52 lines
1.8 KiB
Diff
52 lines
1.8 KiB
Diff
|
From cc318cd6ccfe9833ab9c1cde4041ac5dd9f97a3b Mon Sep 17 00:00:00 2001
|
||
|
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
||
|
Date: Tue, 21 Feb 2023 09:16:29 +0100
|
||
|
Subject: [PATCH] efi: drop executable-stack bit from .elf file
|
||
|
MIME-Version: 1.0
|
||
|
Content-Type: text/plain; charset=UTF-8
|
||
|
Content-Transfer-Encoding: 8bit
|
||
|
|
||
|
An rpminspect test in Fedora/RHEL is flagging our stub files as having an
|
||
|
executable stack. The check is correct:
|
||
|
|
||
|
$ readelf --wide --program-headers build/src/boot/efi/linuxx64.elf.stub | rg -i stack
|
||
|
GNU_STACK 0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10
|
||
|
|
||
|
It seems to be just an omission in the linker script… None of the objects that
|
||
|
are linked into the stub are marked as requiring an executable stack:
|
||
|
|
||
|
$ readelf --wide --sections build/src/boot/efi/*.c.o \
|
||
|
/usr/lib/gnuefi/x64/libgnuefi.a \
|
||
|
/usr/lib/gnuefi/x64/libefi.a \
|
||
|
/usr/lib/gcc/x86_64-redhat-linux/12/libgcc.a \
|
||
|
| rg '.note.GNU-stack.*X'
|
||
|
(nothing)
|
||
|
|
||
|
On aarch64 we end up with a nonexecutable stack, but on ia32 and x64 we get one,
|
||
|
so this might be just a matter of defaults in the linker. It doesn't matter
|
||
|
greatly, but let's mark the stack as non-executable to avoid the warning.
|
||
|
|
||
|
Note: '-Wl,-z' is not needed, things work with just '-z'.
|
||
|
|
||
|
RHEL-only
|
||
|
for now, as the patch is not yet in upstream
|
||
|
https://github.com/systemd/systemd/pull/26511
|
||
|
|
||
|
Related: #2140646
|
||
|
---
|
||
|
src/boot/efi/meson.build | 1 +
|
||
|
1 file changed, 1 insertion(+)
|
||
|
|
||
|
diff --git a/src/boot/efi/meson.build b/src/boot/efi/meson.build
|
||
|
index 0de43993a4..00f3361d66 100644
|
||
|
--- a/src/boot/efi/meson.build
|
||
|
+++ b/src/boot/efi/meson.build
|
||
|
@@ -266,6 +266,7 @@ efi_ldflags = [
|
||
|
'-Wl,--warn-common',
|
||
|
'-Wl,-Bsymbolic',
|
||
|
'-z', 'nocombreloc',
|
||
|
+ '-z', 'noexecstack',
|
||
|
efi_crt0,
|
||
|
]
|
||
|
|