include noexecstack hardening flag on Linux#1064

Merged
jjhelmus merged 1 commit intoastral-sh:mainfrom
jjhelmus:noexecstack
Mar 29, 2026
Conversation

@jjhelmus
Contributor

Mark the stack memory as non-executable using the '-Wl,-z,noexecstack' flag on aarch64 and x86_64 linux platforms.

Other linux targets are cross-compiled; this flag is left off for the time being.

closes #1061

@jjhelmus jjhelmus requested review from geofft, indygreg and zanieb March 27, 2026 21:21
@jjhelmus
Contributor Author

jjhelmus commented Mar 27, 2026

Testing this locally confirms this addresses #1061

❯ execstack -q python/install/lib/libpython3.14.so
- python/install/lib/libpython3.14.so

This change does not address #956

@jjhelmus jjhelmus added the platform:linux Specific to the Linux platform label Mar 27, 2026
Collaborator

@indygreg indygreg left a comment

As a follow-up, please teach the ELF validation code to ensure that the stack isn't executable.

@jjhelmus jjhelmus merged commit 5bf3a6f into astral-sh:main Mar 29, 2026
1391 of 1393 checks passed
jjhelmus added a commit that referenced this pull request Mar 29, 2026
Remove -use-gnu-stack from the BOLT flags used to optimize CPython as it
incorrectly removes the PT_GNU_STACK segment causing glibc to default to
an executable stack, for example when creating a new thread.

This can be reverted when
llvm/llvm-project#174191 is fixed in LLVM

Should be applied after #1064 

closes #956
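The execstack check in the comment above, indygreg's request that the ELF validation code verify the stack is not executable, and the missing-PT_GNU_STACK condition described in the BOLT commit all reduce to one program-header lookup. The following is an added example written for this page, not code from python-build-standalone: it reads the ELF program headers in pure Python and classifies the stack; make_elf64 is a constructed test fixture, not a real binary.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program-header type that records stack permissions
PF_X = 0x1                 # "executable" bit in p_flags


def stack_status(data: bytes) -> str:
    """Classify an in-memory ELF image as 'nx', 'exec' or 'missing'.
    'missing' means no PT_GNU_STACK segment at all, the state the BOLT
    commit above describes (glibc then uses its own default permissions)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:    # ELF64: e_phoff at 0x20, e_phentsize/e_phnum at 0x36
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
    elif ei_class == 1:  # ELF32: e_phoff at 0x1C, e_phentsize/e_phnum at 0x2A
        (e_phoff,) = struct.unpack_from(endian + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2A)
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(endian + "I", data, off)
        # p_flags follows p_type in Elf64_Phdr but sits at +24 in Elf32_Phdr
        flags_off = off + 4 if ei_class == 2 else off + 24
        (p_flags,) = struct.unpack_from(endian + "I", data, flags_off)
        if p_type == PT_GNU_STACK:
            return "exec" if p_flags & PF_X else "nx"
    return "missing"


def check_file(path: str) -> str:
    """Same check against a file on disk, e.g. python/install/lib/libpython3.14.so."""
    with open(path, "rb") as f:
        return stack_status(f.read())


def make_elf64(phdrs):
    """Constructed test input: a minimal little-endian x86-64 ELF64 image whose
    only content is a program-header table built from (p_type, p_flags) pairs.
    It is not loadable; it exists only to exercise stack_status()."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8      # e_ident
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 0x3E, 1, 0, 64, 0, 0,
                        64, 56, len(phdrs), 64, 0, 0)
    phdr_table = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0)
                          for t, f in phdrs)
    return ehdr + phdr_table
```

A result of "nx" corresponds to the `- ` line execstack -q prints above; "exec" or "missing" is what a validation step would reject.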
@geofft
Collaborator

geofft commented Mar 29, 2026

This is fine, but I'd also like to track down why this is happening, if possible. Is it some assembly file somewhere?

@jjhelmus
Contributor Author

jjhelmus commented Mar 30, 2026

This is fine, but I'd also like to track down why this is happening, if possible. Is it some assembly file somewhere?

I should have included a mention of llvm/llvm-project#186004 in this issue and the commit message. It is discussed in #1061

LLVM 22 does not emit a .note.GNU-stack section when -Wa,--noexecstack is passed to the assembler. This has been fixed in the dev branch of llvm and I think has been or will be backported to LLVM 22.

@geofft
Collaborator

geofft commented Mar 30, 2026

Wait, why is this not relevant for cross-compiled targets?

@jjhelmus
Contributor Author

Wait, why is this not relevant for cross-compiled targets?

A non-executable stack is relevant for all targets, both native and cross, but the cross-compiled targets use gcc for compilation so should not be affected by the llvm bug.

That said, adding -Wl,-z,noexecstack to LDFLAGS on all Linux targets is a good idea.

Didah pushed a commit to bewellinnovations/python-build-standalone that referenced this pull request Apr 20, 2026
Didah pushed a commit to bewellinnovations/python-build-standalone that referenced this pull request Apr 20, 2026
Labels

platform:linux Specific to the Linux platform

Development

Successfully merging this pull request may close these issues.

20260320 builds seem to have executable-stack set on python shared library