ExecutableStacks

Differences between revisions 1 and 20 (spanning 19 versions)
Revision 1 as of 2009-08-03 15:21:48
Size: 1478
Editor: 89
Comment:
Revision 20 as of 2009-08-06 08:27:58
Size: 3093
Editor: 89
Comment:
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
There are still some programs that have executable stack regions, which results in their being vulnerable to exploitation via stack memory. There are only a few very rare situations where executable stacks are actually desired, the rest are usually the result of lacking flags in assembly code or using nested functions (which are generally avoidable).
  * '''Detection''':
   * check an ELF binary: "readelf -lW $BIN | grep GNU_STACK" shows with "E" flag.
   * check a .o file: "scanelf -qe $BIN" shows with "X" flag.
  * '''Information''': Gentoo write-up about exec stack handling: http://www.gentoo.org/proj/en/hardened/gnu-stack.xml
  * '''Potential Solutions''':
   * fix assembly source by adding flags to assembler: {{{.section .note.GNU-stack, "", @progbits}}}
   * fix compiler's default when encountering unmarked assembly: {{{-Wl,-z,noexecstack}}} will change the [[http://sourceware.org/ml/binutils/2003-05/msg00741.html|behavior]] of compiler's asm-without-stack-markings defaults.
   * rework code to avoid using nested functions.
   * force markings into a safe state via "execstack -c $BINARY" during package build.

= Main/Restricted Packages =
Line 3: Line 15:
== Fixed ==
 * [[https://launchpad.net/bugs/375121|zip]]
 * [[http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539775|bogl]]
 * [[https://launchpad.net/bugs/408499|mono]]
Line 4: Line 21:
Uses [[http://grub.enbug.org/NestedFunctions|Nested Functions]] which compiler generates as trampolines on the stack.    * bogl [[http://cvs.fedoraproject.org/viewvc//devel/bogl/bogl-0.1.18-noexecstack.patch?view=markup|patch]] Uses [[http://grub.enbug.org/NestedFunctions|Nested Functions]] which compiler generates as [[http://gcc.gnu.org/onlinedocs/gccint/Trampolines.html|trampolines]] on the stack.
Line 7: Line 23:
 * grub2  * grub2 [[http://savannah.gnu.org/bugs/?25220|upstream bug]]

== Trampolines ==
 * klibc (setjmp implementation)
 * kexec-tools (statically linked against klibc)

== Shipped Precompiled Binary ==
 * [[https://bugs.launchpad.net/bugs/409440|fglrx-installer]]
 * [[https://bugs.launchpad.net/bugs/409456|nvidia]]
  * nvidia-graphics-drivers-173
  * nvidia-graphics-drivers-180
  * nvidia-graphics-drivers-71
  * nvidia-graphics-drivers-96

== Unmarked Assembler ==
 * [[https://launchpad.net/bugs/409736|openjdk-6]]
Line 10: Line 41:
 * fglrx-installer
Line 16: Line 46:
 * mono
 * nvidia-graphics-drivers-173
 * nvidia-graphics-drivers-180
 * nvidia-graphics-drivers-71
 * nvidia-graphics-drivers-96
 * openjdk-6

== Harmless ==
 * kexec-tools
 * klibc

There are still some programs that have executable stack regions, which results in their being vulnerable to exploitation via stack memory. There are only a few very rare situations where executable stacks are actually desired, the rest are usually the result of lacking flags in assembly code or using nested functions (which are generally avoidable).

  • Detection:

    • check an ELF binary: "readelf -lW $BIN | grep GNU_STACK" shows with "E" flag.
    • check a .o file: "scanelf -qe $BIN" shows with "X" flag.

  • Information: Gentoo write-up about exec stack handling: http://www.gentoo.org/proj/en/hardened/gnu-stack.xml

  • Potential Solutions:

    • fix assembly source by adding flags to assembler: .section        .note.GNU-stack, "", @progbits

    • fix compiler's default when encountering unmarked assembly: -Wl,-z,noexecstack will change the behavior of compiler's asm-without-stack-markings defaults.

    • rework code to avoid using nested functions.
    • force markings into a safe state via "execstack -c $BINARY" during package build.

Main/Restricted Packages

Originally generated from the ELF files with executable stacks in Karmic main.

Fixed

Nested Functions

Uses Nested Functions which compiler generates as trampolines on the stack.

Trampolines

  • klibc (setjmp implementation)
  • kexec-tools (statically linked against klibc)

Shipped Precompiled Binary

  • fglrx-installer

  • nvidia

    • nvidia-graphics-drivers-173
    • nvidia-graphics-drivers-180
    • nvidia-graphics-drivers-71
    • nvidia-graphics-drivers-96

Unmarked Assembler

Unclassified

  • icon
  • john
  • link-grammar
  • mbr
  • memtest86+

Fedora Patches

SecurityTeam/Roadmap/ExecutableStacks (last edited 2017-08-22 14:25:31 by jdstrand)