw32/8.3-win32/libgcc_s_seh-1.dll | grep DllCharacteristics
>> DllCharacteristics 00000160
> Not quite: the DLLs were built with those flags set, but they weren’t built
> with support for the features — as a result, in many cases the protection
> features were unusable and even misleading. See
> https://www.kb.cert.org/vuls/id/307144/ and the links therein for details.
Doesn't this issue only affect executables with a missing relocation
table? As such it would only apply to .exe files, as .dlls normally have
relocation tables. In any case, this is completely unrelated to NX.
>> IMAGE_DLLCHARACTERISTICS_NX_COMPAT,
>> IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE and
>> IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
>> These libraries should be built with both mitigations enabled.
> I agree, at least those options which make sense for DLLs, but it’s still not
> straightforward.
The solution seems to be there already in the binutils-mingw-w64 package
of Bullseye, simply replacing disable-flags.patch with
default-secure-pe-flags.patch suffices.
With the rebuilt binutils, .exe files by default include relocations and
ASLR works well[*]. You originally disabled the patch in light of this
vulnerability, even though the .exe files linked with it are not
affected by it.
This behavior is different in Buster's binutils-mingw-w64 though, there
the relocations are missing in .exe files.
[*] The icing on top would be a >4GB default image base for some extra
entropy, as explained in
https://msrc-blog.microsoft.com/2013/12/11/software-defense-mitigating-common-exploitation-techniques/
> Ideally, support for this should come from upstream (GCC and
> MinGW-w64), not just the Debian packages.
According to https://sourceware.org/bugzilla/show_bug.cgi?id=19011#c14
this is being worked on upstream. At least the toolchain currently
distributed through msys2 uses ASLR/NX by default for all .exe and .dll
files built with it.
Regards,
Tim
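An added check, not part of this thread or of the Debian packaging, that reads the DllCharacteristics flags discussed above straight from a PE header and, following the caveat about missing relocation tables, reports DYNAMIC_BASE as effective only when a relocation table is actually present; it also reports whether a 64-bit image has the >4GB image base mentioned in the footnote. Header offsets follow the PE/COFF specification, and make_pe builds a constructed minimal PE32+ header so the check can be exercised offline.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h; 0x160 = NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA
HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT = 0x0020, 0x0040, 0x0100
IMAGE_FILE_RELOCS_STRIPPED, IMAGE_FILE_DLL = 0x0001, 0x2000      # IMAGE_FILE_* characteristics
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5

def inspect_pe(data: bytes) -> dict:
    """Decode the mitigation flags of a PE image and check whether ASLR can actually take effect."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    file_chars = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                   # PE32+ (64-bit)
        image_base, dirs = struct.unpack_from("<Q", data, opt + 24)[0], opt + 112
    elif magic == 0x10B:                                 # PE32 (32-bit)
        image_base, dirs = struct.unpack_from("<I", data, opt + 28)[0], opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    reloc_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)[1]
    # The loader can only rebase an image that still carries a relocation table.
    has_relocs = reloc_size > 0 and not (file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    aslr_flag = bool(dll_chars & DYNAMIC_BASE)
    return {
        "is_dll": bool(file_chars & IMAGE_FILE_DLL),
        "dll_characteristics": dll_chars,
        "nx": bool(dll_chars & NX_COMPAT),
        "aslr_flag": aslr_flag,
        "has_relocs": has_relocs,
        "aslr_effective": aslr_flag and has_relocs,      # flag set without relocs is the misleading case
        "high_entropy_flag": bool(dll_chars & HIGH_ENTROPY_VA),
        "image_base_above_4gb": magic == 0x20B and image_base >= 1 << 32,
    }

def make_pe(dll_chars: int, reloc_size: int, image_base: int, is_dll: bool = False) -> bytes:
    """Constructed minimal PE32+ header (no sections), only to exercise inspect_pe offline."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_chars = 0x0022 | (IMAGE_FILE_DLL if is_dll else 0)      # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, file_chars)
    opt = bytearray(240)                                         # 112-byte fixed part + 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, 0x3000 if reloc_size else 0, reloc_size)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

To check a real file such as the libgcc_s_seh-1.dll from the objdump command above, call inspect_pe(open(path, "rb").read()) and compare "dll_characteristics" with the 0x160 objdump printed.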