[patch] Adding stack markings to the x86 assembly for not using executable stack

Kees Cook kees at ubuntu.com
Fri Aug 28 13:51:47 PDT 2009


Hi,

On Thu, Aug 27, 2009 at 06:01:06PM +0100, Andrew John Hughes wrote:
> 2009/8/27 Kees Cook <kees at ubuntu.com>:
> > On Thu, Aug 27, 2009 at 12:04:07PM +0100, Andrew John Hughes wrote:
> >> 2009/8/27 Matthias Klose <doko at ubuntu.com>:
> >> > This was reported as https://edge.launchpad.net/bugs/409736
> >> >
> >> > Java is marked to have an executable stack[1]. This is potentially
> >> > dangerous, and is simply an oversight from one of the compiled assembly
> >> > files. Adding stack markings to the assembly solves the issue.
> >> >
> >> > sun/security/ssl/javax/net/ssl/NewAPIs/SessionCacheSizeTests.java passes
> >> > both stock and with non-exec-stack.
> >> >
> >> > gcc -fstack-protector is the default on Ubuntu. I'd like to see this patch
> >> > for the IcedTea 1.6 release as well.
> >> >
> >> >  Matthias
> >> >
> >>
> >> I've heard about this issue before from Gentoo users and the fix, if
> >> it truly is this simple, would be good to have.
> >
> > The question tends to be one of portability.  In cases where non-gcc is
> > used, ifdef's need to be built around the flag line.  I can provide some
> > examples, if needed.
> >
> 
> I don't see an immediate problem, as they only affect x86/linux and
> x86_64/linux where the compiler is gcc.

Okay, sounds good.

> >> Are you sending this patch upstream?  It would be good to have some
> >> feedback from the HotSpot developers before we commit this for a
> >> release.
> >>
> >> Does this affect SPARC too?
> >
> > I'm not familiar with SPARC hardware, but if it supports "execute" memory
> > protections, then it is a valuable change there too.  If it doesn't, it
> > won't hurt anything, IIUC.
> 
> Do you have an SCA, either via Ubuntu or personally? A webrev needs to
> be prepared against one of the HotSpot forests and posted to
> hotspot-dev.  If this is the compiler, hotspot-comp is appropriate and
> twisti can review it ;)

I haven't signed it yet, but these two (identical) lines are unlikely
to be attributable to me anyway, they're common knowledge for this area
of work.

I'll go figure out what I need to do for the SCA for future stuff, though.

Thanks!

-Kees

-- 
Kees Cook
Ubuntu Security Team
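
A check a packager could run on the linked JVM library after a fix like the one discussed, given as an added example that is not part of the original thread or the patch. The linker records the combined result of the per-object stack markings in the PT_GNU_STACK program header, and this reads that header's flags; the `sample_elf64` images are constructed inline and `stack_status` is a hypothetical helper name.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header type that carries stack permissions
PF_X = 0x1                 # segment flag bit: executable

def stack_status(elf: bytes) -> str:
    """Classify a linked ELF image as 'exec', 'non-exec' or 'unmarked'."""
    if len(elf) < 52 or elf[:4] != b"\x7fELF":
        raise ValueError("not a recognisable ELF image")
    if elf[4] not in (1, 2) or elf[5] not in (1, 2):
        raise ValueError("unknown ELF class or byte order")
    end = "<" if elf[5] == 1 else ">"        # EI_DATA: byte order
    if elf[4] == 2:                          # EI_CLASS: ELFCLASS64
        (phoff,) = struct.unpack_from(end + "Q", elf, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 54)
        flags_off = 4                        # Elf64_Phdr: p_flags follows p_type
    else:                                    # ELFCLASS32
        (phoff,) = struct.unpack_from(end + "I", elf, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 42)
        flags_off = 24                       # Elf32_Phdr: p_flags is the 7th word
    for i in range(phnum):
        base = phoff + i * phentsize
        if base + flags_off + 4 > len(elf):
            raise ValueError("truncated program header table")
        (p_type,) = struct.unpack_from(end + "I", elf, base)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from(end + "I", elf, base + flags_off)
            return "exec" if p_flags & PF_X else "non-exec"
    return "unmarked"  # no PT_GNU_STACK: the kernel's architecture default applies

def sample_elf64(phdrs):
    """Constructed input: minimal little-endian ELF64 header plus program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 3, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 16)
                    for t, f in phdrs)
    return header + body

if __name__ == "__main__":
    PT_LOAD, RX, RW, RWX = 1, 0x5, 0x6, 0x7
    for name, phdrs in [("marked non-exec", [(PT_LOAD, RX), (PT_GNU_STACK, RW)]),
                        ("marked exec", [(PT_LOAD, RX), (PT_GNU_STACK, RWX)]),
                        ("no marking", [(PT_LOAD, RX)])]:
        print(name, "->", stack_status(sample_elf64(phdrs)))
```

To check a real file, pass its bytes: `stack_status(open(path, "rb").read())`.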
