From 3ae218a6d902f419daec38f50ada7dd039fb742f Mon Sep 17 00:00:00 2001
From: Xavier Leroy <xavier.leroy@college-de-france.fr>
Date: Tue, 20 Aug 2024 09:29:44 +0200
Subject: [PATCH] Mark stack as non-executable in binaries produced by ccomp

On Linux and BSD, add "stack not executable" annotations to every asm file
produced by ccomp or hand-written in the runtime support library.

Left for future work: adding the annotation to runtime/powerpc*/*.s .
(These files are not preprocessed, and must remain compatible with Diab.)
---
 backend/PrintAsm.ml       | 1 +
 backend/PrintAsmaux.ml    | 9 +++++++++
 runtime/aarch64/sysdeps.h | 4 ++++
 runtime/arm/sysdeps.h     | 4 ++++
 runtime/riscV/sysdeps.h   | 3 +++
 runtime/x86_32/sysdeps.h  | 2 ++
 runtime/x86_64/sysdeps.h  | 2 ++
 7 files changed, 25 insertions(+)

diff --git a/backend/PrintAsm.ml b/backend/PrintAsm.ml
index 514f3d32..18bedd4f 100644
--- a/backend/PrintAsm.ml
+++ b/backend/PrintAsm.ml
@@ -210,6 +210,7 @@ let print_program oc p =
   List.iter (Printer.print_globdef oc) p.prog_defs;
   Target.print_epilogue oc;
   Printer.print_ais_annot oc;
+  print_nonexec_stack_note oc;
   if !Clflags.option_g then
     begin
       let atom_to_s s =
diff --git a/backend/PrintAsmaux.ml b/backend/PrintAsmaux.ml
index 0bcc94cd..8ee8e2ca 100644
--- a/backend/PrintAsmaux.ml
+++ b/backend/PrintAsmaux.ml
@@ -355,3 +355,12 @@ let macos_mergeable_string_section sz =
   | 0 | 2 | 4 -> ".const"
   | 1 -> ".cstring"
   | _ -> assert false
+
+(** Marking the stack as non executable *)
+
+let print_nonexec_stack_note oc =
+  match Configuration.system with
+  | "linux" | "bsd" ->
+      output_string oc "\n\t.section .note.GNU-stack,\"\",%progbits\n"
+  | _ ->
+      ()
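Review bot: `print_nonexec_stack_note` has no doc comment of its own; the `(** Marking the stack as non executable *)` line above it reads as a section heading and says neither why the directive is needed nor what it does to the printer state. I would add something like `(** Emit an empty .note.GNU-stack section so that this object does not request an executable stack at link time; leaves .note.GNU-stack as the current section. *)`. The `| _ -> ()` arm silently skips every other value of `Configuration.system`, so a short why-comment there would tell a reader whether those systems are skipped because they are not ELF or because their toolchain does not honour the note. The choice of `%progbits` over `@progbits` looks deliberate (presumably because `@` starts a comment in ARM assembly) and deserves a word in the comment as well.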
diff --git a/runtime/aarch64/sysdeps.h b/runtime/aarch64/sysdeps.h
index b098cf1c..4f050fbe 100644
--- a/runtime/aarch64/sysdeps.h
+++ b/runtime/aarch64/sysdeps.h
@@ -63,3 +63,7 @@ f:
 	.type f, @function; .size f, . - f
 
 #endif
+
+#if defined(SYS_linux) || defined(SYS_bsd)
+	.section .note.GNU-stack,"",%progbits
+#endif
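Review bot: The `.section .note.GNU-stack` directive added at the end of this header leaves the assembler in the note section for whatever follows the `#include`, so every including file must select a section before its first instruction or datum. The x86_32 and x86_64 hunks show `FUNCTION(f)` starting with `.text;`, but the corresponding macro for aarch64 is outside this hunk and cannot be checked from here; the arm, riscV, x86_32 and x86_64 hunks share the same dependency. Following the directive with `.previous` would make the header self-contained, or a comment such as `/* Changes the current section: emit code only through FUNCTION() */` would at least document the dependency. Running `readelf -lW` on a linked binary and checking that the `GNU_STACK` segment is flagged `RW` rather than `RWE` would confirm that the annotation reaches every runtime object.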
diff --git a/runtime/arm/sysdeps.h b/runtime/arm/sysdeps.h
index 0c873f95..0906fa19 100644
--- a/runtime/arm/sysdeps.h
+++ b/runtime/arm/sysdeps.h
@@ -138,3 +138,7 @@ f:
 #define Reg3HI r7
 #define Reg3LO r6
 #endif
+
+#if defined(SYS_linux) || defined(SYS_bsd)
+	.section .note.GNU-stack,"",%progbits
+#endif
diff --git a/runtime/riscV/sysdeps.h b/runtime/riscV/sysdeps.h
index b95ca1b1..ca081dca 100644
--- a/runtime/riscV/sysdeps.h
+++ b/runtime/riscV/sysdeps.h
@@ -61,3 +61,6 @@ f:
 
 #endif
 
+#if defined(SYS_linux) || defined(SYS_bsd)
+	.section .note.GNU-stack,"",%progbits
+#endif
diff --git a/runtime/x86_32/sysdeps.h b/runtime/x86_32/sysdeps.h
index 973bbe2f..c22ed770 100644
--- a/runtime/x86_32/sysdeps.h
+++ b/runtime/x86_32/sysdeps.h
@@ -36,6 +36,8 @@
 
 #if defined(SYS_linux) || defined(SYS_bsd)
 
+	.section .note.GNU-stack,"",%progbits
+
 #define GLOB(x) x
 #define FUNCTION(f) \
 	.text; \
diff --git a/runtime/x86_64/sysdeps.h b/runtime/x86_64/sysdeps.h
index 9031d5d0..26fc7456 100644
--- a/runtime/x86_64/sysdeps.h
+++ b/runtime/x86_64/sysdeps.h
@@ -36,6 +36,8 @@
 
 #if defined(SYS_linux) || defined(SYS_bsd)
 
+	.section .note.GNU-stack,"",%progbits
+
 #define GLOB(x) x
 #define FUNCTION(f) \
 	.text; \
-- 
GitLab