ExecutableStacks

Differences between revisions 1 and 27 (spanning 26 versions)
Revision 1 as of 2009-08-03 15:21:48
Size: 1478
Editor: 89
Comment:
Revision 27 as of 2009-08-06 10:04:28
Size: 2619
Editor: 89
Comment:
Line 1: Line 1:
There are still some programs that have executable stack regions, which leaves them open to exploitation by code placed on the stack. There are only a few very rare situations where executable stacks are actually desired; the rest are usually the result of missing stack-marking flags in assembly code or of using nested functions (which are generally avoidable).
  * '''Detection''':
   * check an ELF binary: "readelf -lW $BIN | grep GNU_STACK"; the GNU_STACK line shows an "E" flag when the stack is executable.
   * check a .o file: "scanelf -e $BIN | grep X".
  * '''Information''': Gentoo write-up about exec stack handling: http://www.gentoo.org/proj/en/hardened/gnu-stack.xml
  * '''Potential Solutions''':
   * fix assembly source by adding flags to assembler: {{{.section .note.GNU-stack, "", @progbits}}}
   * fix compiler's default when encountering unmarked assembly: {{{-Wl,-z,noexecstack}}} will change the [[http://sourceware.org/ml/binutils/2003-05/msg00741.html|behavior]] of compiler's asm-without-stack-markings defaults.
   * rework code to avoid using nested functions.
   * force markings into a safe state via "execstack -c $BINARY" during package build.

= Main/Restricted Packages =
Line 3: Line 15:
== Fixed ==
 * [[https://launchpad.net/bugs/375121|zip]] (unmarked asm)
 * [[http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539775|bogl]] (nested function)
 * [[https://launchpad.net/bugs/408499|mono]] (unmarked asm)
Line 4: Line 21:
Uses [[http://grub.enbug.org/NestedFunctions|Nested Functions]], for which the compiler generates trampolines on the stack.
 * bogl [[http://cvs.fedoraproject.org/viewvc//devel/bogl/bogl-0.1.18-noexecstack.patch?view=markup|patch]] Uses [[http://grub.enbug.org/NestedFunctions|Nested Functions]], for which the compiler generates [[http://gcc.gnu.org/onlinedocs/gccint/Trampolines.html|trampolines]] on the stack.
Line 7: Line 23:
 * grub2
 * grub2 [[http://savannah.gnu.org/bugs/?25220|upstream bug]]
 * [[https://launchpad.net/bugs/409766|link-grammar]]
 * mbr
 * icon
Line 9: Line 28:
== Unclassified ==
 * fglrx-installer
 * icon
== Trampolines ==
 * klibc (setjmp implementation)
 * kexec-tools (statically linked against klibc)

== Shipped Precompiled Binary ==
 * [[https://bugs.launchpad.net/bugs/409440|fglrx-installer]]
 * [[https://bugs.launchpad.net/bugs/409456|nvidia]]
  * nvidia-graphics-drivers-173
  * nvidia-graphics-drivers-180
  * nvidia-graphics-drivers-71
  * nvidia-graphics-drivers-96

== Unmarked Assembler ==
 * [[https://launchpad.net/bugs/409736|openjdk-6]]
Line 13: Line 43:
 * link-grammar
 * mbr
 * memtest86+
 * mono
 * nvidia-graphics-drivers-173
 * nvidia-graphics-drivers-180
 * nvidia-graphics-drivers-71
 * nvidia-graphics-drivers-96
 * openjdk-6
Line 23: Line 44:
== Harmless ==
 * kexec-tools
 * klibc
== No Stack Section ==
 * memtest86+ (is a boot-loaded ELF, not a big deal)
Line 27: Line 47:
= Fedora Patches =
 * http://cvs.fedoraproject.org/viewcvs/devel/gdk-pixbuf/gtk+-2.2.2-noexecstack.patch?view=markup
 * http://cvs.fedoraproject.org/viewcvs/devel/libdv/libdv-0.104-no-exec-stack.patch?view=markup
= Fedora Patches for universe packages =
Line 31: Line 49:
 * http://cvs.fedoraproject.org/viewcvs/devel/net-tools/net-tools-1.60-execshield.patch?view=markup
 * http://cvs.fedoraproject.org/viewcvs/devel/net-tools/netplug-1.2.9-execshield.patch?view=markup
 * http://cvs.fedoraproject.org/viewcvs/devel/ocaml/ocaml-3.11-dev12-no-executable-stack.patch?view=markup
 * http://cvs.fedoraproject.org/viewcvs/devel/qimageblitz/qimageblitz-0.0.4-noexecstack.patch?view=markup

There are still some programs that have executable stack regions, which leaves them open to exploitation by code placed on the stack. There are only a few very rare situations where executable stacks are actually desired; the rest are usually the result of missing stack-marking flags in assembly code or of using nested functions (which are generally avoidable).

  • Detection:
    • check an ELF binary: "readelf -lW $BIN | grep GNU_STACK"; the GNU_STACK line shows an "E" flag when the stack is executable.
    • check a .o file: "scanelf -e $BIN | grep X".
  • Information: Gentoo write-up about exec stack handling: http://www.gentoo.org/proj/en/hardened/gnu-stack.xml
  • Potential Solutions:
    • fix assembly source by adding the stack-marking section for the assembler: .section .note.GNU-stack, "", @progbits
    • fix compiler's default when encountering unmarked assembly: -Wl,-z,noexecstack will change the behavior of compiler's asm-without-stack-markings defaults.
    • rework code to avoid using nested functions.
    • force markings into a safe state via "execstack -c $BINARY" during package build.
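The two detection commands above both read the same ELF metadata: `readelf -lW` looks for a `PT_GNU_STACK` program header and reports its flags, and `scanelf -e` on a `.o` looks for the `.note.GNU-stack` section that the assembler directive emits. The following Python script is an added example, not code from the wiki or from any of the projects listed here; it parses those structures directly from a little-endian ELF64 image so the check can be run on any platform, and it builds constructed in-memory ELF images (not real binaries) for demonstration. Function names such as `stack_status`, `object_note_status` and `make_elf` are this example's own.

```python
import struct
import sys

# Constants from the ELF specification and the GNU stack-marking extension.
PT_GNU_STACK = 0x6474E551   # program header type carrying the stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
SHT_NULL, SHT_PROGBITS, SHT_STRTAB = 0, 1, 3
SHF_EXECINSTR = 0x4         # section flag: contains executable instructions
GNU_STACK_NOTE = ".note.GNU-stack"

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")            # Elf64_Phdr
SHDR = struct.Struct("<IIQQQQIIQQ")          # Elf64_Shdr


def parse_elf64(data: bytes):
    """Return (program headers, section headers, shstrtab bytes) of an ELF64 LE image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (_ident, _type, _machine, _ver, _entry, phoff, shoff, _flags, _ehsize,
     phentsize, phnum, shentsize, shnum, shstrndx) = EHDR.unpack_from(data, 0)
    phdrs = [PHDR.unpack_from(data, phoff + i * phentsize) for i in range(phnum)]
    shdrs = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    shstrtab = b""
    if shdrs:
        off, size = shdrs[shstrndx][4], shdrs[shstrndx][5]
        shstrtab = data[off:off + size]
    return phdrs, shdrs, shstrtab


def stack_status(data: bytes) -> str:
    """What `readelf -lW BIN | grep GNU_STACK` tells you: is the stack marked executable?"""
    phdrs, _, _ = parse_elf64(data)
    for p_type, p_flags, *_ in phdrs:
        if p_type == PT_GNU_STACK:
            return "executable" if p_flags & PF_X else "non-executable"
    # No PT_GNU_STACK at all: the kernel applies its architecture default,
    # which historically meant an executable stack on x86.
    return "missing"


def object_note_status(data: bytes) -> str:
    """What `scanelf -e OBJ` tells you for a .o: is .note.GNU-stack present, and is it X?"""
    _, shdrs, shstrtab = parse_elf64(data)
    for sh_name, _sh_type, sh_flags, *_ in shdrs:
        name = shstrtab[sh_name:shstrtab.find(b"\0", sh_name)].decode()
        if name == GNU_STACK_NOTE:
            return "executable" if sh_flags & SHF_EXECINSTR else "non-executable"
    # Unmarked object (the "unmarked asm" case): the linker assumes it needs an
    # executable stack unless linked with -z noexecstack.
    return "missing"


def make_elf(stack_flags=None, note_flags=None) -> bytes:
    """Constructed minimal ELF64 image for demonstration only (not a real binary).

    stack_flags: p_flags for a PT_GNU_STACK header, or None to omit the header.
    note_flags:  sh_flags for a .note.GNU-stack section, or None to omit the section.
    """
    phdrs = PHDR.pack(PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16) if stack_flags is not None else b""
    body = b""
    shoff = shnum = shstrndx = 0
    if note_flags is not None:
        shstrtab = b"\0" + GNU_STACK_NOTE.encode() + b"\0.shstrtab\0"
        shstr_off = EHDR.size + len(phdrs)
        shoff = shstr_off + len(shstrtab)
        shdrs = (SHDR.pack(0, SHT_NULL, 0, 0, 0, 0, 0, 0, 0, 0)
                 + SHDR.pack(1, SHT_PROGBITS, note_flags, 0, shoff, 0, 0, 0, 1, 0)
                 + SHDR.pack(1 + len(GNU_STACK_NOTE) + 1, SHT_STRTAB, 0, 0,
                             shstr_off, len(shstrtab), 0, 0, 1, 0))
        body = shstrtab + shdrs
        shnum, shstrndx = 3, 2
    ehdr = EHDR.pack(b"\x7fELF\x02\x01\x01" + b"\0" * 9, 1, 62, 1, 0,
                     EHDR.size if phdrs else 0, shoff, 0, EHDR.size, PHDR.size,
                     1 if phdrs else 0, SHDR.size, shnum, shstrndx)
    return ehdr + phdrs + body


if __name__ == "__main__":
    # Usage: python3 gnustack_check.py /path/to/binary_or_object ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        print(f"{path}: GNU_STACK={stack_status(blob)} .note.GNU-stack={object_note_status(blob)}")
```

For a linked executable the `PT_GNU_STACK` result is the one that matters (the kernel reads it at exec time); for a `.o` the section result is what the linker will merge, and "missing" there is exactly the "unmarked asm" condition the package lists above describe.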

Main/Restricted Packages

Originally generated from the ELF files with executable stacks in Karmic main.

Fixed

  • zip (unmarked asm)

  • bogl (nested function)

  • mono (unmarked asm)

Nested Functions

Uses nested functions, for which the compiler generates trampolines on the stack.

Trampolines

  • klibc (setjmp implementation)
  • kexec-tools (statically linked against klibc)

Shipped Precompiled Binary

  • fglrx-installer

  • nvidia

    • nvidia-graphics-drivers-173
    • nvidia-graphics-drivers-180
    • nvidia-graphics-drivers-71
    • nvidia-graphics-drivers-96

Unmarked Assembler

No Stack Section

  • memtest86+ (is a boot-loaded ELF, not a big deal)

Fedora Patches for universe packages

SecurityTeam/Roadmap/ExecutableStacks (last edited 2017-08-22 14:25:31 by jdstrand)