Changes/Linker Error On Security Issues

Changes/Linker Error On Security Issues

Summary

Extend the %{hardened_build} feature of the redhat-rpm-config package so that the linker will generate an error message and fail if it is asked to create an executable binary that contains one or more known security issues. These issues are:

• an executable stack
• a loadable segment with read, write and execute permissions,
• a thread local storage segment with execute permission.

Owner

• Name: Nick Clifton
• Email: nickc@redhat.com

Current status

• Targeted release: Fedora Linux 40
• Last updated: 2023-12-16
• Announced
• Discussion thread
• FESCo issue: #3110
• Tracker bug: #2254787
• Release notes tracker: #1062

Detailed Description

The BFD linker (ld.bfd) is able to detect several potential security problems with the binaries that it is creating. Currently however the linker's default behaviour is to generate warning messages about these problems, but then it carries on and completes the link.

Since only warning messages are generated, and these can be ignored or lost in the output from a build, it is possible that packages are being built without their owners being aware of the potential security problems. This change will alter the linker's default behaviour and turn the warnings into errors, which in turn will prevent the builds from completing successfully, and thus force package maintainers to either fix the problem or disable the errors.

The change would apply to three linker warnings:

• The creation of a program containing a stack that is in a memory region that has execute permission.
• The creation of a program with a loadable segment that has all three of the read, write and execute permission bits set.
• The creation of a thread local storage segment that has the execute permission bit set.

Note: Since this change is only being made in the macros defined in redhat-rpm-config, only packages that use those macros will benefit from this change. Packages that have their own build systems, but still use the BFD linker, will not be affected.

Feedback

Benefit to Fedora

The benefit of this change is that it will increase the overall security of Fedora by helping to ensure that packages cannot be built with one or more of these vulnerabilities without the owner being made aware and having to take specific actions - either to remove the vulnerability or disable the linker error message.

Scope

• Proposal owners:

Patch the redhat-rpm-config package to add the insertion of two new options into the %{_hardening_ld_flags} variable, along with a mechanism to disable this insertion, and documentation of the effects of the new options.

Following that a system wide rebuild will be needed in order for the change to have a chance to take affect and cause vulnerable packages to fail to build. Any packages that fail to build because of the change will need to be updated to either remove the cause of the problem or else suppress the new errors.

• Other developers:

Other developers will only be affected if their package(s) fail to build with the new linker. In this case the developer will need to decide if the security vulnerability is actually needed by their package, or if it can be removed.

If the vulnerability is intentional then the new errors can be disabled by adding %undefine _hardened_linker_errors to the package's spec file.

It is also possible to use specific linker command line options to turn off one error message whilst leaving the other enabled. The has a LOAD segment with RWX permissions and has a TLS segment with execute permission errors can be turned back into warning messages by using the --no-error-rwx-segments option or removed entirely from the linker's output by using the --no-warn-rwx-segments option.

The missing .note.GNU-stack section implies executable stack error message can be turned back into a warning by using the --no-error-execstack option or removed from the linker's output entirely by using the --no-warn-execstack option or the -z execstack option.

It is known that this change will affect the edk2, glibc, mesa and grub2 packages. Their owners have been contacted to assist them in deciding how they wish to resolve the problems specific to their packages.

• Release engineering: [1]

• Policies and guidelines: N/A (not needed for this Change)

The packaging guidelines should not need to be updated. The vast majority of programs will not be affected by this change. Packages that are affected will already be requiring special behaviour from the linker, so it can be assumed that their maintainers are familiar with how to report linker problems and how to receive help.

• Trademark approval: N/A (not needed for this Change)

• Alignment with Community Initiatives: N/A

Upgrade/compatibility impact

Upgrading previous versions of Fedora to one containing this change will have no immediate effect. In fact the only visible change would be if the upgraded system is used to compile a program and that program contains one or more of the potential security vulnerabilities that will now trigger errors. Even then the previous functionality (of being able to successfully compile the vulnerable program) can be restored by adding a specific linker command line option.

How To Test

Compile programs.

No special hardware or data is needed in order to test this change. Just a Fedora system with the updated binutils package installed plus whatever other packages are needed to compile any test programs. If the programs compile and link successfully then there are no issues. If they do not, and the reason that they do not compile is because of error messages from the linker, then something needs to be done.

Note - the linker's own testsuite includes tests to make sure that the error messages are generated under the correct circumstances as well tests to make sure that the errors can be disabled by the correct command line options.

User Experience

On the whole, users should not notice this change.

Users who build programs on Fedora, and whose programs are built in such a way that they are exposed to the security issues that will trigger the new errors will be affected. Such users might be happy that the problem is being being brought to light, or annoyed that they will now have to consider whether they need to fix their program or fix their build system.

Dependencies

None.

Contingency Plan

• Contingency mechanism: Revert the change to the linker.
• Contingency deadline: Fedora 40 beta freeze.
• Blocks release? No

Documentation

There is a blog about the warning messages that are being turned into errors:

https://www.redhat.com/en/blog/linkers-warnings-about-executable-stacks-and-segments

Release Notes

(For the Developers/Binutils section of the release Notes)

The linker's warning messages about the creation of binaries with executable stacks or memory segments with the execute, read and write permissions have now been turned into errors. This will prevent the creation of programs with either of these vulnerabilities. The errors can be turned off via the use of the --no-warn-execstack and --no-warn-rwx-segments linker command line options.