ab7ed2db6e
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Leo Sandoval <lsandova@redhat.com>
Date: Mon, 5 Aug 2024 13:19:28 -0600
Subject: [PATCH] Set non-executable stack sections on EFI assembly files
For those manual assembly files created where no '.note.GNU-stack'
section is explicitly added, the linker defaults it to executable and this
is the reason that RHEL CI rpminspect & annocheck tests are
failing. The proposed change sets the corresponding GNU-stack
sections otherwise CI detects the following security vulnerability
$ annocheck annocheck --ignore-unknown --verbose --profile=el9 *.rpm 2>&1 | grep FAIL | grep stack
(standard input):(standard input):Hardened: ./usr/lib/grub/x86_64-efi/kernel.exec: FAIL: gnu-stack test because .note.GNU-stack section has execute permission
(standard input):(standard input):Hardened: ./usr/lib/grub/x86_64-efi/kernel.img: FAIL: gnu-stack test because .note.GNU-stack section has execute permission
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
---
grub-core/kern/i386/efi/startup.S | 5 +++++
grub-core/kern/x86_64/efi/startup.S | 5 +++++
2 files changed, 10 insertions(+)
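diff --git a/grub-core/kern/i386/efi/startup.S b/grub-core/kern/i386/efi/startup.S
index fc5ea3dac..36d1b1a68 100644
--- a/grub-core/kern/i386/efi/startup.S
+++ b/grub-core/kern/i386/efi/startup.S
@@ -34,3 +34,8 @@ _start:
 movl %eax, EXT_C(grub_efi_system_table)
 call EXT_C(grub_main)
 ret
+
+/* An executable stack is not required for these functions. */
+#if defined (__linux__) && defined (__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif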
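Review bot: The `#if defined (__linux__) && defined (__ELF__)` guard around the new `.section .note.GNU-stack,"",%progbits` line keys the non-executable-stack marker to the host OS rather than to the object format, so a build with a bare-metal ELF cross toolchain (one that defines `__ELF__` but not `__linux__`) still emits no note and the linker falls back to the executable default the commit message describes. The note section is ELF-specific and nothing else, so `#if defined (__ELF__)` would cover both configurations; if the project's other .S files already use the two-condition guard, keeping it for consistency is defensible, but the gap deserves a comment such as `/* Only emitted for Linux-hosted ELF builds; other ELF toolchains keep the linker default. */`. The same point applies to the grub-core/kern/x86_64/efi/startup.S hunk. In both hunks the new lines are appended after the end of _start, whose body begins outside the hunk.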
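diff --git a/grub-core/kern/x86_64/efi/startup.S b/grub-core/kern/x86_64/efi/startup.S
index 9357e5c5d..f5c6bc3d8 100644
--- a/grub-core/kern/x86_64/efi/startup.S
+++ b/grub-core/kern/x86_64/efi/startup.S
@@ -33,3 +33,8 @@ _start:
 andq $~0xf, %rsp
 call EXT_C(grub_main)
 /* Doesn't return. */
+
+/* An executable stack is not required for these functions. */
+#if defined (__linux__) && defined (__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif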