Re: execlineb ELF executable stack on Linux

From: Xavier Stonestreet <xstonestreet_at_gmail.com>
Date: Fri, 9 Apr 2021 15:35:33 +0200

On Fri, Apr 9, 2021 at 5:06 AM Laurent Bercot <ska-skaware_at_skarnet.org> wrote:
>
> To make things perfectly clear: the modification I pushed to git also
> applies to the ld invocations creating shared libraries, including
> libskarnet.so. So with that change, skalibs or libutmps will not
> pollute anything else. ;)

Sounds good. However I'm afraid that doesn't fix the problem for the
few of us who statically link with skarnet libraries.

ld -noexecstack is a blunt tool that works after the fact, like the
execstack(8) tool
(<https://man7.org/linux/man-pages/man8/execstack.8.html>). It's
mainly intended to be used when the source code to the library, or
executable, respectively, is not available.

For anyone out there who may be interested in addressing the root
cause of the issue, I did some more investigation and the problem lies
in the Makefile's strip instructions which remove the GNU-stack
section from the object files. Without the GNU-stack section the
linker reverts to its backwards-compatible default which is to make
the stack executable. Here is a patch to fix skalibs' Makefile for
example:

--- skalibs-2.10.0.2/Makefile 2020-01-27 17:20:44.000000000 +0100
+++ skalibs-2.10.0.2/Makefile.new 2021-04-09 15:03:17.811582318 +0200
_at_@ -70,10 +70,10 @@

 strip: $(ALL_LIBS)
 ifneq ($(strip $(STATIC_LIBS)),)
- exec $(STRIP) -x -R .note -R .comment -R .note.GNU-stack $(STATIC_LIBS)
+ exec $(STRIP) -x -R .note -R .comment $(STATIC_LIBS)
 endif
 ifneq ($(strip $(SHARED_LIBS)),)
- exec $(STRIP) -R .note -R .comment -R .note.GNU-stack $(SHARED_LIBS)
+ exec $(STRIP) -R .note -R .comment $(SHARED_LIBS)
 endif

 install: install-data install-sysdeps install-dynlib install-lib
install-include
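
Review bot: the two recipes under `strip:` drop `-R .note.GNU-stack` without a comment recording why that section is now deliberately kept, so a later cleanup could quietly put the flag back. A one-line comment above the target (for example "# keep .note.GNU-stack: without it the linker defaults to an executable stack") would document the intent. The message says the same edit is needed in the other skarnet Makefiles, which this hunk does not cover. As archived, the hunk header reads `_at_@` and the trailing `install:` context line is wrapped onto two lines, so the patch will not apply as-is and should be resent unwrapped or as an attachment.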

--
The same change needs to be applied to all skarnet Makefiles.

Personally I just use strip --unneeded when I manually strip libraries
and executables, statically or dynamically linked. This lets binutils
figure out the details of what the (dynamic) linker actually needs,
without requiring me to have any understanding of what the heck all
those details are. This is also what libtool does, and although
libtool is not the best tool in the world, it's pretty widely used
without issues. This option may not be portable, however; I don't know.

Hope this helps, FWIW.
Received on Fri Apr 09 2021 - 13:35:33 UTC

This archive was generated by hypermail 2.3.0 : Sun May 09 2021 - 19:38:49 UTC