[patch] Adding stack markings to the x86 assembly for not using executable stack

Kees Cook kees at ubuntu.com
Thu Aug 27 09:22:35 PDT 2009


On Thu, Aug 27, 2009 at 12:55:55PM +0200, Matthias Klose wrote:
> This was reported as https://edge.launchpad.net/bugs/409736
> Java is marked to have an executable stack[1]. This is potentially
> dangerous, and is simply an oversight from one of the compiled
> assembly files. Adding stack markings to the assembly solves the
> issue.
> sun/security/ssl/javax/net/ssl/NewAPIs/SessionCacheSizeTests.java
> passes both stock and and with non-exec-stack.
> gcc -fstack-protector is the default on Ubuntu. I'd like to see this
> patch for the IcedTea 1.6 release as well.

Just to clarify: these stack markings have to do with the memory
protections[1] for every Java's invocation (and is not related to
-fstack-protector).  For systems with NX hardware (or NX-emulation patches)
this improves the overall security in Java against exploitable of memory
corruption bugs.

If these patches are not okay, we can also set ASFLAGS to include



[1] https://wiki.ubuntu.com/SecurityTeam/Roadmap/ExecutableStacks

Kees Cook
Ubuntu Security Team

More information about the hotspot-dev mailing list