executable stack #10513

@jkroonza

Non-executable stack is only enforced during release builds.

Under what circumstances would not enforcing noexecstack not be beneficial?

Compiler flags:
```
C               -O2 -march=native -pipe -Wall -D__FLB_FILENAME__=__FILE__ -Wl,-z,relro,-z,now -Wl,-z,noexecstack -fstack-protector -D_FORTIFY_SOURCE=1
C++             -O2 -march=native -pipe
```

I don't see C++ code so this is probably OK.

But should not the nonexecutable stack be enforced always, rather than only for release builds?

In most projects I work with the stack is non-executable by default, so I'm guessing the real question is what's causing the stack to be marked executable in the first place such that an override linker option is required in the first place?

https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart#Causes_of_executable_stack_markings

Contains additional information.

From what I can tell, it looks like the WASM build system is causing the stack to be marked non-executable in the first place:

```
.../fluent-bit-4.0.3 # scanelf -qeR .
RWX --- ---  ./lib/wasm-micro-runtime-WAMR-1.3.3/test-tools/IoT-APP-Store-Demo/wasm_django/static/upload/simple
RWX --- ---  ./lib/wasm-micro-runtime-WAMR-1.3.3/test-tools/IoT-APP-Store-Demo/wasm_django/static/upload/wasm_runtime_wgl
```
