Mantis Bug Tracker

ID: 0004564
Project: OCaml
Category: Incoming
View Status: public
Date Submitted: 2008-06-09 19:50
Last Update: 2012-04-10 23:36
Reporter: Richard Jones
Assigned To: xleroy
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 3.11+dev
Summary: 0004564: [Patch] add .note.GNU-stack to avoid generating binaries with executable stacks

Description:
As discussed on the list, ocamlopt generates binaries which run with
executable stacks. However this isn't necessary or desirable behaviour:
http://caml.inria.fr/pub/ml-archives/caml-list/2006/11/2678e935e05e0298cc2e5352b966c262.en.html

Attached to this bug report is a patch which adds the correct
note section to assembly files, both those generated by ocamlopt
and the parts of the runtime written in assembly.

I've only been able to test this on Linux/ELF. It's possible that
the patch breaks non-ELF platforms (are there any??) but with
any luck the meaningless section should just be ignored on these
platforms.

Tags: No tags attached.
Attached Files:
ocaml-3.11-dev12-no-executable-stack.patch (11,289 bytes) 2008-06-09 19:50
ocaml-3.11-dev12-no-executable-stack-2.patch (11,231 bytes) 2008-06-09 22:53

Notes
(0004517)
Richard Jones (reporter)
2008-06-09 19:52

Fedora bug: https://bugzilla.redhat.com/show_bug.cgi?id=450551
(0004518)
Richard Jones (reporter)
2008-06-09 22:53

Here's an updated patch which fixes the Mac OS X / x86 build issue.

I should explain a bit more about what this patch does. I had a useful link
before which explained everything but now I've lost it. Anyway:

Each object file generated by recent gcc is marked according to whether or
not it needs an executable stack. If the C file used a nested function (GCC
extension) then it needs a trampoline which uses an executable stack,
otherwise not. Finally the linker examines every object, and if they all
don't need a non-executable stack, the final binary is marked as
non-executable stack too. However if any object file needs an executable
stack, then the whole binary needs an executable stack.

For backwards compatibility, any unmarked object file is assumed to
need an executable stack.

So if ocamlopt doesn't mark its object files, then any ocamlopt
binaries get an executable stack by default.

Note that this is a security problem: any C object files linked in may
have buffer overflows. A non-executable stack is very desirable because
it prevents (some of) these overflows.

So how do we mark a file? By adding one of these lines to the
assembly code:

  .section .note.GNU-stack,"",%progbits

or (if you _do_ need an executable stack):

  .section .note.GNU-stack,"x",%progbits

To see if a binary is linked to require an executable stack, use
readelf -l binary and look for 'RWE' in the GNU_STACK header.
(0004519)
Richard Jones (reporter)
2008-06-09 23:05

Found that link:
http://gcc.gnu.org/ml/gcc-patches/2007-07/msg01155.html

and a few others of interest:
http://www.gentoo.org/proj/en/hardened/gnu-stack.xml
http://en.wikipedia.org/wiki/NX_bit
(0004548)
xleroy (administrator)
2008-08-01 10:22

Thanks for the detailed explanations -- the Gentoo doc page was particularly informative. Since I'm of the prudent kind, I have so far added the "note" only for Linux/x86 and Linux/x86-64, the two Linux platforms where I can test myself. We'll see what to do for other platforms on a by-need basis.

Issue History
Date Modified Username Field Change
2008-06-09 19:50 Richard Jones New Issue
2008-06-09 19:50 Richard Jones File Added: ocaml-3.11-dev12-no-executable-stack.patch
2008-06-09 19:52 Richard Jones Note Added: 0004517
2008-06-09 22:53 Richard Jones File Added: ocaml-3.11-dev12-no-executable-stack-2.patch
2008-06-09 22:53 Richard Jones Note Added: 0004518
2008-06-09 23:05 Richard Jones Note Added: 0004519
2008-06-10 10:50 doligez Status new => acknowledged
2008-08-01 10:22 xleroy Note Added: 0004548
2008-08-01 10:22 xleroy Status acknowledged => resolved
2008-08-01 10:22 xleroy Resolution open => fixed
2008-08-01 10:22 xleroy Status resolved => assigned
2008-08-01 10:22 xleroy Assigned To => xleroy
2008-08-01 10:23 xleroy Status assigned => resolved
2010-04-29 14:25 xleroy Status resolved => closed
