From: "Paweł Sikora" <pluto@pld-linux.org>
To: Andi Kleen <ak@suse.de>
Cc: linux-kernel@vger.kernel.org
Subject: Re: [PROPOSAL/PATCH] Remove PT_GNU_STACK support before 2.6.11
Date: Sun, 6 Feb 2005 19:07:27 +0100
Message-ID: <200502061907.28165.pluto@pld-linux.org>
In-Reply-To: <20050206124701.GD30109@wotan.suse.de>
[-- Attachment #1: Type: text/plain, Size: 2384 bytes --]
On Sunday 06 of February 2005 13:47, you wrote:
> On Sun, Feb 06, 2005 at 01:03:11PM +0100, Pawel Sikora wrote:
> > On Sunday 06 of February 2005 12:36, you wrote:
> > > Worse is that even when the program has trampolines and has
> > > PT_GNU_STACK header with an E bit on the stack it still won't get an
> > > executable heap by default (this is what broke grub)
> > > (...)
> > > My proposal is to turn this all off at least for 2.6.11.
> >
> > My proposal is to recompile broken software with cflags +=
> > -Wa,--noexecstack
>
> But how do you detect broken software? There doesn't seem to be any
> foolproof way other than an extensive test on an NX capable system
> with correct kernel.
[1] glibc-2.3.4 kills buggy bins at load time.
(please look into: elf/dl-load.c, elf/dl-support.c, elf/rtld.c)
This works on i386/PaX systems too (hardware NX isn't required).
[2] `readelf -Wl |grep GNU_STACK` shows RWE ;-)
Please look at this quick example.
# gcc tmp1.c tmp2-invalid.S -o tmp -s
# readelf -Wl tmp
(...)
GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4
                                                         ^ execstack?
PAX_FLAGS 0x000000 0x00000000 0x00000000 0x00000 0x00000 0x4
(...)
Now, let's add a section note to the asm file and rebuild.
# gcc tmp1.c tmp2-valid.S -o tmp -s
# readelf -Wl tmp
(...)
GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x4
PAX_FLAGS 0x000000 0x00000000 0x00000000 0x00000 0x00000 0x4
(...)
The execstack req. disappeared (~99% of broken sources).
I get the same effect with fixed cflags and invalid source.
# gcc tmp1.c tmp2-invalid.S -o tmp -s -Wa,--noexecstack
# readelf -Wl tmp
(...)
GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x4
PAX_FLAGS 0x000000 0x00000000 0x00000000 0x00000 0x00000 0x4
(...)
I know several apps that really need executable data/stack (eg. jvm, xorg).
The rest of RWE-marked binaries have IMHO buggy sources.
> It would be fine if there was a compile time error or something,
> but there isn't.
IMHO the `as` should warn about a missing (.note.GNU-stack) section.
Regards,
Paweł.
--
/* Copyright (C) 2003, SCO, Inc. This is valuable Intellectual Property. */
#define say(x) lie(x)
[-- Attachment #2: tmp1.c --]
[-- Type: text/x-csrc, Size: 83 bytes --]
extern void test();
int main(int argc, char** argv)
{
	test();
	return 0;
}
[-- Attachment #3: tmp2-invalid.S --]
[-- Type: text/plain, Size: 50 bytes --]
.text
.global test
test:
ret
.end
[-- Attachment #4: tmp2-valid.S --]
[-- Type: text/plain, Size: 103 bytes --]
.section .note.GNU-stack,"",@progbits; .previous
.text
.global test
test:
ret
.end
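Added example (not part of the original message or its attachments): a Python version of the readelf check in [2], reading p_flags of the PT_GNU_STACK program header directly and reporting a third case that grep cannot show, a binary with no PT_GNU_STACK header at all. The names gnu_stack_status and sample_elf32 are assumptions made for this illustration, and the sample images are constructed.

```python
import struct

PT_GNU_STACK = 0x6474E551   # program header type, as defined in <elf.h>
PF_X = 0x1                  # execute bit in p_flags (the "E" in readelf's RWE)

def gnu_stack_status(data: bytes) -> str:
    """Return 'exec', 'noexec', or 'missing' (no PT_GNU_STACK header present)."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                    # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little endian, 2 = big
    if is64 and len(data) < 64:
        raise ValueError("truncated ELF64 header")
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + (8 if is64 else 28) > len(data):
            raise ValueError("truncated program header table")
        p_type, = struct.unpack_from(end + "I", data, off)
        if p_type != PT_GNU_STACK:
            continue
        # p_flags follows p_type in ELF64 but sits at offset 24 in ELF32
        p_flags, = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
        return "exec" if p_flags & PF_X else "noexec"
    return "missing"   # unmarked binary: the stack permission is not stated in the file

def sample_elf32(stack_flags=None):
    """Constructed image: ELF32 little-endian header plus an optional PT_GNU_STACK entry."""
    phdrs = b"" if stack_flags is None else struct.pack(
        "<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 4)
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, len(phdrs) // 32, 0, 0, 0)
    return ehdr + phdrs

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:              # e.g. every binary in a package
        with open(path, "rb") as f:
            print(path, gnu_stack_status(f.read()))
```

Run over a package's binaries, 'exec' corresponds to the RWE line shown above and 'noexec' to the RW line.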