Date: Mon, 6 Aug 2012 16:05:32 +0800
From: orc <orc@...server.ru>
To: musl@...ts.openwall.com
Subject: Re: noexecstack

On Mon, 6 Aug 2012 09:16:10 +0200
Daniel Cegiełka <daniel.cegielka@...il.com> wrote:

> 2012/8/6 orc <orc@...server.ru>:
> > On Sun, 5 Aug 2012 23:35:36 +0200
> 
> > Correct me if I'm wrong, but this is ugly stuff.
> >
> > - binutils ld has -z noexecstack command line option.
> > - this (GNU_STACK) is binutils-specific (tinycc, for example, does
> > not generate ELFs with that section, and future direction should be
> > on that plain ELFs without any gnuish extensions IMO)
> > - Kernel sets executable stack by default, kernel can be patched
> > not to do that (that's one line patch per architecture)
> 
> Can you give some example of how to do it? It might be worthwhile to
> introduce it into the main repository of Linux. What do you think?

I used to set it globally for all archs directly in binfmt_elf.c (here
is a patch example):

diff -Naur linux-3.2.12.o/fs/binfmt_elf.c linux-3.2.12/fs/binfmt_elf.c
--- linux-3.2.12.o/fs/binfmt_elf.c	2012-03-20 00:03:17.000000000
+0800 +++ linux-3.2.12/fs/binfmt_elf.c	2012-08-06
15:41:51.774013640 +0800 @@ -571,7 +571,7 @@
 	unsigned long interp_load_addr = 0;
 	unsigned long start_code, end_code, start_data, end_data;
 	unsigned long reloc_func_desc __maybe_unused = 0;
-	int executable_stack = EXSTACK_DEFAULT;
+	int executable_stack = EXSTACK_DISABLE_X;
 	unsigned long def_flags = 0;
 	struct {
 		struct elfhdr elf_ex;
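
Review bot: The new EXSTACK_DISABLE_X value on the `executable_stack` declaration is only an initializer, and nothing in this hunk shows whether the function later reassigns the variable from the binary's program headers. If it does, the change affects only binaries that carry no stack marking, so the description should say which case it covers, and a comment at the declaration should explain why the default differs from EXSTACK_DEFAULT. Hard-coding the value for every architecture also leaves no way to opt out; a config option would be easier to carry and to review.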

This is a hack, and executable_stack may be set elsewhere. I did
not try to trace that code. But it works (of course ELFs marked to be
with execstack will crash).
I think this may have benefits, but it always was controlled in
userspace; the kernel defaults to executable stack because there are
some other compilers that may rely on this default. I tested tinycc,
it has no issues (i.e. generates code that does not need executable
stack, and does not generate the GNU_STACK extended section)

> 
> > - binutils can be patched to not produce ELFs with executable stack
> > by default
> >
> > While some of options I listed here may harm some GCC or binutils
> > internals (I don't know), I see a utility that comes with
> > grsecurity patches (paxctl) that operates on that section (GNU_STACK),
> > converting it into its own.
> > I tested a system with patched binutils and kernel (but binutils
> > patch here will be enough) without any problems.
> 
> It would be very nice if we could solve this problem in this way. I'm
> currently using this patch, but this is not the best solution in my
> opinion. Ideally if the system (kernel, binutils, libc) enforce
> noexecstack by default... definitely worth look closer at this issue.

Consider this patch as enforcing binutils' noexecstack by default:

diff -Naur binutils-2.17.50.0.17.o/ld/ldmain.c
binutils-2.17.50.0.17/ld/ldmain.c ---
binutils-2.17.50.0.17.o/ld/ldmain.c	2007-06-19
01:31:40.000000000 +0800 +++ binutils-2.17.50.0.17/ld/ldmain.c
2012-08-03 19:59:26.658980680 +0800 @@ -281,6 +281,8 @@
link_info.pei386_auto_import = -1; link_info.spare_dynamic_tags = 5;
   link_info.sharable_sections = FALSE;
+  link_info.execstack = FALSE;
+  link_info.noexecstack = TRUE;
 
   ldfile_add_arch ("");
   emulation = get_emulation (argc, argv);
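
Review bot: The two assignments `link_info.execstack = FALSE;` and `link_info.noexecstack = TRUE;` sit before `get_emulation (argc, argv)`, so they act as defaults ahead of command-line handling. Please confirm that a later `-z execstack` clears `noexecstack` as well as setting `execstack`; otherwise both flags can be TRUE at once. A short comment noting that this changes the linker's default stack marking would help anyone rebasing onto a newer ldmain.c.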

(this one is for binutils 2.17.50.0.17; recent versions may be patched
by finding where link_info is initialized and appending these two lines)

GCC generates the same .note.GNU-stack section definition in its asm
output, as seen in your patch, but I don't know when it needs
executable stack and generates another definition.

libc plays no role here in enforcing executable stacks last time I
checked. It does some initialization of memory permissions in the
dynamic linker, but better to ask Rich about that code.

Applying the kernel patch may render your existing systems unbootable
if it is not a glibc system.


If you don't want to patch and rebuild binutils and kernel, then the
best way to enforce noexecstack notes into ELFs is passing these command
line opts:

gcc: gcc -Wl,-z -Wl,noexecstack [the rest here...]
ld: ld -z noexecstack [...]

> Thanks,
> Daniel
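
An added example, not part of the original message or of any project it discusses: a small C checker that reads a 64-bit little-endian ELF image and reports how its PT_GNU_STACK program header marks the stack, including the case with no such header, where the kernel default discussed above applies. All function, enum and macro names are hypothetical, and the sample image is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example; all names here are hypothetical, not kernel or binutils identifiers. */
#define GNU_STACK_TYPE 0x6474e551u /* numeric value of PT_GNU_STACK */
#define EXEC_FLAG 0x1u             /* numeric value of PF_X */
enum stack_mark { STACK_BAD_ELF = -1, STACK_NO_HEADER, STACK_NOEXEC, STACK_EXEC };

/* Read an n-byte little-endian integer. */
static uint64_t rd_le(const uint8_t *p, int n) {
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Classify an in-memory ELF64 little-endian image by its PT_GNU_STACK header. */
enum stack_mark gnu_stack_mark(const uint8_t *img, size_t len) {
    if (len < 64 || memcmp(img, "\177ELF", 4) != 0) return STACK_BAD_ELF;
    if (img[4] != 2 || img[5] != 1) return STACK_BAD_ELF; /* ELFCLASS64 + LSB only */
    uint64_t phoff = rd_le(img + 32, 8);     /* e_phoff */
    uint64_t phentsize = rd_le(img + 54, 2); /* e_phentsize */
    uint64_t phnum = rd_le(img + 56, 2);     /* e_phnum */
    if (phnum && phentsize < 56) return STACK_BAD_ELF;
    /* Reject program header tables that run past the end of the image. */
    if (phoff > len || phnum * phentsize > len - phoff) return STACK_BAD_ELF;
    for (uint64_t i = 0; i < phnum; i++) {
        const uint8_t *ph = img + phoff + i * phentsize;
        if (rd_le(ph, 4) == GNU_STACK_TYPE)  /* p_type, then p_flags */
            return (rd_le(ph + 4, 4) & EXEC_FLAG) ? STACK_EXEC : STACK_NOEXEC;
    }
    return STACK_NO_HEADER; /* unmarked: the kernel's own default decides */
}

/* Constructed sample: ELF64 header followed by one PT_GNU_STACK entry. */
void make_sample(uint8_t out[120], uint32_t p_flags) {
    memset(out, 0, 120);
    memcpy(out, "\177ELF", 4);
    out[4] = 2; out[5] = 1; out[6] = 1;      /* class, data encoding, version */
    out[32] = 64; out[54] = 56; out[56] = 1; /* e_phoff, e_phentsize, e_phnum */
    for (int i = 0; i < 4; i++) {
        out[64 + i] = (uint8_t)(GNU_STACK_TYPE >> (8 * i));
        out[68 + i] = (uint8_t)(p_flags >> (8 * i));
    }
}

int main(void) {
    uint8_t img[120];
    make_sample(img, 6); /* PF_R|PF_W, as a noexecstack link produces */
    printf("stack mark: %d\n", gnu_stack_mark(img, sizeof img));
    return 0;
}
```

A result of STACK_NO_HEADER is the case the thread is about: the binary carries no marking, so whatever default the kernel applies determines stack permissions.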
