Re: [PATCH] emu: fix executable stack marking

[Glenn Washburn]

Hi Michael,

On Wed,  3 Feb 2021 21:03:44 +0800
Michael Chang via Grub-devel <grub-devel@gnu.org> wrote:

> The gcc by default assumes executable stack is required if the source
> object file doesn't have .note.GNU-stack section in place. If any of
> the source objects doesn't incorporate the GNU-stack note, the
> resulting program will have executable stack flag set in PT_GNU_STACK
> program header to instruct program loader or kernel to set up the
> exeutable stack when program loads to memory.
> 
> Usually the .note.GNU-stack section will be generated by gcc
> automatically if it finds that executable stack is not required.
> However it doesn't take care of generating .note.GNU-stack section
> for those object files built from assembler sources. This leads to
> unnecessary risk of security of exploiting the executable stack
> because those assembler sources don't actually require stack to be
> executable to work.
> 
> The grub-emu and grub-emu-lite are found to flag stack as executable
> revealed by execstack tool.
> 
>  $ mkdir -p build-emu && cd build-emu
>  $ ../configure --with-platform=emu && make
>  $ execstack -q grub-core/grub-emu grub-core/grub-emu-lite
>  X grub-core/grub-emu
>  X grub-core/grub-emu-lite
> 
> This patch will add the missing GNU-stack note to the assembler source
> used by both utilities, therefore the result doesn't count on gcc
> default behavior and the executable stack is disabled.
> 
>  $ execstack -q grub-core/grub-emu grub-core/grub-emu-lite
>  - grub-core/grub-emu
>  - grub-core/grub-emu-lite

Am I correct in thinking that this isn't as useful for the bootloader
itself because, I assume, the grub linker doesn't look at that section
header or flag.  I'm wondering if it might be worthwhile to do this for
grub modules for instance.

Glenn