[OpenWrt-Devel] Missing 'noexecstack' in uClibc MIPS builds
bugs at andrewmcdonnell.net
Fri Oct 3 20:31:54 EDT 2014
True. Perhaps that makes it a moot issue for BB.
But I don't think it would hurt to be ahead of the curve in this day and age...
I am not the only one adding this latent protection to MIPS:
https://gcc.gnu.org/ml/gcc-patches/2014-09/msg02430.html (source of my patch
submission which I emailed later when I finally cracked this)
The trade-off might be giving people a false sense of protection, I guess. But
that could happen anyway once the fix meanders through gcc upstream. Then
again, who else before me even bothered to scan their router files for this :-)
Of lower priority for OpenWRT mainstream is that a determined user could also
cherry-pick emulated NX protection from PAX.
When they google this problem they will at least find my work. Which was a
great learning exercise regardless. I blogged about it here -->
Anyways, up to you I guess. I am still learning this stuff. It's not like the
"experts" regularly get security stuff right...
On 04/10/14 02:54, Felix Fietkau wrote:
> On 2014-10-03 19:14, Catalin Patulea wrote:
>> On Wed, Oct 1, 2014 at 6:42 PM, Andrew McDonnell
>> <bugs at andrewmcdonnell.net> wrote:
>>> It seems that OpenWRT sets the relevant flag to require uClibc to build with
>>> NOEXECSTACK set. This is good. (For one introduction to NOEXECSTACK, see
>>> http://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart )
>> Does anything actually enforce NX on MIPS?
> There are MIPS CPUs that support it, but my guess is that most of our
> MIPS targets don't have any hardware support for it.
> - Felix
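
The kind of scan the message mentions (checking the files of a router image for the stack marking) can be done by reading each ELF file's program headers and looking at the flags on `PT_GNU_STACK`. This is an added example, not code from the original post or from OpenWrt; the function names are hypothetical and the sample ELF images are constructed in `make_elf32_be`.

```python
import os
import struct

PT_GNU_STACK = 0x6474E551   # program header type carrying the stack permissions
PF_X = 0x1                  # "executable" bit in p_flags

def gnu_stack_status(data):
    """Classify an ELF image: not-elf, missing, executable or non-executable."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return "not-elf"
    is64 = data[4] == 2                   # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = little, 2 = big endian
    if is64 and len(data) < 64:
        return "not-elf"
    # e_phoff, then e_phentsize/e_phnum, at their class-specific offsets
    phoff, = struct.unpack_from(end + ("Q" if is64 else "I"), data, 0x20 if is64 else 0x1C)
    entsize, phnum = struct.unpack_from(end + "HH", data, 0x36 if is64 else 0x2A)
    for i in range(phnum):
        off = phoff + i * entsize
        if off + (56 if is64 else 32) > len(data):
            break                         # truncated program header table
        p_type, = struct.unpack_from(end + "I", data, off)
        if p_type == PT_GNU_STACK:
            # p_flags is at offset 4 in Elf64_Phdr and offset 24 in Elf32_Phdr
            flags, = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
            return "executable" if flags & PF_X else "non-executable"
    return "missing"                      # no marking: kernel uses its arch default

def scan(root):
    """Return {path: status} for ELF files without a non-executable stack marking."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                status = gnu_stack_status(fh.read())
            if status in ("missing", "executable"):
                findings[path] = status
    return findings

def make_elf32_be(phdrs):
    """Constructed sample: minimal big-endian ELF32 (EM_MIPS) with (p_type, p_flags) headers."""
    ehdr = b"\x7fELF" + bytes([1, 2, 1]) + bytes(9) + struct.pack(
        ">HHIIIIIHHHHHH", 2, 8, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack(">8I", t, 0, 0, 0, 0, 0, f, 0) for t, f in phdrs)

if __name__ == "__main__":
    for label, img in (("marked rw-", make_elf32_be([(1, 5), (PT_GNU_STACK, 6)])),
                       ("marked rwx", make_elf32_be([(PT_GNU_STACK, 7)])),
                       ("unmarked", make_elf32_be([(1, 5)]))):
        print(label, "->", gnu_stack_status(img))
```

Pointing `scan()` at an unpacked root filesystem lists the binaries and libraries that would need rebuilding with the marking; a clean result only describes the files, not whether the CPU enforces it.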