On Mon, Jun 24, 2013 at 09:13:29PM +0200, Miloslav Trmač wrote: > On Mon, Jun 24, 2013 at 8:46 PM, Richard W.M. Jones <rjones@xxxxxxxxxx> wrote: > > but the plugins from that build are not hardened fully: > Isn't it possible that the plugins are just so trivial that there were > no opportunities for hardening? > > > $ hardening-check ./usr/lib64/nbdkit/plugins/nbdkit-example1-plugin.so > > ./usr/lib64/nbdkit/plugins/nbdkit-example1-plugin.so: > > Position Independent Executable: no, regular shared library (ignored) > > Stack protected: no, not found! > No on-stack arrays that I can find. > > > Fortify Source functions: no, only unprotected functions found! > I can see libc calls with compile-time-known destination sizes except > for example1_load () where it can be statically proven the call is > safe. Yes, I think you're right. I only checked the simple example* plugins. The xz plugin which is rather more complicated does seem to be protected: $ hardening-check ./usr/lib64/nbdkit/plugins/nbdkit-xz-plugin.so ./usr/lib64/nbdkit/plugins/nbdkit-xz-plugin.so: Position Independent Executable: no, regular shared library (ignored) Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: yes Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming blog: http://rwmj.wordpress.com Fedora now supports 80 OCaml packages (the OPEN alternative to F#) -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
