oss-sec mailing list archives
Re: GCC Compiler Induced Vulnerability - affects programs compiled with GCC 7 and 8 containing nested functions
From: Ramon de C Valle <rcvalle () live com>
Date: Tue, 23 Oct 2018 00:22:28 +0000
This is already public because oss-security is a public mailing list. Most GNU/Linux distributions ensure that only very special binaries (such as some versions of the Ada compiler) enable executable stacks. In our experience, if the toolchain produces a binary that requests an executable stack, it is more likely due to manually written assembler files without the required stack executability markup section, and not due to nested C functions whose address escapes. Without scanning built binaries for these discrepancies, such cases could easily be missed. Please also note that an executable stack is not a vulnerability itself, and it is not directly exploitable. (The same applies to the lack of Intel CET support in binaries.)
While I agree with that I still think that this extension (or its name) is misleading, see https://lkml.org/lkml/2012/1/9/138. The PF_X flag set in the PT_GNU_STACK segment header or the absence of the PT_GNU_STACK segment header can result in an application unnoticeably having not only the stack, but also all readable virtual memory mappings also executable. Ramon de C Valle
Current thread:
- GCC Compiler Induced Vulnerability - affects programs compiled with GCC 7 and 8 containing nested functions Andrew Sandoval (Oct 22)
- Re: GCC Compiler Induced Vulnerability - affects programs compiled with GCC 7 and 8 containing nested functions Florian Weimer (Oct 22)
- Re: GCC Compiler Induced Vulnerability - affects programs compiled with GCC 7 and 8 containing nested functions Ramon de C Valle (Oct 23)
- Re: GCC Compiler Induced Vulnerability - affects programs compiled with GCC 7 and 8 containing nested functions Solar Designer (Oct 23)
- Re: GCC Compiler Induced Vulnerability - affects programs compiled with GCC 7 and 8 containing nested functions Jordan Glover (Oct 24)
- Re: GCC Compiler Induced Vulnerability - affects programs compiled with GCC 7 and 8 containing nested functions Florian Weimer (Oct 22)
- Re: GCC Compiler Induced Vulnerability - affects programs compiled with GCC 7 and 8 containing nested functions Mikhail Klementev (Oct 23)
- Re: GCC Compiler Induced Vulnerability - affects programs compiled with GCC 7 and 8 containing nested functions Yann Droneaud (Oct 23)
- Re: GCC Compiler Induced Vulnerability - affects programs compiled with GCC 7 and 8 containing nested functions Matthew Fernandez (Oct 23)