Executable stacks in ocaml

Executable stacks in ocaml

[Alexandre Buisse]

[-- Attachment #1: Type: text/plain, Size: 477 bytes --]

Hi,

I am one of the gentoo maintainers of ocaml and we had a couple of QA
reports saying that binaries produced by ocaml had the stack marked as
executable (I understand this is a problem for hardened systems as it
can cause security issues).

Is there a way to tell ocaml to mark the stack as non-executable
or is it part of the compiler design and thus can't be changed?

Thanks,
/Alexandre
-- 
Hi, I'm a .signature virus! Please copy me in your ~/.signature.

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [Caml-list] Executable stacks in ocaml

[Xavier Leroy]

> I am one of the gentoo maintainers of ocaml and we had a couple of QA
> reports saying that binaries produced by ocaml had the stack marked as
> executable (I understand this is a problem for hardened systems as it
> can cause security issues).
>
> Is there a way to tell ocaml to mark the stack as non-executable
> or is it part of the compiler design and thus can't be changed?

I wasn't familiar with this "executable stack" business, but a bit of
searching led to this useful page at Gentoo which you might know already:
http://www.gentoo.org/proj/en/hardened/gnu-stack.xml

The brief answer is that no part of OCaml executes code located in the
stack, especially not the assembly code generated by ocamlopt.

The issue, if I understand correctly, is to inform the assembler
and/or linker of this fact.  The page above lists several approaches,
all of which seem to be applicable to OCaml, but some need more
patching than other.  You're welcome to explore the options on your
own and let us (caml@inria.fr) know of your conclusions.

- Xavier Leroy