ZeroTierOne icon indicating copy to clipboard operation
ZeroTierOne copied to clipboard
verified publisher icon zerotier

Please compile binaries without executable stack

Open LaurentBonnaud opened this issue 5 years ago • 5 comments

Is your feature request related to a problem? Please describe.

I checked if the zerotier-one binary has an executable stack and found the following:

$ execstack /usr/sbin/zerotier-one
X /usr/sbin/zerotier-one

Another way to see the problem is to look at the zerotier process:

# cat /proc/$(pidof zerotier-one)/maps | grep stack
7ffffa909000-7ffffa93a000 rwxp 00000000 00:00 0                          [stack]

Describe the solution you'd like

Compile the binary with a non-executable stack. Main Linux distributions have done this work many years ago and recent toolchains do this by default. So recompiling on a recent distribution should be enough.

Describe alternatives you've considered

Compiling zerotier-one oneself without executable stack is possible, but

  • few people will do it
  • it is more difficult to update the software
  • when reporting bugs it is better to rely on the same binaries as the developer

LaurentBonnaud avatar Apr 09 '20 10:04 LaurentBonnaud

The problem still exists in version 1.6.0 of zerotier.

LaurentBonnaud avatar Nov 21 '20 10:11 LaurentBonnaud

This is a pretty old ticket but I'm curious: Would execstack -c zerotier-one after compilation have the same effect as linking with the flag not set?

$ execstack zerotier-one
X zerotier-one
$ execstack -c zerotier-one
$ execstack zerotier-one
- zerotier-one

joseph-henry avatar Apr 12 '22 05:04 joseph-henry

Yes it does. I get the same result on my systems. And restarting the service no longer causes the kernel to log this message:

# dmesg | grep zerotier
[   34.395362] process '/usr/sbin/zerotier-one' started with executable stack

LaurentBonnaud avatar Apr 14 '22 14:04 LaurentBonnaud

Hi,

this execstack problem still exists with the latest package version for Ubuntu 22.04/jammy:

Package: zerotier-one
Version: 1.8.9

LaurentBonnaud avatar May 02 '22 09:05 LaurentBonnaud

I encountered this today with 1.10 when trying to build for OpenSUSE Tumbleweed using their OBS. Rpmlint was not letting the builds succeed with executable stack.

The error:

[  250s] zerotier-one.x86_64: E: executable-stack (Badness: 10000) /usr/sbin/zerotier-one
[  250s] The binary declares the stack as executable. Executable stack is usually an
[  250s] error as it is only needed if the code contains GCC trampolines or similar
[  250s] constructs which uses code on the stack. One common source for needlessly
[  250s] executable stack cases are object files built from assembler files which don't
[  250s] define a proper .note.GNU-stack section.

I found a workaround, by adding ZT_USE_X64_ASM_ED25519=0 and ZT_USE_X64_ASM_SALSA=0 as make parameters. Only using 1 of them did not work for me.

I found this by comparing the output between the i586 builds and the x86_64 ones, because the i586 builds were working.

Edited with more details.

jason-kurzik avatar Jun 21 '22 00:06 jason-kurzik

FWIW I've packaged 1.10.1 at https://build.opensuse.org/package/show/home:aredridel/zerotier-one by using execstack -c on the binary

aredridel avatar Sep 29 '22 04:09 aredridel