Hello Phil, This article may provide some context with regard to the security implications of trampolines and executable stacks when linking objects from different compilers.
https://nullprogram.com/blog/2019/11/15/ See the authors notes regarding the rebuttal at the bottom. TLDR; gun binutils ld is going to leave you with an executable stack to support trampolines by default when linking code from different compilers. Hardening WSJT-X is ambitious, but given the unique nature of what it does and the esoteric attack vectors it would probably make for the coolest Defcon talk ever! Good luck, Robert. 73, Ryan N2BP On Mon, Jan 12, 2026, 9:36 PM Phil Karn via wsjt-devel < [email protected]> wrote: > I know what an executable stack means and why they’re a bad idea and I’ve > heard of trampolines but I don’t actually know what they are or why they’re > necessary. On Mon, Jan 12, 2026 at 15: 39 Robert Henry via wsjt-devel > <wsjt-devel@ lists. sourceforge. net> > > I know what an executable stack means and why they’re a bad idea and I’ve > heard of trampolines but I don’t actually know what they are or why they’re > necessary. > > > On Mon, Jan 12, 2026 at 15:39 Robert Henry via wsjt-devel < > [email protected]> wrote: > >> gcc/gfortran will put executable "trampoline" code on the stack as a way >> to implement procedures passed as arguments ("funargs" in the lingo) to >> other procedures. >> >> Executable stacks are a *major* security breach, and should be avoided. >> >> In the wsjt Fortran code base there are 2 ways to avoid this, I think. >> >> (1) rewrite the fortran code involving dispatch through "callback" >> routines. I think this is doable, and the infrastructure to support this >> style of object oriented programming could probably be removed too. >> >> (2) If using GNU compilers, compile everywhere with >> -ftrampoline-impl=heap -z noexecstack which will put trampolines on the >> heap (dynamic memory) and tell the linker to tell the operating system to >> not make the stack executable. >> >> I *think* that gcc on x86/x64 is the only pair of compilers and targets >> that still puts trampolines on the stack. ARM, MacOsX and Windows probably >> use the heap all the time for trampolines. >> _______________________________________________ >> wsjt-devel mailing list >> [email protected] >> https://lists.sourceforge.net/lists/listinfo/wsjt-devel >> <https://urldefense.com/v3/__https://lists.sourceforge.net/lists/listinfo/wsjt-devel__;!!DLa72PTfQgg!JsU9Rz1ouui21Hr7f9pALFMIh8NVjxxRlFEoGCEpwZgjlxoU2eV_Db5zIBv9Ig9mZujPbj6JxvJFK8cz0Bq4qu7cVf8cy6a2$> >> > _______________________________________________ > wsjt-devel mailing list > [email protected] > > https://urldefense.com/v3/__https://lists.sourceforge.net/lists/listinfo/wsjt-devel__;!!DLa72PTfQgg!JsU9Rz1ouui21Hr7f9pALFMIh8NVjxxRlFEoGCEpwZgjlxoU2eV_Db5zIBv9Ig9mZujPbj6JxvJFK8cz0Bq4qu7cVf8cy6a2$ >
_______________________________________________ wsjt-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/wsjt-devel
