From Fedora Project Wiki
Comparison with the previous revision (edit summaries shown: "submitting change to fesco"; "No edit summary")

Summary section, previous text:
Change the system linker (ld.bfd) so that by default it will generate an error message and fail if it is asked to create an executable binary that contains one or more known security issues.  These issues are:
Summary section, this revision:
Extend the ''%{hardened_build}'' feature of the redhat-rpm-config package so that the linker will generate an error message and fail if it is asked to create an executable binary that contains one or more known security issues.  These issues are:

Detailed Description section, previous text:
Since only warning messages are generated, and these can be ignored or lost in the output from a build, it is possible that packages are being built without their owners being aware of the potential security problems.  Hence this change will alter the linker's default behaviour to turn the warnings into errors, which in turn will prevent the builds from completing successfully.
Detailed Description section, this revision:
Since only warning messages are generated, and these can be ignored or lost in the output from a build, it is possible that packages are being built without their owners being aware of the potential security problems.  This change will alter the linker's default behaviour and turn the warnings into errors, which in turn will prevent the builds from completing successfully, and thus force package maintainers to either fix the problem or disable the errors.
Paragraph added in this revision:
Note: Since this change is only being made in the macros defined in redhat-rpm-config, only packages that use those macros will benefit from this change.  Packages that have their own build systems, but still use the BFD linker, will not be affected.

Scope section (Proposal owners), previous text:
Enable the 'error_for_executable_stacks' and 'error_for_rwx_segments' optional features in the binutils.spec file and then rebuild the binutils.
Scope section (Proposal owners), this revision:
Patch the redhat-rpm-config package to add the insertion of two new options into the ''%{_hardening_ld_flags}'' variable, along with a mechanism to disable this insertion, and documentation of the effects of the new options.

Previous text:
Following that a system wide rebuild will be needed in order for the change to have a chance to take affect and cause vulnerable packages to fail to build.  Any packages that fail to build because of the change will need to be updated to either remove the cause of the problem or else add an extra command line option to be passed to the linker to disable the new feature.
This revision:
Following that a system wide rebuild will be needed in order for the change to have a chance to take affect and cause vulnerable packages to fail to build.  Any packages that fail to build because of the change will need to be updated to either remove the cause of the problem or else suppress the new errors.

Scope section (Other developers), previous text:
Other developers will only be affected if their package(s) fail to build with the new linker.  In this case the developer will need to decide if the security vulnerability is actually needed by their package, and if so add a linker command line option to turn off the error, or if the vulnerability is not needed then fix their code so that the problem is removed.
Scope section (Other developers), this revision:
Other developers will only be affected if their package(s) fail to build with the new linker.  In this case the developer will need to decide if the security vulnerability is actually needed by their package, or if it can be removed.

Previous text:
It is known that this change will affect the edk2, glibc and grub2 packages.  Their owners will be contacted to assist them in deciding how they wish to resolve the problems specific to their packages.
This revision:
If the vulnerability is intentional then the new errors can be disabled by adding '''%undefine _hardened_linker_errors''' to the package's spec file.

Previous text:
Other developers can use specific linker command line options to counter this change.  The '''has a LOAD segment with RWX permissions''' and '''has a TLS segment with execute permission''' errors can be turned back into warning messages by using the ''--no-error-rwx-segments'' option or removed entirely from the linker's output by using the ''--no-warn-rwx-segments'' option.
This revision:
It is also possible to use specific linker command line options to turn off one error message whilst leaving the other enabled.  The '''has a LOAD segment with RWX permissions''' and '''has a TLS segment with execute permission''' errors can be turned back into warning messages by using the ''--no-error-rwx-segments'' option or removed entirely from the linker's output by using the ''--no-warn-rwx-segments'' option.

Previous text:
The '''missing .note.GNU-stack section implies executable stack''' error message can be turned back into a warning by using the ''--no-error-execstack'' option or removed from the linker's output entirely by using the ''--no-warn-execstack'' option.
This revision:
The '''missing .note.GNU-stack section implies executable stack''' error message can be turned back into a warning by using the ''--no-error-execstack'' option or removed from the linker's output entirely by using the ''--no-warn-execstack'' option or the ''-z execstack'' option.
Paragraph added in this revision:
It is known that this change will affect the edk2, glibc, mesa and grub2 packages.  Their owners have been contacted to assist them in deciding how they wish to resolve the problems specific to their packages.

Release engineering ticket (unchanged): https://pagure.io/releng/issue/11777

Revision as of 10:17, 1 December 2023

Changes/Linker Error On Security Issues

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

Extend the %{hardened_build} feature of the redhat-rpm-config package so that the linker will generate an error message and fail if it is asked to create an executable binary that contains one or more known security issues. These issues are:

  • an executable stack
  • a loadable segment with read, write and execute permissions,
  • a thread local storage segment with execute permission.

Owner

Current status

Detailed Description

The BFD linker (ld.bfd) is able to detect several potential security problems with the binaries that it is creating. Currently, however, the linker's default behaviour is to generate warning messages about these problems and then carry on and complete the link.

Since only warning messages are generated, and these can be ignored or lost in the output from a build, it is possible that packages are being built without their owners being aware of the potential security problems. This change will alter the linker's default behaviour and turn the warnings into errors, which in turn will prevent the builds from completing successfully, and thus force package maintainers to either fix the problem or disable the errors.

The change would apply to three linker warnings:

  • The creation of a program containing a stack that is in a memory region that has execute permission.
  • The creation of a program with a loadable segment that has all three of the read, write and execute permission bits set.
  • The creation of a thread local storage segment that has the execute permission bit set.

Note: Since this change is only being made in the macros defined in redhat-rpm-config, only packages that use those macros will benefit from this change. Packages that have their own build systems, but still use the BFD linker, will not be affected.

Feedback

Benefit to Fedora

The benefit of this change is that it will increase the overall security of Fedora by helping to ensure that packages cannot be built with one or more of these vulnerabilities without the owner being made aware and having to take specific actions - either to remove the vulnerability or disable the linker error message.

Scope

  • Proposal owners:

Patch the redhat-rpm-config package to add the insertion of two new options into the %{_hardening_ld_flags} variable, along with a mechanism to disable this insertion, and documentation of the effects of the new options.

Following that, a system-wide rebuild will be needed in order for the change to have a chance to take effect and cause vulnerable packages to fail to build. Any packages that fail to build because of the change will need to be updated to either remove the cause of the problem or else suppress the new errors.

  • Other developers:

Other developers will only be affected if their package(s) fail to build with the new linker. In this case the developer will need to decide if the security vulnerability is actually needed by their package, or if it can be removed.

If the vulnerability is intentional then the new errors can be disabled by adding %undefine _hardened_linker_errors to the package's spec file.

It is also possible to use specific linker command line options to turn off one error message whilst leaving the other enabled. The "has a LOAD segment with RWX permissions" and "has a TLS segment with execute permission" errors can be turned back into warning messages by using the --no-error-rwx-segments option, or removed entirely from the linker's output by using the --no-warn-rwx-segments option.

The "missing .note.GNU-stack section implies executable stack" error message can be turned back into a warning by using the --no-error-execstack option, or removed from the linker's output entirely by using the --no-warn-execstack option or the -z execstack option.

It is known that this change will affect the edk2, glibc, mesa and grub2 packages. Their owners have been contacted to assist them in deciding how they wish to resolve the problems specific to their packages.
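The script below is an added example; it is not code from this proposal, from binutils or from redhat-rpm-config. It parses the program headers of a linked ELF64 file and reports the three conditions the Detailed Description names (an executable GNU_STACK entry, a PT_LOAD segment with all of read, write and execute, a PT_TLS segment with execute), then lists the linker options given above that a maintainer would use to demote or silence each error if the condition is intentional. The linker performs its checks on its inputs at link time, so this is a complementary post-link check that could run over the built binaries in %check or in CI. The two ELF images in it are constructed by hand (headers only, not executable) so it runs without a toolchain; the option mapping is a summary of the proposal's text.

```python
"""Post-link check for the three conditions the proposal turns into linker errors.

Added example, not part of the Fedora proposal, binutils or redhat-rpm-config.
Only ELF64 little-endian is handled; the sample images are constructed in-line.
"""
import struct

PT_LOAD, PT_TLS, PT_GNU_STACK = 1, 7, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

# Finding -> linker options the proposal names for demoting (--no-error-*)
# or silencing (--no-warn-*, -z execstack) that particular error.
OPT_OUT = {
    "executable stack": ("--no-error-execstack", "--no-warn-execstack", "-z execstack"),
    "LOAD segment with RWX permissions": ("--no-error-rwx-segments", "--no-warn-rwx-segments"),
    "TLS segment with execute permission": ("--no-error-rwx-segments", "--no-warn-rwx-segments"),
}


def program_headers(data: bytes):
    """Yield (p_type, p_flags) for every program header of an ELF64 LE image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled in this example")
    (phoff,) = struct.unpack_from("<Q", data, 0x20)          # e_phoff
    phentsize, phnum = struct.unpack_from("<HH", data, 0x36)  # e_phentsize, e_phnum
    for i in range(phnum):
        yield struct.unpack_from("<II", data, phoff + i * phentsize)  # p_type, p_flags


def check_elf(data: bytes) -> list:
    """Return the findings for one image, worded like the proposal's three errors."""
    findings = []
    saw_gnu_stack = False
    for p_type, p_flags in program_headers(data):
        if p_type == PT_GNU_STACK:
            saw_gnu_stack = True
            if p_flags & PF_X:
                findings.append("executable stack")
        elif p_type == PT_LOAD and (p_flags & (PF_R | PF_W | PF_X)) == (PF_R | PF_W | PF_X):
            findings.append("LOAD segment with RWX permissions")
        elif p_type == PT_TLS and p_flags & PF_X:
            findings.append("TLS segment with execute permission")
    if not saw_gnu_stack:
        # Nothing in the file asks the loader for a non-executable stack, so flag
        # it conservatively; this is the situation the linker's message about a
        # missing .note.GNU-stack section is warning about for its inputs.
        findings.append("executable stack")
    return findings


def report(data: bytes) -> str:
    """Human-readable verdict with the opt-out options for each finding."""
    findings = check_elf(data)
    if not findings:
        return "OK: no executable stack, RWX LOAD segment or executable TLS segment"
    return "\n".join(
        f"error: {f}; if intentional, demote or silence only this check with: {', '.join(OPT_OUT[f])}"
        for f in findings
    )


def build_elf(segments) -> bytes:
    """Construct a minimal ELF64 LE image whose only content is the given program headers.
    (p_type, p_flags) pairs; offsets and sizes are zero because the image is never executed."""
    ehsize, phentsize = 64, 56
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    # e_type, e_machine(x86-64), e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, ehsize, 0, 0,
                               ehsize, phentsize, len(segments), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x1000) for t, f in segments)
    return ehdr + phdrs


# Constructed sample images (not taken from any real package).
HARDENED = build_elf([
    (PT_LOAD, PF_R | PF_X),        # text
    (PT_LOAD, PF_R | PF_W),        # data
    (PT_TLS, PF_R),                # TLS template, read-only
    (PT_GNU_STACK, PF_R | PF_W),   # non-executable stack
])
VULNERABLE = build_elf([
    (PT_LOAD, PF_R | PF_W | PF_X),       # one RWX segment
    (PT_TLS, PF_R | PF_X),               # executable TLS segment
    (PT_GNU_STACK, PF_R | PF_W | PF_X),  # executable stack
])

if __name__ == "__main__":
    print(report(HARDENED))
    print(report(VULNERABLE))
```

Run against real output, the same `check_elf` applies to any ELF64 LE binary read from disk; the %undefine _hardened_linker_errors route described above disables all three errors at once, whereas the per-error options the report prints let a maintainer keep the other checks fatal.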

  • Release engineering: https://pagure.io/releng/issue/11777
  • Policies and guidelines: N/A (not needed for this Change)

The packaging guidelines should not need to be updated. The vast majority of programs will not be affected by this change. Packages that are affected will already be requiring special behaviour from the linker, so it can be assumed that their maintainers are familiar with how to report linker problems and how to receive help.

  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Community Initiatives: N/A

Upgrade/compatibility impact

Upgrading previous versions of Fedora to one containing this change will have no immediate effect. In fact the only visible change would be if the upgraded system is used to compile a program and that program contains one or more of the potential security vulnerabilities that will now trigger errors. Even then the previous functionality (of being able to successfully compile the vulnerable program) can be restored by adding a specific linker command line option.


How To Test

Compile programs.

No special hardware or data is needed in order to test this change. Just a Fedora system with the updated binutils package installed plus whatever other packages are needed to compile any test programs. If the programs compile and link successfully then there are no issues. If they do not, and the reason that they do not compile is because of error messages from the linker, then something needs to be done.

Note - the linker's own testsuite includes tests to make sure that the error messages are generated under the correct circumstances, as well as tests to make sure that the errors can be disabled by the correct command line options.

User Experience

On the whole, users should not notice this change.

Users who build programs on Fedora, and whose programs are built in such a way that they are exposed to the security issues that will trigger the new errors, will be affected. Such users might be happy that the problem is being brought to light, or annoyed that they will now have to consider whether they need to fix their program or fix their build system.

Dependencies

None.

Contingency Plan

  • Contingency mechanism: Revert the change to the linker.
  • Contingency deadline: Fedora 40 beta freeze.
  • Blocks release? No

Documentation

There is a blog post about the warning messages that are being turned into errors:

https://www.redhat.com/en/blog/linkers-warnings-about-executable-stacks-and-segments


Release Notes

(For the Developers/Binutils section of the Release Notes)

The linker's warning messages about the creation of binaries with executable stacks or memory segments with the execute, read and write permissions have now been turned into errors. This will prevent the creation of programs with either of these vulnerabilities. The errors can be turned off via the use of the --no-warn-execstack and --no-warn-rwx-segments linker command line options.