Re: noexecstack

[orc <orc@sibserver.ru>]

On Mon, 6 Aug 2012 09:16:10 +0200
Daniel Cegiełka <daniel.cegielka@gmail.com> wrote:

> 2012/8/6 orc <orc@sibserver.ru>:
> > On Sun, 5 Aug 2012 23:35:36 +0200
> 
> > Correct me if I'm wrong, but this is ugly stuff.
> >
> > - binutils ld has -z noexecstack command line option.
> > - this (GNU_STACK) is binutils-specific (tinycc, for example, does
> > not generate ELFs with that section, and future direction should be
> > on that plain ELFs without any gnuish extensions IMO)
> > - Kernel sets executable stack by default, kernel can be patched
> > not to do that (that's one line patch per architecture)
> 
> Can you give some example of how to do it? It might be worthwhile to
> introduce it into the main repository of Linux. What do you think?

I used to set it globally for all archs directly in binfmt_elf.c (here
is a patch example):

diff -Naur linux-3.2.12.o/fs/binfmt_elf.c linux-3.2.12/fs/binfmt_elf.c
--- linux-3.2.12.o/fs/binfmt_elf.c	2012-03-20 00:03:17.000000000
+0800 +++ linux-3.2.12/fs/binfmt_elf.c	2012-08-06
15:41:51.774013640 +0800 @@ -571,7 +571,7 @@
 	unsigned long interp_load_addr = 0;
 	unsigned long start_code, end_code, start_data, end_data;
 	unsigned long reloc_func_desc __maybe_unused = 0;
-	int executable_stack = EXSTACK_DEFAULT;
+	int executable_stack = EXSTACK_DISABLE_X;
 	unsigned long def_flags = 0;
 	struct {
 		struct elfhdr elf_ex;

This is a hack, and maybe executable_stack maybe set elsewhere. I did
not tried to trace that code. But it works (of course ELFs marked to be
with execstack will crash).
I think this may have benefits, but it always was controlled in
userspace, kernel defaults to executable stack because there are some
other compilers can be that may rely on this default. I tested tinycc,
it has no any issues (i.e. generates code that does not need executable
stack, and does not generates GNU_STACK extended section)

> 
> > - binutils can be patched to not produce ELFs with executable stack
> > by default
> >
> > While some of options I listed here may harm some GCC or binutils
> > internals (I don't know), I see an utility that comes with
> > grsecurity patches (paxctl) that operates that section (GNU_STACK),
> > converting it into it's own.
> > I tested a system with patched binutils and kernel (but binutils
> > patch here will be enough) without any problems.
> 
> It would be very nice if we could solve this problem in this way. I'm
> currently using this patch, but this is not the best solution in my
> opinion. Ideally if the system (kernel, binutils, libc) enforce
> noexecstack by default... definitely worth look closer at this issue.

Consider this patch as enforcing binutils' noexecstack by default:

diff -Naur binutils-2.17.50.0.17.o/ld/ldmain.c
binutils-2.17.50.0.17/ld/ldmain.c ---
binutils-2.17.50.0.17.o/ld/ldmain.c	2007-06-19
01:31:40.000000000 +0800 +++ binutils-2.17.50.0.17/ld/ldmain.c
2012-08-03 19:59:26.658980680 +0800 @@ -281,6 +281,8 @@
link_info.pei386_auto_import = -1; link_info.spare_dynamic_tags = 5;
   link_info.sharable_sections = FALSE;
+  link_info.execstack = FALSE;
+  link_info.noexecstack = TRUE;
 
   ldfile_add_arch ("");
   emulation = get_emulation (argc, argv);

(this one for binutils 2.17.50.0.17, recent maybe patched with finding
where link_info is initialized and appending this two lines)

GCC generates same .note.GNU-stack section definition in it's asm
output, as seen in your patch, but I don't know when it needs
executable stack and generates another definition.

libc plays no role here at enforcing executable stacks last time I
checked. It does some initialization of memory permissions in dynamic
linker, but better to ask Rich about that code.

Applying kernel patch may render your existing systems unbootable if it
is not glibc system.


If you don't want to patch and rebuild binutils and kernel, then the
best way to enforce noexecstack notes into ELFs is passing this command
line opts:

gcc: gcc -Wl,-z -Wl,noexecstack [the rest here...]
ld: ld -z noexecstack [...]

> Thanks,
> Daniel