Executable stacks

Executable stacks

[Petteri Räty]

[-- Attachment #1: Type: text/plain, Size: 702 bytes --]

Hello. GRUB2 contains executable stacks. Usually these are not needed
and can be easily fixed.

betelgeuse@pena ~/checkouts/grub2 $ scanelf -qeR .
RWX --- ---  ./grub-setup
!WX --- ---  ./pxeboot_img-boot_i386_pc_pxeboot.o
RWX --- ---  ./grub-emu
!WX --- ---  ./kernel_img-kern_i386_pc_startup.o
RWX --- ---  ./grub-probefs
!WX --- ---  ./boot_img-boot_i386_pc_boot.o
RWX --- RWX  ./kernel.exec
--- --- RWX  ./diskboot.exec
!WX --- ---  ./normal_mod-normal_i386_setjmp.o
!WX --- ---  ./diskboot_img-boot_i386_pc_diskboot.o
--- --- RWX  ./pxeboot.exec
--- --- RWX  ./boot.exec

http://www.gentoo.org/proj/en/hardened/gnu-stack.xml
This document is very helpful in fixing this problem.

Regards,
Petteri

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 256 bytes --]

Re: Executable stacks

[Marco Gerards]

Petteri Räty <betelgeuse@gentoo.org> writes:

> Hello. GRUB2 contains executable stacks. Usually these are not needed
> and can be easily fixed.

It's funny that you mention this now. :-)

There have been a lot of reports about this already, see the
mailinglist archives.  Because of this I have added a page to the
wiki, which I just finished a few seconds ago:

http://grub.enbug.org/NestedFunctions

Please proofread it to make sure the facts are correct.  Although this
is a wiki, I hope people don't just change it so it reflects their
opinion instead of the facts I carefully added to this page.  I am
saying this because people for some reason are a bit fanatic about
this issue. ;-)

--
Marco

Re: Executable stacks

[Olaf Hering]

 On Sat, Dec 31, Marco Gerards wrote:

> http://grub.enbug.org/NestedFunctions

You should add some blurb about the "why cant grub2 get away without
nested functions?" thing.

-- 
short story of a lazy sysadmin:
 alias appserv=wotan

Re: Executable stacks

[Petteri Räty]

[-- Attachment #1: Type: text/plain, Size: 1651 bytes --]

Marco Gerards wrote:
> Petteri Räty <betelgeuse@gentoo.org> writes:
> 
> 
>>Hello. GRUB2 contains executable stacks. Usually these are not needed
>>and can be easily fixed.
> 
> 
> It's funny that you mention this now. :-)
> 
> There have been a lot of reports about this already, see the
> mailinglist archives.  Because of this I have added a page to the
> wiki, which I just finished a few seconds ago:
> 
> http://grub.enbug.org/NestedFunctions
> 
> Please proofread it to make sure the facts are correct.  Although this
> is a wiki, I hope people don't just change it so it reflects their
> opinion instead of the facts I carefully added to this page.  I am
> saying this because people for some reason are a bit fanatic about
> this issue. ;-)
> 

I am not an expert in this area. Our tools just automatically warn you
about executable stacks so I reported it here.

"Some operating systems and GNU/Linux distributions don't have an
executable stack for security reasons. Sometimes it does not have an
executable stack by default, but the executable stack can be enabled
again by tagging the binary."

Better wording would be that some distributions don't allow executable
stacks for security reasons and I did this modification to the wiki.

"Another solution is enabling the executable stack again by calling some
function."

This is really vague. I think this should be dropped unless you can
specify the name of the function but I leave the decision to you. I also
had trouble understanding some of the stuff on the page but then again I
am not an expert in these issues.


Regards,
Petteri



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 256 bytes --]

Re: Executable stacks

[Marco Gerards]

Petteri Räty <betelgeuse@gentoo.org> writes:

> I am not an expert in this area. Our tools just automatically warn you
> about executable stacks so I reported it here.

Sure :)

> "Some operating systems and GNU/Linux distributions don't have an
> executable stack for security reasons. Sometimes it does not have an
> executable stack by default, but the executable stack can be enabled
> again by tagging the binary."
>
> Better wording would be that some distributions don't allow executable
> stacks for security reasons and I did this modification to the wiki.

I noticed that, we were editing the same page simultaneously.  I hope
everything went right.

> "Another solution is enabling the executable stack again by calling some
> function."
>
> This is really vague. I think this should be dropped unless you can
> specify the name of the function but I leave the decision to you. I also
> had trouble understanding some of the stuff on the page but then again I
> am not an expert in these issues.

I changed the wording a bit.  I hope it is clearer now.  English is
not my native language and suggestions for improvements are more than
welcome. :-)

Thanks,
Marco