-
Notifications
You must be signed in to change notification settings - Fork 24.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
React Native 0.71.3 generates .so files that are not stack canary protected #36870
Comments
|
That happens because those |
@cortinico Thank you for your prompt reply. I'm currently trying to remedy the issue by building from source, but I do understand building from source is not the recommended approach of development and would require the node_modules to not be updated as well. Sorry if I am not really well-versed on this matter, and am not sure if you would be able to advise, but would like to inquire why these source files are not built with stack canary flags as a default when prebuilt? It seems to be a common enough use case for security requirements for developers. I understand the intention of the prebuilt files are for quicker build times, but it seems the ability to add these additional configs requires quite an atypical dev flow, as well as lots of additional debugging on the ReactAndroid etc. config files just to force this flag in. Additionally it would not be able to be maintained on version control unless I remove node_modules from .gitignore. |
I've done further investigation and noticed that we do have the You can verify this by yourself by cloning the repo and running Here the flags used for a debug run I did locally for the target
|
Our security team raised the exact same issue for the same version. They also reported that those libraries are missing the FORTIFY protection. I do see a FORTIFY_SOURCE command line argument though. From this build log it seems like both measures are actually being applied for the prebuilt libs, but then when our security team investigates our app it appears that it actually is not applied. 🤷🏻♂️ Maybe something is going wrong in the build pipeline reverting/overriding these security measures resulting in final .so files that don't have them applied after all? |
Could you provide more evidence that those flags are missing? How are they investigating the |
Sure. This is from their report. The affected native libraries are all part of the split_config.arm64_v8a.apk. This file format is a zip file, which could be extracted using an archiving utility. A reverse engineering framework like Rizin11 or Radare212 could be used to verify if exploit mitigations have been enabled for a binary, by using the following command for Rizin:
When no mitigations have been enabled, no output is given after execution of the command. If checks have been enabled, an output will look similar to the output below:
The first line is for the FORTIFY_SOURCE obtain, which adds a check for all dangerous standard functions. The second line is for the stack canary protection. The following libraries are missing stack canary protection: The following libraries are missing the FORTIFY protection: |
Thanks this is really valuable. I'd love to have this looked into. |
Also this is up for grab. It's going to be a matter of adding missing flags to |
sorry, can't think of anyone MSFT side that can take this up |
Hello, our support team raised the same issue for the React Native 0.71.0, tried to use: in android/app/build.gradle under android / defaultConfig but it didn't help in any way. |
This obviously has no effect as we distribute prebuilts, so you can't add new I identified a potential bug in the NDK that is causing this. I believe version 0.72 of React Native will fix this issue, so I ask you to try again once we'll have a stable version out. |
Hi @cortinico , I am also being to repro the same issue on React Native 0.71. |
Just FYI I think we can do this much easily even without using rz-bin. Steps below (MAC):
This will print "__stack_chk_fail" for all files which have stack smash protection enabled. For files which do not have this, it will just print the file name. The |
Yes I believe 0.72 will fix this issue to some degree. |
@cortinico let me check that. |
@cortinico @kelset @dragorwyin libreact_config.so |
These not-stack-protected .so files are common for all architectures (arm68-v8a, armeabi-v7a, x86, x86_64). |
@cortinico @kelset @dragorwyin this PR: #38018 should solve the stack_chk_fail part of this issue. |
Could you clarify which file in the .aar is not stack protected (as there are several called |
Hello, as it's essential to my team, I need to ask: what is the estimated fixing date for this one? If there is any? |
There are no ETAs |
@cortinico I am not sure what prefab/non-prefab is but the "__stack_chk_fail" string is missing for the above shared objects in all architectures. x86, x86_64, armeabi-v7a and arm68-v8a |
What I mean is that if you download this file: and unzip it, search for
which one have you checked @SparshaSaha ? |
as for example, I just checked |
Let me take a look again. I will report back here once I have an answer |
@cortinico I just downloaded the release 0.72 and I checked But unfortunately I do not see any stack_chk_fail string inside it. I am not sure how we are seeing different things on the same I used the $strings command then then piped it into grep. To confirm once again, I tried to search for it by opening the file in a code editor. |
You're correct. That was my fault. I was looking at a stale |
Hello, just kindly pinging ;) Any update here or is it stuck? Thank you! |
Currently blocked by this: |
Hello guys, any plan for this issue? :) |
Hi all, I've verified that we build with That being said, if you attempt to search for
Those two
Those 3 .so files instead contain method calls, but those methods don't contain stack buffer calls, so there are no We won't be adding |
Hello @cortinico, sorry for writing on closed ticket, but I think it's the best place to just ask about it. |
Sadly commenting on closed issues it's not the right place to ask this questions. |
Description
Spinning up a new project using React Native 0.71.3 will generate various .so files packaged in the Android APK generated when running ./gradlew assembleRelease . Of these .so files, some were found to not be stack canary protected using security tools like MobSF, checksec, or readelf. This happens despite placing the below in my android/app/build.gradle configurations.
externalNativeBuild{ cmake{ cppFlags "-fstack-protector-all" } }
These were the files we found so far:
libreact_debug
libreact_render_debug
libreact_utils
libruntimeexecutor
React Native Version
0.71.3
Output of
npx react-native info
System:
OS: Windows 10 10.0.19045
CPU: (8) x64 11th Gen Intel(R) Core(TM) i5-1145G7 @ 2.60GHz
Memory: 2.64 GB / 15.69 GB
Binaries:
Node: 18.15.0 - C:\Program Files\nodejs\node.EXE
Yarn: Not Found
npm: 9.5.0 - C:\Program Files\nodejs\npm.CMD
Watchman: Not Found
SDKs:
Android SDK: Not Found
Windows SDK: Not Found
IDEs:
Android Studio: AI-221.6008.13.2211.9619390
Visual Studio: Not Found
Languages:
Java: 11.0.15.1 - C:\Program Files\Common Files\Oracle\Java\javapath\javac.EXE
npmPackages:
@react-native-community/cli: ^11.1.2 => 10.2.2
react: ^18.2.0 => 18.2.0
react-native: ^0.71.3 => 0.71.6
react-native-windows: Not Found
npmGlobalPackages:
react-native: Not Found
Steps to reproduce
It can be noted here that the libreact_utils.so does not have stack canary symbols or stack_chk_fail function implemented.
Snack, code example, screenshot, or link to a repository
The text was updated successfully, but these errors were encountered: