react-native
react-native copied to clipboard
Build React Native Shared Objects with Stack Smash Protection
Summary:
Some of the .so files in React Native does not seem to be stack protected. We figure that out by checking for "__stack_chk_fail" string inside the binary files.
This was probably happening because we were not using the "-fstack-protector" flag.
The fix I have imagined involves adding a "-fstack-protector-all" flag in the compile options in the CMake files.
Changelog:
[ANDROID][ADDED] - Added -fstack-protector-all
flag in CMakeLists.txt for ReactAndroid
and ReactCommon
.
Test Plan:
One of the ways to test this would be to generate the rn-tester app from this branch and following these steps: https://github.com/facebook/react-native/issues/36870#issuecomment-1592796732
Platform | Engine | Arch | Size (bytes) | Diff |
---|---|---|---|---|
android | hermes | arm64-v8a | 9,036,875 | +70,445 |
android | hermes | armeabi-v7a | 8,359,314 | +131,702 |
android | hermes | x86 | 9,551,081 | +70,993 |
android | hermes | x86_64 | 9,393,621 | +71,064 |
android | jsc | arm64-v8a | 9,583,699 | +56,343 |
android | jsc | armeabi-v7a | 8,769,028 | +103,139 |
android | jsc | x86 | 9,668,085 | +56,176 |
android | jsc | x86_64 | 9,916,452 | +57,976 |
Base commit: 8ddb334bb08851ea7b5ed68246fcfd0bc36165c0 Branch: main
@cortinico I see. Do you suggest that we add this as a cppFlag in build.gradle under externalNativeBuild
?
Nope we need to understand why the NDK is not setting this flag. We don't need to specify it manually
@cortinico I am not sure if NDK toolchain would automatically set the stack-protector flag by default because adding that flag might cause a size increase and might impact perf negatively . I thought developers are supposed to mention these flags as required. Is there any documentation around this which i can read up on?
@cortinico I am not sure if NDK toolchain would automatically set the stack-protector flag by default because adding that flag might cause a size increase and might impact perf negatively . I thought developers are supposed to mention these flags as required. Is there any documentation around this which i can read up on?
It does. The list of flags that the NDK sets automatically for a release build of 0.72 are:
-g -DANDROID -fdata-sections -ffunction-sections -funwind-tables -fstack-protector-strong -no-canonical-prefixes -D_FORTIFY_SOURCE=2 -march=armv7-a -mthumb -Wformat -Werror=format-security -Os -DNDEBUG -fPIE
More on this here also: https://github.com/android/ndk/issues/1693
So -fstack-protector-strong
is there.
we are blocked in a huge public program because of the missing stack protection of reactive native. Any forecast by when a version will be available fully supporting this security requirment?
we are blocked in a huge public program because of the missing stack protection of reactive native. Any forecast by when a version will be available fully supporting this security requirment?
We'll get back to this after the NDK 25 bump: #37974