Ubuntu
mono package

mono has an executable stack on 32bit

Bug #408499 reported by Kees Cook
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
mono (Debian)
New
Unknown
mono (Gentoo Linux)
Won't Fix
Medium
mono (Ubuntu)
Triaged
Wishlist
Unassigned
mono (openSUSE)
Invalid
Medium

Bug Description

Binary package hint: mono

mono lacks stack markings on mono/mini/mdb-debug-info32.s, which is recommended for improved security.

https://wiki.ubuntu.com/SecurityTeam/Roadmap/ExecutableStacks

ProblemType: Bug
Architecture: i386
Date: Mon Aug 3 18:33:32 2009
DistroRelease: Ubuntu 9.10
Package: mono-runtime 2.4+dfsg-5ubuntu1
ProcEnviron:
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-4.23-generic
SourcePackage: mono
Uname: Linux 2.6.31-4-generic i686

See original description

Related branches

lp:ubuntu/lucid/mono
Revision history for this message
In , Rafał Mużyło (galtgendo) wrote :

This has came up when I was looking at the biuld system mono uses.
I'm not sure I classified this bug correctly.

The problem is:
in revision 69955, mono/mini/mdb-debug-info64.s did receive a fix to
prevent that executable from getting an executable stack,
but my question is: what was the reason mono/mini/mdb-debug-info32.s
didn't receive same fix ?

Revision history for this message
In , Vargaz (vargaz) wrote :

-> runtime.

Revision history for this message
In , Rafał Mużyło (galtgendo) wrote :

Well, after five months, I'd be happy to receive any answer,
even "your question is stupid", as long as it explains, why is it
stupid.

Revision history for this message
In , Vargaz (vargaz) wrote :

I have no idea.

Revision history for this message
In , Rafał Mużyło (galtgendo) wrote :

Well, somebody did create that revision, so
perhaps that person can shed some light on this issue ?

Revision history for this message
In , Leszek 'skolima' Ciesielski (skolima) wrote :

That change has been made by Martin Baulig, so I'm adding him as CC.

Revision history for this message
In , Ub71a-martin-b69y0 (ub71a-martin-b69y0) wrote :

Setting to RESOLVED / INVALID since this is not a bug but a question ....

Rafal, if I remember correctly this is only on x86_64 because the on-executable stack needs hardware and kernel support which exists on the AMD64, but not necessarily on i386.

I'm not entirely sure since it's been a very long time since I wrote that code, but I think the reason for making the stack non-executable was because that is the default in mono when running on x86_64, but not on i386.

Martin

Revision history for this message
In , Rafał Mużyło (galtgendo) wrote :

(In reply to comment #6)
> Setting to RESOLVED / INVALID since this is not a bug but a question ....
>
> Rafal, if I remember correctly this is only on x86_64 because the on-executable
> stack needs hardware and kernel support which exists on the AMD64, but not
> necessarily on i386.
>
> I'm not entirely sure since it's been a very long time since I wrote that code,
> but I think the reason for making the stack non-executable was because that is
> the default in mono when running on x86_64, but not on i386.
>
> Martin

Well, that's definitely an answer to a question, just not to mine.

Mine was: during build of mono on x86, libraries/executables
are created by gnu linker, which contain executable stack;
the sole source of it is mono/mini/mdb-debug-info32.s;
does mono need this file to create executable stack in
those libraries/executables ?

Note, that I did try to add that note for non-executable
in that file and mono built fine and it did compile a trivial
program, I'm simply not sure, if I did broke anything that way.

Revision history for this message
In , Rafał Mużyło (galtgendo) wrote :

Or more exactly: on amd64 executable stack is not needed,
is it different on x86 ?

Revision history for this message
In , Kees Cook (kees) wrote :

Ironically, the mono/mini/mdb-debug-info64.s file doesn't need the markings at all. the mono/mini/mdb-debug-info32.s is the one that needs the markings (since only ia32 defaults to executable stack when asm lacks the flags).

Revision history for this message
Kees Cook (kees) wrote :
Changed in mono (Ubuntu):
status: New → Confirmed
Bug Watch Updater (bug-watch-updater)
Changed in mono (Gentoo Linux):
status: Unknown → Confirmed
Bug Watch Updater (bug-watch-updater)
Changed in mono (openSUSE):
status: Unknown → Confirmed
Revision history for this message
In , Ub71a-martin-b69y0 (ub71a-martin-b69y0) wrote :

Since we're not going to touch this code anyways, -> RESOLVED / INVALID again.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mono - 2.4+dfsg-5ubuntu2

---------------
mono (2.4+dfsg-5ubuntu2) karmic; urgency=low

  * Added debian/patches/fix_exec_stack.dpatch: mark up missed
    flags for x86 asm (LP: #408499, debian bug 539807).

 -- Kees Cook <email address hidden> Mon, 03 Aug 2009 10:47:55 -0700

Changed in mono (Ubuntu):
status: Confirmed → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in mono (openSUSE):
status: Confirmed → Invalid
Kees Cook (kees)
visibility: private → public
description: updated
Revision history for this message
Kees Cook (kees) wrote :

It seems that mono actually does use the stack for execution, but only when using the debugger. :(

$ echo 'class MainClass { static void Main() { System.Console.WriteLine("Hello World!"); } }' > hello.cs
$ gmcs hello.cs
$ mdb ./hello.exe
Mono Debugger
(mdb) run
Starting program: ./hello.exe
Cannot read symbol file `/usr/lib/mono/2.0/mscorlib.dll.mdb': Could not find file "/usr/lib/mono/2.0/mscorlib.dll.mdb".
Cannot read symbol file `/home/kees/hello.exe.mdb': Could not find file "/home/kees/hello.exe.mdb".
(mdb) Thread @1 received signal 11 at #0: 0xff87c909.
0xff87c909 push $0xff87c932
quit
The program is running. Exit anyway? (y or n) y
Thread @1 exited.
Process #1 exited.
Target exited.

Changed in mono (Ubuntu):
status: Fix Released → Confirmed
Kees Cook (kees)
summary: - mono has a needlessly executable stack
+ mono has an executable stack
Bug Watch Updater (bug-watch-updater)
Changed in mono (Debian):
status: Unknown → New
Revision history for this message
Kees Cook (kees) wrote : Re: mono has an executable stack

After some upstream discussion, it seems that Mono's debugger injects marshallers onto the debug-ee's stack and executes them. Possible work-around: leave Mono non-exec-stack, but have the debugger inject an mprotect call to gain stack-exec. Probably as much work as correctly fixing the marshallers.

Changed in mono (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → Medium
Bug Watch Updater (bug-watch-updater)
Changed in mono (Gentoo Linux):
status: Confirmed → Won't Fix
Bug Watch Updater (bug-watch-updater)
Changed in mono (Gentoo Linux):
importance: Unknown → Medium
Kees Cook (kees)
security vulnerability: yes → no
Changed in mono (Ubuntu):
importance: Medium → Wishlist
summary: - mono has an executable stack
+ mono has an executable stack on 32bit
Revision history for this message
In , Dan Wallis (fredden) wrote :

Still appears to be a problem in v2.10.5

Bug Watch Updater (bug-watch-updater)
Changed in mono (openSUSE):
importance: Unknown → Medium
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.