| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 20 Aug 2022 20:09:52 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Nick Desaulniers <ndesaulniers@...gle.com>
Cc: linux-kernel@...r.kernel.org, stable@...r.kernel.org,
Fangrui Song <maskray@...gle.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Jens Axboe <axboe@...nel.dk>
Subject: Re: [PATCH 5.10 001/545] Makefile: link with -z noexecstack
--no-warn-rwx-segments
On Fri, Aug 19, 2022 at 10:14:51AM -0700, Nick Desaulniers wrote:
> On Fri, Aug 19, 2022 at 8:46 AM Greg Kroah-Hartman
> <gregkh@...uxfoundation.org> wrote:
> >
> > From: Nick Desaulniers <ndesaulniers@...gle.com>
> >
> > commit 0d362be5b14200b77ecc2127936a5ff82fbffe41 upstream.
> >
> > Users of GNU ld (BFD) from binutils 2.39+ will observe multiple
> > instances of a new warning when linking kernels in the form:
> >
> > ld: warning: vmlinux: missing .note.GNU-stack section implies executable stack
> > ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
> > ld: warning: vmlinux has a LOAD segment with RWX permissions
> >
> > Generally, we would like to avoid the stack being executable. Because
> > there could be a need for the stack to be executable, assembler sources
> > have to opt-in to this security feature via explicit creation of the
> > .note.GNU-stack feature (which compilers create by default) or command
> > line flag --noexecstack. Or we can simply tell the linker the
> > production of such sections is irrelevant and to link the stack as
> > --noexecstack.
> >
> > LLVM's LLD linker defaults to -z noexecstack, so this flag isn't
> > strictly necessary when linking with LLD, only BFD, but it doesn't hurt
> > to be explicit here for all linkers IMO. --no-warn-rwx-segments is
> > currently BFD specific and only available in the current latest release,
> > so it's wrapped in an ld-option check.
> >
> > While the kernel makes extensive usage of ELF sections, it doesn't use
> > permissions from ELF segments.
> >
> > Link: https://lore.kernel.org/linux-block/3af4127a-f453-4cf7-f133-a181cce06f73@kernel.dk/
> > Link: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107
> > Link: https://github.com/llvm/llvm-project/issues/57009
> > Reported-and-tested-by: Jens Axboe <axboe@...nel.dk>
> > Suggested-by: Fangrui Song <maskray@...gle.com>
> > Signed-off-by: Nick Desaulniers <ndesaulniers@...gle.com>
> > Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> > ---
> > Makefile | 5 +++++
> > 1 file changed, 5 insertions(+)
> >
> > --- a/Makefile
> > +++ b/Makefile
> > @@ -983,6 +983,11 @@ KBUILD_CFLAGS += $(KCFLAGS)
> > KBUILD_LDFLAGS_MODULE += --build-id=sha1
> > LDFLAGS_vmlinux += --build-id=sha1
> >
> > +KBUILD_LDFLAGS += -z noexecstack
> > +ifeq ($(CONFIG_LD_IS_BFD),y)
> > +KBUILD_LDFLAGS += $(call ld-option,--no-warn-rwx-segments)
> > +endif
>
> 5.10.y is missing CONFIG_LD_IS_BFD. Specifically
>
> commit 02aff8592204 ("kbuild: check the minimum linker version in Kconfig")
> which first landed in v5.12-rc1. I'd recommend simply dropping the
> `ifeq` guards; the ld-option guard will still work. Otherwise GNU BFD
> 2.39 users will observe linker warnings related to rwx-segments.
>
> Greg, do you mind dropping this patch and I'll supply a v2, or is it
> too late and I should send a patch on top?
I've fixed it up, thanks!
greg k-h
Powered by blists - more mailing lists