ExecutableStacks

Differences between revisions 3 and 25 (spanning 22 versions)
Revision 3 as of 2009-08-03 15:27:19
Size: 1833
Editor: 89
Comment:
Revision 25 as of 2009-08-06 09:27:14
Size: 2469
Editor: 89
Comment:
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
There are still some programs that have executable stack regions.
  * [[https://bugs.launchpad.net/ubuntu/+bugs?field.tag=execstack|open bugs in LP]]
  * check an ELF binary: "readelf -l $BIN | grep GNU_STACK" shows with "E" flag.
  * Gentoo write-up of what to do: http://www.gentoo.org/proj/en/hardened/gnu-stack.xml		 There are still some programs that have executable stack regions, which results in their being vulnerable to exploitation via stack memory. There are only a few very rare situations where executable stacks are actually desired, the rest are usually the result of lacking flags in assembly code or using nested functions (which are generally avoidable).
  * '''Detection''':
   * check an ELF binary: "readelf -lW $BIN | grep GNU_STACK" shows with "E" flag.
   * check a .o file: "scanelf -e $BIN | grep X".
  * '''Information''': Gentoo write-up about exec stack handling: http://www.gentoo.org/proj/en/hardened/gnu-stack.xml
  * '''Potential Solutions''':
   * fix assembly source by adding flags to assembler: {{{.section .note.GNU-stack, "", @progbits}}}
   * fix compiler's default when encountering unmarked assembly: {{{-Wl,-z,noexecstack}}} will change the [[http://sourceware.org/ml/binutils/2003-05/msg00741.html|behavior]] of compiler's asm-without-stack-markings defaults.
   * rework code to avoid using nested functions.
   * force markings into a safe state via "execstack -c $BINARY" during package build.
Line 9: Line 15:
== Fixed ==
 * [[https://launchpad.net/bugs/375121|zip]]
 * [[http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539775|bogl]]
 * [[https://launchpad.net/bugs/408499|mono]]
Line 10: Line 21:
Uses [[http://grub.enbug.org/NestedFunctions|Nested Functions]] which compiler generates as trampolines on the stack.    * bogl [[http://cvs.fedoraproject.org/viewvc//devel/bogl/bogl-0.1.18-noexecstack.patch?view=markup|patch]] Uses [[http://grub.enbug.org/NestedFunctions|Nested Functions]] which compiler generates as [[http://gcc.gnu.org/onlinedocs/gccint/Trampolines.html|trampolines]] on the stack.
Line 13: Line 23:
 * grub2  * grub2 [[http://savannah.gnu.org/bugs/?25220|upstream bug]]

== Trampolines ==
 * klibc (setjmp implementation)
 * kexec-tools (statically linked against klibc)

== Shipped Precompiled Binary ==
 * [[https://bugs.launchpad.net/bugs/409440|fglrx-installer]]
 * [[https://bugs.launchpad.net/bugs/409456|nvidia]]
  * nvidia-graphics-drivers-173
  * nvidia-graphics-drivers-180
  * nvidia-graphics-drivers-71
  * nvidia-graphics-drivers-96

== Unmarked Assembler ==
 * [[https://launchpad.net/bugs/409736|openjdk-6]]
Line 16: Line 41:
 * fglrx-installer
Line 22: Line 46:
 * mono
 * nvidia-graphics-drivers-173
 * nvidia-graphics-drivers-180
 * nvidia-graphics-drivers-71
 * nvidia-graphics-drivers-96
 * openjdk-6

== Harmless ==
 * kexec-tools
 * klibc
Line 34: Line 48:
 * http://cvs.fedoraproject.org/viewcvs/devel/gdk-pixbuf/gtk+-2.2.2-noexecstack.patch?view=markup
 * http://cvs.fedoraproject.org/viewcvs/devel/libdv/libdv-0.104-no-exec-stack.patch?view=markup
Line 37: Line 49:
 * http://cvs.fedoraproject.org/viewcvs/devel/net-tools/net-tools-1.60-execshield.patch?view=markup
 * http://cvs.fedoraproject.org/viewcvs/devel/net-tools/netplug-1.2.9-execshield.patch?view=markup
 * http://cvs.fedoraproject.org/viewcvs/devel/ocaml/ocaml-3.11-dev12-no-executable-stack.patch?view=markup
 * http://cvs.fedoraproject.org/viewcvs/devel/qimageblitz/qimageblitz-0.0.4-noexecstack.patch?view=markup

There are still some programs that have executable stack regions, which results in their being vulnerable to exploitation via stack memory. There are only a few very rare situations where executable stacks are actually desired, the rest are usually the result of lacking flags in assembly code or using nested functions (which are generally avoidable).

  • Detection:

    • check an ELF binary: "readelf -lW $BIN | grep GNU_STACK" shows with "E" flag.
    • check a .o file: "scanelf -e $BIN | grep X".

  • Information: Gentoo write-up about exec stack handling: http://www.gentoo.org/proj/en/hardened/gnu-stack.xml

  • Potential Solutions:

    • fix assembly source by adding flags to assembler: .section        .note.GNU-stack, "", @progbits

    • fix compiler's default when encountering unmarked assembly: -Wl,-z,noexecstack will change the behavior of compiler's asm-without-stack-markings defaults.

    • rework code to avoid using nested functions.
    • force markings into a safe state via "execstack -c $BINARY" during package build.

Main/Restricted Packages

Originally generated from the ELF files with executable stacks in Karmic main.

Fixed

Nested Functions

Uses Nested Functions which compiler generates as trampolines on the stack.

Trampolines

  • klibc (setjmp implementation)
  • kexec-tools (statically linked against klibc)

Shipped Precompiled Binary

  • fglrx-installer

  • nvidia

    • nvidia-graphics-drivers-173
    • nvidia-graphics-drivers-180
    • nvidia-graphics-drivers-71
    • nvidia-graphics-drivers-96

Unmarked Assembler

Unclassified

  • icon
  • john
  • link-grammar
  • mbr
  • memtest86+

Fedora Patches

SecurityTeam/Roadmap/ExecutableStacks (last edited 2017-08-22 14:25:31 by jdstrand)