Mailing list for all users of the OCaml language and system.
From: Xavier Leroy <Xavier.Leroy@inria.fr>
To: Alexandre Buisse <nattfodd@gentoo.org>
Cc: caml-list@inria.fr
Subject: Re: [Caml-list] Executable stacks in ocaml
Date: Thu, 02 Nov 2006 09:43:54 +0100
Message-ID: <4549AFCA.80801@inria.fr>
In-Reply-To: <20061102002726.GA26031@ubik>

> I am one of the gentoo maintainers of ocaml and we had a couple of QA
> reports saying that binaries produced by ocaml had the stack marked as
> executable (I understand this is a problem for hardened systems as it
> can cause security issues).
>
> Is there a way to tell ocaml to mark the stack as non-executable
> or is it part of the compiler design and thus can't be changed?

I wasn't familiar with this "executable stack" business, but a bit of
searching led to this useful page at Gentoo which you might know already:
http://www.gentoo.org/proj/en/hardened/gnu-stack.xml

The brief answer is that no part of OCaml executes code located in the
stack, especially not the assembly code generated by ocamlopt.

The issue, if I understand correctly, is to inform the assembler
and/or linker of this fact.  The page above lists several approaches,
all of which seem to be applicable to OCaml, but some need more
patching than others.  You're welcome to explore the options on your
own and let us (caml@inria.fr) know of your conclusions.

- Xavier Leroy

