diff options
-rw-r--r-- | ChangeLog | 10 | ||||
-rw-r--r-- | elf/Makefile | 41 | ||||
-rw-r--r-- | elf/check-execstack.c | 162 | ||||
-rw-r--r-- | scripts/check-execstack.awk | 52 |
4 files changed, 88 insertions, 177 deletions
@@ -1,5 +1,15 @@ 2012-05-01 Roland McGrath <roland@hack.frob.com> + * scripts/check-execstack.awk: New file. + * elf/Makefile ($(objpfx)check-execstack): Target removed. + (check-execstack-CFLAGS): Variable removed. + ($(objpfx)check-execstack.h): Target removed. + ($(objpfx)execstack-default): New target. + (generated): Add that instead of check-execstack.h. + ($(all-built-dso:=.phdr)): New static pattern rule. + (generated): Add those targets. + * elf/check-execstack.c: File removed. + * scripts/check-textrel.awk: New file. * elf/Makefile ($(objpfx)check-textrel): Target removed. (check-textrel-CFLAGS): Variable removed. diff --git a/elf/Makefile b/elf/Makefile index 50934be..c207b53 100644 --- a/elf/Makefile +++ b/elf/Makefile @@ -872,18 +872,6 @@ CFLAGS-tst-pie1.c += $(pie-ccflag) $(objpfx)tst-pie1: $(objpfx)tst-piemod1.so -check-execstack-CFLAGS = -O -Wall -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -std=gnu99 \ - $(objpfx:%/=-I%) -$(objpfx)check-execstack: check-execstack.c $(objpfx)check-execstack.h - $(native-compile) -$(objpfx)check-execstack.h: $(first-word $(wildcard $(sysdirs:%=%/stackinfo.h))) - $(make-target-directory) - { echo '#include <stackinfo.h>'; echo '@@@DEFAULT_STACK_PERMS@@@'; } | \ - $(CC) $(CFLAGS) $(CPPFLAGS) -E -x c-header - | \ - sed -n -e 's/^@@@\(.*\)@@@/#define DEFAULT_STACK_PERMS \1/p' > $@T - mv -f $@T $@ -generated += check-execstack.h - check-localplt-CFLAGS = -O -Wall -D_GNU_SOURCE -std=gnu99 $(objpfx)check-localplt: check-localplt.c $(native-compile) @@ -909,9 +897,32 @@ $(objpfx)check-textrel.out: $(..)scripts/check-textrel.awk \ LC_ALL=C $(AWK) -f $^ > $@ generated += check-textrel.out -$(objpfx)check-execstack.out: $(objpfx)check-execstack $(all-built-dso) - $(dir $<)$(notdir $<) $(filter-out $<, $^) > $@ -generated += check-execstack check-execstack.out +$(objpfx)execstack-default: $(first-word $(wildcard $(sysdirs:%=%/stackinfo.h))) + $(make-target-directory) + { echo '#include <elf.h>'; \ + echo '#include <stackinfo.h>'; \ + echo '#if (DEFAULT_STACK_PERMS & PF_X) == 0'; \ + echo '@@@execstack-no@@@'; \ + echo '#else'; \ + echo '@@@execstack-yes@@@'; \ + echo '#endif'; } | \ + $(CC) $(CFLAGS) $(CPPFLAGS) -E -x c-header - | \ + sed -n -e 's/^@@@\(.*\)@@@/\1/p' > $@T + mv -f $@T $@ +generated += execstack-default + +$(all-built-dso:=.phdr): %.phdr: % + @rm -f $@T + LC_ALL=C $(READELF) -W -l $< > $@T + test -s $@T + mv -f $@T $@ +generated += $(all-built-dso:=.phdr) + +$(objpfx)check-execstack.out: $(..)scripts/check-execstack.awk \ + $(objpfx)execstack-default \ + $(all-built-dso:=.phdr) + LC_ALL=C $(AWK) -f $^ > $@ +generated += check-execstack.out $(objpfx)tst-dlmodcount: $(libdl) $(objpfx)tst-dlmodcount.out: $(test-modules) diff --git a/elf/check-execstack.c b/elf/check-execstack.c deleted file mode 100644 index 6a5c4d9..0000000 --- a/elf/check-execstack.c +++ /dev/null @@ -1,162 +0,0 @@ -/* Check for executable stacks in DSOs. - Copyright (C) 2009, 2010 Free Software Foundation, Inc. - This file is part of the GNU C Library. - Contribute by Ulrich Drepper <drepper@redhat.com>. 2009. - - The GNU C Library is free software; you can redistribute it and/or - modify it under the terms of the GNU Lesser General Public - License as published by the Free Software Foundation; either - version 2.1 of the License, or (at your option) any later version. - - The GNU C Library is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Lesser General Public License for more details. - - You should have received a copy of the GNU Lesser General Public - License along with the GNU C Library; if not, see - <http://www.gnu.org/licenses/>. */ - -#include <byteswap.h> -#include <elf.h> -#include <endian.h> -#include <fcntl.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <unistd.h> -#include "check-execstack.h" - - -#ifdef BITS - -# define AB(name) _AB (name, BITS) -# define _AB(name, bits) __AB (name, bits) -# define __AB(name, bits) name##bits -# define E(name) _E (name, BITS) -# define _E(name, bits) __E (name, bits) -# define __E(name, bits) Elf##bits##_##name -# define SWAP(val) \ - ({ __typeof (val) __res; \ - if (((ehdr.e_ident[EI_DATA] == ELFDATA2MSB \ - && BYTE_ORDER == LITTLE_ENDIAN) \ - || (ehdr.e_ident[EI_DATA] == ELFDATA2LSB \ - && BYTE_ORDER == BIG_ENDIAN)) \ - && sizeof (val) != 1) \ - { \ - if (sizeof (val) == 2) \ - __res = bswap_16 (val); \ - else if (sizeof (val) == 4) \ - __res = bswap_32 (val); \ - else \ - __res = bswap_64 (val); \ - } \ - else \ - __res = (val); \ - __res; }) - - -static int -AB(handle_file) (const char *fname, int fd) -{ - E(Ehdr) ehdr; - - if (pread (fd, &ehdr, sizeof (ehdr), 0) != sizeof (ehdr)) - { - read_error: - printf ("%s: read error: %m\n", fname); - return 1; - } - - const size_t phnum = SWAP (ehdr.e_phnum); - const size_t phentsize = SWAP (ehdr.e_phentsize); - - /* Read the program header. */ - E(Phdr) *phdr = alloca (phentsize * phnum); - if (pread (fd, phdr, phentsize * phnum, SWAP (ehdr.e_phoff)) - != phentsize * phnum) - goto read_error; - - /* Search for the PT_GNU_STACK entry. */ - for (size_t cnt = 0; cnt < phnum; ++cnt) - if (SWAP (phdr[cnt].p_type) == PT_GNU_STACK) - { - unsigned int flags = SWAP(phdr[cnt].p_flags); - if (flags & PF_X) - { - printf ("%s: executable stack signaled\n", fname); - return 1; - } - - return 0; - } - - if (DEFAULT_STACK_PERMS & PF_X) - { - printf ("%s: no PT_GNU_STACK entry\n", fname); - return 1; - } - - return 0; -} - -# undef BITS -#else - -# define BITS 32 -# include "check-execstack.c" - -# define BITS 64 -# include "check-execstack.c" - - -static int -handle_file (const char *fname) -{ - int fd = open (fname, O_RDONLY); - if (fd == -1) - { - printf ("cannot open %s: %m\n", fname); - return 1; - } - - /* Read was is supposed to be the ELF header. Read the initial - bytes to determine whether this is a 32 or 64 bit file. */ - char ident[EI_NIDENT]; - if (read (fd, ident, EI_NIDENT) != EI_NIDENT) - { - printf ("%s: read error: %m\n", fname); - close (fd); - return 1; - } - - if (memcmp (&ident[EI_MAG0], ELFMAG, SELFMAG) != 0) - { - printf ("%s: not an ELF file\n", fname); - close (fd); - return 1; - } - - int result; - if (ident[EI_CLASS] == ELFCLASS64) - result = handle_file64 (fname, fd); - else - result = handle_file32 (fname, fd); - - close (fd); - - return result; -} - - -int -main (int argc, char *argv[]) -{ - int cnt; - int result = 0; - - for (cnt = 1; cnt < argc; ++cnt) - result |= handle_file (argv[cnt]); - return result; -} -#endif diff --git a/scripts/check-execstack.awk b/scripts/check-execstack.awk new file mode 100644 index 0000000..21d37e9 --- /dev/null +++ b/scripts/check-execstack.awk @@ -0,0 +1,52 @@ +# This awk script expects to get command-line files that are each +# the output of 'readelf -l' on a single shared object. +# But the first file should contain just "execstack-no" or "execstack-yes", +# indicating what the default is in the absence of PT_GNU_STACK. +# It exits successfully (0) if none indicated executable stack. +# It fails (1) if any did indicate executable stack. +# It fails (2) if the input did not take the expected form. + +BEGIN { result = sanity = 0; default_exec = -1 } + +/^execstack-no$/ { default_exec = 0; next } +/^execstack-yes$/ { default_exec = 1; next } + +function check_one(name) { + if (default_exec == -1) { + print "*** missing execstack-default file?"; + result = 2; + } + + if (!sanity) { + print name ": *** input did not look like readelf -l output"; + result = 2; + } else if (stack_line) { + if (stack_line ~ /^.*RW .*$/) { + print name ": OK"; + } else if (stack_line ~ /^.*E.*$/) { + print name ": *** executable stack signaled"; + result = result ? result : 1; + } + } else if (default_exec) { + print name ": *** no PT_GNU_STACK entry"; + result = result ? result : 1; + } else { + print name ": no PT_GNU_STACK but default is OK"; + } + + sanity = 0; +} + +FILENAME != lastfile { + if (lastfile) + check_one(lastfile); + lastfile = FILENAME; +} + +$1 == "Type" && $7 == "Flg" { sanity = 1; stack_line = "" } +$1 == "GNU_STACK" { stack_line = $0 } + +END { + check_one(lastfile); + exit(result); +} |