authorJason Zaman <[email protected]>2016-10-29 07:10:00 +0800
committerBrian Behlendorf <[email protected]>2016-10-28 16:10:00 -0700
commitf26eb428622a6f3dc613d81faf905958e231e8b1 (patch)
tree75c2c768a8ae327f0acf6175245e6fb8303d03d4
parentc6a89b58a997a2b2c672542542e675447efcf4e4 (diff)
Add paxcheck make lint target
This uses scanelf (from pax-utils) to check for any issues with the binaries. It currently checks for executable stacks and textrels. The checks are in a script so can be extended easily in the future for more checks. Executable stacks and textrels are frequently caused by issues in asm files and lead to security and perf problems. Reviewed-by: Brian Behlendorf <[email protected]> Signed-off-by: Jason Zaman <[email protected]> Closes #5338
-rw-r--r--Makefile.am7
-rwxr-xr-xscripts/paxcheck.sh43
2 files changed, 49 insertions, 1 deletions
diff --git a/Makefile.am b/Makefile.am
index 26f684d59..0137407e4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -55,13 +55,18 @@ shellcheck:
done; \
fi
-lint: cppcheck
+lint: cppcheck paxcheck
cppcheck:
@if type cppcheck > /dev/null 2>&1; then \
cppcheck --quiet --force --error-exitcode=2 ${top_srcdir}; \
fi
+paxcheck:
+ @if type scanelf > /dev/null 2>&1; then \
+ scripts/paxcheck.sh ${top_srcdir}; \
+ fi
+
flake8:
@if type flake8 > /dev/null 2>&1; then \
flake8 ${top_srcdir}; \
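Review bot: The paxcheck recipe calls `scripts/paxcheck.sh` by a path relative to the build directory and points it at `${top_srcdir}`, so in an out-of-tree build the script is not found there, and the compiled objects would be under the build tree rather than the source tree anyway. The target also has no prerequisite that builds anything and is skipped entirely when scanelf is absent, so `make lint` can succeed without any ELF file having been examined. Consider `${top_srcdir}/scripts/paxcheck.sh ${top_builddir};` plus a one-line comment above the target saying it must run after a build and does nothing without pax-utils. The flake8 rule at the end of the hunk continues outside it.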
diff --git a/scripts/paxcheck.sh b/scripts/paxcheck.sh
new file mode 100755
index 000000000..1d85f9d01
--- /dev/null
+++ b/scripts/paxcheck.sh
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+if ! type scanelf > /dev/null 2>&1; then
+ echo "scanelf (from pax-utils) is required for these checks." >&2
+ exit 3
+fi
+
+RET=0
+
+# check for exec stacks
+OUT="$(scanelf -qyRAF '%e %p' $1)"
+
+if [ x"${OUT}" != x ]; then
+ RET=2
+ echo "The following files contain writable and executable sections"
+ echo " Files with such sections will not work properly (or at all!) on some"
+ echo " architectures/operating systems."
+ echo " For more information, see:"
+ echo " https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart"
+ echo
+ echo "${OUT}"
+ echo
+fi
+
+
+# check for TEXTRELS
+OUT="$(scanelf -qyRAF '%T %p' $1)"
+
+if [ x"${OUT}" != x ]; then
+ RET=2
+ echo "The following files contain runtime text relocations"
+ echo " Text relocations force the dynamic linker to perform extra"
+ echo " work at startup, waste system resources, and may pose a security"
+ echo " risk. On some architectures, the code may not even function"
+ echo " properly, if at all."
+ echo " For more information, see:"
+ echo " https://wiki.gentoo.org/wiki/Hardened/HOWTO_locate_and_fix_textrels"
+ echo
+ echo "${OUT}"
+ echo
+fi
+
+exit $RET
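Review bot: `$1` is expanded unquoted in both scanelf calls and is never validated, and scanelf's own exit status is discarded, so the script returns 0 whenever `OUT` is empty, presumably including when the argument is missing or names a directory that does not exist. For a hardening lint that is a fail-open path, because "nothing found" and "nothing scanned" look the same to the caller. Guard the argument up front with something like `[ -d "$1" ] || { echo "usage: $0 <dir>" >&2; exit 3; }` and pass it as `"$1"` in both calls. A short header comment listing the exit codes (0 clean, 2 findings, 3 scanelf missing) would also help anyone wiring this into CI.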