Hi,

I have been taking a look at some of the OpenWRT security hardening and discovered something puzzling.

It seems that OpenWRT sets the relevant flag to require uClibc to build with NOEXECSTACK set. This is good. (For one introduction to NOEXECSTACK, see http://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart )

However, on a MIPS build (specifically, a carambola2 target) on barrier breaker (and I think trunk, but I need to rerun my experiments there again) NX is missing from several uClibc .so files unless I hack an override in, which is apparently the 'non-preferred' method.

I had a chat on the uClibc list and they suggested I try different versions of binutils and, of course, the latest uClibc. So after a steep learning curve I worked out how to do that with OpenWRT, and the problem recurs. Currently the suspicion is on gcc.

In any case I thought at this point I would see if anyone else could repeat my findings before I delve much deeper.

So I was hoping someone could take a MIPS build and do the following:

* Download checksec from https://github.com/slimm609/checksec.sh
* Run it over their generated rootfs as follows:

cd staging_dir/target-xxxxx/root-xxxx

( in my case it was staging_dir/target-mips_34kc_uClibc-0.9.34-git/root-ar71xx )

for p in lib usr/lib sbin usr/sbin bin usr/bin ; do "$WRT_BUILDROOT_DIR"/checksec.sh/checksec.sh --dir "$p" ; done

and see if NX is enabled for at least all the uClibc libraries. It probably won't be for several of the packages at this stage, although I have a patch to force it without going through and fixing all the upstreams.

When I ran the above test against x86, all uClibc libraries had NX set as expected.

As an aside, I have a patch that will bring OpenWRT up to the September trunk of uClibc and the latest 2.24.51 binutils, if anyone is interested.

cheers,
--Andrew

--


http://blog.oldcomputerjunk.net
https://github.com/pastcompute
Twitter: @pastcompute
GPG: http://www.andrewmcdonnell.net/gpg.html
_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel

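The check the loop above relies on is a single program-header lookup: checksec.sh runs readelf and looks at the PT_GNU_STACK entry, reporting NX disabled when that entry is marked RWE or is missing altogether. The following is an added example for this thread, not code from the mail, from checksec.sh or from OpenWRT. It reads PT_GNU_STACK straight out of the ELF program headers, handling ELF32/ELF64 in either byte order, so it can be run on an x86 build host over a big-endian MIPS rootfs without a cross readelf. The sample images, the `make_elf` builder and the names `gnu_stack_flags`, `nx_status` and `scan_dir` are all constructed for this example. A file with no PT_GNU_STACK is reported as disabled, since without the header the kernel falls back to an executable stack on most Linux architectures.

```python
"""Report the NX (non-executable stack) state of ELF files by reading the
PT_GNU_STACK program header, the check checksec.sh performs via readelf.
Added example, not code from the original mail, checksec.sh or OpenWRT.
Sample images are constructed (headers only, not loadable objects)."""
import os
import struct
import sys

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def gnu_stack_flags(data):
    """Return p_flags of the PT_GNU_STACK header, or None if it is absent.
    Raises ValueError for anything that is not a parseable ELF image."""
    if len(data) < 0x34 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or encoding")
    end = "<" if ei_data == 1 else ">"
    if ei_class == 1:   # ELF32: e_phoff at 0x1c, e_phentsize/e_phnum at 0x2a
        e_phoff = struct.unpack_from(end + "I", data, 0x1C)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
        phdr_fmt, flags_idx = end + "IIIIIIII", 6   # p_flags is the 7th field
    else:               # ELF64: e_phoff at 0x20, e_phentsize/e_phnum at 0x36
        if len(data) < 0x40:
            raise ValueError("truncated ELF64 header")
        e_phoff = struct.unpack_from(end + "Q", data, 0x20)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        phdr_fmt, flags_idx = end + "IIQQQQQQ", 1    # p_flags follows p_type
    if e_phentsize < struct.calcsize(phdr_fmt):
        raise ValueError("bad e_phentsize")
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + struct.calcsize(phdr_fmt) > len(data):
            raise ValueError("program header table truncated")
        ph = struct.unpack_from(phdr_fmt, data, off)
        if ph[0] == PT_GNU_STACK:
            return ph[flags_idx]
    return None


def nx_status(data):
    """Classify like checksec's NX column. A missing PT_GNU_STACK counts as
    disabled: without the header the kernel defaults to an executable stack
    on most architectures, so the binary gets no NX protection."""
    flags = gnu_stack_flags(data)
    if flags is None:
        return "NX disabled (no PT_GNU_STACK)"
    if flags & PF_X:
        return "NX disabled (PT_GNU_STACK RWE)"
    return "NX enabled"


def scan_dir(path):
    """Map relative path -> NX status for every regular ELF file under path,
    e.g. staging_dir/target-.../root-ar71xx/lib. Non-ELF files are skipped."""
    results = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            if os.path.islink(full):
                continue
            with open(full, "rb") as fh:
                data = fh.read()
            try:
                results[os.path.relpath(full, path)] = nx_status(data)
            except ValueError:
                pass
    return results


def make_elf(ei_class, ei_data, phdrs):
    """Constructed test data: a header-only ELF image (ET_DYN, EM_MIPS) with
    the given (p_type, p_flags) program headers. Not a loadable object."""
    end = "<" if ei_data == 1 else ">"
    ident = struct.pack("<4sBBBBB7s", b"\x7fELF", ei_class, ei_data, 1, 0, 0, b"\0" * 7)
    if ei_class == 1:
        ehsize, phentsize, shentsize = 0x34, 0x20, 0x28
        ehdr = ident + struct.pack(end + "HHIIIIIHHHHHH", 3, 8, 1, 0, ehsize, 0, 0,
                                   ehsize, phentsize, len(phdrs), shentsize, 0, 0)
        table = b"".join(struct.pack(end + "IIIIIIII", t, 0, 0, 0, 0, 0, f, 16)
                         for t, f in phdrs)
    else:
        ehsize, phentsize, shentsize = 0x40, 0x38, 0x40
        ehdr = ident + struct.pack(end + "HHIQQQIHHHHHH", 3, 8, 1, 0, ehsize, 0, 0,
                                   ehsize, phentsize, len(phdrs), shentsize, 0, 0)
        table = b"".join(struct.pack(end + "IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 16)
                         for t, f in phdrs)
    return ehdr + table


# (EI_CLASS, EI_DATA): ELF32 big-endian as on ar71xx, ELF64 little-endian as on x86_64.
MIPS_BE, X86_64 = (1, 2), (2, 1)
SAMPLES = {  # constructed, names are labels only
    "mips32be-rw-stack":     make_elf(*MIPS_BE, [(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W)]),
    "mips32be-rwe-stack":    make_elf(*MIPS_BE, [(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X)]),
    "mips32be-no-gnu-stack": make_elf(*MIPS_BE, [(PT_LOAD, PF_R | PF_X)]),
    "x86_64-rw-stack":       make_elf(*X86_64, [(PT_GNU_STACK, PF_R | PF_W)]),
}


def check_samples():
    return {name: nx_status(img) for name, img in SAMPLES.items()}


if __name__ == "__main__":
    report = scan_dir(sys.argv[1]) if len(sys.argv) > 1 else check_samples()
    for name, status in sorted(report.items()):
        print(f"{status:32} {name}")
```

Run it with no argument to see the three outcomes on the constructed samples, or point it at one of the rootfs directories from the loop above (for example `python3 nxcheck.py staging_dir/target-mips_34kc_uClibc-0.9.34-git/root-ar71xx/lib`) to get one line per ELF file. It only reproduces checksec's NX column; RELRO, stack canaries and PIE are not examined. Both the `RWE` case (the toolchain emitted PT_GNU_STACK but marked it executable) and the missing-header case (a link step or linker flag dropped the header entirely) show up as NX disabled, and distinguishing them is useful when deciding whether to blame gcc, binutils or the uClibc build flags.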