24

I have just noticed that my simple program has its data and stack segments executable. I saw it in /proc/[pid]/maps, and simple code confirmed it.

For example:

; prog.asm
section .data
    code:   db 0xCC    ;int3

section .text
global _start
_start:
    jmp    code

    mov    rax, 60    ; sys_exit
    mov    rdi, 0
    syscall

then

nasm -f elf64 prog.asm
ld -o prog prog.o
./prog

causes prog to execute int3 instruction.

Programs written in C and built with gcc have their data, stack and heap non-executable, so why those written in assembly behave in a different manner?

Improve this question

1 Answer 1

Reset to default
25

On modern Linux systems, the linker will mark stack/data non-executable IFF all objects that participate in the link have a special "marker" section .note.GNU-stack.

If you compile e.g. int foo() { return 1; } into assembly (with gcc -S foo.c), you'll see this:

    .section    .note.GNU-stack,"",@progbits

For nasm, the syntax is shown in section 8.9.2 of the manual; you want something like this:

 section .note.GNU-stack noalloc noexec nowrite progbits

Note

This has to be done for every .o file that goes into the executable. If any object file needs executable stack or data, then it's set for the entire segment.

Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

It works, thanks. Btw, I found this: link, and in section 7.9.2 "elf Extensions to the SECTION Directive" there is statement that section .data by default has noexec flag. But even writing noexec explicitly in code with section .data doesn't work. Strange.
Could you provide any source that documents the GNU_STACK behavior? I have seen that you can pass -z noexecstack to ld for it to have the same behavior... But isn't this a loader problem? the loader is mapping the .data section as executable when it clearly is marked as noexec.
@Marco: slightly more info at Unexpected exec permission from mmap when assembly files included in the project, including a link to the Linux kernel source.
Thanks. That provides some clarity. I think I understand the rationale of it: old elfs (before NX bit in modern archs), might depend on having executable data, as there was no way to disable it. So in order to detect "newer" elfs, the loader uses the executable stack feature. It's sad that nasm doesn't have a flag to add that automatically.
Note that the behavior recently changed for the linux kernel. With newer kernels the sections compiled with nasm will no longer be executable by default in x86_64. See commit

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.