[PATCH] For comment - apply NOEXECSTACK to all .so files

Andrew McDonnell bugs at andrewmcdonnell.net
Tue Aug 26 14:21:27 UTC 2014


Whilst investigating hardening OpenWRT running on a MIPS SOC I noticed
that several of the uClibc .so files (specifically, ld-uClibc-0.9.33.2.so,
libcUclibc-0.9.33.2.so, librt-0.9.33.2.so and libpthread-0.9.33.2.so)
did not have the NX flag set (a GNU_STACK not executable in readelf).

This was in spite of UCLIBC_BUILD_NOEXECSTACK=y.

I have been working through multiple hardening guides which seem to vary,
some state apply -Wl,-z,noexecstack at the linker, others imply that the
code could be fixed at the assembler level with the linker fix being
a 'last resort'.  I do not have enough experience with uClibc to know
which is the ideal solution, so my patch just applies the linker fix.
My guess is that there are things done in code in those four DLLs that
miss out on the ASFLAGS, and from my basic understanding this means
that the default condition gets applied to the entire file by the linker.
My references include the Gentoo hardening guide and the Ubuntu
Security Team Executable Stacks wiki page.

This may be OK, but I propose this patch and leave it to anyone with
more knowledge than myself to decide on its efficacy.

Note this has only been tested on MIPS on a carambola2 SOC.

Before/after testing can be done quickly using 'checksec.sh' from 
http://www.trapkit.de/tools/checksec.html

From some reading it is possible this may break on some environments
(e.g. PPC???) without extra work to check. Whilst creating the patch
I discovered that code in Rules.mak that exists to check if a flag is
valid, cannot cope with flags with a comma. Fixing that is currently
beyond me also!
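The GNU_STACK check described above can also be done without readelf or checksec.sh by reading the ELF program headers directly. The following is an added example, not code from the original post or from uClibc; it handles both ELF32 (e.g. big-endian MIPS) and ELF64, and the build_elf32 helper constructs a minimal sample image for testing and is an assumption, not a real uClibc library.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header type the kernel reads for stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def gnu_stack_status(data: bytes) -> str:
    """Return 'noexec', 'exec' or 'missing' for the PT_GNU_STACK entry of an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    if ei_class == 1:  # ELF32, e.g. MIPS32 on OpenWRT
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        fmt, flags_idx = end + "IIIIIIII", 6  # p_flags is the 7th field of Elf32_Phdr
    elif ei_class == 2:  # ELF64
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        fmt, flags_idx = end + "IIQQQQQQ", 1  # p_flags is the 2nd field of Elf64_Phdr
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        ph = struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_STACK:
            return "exec" if ph[flags_idx] & PF_X else "noexec"
    # No PT_GNU_STACK at all: the kernel's per-architecture default applies,
    # which historically means an executable stack, so treat it as a finding too.
    return "missing"


def check_file(path: str) -> str:
    """Convenience wrapper for scanning an on-disk .so, e.g. ld-uClibc-0.9.33.2.so."""
    with open(path, "rb") as f:
        return gnu_stack_status(f.read())


def build_elf32(stack_flags: int, big_endian: bool = True, with_gnu_stack: bool = True) -> bytes:
    """Constructed sample: a minimal ELF32 ET_DYN image (EM_MIPS) with one optional PT_GNU_STACK."""
    end = ">" if big_endian else "<"
    e_ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1, 0]) + b"\x00" * 8
    phnum = 1 if with_gnu_stack else 0
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = e_ident + struct.pack(end + "HHIIIIIHHHHHH", 3, 8, 1, 0, 52, 0, 0, 52, 32, phnum, 0, 0, 0)
    phdr = struct.pack(end + "IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16) if with_gnu_stack else b""
    return ehdr + phdr
```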


