klibc-bot for Ben Hutchings
2020-Feb-29 00:27 UTC
[klibc] [klibc:master] Kbuild: Tell gas we don't want executable stacks
Commit-ID: 9d8d648e604026b32cad00a84ed6c29cbd157641
Gitweb: http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=9d8d648e604026b32cad00a84ed6c29cbd157641
Author: Ben Hutchings <ben at decadent.org.uk>
AuthorDate: Sat, 29 Feb 2020 00:03:20 +0000
Committer: Ben Hutchings <ben at decadent.org.uk>
CommitDate: Sat, 29 Feb 2020 00:11:26 +0000

[klibc] Kbuild: Tell gas we don't want executable stacks

The stack should be made non-executable, as a security hardening measure. This is irrelevant for most of the klibc utilities, but ipconfig deals with network input that might be untrusted. Since Linux 5.6-rc1 the kernel now also warns (once) if a program has an executable stack.

As this is necessarily a process-wide attribute at run-time, the stack ends up being executable unless every object file linked into the program is flagged as not needing it. gas doesn't set the flag by default, so we need to explicitly tell it to do so.

ia64 will also need a change to its linker script to retain the .note.GNU-stack section, but I have no way of testing ia64 so I'm going to leave that to later.

Reported-by: Christophe Leroy <christophe.leroy at c-s.fr>
References: https://lists.zytor.com/archives/klibc/2020-February/004271.html
Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
--- scripts/Kbuild.klibc | 2 +- usr/klibc/Kbuild | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/scripts/Kbuild.klibc b/scripts/Kbuild.klibc index b7e99b56..afc9a546 100644 --- a/scripts/Kbuild.klibc +++ b/scripts/Kbuild.klibc @@ -125,7 +125,7 @@ KLIBCDEFS += -D__KLIBC__=$(KLIBCMAJOR) \ KLIBCCPPFLAGS += $(KLIBCDEFS) KLIBCCFLAGS += $(KLIBCCPPFLAGS) $(KLIBCREQFLAGS) $(KLIBCARCHREQFLAGS) \ $(KLIBCOPTFLAGS) $(KLIBCWARNFLAGS) -KLIBCAFLAGS += -D__ASSEMBLY__ $(KLIBCCFLAGS) +KLIBCAFLAGS += -D__ASSEMBLY__ -Wa,--noexecstack $(KLIBCCFLAGS) KLIBCSTRIPFLAGS += --strip-all -R .comment -R .note KLIBCLIBGCC_DEF := $(shell $(KLIBCCC) $(KLIBCCFLAGS) --print-libgcc) 
diff --git a/usr/klibc/Kbuild b/usr/klibc/Kbuild index b462fbec..19ccfbec 100644 --- a/usr/klibc/Kbuild +++ b/usr/klibc/Kbuild @@ -180,6 +180,7 @@ quiet_cmd_interp = BUILD $@ cmd_interp = $(KLIBCCC) $(klibccflags) -D__ASSEMBLY__ \ -DLIBDIR=\"$(SHLIBDIR)\" \ -DSOHASH=\"$(SOLIBHASH)\" \ + -Wa,--noexecstack \ -c -o $@ $< $(INTERP_O): $(obj)/interp.S $(SOLIB).hash
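Review bot: In scripts/Kbuild.klibc, `-Wa,--noexecstack` is added to KLIBCAFLAGS unconditionally for every architecture, although the commit message says ia64 still needs a linker-script change and has not been tested. Consider carrying the flag in a per-architecture variable (KLIBCARCHREQFLAGS is already part of this flag chain) so that an architecture can opt out, and add a one-line comment next to the assignment explaining that gas does not mark objects as not needing an executable stack by default.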
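Review bot: In usr/klibc/Kbuild, cmd_interp hard-codes `-Wa,--noexecstack` a second time, because the interp.S rule builds from $(klibccflags) plus -D__ASSEMBLY__ rather than from the assembler flags changed in scripts/Kbuild.klibc. Defining the option once in a shared variable and referencing it here would keep the two rules from drifting apart if the flag later has to change or become conditional.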