[Tinycc-devel] Re: lib/alloca*: mark ELF stack access flags as nonexecut

tinycc-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Tinycc-devel] Re: lib/alloca*: mark ELF stack access flags as nonexecut

From:	Sergei Trofimovich
Subject:	[Tinycc-devel] Re: lib/alloca*: mark ELF stack access flags as nonexecutable
Date:	Thu, 6 Jan 2011 21:09:24 +0200

On Thu, 06 Jan 2011 19:38:36 +0100
grischka <address@hidden> wrote:

> > So my goal is to harden the project I use a little bit more. It might sound 
> > too
> > paranoid in respect to the compiler, but tcc is one of rare packages in my 
> > system
> > violating nonexecutable stack policy (Gentoo has an automatic checker for 
> > such
> > packages).
> 
> How does tcc violate that stack policy?

It installs suspicious library file (libtcc1.a) to the system, which violates 
QA checks.
It always generates execstack binaries (not fixed yet).
In theory (very unlikely, but possible) libtcc1.a could be used by gcc/ld 
directly (for
example to test/use this tiny lib).

> A section named ".note.GNU-stack" has no special meaning to tcc's
> built-in linker.

Aha. tcc's linker was my next target to look at (seems it's output still upsets 
valgrind as well).

> > Does that explanations sound good enough to keen this change?
> 
> Well, it sounds like the change would improve security.  Does it?

Yes. Alas it still needs tcc's linker's support as well.

> Aside from that, would this code, compiled with gcc or tcc, run on
> your "hardened" system?
> 
>      int main()
>      {
>          char xxx[] = { 0xc3 };
>          ((void(*)(void))xxx)();
>          return 0;
>      }

On hardened box (W^X is enforced by kernel):
$ cat > main.c
     int main()
     {
         char xxx[] = { 0xc3 };
         ((void(*)(void))xxx)();
         return 0;
     }
$ gcc main.c -o main.gcc
$ tcc main.c -o main.tcc
$ ./main.gcc
Killed
PAX: execution attempt in: <anonymous mapping>, 74c0ebfa9000-74c0ebfcb000 
7ffffffdd000
PAX: terminating task: /tmp/z/main.gcc(main.gcc):17500, uid/euid: 1000/1000, 
PC: 000074c0ebfc9277, SP: 000074c0ebfc9268

$ ./main.tcc 
Killed
PAX: terminating task: /tmp/z/main.tcc(main.tcc):17706, uid/euid: 1000/1000, 
PC: 0000719781b5175f, SP: 0000719781b51748

This example should not work on stock system as well:
On nonhardened box:
$ ./main.gcc
Segmentation fault

[sf] /tmp/z:./main.tcc 
[sf] /tmp/z: # ooops, needs to be fixed!

-- 

  Sergei

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

[Tinycc-devel] lib/alloca*: mark ELF stack access flags as nonexecutable, grischka, 2011/01/05
- [Tinycc-devel] Re: lib/alloca*: mark ELF stack access flags as nonexecutable, Sergei Trofimovich, 2011/01/05
  - [Tinycc-devel] Re: lib/alloca*: mark ELF stack access flags as nonexecutable, grischka, 2011/01/06
    - [Tinycc-devel] Re: lib/alloca*: mark ELF stack access flags as nonexecutable, Sergei Trofimovich <=
    - [Tinycc-devel] Re: lib/alloca*: mark ELF stack access flags as nonexecutable, grischka, 2011/01/06
    - [Tinycc-devel] Re: lib/alloca*: mark ELF stack access flags as nonexecutable, Sergei Trofimovich, 2011/01/06
    - [Tinycc-devel] Re: lib/alloca*: mark ELF stack access flags as nonexecutable, grischka, 2011/01/06
    - [Tinycc-devel] Re: lib/alloca*: mark ELF stack access flags as nonexecutable, Sergei Trofimovich, 2011/01/06

Prev by Date: [Tinycc-devel] Re: lib/alloca*: mark ELF stack access flags as nonexecutable
Next by Date: [Tinycc-devel] Re: lib/alloca*: mark ELF stack access flags as nonexecutable
Previous by thread: [Tinycc-devel] Re: lib/alloca*: mark ELF stack access flags as nonexecutable
Next by thread: [Tinycc-devel] Re: lib/alloca*: mark ELF stack access flags as nonexecutable
Index(es):
- Date
- Thread