Remove strong stack protector on target CFLAGS

Related: #RHEL-89464 Signed-off-by: Leo Sandoval <lsandova@redhat.com>
2025-08-21 09:50:55 -06:00 · 2025-08-21 09:50:55 -06:00 · 76e12e1b3d
commit 76e12e1b3d
parent 6b3c891675
4 changed files with 8 additions and 70 deletions
--- a/0371-Add-__stack_chk_fail-function-for-non-EFI-archs.patch
+++ b/0371-Add-__stack_chk_fail-function-for-non-EFI-archs.patch
@ -1,65 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Leo Sandoval <lsandova@redhat.com>
-Date: Fri, 1 Aug 2025 11:56:53 -0600
-Subject: [PATCH] Add __stack_chk_fail function for non-EFI archs
-
-This function allows to include '-fstack-protector-strong' compiler
-flag for non-EFI archs. Also fixes a configure.ac condition where only
-disables stack protection when stack protector is not possible.
-
-Signed-off-by: Leo Sandoval <lsandova@redhat.com>
---
- configure.ac          | 4 +---
- grub-core/kern/main.c | 8 ++++++++
- include/grub/misc.h   | 4 ++++
- 3 files changed, 13 insertions(+), 3 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index a6a6957fbd..a803d21a3e 100644
--- a/configure.ac
-+++ b/configure.ac
-@@ -1466,9 +1466,7 @@ AC_ARG_ENABLE([stack-protector],
- 	      [],
- 	      [enable_stack_protector=no])
- if test "x$enable_stack_protector" = xno; then
-  if test "x$ssp_possible" = xyes; then
-    # Need that, because some distributions ship compilers that include
-    # `-fstack-protector' in the default specs.
-+  if test "x$ssp_possible" != xyes; then
-     TARGET_CFLAGS="$TARGET_CFLAGS -fno-stack-protector"
-   fi
- elif test "x$platform" != xefi; then
-diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
-index 2e6b79ee3d..aeafbbff9c 100644
--- a/grub-core/kern/main.c
-+++ b/grub-core/kern/main.c
-@@ -39,6 +39,14 @@
- static bool cli_disabled = false;
- static bool cli_need_auth = false;
- 
-+#ifndef GRUB_MACHINE_EFI
-+void __attribute__ ((noreturn))
-+__stack_chk_fail (void)
-+{
-+  grub_abort();
-+}
-+#endif
-+
- grub_addr_t
- grub_modules_get_end (void)
- {
-diff --git a/include/grub/misc.h b/include/grub/misc.h
-index 0429339ef3..751eb992ca 100644
--- a/include/grub/misc.h
-+++ b/include/grub/misc.h
-@@ -446,6 +446,10 @@ extern bool EXPORT_FUNC(grub_is_cli_disabled) (void);
- extern bool EXPORT_FUNC(grub_is_cli_need_auth) (void);
- extern void EXPORT_FUNC(grub_cli_set_auth_needed) (void);
- 
-+#ifndef GRUB_MACHINE_EFI
-+extern void __attribute__ ((noreturn)) EXPORT_FUNC (__stack_chk_fail) (void);
-+#endif
-+
- /* Must match softdiv group in gentpl.py.  */
- #if !defined(GRUB_MACHINE_EMU) && (defined(__arm__) || defined(__ia64__) || \
-     (defined(__riscv) && (__riscv_xlen == 32)))
--- a/grub.macros
+++ b/grub.macros
@ -27,6 +27,7 @@
 		-e 's/-O. //g'					\\\
 		-e 's/-fplugin=annobin//g'			\\\
 		-e 's,-specs=[[:alnum:]/_-]*annobin[[:alnum:]_-]*,,g' \\\
+		-e 's/-fstack-protector[[:alpha:]-]\\+//g'	\\\
 		-e 's/-[^ ]*D_FORTIFY_SOURCE=[[:digit:]][^ ]*\\+//g'	\\\
 		-e 's/--param=ssp-buffer-size=4//g'		\\\
 		-e 's/-mregparm=3/-mregparm=4/g'		\\\
@ -36,7 +37,7 @@
 		-e 's/^/ -fno-strict-aliasing /'		\\\
 		%{nil}

-%global host_cflags_ %{expand:%%(echo %{build_cflags} %{?_hardening_cflags} | %{cflags_sed})}
+%global host_cflags_ %{expand:%%(echo %{build_cflags} %{?_hardening_cflags} | %{cflags_sed})} -fstack-protector-strong
 %ifarch x86_64
 %global host_cflags %{host_cflags_} -fcf-protection
 %else
@ -50,7 +51,7 @@
 	)}
 %global efi_host_cflags %{expand:%%(echo %{host_cflags})}

-%global target_cflags %{expand:%%(echo %{build_cflags} | %{cflags_sed})} -fstack-protector-strong
+%global target_cflags %{expand:%%(echo %{build_cflags} | %{cflags_sed})}
 %global legacy_target_cflags					\\\
 	%{expand:%%(echo %{target_cflags} | 			\\\
 	%{cflags_sed}						\\\
@ -372,7 +373,6 @@ rm -r build-aux m4						\
 	--target=%{1}						\\\
 	--with-grubdir=grub2					\\\
 	--program-transform-name=s,grub,grub2,		\\\
-	--enable-stack-protector=strong			\\\
 	--disable-werror || ( cat config.log ; exit 1 )		\
 git add .							\
 git commit -m "After efi configure"				\
--- a/grub.patches
+++ b/grub.patches
@ -367,4 +367,3 @@ Patch0367: 0367-Use-medany-instead-of-large-model-for-RISCV.patch
 Patch0368: 0368-10_linux.in-escape-kernel-option-characters-properly.patch
 Patch0369: 0369-blscfg-check-if-variable-is-escaped-before-consideri.patch
 Patch0370: 0370-Set-correctly-the-memory-attributes-for-the-kernel-P.patch
-Patch0371: 0371-Add-__stack_chk_fail-function-for-non-EFI-archs.patch
--- a/grub2.spec
+++ b/grub2.spec
@ -17,7 +17,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.12
-Release:	27%{?dist}
+Release:	28%{?dist}
 Summary:	Bootloader with support for Linux, Multiboot and more
 License:	GPL-3.0-or-later
 URL:		http://www.gnu.org/software/grub/
@ -574,6 +574,10 @@ fi
 %endif

 %changelog
+* Thu Aug 21 2025 Leo Sandoval <lsandova@redhat.com> 2.12-28
+- Remove strong stack protector on target CFLAGS
+- Related: #RHEL-89464
+
 * Fri Aug 15 2025 Leo Sandoval <lsandova@redhat.com> 2.12-27
 - Revert annobin's regex removal into cflags_sed
 - Resolves: #RHEL-89464