F40 Change Proposal: Linker Error on Security Issues (System-Wide)

Linker Error on Security Issues

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Announced
Wiki

Summary

Change the system linker (ld.bfd) so that by default it will generate an error message and fail if it is asked to create an executable binary that contains one or more known security issues. These issues are:

  • an executable stack
  • a loadable segment with read, write and execute permissions,
  • a thread local storage segment with execute permission.

:link: Owner

:link: Detailed Description

The BFD linker (ld.bfd) is able to detect several potential security problems with the binaries that it is creating. Currently however the linker’s default behaviour is to generate warning messages about these problems, but then it carries on and completes the link.

Since only warning messages are generated, and these can be ignored or lost in the output from a build, it is possible that packages are being built without their owners being aware of the potential security problems. Hence this change will alter the linker’s default behaviour to turn the warnings into errors, which in turn will prevent the builds from completing successfully.

The change would apply to three linker warnings:

  • The creation of a program containing a stack that is in a memory region that has execute permission.
  • The creation of a program with a loadable segment that has all three of the read, write and execute permission bits set.
  • The creation of a thread local storage segment that has the execute permission bit set.

:link: Feedback

:link: Benefit to Fedora

The benefit of this change is that it will increase the overall security of Fedora by helping to ensure that packages cannot be built with one or more of these vulnerabilities without the owner being made aware and having to take specific actions - either to remove the vulnerability or disable the linker error message.

:link: Scope

  • Proposal owners:

Enable the ‘error_for_executable_stacks’ and ‘error_for_rwx_segments’ optional features in the binutils.spec file and then rebuild the binutils.

Following that a system wide rebuild will be needed in order for the change to have a chance to take affect and cause vulnerable packages to fail to build. Any packages that fail to build because of the change will need to be updated to either remove the cause of the problem or else add an extra command line option to be passed to the linker to disable the new feature.

  • Other developers:

Other developers will only be affected if their package(s) fail to build with the new linker. In this case the developer will need to decide if the security vulnerability is actually needed by their package, and if so add a linker command line option to turn off the error, or if the vulnerability is not needed then fix their code so that the problem is removed.

It is known that this change will affect the edk2, glibc and grub2 packages. Their owners will be contacted to assist them in deciding how they wish to resolve the problems specific to their packages.

Other developers can use the “–no-warn-execstack” and “–no-warn-rwx-segments” linker command line options to disable the errors.

  • Release engineering: [1]

  • Policies and guidelines: N/A (not needed for this Change)

The packaging guidelines should not need to be updated. The vast majority of programs will not be affected by this change. Packages that are affected will already be requiring special behaviour from the linker, so it can be assumed that their maintainers are familiar with how to report linker problems and how to receive help.

  • Trademark approval: N/A (not needed for this Change)

  • Alignment with Community Initiatives: N/A

:link: Upgrade/compatibility impact

Upgrading previous versions of Fedora to one containing this change will have no immediate effect. In fact the only visible change would be if the upgraded system is used to compile a program and that program contains one or more of the potential security vulnerabilities that will now trigger errors. Even then the previous functionality (of being able to successfully compile the vulnerable program) can be restored by adding a specific linker command line option.

:link: How To Test

Compile programs.

No special hardware or data is needed in order to test this change. Just a Fedora system with the updated binutils package installed plus whatever other packages are needed to compile any test programs. If the programs compile and link successfully then there are no issues. If they do not, and the reason that they do not compile is because of error messages from the linker, then something needs to be done.

Note - the linker’s own testsuite includes tests to make sure that the error messages are generated under the correct circumstances as well tests to make sure that the errors can be disabled by the correct command line options.

:link: User Experience

On the whole, users should not notice this change.

Users who build programs on Fedora, and whose programs are built in such a way that they are exposed to the security issues that will trigger the new errors will be affected. Such users might be happy that the problem is being being brought to light, or annoyed that they will now have to consider whether they need to fix their program or fix their build system.

:link: Dependencies

None.

:link: Contingency Plan

  • Contingency mechanism: Revert the change to the linker.
  • Contingency deadline: Fedora 40 beta freeze.
  • Blocks release? No

:link: Documentation

There is a blog about the warning messages that are being turned into errors:

:link: Release Notes

(For the Developers/Binutils section of the release Notes)

The linker’s warning messages about the creation of binaries with executable stacks or memory segments with the execute, read and write permissions have now been turned into errors. This will prevent the creation of programs with either of these vulnerabilities. The errors can be turned off via the use of the --no-warn-execstack and --no-warn-rwx-segments linker command line options.

This change proposal has now been submitted to FESCo with ticket #3110 for voting.

To find out more, please visit our Changes Policy documentation.

Will we have macros for being able to activate these linker options to disable this? Otherwise this could get a little thorny on being able to use in packages.

@ngompa - No, at the moment there are no macros to disable this new behaviour. There are new linker command line options which can be used, and there are ways that these can be inserted into a build harness, but I agree that having a macro to do this work would be preferable.

I will look into replacing my original (linker) patch with a change to redhat-rpm-config instead.

Hi Neal,

I have changed the proposal so that now it is the redhat-rpm-config package that will/would be updated. I have added the change into the hardening options already supported by the macros there and it can be disabled by undefining a new macro called %_hardened_linker_errors.

Cheers
Nick