There are still some programs that have executable stack regions, which results in their being vulnerable to exploitation via stack memory. There are only a few very rare situations where executable stacks are actually desired, the rest are usually the result of lacking flags in assembly code or using nested functions (which are generally avoidable).

When the linker (ld) performs linking, it marks the stack as executable based on the lowest common demoninator. For example, if everything is marked non-executable except one .o file, the entire library would get marked for an executable stack. In the case of a shared library, this would pollute any program it was loaded into. (The assembler assumes that unmarked .S files need an executable stack, and mark them accordingly.)

If a user is running a PAE kernel or has other NX-memory protections, they lose the ability to protect that program's stack memory from execution, leaving it open to potential unknown future vulnerabilities that might try to execute shellcode from stack memory.

  • Detection:

    • found on the system, check an ELF binary: "readelf -lW $BIN | grep GNU_STACK" shows with "E" flag.
    • found in a build, check a .o file: "readelf -SW $OBJ | grep GNU-stack" shows with "X" flag. (Or "scanelf -e $OBJ" shows an "X".)
  • Information: Gentoo write-up about exec stack handling: http://www.gentoo.org/proj/en/hardened/gnu-stack.xml

  • Potential Solutions:

    • fix assembly source by adding flags to assembler:
      • GNU as:

        #if defined(__linux__) && defined(__ELF__)
        .section        .note.GNU-stack, "", %progbits
      • YASM (be careful of builds that use yasm's "-f" to specific "elf64" or "elf32", which breaks the following test -- in that case just skip the ifidn/endif lines):

        %ifidn __OUTPUT_FORMAT__,elf
        section .note.GNU-stack noalloc noexec nowrite progbits
    • fix compiler's default when encountering unmarked assembly: -Wa,--noexecstack will change the behavior of compiler's asm-without-stack-markings defaults.

    • rework code to avoid using nested functions.
    • force markings into a safe state via "execstack -c $BINARY" during package build.

Main/Restricted Packages


  • None known


  • klibc (setjmp implementation)
  • kexec-tools (statically linked against klibc)
  • mono (but only in the i386 debugger, it seems)

Nested Functions

Uses Nested Functions which compiler generates as trampolines on the stack. Not allowed by ISO C.

  • grub
  • grub2 upstream bug (in progress upstream for 2.01 --cjwatson)

Unmarked Assembler

  • None known

Shipped Precompiled Binaries

  • None known

No Stack Section

  • memtest86+ (is a boot-loaded ELF, not a big deal)

Fixed Lucid Main/Restricted

Fixed Karmic Main/Restricted Packages

  • zip (umarked asm)

  • bogl (nested function)

  • link-grammar (nested function)

  • nss (unmarked asm)

  • icon (unmarked asm)

  • john (unmarked asm)

  • openjdk-6 (unmarked asm)

  • xvidcore (unmarked asm)

  • mountall (nested functions)

  • fglrx-installer (shipped precompiled binaries)

  • nvidia (shipped precompiled binaries)

    • nvidia-graphics-drivers-173
    • nvidia-graphics-drivers-180
    • nvidia-graphics-drivers-71
    • nvidia-graphics-drivers-96

Fedora Patches for universe packages

SecurityTeam/Roadmap/ExecutableStacks (last edited 2013-01-21 13:50:05 by cjwatson)