Hi Michael, On Wed, 3 Feb 2021 21:03:44 +0800 Michael Chang via Grub-devel <grub-devel@gnu.org> wrote:
> The gcc by default assumes executable stack is required if the source > object file doesn't have .note.GNU-stack section in place. If any of > the source objects doesn't incorporate the GNU-stack note, the > resulting program will have executable stack flag set in PT_GNU_STACK > program header to instruct program loader or kernel to set up the > exeutable stack when program loads to memory. > > Usually the .note.GNU-stack section will be generated by gcc > automatically if it finds that executable stack is not required. > However it doesn't take care of generating .note.GNU-stack section > for those object files built from assembler sources. This leads to > unnecessary risk of security of exploiting the executable stack > because those assembler sources don't actually require stack to be > executable to work. > > The grub-emu and grub-emu-lite are found to flag stack as executable > revealed by execstack tool. > > $ mkdir -p build-emu && cd build-emu > $ ../configure --with-platform=emu && make > $ execstack -q grub-core/grub-emu grub-core/grub-emu-lite > X grub-core/grub-emu > X grub-core/grub-emu-lite > > This patch will add the missing GNU-stack note to the assembler source > used by both utilities, therefore the result doesn't count on gcc > default behavior and the executable stack is disabled. > > $ execstack -q grub-core/grub-emu grub-core/grub-emu-lite > - grub-core/grub-emu > - grub-core/grub-emu-lite Am I correct in thinking that this isn't as useful for the bootloader itself because, I assume, the grub linker doesn't look at that section header or flag. I'm wondering if it might be worthwhile to do this for grub modules for instance. Glenn _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
