TC program compilation __stack_chk_fail not supported

[h3xduck]

➜  src git:(master) make all
  MKDIR    .output
  MKDIR    .output/libbpf
  LIB      libbpf.a
  MKDIR    /home/u1tron/TripleCross/src/.output//libbpf/staticobjs
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/bpf.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/btf.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/libbpf.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/libbpf_errno.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/netlink.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/nlattr.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/str_error.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/libbpf_probes.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/bpf_prog_linfo.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/xsk.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/btf_dump.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/hashmap.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/ringbuf.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/strset.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/linker.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/gen_loader.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/relo_core.o
  AR       /home/u1tron/TripleCross/src/.output//libbpf/libbpf.a
  INSTALL  bpf.h libbpf.h btf.h libbpf_common.h libbpf_legacy.h xsk.h bpf_helpers.h bpf_helper_defs.h bpf_tracing.h bpf_endian.h bpf_core_read.h skel_internal.h libbpf_version.h
  INSTALL  /home/u1tron/TripleCross/src/.output//libbpf/libbpf.pc
  INSTALL  /home/u1tron/TripleCross/src/.output//libbpf/libbpf.a 
  BPF      .output/kit.bpf.o
  GEN-SKEL .output/kit.skel.h
libbpf: elf: skipping unrecognized data section(17) .rodata.str1.1
  CC       .output/kit.o
  CC       /home/u1tron/TripleCross/src/user/include/modules/module_manager.o
  BINARY   kit
clang -O2 -emit-llvm -g -c /home/u1tron/TripleCross/src/ebpf/include/bpf/tc.c -o - | \
llc -march=bpf -mcpu=probe -filetype=obj -o bin/tc.o
error: <unknown>:0:0: in function classifier_egress i32 (%struct.__sk_buff*): A call to built-in function '__stack_chk_fail' is not supported.

make: *** [Makefile:107: tckit] Error 1
rm .output/kit.bpf.o

Originally posted by @yasindce1998 in https://github.com/h3xduck/TripleCross/issues/39#issuecomment-1176212468

[h3xduck]

@yasindce1998 can you check the distro and version you are using?

lsb_release -a

The rootkit has only been tested in Ubuntu 21.04, if you are using this version already, which clang version are you on?

clang -v

[yasindce1998]

@h3xduck Apologies for the late response and Thank you for reviewing it. Here is what you needed.

➜  ~ lsb_release -a
LSB Version:    n/a
Distributor ID: Arch
Description:    Arch Linux
Release:        rolling
Codename:       n/a
➜  ~ clang -v
clang version 13.0.1
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-pc-linux-gnu/12.1.0
Found candidate GCC installation: /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/12.1.0
Selected GCC installation: /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/12.1.0
Candidate multilib: .;@m64
Candidate multilib: 32;@m32
Selected multilib: .;@m64
➜  ~ 

Extra informations

Operating System: Arch Linux                      
          Kernel: Linux 5.18.5-arch1-1
    Architecture: x86-64
 Hardware Vendor: Lenovo
  Hardware Model: Lenovo E41-25

[h3xduck]

Yeah we didn't test the rootkit on Arch, you will have to use Ubuntu 21.04 if you want to compile it.

For the record, these are issues with using TripleCross in a different distro and version that I can think of:

• Your compiler toolchain is different than the one in Ubuntu 21.04 (we used Clang v12). This results in the compiler sometimes generating instructions which are not valid in BPF (this is your case). You either will have to switch compiler or try with different fixes, -fno-stack-protector might work in your case.
• The library injection module depends on specific opcodes of functions at glibc which may vary between versions. We used glibc 2.33

We may extend it to other versions in the future, but for now you may need to patch it yourself or switch to the supported system.

[yasindce1998]

@h3xduck Thank you! I can switch to Ubuntu 21.04. Thank you for the clarification!