Bug#543451: needlessly executable stack

Solar Designer solar at openwall.com
Tue Aug 25 12:52:06 UTC 2009


Hi Kees,

On Mon, Aug 24, 2009 at 07:04:01PM -0700, Kees Cook wrote:
> It seems that john is built (in some situation) against assembly code that
> lacks stack markings[1].  This results in the entire program being built
> with an executable stack.
> 
> The attached patch solves this by adding a default ASFLAGS option to turn
> off executable stacks when assembling.

Yes, I am aware of this issue - for some years now, in fact.  I did not
fix it yet because I was worried that the proposed fixes would break
portability to some older and/or non-Linux systems, and I did not have
time to check (had more important stuff to do).  Well, I checked the
.section approach as used by Gentoo on an 11-year-old Linux system
just recently - and it worked (in the sense that it did not break the
compile).  So I think I will just use it with a proper #ifdef.

As to the ASFLAGS change, it does break things on this same ancient system:

gcc -c -Wa,--noexecstack x86.S
/usr/i486-linux/bin/as: unrecognized option `--noexecstack'

GNU assembler version 980303 (i586-linux), using BFD version 2.8.1.0.23

Meanwhile, it is up to you to choose any of these approaches for the
Debian and Ubuntu packages.

On a related note, I think that exec-shield lacks an enforcing mode
(sysctl'able) where it would ignore those flags, because most binaries
that it treats as potentially requiring executable stack actually don't.

Thanks,

Alexander





More information about the Pkg-john-devel mailing list