oss-sec mailing list archives

Re: GCC Compiler Induced Vulnerability - affects programs compiled with GCC 7 and 8 containing nested functions


From: Florian Weimer <fweimer () redhat com>
Date: Mon, 22 Oct 2018 23:16:00 +0200

* Andrew Sandoval:

>> Will Webroot communicate this to the public?
> Webroot believes in responsible disclosure and will work with third parties to
> ensure that the vulnerability is addressed before a public announcement. We
> are happy to work with your communications team on announcement timing.

This is already public because oss-security is a public mailing list.

Most GNU/Linux distributions ensure that only very special binaries
(such as some versions of the Ada compiler) enable executable stacks.
In our experience, if the toolchain produces a binary that requests an
executable stack, it is more likely due to manually written assembler
files without the required stack executability markup section, and not
due to nested C functions whose address escapes.  Without scanning built
binaries for these discrepancies, such cases could easily be missed.

Please also note that an executable stack is not a vulnerability itself,
and it is not directly exploitable.  (The same applies to the lack of
Intel CET support in binaries.)

Thanks,
Florian

