Message ID | e90b5826343e0e5858db015df44e4eaa332bd938.1642457047.git.martin.b.radev@gmail.com (mailing list archive)
---|---
State | New, archived
Series | kvmtool: Fix few found bugs
On Tue, 18 Jan 2022 00:12:02 +0200 Martin Radev <martin.b.radev@gmail.com> wrote: > This patch modifies CFLAGS to mark the stack explicitly > as not executable. > > Signed-off-by: Martin Radev <martin.b.radev@gmail.com> Reviewed-by: Andre Przywara <andre.przywara@arm.com> Cheers, Andre > --- > Makefile | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/Makefile b/Makefile > index f251147..09ef282 100644 > --- a/Makefile > +++ b/Makefile > @@ -380,8 +380,11 @@ DEFINES += -D_GNU_SOURCE > DEFINES += -DKVMTOOLS_VERSION='"$(KVMTOOLS_VERSION)"' > DEFINES += -DBUILD_ARCH='"$(ARCH)"' > > +# The stack doesn't need to be executable > +SECURITY_HARDENINGS := -z noexecstack > + > KVM_INCLUDE := include > -CFLAGS += $(CPPFLAGS) $(DEFINES) -I$(KVM_INCLUDE) -I$(ARCH_INCLUDE) -O2 -fno-strict-aliasing -g > +CFLAGS += $(CPPFLAGS) $(DEFINES) $(SECURITY_HARDENINGS) -I$(KVM_INCLUDE) -I$(ARCH_INCLUDE) -O2 -fno-strict-aliasing -g > > WARNINGS += -Wall > WARNINGS += -Wformat=2 > @@ -582,4 +585,4 @@ ifneq ($(MAKECMDGOALS),clean) > > KVMTOOLS-VERSION-FILE: > @$(SHELL_PATH) util/KVMTOOLS-VERSION-GEN $(OUTPUT) > -endif > \ No newline at end of file > +endif
Hi Martin, On Tue, Jan 18, 2022 at 12:12:02AM +0200, Martin Radev wrote: > This patch modifies CFLAGS to mark the stack explicitly > as not executable. > > Signed-off-by: Martin Radev <martin.b.radev@gmail.com> > --- > Makefile | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/Makefile b/Makefile > index f251147..09ef282 100644 > --- a/Makefile > +++ b/Makefile > @@ -380,8 +380,11 @@ DEFINES += -D_GNU_SOURCE > DEFINES += -DKVMTOOLS_VERSION='"$(KVMTOOLS_VERSION)"' > DEFINES += -DBUILD_ARCH='"$(ARCH)"' > > +# The stack doesn't need to be executable > +SECURITY_HARDENINGS := -z noexecstack > + > KVM_INCLUDE := include > -CFLAGS += $(CPPFLAGS) $(DEFINES) -I$(KVM_INCLUDE) -I$(ARCH_INCLUDE) -O2 -fno-strict-aliasing -g > +CFLAGS += $(CPPFLAGS) $(DEFINES) $(SECURITY_HARDENINGS) -I$(KVM_INCLUDE) -I$(ARCH_INCLUDE) -O2 -fno-strict-aliasing -g I used scanelf to check that the final binary has the stack marked as executable. For arm and arm64 I got this: $ scanelf -e lkvm TYPE STK/REL/PTL FILE ET_DYN RW- R-- RW- lkvm which as far as I can tell means the stack is not executable. For x86: $ scanelf -e lkvm TYPE STK/REL/PTL FILE ET_DYN RWX R-- RW- vm which means the stack is executable. Digging further, it looks like there are two objects which are missing the .note.GNU-stack section, x86/bios/entry.o and x86/bios/bios-rom.o. I suggest you try to fix the source files for those two objects before adding the flag to gcc. I used the Gentoo wiki [1] to diagnose the problem, in case it's useful to you. [1] https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart Thanks, Alex > > WARNINGS += -Wall > WARNINGS += -Wformat=2 > @@ -582,4 +585,4 @@ ifneq ($(MAKECMDGOALS),clean) > > KVMTOOLS-VERSION-FILE: > @$(SHELL_PATH) util/KVMTOOLS-VERSION-GEN $(OUTPUT) > -endif > \ No newline at end of file > +endif > -- > 2.25.1 >
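The check Alex describes above, done without scanelf, as an added example that is not code from kvmtool or from anyone in this thread: it reads PT_GNU_STACK straight from the ELF program headers and, going one step beyond what `scanelf -e` prints, scans relocatable objects for the `.note.GNU-stack` section so the objects that drag the whole link to an executable stack can be listed by name. It is plain Python with no binutils or pax-utils dependency. The sample ELF images, the `build_*` helpers and the object names in the self-check are constructed here; `lkvm` itself and the real `x86/bios/*.o` are not included, and the file name `stackcheck.py` in the usage comment is hypothetical.

```python
"""Added example: stack-executability checks in pure Python. Answers the two
questions behind the scanelf run above: does a linked image's PT_GNU_STACK carry
PF_X, and does each relocatable object carry the .note.GNU-stack marker?"""
import struct
import sys

PT_GNU_STACK = 0x6474E551          # PT_LOOS + 0x474e551
PF_X, PF_W, PF_R = 1, 2, 4
ET_REL, SHT_PROGBITS, SHT_STRTAB = 1, 1, 3
GNU_STACK_NOTE = ".note.GNU-stack"

def _ehdr(data):
    """Parse the ELF header (ELF32/ELF64, either byte order) into a dict."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    fmt = end + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH")
    keys = ("type", "machine", "version", "entry", "phoff", "shoff", "flags",
            "ehsize", "phentsize", "phnum", "shentsize", "shnum", "shstrndx")
    hdr = dict(zip(keys, struct.unpack_from(fmt, data, 16)))
    hdr["is64"], hdr["end"] = is64, end
    return hdr

def stack_flags(data):
    """p_flags of PT_GNU_STACK, or None if absent (x86 then defaults to RWX)."""
    h = _ehdr(data)
    for i in range(h["phnum"]):
        off = h["phoff"] + i * h["phentsize"]
        if h["is64"]:
            p_type, p_flags = struct.unpack_from(h["end"] + "II", data, off)
        else:  # ELF32 stores p_flags after the five offset/size words
            p_type = struct.unpack_from(h["end"] + "I", data, off)[0]
            p_flags = struct.unpack_from(h["end"] + "I", data, off + 24)[0]
        if p_type == PT_GNU_STACK:
            return p_flags
    return None

def stack_perms(data):
    """scanelf's STK column: 'RW-', 'RWX', or '???' when no PT_GNU_STACK exists."""
    f = stack_flags(data)
    if f is None: return "???"
    return "".join(c if f & b else "-" for c, b in (("R", PF_R), ("W", PF_W), ("X", PF_X)))

def stack_is_executable(data):  # a missing PT_GNU_STACK counts as executable
    f = stack_flags(data)
    return f is None or bool(f & PF_X)

def section_names(data):
    """All section names, resolved through the section-name string table."""
    h = _ehdr(data)
    fmt = h["end"] + ("IIQQQQIIQQ" if h["is64"] else "IIIIIIIIII")
    shdrs = [struct.unpack_from(fmt, data, h["shoff"] + i * h["shentsize"])
             for i in range(h["shnum"])]
    if not shdrs: return []
    off, size = shdrs[h["shstrndx"]][4], shdrs[h["shstrndx"]][5]
    strtab = data[off:off + size]
    return [strtab[sh[0]:].split(b"\0", 1)[0].decode() for sh in shdrs]

def has_gnu_stack_note(data):
    """True if an object carries .note.GNU-stack; with GNU ld on x86, one object
    without it makes the final link's stack RWX unless -z noexecstack overrides."""
    return GNU_STACK_NOTE in section_names(data)

def objects_missing_note(objects):  # objects: {name: bytes} -> names ld would blame
    return sorted(n for n, d in objects.items() if not has_gnu_stack_note(d))

def build_linked_image(pf_flags):
    """Constructed minimal ELF64 ET_EXEC whose only phdr is PT_GNU_STACK."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    return ehdr + struct.pack("<IIQQQQQQ", PT_GNU_STACK, pf_flags, 0, 0, 0, 0, 0, 16)

def build_rel_object(section_list):
    """Constructed minimal ELF64 ET_REL with empty sections of the given names."""
    names = [""] + list(section_list) + [".shstrtab"]
    strtab, offs = b"", []
    for n in names:
        offs.append(len(strtab))
        strtab += n.encode() + b"\0"
    shoff = (64 + len(strtab) + 7) & ~7           # 8-byte align the shdr table
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", ET_REL, 62, 1, 0, 0, shoff, 0, 64, 0, 0,
                        64, len(names), len(names) - 1)
    img = ehdr + strtab + b"\0" * (shoff - 64 - len(strtab))
    for i, n in enumerate(names):
        is_str = n == ".shstrtab"
        sh_type = 0 if i == 0 else (SHT_STRTAB if is_str else SHT_PROGBITS)
        img += struct.pack("<IIQQQQIIQQ", offs[i], sh_type, 0, 0, 64 if is_str else 0,
                           len(strtab) if is_str else 0, 0, 0, 1, 0)
    return img

def report(path):  # one scanelf-style line per file
    with open(path, "rb") as f:
        data = f.read()
    if _ehdr(data)["type"] == ET_REL:
        return "%s: %s %s" % (path, GNU_STACK_NOTE,
                              "present" if has_gnu_stack_note(data) else "MISSING")
    return "%s: stack %s" % (path, stack_perms(data))

if __name__ == "__main__":  # e.g. python3 stackcheck.py lkvm x86/bios/*.o
    for p in sys.argv[1:]:
        print(report(p))
```

Run it against the build tree after `make`: a linked image reports `RW-` or `RWX` exactly as scanelf's STK column does, and each `.o` reports whether the note is present. The two checks answer different questions: `-z noexecstack` at link time makes the first one pass while the second still fails, which is why fixing the objects that lack the note is the more honest repair.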
diff --git a/Makefile b/Makefile index f251147..09ef282 100644 --- a/Makefile +++ b/Makefile @@ -380,8 +380,11 @@ DEFINES += -D_GNU_SOURCE DEFINES += -DKVMTOOLS_VERSION='"$(KVMTOOLS_VERSION)"' DEFINES += -DBUILD_ARCH='"$(ARCH)"' +# The stack doesn't need to be executable +SECURITY_HARDENINGS := -z noexecstack + KVM_INCLUDE := include -CFLAGS += $(CPPFLAGS) $(DEFINES) -I$(KVM_INCLUDE) -I$(ARCH_INCLUDE) -O2 -fno-strict-aliasing -g +CFLAGS += $(CPPFLAGS) $(DEFINES) $(SECURITY_HARDENINGS) -I$(KVM_INCLUDE) -I$(ARCH_INCLUDE) -O2 -fno-strict-aliasing -g WARNINGS += -Wall WARNINGS += -Wformat=2 @@ -582,4 +585,4 @@ ifneq ($(MAKECMDGOALS),clean) KVMTOOLS-VERSION-FILE: @$(SHELL_PATH) util/KVMTOOLS-VERSION-GEN $(OUTPUT) -endif \ No newline at end of file +endif
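Review bot: in the CFLAGS hunk, `-z noexecstack` is a linker option, so appending it to CFLAGS only does anything on whichever command lines that variable reaches at the link step, and it also papers over the actual defect: as the scanelf check in this thread shows, x86/bios/entry.o and x86/bios/bios-rom.o lack the .note.GNU-stack section, which is what makes GNU ld mark PT_GNU_STACK RWX for the whole x86 link. Suggest fixing the sources first (a `.section .note.GNU-stack,"",@progbits` directive in the assembly files those objects come from, or `-Wa,--noexecstack` when assembling them) and, if the linker flag is still wanted as a backstop, passing it explicitly through the link as `-Wl,-z,noexecstack` in LDFLAGS rather than via CFLAGS. The comment `# The stack doesn't need to be executable` should also say what the flag actually does: it forces a non-executable stack regardless of what the objects declare, which is only safe because nothing linked into lkvm relies on an executable stack (for example GCC nested-function trampolines).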
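Review bot: the second hunk (`-endif` / `\ No newline at end of file` / `+endif`) is an unrelated trailing-newline fix that the commit message does not mention; either drop it from this patch or carry it in its own one-line commit so the hardening change stays reviewable on its own.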
This patch modifies CFLAGS to mark the stack explicitly
as not executable.

Signed-off-by: Martin Radev <martin.b.radev@gmail.com>
---
 Makefile | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)