c - Stacks are executable even with `noexecstack`
I'm trying to protect my application against buffer overflow exploits. Among other things, I'm using non-executable stacks and link my binaries with the `noexecstack` flag (by passing `-Wl,-z,noexecstack` to gcc).
Everything seems fine - `readelf` confirms that `PT_GNU_STACK` specifies correct permissions:
```
$ readelf -l target | grep -A1 GNU_STACK
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RW     10
```
So does `execstack`:
```
$ execstack -q target
- target
```
There's 1 problem. The stacks are executable:
```
root@170ubuntu16p04-64smp-1:~# cat /proc/12878/task/*/maps | grep stack
7ffcac654000-7ffcac675000 rwxp 00000000 00:00 0                          [stack]
7fe540e66000-7fe541666000 rwxp 00000000 00:00 0                          [stack]
7fe540665000-7fe540e65000 rwxp 00000000 00:00 0                          [stack]
7fe53b800000-7fe53c000000 rwxp 00000000 00:00 0                          [stack]
```
I've trapped `allocate_stack` calls and examined the protection flags. In theory, they should be initialized according to `PT_GNU_STACK`. In my case, it seems that `PT_GNU_STACK` is ignored and `_dl_stack_flags` is initialized with default permissions.
Does anyone know what could have caused this? Everything seems correct, but the stacks are still executable.
I'm using gcc 4.8.3 / glibc 2.11.
What could have caused this?
In addition to the main executable's `PT_GNU_STACK` having correct permissions, you also need to have `PT_GNU_STACK` with correct permissions in every directly-linked shared library.
If 1 of these libraries does not have `PT_GNU_STACK` at all, or has 1 with executable permissions, that will "poison" the stacks with executable permission.
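So run
```
# Walk every shared library that ldd resolves for the target.
for j in $(ldd target | grep -o '=> .* ' | sed -e 's/=> //' -e '/^ *$/d' ); do
  # -W keeps each program header on one line so grep sees the flags.
  out=$(readelf -Wl "$j" | grep STACK)
  [[ -z "$out" ]] && echo "missing GNU_STACK in $j"
  echo "$out" | grep -q RWE && echo "executable GNU_STACK in $j"
done
```
and you should see at least 1 library with a missing or executable stack.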
P.S. I see Olaf has (partially) suggested this.
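The same per-library check can be done without `readelf` by reading the ELF program headers directly. This is an added example, not code from the original answer; it assumes 64-bit little-endian ELF files, and the sample images and library names in it are constructed for illustration.

```python
import struct

PT_LOAD, PT_GNU_STACK = 1, 0x6474E551  # program header types from the ELF spec
PF_X = 0x1                             # execute bit in p_flags

def gnu_stack_status(elf: bytes) -> str:
    """Classify an ELF64 little-endian image as 'ok', 'executable' or 'missing'."""
    if len(elf) < 64 or elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF image")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 8 > len(elf):
            raise ValueError("program header table is truncated")
        p_type, p_flags = struct.unpack_from("<II", elf, off)  # first two Phdr64 fields
        if p_type == PT_GNU_STACK:
            return "executable" if p_flags & PF_X else "ok"
    return "missing"  # no PT_GNU_STACK at all: the answer's other failure case

def audit(images: dict) -> dict:
    """Return {name: status} for every image whose status is not 'ok'."""
    statuses = {name: gnu_stack_status(data) for name, data in images.items()}
    return {name: s for name, s in statuses.items() if s != "ok"}

def fake_elf(phdrs) -> bytes:
    """Constructed sample: ELF64 header plus (p_type, p_flags) program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0,
                               64, 56, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack("<II", t, f) + bytes(48) for t, f in phdrs)

# Constructed inputs; file names are hypothetical, not from the original post.
SAMPLES = {
    "target":     fake_elf([(PT_LOAD, 5), (PT_GNU_STACK, 6)]),  # RW  -> ok
    "libgood.so": fake_elf([(PT_LOAD, 5), (PT_GNU_STACK, 6)]),  # RW  -> ok
    "libasm.so":  fake_elf([(PT_LOAD, 5)]),                     # no marker
    "libold.so":  fake_elf([(PT_LOAD, 5), (PT_GNU_STACK, 7)]),  # RWE
}

if __name__ == "__main__":
    for name, status in audit(SAMPLES).items():
        print(f"{status} GNU_STACK in {name}")
```

For real files, pass `open(path, "rb").read()` for the executable and each library path that `ldd` reports.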