Disable execstack in freebl x86_64 builds on Linux

RESOLVED FIXED in 3.12.4

Status

NSS
Libraries
RESOLVED FIXED
9 years ago
8 years ago

People

(Reporter: kaie, Assigned: kaie)

Tracking

3.12.3
3.12.4
x86_64
Linux

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: FIPS)

Attachments

(3 attachments)

(Assignee)

Description

9 years ago
Originally reported here:
https://bugzilla.redhat.com/show_bug.cgi?id=493663

The current build flags cause libfreebl3 to get built with the execstack flag, causing trouble for selinux.
(Assignee)

Comment 1

9 years ago
Created attachment 370674 [details] [diff] [review]
Patch v1 (checked in)

Patch proposed by Ulrich
Attachment #370674 - Flags: review?(wtc)

Comment 2

9 years ago
Comment on attachment 370674 [details] [diff] [review]
Patch v1 (checked in)

r+ rrelyea

for 3.12.4
Attachment #370674 - Flags: superreview+

Updated

9 years ago
Target Milestone: --- → 3.12.4
Comment on attachment 370674 [details] [diff] [review]
Patch v1 (checked in)

Is this an issue only for x86_64 ?

Comment 4

9 years ago
(In reply to comment #3)
> (From update of attachment 370674 [details] [diff] [review])
> Is this an issue only for x86_64 ?

Yes.  The offending asm file is only on x86 and only Linux performs the stack tests.  So it's even Linux-x86-64 specific.

Updated

9 years ago
Attachment #370674 - Flags: review?(wtc) → review+

Comment 5

9 years ago
Comment on attachment 370674 [details] [diff] [review]
Patch v1 (checked in)

r=wtc.

In the past, we have been solving this problem by
adding this magic section to the end of every .s file:

  # Magic indicating no need for an executable stack
  .section .note.GNU-stack,"",@progbits
  .previous

For example, see
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/freebl/arcfour-amd64-gas.s&rev=1.2&mark=118-120#118

So you can also fix this bug by adding this section
to the new .s files added in NSS 3.12.3 (I believe
intel-ase.s is the only one).  I would do that.

If you decide to use the -Wa,--noexecstack solution,
you should do it for all CPU architectures.
In reply to comment 5,
I remember that we had to remove that magic pseudo-op from one of our .s 
files because gas on some platform didn't recognize it.  I prefer solving
it through a command line option instead of a pseudo-op, if possible,
because it's easier to have command lines that vary by platform than to 
have assembler source that varies by platform.

Comment 7

9 years ago
Created attachment 370780 [details] [diff] [review]
Use -Wa,--noexecstack for all processor architectures

To be future-proof, you may want to use -Wa,--noexecstack
for all processor architectures.

Comment 8

9 years ago
Created attachment 370782 [details] [diff] [review]
Set it in coreconf/Linux.mk

We can also set it in coreconf/Linux.mk, which will take
care of all the NSS and JSS directories.

Comment 9

9 years ago
Comment on attachment 370674 [details] [diff] [review]
Patch v1 (checked in)

Kai, I noticed that you haven't checked in this patch, so I checked it in 
on the NSS trunk (NSS 3.12.4).  I actually prefer passing the -Wa,--noexecstack
flag for all processor architectures (we also have assembly files for
x86), but I checked in this patch because it has received review+.

Checking in Makefile;
/cvsroot/mozilla/security/nss/lib/freebl/Makefile,v  <--  Makefile
new revision: 1.106; previous revision: 1.105
done
Attachment #370674 - Attachment description: Patch v1 → Patch v1 (checked in)

Updated

9 years ago
Assignee: nobody → kaie
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED

Updated

9 years ago
Duplicate of this bug: 488959
This bug was originally reported against x86_64 builds on Linux, and was only 
fixed for that platform.  :(

Now it has been reported again for x86_32 builds on Linux in bug 499584.
I propose that we back out the fix committed for this bug, and commit 
wan-Teh's patch in attachment 370782 [details] [diff] [review] instead.  Please follow this issue in 
bug 499584.
Hardware: x86 → x86_64
Summary: disable execstack when building freebl → Disable execstack in freebl x86_64 builds on Linux
Whiteboard: FIPS
Duplicate of this bug: 499584
No. I was mistaken.  Bug 499584 was also about x86_64, and is a duplicate 
of this bug.  However, I do think we should fix it as shown in Wan-Teh's 
patch in attachment 370782 [details] [diff] [review], so that it is fixed for x86_32 also.

Comment 14

9 years ago
Comment on attachment 370782 [details] [diff] [review]
Set it in coreconf/Linux.mk

If you check in this patch, please back out patch v1 (attachment 370674 [details] [diff] [review])
to avoid duplicate -Wa,--noexecstack flags.

Comment 15

9 years ago
Wan-Teh, does the duplicate cause a problem with the compilier?

If not, I would prefer to leave it until the next time we open the FIPS token tree.

bob

Comment 16

9 years ago
Comment on attachment 370782 [details] [diff] [review]
Set it in coreconf/Linux.mk

Then we can wait until then to check in this patch.
I don't think we will add assembly code to any directory
other than lib/freebl.

Updated

9 years ago
Version: trunk → 3.12.3
Is this something that should be backported to 3.12.3 for those users still using that branch?
Reed, to what branch(es) are you referring?
Naturally, we'd prefer that any products using 3.12.3 simply update to 
3.12.4 now that it has been released.
Linux distros typically use "system NSS" and can easily upgrade to 3.12.4 or even apply this patch to their own 3.12.3 version if they prefer. Firefox will be upgrading to 3.12.4 and any effort should go into making that happen rather than putting this patch on 3.12.3

Updated

9 years ago
Duplicate of this bug: 522462

Updated

8 years ago
You need to log in before you can comment on or make changes to this bug.