On Mon, Nov 13, 2023 at 11:08 AM Aoife Moloney <amoloney@xxxxxxxxxx> wrote:
Wiki -> https://fedoraproject.org/wiki/Changes/Linker_Error_On_Security_Issues
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.
== Summary ==
Change the system linker (ld.bfd) so that by default it will generate
an error message and fail if it is asked to create an executable
binary that contains one or more known security issues. These issues
are:
* an executable stack
* a loadable segment with read, write and execute permissions,
* a thread local storage segment with execute permission.
== Owner ==
* Name: [[User:nickc| Nick Clifton]]
* Email: nickc@xxxxxxxxxx
== Detailed Description ==
The BFD linker (ld.bfd) is able to detect several potential security
problems with the binaries that it is creating. Currently however the
linker's default behaviour is to generate warning messages about these
problems, but then it carries on and completes the link.
Since only warning messages are generated, and these can be ignored or
lost in the output from a build, it is possible that packages are
being built without their owners being aware of the potential security
problems. Hence this change will alter the linker's default behaviour
to turn the warnings into errors, which in turn will prevent the
builds from completing successfully.
The change would apply to three linker warnings:
* The creation of a program containing a stack that is in a memory
region that has execute permission.
* The creation of a program with a loadable segment that has all three
of the read, write and execute permission bits set.
* The creation of a thread local storage segment that has the execute
permission bit set.
== Feedback ==
== Benefit to Fedora ==
The benefit of this change is that it will increase the overall
security of Fedora by helping to ensure that packages cannot be built
with one or more of these vulnerabilities without the owner being made
aware and having to take specific actions - either to remove the
vulnerability or disable the linker error message.
== Scope ==
* Proposal owners:
Enable the 'error_for_executable_stacks' and 'error_for_rwx_segments'
optional features in the binutils.spec file and then rebuild the
binutils.
Following that a system wide rebuild will be needed in order for the
change to have a chance to take affect and cause vulnerable packages
to fail to build. Any packages that fail to build because of the
change will need to be updated to either remove the cause of the
problem or else add an extra command line option to be passed to the
linker to disable the new feature.
* Other developers:
Other developers will only be affected if their package(s) fail to
build with the new linker. In this case the developer will need to
decide if the security vulnerability is actually needed by their
package, and if so add a linker command line option to turn off the
error, or if the vulnerability is not needed then fix their code so
that the problem is removed.
It is known that this change will affect the edk2, glibc and grub2
packages. Their owners will be contacted to assist them in deciding
how they wish to resolve the problems specific to their packages.
Other developers can use the "--no-warn-execstack" and
"--no-warn-rwx-segments" linker command line options to disable the
errors.
Is there a way to test for problems due to this before the spec file changes are made? E.g. is there a set of linker flags that can be given during mock/scratch builds to enable this check in individual packages to see if they are affected?
-Ian
* Release engineering: [https://pagure.io/releng/issue/11777]
* Policies and guidelines: N/A (not needed for this Change) <!--
REQUIRED FOR SYSTEM WIDE CHANGES -->
The packaging guidelines should not need to be updated. The vast
majority of programs will not be affected by this change. Packages
that are affected will already be requiring special behaviour from the
linker, so it can be assumed that their maintainers are familiar with
how to report linker problems and how to receive help.
* Trademark approval: N/A (not needed for this Change)
* Alignment with Community Initiatives: N/A
== Upgrade/compatibility impact ==
Upgrading previous versions of Fedora to one containing this change
will have no immediate effect. In fact the only visible change would
be if the upgraded system is used to compile a program and that
program contains one or more of the potential security vulnerabilities
that will now trigger errors. Even then the previous functionality
(of being able to successfully compile the vulnerable program) can be
restored by adding a specific linker command line option.
== How To Test ==
Compile programs.
No special hardware or data is needed in order to test this change.
Just a Fedora system with the updated binutils package installed plus
whatever other packages are needed to compile any test programs. If
the programs compile and link successfully then there are no issues.
If they do not, and the reason that they do not compile is because of
error messages from the linker, then something needs to be done.
Note - the linker's own testsuite includes tests to make sure that the
error messages are generated under the correct circumstances as well
tests to make sure that the errors can be disabled by the correct
command line options.
== User Experience ==
On the whole, users should not notice this change.
Users who build programs on Fedora, and whose programs are built in
such a way that they are exposed to the security issues that will
trigger the new errors will be affected. Such users might be happy
that the problem is being brought to light, or annoyed that they will
now have to consider whether they need to fix their program or fix
their build system.
== Dependencies ==
None.
== Contingency Plan ==
* Contingency mechanism: Revert the change to the linker.
* Contingency deadline: Fedora 40 beta freeze.
* Blocks release? No
== Documentation ==
There is a blog about the warning messages that are being turned into errors:
https://www.redhat.com/en/blog/linkers-warnings-about-executable-stacks-and-segments
== Release Notes ==
(For the Developers/Binutils section of the release Notes)
The linker's warning messages about the creation of binaries with
executable stacks or memory segments with the execute, read and write
permissions have now been turned into errors. This will prevent the
creation of programs with either of these vulnerabilities. The errors
can be turned off via the use of the --no-warn-execstack and
--no-warn-rwx-segments linker command line options.
--
Aoife Moloney
Fedora Operations Architect
Fedora Project
Matrix: @amoloney:fedora.im
IRC: amoloney
_______________________________________________
devel-announce mailing list -- devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-announce-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
