From 04158cd40e184e2325a7a0e5fef232cce038cc4b Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Sun, 21 Dec 2014 23:14:02 -0600 Subject: [PATCH 1/4] do not mark GNU_STACK WX in ELFs generated from assembly When generating ELF objects from assembly, gcc and clang mark the GNU_STACK program headers as RWX by default. This is a security issue, so we make sure it is marked only RW. This modifies Anthony G. Basile's original patch for Linux to set .note.GNU-stack whenever the assembler supports it. It is surprising that any modern toolchain would enable an executable stack without an explicit request. The number of programs that need an executable stack is surely much smaller than the number of programs that include assembly. --- configure.ac | 13 ++++++++++++- update.sh | 10 ++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index e56e39d..bdb015b 100644 --- a/configure.ac +++ b/configure.ac @@ -57,7 +57,6 @@ AC_CHECK_FUNC([clock_gettime],, AC_CHECK_FUNC([dl_iterate_phdr],, [AC_SEARCH_LIBS([dl_iterate_phdr],[dl])]) -AM_PROG_AS AC_PROG_CC AC_PROG_LIBTOOL AC_PROG_CC_STDC @@ -73,6 +72,18 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], ) CFLAGS="$save_cflags $AM_CFLAGS" +save_cflags="$CFLAGS" +CFLAGS= +AC_MSG_CHECKING([whether AS supports .note.GNU-stack]) +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +__asm__(".section .note.GNU-stack,\"\",@progbits");]])], + [AC_MSG_RESULT([yes])] + [AM_CFLAGS=-DHAVE_GNU_STACK], + [AC_MSG_RESULT([no])] +) +CFLAGS="$save_cflags $AM_CFLAGS" +AM_PROG_AS + AC_MSG_CHECKING([if compiling with clang]) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([], [[ #ifndef __clang__ diff --git a/update.sh b/update.sh index c49f7eb..c8ec876 100755 --- a/update.sh +++ b/update.sh @@ -125,10 +125,20 @@ $CP crypto/compat/ui_openssl_win.c crypto/ui asm_src=$libssl_src/src/crypto gen_asm_stdout() { perl $asm_src/$2 $1 > $3.tmp + [[ $1 == "elf" ]] && cat <<-EOF >> $3.tmp + #if defined(HAVE_GNU_STACK) + .section .note.GNU-stack,"",%progbits + #endif + EOF $MV $3.tmp $3 } gen_asm() { perl $asm_src/$2 $1 $3.tmp + [[ $1 == "elf" ]] && cat <<-EOF >> $3.tmp + #if defined(HAVE_GNU_STACK) + .section .note.GNU-stack,"",%progbits + #endif + EOF $MV $3.tmp $3 } for abi in elf macosx; do From 23c90228ac36f6afeb4fbeb5b4891dad120fec4b Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Sat, 27 Dec 2014 16:34:02 -0600 Subject: [PATCH 2/4] enable __STRICT_ALIGNMENT on sparc --- configure.ac | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/configure.ac b/configure.ac index bdb015b..d5382a9 100644 --- a/configure.ac +++ b/configure.ac @@ -45,6 +45,12 @@ case $host_os in *) ;; esac +case $host_cpu in + *sparc*) + CFLAGS="$CFLAGS -D__STRICT_ALIGNMENT" + ;; +esac + AM_CONDITIONAL([HOST_DARWIN], [test x$HOST_OS = xdarwin]) AM_CONDITIONAL([HOST_FREEBSD], [test x$HOST_OS = xfreebsd]) AM_CONDITIONAL([HOST_LINUX], [test x$HOST_OS = xlinux]) From c83d468cfd5d3ca60a499b69c0b7c9d0b159d405 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Sat, 27 Dec 2014 16:34:48 -0600 Subject: [PATCH 3/4] do not double-link libcrypto libssl already has LIBFLAGS for libcrypto, so adding -lcrypto is superfluous. --- apps/Makefile.am | 1 - tests/Makefile.am.tpl | 1 - 2 files changed, 2 deletions(-) diff --git a/apps/Makefile.am b/apps/Makefile.am index 769a033..16f88ad 100644 --- a/apps/Makefile.am +++ b/apps/Makefile.am @@ -5,7 +5,6 @@ bin_PROGRAMS = openssl openssl_CFLAGS = $(USER_CFLAGS) openssl_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD) openssl_LDADD += $(top_builddir)/ssl/libssl.la -openssl_LDADD += $(top_builddir)/crypto/libcrypto.la openssl_SOURCES = apps.c openssl_SOURCES += asn1pars.c diff --git a/tests/Makefile.am.tpl b/tests/Makefile.am.tpl index b2a4920..fb3986b 100644 --- a/tests/Makefile.am.tpl +++ b/tests/Makefile.am.tpl @@ -5,7 +5,6 @@ AM_CPPFLAGS += -I $(top_srcdir)/crypto/asn1 LDADD = $(PLATFORM_LDADD) $(PROG_LDADD) LDADD += $(top_builddir)/ssl/libssl.la -LDADD += $(top_builddir)/crypto/libcrypto.la TESTS = check_PROGRAMS = From 9adc6d64588e32b6becf3c94f30c0a1b05702687 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Sat, 27 Dec 2014 16:52:25 -0600 Subject: [PATCH 4/4] Revert "do not double-link libcrypto" This reverts commit c83d468cfd5d3ca60a499b69c0b7c9d0b159d405. It wasn't as superfluous as I thought on all platforms. --- apps/Makefile.am | 1 + tests/Makefile.am.tpl | 1 + 2 files changed, 2 insertions(+) diff --git a/apps/Makefile.am b/apps/Makefile.am index 16f88ad..769a033 100644 --- a/apps/Makefile.am +++ b/apps/Makefile.am @@ -5,6 +5,7 @@ bin_PROGRAMS = openssl openssl_CFLAGS = $(USER_CFLAGS) openssl_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD) openssl_LDADD += $(top_builddir)/ssl/libssl.la +openssl_LDADD += $(top_builddir)/crypto/libcrypto.la openssl_SOURCES = apps.c openssl_SOURCES += asn1pars.c diff --git a/tests/Makefile.am.tpl b/tests/Makefile.am.tpl index fb3986b..b2a4920 100644 --- a/tests/Makefile.am.tpl +++ b/tests/Makefile.am.tpl @@ -5,6 +5,7 @@ AM_CPPFLAGS += -I $(top_srcdir)/crypto/asn1 LDADD = $(PLATFORM_LDADD) $(PROG_LDADD) LDADD += $(top_builddir)/ssl/libssl.la +LDADD += $(top_builddir)/crypto/libcrypto.la TESTS = check_PROGRAMS =