[PyPy-issue] [issue610] The generated pypy binary is unnecessarily flagged as needing an executable stack

Dave Malcolm pypy-dev-issue at codespeak.net
Thu Dec 16 19:44:49 CET 2010

New submission from Dave Malcolm <dmalcolm at redhat.com>:

$ execstack -q ./pypy
X ./pypy

$ eu-readelf -l ./pypy | grep STACK
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x8

Note that the stack is marked as "RWE", not just "RW".

>From IRC chat on #pypy earlier:
<dmalcolm> random ELF-hardening question: does a pypy-jit process' stack need to be executable for any reason?
<dmalcolm> (ideally not)
<Alex_Gaynor> The stack?  I wouldn't think so, we obviously mark some regions of the heap as executable for the machine code.
<arigato> dmalcolm: no, no reason, as long as gcc doesn't add its own (from the regular ANSI C code we produce)

If we don't need the process' stacks to be executable, they shouldn't be, preventing some kinds of buffer-overflow attacks (perhaps 
in extension modules and other libraries).

The GNU toolchain attempts to determine if a binary/shared library needs its processes' threads' stacks to be executable.

As I understand things, typically when gcc builds a binary, it goes from .c via .o files, and the compiler "knows" that the code 
doesn't need an executable stack, and thus embeds:
   .section .note.GNU-stack,"", at progbits
in every .o file built from a .c file.

This typically fails for assembler files (.s): the assembler can't determine if the resulting machine code would need an executable 
stack, and thus pessimistically omits the no-exec-stack flag.

One workaound may be to add:
   .section .note.GNU-stack,"", at progbits
to every .s file, though that may be gcc-specific.

However, the generated Makefile creates the executable ("TARGET") by passing all of the .lbl.s files to gcc, using LDFLAGS, so it may 
be fixable by ensuring that LDFLAGS contains "--no-exec-stack" (I'm currently trying a build to verify this).

Alternatively, one can simply run:
  execstack --clear-execstack PATH_TO_ELF_FILE
to remove the tainted bit from the ELF file's internal metadata.

(See also Appendix A of http://people.redhat.com/drepper/nonselsec.pdf for more info on this)

effort: easy
messages: 2007
nosy: dmalcolm, pypy-issue
priority: bug
release: 1.4
status: unread
title: The generated pypy binary is unnecessarily flagged as needing an executable stack

PyPy development tracker <pypy-dev-issue at codespeak.net>

More information about the Pypy-issue mailing list