[klibc] [klibc:master] Kbuild: Tell gas we don't want executable stacks

klibc-bot for Ben Hutchings ben at decadent.org.uk
Fri Feb 28 16:27:05 PST 2020


Commit-ID:  9d8d648e604026b32cad00a84ed6c29cbd157641
Gitweb:     http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=9d8d648e604026b32cad00a84ed6c29cbd157641
Author:     Ben Hutchings <ben at decadent.org.uk>
AuthorDate: Sat, 29 Feb 2020 00:03:20 +0000
Committer:  Ben Hutchings <ben at decadent.org.uk>
CommitDate: Sat, 29 Feb 2020 00:11:26 +0000

[klibc] Kbuild: Tell gas we don't want executable stacks

The stack should be made non-executable, as a security hardening
measure.  This is irrelevant for most of the klibc utilities, but
ipconfig deals with network input that might be untrusted.  Since
Linux 5.6-rc1 the kernel now also warns (once) if a program has an
executable stack.

As this is necessarily a process-wide attribute at run-time, the
stack ends up being executable unless every object file linked into the
program is flagged as not needing it.  gas doesn't set the flag by
default, so we need to explicitly tell it to do so.

ia64 will also need a change to its linker script to retain the
.note.GNU-stack section, but I have no way of testing ia64 so I'm going
to leave that to later.

Reported-by: Christophe Leroy <christophe.leroy at c-s.fr>
References: https://lists.zytor.com/archives/klibc/2020-February/004271.html
Signed-off-by: Ben Hutchings <ben at decadent.org.uk>

---
 scripts/Kbuild.klibc | 2 +-
 usr/klibc/Kbuild     | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/scripts/Kbuild.klibc b/scripts/Kbuild.klibc
index b7e99b56..afc9a546 100644
--- a/scripts/Kbuild.klibc
+++ b/scripts/Kbuild.klibc
@@ -125,7 +125,7 @@ KLIBCDEFS        += -D__KLIBC__=$(KLIBCMAJOR)          \
 KLIBCCPPFLAGS    += $(KLIBCDEFS)
 KLIBCCFLAGS      += $(KLIBCCPPFLAGS) $(KLIBCREQFLAGS) $(KLIBCARCHREQFLAGS)  \
                     $(KLIBCOPTFLAGS) $(KLIBCWARNFLAGS)
-KLIBCAFLAGS      += -D__ASSEMBLY__ $(KLIBCCFLAGS)
+KLIBCAFLAGS      += -D__ASSEMBLY__ -Wa,--noexecstack $(KLIBCCFLAGS)
 KLIBCSTRIPFLAGS  += --strip-all -R .comment -R .note
 
 KLIBCLIBGCC_DEF  := $(shell $(KLIBCCC) $(KLIBCCFLAGS) --print-libgcc)
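Review bot: The -Wa,--noexecstack added on the KLIBCAFLAGS line only flags objects that are assembled through KLIBCAFLAGS, and nothing here checks the linked result. As the commit message says, a single unflagged object makes the whole program's stack executable, so consider also passing -z noexecstack at link time, or adding a post-link check (for example running readelf -lW on the output and failing if GNU_STACK carries the E flag), so that an assembly file built by some other rule cannot silently regress this. A short comment next to this line about the deferred ia64 linker-script change would also keep it from being forgotten.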
diff --git a/usr/klibc/Kbuild b/usr/klibc/Kbuild
index b462fbec..19ccfbec 100644
--- a/usr/klibc/Kbuild
+++ b/usr/klibc/Kbuild
@@ -180,6 +180,7 @@ quiet_cmd_interp = BUILD   $@
       cmd_interp = $(KLIBCCC) $(klibccflags) -D__ASSEMBLY__     \
                              -DLIBDIR=\"$(SHLIBDIR)\"         \
 			     -DSOHASH=\"$(SOLIBHASH)\" \
+                             -Wa,--noexecstack \
 			     -c -o $@ $<
 
 $(INTERP_O): $(obj)/interp.S $(SOLIB).hash
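Review bot: In cmd_interp the option has to be repeated by hand because this rule assembles interp.S with $(klibccflags) plus its own -D__ASSEMBLY__, so it does not pick up the KLIBCAFLAGS change. If the assembler-flags variable can be used in this rule, switching to it would remove both the duplicated -D__ASSEMBLY__ and this extra line; otherwise a one-line comment saying why the flag is repeated here would help the next person who adds an assembler option. Minor: the added line is indented with spaces while the -DSOHASH and -c lines around it use tabs.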

