forked from pool/grub2
74 lines
2.6 KiB
Diff
74 lines
2.6 KiB
Diff
|
From 4cc06bef26c3573309086bec4472cc9151b0379e Mon Sep 17 00:00:00 2001
|
||
|
|
From: Michael Chang <mchang@suse.com>
|
||
|
|
Date: Mon, 1 Feb 2021 20:14:12 +0800
|
||
|
|
Subject: [PATCH] emu: fix executable stack marking
|
||
|
|
|
||
|
|
The gcc by default assumes executable stack is required if the source
|
||
|
|
object file doesn't have .note.GNU-stack section in place. If any of the
|
||
|
|
source objects doesn't incorporate the GNU-stack note, the resulting
|
||
|
|
program will have executable stack flag set in PT_GNU_STACK program
|
||
|
|
header to instruct program loader or kernel to set up the exeutable
|
||
|
|
stack when program loads to memory.
|
||
|
|
|
||
|
|
Usually the .note.GNU-stack section will be generated by gcc
|
||
|
|
automatically if it finds that executable stack is not required. However
|
||
|
|
it doesn't take care of generating .note.GNU-stack section for those
|
||
|
|
object files built from assembler sources. This leads to unnecessary
|
||
|
|
risk of security of exploiting the executable stack because those
|
||
|
|
assembler sources don't actually require stack to be executable to work.
|
||
|
|
|
||
|
|
The grub-emu and grub-emu-lite are found to flag stack as executable
|
||
|
|
revealed by execstack tool.
|
||
|
|
|
||
|
|
$ mkdir -p build-emu && cd build-emu
|
||
|
|
$ ../configure --with-platform=emu && make
|
||
|
|
$ execstack -q grub-core/grub-emu grub-core/grub-emu-lite
|
||
|
|
X grub-core/grub-emu
|
||
|
|
X grub-core/grub-emu-lite
|
||
|
|
|
||
|
|
This patch will add the missing GNU-stack note to the assembler source
|
||
|
|
used by both utilities, therefore the result doesn't count on gcc
|
||
|
|
default behavior and the executable stack is disabled.
|
||
|
|
|
||
|
|
$ execstack -q grub-core/grub-emu grub-core/grub-emu-lite
|
||
|
|
- grub-core/grub-emu
|
||
|
|
- grub-core/grub-emu-lite
|
||
|
|
|
||
|
|
Signed-off-by: Michael Chang <mchang@suse.com>
|
||
|
|
---
|
||
|
|
grub-core/kern/emu/cache_s.S | 5 +++++
|
||
|
|
grub-core/lib/setjmp.S | 4 ++++
|
||
|
|
2 files changed, 9 insertions(+)
|
||
|
|
|
||
|
|
diff --git a/grub-core/kern/emu/cache_s.S b/grub-core/kern/emu/cache_s.S
|
||
|
|
index 7bb1e1441..fca85c69e 100644
|
||
|
|
--- a/grub-core/kern/emu/cache_s.S
|
||
|
|
+++ b/grub-core/kern/emu/cache_s.S
|
||
|
|
@@ -2,6 +2,11 @@
|
||
|
|
#error "This source is only meant for grub-emu platform"
|
||
|
|
#endif
|
||
|
|
|
||
|
|
+/* An executable stack is not required for these functions */
|
||
|
|
+#if defined (__linux__) && defined (__ELF__)
|
||
|
|
+.section .note.GNU-stack,"",@progbits
|
||
|
|
+#endif
|
||
|
|
+
|
||
|
|
#if defined(__i386__) || defined(__x86_64__)
|
||
|
|
/* Nothing is necessary. */
|
||
|
|
#elif defined(__sparc__)
|
||
|
|
diff --git a/grub-core/lib/setjmp.S b/grub-core/lib/setjmp.S
|
||
|
|
index a37467760..16f676368 100644
|
||
|
|
--- a/grub-core/lib/setjmp.S
|
||
|
|
+++ b/grub-core/lib/setjmp.S
|
||
|
|
@@ -1,3 +1,7 @@
|
||
|
|
+/* An executable stack is not required for these functions */
|
||
|
|
+#if defined (__linux__) && defined (__ELF__)
|
||
|
|
+.section .note.GNU-stack,"",@progbits
|
||
|
|
+#endif
|
||
|
|
#if defined(__i386__)
|
||
|
|
#include "./i386/setjmp.S"
|
||
|
|
#elif defined(__x86_64__)
|
||
|
|
--
|
||
|
|
2.30.0
|
||
|
|
|