From: Xavier Leroy
Date: Thu, 02 Nov 2006 09:43:54 +0100
To: Alexandre Buisse
Cc: caml-list@inria.fr
Subject: Re: [Caml-list] Executable stacks in ocaml
Message-ID: <4549AFCA.80801@inria.fr>
In-Reply-To: <20061102002726.GA26031@ubik>

> I am one of the gentoo maintainers of ocaml and we had a couple of QA
> reports saying that binaries produced by ocaml had the stack marked as
> executable (I understand this is a problem for hardened systems as it
> can cause security issues).
>
> Is there a way to tell ocaml to mark the stack as non-executable
> or is it part of the compiler design and thus can't be changed?

I wasn't familiar with this "executable stack" business, but a bit of
searching led to this useful page at Gentoo which you might know already:

    http://www.gentoo.org/proj/en/hardened/gnu-stack.xml

The brief answer is that no part of OCaml executes code located in the
stack, especially not the assembly code generated by ocamlopt. The issue,
if I understand correctly, is to inform the assembler and/or linker of
this fact.

The page above lists several approaches, all of which seem to be
applicable to OCaml, but some need more patching than others. You're
welcome to explore the options on your own and let us (caml@inria.fr)
know of your conclusions.

- Xavier Leroy