[OpenWrt-Devel] Missing 'noexecstack' in uClibc MIPS builds

Andrew McDonnell bugs at andrewmcdonnell.net
Fri Oct 3 20:31:54 EDT 2014


True. Perhaps that makes it a moot issue for BB.
But I don't think it would hurt to be ahead of the curve in this day and age...

I am not the only one adding this latent protection to MIPS:

https://webrtc-codereview.appspot.com/994006/
https://gcc.gnu.org/ml/gcc-patches/2014-09/msg02430.html  (source of my patch 
submission which I emailed later when I finally cracked this)
http://lists.busybox.net/pipermail/uclibc/2014-August/048474.html

The trade-off might be giving people a false sense of protection, I guess. But 
that could happen anyway once the fix meanders through gcc upstream. Then 
again, who else before me even bothered to scan their router files for this :-)

Of lower priority for OpenWRT mainstream, is a determined user could also 
cherry-pick emulated NX protection from PAX.
When they google this problem they will at least find my work. Which was a 
great learning exercise regardless. I blogged about it here --> 
http://blog.oldcomputerjunk.net/

Anyways, up to you I guess. I am still learning this stuff. It's not like the 
"experts" regularly get security stuff right...

cheers,
--Andrew


On 04/10/14 02:54, Felix Fietkau wrote:
> On 2014-10-03 19:14, Catalin Patulea wrote:
>> On Wed, Oct 1, 2014 at 6:42 PM, Andrew McDonnell
>> <bugs at andrewmcdonnell.net> wrote:
>>> It seems that OpenWRT sets the relevant flag to require uClibc to build with
>>> NOEXECSTACK set. This is good.  (For one introduction to NOEXECSTACK, see
>>> http://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart )
>> Does anything actually enforce NX on MIPS?
> There are MIPS CPUs that support it, but my guess is that most of our
> MIPS targets don't have any hardware support for it.
>
> - Felix
>
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel


