Question - intention of UCLIBC_BUILD_NOEXECSTACK?

Khem Raj raj.khem at gmail.com
Mon Aug 25 04:17:01 UTC 2014


On 14-08-25 12:06:16, bugs at andrewmcdonnell.net wrote:
> Hi,
> 
> I have been playing with uClibc on some embedded Linux systems, and trying
> out some hardening techniques.
> 
> When I tested the .so files built by uClibc (using the checksec.sh tool from
> http://www.trapkit.de/tools/checksec.html, which is basically a wrapper
> around readelf), the files do not exhibit the GNU_STACK flag.
> 
> What I would like to do is actually build with the linker option
> '-Wl,-z,noexecstack' as per
> http://www.win.tue.nl/~aeb/linux/hh/protection.html or
> http://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart (for just two
> examples). I eventually managed to do this by using and patching Config.in
> (0.9.33.2) to recognise UCLIBC_LDFLAGS_EXTRA, after which the .so files had
> the relevant flag. (I can post that patch to enable UCLIBC_LDFLAGS_EXTRA
> separately.)
> 
> One thing I noticed is that uClibc has a Config setting
> UCLIBC_BUILD_NOEXECSTACK but all this seems to do is pass the relevant flag
> to the assembler and not to the linker. The gentoo hardening guide applies
> the flag to both assembler and linker stage.
> 
> According to the Config.in help: "Mark all assembler files as noexecstack.
> This will result in marking all libraries and executables built against
> uClibc not requiring executable stack."
> 
> I guess the gap in my knowledge is how uClibc, by only applying to assembler
> files, meets "marking all libraries and executables" when the GNU_STACK flag
> is missing from the ELF images? Note it has been a very long time since I

It won't. Can you patch the UCLIBC_BUILD_NOEXECSTACK code to pass the linker
option as well?
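For anyone who wants to verify the GNU_STACK state discussed above without going through readelf or checksec, here is an added example (not from this thread or from uClibc) that reads the ELF program headers directly and classifies an image as missing the header, marked executable, or marked non-executable; the three sample images are constructed inline.

```python
import struct

PT_GNU_STACK = 0x6474E551  # p_type of the GNU_STACK program header
PF_X = 0x1                 # execute bit in p_flags

def gnu_stack_status(data: bytes) -> str:
    """Classify an ELF image by its PT_GNU_STACK program header:
    'missing' = no GNU_STACK header (what checksec saw on the uClibc .so files),
    'exec'    = header present with PF_X set (executable stack requested),
    'noexec'  = header present without PF_X (what -Wl,-z,noexecstack yields).
    Handles ELF32/ELF64 and both byte orders."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"
    if is64:   # e_phoff @0x20 (8 bytes); e_phentsize, e_phnum @0x36
        (phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:      # e_phoff @0x1C (4 bytes); e_phentsize, e_phnum @0x2A
        (phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
    for i in range(phnum):
        off = phoff + i * phentsize
        (p_type,) = struct.unpack_from(end + "I", data, off)
        # Elf64_Phdr keeps p_flags right after p_type; Elf32_Phdr puts it at +24
        (p_flags,) = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            return "exec" if p_flags & PF_X else "noexec"
    return "missing"

def check_file(path: str) -> str:
    """Classify an ELF file on disk, e.g. a uClibc-built .so."""
    with open(path, "rb") as fh:
        return gnu_stack_status(fh.read())

def build_elf64(phdrs) -> bytes:
    """Constructed sample: minimal little-endian x86-64 ET_DYN image holding
    only the ELF header and the given (p_type, p_flags) program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ident + hdr + body

# Constructed samples: a PT_LOAD (type 1) alone, then RW and RWX GNU_STACK variants
SAMPLES = {
    "no-gnu-stack.so": build_elf64([(1, 5)]),
    "noexecstack.so": build_elf64([(1, 5), (PT_GNU_STACK, 6)]),
    "execstack.so": build_elf64([(1, 5), (PT_GNU_STACK, 7)]),
}
```

Running `gnu_stack_status` over the samples gives `missing`, `noexec` and `exec` respectively; `check_file` applies the same test to a real library.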



More information about the uClibc mailing list