security: Build with non-executable stacks #37885
Cockroach currently fails on SELinux (with default configurations) because it attempts to mmap a region of memory with PROT_WRITE and PROT_EXEC. Preliminary investigation shows that this is memory used for the stack.
According to this page (from 2011, don't know if it's still accurate), the executable bit for the stack is controlled by a link-time option. Somewhere in our build toolchain, that's not getting set correctly.
This was a fun/frustrating one to chase down.
History: When the ability to mark stack memory as non-executable was introduced, GCC adopted it conservatively. Each object file must be marked as OK for use with a non-executable stack, or else the entire binary would be marked as requiring an executable stack. (This is a case where the default should really be flipped, but there's a lot of inertia for these things).
Most compilers now set the "needs executable stack" bit on their object files automatically (usually to false, but certain dynamic features might cause it to be set to true). The major exception is assembly: any
How was cockroach getting marked as needing an executable stack? The
The culprit turns out to be the empty file introduced in #22244 (cc @petermattis). The presence of this assembly file, in addition to allowing us to perform unseemly hacks with the
There's a simple fix, to add the
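A check for the condition this thread describes, as an added example (not code from the cockroach repository): it reads the PT_GNU_STACK program header that the linker emits, which is what the kernel consults when deciding whether to map the stack PROT_EXEC. It assumes a 64-bit little-endian ELF and falls back to a constructed sample image when no path is given.

```python
"""Report whether an ELF binary requests an executable stack (added example)."""
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header type carrying the stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def gnu_stack_flags(elf: bytes):
    """Return p_flags of the PT_GNU_STACK header, or None if the binary has none.

    Only 64-bit little-endian ELF is handled. A missing PT_GNU_STACK header is
    treated by the kernel as "stack must be executable", so None is reported
    separately rather than folded into 0.
    """
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF file")
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return p_flags
    return None


def needs_exec_stack(elf: bytes) -> bool:
    """True when the stack would be mapped PROT_EXEC (the SELinux failure mode above)."""
    flags = gnu_stack_flags(elf)
    return flags is None or bool(flags & PF_X)


def build_sample_elf(p_flags=None) -> bytes:
    """Constructed minimal ELF64 image for testing: one PT_GNU_STACK header with
    the given flags, or no program headers at all when p_flags is None."""
    ehdr = bytearray(64)
    ehdr[:8] = b"\x7fELF" + bytes([2, 1, 1, 0])  # ELFCLASS64, little-endian, EV_CURRENT
    struct.pack_into("<Q", ehdr, 32, 64)  # e_phoff: program headers follow the header
    struct.pack_into("<HH", ehdr, 54, 56, 0 if p_flags is None else 1)  # e_phentsize, e_phnum
    if p_flags is None:
        return bytes(ehdr)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, p_flags, 0, 0, 0, 0, 0, 16)
    return bytes(ehdr) + phdr


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_elf(PF_R | PF_W | PF_X)  # constructed "RWE" sample
    flags = gnu_stack_flags(data)
    print("PT_GNU_STACK flags:", "missing" if flags is None else format(flags, "#x"))
    print("needs executable stack:", needs_exec_stack(data))
```

On a real build the same information is what `readelf -lW <binary> | grep GNU_STACK` prints; `RWE` there means the linker found at least one object without a `.note.GNU-stack` section.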