lib/glibc
1
0
Fork 0
mirror of https://sourceware.org/git/glibc.git synced 2025-07-30 22:43:12 +03:00
Code Activity
Files
master
glibc/sysdeps/unix/sysv/linux/mips/Makefile
Adhemerval Zanella 0ca8785a28 elf: Do not change stack permission on dlopen/dlmopen 
If some shared library loaded with dlopen/dlmopen requires an executable
stack, either implicitly because of a missing GNU_STACK ELF header
(where the ABI default flags implies in the executable bit) or explicitly
because of the executable bit from GNU_STACK; the loader will try to set
the both the main thread and all thread stacks (from the pthread cache)
as executable.

Besides the issue where any __nptl_change_stack_perm failure does not
undo the previous executable transition (meaning that if the library
fails to load, there can be thread stacks with executable stacks), this
behavior was used on a CVE [1] as a vector for RCE.

This patch changes that if a shared library requires an executable
stack, and the current stack is not executable, dlopen fails.  The
change is done only for dynamically loaded modules, if the program
or any dependency requires an executable stack, the loader will still
change the main thread before program execution and any thread created
with default stack configuration.

[1] https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt

Checked on x86_64-linux-gnu and i686-linux-gnu.

Reviewed-by: Florian Weimer <fweimer@redhat.com>
2024-12-31 09:04:20 -03:00

89 lines
2.9 KiB
Makefile
Raw Permalink Blame History

ifeq ($(subdir),signal)
#sysdep_routines += sigsuspend
endif
ifeq ($(subdir),misc)
sysdep_routines += cachectl cacheflush sysmips _test_and_set
sysdep_headers += sys/cachectl.h sys/sysmips.h sys/tas.h
endif
abi-variants := o32_soft o32_hard o32_soft_2008 o32_hard_2008
abi-variants += n32_soft n32_hard n32_soft_2008 n32_hard_2008
abi-variants += n64_soft n64_hard n64_soft_2008 n64_hard_2008
ifeq (,$(filter $(default-abi),$(abi-variants)))
Unknown ABI, must be one of $(abi-variants)
endif
abi-includes := sgidefs.h
# _MIPS_SIM_ABI32 == 1, _MIPS_SIM_NABI32 == 2, _MIPS_SIM_ABI64 == 3
abi-o32_soft-condition := !defined(__mips_nan2008) \
&& defined(__mips_soft_float) \
&& (_MIPS_SIM == _MIPS_SIM_ABI32)
abi-o32_hard-condition := !defined(__mips_nan2008) \
&& defined(__mips_hard_float) \
&& (_MIPS_SIM == _MIPS_SIM_ABI32)
abi-o32_soft_2008-condition := defined(__mips_nan2008) \
&& defined(__mips_soft_float) \
&& (_MIPS_SIM == _MIPS_SIM_ABI32)
abi-o32_hard_2008-condition := defined(__mips_nan2008) \
&& defined(__mips_hard_float) \
&& (_MIPS_SIM == _MIPS_SIM_ABI32)
abi-n32_soft-condition := !defined(__mips_nan2008) \
&& defined(__mips_soft_float) \
&& (_MIPS_SIM == _MIPS_SIM_NABI32)
abi-n32_hard-condition := !defined(__mips_nan2008) \
&& defined(__mips_hard_float) \
&& (_MIPS_SIM == _MIPS_SIM_NABI32)
abi-n32_soft_2008-condition := defined(__mips_nan2008) \
&& defined(__mips_soft_float) \
&& (_MIPS_SIM == _MIPS_SIM_NABI32)
abi-n32_hard_2008-condition := defined(__mips_nan2008) \
&& defined(__mips_hard_float) \
&& (_MIPS_SIM == _MIPS_SIM_NABI32)
abi-n64_soft-condition := !defined(__mips_nan2008) \
&& defined(__mips_soft_float) \
&& (_MIPS_SIM == _MIPS_SIM_ABI64)
abi-n64_hard-condition := !defined(__mips_nan2008) \
&& defined(__mips_hard_float) \
&& (_MIPS_SIM == _MIPS_SIM_ABI64)
abi-n64_soft_2008-condition := defined(__mips_nan2008) \
&& defined(__mips_soft_float) \
&& (_MIPS_SIM == _MIPS_SIM_ABI64)
abi-n64_hard_2008-condition := defined(__mips_nan2008) \
&& defined(__mips_hard_float) \
&& (_MIPS_SIM == _MIPS_SIM_ABI64)
ifeq ($(subdir),elf)
# If the compiler doesn't use GNU.stack note,
# this test is expected to fail.
ifneq ($(mips-has-gnustack),yes)
test-xfail-check-execstack = yes
CFLAGS-tst-execstack.c += -DDEFAULT_RWX_STACK=1
endif
endif
ifeq ($(subdir),stdlib)
gen-as-const-headers += ucontext_i.sym
endif
ifeq ($(subdir),nptl)
ifeq ($(mips-force-execstack),yes)
CFLAGS-tst-execstack-threads.c += -DDEFAULT_RWX_STACK=1
endif
endif
ifeq ($(mips-force-execstack),yes)
CFLAGS-.o += -Wa,-execstack
CFLAGS-.os += -Wa,-execstack
CFLAGS-.op += -Wa,-execstack
CFLAGS-.oS += -Wa,-execstack
ASFLAGS-.o += -Wa,-execstack
ASFLAGS-.os += -Wa,-execstack
ASFLAGS-.op += -Wa,-execstack
ASFLAGS-.oS += -Wa,-execstack
endif
View Git Blame Copy Permalink