Re: [PATCH] emu: fix executable stack marking

grub-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] emu: fix executable stack marking

From:	Michael Chang
Subject:	Re: [PATCH] emu: fix executable stack marking
Date:	Fri, 5 Feb 2021 12:31:35 +0800
User-agent:	Mutt/1.10.1 (2018-07-13)

On Thu, Feb 04, 2021 at 04:28:10PM -0600, Glenn Washburn wrote:
> Hi Michael,
> 
> On Wed,  3 Feb 2021 21:03:44 +0800
> Michael Chang via Grub-devel <grub-devel@gnu.org> wrote:
> 
> > The gcc by default assumes executable stack is required if the source
> > object file doesn't have .note.GNU-stack section in place. If any of
> > the source objects doesn't incorporate the GNU-stack note, the
> > resulting program will have executable stack flag set in PT_GNU_STACK
> > program header to instruct program loader or kernel to set up the
> > exeutable stack when program loads to memory.
> > 
> > Usually the .note.GNU-stack section will be generated by gcc
> > automatically if it finds that executable stack is not required.
> > However it doesn't take care of generating .note.GNU-stack section
> > for those object files built from assembler sources. This leads to
> > unnecessary risk of security of exploiting the executable stack
> > because those assembler sources don't actually require stack to be
> > executable to work.
> > 
> > The grub-emu and grub-emu-lite are found to flag stack as executable
> > revealed by execstack tool.
> > 
> >  $ mkdir -p build-emu && cd build-emu
> >  $ ../configure --with-platform=emu && make
> >  $ execstack -q grub-core/grub-emu grub-core/grub-emu-lite
> >  X grub-core/grub-emu
> >  X grub-core/grub-emu-lite
> > 
> > This patch will add the missing GNU-stack note to the assembler source
> > used by both utilities, therefore the result doesn't count on gcc
> > default behavior and the executable stack is disabled.
> > 
> >  $ execstack -q grub-core/grub-emu grub-core/grub-emu-lite
> >  - grub-core/grub-emu
> >  - grub-core/grub-emu-lite
> 
> Am I correct in thinking that this isn't as useful for the bootloader
> itself because, I assume, the grub linker doesn't look at that section
> header or flag.  I'm wondering if it might be worthwhile to do this for
> grub modules for instance.

The .note.GNU-stack section does exist in host's .module files but gets
stripped out by genmod.sh during the build process for the target grub
modules (*.mod). It could be intentional for the good of taking less
memory footprint, as you have mentioned that bootloader itself don't use
it thus it is reasonable to do so.

But I could imagine that it is unpleasant to see scanelf to output "bad
things" of grub modules.

  !WX --- ---  ./grub-core/read.mod

I think we can attribute this to be a cosmetic issue and the "fix" may
be otherwise unfavourable to the grub itself.

Thanks,
Michael

> 
> Glenn
>

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH] emu: fix executable stack marking, Michael Chang, 2021/02/03
- Re: [PATCH] emu: fix executable stack marking, Glenn Washburn, 2021/02/04
  - Re: [PATCH] emu: fix executable stack marking, Michael Chang <=

Prev by Date: Re: [PATCH] emu: fix executable stack marking
Next by Date: Re: [PATCH 1/2] efi: SPI NOR flash support
Previous by thread: Re: [PATCH] emu: fix executable stack marking
Next by thread: [PATCH v2 1/1] docs: luks2: Mention key derival function support
Index(es):
- Date
- Thread