This patch ensures that libgcc_s.so properly honours the NOEXECSTACK flag
for MIPS builds, when gcc-linaro-4.8 is the chosen C compiler.
Signed-off-by: Andrew McDonnell <b...@andrewmcdonnell.net>
---
Extended Summary: NOEXECSTACK is a security hardening feature of Linux that
prevents execution of arbitrary code for some classes of buffer overflow.
When the binaries and libraries in a firmware image are scanned with the
checksec tool [1,2] on x86 OpenWRT firmware all have the marking, but in MIPS
firmware very few have the marking.
To cut a long story short, libgcc_s.so is built in a way that causes it to
have an executable stack, and because most other binaries and libraries are
linked to this library, they in turn also have an executable stack. The fix
for this is a backport patch against the development of gcc. [3,4]
[1] https://github.com/slimm609/checksec.sh
[2] http://www.trapkit.de/tools/checksec.html
[3] http://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart
[4] https://gcc.gnu.org/ml/gcc-patches/2014-09/msg02430.html
This is probably required against gc 4.6 and gcc 4.8 as well.
.../4.8-linaro/930-fix-mips-noexecstack.patch | 124 +++++++++++++++++++++
1 file changed, 124 insertions(+)
create mode 100644
toolchain/gcc/patches/4.8-linaro/930-fix-mips-noexecstack.patch
diff --git a/toolchain/gcc/patches/4.8-linaro/930-fix-mips-noexecstack.patch
b/toolchain/gcc/patches/4.8-linaro/930-fix-mips-noexecstack.patch
new file mode 100644
index 0000000..81deda6
--- /dev/null
+++ b/toolchain/gcc/patches/4.8-linaro/930-fix-mips-noexecstack.patch
@@ -0,0 +1,124 @@
+From da45b3fde60095756f5f6030f6012c23a3d34429 Mon Sep 17 00:00:00 2001
+From: Andrew McDonnell <b...@andrewmcdonnell.net>
+Date: Fri, 3 Oct 2014 19:09:00 +0930
+Subject: Add .note.GNU-stack section
+
+See http://lists.busybox.net/pipermail/uclibc/2014-October/048671.html
+Below copied from https://gcc.gnu.org/ml/gcc-patches/2014-09/msg02430.html
+
+Re: [Patch, MIPS] Add .note.GNU-stack section
+
+ From: Steve Ellcey <sellcey at mips dot com>
+
+On Wed, 2014-09-10 at 10:15 -0700, Eric Christopher wrote:
+>
+>
+> On Wed, Sep 10, 2014 at 9:27 AM, <pins...@gmail.com> wrote:
+
+> This works except you did not update the assembly files in
+> libgcc or glibc. We (Cavium) have the same patch in our tree
+> for a few released versions.
+
+> Mind just checking yours in then Andrew?
+
+> Thanks!
+> -eric
+
+I talked to Andrew about what files he changed in GCC and created and
+tested this new patch. Andrew also mentioned changing some assembly
+files in glibc but I don't see any use of '.section .note.GNU-stack' in
+any assembly files in glibc (for any platform) so I wasn't planning on
+creating a glibc to add them to mips glibc assembly language files.
+
+OK to check in this patch?
+
+Steve Ellcey
+sell...@mips.com
+
+
+
+2014-09-26 Steve Ellcey <sell...@mips.com>
+---
+ gcc/config/mips/mips.c | 3 +++
+ libgcc/config/mips/crti.S | 4 ++++
+ libgcc/config/mips/crtn.S | 3 +++
+ libgcc/config/mips/mips16.S | 4 ++++
+ libgcc/config/mips/vr4120-div.S | 4 ++++
+ 5 files changed, 18 insertions(+)
+
+diff --git a/gcc/config/mips/mips.c b/gcc/config/mips/mips.c
+index 41c5d6b..33d9793 100644
+--- a/gcc/config/mips/mips.c
++++ b/gcc/config/mips/mips.c
+@@ -18223,6 +18223,9 @@ mips_expand_vec_minmax (rtx target, rtx op0, rtx op1,
+ #undef TARGET_VECTORIZE_VEC_PERM_CONST_OK
+ #define TARGET_VECTORIZE_VEC_PERM_CONST_OK mips_vectorize_vec_perm_const_ok
+
++#undef TARGET_ASM_FILE_END
++#define TARGET_ASM_FILE_END file_end_indicate_exec_stack
++
+ struct gcc_target targetm = TARGET_INITIALIZER;
+ �
+ #include "gt-mips.h"
+diff --git a/libgcc/config/mips/crti.S b/libgcc/config/mips/crti.S
+index c7418db..e5f2762 100644
+--- a/libgcc/config/mips/crti.S
++++ b/libgcc/config/mips/crti.S
+@@ -21,6 +21,10 @@ a copy of the GCC Runtime Library Exception along with this
program;
+ see the files COPYING3 and COPYING.RUNTIME respectively. If not, see
+ <http://www.gnu.org/licenses/>. */
+
++
++/* An executable stack is *not* required for these functions. */
++ .section .note.GNU-stack,"",%progbits
++
+ /* 4 slots for argument spill area. 1 for cpreturn, 1 for stack.
+ Return spill offset of 40 and 20. Aligned to 16 bytes for n32. */
+
+diff --git a/libgcc/config/mips/crtn.S b/libgcc/config/mips/crtn.S
+index 59d1a90..5cc03bf 100644
+--- a/libgcc/config/mips/crtn.S
++++ b/libgcc/config/mips/crtn.S
+@@ -21,6 +21,9 @@ a copy of the GCC Runtime Library Exception along with this
program;
+ see the files COPYING3 and COPYING.RUNTIME respectively. If not, see
+ <http://www.gnu.org/licenses/>. */
+
++/* An executable stack is *not* required for these functions. */
++ .section .note.GNU-stack,"",%progbits
++
+ /* 4 slots for argument spill area. 1 for cpreturn, 1 for stack.
+ Return spill offset of 40 and 20. Aligned to 16 bytes for n32. */
+
+diff --git a/libgcc/config/mips/mips16.S b/libgcc/config/mips/mips16.S
+index ab3a794..4ded5da 100644
+--- a/libgcc/config/mips/mips16.S
++++ b/libgcc/config/mips/mips16.S
+@@ -27,6 +27,10 @@ see the files COPYING3 and COPYING.RUNTIME respectively.
If not, see
+ values using the soft-float calling convention, but do the actual
+ operation using the hard floating point instructions. */
+
++/* An executable stack is *not* required for these functions. */
++ .section .note.GNU-stack,"",%progbits
++ .previous
++
+ #if defined _MIPS_SIM && (_MIPS_SIM == _ABIO32 || _MIPS_SIM == _ABIO64)
+
+ /* This file contains 32-bit assembly code. */
+diff --git a/libgcc/config/mips/vr4120-div.S b/libgcc/config/mips/vr4120-div.S
+index 6e9242a..1e260cd 100644
+--- a/libgcc/config/mips/vr4120-div.S
++++ b/libgcc/config/mips/vr4120-div.S
+@@ -26,6 +26,10 @@ see the files COPYING3 and COPYING.RUNTIME respectively.
If not, see
+ -mfix-vr4120. div and ddiv do not give the correct result when one
+ of the operands is negative. */
+
++/* An executable stack is *not* required for these functions. */
++ .section .note.GNU-stack,"",%progbits
++ .previous
++
+ .set nomips16
+
+ #define DIV \
+--
+1.9.1
+
--
1.9.1
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
