Bugzilla Bug 153382

$ cat hello.ml 
print_string "Hello world!\n";;
$ ocamlopt -o hello hello.ml 
$ ./hello 
Hello world!
$ scanelf -a hello
 TYPE    PAX   STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_EXEC ---xe- RWX --- RW-    -      -   LAZY hello 

i know nothing about ocaml so i dont really know where to start looking for the
problem (the problem being that the stack is marked with +X)

*** Bug 134402 has been marked as a duplicate of this bug. ***

As far as I know, the compiler is doing that by design, and there is no way to
"fix" it.

why dont you actually ask upstream first

I was refering to bug #120832, since ocaml compiles itself and I assume mattam
knows what he talks about. I'll post to the caml-list though, asking for
clarifications.

*** Bug 116586 has been marked as a duplicate of this bug. ***

So, I've asked upstream here :
http://caml.inria.fr/pub/ml-archives/caml-list/2006/11/d84db6c6073041b79a6005ff66328d24.en.html

Their answer, which should appear shortly on the archives, was that they were
just unaware of the executable stacks problems and that we are welcome to help
them fix it.
I've taken a quick look at the compiler code and the ASM generation seems to
happen in the file ocaml-3.09.3/asmcomp/i386/emit.mlp. We can easily add some
asm at the end of the generated file, in the function end_assembly, and I can
deal with the ocaml syntax, but I'm not very sure of what exactly I should add,
since it's none of the options discussed in
http://www.gentoo.org/proj/en/hardened/gnu-stack.xml

Thanks for any help

that's because that file is written in OCAML it looks like :)

i dont know OCAML, but i think you want to add a match for Config.system to
"linux_elf" and have that output ` .section .note.GNU-stack,"",%progbits\n';
... prob be best if you place it at the top of the end_assembly() function so
that it appears before the .text section and you dont have to worry about
saving/restoring section names ...

btw, this should be done for every arch, not just i386

Created an attachment (id=101059) [edit]
Patch for i386

Thanks to julien cristau, I have been able to make a small patch that seems to
solve the issue here, for i386 archs. Before sending it upstream, I'm waiting
for some review and I'm also wondering about other archs. Is the code snippet
for gnu as valid on all of them? If so, it will be trivial to patch all of
them.

i dont really think you want to go changing .s to .S ... that could easily have
unintended consequences

since Config.system already reports linux_elf, there is no need to go checking
the __ELF__ preprocessor ... also, we want this section marking only on linux,
not for all elf systems

proper exec stack markings are valid for anything that runs under the linux
kernel

Created an attachment (id=101061) [edit]
Patch for all archs

Sorry, I hadn't seen your answer. Here comes a new patch that basically does
the same modification for every arch. I haven't tested it on any other arch
than i386, though. I've also moved .note.GNU-stack to the beginning of
end_assembly, as you advised.

$ echo "print_string \"prout\n\"" > prout.ml
$ ocamlopt -S -verbose -dstartup -o prout prout.ml             
+ as -o 'prout.o' 'prout.S'
+ as -o '/tmp/camlstartupd95ee8.o' '/tmp/camlstartup754e7c.S'
+ gcc   -o 'prout' -I'/usr/lib/ocaml'  '/tmp/camlstartupd95ee8.o'
'/usr/lib/ocaml/std_exit.o' 'prout.o' '/usr/lib/ocaml/stdlib.a' 
'-L/usr/lib/ocaml'  '/usr/lib/ocaml/libasmrun.a' -lm  -ldl
$  scanelf -e prout                                              
 TYPE   STK/REL/PTL FILE 
ET_EXEC RW- --- RW- prout


I'll send the patch upstream if it's ok with you.

Created an attachment (id=101063) [edit]
Patch for all archs

Oops, I had used >> instead of > for creating the patch. Corrected now.

you're still doing __ELF__ though instead of checking Config.system for
"linux_elf"

Created an attachment (id=101131) [edit]
Revised version of the patch

New version which doesn't change .s to .S and relies on Config.system instead.
Also valid for all archs (untested elsewhere than i386 though).
I tried to avoid code duplication in asmcomp/${arch}/emit.mlp but it looks like
asm can be added directly only in .mlp files since they are preprocessed during
compilation.

afaictl, that one looks good ... this is of course assuming that all
architectures dont actually leverage executable stacks ;)

i'd send that one upstream and see what they think

Created an attachment (id=101142) [edit]
Patch sent upstream

Here is the last version which I sent upstream. Diff is some archs dropped
(mips and power-aix/power-rhapsody) plus different values of Config.system
depending on the given arch.

I hope it'll be included in the next release and we won't have to patch it
ourselves.

*** Bug 158035 has been marked as a duplicate of this bug. ***

*** Bug 168538 has been marked as a duplicate of this bug. ***

Small update of this bug: I spoke to Xavier Leroy, the main maintainer of
ocaml, and he said that this patch would probably be included for x86/amd64 in
the next release of ocaml, but not on other arches, since they lack proper
hardware for extensive testing. He also said that the patch looked ok.

*** Bug 188733 has been marked as a duplicate of this bug. ***

ocaml-3.10.0 still has this problem... :(
Was the patch applied upstream? If so, it doesn't work here.

Portage 2.1.3.5 (default-linux/x86/2007.0/desktop, gcc-4.2.0, glibc-2.6.1-r0,
2.6.22-gentoo-r2 i686)
=================================================================
System uname: 2.6.22-gentoo-r2 i686 Intel(R) Pentium(R) 4 CPU 3.00GHz
Gentoo Base System release 2.0.0_rc2
Timestamp of tree: Mon, 13 Aug 2007 14:20:01 +0000
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632)
[disabled]
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/sandbox:    1.2.18.1
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17.50.0.18
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.22-r2
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/revdep-rebuild
/etc/splash /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache distlocks metadata-transfer parallel-fetch sandbox sfperms
strict unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.ing.unibo.it/gentoo/                 
ftp://ftp.unina.it/pub/linux/distributions/gentoo/                 
http://gentoo.osuosl.org/"
LANG="it_IT.UTF-8"
LC_ALL="it_IT.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed"
LINGUAS="it"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/pesa"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi adns alsa audiofile avahi bash-completion berkdb
bitmap-fonts bzip2 cairo caps cddb cdinstall cdparanoia cdr cli cracklib crypt
cups curl curlwrappers dbus dri dts dv dvd dvdr dvdread emacs emboss encode evo
exif expat fam fbcon ffmpeg fftw firefox flac ftp gd gdbm gif glut gnutls gpm
graphviz hal iconv idn ieee1394 imagemagick imlib innodb isdnlog jabber jack
javascript jbig jpeg jpeg2k kde kdeenablefinal kdexdeltas lcms ldap
libsamplerate mad matroska midi mikmod mmap mmx mng mp3 mpeg mplayer msn
mudflap mule musepack musicbrainz mysql mysqli ncurses nls nptl nptlonly
nsplugin ocaml offensive ogg opengl openmp oss pam pcre pdf png pppd pulseaudio
python qt3 qt3support qt4 quicktime readline reflection ruby samba sasl sdl
session slang sndfile snmp socks5 speex spell spl sqlite sqlite3 sse sse2 ssl
svg tcpd tetex theora threads tiff truetype truetype-fonts type1-fonts unicode
vcd vorbis win32codecs wmf x264 x86 xcomposite xine xml xorg xosd xpm xv xvid
zlib" ALSA_CARDS="intel8x0" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare
dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw
multi null plug rate route share shm softvol" ELIBC="glibc"
INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz
cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="it"
USERLAND="GNU" VIDEO_CARDS="nvidia nv vesa"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, PORTAGE_COMPRESS,
PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

If upstream approved of the patch, maybe we could just patch the beast
downstream, remind upstream of the patch (possibly by re-submitting it) and be
happy ever after? ;)

I've just wasted hours on an ebuild till I thought of searching our own
Bugzilla... :)

this had been fixed starting from ocaml-3.09.3-r1

about 3.10.0, this was due to a wrong check on x86 thus it was still not
outputing the noxecstack stuff there (and has been fixed afterwards).