Plan is: 1. This CL 2. Update the CI/CQ recipe to be able to run this 3. Update the CI/CQ config to enable this on ELF platforms 4. Do not land, but patch out the .note.GNU-stack annotations and -Wa,--noexecstack and confirm CI/CQ fails. Based on manual testing and https://crbug.com/boringssl/292#c4, I anticipate we'll only have coverage on x86 and x86_64 Linux. Currently, our only Arm Linux builders are Android, which use the LLVM linker. The LLVM linker doesn't have this design flaw, so it doesn't need .note.GNU-stack in the first place. It also sounds like GNU ld will make this moot in a future release. 5. Remove -Wa,--noexecstack from crypto/CMakeLists.txt and confirm CI/CQ still passes. Other than generally wanting to test things, the immediate motivation is https://boringssl-review.googlesource.com/c/boringssl/+/55626/1/crypto/perlasm/arm-xlate.pl#b246 Bug: 292 Change-Id: Id1c049bfc2b4e8b7e2c8c32ea6456733a588dfe1 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/55645 Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: Bob Beck <bbe@google.com>fips-20230428
parent
785bb12634
commit
b15e56a694
1 changed files with 45 additions and 0 deletions
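--- /dev/null
+++ b/check_stack.go
@@ -0,0 +1,45 @@
+// Copyright (c) 2022, Google Inc.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+// check_stack.go checks that each of its arguments has a non-executable stack.
+// See https://www.airs.com/blog/archives/518 for details.
+package main
+
+import (
+	"debug/elf"
+	"fmt"
+	"os"
+)
+
+func checkStack(path string) {
+	file, err := elf.Open(path)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Error opening %s: %s\n", path, err)
+		os.Exit(1)
+	}
+	defer file.Close()
+
+	for _, prog := range file.Progs {
+		if prog.Type == elf.PT_GNU_STACK && prog.Flags&elf.PF_X != 0 {
+			fmt.Fprintf(os.Stderr, "%s has an executable stack.\n", path)
+			os.Exit(1)
+		}
+	}
+}
+
+func main() {
+	for _, path := range os.Args[1:] {
+		checkStack(path)
+	}
+}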
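Review bot: checkStack silently passes a binary that carries no PT_GNU_STACK program header at all, because the loop in the new checkStack only fails when such a header is present and has PF_X set. As I understand the linked airs.com post, a missing PT_GNU_STACK is the case the Linux loader treats as "executable stack" on at least x86, so it is exactly the outcome this check exists to catch and should be reported rather than accepted; GNU ld normally emits the header, but other toolchains or stripped/post-processed binaries may not, and the check is cheap. I would track whether the header was seen and fail when it was not, with a distinct message so a CI failure is easy to diagnose. Minor: the os.Exit calls bypass the deferred file.Close(), which is harmless here since the process is exiting anyway.
```go
	found := false
	for _, prog := range file.Progs {
		if prog.Type != elf.PT_GNU_STACK {
			continue
		}
		found = true
		if prog.Flags&elf.PF_X != 0 {
			fmt.Fprintf(os.Stderr, "%s has an executable stack.\n", path)
			os.Exit(1)
		}
	}
	// No PT_GNU_STACK at all: the loader's default applies, which is an
	// executable stack on some targets, so treat it as a failure too.
	if !found {
		fmt.Fprintf(os.Stderr, "%s has no PT_GNU_STACK program header.\n", path)
		os.Exit(1)
	}
```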