Question - intention of UCLIBC_BUILD_NOEXECSTACK?

bugs at andrewmcdonnell.net
Mon Aug 25 01:06:16 UTC 2014


Hi,

I have been playing with uClibc on some embedded Linux systems, and 
trying out some hardening techniques.

When I tested the .so files built by uClibc (using the checksec.sh tool 
from http://www.trapkit.de/tools/checksec.html, which is basically a 
wrapper around readelf), the files do not exhibit the GNU_STACK flag.

What I would like to do is actually build with the linker option 
'-Wl,-z,noexecstack' as per 
http://www.win.tue.nl/~aeb/linux/hh/protection.html or 
http://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart (for just two 
examples). I eventually managed to do this by using and patching 
Config.in (0.9.33.2) to recognise UCLIBC_LDFLAGS_EXTRA, after which the 
.so files had the relevant flag. (I can post that patch to enable 
UCLIBC_LDFLAGS_EXTRA separately.)

One thing I noticed is that uClibc has a Config setting 
UCLIBC_BUILD_NOEXECSTACK but all this seems to do is pass the relevant 
flag to the assembler and not to the linker. The gentoo hardening guide 
applies the flag to both assembler and linker stage.

According to Config.in help: "Mark all assembler files as noexecstack. 
This will result in marking all libraries and executables built against 
uClibc not requiring executable stack."

I guess the gap in my knowledge is how uClibc, by only applying to 
assembler files, meets "marking all libraries and executables" when the 
GNU_STACK flag is missing from the ELF images? Note it has been a very 
long time since I coded in anger (as opposed to disassembled) any 
assembly language, so I could well be misunderstanding something!

thanks,
Andrew

---

http://blog.oldcomputerjunk.net
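The check the post describes (checksec.sh's wrapper around `readelf -W -l`, looking for a GNU_STACK segment and its flags) is small enough to implement directly. The following is an added example, not code from the post, from checksec.sh or from uClibc: it parses the ELF header and program headers of an image, reports whether a PT_GNU_STACK header is present and whether it carries PF_X, and handles both ELF32 and ELF64 in either byte order, since embedded uClibc targets are often 32-bit and sometimes big-endian. The `make_elf` helper builds constructed, minimal ELF images purely so the checker can be exercised offline; they are not real uClibc objects.

```python
"""Report the PT_GNU_STACK program header of an ELF image.

This is the check behind checksec's NX column: `readelf -W -l` lists a
GNU_STACK segment, and its flags say whether the loader may map the stack
executable. The segment is emitted by the linker, not the assembler, so an
image built with only the assembler flag can still come out with no
GNU_STACK header at all (the state the post reports).
"""
import struct

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551          # PT_LOOS + 0x474e551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def gnu_stack_status(data: bytes) -> str:
    """Return 'missing', 'noexec' or 'exec' for the ELF image in `data`.

    'missing' means no PT_GNU_STACK header is present; the kernel then
    applies its per-architecture default instead of a non-executable stack.
    """
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = {1: "<", 2: ">"}[ei_data]     # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 2:                   # ELFCLASS64
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        phdr_fmt, flags_idx = end + "IIQQQQQQ", 1   # p_flags follows p_type
    elif ei_class == 1:                 # ELFCLASS32
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        phdr_fmt, flags_idx = end + "IIIIIIII", 6   # p_flags is the 7th field
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_STACK:
            return "exec" if ph[flags_idx] & PF_X else "noexec"
    return "missing"


def make_elf(ei_class: int, ei_data: int, gnu_stack_flags=None) -> bytes:
    """Build a constructed ELF header plus program headers for testing.

    One PT_LOAD segment, plus a PT_GNU_STACK segment with `gnu_stack_flags`
    when given. Sample input only; not a real object file.
    """
    end = {1: "<", 2: ">"}[ei_data]
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + bytes(8)
    segs = [(PT_LOAD, PF_R | PF_X)]
    if gnu_stack_flags is not None:
        segs.append((PT_GNU_STACK, gnu_stack_flags))
    if ei_class == 2:
        ehsize, phentsize, machine = 64, 56, 62          # EM_X86_64
        phdrs = [struct.pack(end + "IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x1000)
                 for t, f in segs]
        ehdr = ident + struct.pack(end + "HHIQQQIHHHHHH", 3, machine, 1, 0,
                                   ehsize, 0, 0, ehsize, phentsize,
                                   len(segs), 0, 0, 0)
    else:
        ehsize, phentsize, machine = 52, 32, 8           # EM_MIPS
        phdrs = [struct.pack(end + "IIIIIIII", t, 0, 0, 0, 0, 0, f, 0x1000)
                 for t, f in segs]
        ehdr = ident + struct.pack(end + "HHIIIIIHHHHHH", 3, machine, 1, 0,
                                   ehsize, 0, 0, ehsize, phentsize,
                                   len(segs), 0, 0, 0)
    return ehdr + b"".join(phdrs)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{path}: GNU_STACK {gnu_stack_status(fh.read())}")
```

Run it over the built `.so` files (`python3 gnustack.py lib/*.so`) before and after adding the linker flag. With the GNU toolchain the two flags play different roles: `--noexecstack` passed to the assembler only adds an empty `.note.GNU-stack` section to each object, which GNU ld consults across all of its inputs when deciding the PT_GNU_STACK flags, whereas `-z noexecstack` passed to ld sets the header's flags directly. A result of `missing` is the case to worry about, because then the stack permission is left to the kernel's default for that architecture rather than being requested by the image.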


More information about the uClibc mailing list