Re: [klibc] process '/usr/bin/rsync' started with executable stack

[Christophe Leroy]

Le 25/06/2020 Ã 22:20, Kees Cook a ÃcritÂ:
> On Thu, Jun 25, 2020 at 01:04:29PM +0300, Dan Carpenter wrote:
> > On Wed, Jun 24, 2020 at 12:39:24PM -0700, Kees Cook wrote:
> > > On Wed, Jun 24, 2020 at 07:51:48PM +0300, Dan Carpenter wrote:
> > > > In Debian testing the initrd triggers the warning.
> > > >
> > > > [   34.529809] process '/usr/bin/fstype' started with executable stack
> > >
> > > Where does fstype come from there? I am going to guess it is either
> > > busybox or linked against klibc?
> > >
> > > klibc has known problems with executable stacks due to its trampoline
> > > implementation:
> > > https://wiki.ubuntu.com/SecurityTeam/Roadmap/ExecutableStacks
> >
> > Yeah.  It comes from klibc-utils.
>
> This is exactly what I was worried about back in Feb:
> https://lore.kernel.org/lkml/202002251341.48BC06E@keescook/
>
> This warning, combined with klibc-based initrds, makes the whole thing
> pointless because it will always warn once on boot for the klibc stack,
> and then not warn about anything else after that.
>
> It looks like upstream klibc hasn't been touched in about 4 years, and
> it's been up to Ben to keep it alive in Debian.
>
> A couple ideas, in order of my preference:
>
> 1) stop using klibc-utils[1]. initramfs-tools-core is the only thing with a
>     dependency on klibc-utils. Only a few things are missing from busybox.

Does busybox cleanly build with klibc lib ?
If it does, is the result as small ?

> 2) make the warning rate-limited instead?
>
> 3) fix the use of trampolines in klibc

That's done, see 
https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=9d8d648e604026b32cad00a84ed6c29cbd157641

Discussed here 
https://lists.zytor.com/archives/klibc/2020-February/004271.html

Christophe

> Thoughts?
>
> -Kees
>
>
> [1] Ben appears well aware of this idea, as he suggested it in 2018. :)
>      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887159