Accepting request 874318 from home:michael-chang:branches:Base:System

- Fix build error in binutils 2.36 (bsc#1181741) * 0001-Fix-build-error-in-binutils-2.36.patch - Fix executable stack in grub-emu (bsc#1181696) * 0001-emu-fix-executable-stack-marking.patch OBS-URL: https://build.opensuse.org/request/show/874318 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=373
2021-02-23 00:58:17 +00:00 · 2021-02-23 00:58:17 +00:00 · b2d62d6d4b
commit b2d62d6d4b
parent baeaac9f95
4 changed files with 132 additions and 0 deletions
--- a/0001-Fix-build-error-in-binutils-2.36.patch
+++ b/0001-Fix-build-error-in-binutils-2.36.patch
@ -0,0 +1,47 @@
+From 7801d671905329d28e789082225570fc54fe5784 Mon Sep 17 00:00:00 2001
+From: Michael Chang <mchang@suse.com>
+Date: Fri, 19 Feb 2021 17:40:43 +0800
+Subject: [PATCH] Fix build error in binutils 2.36
+
+The build fails in binutils 2.36
+
+[  520s] cat kernel_syms.lst > syminfo.lst.new
+[  520s] /usr/lib64/gcc/x86_64-suse-linux/10/../../../../x86_64-suse-linux/bin/ld: section .note.gnu.property VMA [0000000000400158,0000000000400187] overlaps section .bss VMA [000000000000f000,000000000041e1af]
+
+It is caused by assembler now generates the GNU property notes section
+by default. Use the assmbler option -mx86-used-note=no to disable the
+section from being generated to workaround the ensuing linker issue.
+
+Signed-off-by: Michael Chang <mchang@suse.com>
+---
+ configure.ac | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index c39e8379f..a3fb713ad 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -827,6 +827,20 @@ if ( test "x$target_cpu" = xi386 || test "x$target_cpu" = xx86_64 ) && test "x$p
+   TARGET_CFLAGS="$TARGET_CFLAGS -mno-mmx -mno-sse -mno-sse2 -mno-sse3 -mno-3dnow"
+ fi
+ 
+if ( test "x$target_cpu" = xi386 || test "x$target_cpu" = xx86_64 ); then
+  AC_CACHE_CHECK([whether -Wa,-mx86-used-note works], [grub_cv_cc_mx86_used_note], [
+    CFLAGS="$TARGET_CFLAGS -Wa,-mx86-used-note=no -Werror"
+    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
+	[grub_cv_cc_mx86_used_note=yes],
+	[grub_cv_cc_mx86_used_note=no])
+  ])
+
+  if test "x$grub_cv_cc_mx86_used_note" = xyes; then
+    TARGET_CFLAGS="$TARGET_CFLAGS -Wa,-mx86-used-note=no"
+    TARGET_CCASFLAGS="$TARGET_CCASFLAGS -Wa,-mx86-used-note=no"
+  fi
+fi
+
+ # GRUB doesn't use float or doubles at all. Yet some toolchains may decide
+ # that floats are a good fit to run instead of what's written in the code.
+ # Given that floating point unit is disabled (if present to begin with)
+-- 
+2.30.0
+
--- a/0001-emu-fix-executable-stack-marking.patch
+++ b/0001-emu-fix-executable-stack-marking.patch
@ -0,0 +1,73 @@
+From 4cc06bef26c3573309086bec4472cc9151b0379e Mon Sep 17 00:00:00 2001
+From: Michael Chang <mchang@suse.com>
+Date: Mon, 1 Feb 2021 20:14:12 +0800
+Subject: [PATCH] emu: fix executable stack marking
+
+The gcc by default assumes executable stack is required if the source
+object file doesn't have .note.GNU-stack section in place. If any of the
+source objects doesn't incorporate the GNU-stack note, the resulting
+program will have executable stack flag set in PT_GNU_STACK program
+header to instruct program loader or kernel to set up the exeutable
+stack when program loads to memory.
+
+Usually the .note.GNU-stack section will be generated by gcc
+automatically if it finds that executable stack is not required. However
+it doesn't take care of generating .note.GNU-stack section for those
+object files built from assembler sources. This leads to unnecessary
+risk of security of exploiting the executable stack because those
+assembler sources don't actually require stack to be executable to work.
+
+The grub-emu and grub-emu-lite are found to flag stack as executable
+revealed by execstack tool.
+
+ $ mkdir -p build-emu && cd build-emu
+ $ ../configure --with-platform=emu && make
+ $ execstack -q grub-core/grub-emu grub-core/grub-emu-lite
+ X grub-core/grub-emu
+ X grub-core/grub-emu-lite
+
+This patch will add the missing GNU-stack note to the assembler source
+used by both utilities, therefore the result doesn't count on gcc
+default behavior and the executable stack is disabled.
+
+ $ execstack -q grub-core/grub-emu grub-core/grub-emu-lite
+ - grub-core/grub-emu
+ - grub-core/grub-emu-lite
+
+Signed-off-by: Michael Chang <mchang@suse.com>
+---
+ grub-core/kern/emu/cache_s.S | 5 +++++
+ grub-core/lib/setjmp.S       | 4 ++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/grub-core/kern/emu/cache_s.S b/grub-core/kern/emu/cache_s.S
+index 7bb1e1441..fca85c69e 100644
+--- a/grub-core/kern/emu/cache_s.S
+++ b/grub-core/kern/emu/cache_s.S
+@@ -2,6 +2,11 @@
+ #error "This source is only meant for grub-emu platform"
+ #endif
+ 
+/* An executable stack is not required for these functions */
+#if defined (__linux__) && defined (__ELF__)
+.section .note.GNU-stack,"",@progbits
+#endif
+
+ #if defined(__i386__) || defined(__x86_64__)
+ /* Nothing is necessary.  */
+ #elif defined(__sparc__)
+diff --git a/grub-core/lib/setjmp.S b/grub-core/lib/setjmp.S
+index a37467760..16f676368 100644
+--- a/grub-core/lib/setjmp.S
+++ b/grub-core/lib/setjmp.S
+@@ -1,3 +1,7 @@
+/* An executable stack is not required for these functions */
+#if defined (__linux__) && defined (__ELF__)
+.section .note.GNU-stack,"",@progbits
+#endif
+ #if defined(__i386__)
+ #include "./i386/setjmp.S"
+ #elif defined(__x86_64__)
+-- 
+2.30.0
+
--- a/grub2.changes
+++ b/grub2.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Feb 22 12:49:48 UTC 2021 - Michael Chang <mchang@suse.com>
+
+- Fix build error in binutils 2.36 (bsc#1181741)
+  * 0001-Fix-build-error-in-binutils-2.36.patch
+- Fix executable stack in grub-emu (bsc#1181696)
+  * 0001-emu-fix-executable-stack-marking.patch
+
 -------------------------------------------------------------------
 Thu Feb 18 05:21:29 UTC 2021 - Michael Chang <mchang@suse.com>

--- a/grub2.spec
+++ b/grub2.spec
@ -346,6 +346,8 @@ Patch735:       0006-efi-Set-image-base-address-before-jumping-to-the-PE-.patch
 Patch736:       0007-linuxefi-fail-kernel-validation-without-shim-protoco.patch
 Patch737:       0008-squash-Add-support-for-Linux-EFI-stub-loading-on-aar.patch
 Patch738:       0009-squash-Add-support-for-linuxefi.patch
+Patch739:       0001-Fix-build-error-in-binutils-2.36.patch
+Patch740:       0001-emu-fix-executable-stack-marking.patch

 Requires:       gettext-runtime
 %if 0%{?suse_version} >= 1140
@ -680,6 +682,8 @@ swap partition while in resuming
 %patch736 -p1
 %patch737 -p1
 %patch738 -p1
+%patch739 -p1
+%patch740 -p1

 %build
 # collect evidence to debug spurious build failure on SLE15