Commit

Add note on PT_GNU_STACK on 32-bit x86
William Huhn noted during the C/C++ Compiler BP Call on 2024-09-19 that `PT_GNU_STACK` must be present on binaries on 32-bit x86 even on more recent kernels than 5.8 for the resulting process to benefit from execution prevention for program data, not only the stack.

Signed-off-by: Thomas Nyman <[email protected]>
thomasnyman committed Sep 19, 2024
1 parent 3ba1400 commit add26bb
Showing 1 changed file with 1 addition and 1 deletion.
Expand Up @@ -807,7 +807,7 @@ Consequently the `-Wl,-z,noexecstack` option works best when combined with appro

Modern compilers perform this marking automatically through the `p_flags` field in the `PT_GNU_STACK` program header entry and the linker consults the entries for consituent objects when deciding the marking for the produced binary. If the marking is missing the kernel or the dynamic linker needs to assume the binary might need executable stack.

In Linux prior to kernel version 5.8 a missing `PT_GNU_STACK` marking on x86_64 will also expose other readable pages (such as the program `.data` section) as executable[^Hernandez2013], not just their stack memory. While this behavior has since changed[^Cook2020], we recommend enabling `-Wl,-z,noexecstack` explicitly during linking to ensure produced binaries benefit from data execution prevention for both the stack and other program data as widely as possible and guarding against compatibility issues by using the [`-Wtrampolines`](#-Wtrampolines) in tandem when available.
In Linux prior to kernel version 5.8 a missing `PT_GNU_STACK` marking on x86_64 will also expose other readable pages (such as the program `.data` section) as executable[^Hernandez2013], not just their stack memory. While this behavior has since changed for x86_64[^Cook2020], we recommend enabling `-Wl,-z,noexecstack` explicitly during linking to ensure produced binaries benefit from data execution prevention for both the stack and other program data as widely as possible and guarding against compatibility issues by using the [`-Wtrampolines`](#-Wtrampolines) in tandem when available. For example, binaries on 32-bit x86 architectures must be equipped with a `PT_GNU_STACK` marking to benefit from data execution prevention for stack and other program data even on more recent Linux kernel versions.

[^gcc-trampolines]: GCC team, [Support for Nested Functions.](https://gcc.gnu.org/onlinedocs/gccint/Trampolines.html), GCC Internals, 2023-07-27.
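
Review bot: The new closing sentence of the changed paragraph ("For example, binaries on 32-bit x86 architectures must be equipped with a `PT_GNU_STACK` marking ...") states kernel behaviour without a footnote, while the two x86_64 claims just before it cite [^Hernandez2013] and [^Cook2020]; the commit message sources it only to a remark made on a call. Please add a reference a reader can check, or reuse [^Cook2020] if that source also covers the 32-bit case. "For example" also reads oddly here, because the sentence gives the reason for the recommendation rather than an instance of it; "In particular," or placing the sentence before "we recommend enabling ..." would fit better. The opening sentence still says only "on x86_64" for kernels prior to 5.8, so it would help to state there whether 32-bit x86 behaved the same way.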
