We have a client whose Infosec team have run a vulnerability scanning tool on our app

Hi <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="

<a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/us

Hey <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url=

<a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/us

ELF built without PIE & Stack Protection about rootbeer HOT 8 CLOSED

scottyab commented on August 22, 2024 2

ELF built without PIE & Stack Protection

from rootbeer.

Comments (8)

stealthcopter commented on August 22, 2024 1

I don't see any reason why not

from rootbeer.

stealthcopter commented on August 22, 2024 1

Hi @azbesthu I'm really sorry I didn't see this until just now. I'm not sure what version was used to compile 0.0.7 but I've just built 0.0.8 using version 21 so that should have all the protections mentioned.

I'm going to close this issue as I believe it's solved however please feel free to open more issues if you find issues with the native libraries! Thanks all.

from rootbeer.

Stephane84 commented on August 22, 2024 1

@stealthcopter thanks for the merged of the PR.
Is a 0.0.9 release is plan with the rebuild of the .so files ?
Thx

from rootbeer.

pich4ya commented on August 22, 2024

from rootbeer.

azbesthu commented on August 22, 2024

Hey @stealthcopter

Which NDK version was in use while building v0.0.7?
I just asking, because it seems current NDK v19b by default has " -stack-protector 2" in verbose log while building, that seems to be "-fstack-protector-strong" equivalent in LLVM.
I saw an issue in NDK v18 about they accidently removed this flag, but they re-enabled it in v18b.
android/ndk#815
Also do you know which NDK was used for v0.0.6 relese?

Hey @juan-dambra
Is this "-pie" issue happening only on MIPS platform? I just asking, because our security team mentioned it only for mips64 with v0.0.6 release. If I understand correctly, v0.0.7 dropped mips support, because google also dropped it from newer NDK versions. So maybe it is not a problem any more with that.

from rootbeer.

slawert commented on August 22, 2024

Hello,

I have tested the library with different tools(readelf, decomp) and found the following result: while the 32bit archs are indeed protected against stack smashing (armv7 an x86) however the more common 64 bit archs (arm64 and x86_64) don’t seem to be built the same way, and don’t have the needed checks.

Is there a chance that this can be fixed on your end ?@stealthcopter @scottyab

Thanks a lot!

from rootbeer.

stealthcopter commented on August 22, 2024

@slawert As this is an area I'm not very familiar with it's going to take me a while to research this. We'd love for someone to make a PR if there is anyone has more of a clue how to change this without removing support for any devices. Thanks :)

from rootbeer.

benjosantony commented on August 22, 2024

The PR was merged, but not released, possible to make a release with the fix ?

from rootbeer.

ELF built without PIE & Stack Protection about rootbeer HOT 8 CLOSED

Comments (8)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent