emu: Fix executable stack marking

The gcc by default assumes executable stack is required if the source
object file doesn't have .note.GNU-stack section in place. If any of the
source objects doesn't incorporate the GNU-stack note, the resulting
program will have executable stack flag set in PT_GNU_STACK program
header to instruct program loader or kernel to set up the executable
stack when program loads to memory.

Usually the .note.GNU-stack section will be generated by gcc
automatically if it finds that executable stack is not required. However
it doesn't take care of generating .note.GNU-stack section for those
object files built from assembler sources. This leads to unnecessary
risk of security of exploiting the executable stack because those
assembler sources don't actually require stack to be executable to work.

The grub-emu and grub-emu-lite are found to flag stack as executable
revealed by execstack tool.

 $ mkdir -p build-emu && cd build-emu
 $ ../configure --with-platform=emu && make
 $ execstack -q grub-core/grub-emu grub-core/grub-emu-lite
 X grub-core/grub-emu
 X grub-core/grub-emu-lite

This patch will add the missing GNU-stack note to the assembler source
used by both utilities, therefore the result doesn't count on gcc
default behavior and the executable stack is disabled.

 $ execstack -q grub-core/grub-emu grub-core/grub-emu-lite
 - grub-core/grub-emu
 - grub-core/grub-emu-lite

Signed-off-by: Michael Chang <mchang@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

diff --git a/grub-core/kern/emu/cache_s.S b/grub-core/kern/emu/cache_s.S
index 2245cddc323b57ab8bd43286b8f4233812089c53..6885ffd69bde2b59a84f2594d68fc72df220c9c9 100644 (file)
--- a/grub-core/kern/emu/cache_s.S
+++ b/grub-core/kern/emu/cache_s.S
@@ -2,6 +2,11 @@
 #error "This source is only meant for grub-emu platform"
 #endif
 
+/* An executable stack is not required for these functions. */
+#if defined (__linux__) && defined (__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif
+
 #if defined(__i386__) || defined(__x86_64__)
 /* Nothing is necessary.  */
 #elif defined(__sparc__)

diff --git a/grub-core/lib/setjmp.S b/grub-core/lib/setjmp.S
index aa297ab0af2febcab78b03502d48cc8b2c15c476..9c8721088a3ff8f1974c2e5d730260c5c01feeb9 100644 (file)
--- a/grub-core/lib/setjmp.S
+++ b/grub-core/lib/setjmp.S
@@ -1,3 +1,7 @@
+/* An executable stack is not required for these functions. */
+#if defined (__linux__) && defined (__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif
 #if defined(__i386__)
 #include "./i386/setjmp.S"
 #elif defined(__x86_64__)