FS#26458 - [namcap] Warn when stack is executable in ELF
Attached to Project:
Arch Linux
Opened by Sverd Johnsen (sjohnsen) - Saturday, 15 October 2011, 16:18 GMT
Last edited by Rémy Oudompheng (remyoudompheng) - Saturday, 04 February 2012, 13:16 GMT
Opened by Sverd Johnsen (sjohnsen) - Saturday, 15 October 2011, 16:18 GMT
Last edited by Rémy Oudompheng (remyoudompheng) - Saturday, 04 February 2012, 13:16 GMT
|
Details
Please throw a warning if a ELF file has a executable stack.
(RWE)
Example output: # readelf -l usr/lib/libgnutls.so.28.2.0 <cut> Program Headers: Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align LOAD 0x000000 0x00000000 0x00000000 0xe60b4 0xe60b4 R E 0x1000 LOAD 0x0e6d70 0x000e7d70 0x000e7d70 0x04ea4 0x05a88 RW 0x1000 DYNAMIC 0x0eacac 0x000ebcac 0x000ebcac 0x00118 0x00118 RW 0x4 NOTE 0x000114 0x00000114 0x00000114 0x00024 0x00024 R 0x4 GNU_EH_FRAME 0x0cdd54 0x000cdd54 0x000cdd54 0x03a54 0x03a54 R 0x4 GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4 <---------------- Should be RW GNU_RELRO 0x0e6d70 0x000e7d70 0x000e7d70 0x04290 0x04290 R 0x1 <cut> Or using the execstack utility from prelink: # execstack usr/lib/libgnutls* - usr/lib/libgnutls-extra.so - usr/lib/libgnutls-extra.so.28 - usr/lib/libgnutls-extra.so.28.2.0 - usr/lib/libgnutls-openssl.so - usr/lib/libgnutls-openssl.so.27 - usr/lib/libgnutls-openssl.so.27.0.1 X usr/lib/libgnutls.so X usr/lib/libgnutls.so.28 X usr/lib/libgnutls.so.28.2.0 - usr/lib/libgnutlsxx.so - usr/lib/libgnutlsxx.so.28 - usr/lib/libgnutlsxx.so.28.0.0 Applications that link against libraries with an executable stack will NOT work on hardened systems. Besides that, it's bad and bugs should be filed against the upstream project if the usual fixes* do not work. * Adding -Wa,--noexecstack to CFLAGS and/or using -Wl,-z,noexecstack linker flag, whatever works. |
This task depends upon
Closed by Rémy Oudompheng (remyoudompheng)
Saturday, 04 February 2012, 13:16 GMT
Reason for closing: Implemented
Additional comments about closing: features in 3.2.2
Saturday, 04 February 2012, 13:16 GMT
Reason for closing: Implemented
Additional comments about closing: features in 3.2.2
https://bugs.archlinux.org/task/26457
https://bugs.archlinux.org/task/24694
https://bugs.archlinux.org/task/12434