grub2/0001-emu-fix-executable-stack-marking.patch

From 4cc06bef26c3573309086bec4472cc9151b0379e Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Mon, 1 Feb 2021 20:14:12 +0800
Subject: [PATCH] emu: fix executable stack marking

The gcc by default assumes executable stack is required if the source
object file doesn't have .note.GNU-stack section in place. If any of the
source objects doesn't incorporate the GNU-stack note, the resulting
program will have executable stack flag set in PT_GNU_STACK program
header to instruct program loader or kernel to set up the exeutable
stack when program loads to memory.

Usually the .note.GNU-stack section will be generated by gcc
automatically if it finds that executable stack is not required. However
it doesn't take care of generating .note.GNU-stack section for those
object files built from assembler sources. This leads to unnecessary
risk of security of exploiting the executable stack because those
assembler sources don't actually require stack to be executable to work.

The grub-emu and grub-emu-lite are found to flag stack as executable
revealed by execstack tool.

 $ mkdir -p build-emu && cd build-emu
 $ ../configure --with-platform=emu && make
 $ execstack -q grub-core/grub-emu grub-core/grub-emu-lite
 X grub-core/grub-emu
 X grub-core/grub-emu-lite

This patch will add the missing GNU-stack note to the assembler source
used by both utilities, therefore the result doesn't count on gcc
default behavior and the executable stack is disabled.

 $ execstack -q grub-core/grub-emu grub-core/grub-emu-lite
 - grub-core/grub-emu
 - grub-core/grub-emu-lite

Signed-off-by: Michael Chang <mchang@suse.com>
---
 grub-core/kern/emu/cache_s.S | 5 +++++
 grub-core/lib/setjmp.S       | 4 ++++
 2 files changed, 9 insertions(+)

diff --git a/grub-core/kern/emu/cache_s.S b/grub-core/kern/emu/cache_s.S
index 7bb1e1441..fca85c69e 100644
--- a/grub-core/kern/emu/cache_s.S
+++ b/grub-core/kern/emu/cache_s.S
@@ -2,6 +2,11 @@
 #error "This source is only meant for grub-emu platform"
 #endif
 
+/* An executable stack is not required for these functions */
+#if defined (__linux__) && defined (__ELF__)
+.section .note.GNU-stack,"",@progbits
+#endif
+
 #if defined(__i386__) || defined(__x86_64__)
 /* Nothing is necessary.  */
 #elif defined(__sparc__)
diff --git a/grub-core/lib/setjmp.S b/grub-core/lib/setjmp.S
index a37467760..16f676368 100644
--- a/grub-core/lib/setjmp.S
+++ b/grub-core/lib/setjmp.S
@@ -1,3 +1,7 @@
+/* An executable stack is not required for these functions */
+#if defined (__linux__) && defined (__ELF__)
+.section .note.GNU-stack,"",@progbits
+#endif
 #if defined(__i386__)
 #include "./i386/setjmp.S"
 #elif defined(__x86_64__)
-- 
2.30.0