Remove strong stack protector on target CFLAGS

Related: #RHEL-89464 Signed-off-by: Leo Sandoval <lsandova@redhat.com>
2025-08-21 09:50:55 -06:00 · 2025-08-21 09:50:55 -06:00 · 76e12e1b3d
commit 76e12e1b3d
parent 6b3c891675
4 changed files with 8 additions and 70 deletions
--- a/0371-Add-__stack_chk_fail-function-for-non-EFI-archs.patch
+++ b/0371-Add-__stack_chk_fail-function-for-non-EFI-archs.patch
@ -1,65 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Leo Sandoval <lsandova@redhat.com>
 Date: Fri, 1 Aug 2025 11:56:53 -0600
 Subject: [PATCH] Add __stack_chk_fail function for non-EFI archs
 This function allows to include '-fstack-protector-strong' compiler
 flag for non-EFI archs. Also fixes a configure.ac condition where only
 disables stack protection when stack protector is not possible.
 Signed-off-by: Leo Sandoval <lsandova@redhat.com>
 ---
 configure.ac          | 4 +---
 grub-core/kern/main.c | 8 ++++++++
 include/grub/misc.h   | 4 ++++
 3 files changed, 13 insertions(+), 3 deletions(-)
 diff --git a/configure.ac b/configure.ac
 index a6a6957fbd..a803d21a3e 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -1466,9 +1466,7 @@ AC_ARG_ENABLE([stack-protector],
 	      [],
 	      [enable_stack_protector=no])
 if test "x$enable_stack_protector" = xno; then
 -  if test "x$ssp_possible" = xyes; then
 -    # Need that, because some distributions ship compilers that include
 -    # `-fstack-protector' in the default specs.
 +  if test "x$ssp_possible" != xyes; then
     TARGET_CFLAGS="$TARGET_CFLAGS -fno-stack-protector"
   fi
 elif test "x$platform" != xefi; then
 diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
 index 2e6b79ee3d..aeafbbff9c 100644
 --- a/grub-core/kern/main.c
 +++ b/grub-core/kern/main.c
@@ -39,6 +39,14 @@
 static bool cli_disabled = false;
 static bool cli_need_auth = false;
 +#ifndef GRUB_MACHINE_EFI
 +void __attribute__ ((noreturn))
 +__stack_chk_fail (void)
 +{
 +  grub_abort();
 +}
 +#endif
 +
 grub_addr_t
 grub_modules_get_end (void)
 {
 diff --git a/include/grub/misc.h b/include/grub/misc.h
 index 0429339ef3..751eb992ca 100644
 --- a/include/grub/misc.h
 +++ b/include/grub/misc.h
@@ -446,6 +446,10 @@ extern bool EXPORT_FUNC(grub_is_cli_disabled) (void);
 extern bool EXPORT_FUNC(grub_is_cli_need_auth) (void);
 extern void EXPORT_FUNC(grub_cli_set_auth_needed) (void);
 +#ifndef GRUB_MACHINE_EFI
 +extern void __attribute__ ((noreturn)) EXPORT_FUNC (__stack_chk_fail) (void);
 +#endif
 +
 /* Must match softdiv group in gentpl.py.  */
 #if !defined(GRUB_MACHINE_EMU) && (defined(__arm__) || defined(__ia64__) || \
     (defined(__riscv) && (__riscv_xlen == 32)))
--- a/grub.macros
+++ b/grub.macros
@ -27,6 +27,7 @@
 		-e 's/-O. //g'					\\\
 		-e 's/-fplugin=annobin//g'			\\\
 		-e 's,-specs=[[:alnum:]/_-]*annobin[[:alnum:]_-]*,,g' \\\
 		-e 's/-fstack-protector[[:alpha:]-]\\+//g'	\\\
 		-e 's/-[^ ]*D_FORTIFY_SOURCE=[[:digit:]][^ ]*\\+//g'	\\\
 		-e 's/--param=ssp-buffer-size=4//g'		\\\
 		-e 's/-mregparm=3/-mregparm=4/g'		\\\
@ -36,7 +37,7 @@
 		-e 's/^/ -fno-strict-aliasing /'		\\\
 		%{nil}
-%global host_cflags_ %{expand:%%(echo %{build_cflags} %{?_hardening_cflags} | %{cflags_sed})}
+%global host_cflags_ %{expand:%%(echo %{build_cflags} %{?_hardening_cflags} | %{cflags_sed})} -fstack-protector-strong
 %ifarch x86_64
 %global host_cflags %{host_cflags_} -fcf-protection
 %else
@ -50,7 +51,7 @@
 	)}
 %global efi_host_cflags %{expand:%%(echo %{host_cflags})}
-%global target_cflags %{expand:%%(echo %{build_cflags} | %{cflags_sed})} -fstack-protector-strong
+%global target_cflags %{expand:%%(echo %{build_cflags} | %{cflags_sed})}
 %global legacy_target_cflags					\\\
 	%{expand:%%(echo %{target_cflags} | 			\\\
 	%{cflags_sed}						\\\
@ -372,7 +373,6 @@ rm -r build-aux m4						\
 	--target=%{1}						\\\
 	--with-grubdir=grub2					\\\
 	--program-transform-name=s,grub,grub2,		\\\
 	--enable-stack-protector=strong			\\\
 	--disable-werror || ( cat config.log ; exit 1 )		\
 git add .							\
 git commit -m "After efi configure"				\
--- a/grub.patches
+++ b/grub.patches
@ -367,4 +367,3 @@ Patch0367: 0367-Use-medany-instead-of-large-model-for-RISCV.patch
 Patch0368: 0368-10_linux.in-escape-kernel-option-characters-properly.patch
 Patch0369: 0369-blscfg-check-if-variable-is-escaped-before-consideri.patch
 Patch0370: 0370-Set-correctly-the-memory-attributes-for-the-kernel-P.patch
 Patch0371: 0371-Add-__stack_chk_fail-function-for-non-EFI-archs.patch
--- a/grub2.spec
+++ b/grub2.spec
@ -17,7 +17,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.12
-Release:	27%{?dist}
+Release:	28%{?dist}
 Summary:	Bootloader with support for Linux, Multiboot and more
 License:	GPL-3.0-or-later
 URL:		http://www.gnu.org/software/grub/
@ -574,6 +574,10 @@ fi
 %endif
 %changelog
 * Thu Aug 21 2025 Leo Sandoval <lsandova@redhat.com> 2.12-28
 - Remove strong stack protector on target CFLAGS
 - Related: #RHEL-89464
 * Fri Aug 15 2025 Leo Sandoval <lsandova@redhat.com> 2.12-27
 - Revert annobin's regex removal into cflags_sed
 - Resolves: #RHEL-89464