[OpenWrt-Devel] Missing 'noexecstack' in uClibc MIPS builds

Andrew McDonnell bugs at andrewmcdonnell.net
Fri Oct 3 20:31:54 EDT 2014

True. Perhaps that makes it a moot issue for BB.
But I don't think it would hurt to be ahead of the curve in this day and age...

I am not the only one adding this latent protection to MIPS:

https://gcc.gnu.org/ml/gcc-patches/2014-09/msg02430.html  (source of my patch 
submission which I emailed later when I finally cracked this)

The trade-off might be giving people a false sense of protection, I guess. But 
that could happen anyway once the fix meanders through gcc upstream. Then 
again, who else before me even bothered to scan their router files for this :-)

Of lower priority for OpenWRT mainstream, is a determined user could also 
cherry-pick emulated NX protection from PAX.
When they google this problem they will at least find my work. Which was a 
great learning exercise regardless. I blogged about it here --> 

Anyways, up to you I guess. I am still learning this stuff. It's not like the 
"experts" regularly get security stuff right...


On 04/10/14 02:54, Felix Fietkau wrote:
> On 2014-10-03 19:14, Catalin Patulea wrote:
>> On Wed, Oct 1, 2014 at 6:42 PM, Andrew McDonnell
>> <bugs at andrewmcdonnell.net> wrote:
>>> It seems that OpenWRT sets the relevant flag to require uClibc to build with
>>> NOEXECSTACK set. This is good.  (For one introduction to NOEXECSTACK, see
>>> http://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart )
>> Does anything actually enforce NX on MIPS?
> There are MIPS CPUs that support it, but my guess is that most of our
> MIPS targets don't have any hardware support for it.
> - Felix
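
A check of the kind mentioned above (scanning router files for a missing or executable PT_GNU_STACK program header), as an added example that is not part of the original thread. The function names are hypothetical and the sample ELF images are constructed inside the script.

```python
import struct
import sys

PT_LOAD, PT_GNU_STACK, PF_X = 1, 0x6474E551, 0x1

def gnu_stack_status(data: bytes) -> str:
    """Classify an ELF image as 'noexec', 'exec', 'missing' or 'not-elf'."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        return "not-elf"
    if data[4] not in (1, 2) or data[5] not in (1, 2):
        return "not-elf"
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 little, 2 big endian
    # e_phoff format/offset, e_phentsize offset, p_flags offset, header size
    fmt, phoff_at, phent_at, flags_at, ehsize = (
        ("I", 28, 42, 24, 52) if data[4] == 1 else ("Q", 32, 54, 4, 64))
    if len(data) < ehsize:
        return "not-elf"
    (phoff,) = struct.unpack_from(end + fmt, data, phoff_at)
    phentsize, phnum = struct.unpack_from(end + "HH", data, phent_at)
    for i in range(phnum):
        base = phoff + i * phentsize
        if base + flags_at + 4 > len(data):
            break                          # truncated program header table
        (p_type,) = struct.unpack_from(end + "I", data, base)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from(end + "I", data, base + flags_at)
            return "exec" if p_flags & PF_X else "noexec"
    return "missing"                       # no marking: kernel default applies

def sample_mips_elf(stack_flags=None) -> bytes:
    """Constructed big-endian ELF32 MIPS image, optional PT_GNU_STACK."""
    phdrs = [struct.pack(">8I", PT_LOAD, 0, 0x400000, 0x400000, 0, 0, 5, 0x1000)]
    if stack_flags is not None:
        phdrs.append(struct.pack(">8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 4))
    ident = b"\x7fELF" + bytes([1, 2, 1]) + bytes(9)   # ELF32, big endian
    hdr = ident + struct.pack(">HHIIIIIHHHHHH", 2, 8, 1, 0x400000, 52, 0, 0,
                              52, 32, len(phdrs), 0, 0, 0)  # e_machine 8 = MIPS
    return hdr + b"".join(phdrs)

if __name__ == "__main__":
    if sys.argv[1:]:                       # scan files given on the command line
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, gnu_stack_status(fh.read()))
    else:                                  # otherwise show the constructed samples
        for label, flags in (("no header", None), ("RW", 6), ("RWX", 7)):
            print(label, gnu_stack_status(sample_mips_elf(flags)))
```

Run it over the binaries and libraries of an unpacked root filesystem; "missing" and "exec" are the results worth following up.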