[AMDGPU] Linking with FatBinary files disables stack execution protection

[AngryLoki]

After constructGenerateObjFileFromHIPFatBinary at https://github.com/llvm/llvm-project/blob/main/clang/lib/Driver/ToolChains/HIPUtility.cpp#L137, llvm-mc is used to generate an object file, which is linked into an executable/library file as a part of hipcc -> clang -> ld chain call. And as mcin file has no GNU-stack section, the entire library gets marked for an executable stack[1].

I discovered this as a result of warning in Gentoo[2], as a chain for rccl-5.7.1 compilation. The whole chain there is hipcc -> clang 17.0.3 -> [clang-offload-bundler + lld + llvm-mc + x86_64-pc-linux-gnu-ld.bfd], which eventually completes with

/usr/bin/x86_64-pc-linux-gnu-ld.bfd: warning: /tmp/bootstrap-29289b.o: missing .note.GNU-stack section implies executable stack
/usr/bin/x86_64-pc-linux-gnu-ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker

The following files contain writable and executable sections
...
RWX --- --- usr/lib64/librccl.so.1.0

I hope this describes the issue clear enough; attaching compilation log (huge!) won't help, because underlying commands are not even visible there (but visible with -###).

I can additionally mention, that ROCm/clr#22 has similar issue: mcin file includes fatbin, the difference is that they use cmake to generate mcin file (I understand that the problem in clr is separate, but it is thematically related).

Could you add .note.GNU-stack in constructGenerateObjFileFromHIPFatBinary or provide any other solution? Thanks!

[1] https://wiki.ubuntu.com/SecurityTeam/Roadmap/ExecutableStacks
[2] https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart

[littlewu2508]

Reviewer of https://reviews.llvm.org/D78759 (which introduces https://github.com/llvm/llvm-project/blob/main/clang/lib/Driver/ToolChains/HIPUtility.cpp#L137), @yxsamliu, can you please take a look at this?

[llvmbot]

@llvm/issue-subscribers-backend-amdgpu

Author: None (AngryLoki)

After `constructGenerateObjFileFromHIPFatBinary` at https://github.com/llvm/llvm-project/blob/main/clang/lib/Driver/ToolChains/HIPUtility.cpp#L137, llvm-mc is used to generate an object file, which is linked into an executable/library file as a part of hipcc -> clang -> ld chain call. And as mcin file has no GNU-stack section, the entire library gets marked for an executable stack[1].

I discovered this as a result of warning in Gentoo[2], as a chain for rccl-5.7.1 compilation. The whole chain there is hipcc -> clang 17.0.3 -> [clang-offload-bundler + lld + llvm-mc + x86_64-pc-linux-gnu-ld.bfd], which eventually completes with

/usr/bin/x86_64-pc-linux-gnu-ld.bfd: warning: /tmp/bootstrap-29289b.o: missing .note.GNU-stack section implies executable stack
/usr/bin/x86_64-pc-linux-gnu-ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker

The following files contain writable and executable sections
...
RWX --- --- usr/lib64/librccl.so.1.0

I hope this describes the issue clear enough; attaching compilation log (huge!) won't help, because underlying commands are not even visible there (but visible with -###).

I can additionally mention, that ROCm/clr#22 has similar issue: mcin file includes fatbin, the difference is that they use cmake to generate mcin file (I understand that the problem in clr is separate, but it is thematically related).

Could you add .note.GNU-stack in constructGenerateObjFileFromHIPFatBinary or provide any other solution? Thanks!

[1] https://wiki.ubuntu.com/SecurityTeam/Roadmap/ExecutableStacks
[2] https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart

[yxsamliu]

Thanks for reporting the issue. I will fix it.

[llvmbot]

@llvm/issue-subscribers-clang-driver

Author: None (AngryLoki)

After `constructGenerateObjFileFromHIPFatBinary` at https://github.com/llvm/llvm-project/blob/main/clang/lib/Driver/ToolChains/HIPUtility.cpp#L137, llvm-mc is used to generate an object file, which is linked into an executable/library file as a part of hipcc -> clang -> ld chain call. And as mcin file has no GNU-stack section, the entire library gets marked for an executable stack[1].

I discovered this as a result of warning in Gentoo[2], as a chain for rccl-5.7.1 compilation. The whole chain there is hipcc -> clang 17.0.3 -> [clang-offload-bundler + lld + llvm-mc + x86_64-pc-linux-gnu-ld.bfd], which eventually completes with

/usr/bin/x86_64-pc-linux-gnu-ld.bfd: warning: /tmp/bootstrap-29289b.o: missing .note.GNU-stack section implies executable stack
/usr/bin/x86_64-pc-linux-gnu-ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker

The following files contain writable and executable sections
...
RWX --- --- usr/lib64/librccl.so.1.0

I hope this describes the issue clear enough; attaching compilation log (huge!) won't help, because underlying commands are not even visible there (but visible with -###).

I can additionally mention, that ROCm/clr#22 has similar issue: mcin file includes fatbin, the difference is that they use cmake to generate mcin file (I understand that the problem in clr is separate, but it is thematically related).

Could you add .note.GNU-stack in constructGenerateObjFileFromHIPFatBinary or provide any other solution? Thanks!

[1] https://wiki.ubuntu.com/SecurityTeam/Roadmap/ExecutableStacks
[2] https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart