[Fedora-packaging] RFC mass bug reporting: checksec failures
Florian Weimer
fweimer at redhat.com
Thu Sep 17 11:35:13 UTC 2015
On 09/17/2015 01:03 PM, Alexander Todorov wrote:
> На 17.09.2015 в 12:26, Richard W.M. Jones написа:
>>> As far as I can see most of them report "Partial RELRO" which may
>>> well be fixed as you propose below. If not I can easily exclude
>>> them.
>>
>> They're intermediate files used by developers. They aren't runnable
>> binaries. I think everything in %{libdir}/ocaml should be ignored.
>>
>
>
> I see .o files, .so files and some .cmxs ones. Should all of them be
> ignored then ?
.o files need to have an empty .note.GNU-stack section.
If they are compiled with GCC (see the .comment section), they need to
have debugging information, and the debugging information must include
the recorded command line options. Those command line options must have
the required hardening flags. The debugging information must cover all
object code.
For .so files, similar rules apply, but the debug information may have
been separated. Instead of section, the non-executable stack is now
controlled by the GNU_STACK program header. Additionally, there most be
GNU_RELRO program header. and the relocations must not overlap with a
page that is read-write.
checksec cannot check most of this, unfortunately.
I don't know how .cmxs files are used. They seem similar to .so files,
so the same rules apply.
--
Florian Weimer / Red Hat Product Security
More information about the devel
mailing list