[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] emu: fix executable stack marking
From: |
Glenn Washburn |
Subject: |
Re: [PATCH] emu: fix executable stack marking |
Date: |
Thu, 4 Feb 2021 16:28:10 -0600 |
Hi Michael,
On Wed, 3 Feb 2021 21:03:44 +0800
Michael Chang via Grub-devel <grub-devel@gnu.org> wrote:
> The gcc by default assumes executable stack is required if the source
> object file doesn't have .note.GNU-stack section in place. If any of
> the source objects doesn't incorporate the GNU-stack note, the
> resulting program will have executable stack flag set in PT_GNU_STACK
> program header to instruct program loader or kernel to set up the
> exeutable stack when program loads to memory.
>
> Usually the .note.GNU-stack section will be generated by gcc
> automatically if it finds that executable stack is not required.
> However it doesn't take care of generating .note.GNU-stack section
> for those object files built from assembler sources. This leads to
> unnecessary risk of security of exploiting the executable stack
> because those assembler sources don't actually require stack to be
> executable to work.
>
> The grub-emu and grub-emu-lite are found to flag stack as executable
> revealed by execstack tool.
>
> $ mkdir -p build-emu && cd build-emu
> $ ../configure --with-platform=emu && make
> $ execstack -q grub-core/grub-emu grub-core/grub-emu-lite
> X grub-core/grub-emu
> X grub-core/grub-emu-lite
>
> This patch will add the missing GNU-stack note to the assembler source
> used by both utilities, therefore the result doesn't count on gcc
> default behavior and the executable stack is disabled.
>
> $ execstack -q grub-core/grub-emu grub-core/grub-emu-lite
> - grub-core/grub-emu
> - grub-core/grub-emu-lite
Am I correct in thinking that this isn't as useful for the bootloader
itself because, I assume, the grub linker doesn't look at that section
header or flag. I'm wondering if it might be worthwhile to do this for
grub modules for instance.
Glenn