Description of problem: Nodejs seems to be compiled with an executable stack. $ /usr/bin/eu-readelf -l /usr/bin/node | grep STACK GNU_STACK 0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10 Is this intentional? Otherwise an important security mitigation is missing. Version-Release number of selected component (if applicable): nodejs-14.16.0-1.fc33
Node.js is being compiled and linked with the standard CFLAGS and LDFLAGS provided by Fedora macros. I just randomly checked `/usr/bin/ls`, `/usr/bin/dir`, `/usr/bin/sscg`, `/usr/bin/openssl` and `/usr/bin/passwd` and every one of them lists GNU_STACK 0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW 0x10 There's nothing special about the way this is compiled/linked, so I suspect if you have an issue with this, it belongs to the Compiler Tools team. Reassigning to binutils.
(In reply to Stephen Gallagher from comment #1) > There's nothing special about the way this is compiled/linked, so I suspect > if you have an issue with this, it belongs to the Compiler Tools team. > Reassigning to binutils. I doubt if it really is an assembler/linker problem. More likely is that there is an assembler source file in the node.js sources (either physically present or manufactured by a tool), which is missing a .note.GNU-stack section, which then tells the linker to create an executable stack. For more details see: node-v14.14.0/deps/v8/src/snapshot/embedded/platform-embedded-file-writer-generic.cc in the nodejs sources where there is: // Omitting this section can imply an executable stack, which is usually // a linker warning/error. C++ compilers add these automatically, but // compiling assembly requires the .note.GNU-stack section to be inserted // manually. // Additional documentation: // https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart fprintf(fp_, ".section .note.GNU-stack,\"\",%%progbits\n"); I will see if I can track down the offending file(s).
(In reply to Stephen Gallagher from comment #1) > I just randomly checked `/usr/bin/ls`, `/usr/bin/dir`, `/usr/bin/sscg`, > `/usr/bin/openssl` and `/usr/bin/passwd` and every one of them lists > GNU_STACK 0x000000 0x0000000000000000 0x0000000000000000 0x000000 > 0x000000 RW 0x10 Please note this part of my reply: it looks like EVERY binary on my F34 system has an executable stack. It sounds as if this is not expected.
(In reply to Stephen Gallagher from comment #3) > (In reply to Stephen Gallagher from comment #1) > > I just randomly checked `/usr/bin/ls`, `/usr/bin/dir`, `/usr/bin/sscg`, > > `/usr/bin/openssl` and `/usr/bin/passwd` and every one of them lists > > GNU_STACK 0x000000 0x0000000000000000 0x0000000000000000 0x000000 > > 0x000000 RW 0x10 > > > Please note this part of my reply: it looks like EVERY binary on my F34 > system has an executable stack. It sounds as if this is not expected. The quoted output is fine: an RW stack is not executable, it would have to be RWE (as shown in comment 0).
Reading comprehension is apparently not my strong suit today. Thank you for your help with tracking this down. I'll move it back to the nodejs component.
The culprit appears to be src/large_pages/node_text_start.S Changing it like this should fix the problem: --- src/large_pages/node_text_start.S.orig 2021-04-20 11:36:54.292044739 +0100 +++ src/large_pages/node_text_start.S 2021-04-20 11:35:43.828560783 +0100 @@ -3,3 +3,4 @@ .global __node_text_start .hidden __node_text_start __node_text_start: +.section .note.GNU-stack,"",%%progbits
Sorry, the "%%progbits" should be just "%progbits".
Does %progbits work everywhere? I know it's required on some targets, but @progbits is frequently used as well.
(In reply to Florian Weimer from comment #8) > Does %progbits work everywhere? No you are right - there are some targets for which it does not work. Most notably the ARM (32-bit. It does work for AArch64). > I know it's required on some targets, but > @progbits is frequently used as well. The @progbits version is probably better because it should work on all targets, including ARM. Cheers Nick
I thought it is the other way around. @ seems to be a comment character on arm, so I think %progbits is the only thing that works on ARM, and it should work on other arches too, while @progbits will only work on those where @ is not a comment character.
E.g. gas/testsuite/gas/elf/*.s tests all use just %progbits and not @progbits.
(In reply to Jakub Jelinek from comment #11) > E.g. gas/testsuite/gas/elf/*.s tests all use just %progbits and not > @progbits. Argh! I should not have gotten out of bed this morning. Yes you are right Jakub, the %progbits version is the preferred version.
This message is a reminder that Fedora 33 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 33 on 2021-11-30. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '33'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 33 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
This was fixed some time ago and I forgot to close this BZ.