$ cat hello.ml print_string "Hello world!\n";; $ ocamlopt -o hello hello.ml $ ./hello Hello world! $ scanelf -a hello TYPE PAX STK/REL/PTL TEXTREL RPATH BIND FILE ET_EXEC ---xe- RWX --- RW- - - LAZY hello i know nothing about ocaml so i dont really know where to start looking for the problem (the problem being that the stack is marked with +X)
*** Bug 134402 has been marked as a duplicate of this bug. ***
As far as I know, the compiler is doing that by design, and there is no way to "fix" it.
why dont you actually ask upstream first
I was refering to bug #120832, since ocaml compiles itself and I assume mattam knows what he talks about. I'll post to the caml-list though, asking for clarifications.
*** Bug 116586 has been marked as a duplicate of this bug. ***
So, I've asked upstream here : http://caml.inria.fr/pub/ml-archives/caml-list/2006/11/d84db6c6073041b79a6005ff66328d24.en.html Their answer, which should appear shortly on the archives, was that they were just unaware of the executable stacks problems and that we are welcome to help them fix it. I've taken a quick look at the compiler code and the ASM generation seems to happen in the file ocaml-3.09.3/asmcomp/i386/emit.mlp. We can easily add some asm at the end of the generated file, in the function end_assembly, and I can deal with the ocaml syntax, but I'm not very sure of what exactly I should add, since it's none of the options discussed in http://www.gentoo.org/proj/en/hardened/gnu-stack.xml Thanks for any help
that's because that file is written in OCAML it looks like :) i dont know OCAML, but i think you want to add a match for Config.system to "linux_elf" and have that output ` .section .note.GNU-stack,"",%progbits\n'; ... prob be best if you place it at the top of the end_assembly() function so that it appears before the .text section and you dont have to worry about saving/restoring section names ... btw, this should be done for every arch, not just i386
Created attachment 101059 [details, diff] Patch for i386 Thanks to julien cristau, I have been able to make a small patch that seems to solve the issue here, for i386 archs. Before sending it upstream, I'm waiting for some review and I'm also wondering about other archs. Is the code snippet for gnu as valid on all of them? If so, it will be trivial to patch all of them.
i dont really think you want to go changing .s to .S ... that could easily have unintended consequences since Config.system already reports linux_elf, there is no need to go checking the __ELF__ preprocessor ... also, we want this section marking only on linux, not for all elf systems proper exec stack markings are valid for anything that runs under the linux kernel
Created attachment 101061 [details, diff] Patch for all archs Sorry, I hadn't seen your answer. Here comes a new patch that basically does the same modification for every arch. I haven't tested it on any other arch than i386, though. I've also moved .note.GNU-stack to the beginning of end_assembly, as you advised. $ echo "print_string \"prout\n\"" > prout.ml $ ocamlopt -S -verbose -dstartup -o prout prout.ml + as -o 'prout.o' 'prout.S' + as -o '/tmp/camlstartupd95ee8.o' '/tmp/camlstartup754e7c.S' + gcc -o 'prout' -I'/usr/lib/ocaml' '/tmp/camlstartupd95ee8.o' '/usr/lib/ocaml/std_exit.o' 'prout.o' '/usr/lib/ocaml/stdlib.a' '-L/usr/lib/ocaml' '/usr/lib/ocaml/libasmrun.a' -lm -ldl $ scanelf -e prout TYPE STK/REL/PTL FILE ET_EXEC RW- --- RW- prout I'll send the patch upstream if it's ok with you.
Created attachment 101063 [details, diff] Patch for all archs Oops, I had used >> instead of > for creating the patch. Corrected now.
you're still doing __ELF__ though instead of checking Config.system for "linux_elf"
Created attachment 101131 [details, diff] Revised version of the patch New version which doesn't change .s to .S and relies on Config.system instead. Also valid for all archs (untested elsewhere than i386 though). I tried to avoid code duplication in asmcomp/${arch}/emit.mlp but it looks like asm can be added directly only in .mlp files since they are preprocessed during compilation.
afaictl, that one looks good ... this is of course assuming that all architectures dont actually leverage executable stacks ;) i'd send that one upstream and see what they think
Created attachment 101142 [details, diff] Patch sent upstream Here is the last version which I sent upstream. Diff is some archs dropped (mips and power-aix/power-rhapsody) plus different values of Config.system depending on the given arch. I hope it'll be included in the next release and we won't have to patch it ourselves.
*** Bug 158035 has been marked as a duplicate of this bug. ***
*** Bug 168538 has been marked as a duplicate of this bug. ***
Small update of this bug: I spoke to Xavier Leroy, the main maintainer of ocaml, and he said that this patch would probably be included for x86/amd64 in the next release of ocaml, but not on other arches, since they lack proper hardware for extensive testing. He also said that the patch looked ok.
*** Bug 188733 has been marked as a duplicate of this bug. ***
ocaml-3.10.0 still has this problem... :( Was the patch applied upstream? If so, it doesn't work here. Portage 2.1.3.5 (default-linux/x86/2007.0/desktop, gcc-4.2.0, glibc-2.6.1-r0, 2.6.22-gentoo-r2 i686) ================================================================= System uname: 2.6.22-gentoo-r2 i686 Intel(R) Pentium(R) 4 CPU 3.00GHz Gentoo Base System release 2.0.0_rc2 Timestamp of tree: Mon, 13 Aug 2007 14:20:01 +0000 distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled] ccache version 2.4 [enabled] dev-java/java-config: 1.3.7, 2.0.33-r1 dev-lang/python: 2.4.4-r4 dev-python/pycrypto: 2.0.1-r6 dev-util/ccache: 2.4-r7 sys-apps/sandbox: 1.2.18.1 sys-devel/autoconf: 2.13, 2.61-r1 sys-devel/automake: 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.17.50.0.18 sys-devel/gcc-config: 1.3.16 sys-devel/libtool: 1.5.24 virtual/os-headers: 2.6.22-r2 ACCEPT_KEYWORDS="x86 ~x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2 -march=prescott -pipe" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/bind" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/texmf/web2c" CXXFLAGS="-O2 -march=prescott -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="ccache distlocks metadata-transfer parallel-fetch sandbox sfperms strict unmerge-orphans userfetch userpriv usersandbox" GENTOO_MIRRORS="http://mirror.ing.unibo.it/gentoo/ ftp://ftp.unina.it/pub/linux/distributions/gentoo/ http://gentoo.osuosl.org/" LANG="it_IT.UTF-8" LC_ALL="it_IT.UTF-8" LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed" LINGUAS="it" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/portage/local/pesa" SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage" USE="X a52 aac acl acpi adns alsa audiofile avahi bash-completion berkdb bitmap-fonts bzip2 cairo caps cddb cdinstall cdparanoia cdr cli cracklib crypt cups curl curlwrappers dbus dri dts dv dvd dvdr dvdread emacs emboss encode evo exif expat fam fbcon ffmpeg fftw firefox flac ftp gd gdbm gif glut gnutls gpm graphviz hal iconv idn ieee1394 imagemagick imlib innodb isdnlog jabber jack javascript jbig jpeg jpeg2k kde kdeenablefinal kdexdeltas lcms ldap libsamplerate mad matroska midi mikmod mmap mmx mng mp3 mpeg mplayer msn mudflap mule musepack musicbrainz mysql mysqli ncurses nls nptl nptlonly nsplugin ocaml offensive ogg opengl openmp oss pam pcre pdf png pppd pulseaudio python qt3 qt3support qt4 quicktime readline reflection ruby samba sasl sdl session slang sndfile snmp socks5 speex spell spl sqlite sqlite3 sse sse2 ssl svg tcpd tetex theora threads tiff truetype truetype-fonts type1-fonts unicode vcd vorbis win32codecs wmf x264 x86 xcomposite xine xml xorg xosd xpm xv xvid zlib" ALSA_CARDS="intel8x0" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="it" USERLAND="GNU" VIDEO_CARDS="nvidia nv vesa" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
If upstream approved of the patch, maybe we could just patch the beast downstream, remind upstream of the patch (possibly by re-submitting it) and be happy ever after? ;) I've just wasted hours on an ebuild till I thought of searching our own Bugzilla... :)
this had been fixed starting from ocaml-3.09.3-r1 about 3.10.0, this was due to a wrong check on x86 thus it was still not outputing the noxecstack stuff there (and has been fixed afterwards).
