Closed Bug 1357216 Opened 7 years ago Closed 7 years ago

NSS inadvertently marks the stack executable

Categories

(NSS :: Libraries, defect)

Product:
NSS
Component:
Libraries
Version:
3.31
Platform:
All
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: mt, Assigned: mt)

Details

This is a regression of bug 320497.

We have added quite a few GNU assembly files to the build, some of which do not include the magic incantation:

.section .note.GNU-stack,"",@progbits

Without this, libfreeblpriv3.so ends up requesting an executable stack.  See https://news.ycombinator.com/item?id=11599909

I don't know if Firefox already requires an executable stack for other reason (the javascript VM maybe), but other programs are being exposed to unnecessary risk as a result of this error.

Rather than patch in this arcane syntax for every new file, it is easier to tell the linker not to create an executable stack.  Adding -z noexecstack to the linker command line avoids the problem.
https://hg.mozilla.org/projects/nss/rev/89c818ff7f8b0a47c253f6f794addbd633f5ba23
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Version: trunk → 3.31
Assignee: nobody → martin.thomson
Group: crypto-core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.