Patches item #1560695, was opened at 2006-09-18 12:23
Message generated for change (Comment added) made by masterdriverz
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=305470&aid=1560695&group_id=5470
Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Chaza (masterdriverz)
Assigned to: Nobody/Anonymous (nobody)
Summary: Exec stacks in python 2.5

Initial Comment:
Python 2.5 contains executable stacks. Attached patch fixes this.

----------------------------------------------------------------------

>Comment By: Chaza (masterdriverz)
Date: 2006-09-21 11:51

Message:
Logged In: YES
user_id=1096685

No, sorry, I've badly described the situation in the previous post.

This patch explicitly tells GCC to not make the stack executable for Python-2.5c1/Modules/_ctypes/libffi/src/x86/sysv.S; this means that it should execute successfully on a hardened system. Without this patch, GCC guesses (incorrectly) that sysv.o requires an executable stack, and sets it accordingly. This can cause execution to fail if Exec Shield is enabled on hardened systems.

Basically it's just better practice to explicitly mark whether assembly code needs an executable stack or not, and for the most part, it doesn't.

For more info (since I'm not brilliant at explaining this) see:
http://people.redhat.com/drepper/nonselsec.pdf (particularly Appendix A and Exec Shield)
http://people.redhat.com/drepper/selinux-mem.html
http://www.gentoo.org/proj/en/hardened/gnu-stack.xml
or drop into #gentoo-hardened on Freenode.

----------------------------------------------------------------------

Comment By: Martin v. Löwis (loewis)
Date: 2006-09-20 17:05

Message:
Logged In: YES
user_id=21627

Ah, so the patch doesn't actually fix that Python 2.5 contains executable stacks. It rather makes it execute successfully on a hardened system.

Still, I don't understand what you mean by "Python contains executable stacks". Where does it do so? And what precisely breaks on a hardened system when Python is running on it?
----------------------------------------------------------------------

Comment By: Chaza (masterdriverz)
Date: 2006-09-20 11:58

Message:
Logged In: YES
user_id=1096685

It is probably best summed up here -> http://www.gentoo.org/proj/en/hardened/gnu-stack.xml
but put simply, executable stacks don't work on hardened systems. The simplest way to fix them is to explicitly tell gcc to compile libraries without executable stacks.

----------------------------------------------------------------------

Comment By: Martin v. Löwis (loewis)
Date: 2006-09-20 06:26

Message:
Logged In: YES
user_id=21627

Can you please elaborate? What is an "executable stack", why does Python have one, why is that bad, and how does your patch fix that?

----------------------------------------------------------------------

_______________________________________________
Patches mailing list
Patches@python.org
http://mail.python.org/mailman/listinfo/patches
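The thread turns on one fact that is easy to verify and easy to miss: the linker records its executable-stack decision in the PT_GNU_STACK program header of the resulting object or shared library, and an assembly source without a .note.GNU-stack marker makes GCC/ld fall back to "executable". The following script is an added example, not part of the tracker item, the attached patch, or CPython; it reads that program header directly (the same information `readelf -lW <file> | grep GNU_STACK` shows) so a build can be audited for objects that would trip Exec Shield or PaX. The `build_elf64` helper constructs a minimal ELF image purely so the check runs offline; it is not a real executable, and the field layouts follow the ELF specification.

```python
import struct
import sys

# Program-header type and flag constants from the ELF specification.
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def gnu_stack_flags(data: bytes):
    """Return the p_flags of the PT_GNU_STACK program header, or None if the
    image carries no such header. Handles ELF32/ELF64 in either byte order."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"
    if ei_class == 1:  # ELF32: e_phoff @0x1C, e_phentsize @0x2A, e_phnum @0x2C
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
        phdr_fmt = end + "IIIIIIII"  # p_type,p_offset,p_vaddr,p_paddr,p_filesz,p_memsz,p_flags,p_align
        flags_idx = 6
    elif ei_class == 2:  # ELF64: e_phoff @0x20, e_phentsize @0x36, e_phnum @0x38
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        phdr_fmt = end + "IIQQQQQQ"  # p_type,p_flags,p_offset,p_vaddr,p_paddr,p_filesz,p_memsz,p_align
        flags_idx = 1
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    for i in range(e_phnum):
        fields = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if fields[0] == PT_GNU_STACK:
            return fields[flags_idx]
    return None


def stack_verdict(flags):
    """Classify the PT_GNU_STACK flags the way a hardened kernel will act on them."""
    if flags is None:
        # No marker at all: loader and kernel fall back to their legacy default,
        # which on x86 Linux has traditionally meant an executable stack.
        return "unmarked"
    return "executable" if flags & PF_X else "non-executable"


def audit_file(path: str) -> str:
    """Verdict for an on-disk object, shared library or executable."""
    with open(path, "rb") as fh:
        return stack_verdict(gnu_stack_flags(fh.read()))


def build_elf64(stack_flags: int, end: str = "<") -> bytes:
    """Constructed sample (not a real program): a minimal ELF64 image whose only
    program header is PT_GNU_STACK with the given flags, for offline testing."""
    e_ident = b"\x7fELF" + bytes([2, 1 if end == "<" else 2, 1]) + bytes(9)
    ehdr = e_ident + struct.pack(
        end + "HHIQQQIHHHHHH",
        2, 62, 1,       # e_type=ET_EXEC, e_machine=EM_X86_64, e_version
        0, 64, 0,       # e_entry, e_phoff (directly after the header), e_shoff
        0, 64, 56, 1,   # e_flags, e_ehsize, e_phentsize, e_phnum
        0, 0, 0,        # e_shentsize, e_shnum, e_shstrndx
    )
    phdr = struct.pack(end + "IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


if __name__ == "__main__":
    # Self-check on the constructed samples, then audit any paths given on the command line.
    assert stack_verdict(gnu_stack_flags(build_elf64(PF_R | PF_W))) == "non-executable"
    assert stack_verdict(gnu_stack_flags(build_elf64(PF_R | PF_W | PF_X))) == "executable"
    for p in sys.argv[1:]:
        print("%-40s %s" % (p, audit_file(p)))
```

Run it over the build tree (for example `python audit_stack.py build/lib*/*.so`) and anything reported as "executable" or "unmarked" is a candidate for the treatment the Gentoo gnu-stack document describes: give the assembly source an empty `.note.GNU-stack` section so the assembler emits the marker and the linker no longer has to guess. Note that "unmarked" is not safe either; the absence of the header is exactly the condition that makes the toolchain and kernel assume the worst.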