From: Daniel Cegiełka
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: noexecstack
Date: Mon, 6 Aug 2012 09:16:10 +0200
To: musl@lists.openwall.com
Reply-To: musl@lists.openwall.com
In-Reply-To: <20120806144521.565b32cc@sibserver.ru>

2012/8/6 orc:
> On Sun, 5 Aug 2012 23:35:36 +0200
> Correct me if I'm wrong, but this is ugly stuff.
>
> - binutils ld has -z noexecstack command line option.
> - this (GNU_STACK) is binutils-specific (tinycc, for example, does not
>   generate ELFs with that section, and future direction should be on
>   that plain ELFs without any gnuish extensions IMO)
> - Kernel sets executable stack by default, kernel can be patched not to
>   do that (that's a one-line patch per architecture)

Can you give some example of how to do it? It might be worthwhile to
introduce it into the main repository of Linux. What do you think?

> - binutils can be patched to not produce ELFs with executable stack by
>   default
>
> While some of the options I listed here may harm some GCC or binutils
> internals (I don't know), I see a utility that comes with grsecurity
> patches (paxctl) that operates on that section (GNU_STACK), converting it
> into its own.
> I tested a system with patched binutils and kernel (but binutils patch
> here will be enough) without any problems.

It would be very nice if we could solve this problem in this way. I'm
currently using this patch, but this is not the best solution in my
opinion. Ideally if the system (kernel, binutils, libc) enforce
noexecstack by default... definitely worth looking closer at this issue.

Thanks,
Daniel