author | Florian Weimer <fweimer@redhat.com> | 2020-03-02 14:24:27 +0100 |
---|---|---|
committer | Florian Weimer <fweimer@redhat.com> | 2020-03-02 14:25:20 +0100 |
commit | 0499a353a6e196f468e7ec554cb13c82011f0e36 (patch) | |
tree | 581108932370bf01836d379db99bafc4330e3cf7 /sysdeps | |
parent | b5b7fb76e15c0db545aa11a3ce88f836e5d01a19 (diff) | |
elf: Add elf/check-wx-segment, a test for the presence of WX segments
Writable, executable segments defeat security hardening. The existing check for DT_TEXTREL does not catch this. hppa and SPARC currently keep the PLT in an RWX load segment.
Diffstat (limited to 'sysdeps')
-rw-r--r-- | sysdeps/sparc/Makefile | 9 | ||||
-rw-r--r-- | sysdeps/unix/sysv/linux/hppa/Makefile | 9 |
2 files changed, 16 insertions, 2 deletions
diff --git a/sysdeps/sparc/Makefile b/sysdeps/sparc/Makefile
index 38b33af6e0..c123b527b5 100644
--- a/sysdeps/sparc/Makefile
+++ b/sysdeps/sparc/Makefile
@@ -16,6 +16,15 @@ CPPFLAGS-crti.S += -fPIC
 CPPFLAGS-crtn.S += -fPIC
 endif
 
+ifeq ($(subdir),elf)
+
+# Lazy binding on SPARC rewrites the PLT sequence. See the Solaris
+# Linker and Libraries Guide, section SPARC: Procedure Linkage Table.
+# <https://docs.oracle.com/cd/E19455-01/816-0559/chapter6-1236/index.html>
+test-xfail-check-wx-segment = *
+
+endif # $(subdir) == elf
+
 # nscd uses atomic_spin_nop which in turn requires cpu_relax
 ifeq ($(subdir),nscd)
 routines += cpu_relax
diff --git a/sysdeps/unix/sysv/linux/hppa/Makefile b/sysdeps/unix/sysv/linux/hppa/Makefile
index e1637f54f5..c89ec83182 100644
--- a/sysdeps/unix/sysv/linux/hppa/Makefile
+++ b/sysdeps/unix/sysv/linux/hppa/Makefile
@@ -3,9 +3,14 @@ ifeq ($(subdir),stdlib)
 gen-as-const-headers += ucontext_i.sym
 endif
 
+ifeq ($(subdir),elf)
 # Supporting non-executable stacks on HPPA requires changes to both
 # the Linux kernel and glibc. The kernel currently needs an executable
 # stack for syscall restarts and signal returns.
-ifeq ($(subdir),elf)
 test-xfail-check-execstack = yes
-endif
+
+# On hppa, the PLT is executable because it contains an executable
+# trampoline used during lazy binding.
+test-xfail-check-wx-segment = *
+
+endif # $(subdir) == elf |
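Review bot: `test-xfail-check-wx-segment = *` in sysdeps/sparc/Makefile marks the whole new check as an expected failure on SPARC, so a writable and executable segment that appears for any reason other than the PLT rewrite named in the comment would be hidden behind the same XFAIL. The hppa hunk carries the same blanket setting. If the check can be scoped to particular objects (the `*` looks like a pattern, but its handling is not visible in this diff), narrowing it to the objects that really carry the RWX PLT would keep the hardening signal for everything else. At the least the comment should state the cost, for example `# NB: this XFAILs the whole check; W+X segments other than the PLT go unreported on SPARC.`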
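Review bot: The new comment in sysdeps/unix/sysv/linux/hppa/Makefile explains why the PLT is executable, but the check concerns segments that are writable and executable at the same time, so the stated reason for the XFAIL is incomplete. The commit message already says the PLT sits in an RWX load segment, and the comment could carry that, for example `# On hppa, the PLT sits in a writable load segment and holds an executable trampoline used during lazy binding.` Separately, the merged block now has `test-xfail-check-execstack = yes` next to `test-xfail-check-wx-segment = *`; a short remark on what `*` means would stop readers from assuming the two values are interchangeable.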