[Patches] [ python-Patches-1560695 ] Exec stacks in python 2.5

SourceForge.net noreply at sourceforge.net
Sun Oct 22 12:55:57 CEST 2006


Patches item #1560695, was opened at 2006-09-18 14:23
Message generated for change (Comment added) made by loewis
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=305470&aid=1560695&group_id=5470

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
>Status: Closed
>Resolution: Accepted
Priority: 5
Submitted By: Chaza (masterdriverz)
Assigned to: Nobody/Anonymous (nobody)
Summary: Exec stacks in python 2.5

Initial Comment:
Python 2.5 contains executable stacks. Attached patch
fixes this.

----------------------------------------------------------------------

>Comment By: Martin v. Löwis (loewis)
Date: 2006-10-22 12:55

Message:
Logged In: YES 
user_id=21627

Thanks for the patch. Committed as r52418 and r52419.

----------------------------------------------------------------------

Comment By: Chaza (masterdriverz)
Date: 2006-09-21 13:51

Message:
Logged In: YES 
user_id=1096685

No, sorry, I've badly described the situation in the previous
post.

This patch explicitly tells GCC to not make the stack
executable for
Python-2.5c1/Modules/_ctypes/libffi/src/x86/sysv.S, which
means that it should execute successfully on a hardened
system. Without this patch, GCC guesses (incorrectly) that
sysv.o requires an executable stack, and sets it
accordingly. This can cause execution to fail if Exec Shield
is enabled on hardened systems.

Basically it's just better practice to explicitly mark
whether assembly code needs an executable stack or not, and
for the most part, it doesn't.

For more info (since I'm not brilliant at explaining this) see:

http://people.redhat.com/drepper/nonselsec.pdf (particularly
Appendix A and Exec Shield)
http://people.redhat.com/drepper/selinux-mem.html
http://www.gentoo.org/proj/en/hardened/gnu-stack.xml

or drop into #gentoo-hardened on Freenode.


----------------------------------------------------------------------
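The comment above describes the mechanism in one sentence: an assembly file that carries no `.note.GNU-stack` marker is treated by the linker as if it needed an executable stack, and the resulting library then carries a PT_GNU_STACK program header with the execute bit set (or no such header at all, which older loaders also take to mean executable). The usual way to check a built library is `readelf -lW libfoo.so | grep GNU_STACK`, and for a relocatable object `readelf -SW foo.o | grep GNU-stack`. The following is an added example written for this page, not code from the Python project or from anyone in the thread: a small parser that performs the same two checks directly on the ELF bytes, so a build or packaging step can flag an object that is "unmarked" (the sysv.o situation) or marked executable before it ships. It assumes ELF64 only; the sample files it builds for itself are constructed in the script and are not real Python or libffi binaries.

```python
"""Report whether an ELF object or library asks for an executable stack.

Added example for this thread (not the project's code). Handles ELF64 only.
"""
import struct
import sys

ET_REL = 1                   # relocatable object (.o)
PT_GNU_STACK = 0x6474E551    # program header that records the stack policy
PF_X = 0x1                   # execute permission bit in p_flags
SHF_EXECINSTR = 0x4          # execute flag on a section header
ELFCLASS64 = 2

EHDR = "16sHHIQQQIHHHHHH"    # ELF64 file header, 64 bytes
PHDR = "IIQQQQQQ"            # ELF64 program header, 56 bytes
SHDR = "IIQQQQIIQQ"          # ELF64 section header, 64 bytes


def stack_status(data):
    """Return 'executable', 'non-executable' or 'unmarked' for ELF bytes.

    'unmarked' is the case the thread is about: nothing says the stack may be
    non-executable, so GNU ld (for a .o) or the loader (for a library)
    falls back to assuming it must be executable.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64:
        raise ValueError("only ELF64 is handled in this example")
    end = "<" if data[5] == 1 else ">"      # e_ident[EI_DATA]: 1 = little-endian
    (_, e_type, _, _, _, e_phoff, e_shoff, _, _, e_phentsize, e_phnum,
     e_shentsize, e_shnum, e_shstrndx) = struct.unpack_from(end + EHDR, data, 0)

    if e_type == ET_REL:
        # A .o has no program headers; the marker is a .note.GNU-stack section
        # whose flags say whether the stack needs SHF_EXECINSTR.
        shdrs = [struct.unpack_from(end + SHDR, data, e_shoff + i * e_shentsize)
                 for i in range(e_shnum)]
        strtab_off = shdrs[e_shstrndx][4]    # sh_offset of .shstrtab
        for sh in shdrs:
            name_off = strtab_off + sh[0]    # sh_name is an offset into .shstrtab
            name = data[name_off:data.index(b"\0", name_off)]
            if name == b".note.GNU-stack":
                return "executable" if sh[2] & SHF_EXECINSTR else "non-executable"
        return "unmarked"

    # Executable or shared object: look for PT_GNU_STACK and its PF_X bit.
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + "II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return "executable" if p_flags & PF_X else "non-executable"
    return "unmarked"


def build_linked(gnu_stack_flags):
    """Constructed minimal ET_DYN ELF64 with one PT_GNU_STACK (None = omitted)."""
    phnum = 0 if gnu_stack_flags is None else 1
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    ehdr = struct.pack("<" + EHDR, ident, 3, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdr = b"" if phnum == 0 else struct.pack(
        "<" + PHDR, PT_GNU_STACK, gnu_stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


def build_rel(with_note, exec_flag=False):
    """Constructed minimal ET_REL ELF64: null section, optional note, .shstrtab."""
    names = [b"", b".shstrtab"]
    if with_note:
        names.insert(1, b".note.GNU-stack")
    offsets, strtab = {}, b""
    for n in names:                       # lay out the section-name string table
        offsets[n] = len(strtab)
        strtab += n + b"\0"
    shnum = len(names)
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    ehdr = struct.pack("<" + EHDR, ident, ET_REL, 62, 1, 0, 0, 64 + len(strtab),
                       0, 64, 0, 0, 64, shnum, shnum - 1)
    shdrs = [struct.pack("<" + SHDR, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)]
    if with_note:
        flags = SHF_EXECINSTR if exec_flag else 0
        shdrs.append(struct.pack("<" + SHDR, offsets[b".note.GNU-stack"], 1, flags,
                                 0, 0, 0, 0, 0, 1, 0))
    shdrs.append(struct.pack("<" + SHDR, offsets[b".shstrtab"], 3, 0,
                             0, 64, len(strtab), 0, 0, 1, 0))
    return ehdr + strtab + b"".join(shdrs)


if __name__ == "__main__":
    # Usage: python check_gnu_stack.py libffi.so sysv.o ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, stack_status(f.read()))
```

Applied to the thread's case, a `sysv.o` assembled without the note comes back as "unmarked", and a `_ctypes.so` linked from it comes back as "executable" (PF_X set on PT_GNU_STACK); after the patch the object is "non-executable" and so is the library, which is what Exec Shield needs in order to map the stack without execute permission.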

Comment By: Martin v. Löwis (loewis)
Date: 2006-09-20 19:05

Message:
Logged In: YES 
user_id=21627

Ah, so the patch doesn't actually fix that Python 2.5
contains executable stacks. It rather makes it execute
successfully on a hardened system.

Still, I don't understand what you mean by "Python contains
executable stacks". Where does it do so? And what precisely
breaks on a hardened system when Python is running on it?

----------------------------------------------------------------------

Comment By: Chaza (masterdriverz)
Date: 2006-09-20 13:58

Message:
Logged In: YES 
user_id=1096685

It is probably best summed up here ->
http://www.gentoo.org/proj/en/hardened/gnu-stack.xml but put
simply, executable stacks don't work on hardened systems.
The simplest way to fix them is to explicitly tell gcc to
compile libraries without executable stacks.

----------------------------------------------------------------------

Comment By: Martin v. Löwis (loewis)
Date: 2006-09-20 08:26

Message:
Logged In: YES 
user_id=21627

Can you please elaborate? What is an "executable stack", why
does Python have one, why is that bad, and how does your
patch fix that?

----------------------------------------------------------------------
