[PATCH] For comment - apply NOEXECSTACK to all .so files

Rich Felker dalias at libc.org
Tue Aug 26 16:22:46 UTC 2014


On Tue, Aug 26, 2014 at 11:51:27PM +0930, Andrew McDonnell wrote:
> Whilst investigating hardening OpenWRT running on a MIPS SOC I noticed
> that several of the uClibc .so files (specifically, ld-uClibc-0.9.33.2.so,
> libcUclibc-0.9.33.2.so, librt-0.9.33.2.so and libpthread-0.9.33.2.so)
> did not have the NX flag set (a GNU_STACK not executable in readelf).
> 
> This was in spite of UCLIBC_BUILD_NOEXECSTACK=y.
> 
> I have been working through multiple hardening guides which seem to vary,
> some state apply -Wl,-z,noexecstack at the linker, others imply that the
> code could be fixed at the assembler level with the linker fix being
> a 'last resort'.

If nothing else, I think the linker-level "fix" is wrong because it
does not help static-linked programs. If there are some .o files with
executable stack status (i.e. missing the noexecstack flag), and any
of them make it into the static library archive files, it will cause
all static-linked programs to run with executable stack. So it would
be a lot better to track down which files (likely asm files being
built without the right ASFLAGS or whatever) are causing the
executable stack in the output .so's rather than just trying to force
the stack non-executable.

Rich
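
One way to do the per-object audit suggested in the reply above, as an added example that is not part of the original thread: the script reads each ELF object's section headers and reports files whose `.note.GNU-stack` section is absent or flagged executable. It assumes the GNU toolchain convention of recording stack requirements in that section; `stack_note`, `offenders` and `make_obj` are illustrative names, and `make_obj` builds a constructed ELF32 big-endian sample object.

```python
import struct
import sys

SHF_EXECINSTR = 0x4  # section flag: contents are executable

def stack_note(obj: bytes) -> str:
    """Classify a relocatable ELF object as 'noexec', 'exec' or 'missing'."""
    if obj[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = obj[4] == 2                    # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if obj[5] == 1 else ">"     # EI_DATA: 1 = little, 2 = big endian
    shoff, = struct.unpack_from(end + ("Q" if is64 else "I"), obj, 0x28 if is64 else 0x20)
    shentsize, shnum, shstrndx = struct.unpack_from(end + "HHH", obj, 0x3A if is64 else 0x2E)

    def shdr(i):                          # -> (sh_name, sh_flags, sh_offset, sh_size)
        f = struct.unpack_from(end + ("IIQQQQ" if is64 else "6I"), obj, shoff + i * shentsize)
        return f[0], f[2], f[4], f[5]

    _, _, stroff, strsize = shdr(shstrndx)
    strtab = obj[stroff:stroff + strsize]
    for i in range(shnum):
        name, flags, _, _ = shdr(i)
        if strtab[name:].split(b"\0", 1)[0] == b".note.GNU-stack":
            return "exec" if flags & SHF_EXECINSTR else "noexec"
    return "missing"                      # no note: the linker falls back to its default

def offenders(objects: dict) -> list:
    """Names of objects that do not carry a non-executable stack note."""
    return sorted(n for n, data in objects.items() if stack_note(data) != "noexec")

def make_obj(note_flags=None) -> bytes:
    """Constructed sample: minimal ELF32 big-endian (MIPS) ET_REL object."""
    names = b"\0.shstrtab\0.note.GNU-stack\0"
    secs = [(0, 0, 0, 0, 0), (1, 3, 0, 52, len(names))]  # name, type, flags, offset, size
    if note_flags is not None:
        secs.append((11, 1, note_flags, 52 + len(names), 0))
    ident = b"\x7fELF\x01\x02\x01" + bytes(9)
    hdr = struct.pack(">16sHHIIIIIHHHHHH", ident, 1, 8, 1, 0, 0,
                      52 + len(names), 0, 52, 0, 0, 40, len(secs), 1)
    return hdr + names + b"".join(
        struct.pack(">10I", n, t, f, 0, o, s, 0, 0, 1, 0) for n, t, f, o, s in secs)

if __name__ == "__main__":
    # Usage: extract the static archive with `ar x`, then pass the .o files as arguments.
    objs = {p: open(p, "rb").read() for p in sys.argv[1:]}
    print("\n".join(offenders(objs)) or "all objects carry a noexec stack note")
```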

