Hi Alexander,

On Tue, Aug 25, 2009 at 04:52:06PM +0400, Solar Designer wrote:
> On Mon, Aug 24, 2009 at 07:04:01PM -0700, Kees Cook wrote:
> > It seems that john is built (in some situation) against assembly code that
> > lacks stack markings. This results in the entire program being built
> > with an executable stack.
> >
> > The attached patch solves this by adding a default ASFLAGS option to turn
> > off executable stacks when assembling.
>
> Yes, I am aware of this issue - for some years now, in fact. I did not
> fix it yet because I was worried that the proposed fixes would break
> portability to some older and/or non-Linux systems, and I did not have
> time to check (had more important stuff to do). Well, I checked the
> .section approach as used by Gentoo on an 11 years old Linux system
> just recently - and it worked (in the sense that it did not break the
> compile). So I think I will just use it with a proper #ifdef.

Ah, perfect. Generally it's up in the air which is better (ifdef'ing each .s
file, or a version-sensitive ASFLAGS). Thanks for looking into it!

> Meanwhile, it is up to you to choose any of these approaches for the
> Debian and Ubuntu packages.

Sure thing. Since we've already got specific versions of compilers, I think
ASFLAGS is the smallest patch, so we'll probably keep that until we pull the
exec-stack-fixed version of john. :)

> On a related note, I think that exec-shield lacks an enforcing mode
> (sysctl'able) where it would ignore those flags, because most binaries
> that it treats as potentially requiring executable stack actually don't.

Well, the memory-protection bits are mainline (not part of the exec-shield
patches), but yes, the ELF loader non-optionally sets the memory protections
based on GNU_STACK flags.

-Kees

--
Kees Cook
@debian.org