Page MenuHomeFreeBSD
Differential D41102

OpenSSL: Link with -znoexecstack when using ld.bfd.
AbandonedPublic
Actions

Authored by jhb on Jul 19 2023, 6:31 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sep 27 2024, 8:45 AM
Unknown Object (File)
Sep 27 2024, 7:36 AM
Unknown Object (File)
Sep 21 2024, 12:01 PM
Unknown Object (File)
Sep 21 2024, 6:08 AM
Unknown Object (File)
Sep 20 2024, 7:43 PM
Unknown Object (File)
Sep 18 2024, 12:09 AM
Unknown Object (File)
Sep 8 2024, 12:30 PM
Unknown Object (File)
Sep 7 2024, 5:39 PM
View All 25 Files
Subscribers
imp
jlduran
khorben_defora.org

Details

Reviewers
emaste
Summary

ld.bfd >= 2.39 emits warnings if input object files do not have
note.GNU-stack annotations requesting a non-executable stack. It is
not feasible to patch all of the assembly files from OpenSSL to add
this annotation as a local patch, so tell the linker to assume the
stack is non-executable instead.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 52729
Build 49620: arc lint + arc unit

Event Timeline

jhb created this revision.Jul 19 2023, 6:31 PM
Herald added a subscriber: imp. · View Herald TranscriptJul 19 2023, 6:31 PM
jhb requested review of this revision.Jul 19 2023, 6:31 PM
Harbormaster completed remote builds in B52729: Diff 124885.Jul 19 2023, 6:31 PM
jhb added a comment.Jul 19 2023, 6:32 PM

This fixes linking libcrypto.so with GCC 12.

emaste added a subscriber: khorben_defora.org.Jul 19 2023, 6:55 PM

Is this actually an openssl bug, generating these files without the annotation? (E.g., upstream build infra thinks they are required only on Linux?)

I think I'd rather we just set it in LDFLAGS (also for lld)

emaste accepted this revision.Jul 19 2023, 6:56 PM

(But no objection to this as an immediate-term fix)

This revision is now accepted and ready to land.Jul 19 2023, 6:56 PM
jhb added a comment.Jul 19 2023, 7:26 PM

Yes, OpenSSL will care once Linux distributions upgrade to ld.bfd 2.39 and presumably they will fix it at some point.

However, I think LLD just doesn't care and always assumes -znoexectsack on FreeBSD. Arguably we should just globally add -Wl,-znoexecstack to LDFLAGS for bfd instead of patching it piecemeal.

emaste added a comment.Jul 19 2023, 7:34 PM

From lld's docs, "Some default settings have been tuned for the 21st century. For example, the stack is marked as non-executable by default to tighten security."

Arguably we should just globally add -Wl,-znoexecstack to LDFLAGS for bfd instead of patching it piecemeal.

Yeah, I'd be happy to have that change go in.

jhb mentioned this in D41101: amd64 crt1: Explicitly use a PLT entry for main in the PIC case..Jul 20 2023, 5:45 PM
jlduran added a subscriber: jlduran.Jul 20 2023, 5:47 PM
jhb added a comment.Jul 20 2023, 7:56 PM
In D41102#935864, @emaste wrote:

From lld's docs, "Some default settings have been tuned for the 21st century. For example, the stack is marked as non-executable by default to tighten security."

Arguably we should just globally add -Wl,-znoexecstack to LDFLAGS for bfd instead of patching it piecemeal.

Yeah, I'd be happy to have that change go in.

I've tested this as an alternative and posted it as D41120

jhb abandoned this revision.Jul 20 2023, 11:35 PM

Revision Contents
Changeset List

PathSize
secure/
lib/
libcrypto/
3 lines
modules/
3 lines

Diff 124885

View Options

secure/lib/libcrypto/Makefile.inc

Loading...
View Options

secure/lib/libcrypto/modules/Makefile.inc

Loading...