From 2358e931b55effa0cb99b4e2aaa4691352964f5c Mon Sep 17 00:00:00 2001
From: David Pinedo
Date: Mon, 2 May 2016 12:12:04 -0600
Subject: [PATCH] winrtinstaller: added patch file to be used when building nsis
---
windowsRuntimeInstaller/NSIS_Security.patch | 47 +++++++++++++++++++++++++++++
windowsRuntimeInstaller/README.txt | 29 +++++++++---------
2 files changed, 61 insertions(+), 15 deletions(-)
create mode 100644 windowsRuntimeInstaller/NSIS_Security.patch
diff --git a/windowsRuntimeInstaller/NSIS_Security.patch b/windowsRuntimeInstaller/NSIS_Security.patch
new file mode 100644
index 0000000..87bf7e6
--- /dev/null
+++ b/windowsRuntimeInstaller/NSIS_Security.patch
@@ -0,0 +1,47 @@
+diff --git a/nsis-3.0b3-src/SCons/Config/ms b/nsis-3.0b3-src/SCons/Config/ms
+index 32d3d33..d2c4d25 100644
+--- a/nsis-3.0b3-src/SCons/Config/ms
++++ b/nsis-3.0b3-src/SCons/Config/ms
+@@ -16,7 +16,7 @@ def entry(x,u):
+
+ defenv['ENTRY_FLAG'] = entry
+ defenv['MAP_FLAG'] = '/map'
+-defenv['NODEFLIBS_FLAG'] = '/NODEFAULTLIB'
++#defenv['NODEFLIBS_FLAG'] = '/NODEFAULTLIB'
+ defenv['C_FLAG'] = '/TC'
+ defenv['CPP_FLAG'] = '/TP'
+ defenv['CPP_REQUIRES_STDLIB'] = 0
+@@ -29,7 +29,7 @@ defenv['STDCALL'] = '__stdcall'
+ msvs_version = float(defenv['MSVS_VERSION'].replace('Exp',''))
+ if msvs_version >= 8.0:
+ defenv['EXCEPTION_FLAG'] = '/EHsc'
+- defenv.Append(CCFLAGS = ['/GS-'])
++ defenv.Append(CCFLAGS = ['/GS'])
+ defenv.Append(CPPDEFINES = ['_CRT_SECURE_NO_WARNINGS', '_CRT_NONSTDC_NO_WARNINGS', '_CRT_SECURE_NO_DEPRECATE', '_CRT_NON_CONFORMING_SWPRINTFS'])
+ defenv['MSVCRT_FLAG'] = '/MT' # Avoid msvcr?0.dll dependency
+ else:
+@@ -143,9 +143,9 @@ stub_env.Append(CCFLAGS = ['/Fa${TARGET}.lst']) # listing file name
+ stub_env.Append(LINKFLAGS = ['$NODEFLIBS_FLAG']) # no default libraries
+ stub_env.Append(LINKFLAGS = ['$MAP_FLAG']) # generate map file
+
+-if msvs_version >= 10.0:
+- # no relocations that our resource editor ignores
+- stub_env.Append(LINKFLAGS = ['/FIXED'])
++#if msvs_version >= 10.0:
++# # no relocations that our resource editor ignores
++# stub_env.Append(LINKFLAGS = ['/FIXED'])
+
+ stub_uenv = stub_env.Clone()
+ stub_uenv.Append(CPPDEFINES = ['_UNICODE', 'UNICODE'])
+diff --git a/nsis-3.0b3-src/Source/exehead/Main.c b/nsis-3.0b3-src/Source/exehead/Main.c
+index eb231e7..e4642ce 100644
+--- a/nsis-3.0b3-src/Source/exehead/Main.c
++++ b/nsis-3.0b3-src/Source/exehead/Main.c
+@@ -84,6 +84,7 @@ void *g_SHGetFolderPath;
+ NSIS_ENTRYPOINT_GUINOCRT
+ EXTERN_C void NSISWinMainNOCRT()
+ {
++ __security_init_cookie();
+ int ret = 0;
+ const TCHAR *m_Err = _LANG_ERRORWRITINGTEMP;
+
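Review bot: In the embedded Main.c hunk, `__security_init_cookie();` is placed ahead of the declarations `int ret = 0;` and `const TCHAR *m_Err = _LANG_ERRORWRITINGTEMP;`, while the same patch keeps `defenv['C_FLAG'] = '/TC'`, so MSVC releases that compile C as C89 (those before Visual Studio 2013, which the `msvs_version >= 8.0` branch still appears to cover) are likely to reject the file. Moving the call to directly after those two declarations keeps it as the first executable statement and builds on both old and new compilers. Because the cookie is re-initialised inside a function that has already been entered, it is also worth confirming that NSISWinMainNOCRT is either not given a /GS frame or never returns normally, otherwise the epilogue check would report a spurious overrun; the function body continues outside the hunk, so this cannot be judged from here. The commented-out `/FIXED` block deserves a replacement comment such as `# /FIXED dropped so the stub keeps relocations and /DYNAMICBASE takes effect; the resource editor must preserve them`, and the built installer should be checked (for example with `dumpbin /headers`) to confirm the Dynamic base flag is actually present.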
diff --git a/windowsRuntimeInstaller/README.txt b/windowsRuntimeInstaller/README.txt
index d9d48c8..02dce10 100644
--- a/windowsRuntimeInstaller/README.txt
+++ b/windowsRuntimeInstaller/README.txt
@@ -12,36 +12,35 @@ To build the Vulkan Runtime Installer: 1a. Note that the NSIS binary version available at http://nsis.sourceforge.net/Download is not built with - NSIS_CONFIG_LOG=yes and NSIS_MAX_STRLEN=8192 set, so you may have - to build NSIS from source with these flags set. The source for - NSIS 3.0.b3 is available from + NSIS_CONFIG_LOG=yes and NSIS_MAX_STRLEN=8192 set. Also, changes to need + to be made to NSIS to increase the security of the Runtime Installer. + + The source for NSIS 3.0.b3 can be downloaded from https://sourceforge.net/projects/nsis/files/NSIS%203%20Pre-release/3.0b3/nsis-3.0b3-src.tar.bz2/download Instructions for building NSIS are available at http://nsis//sourceforge.net/Docs/AppendixG.html. - To increase the security of the Runtime Installer - specifically - enabling buffer overrun security checks and enabling address space - layout randomization (ASLR), these changes should be made to the NSIS source file - nsis-3.0b3-src/SCons/Config/ms: + The security changes to NSIS involve adding the /DYMANICBASE and /GS options + to the NSIS compile/link steps, so that the Runtime Installer and Uninstaller + are built with address space layout randomization and buffer overrun checks. - - comment out the line enabling the /FIXED linker option - - change the line that sets the /GS- compile option to instead set the /GS compile option - - comment out the line that sets the NODEFLIBS_FLAG to /NODEFAULTLIB + The security changes to NSIS can be made by applying the patch in the + NSIS_Security.patch file in this folder. 
- The command to build NSIS from source: + After you have applied the security patch, build NSIS with this command: scons SKIPUTILS="NSIS Menu","MakeLangId" UNICODE=yes \ ZLIB_W32=\zlib-1.2.7-win32-x86 NSIS_MAX_STRLEN=8192 \ NSIS_CONFIG_LOG=yes NSIS_CONFIG_LOG_TIMESTAMP=yes \ APPEND_CCFLAGS="/DYNAMICBASE /Zi" APPEND_LINKFLAGS="/DYNAMICBASE \ /DEBUG /OPT:REF /OPT:ICF" SKIPDOC=all dist-zip - + This will create a zip file in the nsis-3.0.b3-src directory. Unpack the zip file anywhere on your system. The resulting tree will contain a - Plugins directory. Install the NSIS AccessControl plugin in this - directory. Add the Bin directory to your PATH enviroment variable so that - the CreateInstaller.sh script below will use your custom-built version of + Plugins directory. Install the NSIS AccessControl plugin in this directory. + Add the Bin directory to your PATH enviroment variable so that the + CreateInstaller.sh step below will use your custom-built version of NSIS. Before using NSIS and creating the installer, make sure that all shared -- 2.7.4