oss-sec mailing list archives
Re: GCC Compiler Induced Vulnerability - affects programs compiled with GCC 7 and 8 containing nested functions
From: Florian Weimer <fweimer () redhat com>
Date: Mon, 22 Oct 2018 23:16:00 +0200
* Andrew Sandoval:
> Will Webroot communicate this to the public?
>
> Webroot believes in responsible disclosure and will work with third
> parties to ensure that the vulnerability is addressed before a public
> announcement. We are happy to work with your communications team on
> announcement timing.

This is already public because oss-security is a public mailing list.

Most GNU/Linux distributions ensure that only very special binaries (such as some versions of the Ada compiler) enable executable stacks. In our experience, if the toolchain produces a binary that requests an executable stack, it is more likely due to manually written assembler files without the required stack executability markup section, and not due to nested C functions whose address escapes. Without scanning built binaries for these discrepancies, such cases could easily be missed.

Please also note that an executable stack is not a vulnerability itself, and it is not directly exploitable. (The same applies to the lack of Intel CET support in binaries.)

Thanks,
Florian