Hello. There is a bunch of discussion here: https://www.openwall.com/lists/musl/2020/01/31/8. All musl developers confirm that musl does not support DT_TEXTREL. Now they are discussing how to provide an informative error instead of a segfault (runtime protection). I found out that the developers don't want to add a simple debug-only memory protector; they are going to implement batch pre-validation of all relocations. I think it would be good for Gentoo to provide link-time protection against DT_TEXTREL for all musl profiles: LDFLAGS="-Wl,-z,text". It looks like this line can be added to "/usr/portage/profiles/*/musl/make.defaults".

Reproducible: Always
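The `-z text` flag proposed above makes the linker refuse to create an object that needs text relocations; it does nothing for binaries that were already built. The following scanner is an added example (not code from the bug report, from musl or from Gentoo's pax-utils) that checks existing ELF files for the two ways a text relocation is recorded in the dynamic section: a `DT_TEXTREL` entry, or `DF_TEXTREL` set in `DT_FLAGS`. It parses the ELF program headers directly, so it needs no third-party module. The `build_sample_elf` helper constructs a synthetic ELF64 little-endian object containing only a `PT_DYNAMIC` segment, purely so the scanner can be exercised offline; it is not a real shared library and carries no relocation data.

```python
"""Report text relocations (DT_TEXTREL / DF_TEXTREL) in ELF objects.

Added example for bug #707660; not part of musl, Gentoo or pax-utils.
A dynamic object with a text relocation would segfault under musl's
loader, so this is the post-build check to pair with LDFLAGS=-Wl,-z,text.
"""
import struct
import sys

PT_DYNAMIC = 2
DT_NULL = 0
DT_TEXTREL = 22
DT_FLAGS = 30
DF_TEXTREL = 0x4


def dynamic_entries(data: bytes):
    """Yield (d_tag, d_val) pairs from the PT_DYNAMIC segment, if any.

    Handles ELF32/ELF64 and either byte order by reading the e_ident fields.
    A static executable has no PT_DYNAMIC and simply yields nothing.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = {1: "<", 2: ">"}[ei_data]
    if ei_class == 2:  # ELF64: phdr is type, flags, offset, vaddr, paddr, filesz, memsz, align
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        ph_fmt, off_idx, size_idx, dyn_fmt = end + "IIQQQQQQ", 2, 5, end + "qQ"
    elif ei_class == 1:  # ELF32: phdr is type, offset, vaddr, paddr, filesz, memsz, flags, align
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        ph_fmt, off_idx, size_idx, dyn_fmt = end + "IIIIIIII", 1, 4, end + "iI"
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    dyn_size = struct.calcsize(dyn_fmt)
    for i in range(e_phnum):
        ph = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] != PT_DYNAMIC:
            continue
        off, size = ph[off_idx], ph[size_idx]
        for pos in range(off, off + size, dyn_size):
            tag, val = struct.unpack_from(dyn_fmt, data, pos)
            if tag == DT_NULL:  # end of the dynamic table
                return
            yield tag, val
        return


def has_textrel(data: bytes) -> bool:
    """True if the object declares text relocations via DT_TEXTREL or DF_TEXTREL."""
    for tag, val in dynamic_entries(data):
        if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
            return True
    return False


def build_sample_elf(*, textrel: bool, via_flags: bool = False) -> bytes:
    """Constructed test input: minimal ELF64 LE ET_DYN with one PT_DYNAMIC phdr.

    The dynamic table follows the program header directly. This is a
    synthetic fixture for the scanner, not a loadable shared object.
    """
    dyn = []
    if textrel:
        dyn.append((DT_FLAGS, DF_TEXTREL) if via_flags else (DT_TEXTREL, 0))
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn)
    ehdr_size, phdr_size = 64, 56
    dyn_off = ehdr_size + phdr_size
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # class64, LE, version 1, SysV ABI
    # e_type=ET_DYN, e_machine=EM_X86_64, e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, ehdr_size, 0, 0,
                        ehdr_size, phdr_size, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                       len(dyn_bytes), len(dyn_bytes), 8)
    return ehdr + phdr + dyn_bytes


if __name__ == "__main__":
    # Usage: python textrel_scan.py /usr/lib/*.so  (whole-file read is fine for a check tool)
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            flag = "TEXTREL" if has_textrel(f.read()) else "ok"
        print("%-8s %s" % (flag, path))
```

Run it over the libraries and executables a musl profile installs; any line flagged `TEXTREL` is an object that was linked without `-z text` (or built without PIC) and will fail at load time on musl.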
I think we could instead just build binutils with --enable-textrel-check=error on musl given we know it'll go terribly there.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=86ac5c16e3149458710b691e1cad81c50be8d661

commit 86ac5c16e3149458710b691e1cad81c50be8d661
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-07-30 16:26:38 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-07-30 16:42:29 +0000

sys-devel/binutils: add various hardening options to 2.41

Newer Binutils has several configure arguments we can use:
* --enable-textrel-check={warning,error}
* --enable-warn-execstack=yes (*)
* --enable-warn-rwx-segments=yes (*)
* --enable-default-execstack=no

We chuck these in now unconditionally (with some stricter changes for USE=hardened, as described below) except for those marked with (*) where we whitelist certain arches (amd64/arm64/x86 for now) because the autoconf logic is broken, see https://sourceware.org/bugzilla/show_bug.cgi?id=29592 (it both needs --enable...=no rather than --disable, but it also breaks arches where executable stacks are unavoidable.)

In the past (see 47b8db23ff55dd29992198dfbadda53984a4ab2d, e4b8746852919960969944904c59334cecddfe25 in binutils-patches.git), we patched Binutils to always warn on textrels (opt-out on a per-build basis with '--no-warn-shared-textrel'). From >= Binutils 2.35, upstream has a '--enable-textrel-check=warning' configure option we use.

For USE=hardened, our new changes for TEXTRELs are equivalent to `-z text` which make TEXTRELs fatal. Now, while at it, also make TEXTRELs fatal on musl unconditionally because musl doesn't support them and they explode at runtime. Yet another reason to get rid of them entirely.

So, in summary: there's several changes here:
* Make textrels fatal for USE=hardened (we've warned about them for a while on all profiles)
* Make textrels fatal for musl (they don't work there at all, bug #707660)
* Disable implicit/automatic executable stacks for USE=hardened (plan to do this in general later on)
* Warn on executable stacks in general
* Warn on RWX segments in general

See also https://www.redhat.com/en/blog/linkers-warnings-about-executable-stacks-and-segments for more information.

All of this came to mind again after reading the Qualys writeup for the recent OpenSSH bug (bug #910553): https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt. (Note their use of various gadgets involving these.)

Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=29592
Bug: https://bugs.gentoo.org/707660
Bug: https://bugs.gentoo.org/869881
Bug: https://bugs.gentoo.org/871150
Bug: https://bugs.gentoo.org/910553
Signed-off-by: Sam James <sam@gentoo.org>

sys-devel/binutils/binutils-2.41.ebuild | 43 +++++++++++++++++++++++-------
sys-devel/binutils/binutils-9999.ebuild | 47 ++++++++++++++++++++++++---------
2 files changed, 68 insertions(+), 22 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=80a72bac2350811712c018b68f61a031736c579f

commit 80a72bac2350811712c018b68f61a031736c579f
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-07-30 17:07:24 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-07-30 17:07:24 +0000

profiles/features/musl: enable USE=pic

musl has no support for textrels, so we always need PIC. At some point, I want to move this into the general profiles by default (especially given the Binutils work we're doing, see 86ac5c16e3149458710b691e1cad81c50be8d661), but baby steps.

Anyway, this is essential given things will crash on musl otherwise.

Bug: https://bugs.gentoo.org/707660
Signed-off-by: Sam James <sam@gentoo.org>

profiles/features/musl/make.defaults | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7df93674f9e3aef31b49307e3edd955c52a8ee74

commit 7df93674f9e3aef31b49307e3edd955c52a8ee74
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-10-09 02:42:18 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-12-13 21:44:19 +0000

profiles/features/hardened/amd64: enable USE=pic

There's no real reason not to do this. The status quo is wrong for when we're doing multilib 32-bit builds on x86, and we already have to undo this on musl because its handling for TEXTRELs is limited (see bug #707660).

(I noted my intention to do this in 80a72bac2350811712c018b68f61a031736c579f as well.)

This seems to have been added originally in e718e1dc1781b3bb5cd80233c217aea3b0e46755 and bb28d08f1cf8cf16f6e57929a8de6b7c85bbe714 (git graft commit).

Bug: https://bugs.gentoo.org/707660
Bug: https://bugs.gentoo.org/913412
Signed-off-by: Sam James <sam@gentoo.org>

profiles/features/hardened/amd64/make.defaults | 2 +-
profiles/features/hardened/amd64/no-multilib/make.defaults | 6 ------
2 files changed, 1 insertion(+), 7 deletions(-)