uwsgi
uwsgi copied to clipboard
unbit
ld: warning: plugins/pypy/pypy_setup.py.o: missing .note.GNU-stack section implies executable stack
The note is newly printed with latest binutils master:
[ 14s] [gcc] legion_cache_fetch_plugin.so
[ 14s] build time: 0 seconds
[ 20s] /usr/lib64/gcc/x86_64-suse-linux/13/../../../../x86_64-suse-linux/bin/ld: warning: plugins/pypy/pypy_setup.py.o: missing .note.GNU-stack section implies executable stack
[ 20s] /usr/lib64/gcc/x86_64-suse-linux/13/../../../../x86_64-suse-linux/bin/ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
[ 28s] *** legion_cache_fetch plugin built and available in legion_cache_fetch_plugin.so ***
Please use -z noexecstack linker option in order to silent the warning. Otherwise, libffi_plugin.so will have executable stack enabled.
So something like this:
diff --git a/uwsgiconfig.py b/uwsgiconfig.py
index 9998bc5..abb44e4 100644
--- a/uwsgiconfig.py
+++ b/uwsgiconfig.py
@@ -539,7 +539,7 @@ def build_uwsgi(uc, print_only=False, gcll=None):
gcc_list.append('%s/%s' % (path, cfile))
for bfile in up.get('BINARY_LIST', []):
try:
- binary_link_cmd = "ld -r -b binary -o %s/%s.o %s/%s" % (path, bfile[1], path, bfile[1])
+ binary_link_cmd = "ld -z noexecstack -r -b binary -o %s/%s.o %s/%s" % (path, bfile[1], path, bfile[1])
print(binary_link_cmd)
if os.system(binary_link_cmd) != 0:
raise Exception('unable to link binary file')
@@ -1146,7 +1146,7 @@ class uConf(object):
if not self.embed_config:
self.embed_config = self.get('embed_config')
if self.embed_config:
- binary_link_cmd = "ld -r -b binary -o %s.o %s" % (binarize(self.embed_config), self.embed_config)
+ binary_link_cmd = "ld -z noexecstack -r -b binary -o %s.o %s" % (binarize(self.embed_config), self.embed_config)
print(binary_link_cmd)
os.system(binary_link_cmd)
self.cflags.append("-DUWSGI_EMBED_CONFIG=_binary_%s_start" % binarize(self.embed_config))
@@ -1165,7 +1165,7 @@ class uConf(object):
for directory, directories, files in os.walk(ef):
for f in files:
fname = "%s/%s" % (directory, f)
- binary_link_cmd = "ld -r -b binary -o %s.o %s" % (binarize(fname), fname)
+ binary_link_cmd = "ld -z noexecstack -r -b binary -o %s.o %s" % (binarize(fname), fname)
print(binary_link_cmd)
os.system(binary_link_cmd)
if symbase:
@@ -1175,7 +1175,7 @@ class uConf(object):
os.system(objcopy_cmd)
binary_list.append(binarize(fname))
else:
- binary_link_cmd = "ld -r -b binary -o %s.o %s" % (binarize(ef), ef)
+ binary_link_cmd = "ld -z noexecstack -r -b binary -o %s.o %s" % (binarize(ef), ef)
print(binary_link_cmd)
os.system(binary_link_cmd)
binary_list.append(binarize(ef))
@@ -1465,7 +1465,7 @@ def build_plugin(path, uc, cflags, ldflags, libs, name = None):
gcc_list.append(path + '/' + cfile)
for bfile in up.get('BINARY_LIST', []):
try:
- binary_link_cmd = "ld -r -b binary -o %s/%s.o %s/%s" % (path, bfile[1], path, bfile[1])
+ binary_link_cmd = "ld -z noexecstack -r -b binary -o %s/%s.o %s/%s" % (path, bfile[1], path, bfile[1])
print(binary_link_cmd)
if os.system(binary_link_cmd) != 0:
raise Exception('unable to link binary file')
Starting with glibc 2.41, the dlopen and dlmopen functions no longer make the stack executable if a shared library requires it and instead just fail. This change aims to improve security, as the previous behaviour was used as a vector for RCE.
With glibc 2.41, the pypy plugin won't be loadable anymore.
The above patch fixes the problem.
