diff options
| author | Brent Cook <busterb@gmail.com> | 2014-12-21 23:14:02 -0600 |
|---|---|---|
| committer | Brent Cook <bcook@openbsd.org> | 2014-12-22 23:04:47 -0600 |
| commit | 04158cd40e184e2325a7a0e5fef232cce038cc4b (patch) | |
| tree | 06f5f4b7ae29efbfe76a976754bd9124ad9e1d18 | |
| parent | 8c6c07c5ba7e4f862a4f70b2f1bf7c1fc7f968f2 (diff) | |
| download | portable-04158cd40e184e2325a7a0e5fef232cce038cc4b.tar.gz portable-04158cd40e184e2325a7a0e5fef232cce038cc4b.tar.bz2 portable-04158cd40e184e2325a7a0e5fef232cce038cc4b.zip | |
do not mark GNU_STACK WX in ELFs generated from assembly
When generating ELF objects from assembly, gcc and clang mark the
GNU_STACK program headers as RWX by default. This is a security issue,
so we make sure it is marked only RW.
This modifies Anthony G. Basile's original patch for Linux to set
.note.GNU-stack whenever the assembler supports it. It is surprising
that any modern toolchain would enable an executable stack without an
explicit request. The number of programs that need an executable stack
is surely much smaller than the number of programs that include assembly.
| -rw-r--r-- | configure.ac | 13 | ||||
| -rwxr-xr-x | update.sh | 10 |
2 files changed, 22 insertions, 1 deletions
diff --git a/configure.ac b/configure.ac index e56e39d..bdb015b 100644 --- a/configure.ac +++ b/configure.ac | |||
| @@ -57,7 +57,6 @@ AC_CHECK_FUNC([clock_gettime],, | |||
| 57 | AC_CHECK_FUNC([dl_iterate_phdr],, | 57 | AC_CHECK_FUNC([dl_iterate_phdr],, |
| 58 | [AC_SEARCH_LIBS([dl_iterate_phdr],[dl])]) | 58 | [AC_SEARCH_LIBS([dl_iterate_phdr],[dl])]) |
| 59 | 59 | ||
| 60 | AM_PROG_AS | ||
| 61 | AC_PROG_CC | 60 | AC_PROG_CC |
| 62 | AC_PROG_LIBTOOL | 61 | AC_PROG_LIBTOOL |
| 63 | AC_PROG_CC_STDC | 62 | AC_PROG_CC_STDC |
| @@ -73,6 +72,18 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], | |||
| 73 | ) | 72 | ) |
| 74 | CFLAGS="$save_cflags $AM_CFLAGS" | 73 | CFLAGS="$save_cflags $AM_CFLAGS" |
| 75 | 74 | ||
| 75 | save_cflags="$CFLAGS" | ||
| 76 | CFLAGS= | ||
| 77 | AC_MSG_CHECKING([whether AS supports .note.GNU-stack]) | ||
| 78 | AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ | ||
| 79 | __asm__(".section .note.GNU-stack,\"\",@progbits");]])], | ||
| 80 | [AC_MSG_RESULT([yes])] | ||
| 81 | [AM_CFLAGS=-DHAVE_GNU_STACK], | ||
| 82 | [AC_MSG_RESULT([no])] | ||
| 83 | ) | ||
| 84 | CFLAGS="$save_cflags $AM_CFLAGS" | ||
| 85 | AM_PROG_AS | ||
| 86 | |||
| 76 | AC_MSG_CHECKING([if compiling with clang]) | 87 | AC_MSG_CHECKING([if compiling with clang]) |
| 77 | AC_COMPILE_IFELSE([AC_LANG_PROGRAM([], [[ | 88 | AC_COMPILE_IFELSE([AC_LANG_PROGRAM([], [[ |
| 78 | #ifndef __clang__ | 89 | #ifndef __clang__ |
| @@ -125,10 +125,20 @@ $CP crypto/compat/ui_openssl_win.c crypto/ui | |||
| 125 | asm_src=$libssl_src/src/crypto | 125 | asm_src=$libssl_src/src/crypto |
| 126 | gen_asm_stdout() { | 126 | gen_asm_stdout() { |
| 127 | perl $asm_src/$2 $1 > $3.tmp | 127 | perl $asm_src/$2 $1 > $3.tmp |
| 128 | [[ $1 == "elf" ]] && cat <<-EOF >> $3.tmp | ||
| 129 | #if defined(HAVE_GNU_STACK) | ||
| 130 | .section .note.GNU-stack,"",%progbits | ||
| 131 | #endif | ||
| 132 | EOF | ||
| 128 | $MV $3.tmp $3 | 133 | $MV $3.tmp $3 |
| 129 | } | 134 | } |
| 130 | gen_asm() { | 135 | gen_asm() { |
| 131 | perl $asm_src/$2 $1 $3.tmp | 136 | perl $asm_src/$2 $1 $3.tmp |
| 137 | [[ $1 == "elf" ]] && cat <<-EOF >> $3.tmp | ||
| 138 | #if defined(HAVE_GNU_STACK) | ||
| 139 | .section .note.GNU-stack,"",%progbits | ||
| 140 | #endif | ||
| 141 | EOF | ||
| 132 | $MV $3.tmp $3 | 142 | $MV $3.tmp $3 |
| 133 | } | 143 | } |
| 134 | for abi in elf macosx; do | 144 | for abi in elf macosx; do |