diff --git a/0001-Fix-build-error-in-binutils-2.36.patch b/0001-Fix-build-error-in-binutils-2.36.patch new file mode 100644 index 0000000..43a19aa --- /dev/null +++ b/0001-Fix-build-error-in-binutils-2.36.patch @@ -0,0 +1,47 @@ +From 7801d671905329d28e789082225570fc54fe5784 Mon Sep 17 00:00:00 2001 +From: Michael Chang +Date: Fri, 19 Feb 2021 17:40:43 +0800 +Subject: [PATCH] Fix build error in binutils 2.36 + +The build fails in binutils 2.36 + +[ 520s] cat kernel_syms.lst > syminfo.lst.new +[ 520s] /usr/lib64/gcc/x86_64-suse-linux/10/../../../../x86_64-suse-linux/bin/ld: section .note.gnu.property VMA [0000000000400158,0000000000400187] overlaps section .bss VMA [000000000000f000,000000000041e1af] + +It is caused by assembler now generates the GNU property notes section +by default. Use the assmbler option -mx86-used-note=no to disable the +section from being generated to workaround the ensuing linker issue. + +Signed-off-by: Michael Chang +--- + configure.ac | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/configure.ac b/configure.ac +index c39e8379f..a3fb713ad 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -827,6 +827,20 @@ if ( test "x$target_cpu" = xi386 || test "x$target_cpu" = xx86_64 ) && test "x$p + TARGET_CFLAGS="$TARGET_CFLAGS -mno-mmx -mno-sse -mno-sse2 -mno-sse3 -mno-3dnow" + fi + ++if ( test "x$target_cpu" = xi386 || test "x$target_cpu" = xx86_64 ); then ++ AC_CACHE_CHECK([whether -Wa,-mx86-used-note works], [grub_cv_cc_mx86_used_note], [ ++ CFLAGS="$TARGET_CFLAGS -Wa,-mx86-used-note=no -Werror" ++ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])], ++ [grub_cv_cc_mx86_used_note=yes], ++ [grub_cv_cc_mx86_used_note=no]) ++ ]) ++ ++ if test "x$grub_cv_cc_mx86_used_note" = xyes; then ++ TARGET_CFLAGS="$TARGET_CFLAGS -Wa,-mx86-used-note=no" ++ TARGET_CCASFLAGS="$TARGET_CCASFLAGS -Wa,-mx86-used-note=no" ++ fi ++fi ++ + # GRUB doesn't use float or doubles at all. Yet some toolchains may decide + # that floats are a good fit to run instead of what's written in the code. + # Given that floating point unit is disabled (if present to begin with) +-- +2.30.0 + diff --git a/0001-emu-fix-executable-stack-marking.patch b/0001-emu-fix-executable-stack-marking.patch new file mode 100644 index 0000000..c9c2954 --- /dev/null +++ b/0001-emu-fix-executable-stack-marking.patch @@ -0,0 +1,73 @@ +From 4cc06bef26c3573309086bec4472cc9151b0379e Mon Sep 17 00:00:00 2001 +From: Michael Chang +Date: Mon, 1 Feb 2021 20:14:12 +0800 +Subject: [PATCH] emu: fix executable stack marking + +The gcc by default assumes executable stack is required if the source +object file doesn't have .note.GNU-stack section in place. If any of the +source objects doesn't incorporate the GNU-stack note, the resulting +program will have executable stack flag set in PT_GNU_STACK program +header to instruct program loader or kernel to set up the exeutable +stack when program loads to memory. + +Usually the .note.GNU-stack section will be generated by gcc +automatically if it finds that executable stack is not required. However +it doesn't take care of generating .note.GNU-stack section for those +object files built from assembler sources. This leads to unnecessary +risk of security of exploiting the executable stack because those +assembler sources don't actually require stack to be executable to work. + +The grub-emu and grub-emu-lite are found to flag stack as executable +revealed by execstack tool. + + $ mkdir -p build-emu && cd build-emu + $ ../configure --with-platform=emu && make + $ execstack -q grub-core/grub-emu grub-core/grub-emu-lite + X grub-core/grub-emu + X grub-core/grub-emu-lite + +This patch will add the missing GNU-stack note to the assembler source +used by both utilities, therefore the result doesn't count on gcc +default behavior and the executable stack is disabled. + + $ execstack -q grub-core/grub-emu grub-core/grub-emu-lite + - grub-core/grub-emu + - grub-core/grub-emu-lite + +Signed-off-by: Michael Chang +--- + grub-core/kern/emu/cache_s.S | 5 +++++ + grub-core/lib/setjmp.S | 4 ++++ + 2 files changed, 9 insertions(+) + +diff --git a/grub-core/kern/emu/cache_s.S b/grub-core/kern/emu/cache_s.S +index 7bb1e1441..fca85c69e 100644 +--- a/grub-core/kern/emu/cache_s.S ++++ b/grub-core/kern/emu/cache_s.S +@@ -2,6 +2,11 @@ + #error "This source is only meant for grub-emu platform" + #endif + ++/* An executable stack is not required for these functions */ ++#if defined (__linux__) && defined (__ELF__) ++.section .note.GNU-stack,"",@progbits ++#endif ++ + #if defined(__i386__) || defined(__x86_64__) + /* Nothing is necessary. */ + #elif defined(__sparc__) +diff --git a/grub-core/lib/setjmp.S b/grub-core/lib/setjmp.S +index a37467760..16f676368 100644 +--- a/grub-core/lib/setjmp.S ++++ b/grub-core/lib/setjmp.S +@@ -1,3 +1,7 @@ ++/* An executable stack is not required for these functions */ ++#if defined (__linux__) && defined (__ELF__) ++.section .note.GNU-stack,"",@progbits ++#endif + #if defined(__i386__) + #include "./i386/setjmp.S" + #elif defined(__x86_64__) +-- +2.30.0 + diff --git a/grub2.changes b/grub2.changes index f93cced..d801dd1 100644 --- a/grub2.changes +++ b/grub2.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Mon Feb 22 12:49:48 UTC 2021 - Michael Chang + +- Fix build error in binutils 2.36 (bsc#1181741) + * 0001-Fix-build-error-in-binutils-2.36.patch +- Fix executable stack in grub-emu (bsc#1181696) + * 0001-emu-fix-executable-stack-marking.patch + ------------------------------------------------------------------- Thu Feb 18 05:21:29 UTC 2021 - Michael Chang diff --git a/grub2.spec b/grub2.spec index 40d857c..f9bd1b4 100644 --- a/grub2.spec +++ b/grub2.spec @@ -346,6 +346,8 @@ Patch735: 0006-efi-Set-image-base-address-before-jumping-to-the-PE-.patch Patch736: 0007-linuxefi-fail-kernel-validation-without-shim-protoco.patch Patch737: 0008-squash-Add-support-for-Linux-EFI-stub-loading-on-aar.patch Patch738: 0009-squash-Add-support-for-linuxefi.patch +Patch739: 0001-Fix-build-error-in-binutils-2.36.patch +Patch740: 0001-emu-fix-executable-stack-marking.patch Requires: gettext-runtime %if 0%{?suse_version} >= 1140 @@ -680,6 +682,8 @@ swap partition while in resuming %patch736 -p1 %patch737 -p1 %patch738 -p1 +%patch739 -p1 +%patch740 -p1 %build # collect evidence to debug spurious build failure on SLE15