Validate that ELF objects request a non-executable stack #1070

Merged
jjhelmus merged 2 commits into main from geofft/validate-noexecstack on Apr 13, 2026

@geofft
Collaborator

@geofft geofft commented Mar 29, 2026

Closes #1069.

@jjhelmus
Contributor

llvm/llvm-project#186004 will cause object files assembled with LLVM 22 to fail this check.
These could be post-processed with objcopy to add the section. Another option is to limit this check to only the ELF objects in the install directory or potentially just python and libpython.

@geofft
Collaborator Author

geofft commented Mar 30, 2026

Yeah, I also missed the distinction between executables/libraries which have the PT_GNU_STACK program headers, and intermediate objects that have the section but no program headers (at all). I'll make this check conditional on final objects (ET_EXEC or ET_DYN, I think), and we can defer checking .o files to later.

@jjhelmus
Contributor

LGTM. Should we validate this on other architectures before merging?

@geofft
Collaborator Author

geofft commented Mar 31, 2026

I was gonna pay attention to CI post-merge and then open a new PR to do -Wl,-z,noexecstack if there are any failures. Lemme know if that seems too risky :)

@jjhelmus
Contributor

Watching the post merge for failures is reasonable.
Merging. I will keep an eye out for failures. Thanks.

@jjhelmus jjhelmus merged commit e7a7f46 into main Apr 13, 2026
24 checks passed
@jjhelmus jjhelmus deleted the geofft/validate-noexecstack branch April 13, 2026 14:38
@jjhelmus
Contributor

riscv64 builds are failing verification.

python/install/lib/thread3.0.4/libtcl9thread3.0.4.so missing PT_GNU_STACK header (defaults to executable stack)

https://github.com/astral-sh/python-build-standalone/actions/runs/24349377629/job/71099408609

I'm taking a look

@jjhelmus
Contributor

Confirmed the missing GNU_STACK header in the riscv64 builds, mostly in Tcl/Tk related libraries, locally. This is not new, the header is missing in an older (20251010) release as well.

Adding in an explicit flag to avoid this should be done, if too much work this test can be skipped on the architecture. I'll prepare both after lunch.
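
Added example, not code from this PR or from python-build-standalone: a Python version of the check discussed above, limited to final objects (ET_EXEC or ET_DYN) and reporting either a missing PT_GNU_STACK program header, as in the riscv64 failure message, or one with the execute flag set. The function names, the "truncated" and "requests an executable stack" messages, and the `make_elf64` sample builder are assumptions; the ELF images it produces are constructed samples.

```python
import struct

ET_EXEC, ET_DYN = 2, 3        # final objects; ET_REL (.o) is 1
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X = 0x1

def stack_finding(data: bytes):
    """Return a finding string, or None when the stack is non-executable
    or the input is not a final ELF object (ET_EXEC / ET_DYN)."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        return None
    is64 = data[4] == 2                  # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian
    if len(data) < (64 if is64 else 52):
        return "truncated ELF header"
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    if e_type not in (ET_EXEC, ET_DYN):
        return None                      # .o files carry no program headers
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        flags_off = 4                    # Elf64_Phdr: p_flags follows p_type
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        flags_off = 24                   # Elf32_Phdr: p_flags is the 7th word
    for i in range(phnum):
        off = e_phoff + i * phentsize
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type != PT_GNU_STACK:
            continue
        (p_flags,) = struct.unpack_from(end + "I", data, off + flags_off)
        if p_flags & PF_X:
            return "PT_GNU_STACK requests an executable stack"
        return None
    return "missing PT_GNU_STACK header (defaults to executable stack)"

def make_elf64(e_type, phdrs):
    """Constructed sample: little-endian ELF64 header (EM_RISCV) followed by
    program headers given as (p_type, p_flags); no segment contents."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 0xF3, 1, 0, 64, 0, 0, 64, 56,
        len(phdrs), 0, 0, 0)
    return ehdr + b"".join(
        struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
```
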

jjhelmus added a commit to jjhelmus/python-build-standalone that referenced this pull request Apr 13, 2026
Explicitly disable an executable stack on all Linux targets, even when
cross-compiling.

Follow up to test failures caused by astral-sh#1070
jjhelmus added a commit that referenced this pull request Apr 14, 2026
Explicitly disable an executable stack on all Linux targets, even when
cross-compiling.

Follow up to test failures caused by #1070

---------

Co-authored-by: Geoffrey Thomas <geofft@ldpreload.com>