Hi Kees,

On Mon, Aug 24, 2009 at 07:04:01PM -0700, Kees Cook wrote:
> It seems that john is built (in some situation) against assembly code that
> lacks stack markings[1].  This results in the entire program being built
> with an executable stack.
> The attached patch solves this by adding a default ASFLAGS option to turn
> off executable stacks when assembling.

Yes, I am aware of this issue - for some years now, in fact.  I did not
fix it yet because I was worried that the proposed fixes would break
portability to some older and/or non-Linux systems, and I did not have
time to check (had more important stuff to do).  Well, I checked the
.section approach as used by Gentoo on an 11-year-old Linux system
just recently - and it worked (in the sense that it did not break the
compile).  So I think I will just use it with a proper #ifdef.

As to the ASFLAGS change, it does break things on this same ancient system:

gcc -c -Wa,--noexecstack x86.S
/usr/i486-linux/bin/as: unrecognized option `--noexecstack'

GNU assembler version 980303 (i586-linux), using BFD version

Meanwhile, it is up to you to choose any of these approaches for the
Debian and Ubuntu packages.

On a related note, I think that exec-shield lacks an enforcing mode
(sysctl'able) where it would ignore those flags, because most binaries
that it treats as potentially requiring executable stack actually don't.



Pkg-john-devel mailing list