[Secure-testing-team] Bug#797375: general: default build options turn off stack protections
Richard Jasmin
frazzledjazz at gmail.com
Sun Aug 30 07:12:41 UTC 2015
Package: general
Severity: grave
Tags: upstream security patch
Justification: user security hole
I noticed this when doing my homework to see what build options are defaults
and why.
We should do a review here on packages. It seems we MAY have overlooked
something SERIOUS.
Loads of people optimize code with -O2 or -O3 (Free Pascal goes one step
further: -O4) and that is generally accepted practice. But there is one
significant problem in doing so, at least with C/C++ code. (I don't think
(Free)Pascal apps are affected this way; if you can prove me wrong, please do
so. (Free)Pascal apps are strictly type and resource checked long before
linking.)
**WE OMIT the FRAME POINTER necessary for STACK protections to properly work.
As far as I know and have seen data on, this is causing a silent stack
protection failure on build. Stack protections are simply turned off as their
dependency (the frame pointer) just isn't there.
Yes, there is a way to fix this.
use this:
--enable-frame-pointer
As far as I can tell, ALL C/C++ apps are built with at least -O2 optimizations,
which BY DEFAULT OMITS the frame pointer. I have yet to see a Makefile that
turns it back on, even though it is really needed to prevent the stack from being
overwritten. As we know, there are vulnerable stack and libc jumps that
basically allow arbitrary commands to be run and root access to be gained.
Why C/C++ have not prevented this sort of behaviour REALLY IRKS me. If you only
have 64 chars to write, why ever allow more than that to be written?
BUT C/C++ DOES ALLOW it.
This is despite use of NX bits. (Which are really only an x86-64/i386 (Pentium
4+?) method anyway....)
I'm no expert on disassembly here but could check some apps here if you like.
The check-security script floating around may help. This may be a moot point,
but it is well worth noting. Maybe we can wake up some app devs with this.
-- System Information:
Debian Release: 8.1
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: checksec.sh
Type: text/x-shellscript
Size: 27095 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20150830/cd9a4c8a/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Makefile
Type: text/x-makefile
Size: 92280 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20150830/cd9a4c8a/attachment-0003.bin>
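The verification step the report leaves to the reader, as an added example that is not part of the report, of the attached checksec.sh, or of any Debian tooling: a POSIX shell script that compiles a constructed function with a 64-byte local buffer under several optimisation and stack-protector flag sets and reports, from the generated assembly, whether the `__stack_chk_fail` canary check is emitted and whether an x86-64 frame-pointer prologue (`push %rbp; mov %rsp,%rbp`) appears. `CC` defaulting to `cc`, the probe source and the flag sets are assumptions, and the frame-pointer pattern is x86-64-specific.

```shell
#!/bin/sh
# Added example (not from the bug report or checksec.sh): compile a probe
# function under several flag sets and inspect the assembler output for the
# stack-protector canary check and for a frame-pointer prologue.
CC="${CC:-cc}"   # assumption: a gcc/clang-compatible compiler on PATH

# Constructed probe: a 64-byte char array is the classic protector trigger.
write_probe() {
    cat > "$1" <<'EOF'
#include <stdio.h>
#include <string.h>
void copy(const char *s) {
    char buf[64];
    strcpy(buf, s);
    puts(buf);
}
EOF
}

# probe_asm OUT.s SRC.c FLAGS... : emit assembly only, no object or link step
probe_asm() {
    out="$1"; src="$2"; shift 2
    "$CC" -S -o "$out" "$@" "$src" 2>/dev/null
}

# has_canary FILE.s : success if the canary failure handler is referenced
has_canary() { grep -q '__stack_chk_fail' "$1"; }

# has_frame_pointer FILE.s : success if the x86-64 frame-pointer prologue is
# present (heuristic; other architectures always report "no")
has_frame_pointer() {
    grep -Eq 'pushq?[[:space:]]+%rbp' "$1" &&
    grep -Eq 'movq?[[:space:]]+%rsp,[[:space:]]*%rbp' "$1"
}

# report "FLAGS" : prints "canary=yes|no fp=yes|no" for that flag set
report() {
    tmp=$(mktemp -d) || return 1
    write_probe "$tmp/probe.c"
    # $1 is intentionally unquoted so the flag string splits into arguments
    probe_asm "$tmp/probe.s" "$tmp/probe.c" $1 || { rm -rf "$tmp"; return 1; }
    if has_canary "$tmp/probe.s"; then c=yes; else c=no; fi
    if has_frame_pointer "$tmp/probe.s"; then f=yes; else f=no; fi
    rm -rf "$tmp"
    printf 'canary=%s fp=%s\n' "$c" "$f"
}

main() {
    for flags in \
        "-O0 -fstack-protector" \
        "-O2 -fstack-protector" \
        "-O2 -fomit-frame-pointer -fstack-protector-strong" \
        "-O2 -fno-omit-frame-pointer -fstack-protector" \
        "-O2 -fno-stack-protector"
    do
        printf '%-52s %s\n' "$flags" "$(report "$flags")"
    done
}

if command -v "$CC" >/dev/null 2>&1; then
    main
else
    echo "no C compiler ($CC) found; nothing to probe" >&2
fi
```

Run it on the build host whose defaults are in question; the first column is the flag set and the second what the assembler output shows. Comparing the `-fomit-frame-pointer` and `-fno-omit-frame-pointer` rows for the same protector flag tells you, for that toolchain, whether the canary check depends on the frame pointer, which is the claim a packager would want to settle before changing dpkg-buildflags.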