From Fedora Project Wiki
(submitting change to fesco)
Line 14: Line 14:


== Current status ==
== Current status ==
[[Category:ChangeAnnounced]]
[[Category:ChangeReadyForFesco]]
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
Line 30: Line 30:
* [https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org/thread/KK3LCKM2RR5F67Z5LELNXYUF7LLK6MCG/ Announced]
* [https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org/thread/KK3LCKM2RR5F67Z5LELNXYUF7LLK6MCG/ Announced]
* [https://discussion.fedoraproject.org/t/f40-change-proposal-linker-error-on-security-issues-system-wide/95801 Discussion thread]
* [https://discussion.fedoraproject.org/t/f40-change-proposal-linker-error-on-security-issues-system-wide/95801 Discussion thread]
* FESCo issue: <will be assigned by the Wrangler>
* FESCo issue: [https://pagure.io/fesco/issue/3110 #3110]
* Tracker bug: <will be assigned by the Wrangler>
* Tracker bug: <will be assigned by the Wrangler>
* Release notes tracker: <will be assigned by the Wrangler>
* Release notes tracker: <will be assigned by the Wrangler>

Revision as of 23:45, 22 November 2023

Changes/Linker Error On Security Issues

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

Change the system linker (ld.bfd) so that by default it will generate an error message and fail if it is asked to create an executable binary that contains one or more known security issues. These issues are:

  • an executable stack
  • a loadable segment with read, write and execute permissions,
  • a thread local storage segment with execute permission.

Owner

Current status

Detailed Description

The BFD linker (ld.bfd) is able to detect several potential security problems with the binaries that it is creating. Currently however the linker's default behaviour is to generate warning messages about these problems, but then it carries on and completes the link.

Since only warning messages are generated, and these can be ignored or lost in the output from a build, it is possible that packages are being built without their owners being aware of the potential security problems. Hence this change will alter the linker's default behaviour to turn the warnings into errors, which in turn will prevent the builds from completing successfully.

The change would apply to three linker warnings:

  • The creation of a program containing a stack that is in a memory region that has execute permission.
  • The creation of a program with a loadable segment that has all three of the read, write and execute permission bits set.
  • The creation of a thread local storage segment that has the execute permission bit set.

Feedback

Benefit to Fedora

The benefit of this change is that it will increase the overall security of Fedora by helping to ensure that packages cannot be built with one or more of these vulnerabilities without the owner being made aware and having to take specific actions - either to remove the vulnerability or disable the linker error message.

Scope

  • Proposal owners:

Enable the 'error_for_executable_stacks' and 'error_for_rwx_segments' optional features in the binutils.spec file and then rebuild the binutils.

Following that a system wide rebuild will be needed in order for the change to have a chance to take affect and cause vulnerable packages to fail to build. Any packages that fail to build because of the change will need to be updated to either remove the cause of the problem or else add an extra command line option to be passed to the linker to disable the new feature.

  • Other developers:

Other developers will only be affected if their package(s) fail to build with the new linker. In this case the developer will need to decide if the security vulnerability is actually needed by their package, and if so add a linker command line option to turn off the error, or if the vulnerability is not needed then fix their code so that the problem is removed.

It is known that this change will affect the edk2, glibc and grub2 packages. Their owners will be contacted to assist them in deciding how they wish to resolve the problems specific to their packages.

Other developers can use specific linker command line options to counter this change. The has a LOAD segment with RWX permissions and has a TLS segment with execute permission errors can be turned back into warning messages by using the --no-error-rwx-segments option or removed entirely from the linker's output by using the --no-warn-rwx-segments option.

The missing .note.GNU-stack section implies executable stack error message can be turned back into a warning by using the --no-error-execstack option or removed from the linker's output entirely by using the --no-warn-execstack option.

  • Release engineering: [1]
  • Policies and guidelines: N/A (not needed for this Change)

The packaging guidelines should not need to be updated. The vast majority of programs will not be affected by this change. Packages that are affected will already be requiring special behaviour from the linker, so it can be assumed that their maintainers are familiar with how to report linker problems and how to receive help.

  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Community Initiatives: N/A

Upgrade/compatibility impact

Upgrading previous versions of Fedora to one containing this change will have no immediate effect. In fact the only visible change would be if the upgraded system is used to compile a program and that program contains one or more of the potential security vulnerabilities that will now trigger errors. Even then the previous functionality (of being able to successfully compile the vulnerable program) can be restored by adding a specific linker command line option.


How To Test

Compile programs.

No special hardware or data is needed in order to test this change. Just a Fedora system with the updated binutils package installed plus whatever other packages are needed to compile any test programs. If the programs compile and link successfully then there are no issues. If they do not, and the reason that they do not compile is because of error messages from the linker, then something needs to be done.

Note - the linker's own testsuite includes tests to make sure that the error messages are generated under the correct circumstances as well tests to make sure that the errors can be disabled by the correct command line options.

User Experience

On the whole, users should not notice this change.

Users who build programs on Fedora, and whose programs are built in such a way that they are exposed to the security issues that will trigger the new errors will be affected. Such users might be happy that the problem is being being brought to light, or annoyed that they will now have to consider whether they need to fix their program or fix their build system.

Dependencies

None.

Contingency Plan

  • Contingency mechanism: Revert the change to the linker.
  • Contingency deadline: Fedora 40 beta freeze.
  • Blocks release? No

Documentation

There is a blog about the warning messages that are being turned into errors:

https://www.redhat.com/en/blog/linkers-warnings-about-executable-stacks-and-segments


Release Notes

(For the Developers/Binutils section of the release Notes)

The linker's warning messages about the creation of binaries with executable stacks or memory segments with the execute, read and write permissions have now been turned into errors. This will prevent the creation of programs with either of these vulnerabilities. The errors can be turned off via the use of the --no-warn-execstack and --no-warn-rwx-segments linker command line options.