Remove executable flag from GNU_STACK segment#2857
Merged
terrelln merged 1 commit intofacebook:devfrom Nov 16, 2021
Merged
Conversation
Putting stack marking into every assembly files is required to indicate that the stack does not need to be executable. Executable flag on stack conflicts with some security measures, Systemd MemoryDenyWriteExecute=yes for example.
Contributor
|
Thanks @ko-zu! We noticed this issue internally a few weeks ago, when our builds broke systemd. Looking into this was on my todo list, so you've solved a huge problem for me! I've opened up Issue #2865 to add a test case for this, so we don't regress in the future. We'll make sure to do it before our next release. |
terrelln
added a commit
to terrelln/zstd
that referenced
this pull request
Nov 30, 2021
Adds a test for PR facebook#2857. Tests that libzstd.so doesn't have the exec-stack bit set using readelf. If the stack is marked executable systemd will refuse to link against zstd. We now test that it isn't set on every PR.
terrelln
added a commit
to terrelln/zstd
that referenced
this pull request
Nov 30, 2021
Tests that libzstd.so doesn't have the exec-stack bit set using readelf. If the stack is marked executable systemd will refuse to link against zstd. We now test that it isn't set on every PR. Adds a test for PR facebook#2857 Fixes Issue facebook#2865
terrelln
added a commit
to terrelln/zstd
that referenced
this pull request
Dec 1, 2021
Tests that libzstd.so doesn't have the exec-stack bit set using readelf. If the stack is marked executable systemd will refuse to link against zstd. We now test that it isn't set on every PR. Adds a test for PR facebook#2857 Fixes Issue facebook#2865
felixhandte
added a commit
to felixhandte/zstd
that referenced
this pull request
Dec 30, 2021
Apparently, even when the assembly file is empty (because `ZSTD_ENABLE_ASM_X86_64_BMI2` is false), it still is marked as possibly needing an executable stack and so the whole library is marked as such. This commit applies a simple patch for this problem by moving the noexecstack indication outside the macro guard. This commit builds on facebook#2857. This commit addresses facebook#2963.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Putting stack marking into every assembly file is required to indicate
that the stack does not need to be executable.
Executable flag on stack conflicts with some security measures, Systemd
MemoryDenyWriteExecute=yes for example.
The current dev branch produces libzstd.so that uses executable GNU_STACK on Linux amd64 machines. It makes some of systemd daemons crash as they cannot load the library because of systemd security option
MemoryDenyWriteExecute=yesThis executable stack makes systemd angry. Systemd has a security option
MemoryDenyWriteExecute=yesthat blocks memory allocation with writable and executable flags on.To emulate the option, on ubuntu 21.10,