From cc318cd6ccfe9833ab9c1cde4041ac5dd9f97a3b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 21 Feb 2023 09:16:29 +0100
Subject: [PATCH] efi: drop executable-stack bit from .elf file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

An rpminspect test in Fedora/RHEL is flagging our stub files as having an
executable stack. The check is correct:

$ readelf --wide --program-headers build/src/boot/efi/linuxx64.elf.stub | rg -i stack
GNU_STACK 0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10

It seems to be just an omission in the linker script… None of the objects that
are linked into the stub are marked as requiring an executable stack:

$ readelf --wide --sections build/src/boot/efi/*.c.o \
/usr/lib/gnuefi/x64/libgnuefi.a \
/usr/lib/gnuefi/x64/libefi.a \
/usr/lib/gcc/x86_64-redhat-linux/12/libgcc.a \
| rg '.note.GNU-stack.*X'
(nothing)

On aarch64 we end up with a nonexecutable stack, but on ia32 and x64 we get one,
so this might be just a matter of defaults in the linker. It doesn't matter
greatly, but let's mark the stack as non-executable to avoid the warning.

Note: '-Wl,-z' is not needed, things work with just '-z'.

RHEL-only
for now, as the patch is not yet in upstream
https://github.com/systemd/systemd/pull/26511

Related: #2140646
---
src/boot/efi/meson.build | 1 +
1 file changed, 1 insertion(+)

diff --git a/src/boot/efi/meson.build b/src/boot/efi/meson.build
index 0de43993a4..00f3361d66 100644
--- a/src/boot/efi/meson.build
+++ b/src/boot/efi/meson.build
@@ -266,6 +266,7 @@ efi_ldflags = [
'-Wl,--warn-common',
'-Wl,-Bsymbolic',
'-z', 'nocombreloc',
+ '-z', 'noexecstack',
efi_crt0,
]
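Review bot: the new '-z', 'noexecstack' entry in efi_ldflags carries no comment, so the reason for it (the RWE GNU_STACK segment that rpminspect flags on ia32 and x64, per the commit message) is not visible to someone reading meson.build. A one-line comment above the entry would keep it from being dropped in a later cleanup of the linker flags. Nothing in the change checks the result either: the readelf --wide --program-headers command quoted in the commit message could run as a build test on the .elf stub and fail when the GNU_STACK line still shows the E flag.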