Execstack clear failing

execstack: ../../src/dso.c:877: reopen_dso: Assertion dso->shdr[j].sh_size == 0’ failed.`

In order to pass the store review tools we have to clear the executable stack flag bit. This is failing as above for gitter-desktop. We’re downloading and dumping out the deb then clearing execstack

        execstack --clear-execstack ${SNAPCRAFT_PART_INSTALL}/opt/Gitter/linux/nacl_irt_x86_64.nexe

I have downloaded the deb on a 16.04 KDE Neon machine and ran the same command and got the same results. So it’s not a launchpad environment or snapcraft issue, but appears to be a problem with either execstack or the binary shipped in the gitter deb.

Anyone else seen this kind of thing? Makes it difficult to publish updates to apps if we can’t fulfill the store requirement to clear execstack. My googling only turned up issues from the distant past.

1 Like


I don’t think .nexe files are native binaries, so they shouldn’t be subject to the execstack stripping. Try not stripping those .nexe files and submitting to the store again.

It’s an ELF:

$ file squashfs-root/opt/Gitter/linux/nacl_irt_x86_64.nexe
squashfs-root/opt/Gitter/linux/nacl_irt_x86_64.nexe: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=4ba00d320a6f1180564a9fccd5aab4169f64a4c3, stripped

I can reproduce the issue:

$ execstack -c squashfs-root/opt/Gitter/linux/nacl_irt_x86_64.nexe
execstack: dso.c:877: reopen_dso: Assertion `dso->shdr[j].sh_size == 0' failed.

This seems like a bug in execstack that someone should report. That said, the real fix is not stripping the executable stack from the binary but to have the binary built so it doesn’t end up with an executable stack (which will increase the security of the binary, regardless of snappy). https://wiki.ubuntu.com/SecurityTeam/Roadmap/ExecutableStacks has some details for the producer of the nexe binary.

I also faced with this issue, but in my case, it happens on non-stripped binary. After strip execstack works