[Tinycc-devel] Re: lib/alloca*: mark ELF stack access flags as nonexecut

From: Sergei Trofimovich
Subject: [Tinycc-devel] Re: lib/alloca*: mark ELF stack access flags as nonexecutable
Date: Thu, 6 Jan 2011 21:09:24 +0200

On Thu, 06 Jan 2011 19:38:36 +0100
grischka <address@hidden> wrote:

> > So my goal is to harden the project I use a little bit more. It might sound
> > too paranoid in respect to the compiler, but tcc is one of rare packages in my
> > system violating nonexecutable stack policy (Gentoo has an automatic checker
> > for such packages).
> How does tcc violate that stack policy?

It installs a suspicious library file (libtcc1.a) to the system, which violates
QA checks.
It always generates execstack binaries (not fixed yet).
In theory (very unlikely, but possible) libtcc1.a could be used by gcc/ld
directly (for example to test/use this tiny lib).

> A section named ".note.GNU-stack" has no special meaning to tcc's
> built-in linker.

Aha. tcc's linker was my next target to look at (it seems its output still upsets
valgrind as well).

> > Does that explanation sound good enough to keep this change?
> Well, it sounds like the change would improve security.  Does it?

Yes. Alas it still needs tcc's linker's support as well.

> Aside from that, would this code, compiled with gcc or tcc, run on
> your "hardened" system?
>      int main()
>      {
>          char xxx[] = { 0xc3 };
>          ((void(*)(void))xxx)();
>          return 0;
>      }

On hardened box (W^X is enforced by kernel):
$ cat > main.c
     int main()
     {
         char xxx[] = { 0xc3 };
         ((void(*)(void))xxx)();
         return 0;
     }
$ gcc main.c -o main.gcc
$ tcc main.c -o main.tcc
$ ./main.gcc
PAX: execution attempt in: <anonymous mapping>, 74c0ebfa9000-74c0ebfcb000 
PAX: terminating task: /tmp/z/main.gcc(main.gcc):17500, uid/euid: 1000/1000, 
PC: 000074c0ebfc9277, SP: 000074c0ebfc9268

$ ./main.tcc 
PAX: terminating task: /tmp/z/main.tcc(main.tcc):17706, uid/euid: 1000/1000, 
PC: 0000719781b5175f, SP: 0000719781b51748

This example should not work on a stock system either:
On a nonhardened box:
$ ./main.gcc
Segmentation fault

[sf] /tmp/z:./main.tcc 
[sf] /tmp/z: # ooops, needs to be fixed!
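A check of the kind the Gentoo QA tool performs, as an added example (my own code, not tcc's or pax-utils'): it parses the ELF64 program headers and reads the PT_GNU_STACK flags that ld derives from the .note.GNU-stack sections of its inputs, so a binary from a linker that ignores that section shows up with the header missing. The sample ELF images are constructed inline.

```python
import struct

PT_LOAD, PT_GNU_STACK = 1, 0x6474E551   # PT_GNU_STACK carries the stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
EHDR64 = struct.Struct("<16sHHIQQQIHHHHHH")  # 64-byte ELF64 file header
PHDR64 = struct.Struct("<IIQQQQQQ")           # 56-byte ELF64 program header


def gnu_stack_flags(data):
    """Return p_flags of the PT_GNU_STACK header, or None if there is none.
    Only little-endian ELF64 is handled; anything else raises ValueError."""
    if len(data) < EHDR64.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is supported here")
    fields = EHDR64.unpack_from(data)
    phoff, phentsize, phnum = fields[5], fields[9], fields[10]
    for i in range(phnum):
        p_type, p_flags = struct.unpack_from("<II", data, phoff + i * phentsize)
        if p_type == PT_GNU_STACK:
            return p_flags
    return None


def stack_is_executable(data):
    """True when the loader would map the stack executable (what a W^X kernel
    such as PaX refuses).  A missing PT_GNU_STACK counts as executable: that is
    the historical x86 Linux default and what an execstack QA check flags."""
    flags = gnu_stack_flags(data)
    return flags is None or bool(flags & PF_X)


def make_elf(phdrs):
    """Constructed minimal x86-64 ET_EXEC image with only the given
    (p_type, p_flags) program headers; sample input, not a real binary."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7  # ELF64, LE, v1
    ehdr = EHDR64.pack(ident, 2, 62, 1, 0, EHDR64.size, 0, 0,
                       EHDR64.size, PHDR64.size, len(phdrs), 0, 0, 0)
    body = b"".join(PHDR64.pack(t, f, 0, 0, 0, 0, 0, 0x10) for t, f in phdrs)
    return ehdr + body

# Constructed samples: the RW stack gcc/ld emit by default, an RWX "execstack"
# binary, and a binary whose linker emitted no PT_GNU_STACK at all.
GOOD = make_elf([(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W)])
EXECSTACK = make_elf([(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X)])
NO_HEADER = make_elf([(PT_LOAD, PF_R | PF_X)])

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("execstack", EXECSTACK), ("none", NO_HEADER)):
        print(f"{name}: executable stack = {stack_is_executable(blob)}")
```

Running it over a real file is just `stack_is_executable(open(path, "rb").read())`; an object file or archive member needs the .note.GNU-stack section check instead, which this block does not cover.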
