On Mon, Aug 08, 2016 at 05:11:28PM +0200, David Coppa wrote:
> On Sun, 07 Aug 2016, Landry Breuil wrote:
> 
> > On Sun, Aug 07, 2016 at 10:20:50PM +0200, Christian Weisgerber wrote:
> > > OpenBSD is increasingly mandating W^X.  What does that mean?  Memory
> > > can either be mapped writable, or it can be executable, but not
> > > both (Write xor eXecute).  This is a security concern.  Without
> > > W^X, an attacker can load their own code into memory and then execute
> > > it.  W^X protects against this.
> > > 
> > > Unfortunately there is important third-party code, such as just-in-time
> > > compilers, that still uses mmap(2) to make memory both writable and
> > > executable, so for the time being, we have to arrange ourselves
> > > with it.
> > > 
> > > For a binary to be allowed to violate W^X, it must
> > > (1) reside on a filesystem that is mounted with the "wxallowed"
> > >     flag (the installer enables this for /usr/local);
> > > (2) be annotated with PT_OPENBSD_WXNEEDED at the ELF level.
> > > 
> > > So far, only (1) is strictly enforced and any program in violation
> > > is terminated at once.
> > > 
> > > For (2), the W^X violation is logged (dmesg, syslog).  In recent
> > > snapshots, the offending mmap() call has also begun to return an
> > > error.  Alas, many programs don't handle this failure gracefully
> > > and crash.
> > > 
> > > Now, obviously getting rid of W^X violations has to be the end goal,
> > > but that will take time and effort.  In the meantime, offenders
> > > *MUST* be marked wxneeded.  This is done by linking the executable
> > > with "ld -z wxneeded".  When linking is performed through cc, which
> > > is the usual case, you add "-Wl,-z,wxneeded" to the linking command
> > > line.  That's it.
> > > 
> > > Currently only four affected ports are marked wxneeded.  More will
> > > need this.  Please, when you see a port throwing "foo(4711): W^X
> > > violation" log messages, look into adding wxneeded.
> > > 
> > > We can draw up a list of affected ports, but it isn't exactly hard
> > > to notice.  Some ports already need wxneeded to build.  Presumably
> > > there are a few others where it will only show up at run time.
> > > 
> > > This is important.  The W^X hammer is coming down and without
> > > wxneeded annotations you will find that a number of your favorite
> > > programs (e.g. everything Mozilla) will no longer run.
> > 
> > Free ok coupons to whoever wants to fix 'everything Mozilla' by applying
> > the necessary knob/bandaid like a sir. I won't have time nor interest to
> > look into this before g2k16.
> 
> This should help thunderbird (we already had this patch for firefox).
> 
> I'm doing the rebuild myself, hoping someone with a faster machine
> can beat me...

Ok as long as it works and you apply the same fix to seamonkey. For
xulrunner, I'm afraid wxneeded will need to be passed to linker flags,
probably via vars in CONFIGURE_ENV or patching configure (boo!)

Landry
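The thread above mentions that once the kernel starts refusing the writable+executable mmap(2), "many programs don't handle this failure gracefully and crash". The following is an added example, not code from this thread or from any of the Mozilla ports, showing the two things a JIT-style allocator can do about that: check the result of the legacy RWX mapping instead of assuming it succeeded, and fall back to the W^X-clean sequence of mapping RW, writing the code, and then switching the pages to RX with mprotect(2), so that write and execute are never set at the same time. The function names, the `allow_rwx` flag and the stub bytes are this example's own; the stub is a constructed byte pattern that is never executed. On OpenBSD the RWX path only succeeds for a binary linked with -Wl,-z,wxneeded on a wxallowed filesystem, as the original post explains; the code treats any mmap() failure the same way and does not depend on a particular errno.

```c
/*
 * Added example: W^X-aware publishing of generated code.
 *   allow_rwx == 1: try the legacy RWX mapping first (what most JITs do),
 *                   but handle its refusal instead of crashing.
 *   allow_rwx == 0: use only the W^X-clean path (RW, copy, then RX).
 * Nothing in the published region is ever executed here.
 */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

enum wx_mode { WX_NONE = 0, WX_RWX = 1, WX_TWO_STEP = 2 };

struct code_region {
    unsigned char *base;
    size_t len;          /* mapped length, page rounded */
    enum wx_mode mode;   /* which path produced the mapping */
};

/* mprotect(2) wants page-aligned ranges; round the request up. */
static size_t round_to_page(size_t n)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    return (n + page - 1) / page * page;
}

/*
 * Publish `len` bytes of `code` as a read+execute region.
 * Returns 0 on success, -1 with errno set on failure.  A caller that gets
 * -1 must degrade (e.g. stay in the interpreter), not dereference NULL.
 */
int publish_code(struct code_region *out, const unsigned char *code,
                 size_t len, int allow_rwx)
{
    size_t maplen = round_to_page(len);
    int flags = MAP_PRIVATE | MAP_ANONYMOUS;
    unsigned char *p;

    memset(out, 0, sizeof *out);

    if (allow_rwx) {
        /* Legacy path: W^X violation.  A W^X-enforcing kernel refuses it;
         * the point is to notice the refusal rather than assume success. */
        p = mmap(NULL, maplen, PROT_READ | PROT_WRITE | PROT_EXEC, flags, -1, 0);
        if (p != MAP_FAILED) {
            memcpy(p, code, len);
            out->base = p; out->len = maplen; out->mode = WX_RWX;
            return 0;
        }
        /* fall through to the W^X-clean path */
    }

    /* Clean path: writable first, then flip to executable.  At no point is
     * the region both writable and executable, so nothing is logged or refused. */
    p = mmap(NULL, maplen, PROT_READ | PROT_WRITE, flags, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    memcpy(p, code, len);
    if (mprotect(p, maplen, PROT_READ | PROT_EXEC) != 0) {
        int saved = errno;
        munmap(p, maplen);
        errno = saved;
        return -1;
    }
    out->base = p; out->len = maplen; out->mode = WX_TWO_STEP;
    return 0;
}

void release_code(struct code_region *r)
{
    if (r->base)
        munmap(r->base, r->len);
    memset(r, 0, sizeof *r);
}

/* Does the published region still hold the bytes we copied in? */
int region_matches(const struct code_region *r, const unsigned char *code, size_t len)
{
    return r->base != NULL && memcmp(r->base, code, len) == 0;
}

int main(void)
{
    /* Constructed placeholder bytes; never executed. */
    static const unsigned char stub[] = { 0xc3, 0x90, 0x90, 0x90 };
    struct code_region r;

    if (publish_code(&r, stub, sizeof stub, 1) != 0) {
        perror("publish_code");
        return 1;
    }
    printf("mapped %zu bytes via %s\n", r.len,
           r.mode == WX_RWX ? "RWX (W^X violation)" : "RW then RX (W^X clean)");
    release_code(&r);
    return 0;
}
```

A port that can switch to the clean path outright (write with the pages RW, toggle to RX before running, toggle back to RW for the next patch) needs neither wxneeded nor a wxallowed mount, which is the "end goal" the post refers to; the RWX branch exists only so that the refusal is handled while that conversion is pending.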