4.2.1.15 The gnu-stack test

  Problem:  An attacker could place code on the stack and then run it
  Fix By:   Updating compiler, assembler sources and/or linker scripts
  Waive If: The application *really* needs to be able to dynamically create and execute code
  
  Example:  FAIL: gnu-stack test because the .stack section has incorrect permissions
  Example:  FAIL: gnu-stack test because the .note.GNU-stack section has execute permission
  Example:  FAIL: gnu-stack test because the GNU stack segment has execute permission
  Example:  FAIL: gnu-stack test because the GNU stack segment does not have both read & write permissions
  Example:  FAIL: gnu-stack test because no .note.GNU-stack section found
  Example:  MAYB: gnu-stack test because multiple stack sections detected

This test checks that it is not possible to place code onto the stack and then execute it. Normally the stack just holds data and addresses, but never instructions. A favourite tactic of attackers, however, is to find a buffer overrun bug that affects the stack, place instructions there, and then force the processor to execute them.

The test actually checks several different parts of a binary file in order to determine that its stack is safe, which is why there are several different potential failure messages.

Most applications will have a section inserted into them by the compiler called .note.GNU-stack. The section has no contents, but the read, write, and execute attributes of the section reflect the needs of the application’s stack.

Ordinary compiled code should never see this problem, but the test failure can be triggered by programs built with an old compiler which does not support the .note.GNU-stack section, or by programs that contain assembler source files or were linked with a custom linker map.

To fix the problem, either upgrade the compiler, update the linker map, or extend the assembler sources to add the .note.GNU-stack section with code like this:

  .section .note.GNU-stack,"",%progbits

If necessary the test can be disabled via the --skip-gnu-stack option and re-enabled via the --test-gnu-stack option.