Re: [gentoo-hardened] 2.6.27-hardened-r8: assassination

public inbox for gentoo-hardened@lists.gentoo.org
 help / color / mirror / Atom feed

From: pageexec@freemail.hu
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] 2.6.27-hardened-r8: assassination
Date: Wed, 09 Mar 2011 11:03:45 +0200	[thread overview]
Message-ID: <4D775081.26078.50332CF5@pageexec.freemail.hu> (raw)
In-Reply-To: <AANLkTi=Gp5A7mDLbbobp8_Z9-_A=NTFCmcyiYu+g-BQE@mail.gmail.com>

On 8 Mar 2011 at 15:55, Mike Frysinger wrote:

> On Tue, Mar 8, 2011 at 3:49 PM, Anthony G. Basile wrote:
> > Nothing to say that Mike hasn't already said.  pipacs knows about this
> > but what can he do?  Good luck with upstream glibc.  Next time I speak
> > with pipacs I can bring it up, see if anything is changing.  I doubt it.
>
> if there is a real bug in glibc that drepper is ignoring, that doesnt
> mean we cant merge it into Gentoo's glibc.  hence open a bug in
> bugs.g.o with the patch for me to review.

it's not just a glibc bug, it's the whole shit concept of GNU_STACK and
all it brings with it, see my Nth explanation here:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611195#10

i can (and do) disable GNU_STACK handling in PaX, but userland is out of
my reach (well, technically i could do even that by hacking the page cache
but that's too ugly to even consider). so as far as i'm concerned, you have
the following choices in order of preference:

1. disable GNU_STACK processing (mostly in ld.so i think)
   - this should solve all current and future problems but it won't be a
     one-liner patch

2. fix at least the mprotect return value checks in ld.so
   - the patch is in the glibc bugzilla
   - this fixes only the segfaults, it won't let these app to work under PaX,
   - actually, you could modify the patch and on the first mprotect failure
     you can just not attempt the write to that relro variable (and not bother
     with the second mprotect obviously), that should then let the library load
     too (elsewhere gentoo already fixed the stack mprotect code and ignores
     *its* mprotect failures under PaX)

3. execstack -c affected libs/binaries from portage
   - at install time we can detect (and already do, iirc) RWE GNU_STACK headers
   - if such a GNU_STACK header is really needed, i.e., the given app/lib does
     need an executable stack (nested function trampolines are emulated under
     PaX so they just need EMUTRAMP enabled on the app) then disable MPROTECT
     on the app (and for libs, all apps using the given lib)
   - if the RWE GNU_STACK header is a false positive, either fix the app (if we
     have source code) or execstack -c for binaries.
   - this is again quite some work

next prev parent reply	other threads:[~2011-03-09 11:03 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-03-06  3:57 [gentoo-hardened] 2.6.27-hardened-r8: assassination Alex Efros
2009-03-06  7:11 ` Alex Efros
2009-03-06  7:15 ` pageexec
2009-03-06 15:13   ` Alex Efros
2009-03-06 17:28     ` pageexec
2009-03-06 21:51       ` Alex Efros
2009-03-06 21:12         ` pageexec
2009-03-06 22:57           ` Alex Efros
2009-03-06 23:25             ` Ned Ludd
2009-03-06 23:46               ` Alex Efros
2009-03-19 14:50                 ` pageexec
2009-03-19 16:46                   ` John Eckhart
2009-03-20 22:31                     ` pageexec
2009-03-21 15:12                       ` atoth
2011-03-08 18:40               ` Alex Efros
2011-03-08 19:05                 ` Mike Frysinger
2011-03-08 19:52                   ` Alex Efros
2011-03-08 20:01                     ` Mike Frysinger
2011-03-08 20:48                     ` klondike
2011-03-08 20:49                   ` Anthony G. Basile
2011-03-08 20:55                     ` Mike Frysinger
2011-03-09  9:03                       ` pageexec [this message]
2011-03-10 20:30                         ` Anthony G. Basile
2011-03-10 20:39                         ` Anthony G. Basile
2011-03-08 21:07                     ` Alex Efros
2011-03-09 13:07                 ` med

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4D775081.26078.50332CF5@pageexec.freemail.hu \
    --to=pageexec@freemail.hu \
    --cc=gentoo-hardened@lists.gentoo.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox