| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 19 Aug 2022 10:14:51 -0700
From: Nick Desaulniers <ndesaulniers@...gle.com>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: linux-kernel@...r.kernel.org, stable@...r.kernel.org,
Fangrui Song <maskray@...gle.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Jens Axboe <axboe@...nel.dk>
Subject: Re: [PATCH 5.10 001/545] Makefile: link with -z noexecstack --no-warn-rwx-segments
On Fri, Aug 19, 2022 at 8:46 AM Greg Kroah-Hartman
<gregkh@...uxfoundation.org> wrote:
>
> From: Nick Desaulniers <ndesaulniers@...gle.com>
>
> commit 0d362be5b14200b77ecc2127936a5ff82fbffe41 upstream.
>
> Users of GNU ld (BFD) from binutils 2.39+ will observe multiple
> instances of a new warning when linking kernels in the form:
>
> ld: warning: vmlinux: missing .note.GNU-stack section implies executable stack
> ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
> ld: warning: vmlinux has a LOAD segment with RWX permissions
>
> Generally, we would like to avoid the stack being executable. Because
> there could be a need for the stack to be executable, assembler sources
> have to opt-in to this security feature via explicit creation of the
> .note.GNU-stack feature (which compilers create by default) or command
> line flag --noexecstack. Or we can simply tell the linker the
> production of such sections is irrelevant and to link the stack as
> --noexecstack.
>
> LLVM's LLD linker defaults to -z noexecstack, so this flag isn't
> strictly necessary when linking with LLD, only BFD, but it doesn't hurt
> to be explicit here for all linkers IMO. --no-warn-rwx-segments is
> currently BFD specific and only available in the current latest release,
> so it's wrapped in an ld-option check.
>
> While the kernel makes extensive usage of ELF sections, it doesn't use
> permissions from ELF segments.
>
> Link: https://lore.kernel.org/linux-block/3af4127a-f453-4cf7-f133-a181cce06f73@kernel.dk/
> Link: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107
> Link: https://github.com/llvm/llvm-project/issues/57009
> Reported-and-tested-by: Jens Axboe <axboe@...nel.dk>
> Suggested-by: Fangrui Song <maskray@...gle.com>
> Signed-off-by: Nick Desaulniers <ndesaulniers@...gle.com>
> Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> ---
> Makefile | 5 +++++
> 1 file changed, 5 insertions(+)
>
> --- a/Makefile
> +++ b/Makefile
> @@ -983,6 +983,11 @@ KBUILD_CFLAGS += $(KCFLAGS)
> KBUILD_LDFLAGS_MODULE += --build-id=sha1
> LDFLAGS_vmlinux += --build-id=sha1
>
> +KBUILD_LDFLAGS += -z noexecstack
> +ifeq ($(CONFIG_LD_IS_BFD),y)
> +KBUILD_LDFLAGS += $(call ld-option,--no-warn-rwx-segments)
> +endif
5.10.y is missing CONFIG_LD_IS_BFD. Specifically
commit 02aff8592204 ("kbuild: check the minimum linker version in Kconfig")
which first landed in v5.12-rc1. I'd recommend simply dropping the
`ifeq` guards; the ld-option guard will still work. Otherwise GNU BFD
2.39 users will observe linker warnings related to rwx-segments.
Greg, do you mind dropping this patch and I'll supply a v2, or is it
too late and I should send a patch on top?
> +
> ifeq ($(CONFIG_STRIP_ASM_SYMS),y)
> LDFLAGS_vmlinux += $(call ld-option, -X,)
> endif
>
>
--
Thanks,
~Nick Desaulniers
Powered by blists - more mailing lists