Question - intention of UCLIBC_BUILD_NOEXECSTACK?
bugs at andrewmcdonnell.net
Mon Aug 25 01:06:16 UTC 2014
Hi,

I have been playing with uClibc on some embedded Linux systems, and
trying out some hardening techniques.

When I tested the .so files built by uClibc (using the checksec.sh tool
from http://www.trapkit.de/tools/checksec.html, which is basically a
wrapper around readelf), the files do not exhibit the GNU_STACK flag.

What I would like to do is actually build with the linker option
'-Wl,-z,noexecstack' as per
http://www.win.tue.nl/~aeb/linux/hh/protection.html or
http://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart (for just two
examples). I eventually managed to do this by using and patching
Config.in (0.9.33.2) to recognise UCLIBC_LDFLAGS_EXTRA, after which the
.so files had the relevant flag. (I can post that patch to enable
UCLIBC_LDFLAGS_EXTRA separately.)

One thing I noticed is that uClibc has a Config setting
UCLIBC_BUILD_NOEXECSTACK, but all this seems to do is pass the relevant
flag to the assembler and not to the linker. The Gentoo hardening guide
applies the flag to both the assembler and the linker stage.

According to the Config.in help: "Mark all assembler files as noexecstack.
This will result in marking all libraries and executables built against
uClibc not requiring executable stack."

I guess the gap in my knowledge is how uClibc, by only applying it to
assembler files, meets "marking all libraries and executables" when the
GNU_STACK flag is missing from the ELF images? Note it has been a very
long time since I coded in anger (as opposed to disassembled) any
assembly language, so I could well be misunderstanding something!

thanks,
Andrew
---
http://blog.oldcomputerjunk.net
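The check the post describes (readelf, via checksec.sh, looking for a PT_GNU_STACK program header and its flags) can be done directly on the ELF program headers. The following is an added example written for this thread, not code from the post, from uClibc or from checksec.sh. It parses the program-header table of a 32- or 64-bit ELF image and distinguishes the three states that matter here: a PT_GNU_STACK entry without PF_X (the stack is marked non-executable), one with PF_X (executable stack requested), and no PT_GNU_STACK at all (the case Andrew observed, where the loader falls back to its per-architecture default instead of an explicit marking). The function names and the minimal constructed ELF images used as fixtures are assumptions made for the example.

```python
import struct
import sys

# Program-header constants from the ELF specification / elf.h
PT_LOAD = 1
PT_GNU_STACK = 0x6474e551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def parse_program_headers(data: bytes):
    """Return a list of (p_type, p_flags) tuples from an ELF image (ELF32/ELF64, LE/BE)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]          # 1/2 = ELFCLASS32/64, 1/2 = LSB/MSB
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:
        # Elf64_Ehdr: e_phoff at 0x20 (8 bytes), e_phentsize/e_phnum at 0x36
        e_phoff = struct.unpack_from(endian + "Q", data, 0x20)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
    elif ei_class == 1:
        # Elf32_Ehdr: e_phoff at 0x1c (4 bytes), e_phentsize/e_phnum at 0x2a
        e_phoff = struct.unpack_from(endian + "I", data, 0x1c)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2a)
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    headers = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if ei_class == 2:
            # Elf64_Phdr starts with p_type, p_flags
            p_type, p_flags = struct.unpack_from(endian + "II", data, off)
        else:
            # Elf32_Phdr: p_type first, p_flags is the 7th word (offset 24)
            p_type = struct.unpack_from(endian + "I", data, off)[0]
            p_flags = struct.unpack_from(endian + "I", data, off + 24)[0]
        headers.append((p_type, p_flags))
    return headers


def stack_status(data: bytes) -> str:
    """'noexec' / 'exec' from the PT_GNU_STACK flags, or 'missing' if the
    image carries no PT_GNU_STACK at all (no explicit marking either way)."""
    for p_type, p_flags in parse_program_headers(data):
        if p_type == PT_GNU_STACK:
            return "exec" if p_flags & PF_X else "noexec"
    return "missing"


def build_minimal_elf(phdrs, elfclass=2):
    """Constructed test fixture (assumption for this example): an ELF header
    followed only by the given (p_type, p_flags) program headers. It has no
    code or sections; it exists so the parser can be exercised offline."""
    e_ident = b"\x7fELF" + bytes([elfclass, 1, 1, 0]) + bytes(8)
    if elfclass == 2:
        ehsize, phentsize = 64, 56
        hdr = struct.pack("<HHIQQQIHHHHHH", 3, 0x3e, 1, 0, ehsize, 0, 0,
                          ehsize, phentsize, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0)
                        for t, f in phdrs)
    else:
        ehsize, phentsize = 52, 32
        hdr = struct.pack("<HHIIIIIHHHHHH", 3, 0x03, 1, 0, ehsize, 0, 0,
                          ehsize, phentsize, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, f, 0)
                        for t, f in phdrs)
    return e_ident + hdr + body


if __name__ == "__main__":
    # Usage: python3 gnustack.py libuClibc.so ...  (paths are whatever you want to audit)
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print("%-40s PT_GNU_STACK: %s" % (path, stack_status(fh.read())))
```

Run it over the build output before and after adding '-Wl,-z,noexecstack': an object-file-only marking (the assembler `--noexecstack` path) only produces a PT_GNU_STACK entry in the final link if every input object carries a `.note.GNU-stack` section, which is why the linker flag is the step that guarantees the header appears in the .so.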