[OpenWrt-Devel] [PATCH][BB, toolchain] Fix broken implementation of NOEXECSTACK flag for MIPS architectures for gcc-linaro-4.8

Andrew McDonnell bugs at andrewmcdonnell.net
Fri Oct 3 11:05:00 EDT 2014


This patch ensures that libgcc_s.so properly honours the NOEXECSTACK flag
for MIPS builds, when gcc-linaro-4.8 is the chosen C compiler.

Signed-off-by: Andrew McDonnell <bugs at andrewmcdonnell.net>

---
Extended Summary: NOEXECSTACK is a security hardening feature of Linux that
prevents execution of arbitrary code for some classes of buffer overflow.
When the binaries and libraries in a firmware image are scanned with the
checksec tool [1,2] on x86 OpenWRT firmware all have the marking, but in MIPS
firmware very few have the marking.

To cut a long story short, libgcc_s.so is built in a way that causes it to
have an executable stack, and because most other binaries and libraries are
linked to this library, they in turn also have an executable stack.  The fix
for this is a backport patch against the development of gcc. [3,4]

[1] https://github.com/slimm609/checksec.sh
[2] http://www.trapkit.de/tools/checksec.html
[3] http://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart
[4] https://gcc.gnu.org/ml/gcc-patches/2014-09/msg02430.html 

This is probably required against gc 4.6 and gcc 4.8 as well.

 .../4.8-linaro/930-fix-mips-noexecstack.patch      | 124 +++++++++++++++++++++
 1 file changed, 124 insertions(+)
 create mode 100644 toolchain/gcc/patches/4.8-linaro/930-fix-mips-noexecstack.patch

diff --git a/toolchain/gcc/patches/4.8-linaro/930-fix-mips-noexecstack.patch b/toolchain/gcc/patches/4.8-linaro/930-fix-mips-noexecstack.patch
new file mode 100644
index 0000000..81deda6
--- /dev/null
+++ b/toolchain/gcc/patches/4.8-linaro/930-fix-mips-noexecstack.patch
@@ -0,0 +1,124 @@
+From da45b3fde60095756f5f6030f6012c23a3d34429 Mon Sep 17 00:00:00 2001
+From: Andrew McDonnell <bugs at andrewmcdonnell.net>
+Date: Fri, 3 Oct 2014 19:09:00 +0930
+Subject: Add .note.GNU-stack section
+
+See http://lists.busybox.net/pipermail/uclibc/2014-October/048671.html
+Below copied from https://gcc.gnu.org/ml/gcc-patches/2014-09/msg02430.html
+
+Re: [Patch, MIPS] Add .note.GNU-stack section
+
+    From: Steve Ellcey <sellcey at mips dot com>
+
+On Wed, 2014-09-10 at 10:15 -0700, Eric Christopher wrote:
+>
+>
+> On Wed, Sep 10, 2014 at 9:27 AM, <pinskia at gmail.com> wrote:
+
+>         This works except you did not update the assembly files in
+>         libgcc or glibc. We (Cavium) have the same patch in our tree
+>         for a few released versions.
+
+> Mind just checking yours in then Andrew?
+
+> Thanks!
+> -eric
+
+I talked to Andrew about what files he changed in GCC and created and
+tested this new patch.  Andrew also mentioned changing some assembly
+files in glibc but I don't see any use of '.section .note.GNU-stack' in
+any assembly files in glibc (for any platform) so I wasn't planning on
+creating a glibc to add them to mips glibc assembly language files.
+
+OK to check in this patch?
+
+Steve Ellcey
+sellcey at mips.com
+
+
+
+2014-09-26  Steve Ellcey  <sellcey at mips.com>
+---
+ gcc/config/mips/mips.c          | 3 +++
+ libgcc/config/mips/crti.S       | 4 ++++
+ libgcc/config/mips/crtn.S       | 3 +++
+ libgcc/config/mips/mips16.S     | 4 ++++
+ libgcc/config/mips/vr4120-div.S | 4 ++++
+ 5 files changed, 18 insertions(+)
+
+diff --git a/gcc/config/mips/mips.c b/gcc/config/mips/mips.c
+index 41c5d6b..33d9793 100644
+--- a/gcc/config/mips/mips.c
++++ b/gcc/config/mips/mips.c
+@@ -18223,6 +18223,9 @@ mips_expand_vec_minmax (rtx target, rtx op0, rtx op1,
+ #undef TARGET_VECTORIZE_VEC_PERM_CONST_OK
+ #define TARGET_VECTORIZE_VEC_PERM_CONST_OK mips_vectorize_vec_perm_const_ok
+ 
++#undef TARGET_ASM_FILE_END
++#define TARGET_ASM_FILE_END file_end_indicate_exec_stack
++
+ struct gcc_target targetm = TARGET_INITIALIZER;
+ 
+ #include "gt-mips.h"
+diff --git a/libgcc/config/mips/crti.S b/libgcc/config/mips/crti.S
+index c7418db..e5f2762 100644
+--- a/libgcc/config/mips/crti.S
++++ b/libgcc/config/mips/crti.S
+@@ -21,6 +21,10 @@ a copy of the GCC Runtime Library Exception along with this program;
+ see the files COPYING3 and COPYING.RUNTIME respectively.  If not, see
+ <http://www.gnu.org/licenses/>.  */
+ 
++
++/* An executable stack is *not* required for these functions.  */
++	.section .note.GNU-stack,"",%progbits
++
+ /* 4 slots for argument spill area.  1 for cpreturn, 1 for stack.
+    Return spill offset of 40 and 20.  Aligned to 16 bytes for n32.  */
+ 
+diff --git a/libgcc/config/mips/crtn.S b/libgcc/config/mips/crtn.S
+index 59d1a90..5cc03bf 100644
+--- a/libgcc/config/mips/crtn.S
++++ b/libgcc/config/mips/crtn.S
+@@ -21,6 +21,9 @@ a copy of the GCC Runtime Library Exception along with this program;
+ see the files COPYING3 and COPYING.RUNTIME respectively.  If not, see
+ <http://www.gnu.org/licenses/>.  */
+ 
++/* An executable stack is *not* required for these functions.  */
++        .section .note.GNU-stack,"",%progbits
++
+ /* 4 slots for argument spill area.  1 for cpreturn, 1 for stack.
+    Return spill offset of 40 and 20.  Aligned to 16 bytes for n32.  */
+ 
+diff --git a/libgcc/config/mips/mips16.S b/libgcc/config/mips/mips16.S
+index ab3a794..4ded5da 100644
+--- a/libgcc/config/mips/mips16.S
++++ b/libgcc/config/mips/mips16.S
+@@ -27,6 +27,10 @@ see the files COPYING3 and COPYING.RUNTIME respectively.  If not, see
+    values using the soft-float calling convention, but do the actual
+    operation using the hard floating point instructions.  */
+ 
++/* An executable stack is *not* required for these functions.  */
++        .section .note.GNU-stack,"",%progbits
++	.previous
++
+ #if defined _MIPS_SIM && (_MIPS_SIM == _ABIO32 || _MIPS_SIM == _ABIO64)
+ 
+ /* This file contains 32-bit assembly code.  */
+diff --git a/libgcc/config/mips/vr4120-div.S b/libgcc/config/mips/vr4120-div.S
+index 6e9242a..1e260cd 100644
+--- a/libgcc/config/mips/vr4120-div.S
++++ b/libgcc/config/mips/vr4120-div.S
+@@ -26,6 +26,10 @@ see the files COPYING3 and COPYING.RUNTIME respectively.  If not, see
+    -mfix-vr4120.  div and ddiv do not give the correct result when one
+    of the operands is negative.  */
+ 
++/* An executable stack is *not* required for these functions.  */
++        .section .note.GNU-stack,"",%progbits
++	.previous
++
+ 	.set	nomips16
+ 
+ #define DIV								\
+-- 
+1.9.1
+
-- 
1.9.1
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel



More information about the openwrt-devel mailing list