Bug#1101937: libvkd3d-shader1: vkd3d libraries have executable stack, with a comment indicating it might be unintended
Package: libvkd3d-shader1
Version: 1.2-15
Severity: normal
X-Debbugs-Cc: Giovanni Mascellani <gio@debian.org>, Elizabeth Figura <zfigura@codeweavers.com>, debian-wine@lists.debian.org

All of the VKD3D libraries (of which libvkd3d-shader1 is the
lowest-level) are marked as requiring an executable stack:

    $ podman run --rm -it debian:sid-slim
    # apt update
    # apt install binutils libvkd3d-utils1
    # readelf -l /usr/lib/*/libvkd3d*.so.1| grep -A1 GNU_STACK
      GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                     0x0000000000000000 0x0000000000000000  RWE    0x10
    --
      GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                     0x0000000000000000 0x0000000000000000  RWE    0x10
    --
      GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                     0x0000000000000000 0x0000000000000000  RWE    0x10

(the "E" indicates executable stack, you'd see "RW" for a typical shared
library)

This is sometimes necessary for self-modifying code, but it defeats some
security hardening measures. Since glibc 2.41, it also means that none
of the VKD3D libraries can be dlopen'd, unless the executable or one of
its DT_NEEDED dependencies *also* requests an executable stack.

This seems to have been introduced in commit 67a40fc5 "release 1.2-15"[0],
with this comment in debian/rules, and no further clarification in the
commit message or changelog:

> # disable executable stack
> export DEB_LDFLAGS_MAINT_APPEND=-Wl,-z,execstack

The word "disable" in the comment is not consistent with the linker
option chosen in the line below. I see two possibilities:

1. this library genuinely does need an executable stack, and the comment
   should say so (and ideally mention why) instead of claiming that it's
   being disabled;

2. or this library does not need an executable stack, the linker flag
   was intended to disable it or silence a warning, but the wrong linker
   flag was used, and it should say something more like -Wl,-z,noexecstack

For what it's worth, Fedora[1] and Arch[2] don't seem to use any special
linker options, which suggests that either (2.) is the right
interpretation, or the need for an executable stack has gone away in
newer upstream releases (see #1033733).

Can a maintainer or one of the contributors to #1033733 shed some light
on this?

Thanks,
    smcv

[0] https://salsa.debian.org/wine-team/vkd3d/-/commit/67a40fc5e14ce05b0863dda6be878759f7be8934
[1] https://src.fedoraproject.org/rpms/vkd3d/blob/rawhide/f/vkd3d.spec
[2] https://gitlab.archlinux.org/archlinux/packaging/packages/vkd3d/-/blob/main/PKGBUILD?ref_type=heads
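
The readelf check in the report above, written as a small parser (an added example, not part of the original report or of the vkd3d packaging): it reads the PT_GNU_STACK program header and reports its permission flags. The function names and the `sample_elf` stub are constructed for illustration.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header type carrying the stack permissions
PF_X, PF_W, PF_R = 1, 2, 4


def gnu_stack_flags(elf: bytes):
    """Return p_flags of PT_GNU_STACK, or None if the header is absent."""
    if elf[:4] != b"\x7fELF" or elf[4] not in (1, 2) or elf[5] not in (1, 2):
        raise ValueError("not a supported ELF file")
    is64 = elf[4] == 2                  # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if elf[5] == 1 else ">"   # EI_DATA: 1 = little, 2 = big endian
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        e_phoff, = struct.unpack_from(end + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(end + "I", elf, off)
        if p_type == PT_GNU_STACK:
            # p_flags follows p_type in ELF64 but sits at offset 24 in ELF32
            return struct.unpack_from(end + "I", elf, off + (4 if is64 else 24))[0]
    return None


def stack_perms(elf: bytes) -> str:
    """Render the flags the way readelf does, e.g. 'RWE' or 'RW'."""
    flags = gnu_stack_flags(elf)
    if flags is None:
        return "absent"
    bits = (("R", PF_R), ("W", PF_W), ("E", PF_X))
    return "".join(c for c, bit in bits if flags & bit)


def sample_elf(flags: int) -> bytes:
    """Constructed ELF64 little-endian stub: header plus one PT_GNU_STACK."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    return ehdr + struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 0x10)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:           # e.g. the libvkd3d*.so.1 files
        with open(path, "rb") as fh:
            print(path, stack_perms(fh.read()))
    print("constructed -z execstack stub:  ", stack_perms(sample_elf(7)))
    print("constructed -z noexecstack stub:", stack_perms(sample_elf(6)))
```

Run it with library paths as arguments to check real files; a result containing "E" corresponds to the RWE lines in the readelf output above.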